Skip to main content

The MDSECheck method: choosing secure square MDS matrices for P-SP-networks

by
18 min read

This article introduces MDSECheck method — a novel approach to checking square MDS matrices for unconditional security as the components of affine permutation layers of P-SP-networks.

Introduction

Maximum distance separable (MDS) matrices play a significant role in algebraic coding theory and symmetric cryptography. In particular, square MDS matrices are commonly used in affine permutation layers of partial substitution-permutation networks (P-SPNs). These are widespread designs of the modern symmetric ciphers and hash functions. A classic example of the latter is Poseidon [1], a well-known hash function used in zk-SNARK proving systems.

Square MDS matrices differ in terms of security that they are able to provide for P-SPNs. The use of some such matrices in certain P-SPNs may result in existence of infinitely long subspace trails of small period for the latter, which make them vulnerable to differential cryptanalysis [2].

Two methods for security checking of square MDS matrices for P-SPNs have been proposed in [2]. The first one, which is referred to as the three tests method in the rest of the article, is aimed at security checking for a specified structure of the substitution layer of a P-SPN. The second method, which is referred here as the sufficient test method, has been designed to determine whether a square MDS matrix satisfies a sufficient condition of being secure regardless of the structure of a P-SPN substitution layer, i.e. to check whether the matrix belongs to the class of square MDS matrices, which are referred to as unconditionally secure in the current article.

This article aims to introduce MDSECheck method — a novel approach to checking square MDS matrices for unconditional security, which has already been implemented in the Rust programming language as the library crate [3]. The next sections explain the notions mentioned above, describe the MDSECheck method as well as its mathematical foundations, provide a brief overview of the MDSECheck library crate and outline possible future research directions.

MDS matrix: how to define and construct

An mm x nn matrix MM over a finite field is called MDS, if and only if for distinct nn-dimensional column vectors v1v_1 and v2v_2 the column vectors v1Mv1v_1 \: | \: M v_1 and v2Mv2v_2 \: | \: M v_2, where | stands for vertical concatenation, do not coincide in nn or more components. The set of all possible column vectors vMvv \: | \: M v for some fixed matrix MM is a systematic MDS code, i.e. a linear code, which contains input symbols on their original positions and achieves the Singleton bound. The latter property results in good error-correction capability.

There are several equivalent definitions of MDS matrices, but the next one is especially useful for constructing them directly by means of algebraic methods. A matrix over a finite field is called MDS, if and only if all its square submatrices are nonsingular. The matrix entries and the matrix itself are also considered submatrices.

One of the most efficient and straightforward methods to directly construct an MDS matrix is generating a Cauchy matrix [4]. Such an mm x nn matrix is defined using mm-dimensional vector xx and nn-dimensional vector yy, for which all entries in the concatenation of xx and yy are distinct. The entries of the Cauchy matrix are described by the formula Mi,j=1/(xiyj)M_{i, j} = 1 \: / \: (x_i - y_j). It is obvious that any submatrix of a Cauchy matrix is also a Cauchy matrix. The Cauchy determinant formula [5] implies that every square Cauchy matrix is nonsingular. Thus, Cauchy matrices satisfy the second definition of MDS matrices.

Partial substitution-permutation networks

Describing SPNs in algebraic terms is convenient, so this approach has been chosen for this article. SPNs are designs of the symmetric cryptoprimitives, which operate on an internal state, which is represented as an nn-dimensional vector over some finite field, and update this state iteratively by means of the round transformations described below.

Each round begins with an optional update of the internal state by adding to its components some input data or extraction of some of these components as the output data. This optional step depends on the specific cryptoprimitive and the current round number. The next step is called the nonlinear substitution layer and lies in replacing the ii-th component of the internal state with Si(c)S_i(c) for each i[1..n]i \in [1..n], where cc is the component value and Si(x)S_i(x) is a nonlinear invertible function over the finite field. The function Si(x)S_i(x) is specific to the cryptoprimitive and called an S-Box. The final step, which is known as the affine permutation layer, replaces the internal state with MX+cM X + c, where XX is the current internal state, MM is a nonsingular square matrix and cc is the vector of the round constants. The value of cc is specific to the cryptoprimitive and the current round number, while MM typically depends only on the cryptoprimitive. The data flow diagram for an SPN is given below.

