Hello everyone, I'm Shun. I'm glad to present our work, "How small can we go? Lightweight iterative MDS matrices". It's a joint work with Sun Siwei, Shi Danping, Li Chaoyun and Hu Lei. Okay, let's start. First, I want to introduce some background. The diffusion components in lightweight symmetric-key cryptographic algorithms are typically realized with linear operations, expressed as matrices, spreading internal dependencies as much as possible. The diffusion property of a diffusion matrix is measured by its branch number. The branch number of a matrix is defined as the minimum, over all inputs, of the sum of the numbers of nonzero blocks of the input and of the output of the matrix. Regular lightweight primitives have the following types of diffusion layer. The first is bit-level permutations, such as PRESENT and GIFT. The second is bitwise XORs and rotations, such as SKINNY and CRAFT. The third is maximal distance separable (MDS) matrices, such as in AES, a famous example, and the last is generalized from MDS matrices, called almost-MDS matrices, such as in Midori and QARMA. The definition: an invertible matrix is MDS over m-bit words if and only if the branch number of the matrix equals k plus 1, that is, the dimension plus 1. Here is an example of an MDS matrix, the one in AES. By the way, it's also circulant. There are several constructions of MDS matrices. The first is XOR-and-rotation based, such as height. The second is iteration based; there are LFSR, GFSR, DSI and sparse DSI forms. The third is special-type based, such as circulant, orthogonal, Hadamard, Toeplitz, Cauchy and involutory. By definition, a matrix A is called an iterative MDS matrix with MDS order t if t is the smallest positive integer such that the t-th power of A is MDS. Iterative MDS matrices have some advantages and disadvantages. The advantage is that the cost of implementing an iterative MDS matrix, in terms of area, is determined by the matrix A, regardless of how complicated the MDS matrix A^t is.
The disadvantage is that the reduced area footprint comes at the cost of increased delay. Here is an example of an LFSR-type iterative MDS matrix used in the PHOTON hash functions as well as the LED block cipher, which were presented at CRYPTO 2011 and CHES 2011 respectively. This LFSR-type iterative MDS matrix has order four. Then we are going to minimize the structure of iterative MDS matrices. Actually, it is inspired by the sparse DSI, so we are going to identify the theoretically smallest iterative MDS matrix with regard to the number of nonzero blocks required in its implementation. Throughout all existing structures of iterative MDS matrices, we wondered if we could go further and make the number of nonzero blocks as small as possible, so that the k by k matrix could be more sparse. The natural question is: what is the minimum number of nonzero blocks of an iterative MDS matrix A such that the t-th power of A can be MDS for some positive integer t? The following lemma clearly gives us a lower bound for the number of nonzero blocks. When the matrix has only three or fewer nonzero blocks, it is singular, of course, and however many times it iterates, it stays singular. When the matrix has four nonzero blocks and two of them are in the same row or in the same column, it is also singular, so it is not MDS for any positive integer t. And when the matrix has four nonzero blocks and the four nonzero blocks are in different columns and different rows, we can prove by mathematical induction that this form of matrix always has only four nonzero blocks, however many times it iterates. So we have to increase the number of nonzero blocks, and if we have a matrix with more than four nonzero blocks, how do we check whether it is an iterative MDS matrix or not? Here is an example: we take the matrix in the 16 by 16 binary matrices over 4-bit words, and if it is an iterative MDS matrix, by the lemma its order is no more than 2 to the 16.
That's because there must be two of them that are the same when the order is over 2 to the 16; that is, we could find the same matrices in the chain of powers. So the search space is limited to the matrices with more than five nonzero blocks, and we calculate their order up to 2 to the 16 and check if it is MDS or not, but the space is too big and it is infeasible. So we have to reduce the search space. First of all, for a matrix with five nonzero blocks to be iterative MDS, the placement of the five nonzero blocks is not arbitrary. Actually, we can identify four blocks among the five nonzero blocks such that any two of them are in different rows and different columns; otherwise it is not MDS. The structure of five nonzero blocks: given an iterative MDS matrix A with five nonzero blocks, it can be decomposed as B and Z, where B has four nonzero blocks from A which are placed at different rows and different columns, and Z has the single remaining nonzero block from A. And we find that the main component B has only six out of 24 possibilities for the choice of the positions of the four nonzero blocks, shown below. Actually, it is because of cycle permutations: we represent all possible matrices B as cycle permutations and try to find some equivalences. The positions of the nonzero blocks in B correspond to a permutation, which can be represented as the product of some disjoint cycles.
For example, here we have four matrices and they are of different types. I mean, the first one consists of four 1-cycles, the second one consists of two 2-cycles, the third one consists of one 1-cycle and one 3-cycle, and the last one is just a 4-cycle. So it can be easily proved that only 4-cycles are allowed, and the 4-cycles have six possibilities in total. If it is not a 4-cycle, there exist some entries in any power of the matrix that are zero blocks, so it is not MDS. Of course, to find the lightest iterative MDS matrix in 4m by 4m over m-bit words with five nonzero blocks, we only need to consider the matrices whose main component B is of type (1 2 3 4), because all other 4-cycles can be transformed to (1 2 3 4) via a series of invertible operations preserving the XOR cost and the iterative MDS property; such as in this example, the (1 2 3 4) cycle is equivalent to (1 2 4 3). And when B is restricted to the form of (1 2 3 4), the unique nonzero block in Z seems to have 12 possible positions, but further transformation leaves only two reasonable cases. Here we give the four equivalent positions: that is, Z appearing at (1,4) is equivalent to (2,1), (3,2) and (4,3). For the only two structures of five-nonzero-block matrices, we can further give some restrictions on the entries. That is, we can prove that the four nonzero blocks of B all have to be nonsingular. That comes from the property of MDS: all the 1 by 1, 2 by 2, 3 by 3 and 4 by 4 submatrices have to be invertible for a matrix to be an MDS matrix, and the four nonzero blocks of B, A1, A2, A3, A4, will appear in some entries in any iteration. So to make sure each entry in any iteration is nonsingular, the four nonzero blocks all have to be nonsingular. And we consider one of the two target sets; we could start a trial
search in the minimal space, because from the aspect of XOR count the permutation matrix may be the best choice. So we fix A1, A2, A3, A4 to all be permutation matrices and find if we can get an iterative MDS matrix, and luckily we got a 3-XOR-count matrix whose 451st power is MDS, and it is probably the lightest iterative MDS matrix in the 16 by 16 binary matrices over 4-bit words, because we can prove this lemma, which states that an iterative MDS block matrix with five nonzero blocks or six nonzero blocks has XOR count not less than three. And actually we exhaustively searched through all matrices with five or six nonzero blocks whose XOR count is not bigger than two and found no solution. Although the XOR count of three is a good thing, the 451 iteration times is not good, so we tried to find something better on the latency: lightweight iterative MDS matrices with small orders. The previous matrix with only three XOR gates of area is only of theoretical interest when it requires 551 cycles to complete the computation. So can we find a more reasonable iterative MDS matrix with minimal MDS order? Because we just care about the latency, we could do some equivalent transformations to make the search space minimal without losing the MDS property. And we search in the space of matrices with only five nonzero blocks, and the exact lower bound of the order is 14. Same as before, the way is to fix the numbers of nonzero blocks of the first row, second row, third row and fourth row to obey (2,1,1,1); other patterns can be put into this form with a series of invertible transformations which leave the iterative MDS property and the MDS order invariant, such as the left side shows below. And when we fix the order to be the lower bound 14, we actually got a matrix with an XOR count of only seven. However, 14 may still be too big compared to existing iterative MDS matrices with order only four, so we relax the restriction on the number of nonzero blocks and find
something new. That is, we find that for all the iterative MDS matrices where the number of nonzero blocks of the matrix is six, there are actually only two possibilities for the distribution of the nonzero blocks of A to make it become an iterative MDS matrix, corresponding to the two forms we expect of iterative MDS matrices satisfying that the order is four and having six nonzero blocks. And further search shows we could not get a better result than before, because all matrices with six nonzero blocks and order four have at least 10 XORs. We go on searching higher dimensions for lighter iterative MDS matrices. Well, when the dimension is higher the constraints are more, because we have to make all 1 by 1, 2 by 2, 3 by 3, 4 by 4 and 5 by 5 submatrices nonsingular, and we actually find a 6-XOR iterative MDS matrix whose 981st power is MDS. Same as before, 981 is too big for latency; we increase the XOR count gradually and find a rather low order, only eight, and its XOR count is 15. We can follow the previous trivial extension to find some matrices in higher dimensions: that means, from km by km over m-bit words, we could enlarge it to 2km by 2km over 2m-bit words. For example, the left matrix is 2 by 2 and we could enlarge it to 4 by 4, but we could also view it as a 2 by 2 matrix where each submatrix is 2m by 2m; the corresponding is a11 to a110 a11, and this enlargement will not change the MDS property. Here are some examples that show the usefulness of the enlargement technique: we can use the iterative MDS matrix we found in 16 by 16, costing three XOR gates with iterative order 451, to get an iterative MDS matrix in 32 by 32 over 8-bit words costing six XOR gates with the same iterative order, and also we could use the iterative MDS matrix in 20 by 20, costing six XOR gates with iterative order 981, to get an iterative MDS matrix in 40 by 40 costing 12 XOR gates with the same iterative
order. This is just a direct use of the four results, the matrices we found before, to directly construct a new matrix which is also iterative MDS, so it is quite useful. And finally we give our main results; we emphasize the better part of our results in bold. In conclusion, we searched for iterative MDS matrices without any special structure, gave theoretical analysis and compared with previous constructions, and we identified the theoretically lightest iterative MDS matrix in 4 by 4 over 4-bit words with the minimal number of nonzero blocks, and we found iterative MDS matrices of various dimensions which are not only lighter than previous results but also at the lower bounds in terms of latency. That's all, thank you.
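To make the talk's definitions concrete, the following added example (not code from the talk or the paper) implements the branch-number test and the MDS-order search over the 16 by 16 binary matrices over 4-bit words the talk works in. It assumes GF(2^4) with the polynomial x^4+x+1 and uses LED's serial matrix Serial(4,1,2,2), whose fourth power is LED's MDS matrix, as the constructed input; the four-block lemma can be checked with the same functions.

```python
from functools import reduce
from itertools import combinations, product
from operator import xor

M_BITS, POLY = 4, 0x13  # 4-bit words over GF(2^4) with x^4+x+1, as in LED/PHOTON (assumption)

def gf_mul(a, b):
    """Multiply in GF(2^4) by shift-and-add, reducing by POLY when the degree reaches 4."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (POLY if a & 8 else 0), b >> 1
    return r
def block_matrix(grid):
    """Expand a k x k grid of field elements into a km x km binary matrix (row bitmasks, MSB = column 0)."""
    k = len(grid)  # entry c becomes the m x m binary matrix of the map x -> c*x
    return [sum(((gf_mul(c, 1 << i) >> r) & 1) << (M_BITS * (k - 1 - j) + M_BITS - 1 - i)
                for j, c in enumerate(brow) for i in range(M_BITS))
            for brow in grid for r in range(M_BITS)]
def gf2_mul(A, B):
    """Product of square binary matrices: row i of AB XORs the rows of B selected by row i of A."""
    n = len(A)
    return [reduce(xor, (B[j] for j in range(n) if (row >> (n - 1 - j)) & 1), 0) for row in A]
def gf2_rank(rows):
    """Rank over GF(2): clear each pivot's highest set bit from every row below it."""
    rows, rank = list(rows), 0
    for i, piv in enumerate(rows):
        if piv:
            rank, hb = rank + 1, piv.bit_length() - 1
            rows[i + 1:] = [r ^ piv if (r >> hb) & 1 else r for r in rows[i + 1:]]
    return rank
def is_mds(M, k):
    """Branch number k+1 test: every s x s block submatrix (s = 1..k) must be invertible over GF(2)."""
    n, mask = k * M_BITS, (1 << M_BITS) - 1
    for s in range(1, k + 1):
        for R, C in product(combinations(range(k), s), repeat=2):
            sub = [sum(((row >> (n - (j + 1) * M_BITS)) & mask) << (M_BITS * (s - 1 - jj))
                       for jj, j in enumerate(C)) for i in R for row in M[i * M_BITS:(i + 1) * M_BITS]]
            if gf2_rank(sub) != s * M_BITS:
                return False
    return True
def mds_order(A, k, limit):
    """Smallest t <= limit with A^t MDS, else None (the talk bounds the order by 2^(km))."""
    P = A
    for t in range(1, limit + 1):
        if is_mds(P, k):
            return t
        P = gf2_mul(P, A)
    return None

# Constructed input: LED's serial matrix Serial(4,1,2,2); its 4th power is the LED MDS matrix.
LED_SERIAL = block_matrix([[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [4, 1, 2, 2]])
```

Feeding mds_order a matrix with exactly one nonzero block per row and column returns None for any limit, which is the talk's four-block lemma in executable form.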