..................................                         
│ │ │ │
▼ ▼ ▼ ▼
┌────────────────────────────────┐
│ Optional addition / extraction │ <─────> Input / output
└──┬────────┬────────┬────────┬──┘
▼ ▼ ▼ ▼
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐
│S₁(x)│ │S₂(x)│ │ ... │ │Sₙ(x)│
└──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘
▼ ▼ ▼ ▼
┌────────────────────────────────┐
│ Affine permutation │
└──┬────────┬────────┬────────┬──┘
▼ ▼ ▼ ▼
┌────────────────────────────────┐
│ Optional addition / extraction │ <─────> Input / output
└──┬────────┬────────┬────────┬──┘
▼ ▼ ▼ ▼
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐
│S₁(x)│ │S₂(x)│ │ ... │ │Sₙ(x)│
└──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘
▼ ▼ ▼ ▼
┌────────────────────────────────┐
│ Affine permutation │
└──┬────────┬────────┬────────┬──┘
▼ ▼ ▼ ▼
..................................

Partial SPNs are modifications of SPNs, where for certain rounds some S-Boxes are replaced with the identity functions to reduce computational efforts [2]. For example, the nonlinear substitution layers of the partial rounds of Poseidon update only the first internal state component [1]. In the case of P-SPNs, security considerations commonly demand to choose MM as a square MDS matrix, because these matrices provide perfect diffusion property for the affine permutation layer [6]. Possessing this property means ensuring that any two nn-dimensional internal states, which differ in exactly tt components, are mapped by the affine permutation layer to two new internal states that differ in at least nt+1n - t + 1 components.

Square MDS matrix security check in the context of P-SPNs

Certain square MDS matrices should not be used in certain P-SPNs to avoid making them vulnerable to differential cryptanalysis, since it may exploit the existence of infinitely long subspace trails of small period for vulnerable P-SPNs. [2]. Such matrices are called insecure with respect to particular P-SPNs.

An infinitely long subspace trail of period ll exists for a P-SPN, if and only if there is a proper subspace of differences of internal state vectors, such that if for a pair of initial internal states the difference belongs to this subspace, then the difference for the new internal states, which are obtained from the initial ones by means of the same ll-round transformation, also belongs to this subspace [2].

Two methods for checking square MDS matrices for suitability for P-SPNs in terms of existence of infinitely long subspace trails have been proposed in [2]. The three tests method is aimed at checking whether using a specified matrix for a P-SPN with a specified structure of the substitution layer leads to existence of infinitely long subspace trails of period pp for this P-SPN for all pp no larger than a given ll. The sufficient test method has been designed to determine whether a square MDS matrix satisfies a sufficient condition of non-existence of infinitely long subspace trails of period pp for P-SPNs using this matrix for all pp no larger than a specified ll.

The sufficient test method is a direct consequence of Theorem 8 in [2] and consists in checking that the minimal polynomial of the pp-th power of the tested matrix has maximum degree and is irreducible for all p[1..l]p \in [1..l]. The aforesaid sufficient non-existence condition is satisfied by the matrix, if and only if all the checks yield positive results.

It is convenient to define the unconditional P-SPN security level of the square MDS matrix as follows: this level is ll for the matrix MM, if and only if the minimal polynomials of MM, M2M^2, ......, MlM^l have maximum degree and are irreducible, but for Ml+1M^{l \: + \: 1} the minimal polynomial does not have this property. Using this definition, the purpose of the sufficient test method can be described as checking whether the unconditional P-SPN security level of the specified matrix is no less than a given bound.

MDSECheck method: getting rid of the matrix powers

The MDSECheck method, whose name is derived from the words "MDS", "security", "elaborated" and "check", has the same purpose as the sufficient test method, but achieves it differently. The differences of the first method from the latter and approaches to implementing them can be described as follows:

  1. Computation and verification of minimal polynomials of M2M^2, M3M^3, ......, MlM^l, where MM is the tested nn x nn matrix over GF(q)GF(q) and ll is the security level bound, has been replaced with checks for the corresponding powers of a root of the characteristic polynomial of MM for non-presence in nontrivial subfields of GF(qn)GF(q^n).

    1. The non-presence check is performed without straightforward consideration of all nontrivial subfields of GF(qn)GF(q^n). The root is checked only for non-presence in the subfields GF(qn/p1)GF(q^{n \: / \: p_1}), GF(qn/p2)GF(q^{n \: / \: p_2}), ......, GF(qn/pd)GF(q^{n \: / \: p_d}), where p1p_1, p2p_2, ......, pdp_d are all prime divisors of nn.

    2. The non-presence check reuses some data computed during the checking for irreducibility the minimal polynomial of MM, which in this case coincides with f(y)f(y) designating the characteristic polynomial of MM. The values of yqn/pjmodf(y)y^{q^{n \: / \: p_j}} \mod f(y) are saved for each j[1..d]j \in [1..d] during the irreducibility check to replace exponentiations with sequential computations of (yi)qn/pjmodf(y)(y^i)^{q^{n \: / \: p_j}} \mod f(y) from (y(i1))qn/pjmodf(y)(y^{(i \: - \: 1)})^{q^{n \: / \: p_j}} \mod f(y) as its product with yqn/pjmodf(y)y^{q^{n \: / \: p_j}} \mod f(y).

  2. The check of the minimal polynomial of MM for irreducibility and maximum degree is performed without unconditional computation of this polynomial. This computation has been replaced with the Krylov method fragment, which consists in building and solving only one system of linear equations over GF(q)GF(q). If MM has an irreducible minimal polynomial of maximum degree, then its coefficients are trivially determined from the system solution. If the system is degenerate, then the minimal polynomial of MM does not have such properties.

The correctness of the first distinctive feature can be proven as follows. Verifying that the minimal polynomial of a matrix is of maximum degree and irreducible is equivalent to verifying that the characteristic polynomial of this matrix is irreducible, because the minimal polynomial divides the characteristic one. Also, it is trivially proven that for a matrix with such a minimal polynomial it is equal to the characteristic polynomial. Thus, the required checks for the matrices M2M^2, M3M^3, ......, MlM^l can be done by checking their characteristic polynomials for irreducibility.

Let MM be nn x nn matrix over GF(q)GF(q), whose minimal polynomial is of maximum degree and irreducible. The statements in the previous paragraph imply that f(y)f(y), which is the nn-degree characteristic polynomial of MM, is irreducible. Consider MM over the extension field GF(qn)GF(q^n), which is the splitting field of f(y)f(y). Let αGF(qn)α \in GF(q^n) be a root of f(y)f(y). According to standard results from the Galois field theory, αα, αqα^q, αq2α^{q^2}, ......, αqn1α^{q^{n \: - \: 1}} are distinct roots of f(y)f(y) [7]. Thus, these powers of αα are nn distinct eigenvalues of MM. Hence, due to matrix similarity properties, there is some matrix SS such that SMS1=DS M S^{-1} = D, where DD is the diagonal matrix, whose nonzero elements are αα, αqα^q, αq2α^{q^2}, ......, αqn1α^{q^{n \: - \: 1}}. Therefore, SMiS1=DiS M^i S^{-1} = D^i, so the roots of the characteristic polynomial of MiM^i are αiα^i, (αq)i(α^q)^i, (αq2)i(α^{q^2})^i, ......, (αqn1)i(α^{q^{n \: - \: 1}})^i. If the minimal polynomial of αiα^i has degree less than nn, then the characteristic polynomial of MiM^i is divisible by this minimal polynomial, while αiα^i lies in some nontrivial subfield of GF(qn)GF(q^n). One of the fields isomorphic to this subfield is a residue class ring of polynomials modulo the minimal polynomial of αiα^i [7]. If the minimal polynomial of αiα^i is of degree nn, then the characteristic polynomial of MiM^i equals this minimal polynomial and therefore is irreducible, while αiα^i does not lie in any nontrivial subfield of GF(qn)GF(q^n). In this case, 11, αiα^i, (αi)2(α^i)^2, ......, (αi)n1(α^i)^{n \: - \: 1} are linearly independent as distinct roots of an irreducible polynomial over a finite field [7], so any field containing αiα^i has at least qnq^n elements and therefore cannot be a trivial subfield of GF(qn)GF(q^n). Thus, checking the characteristic polynomials of the matrices M2M^2, M3M^3, ......, MlM^l for irreducibility is equivalent to verifying that α2α^2, α3α^3, ......, αlα^l do not lie in any nontrivial subfield of GF(qn)GF(q^n).

The last sentences of the two previous paragraphs imply the following: verifying that the minimal polynomials of M2M^2, M3M^3, ......, MlM^l are of maximum degree and irreducible can be performed by verifying that the corresponding powers of a root of the characteristic polynomial of the nn x nn matrix MM over GF(q)GF(q) do not belong to any nontrivial subfield of GF(qn)GF(q^n). \blacksquare

The approaches to implementing the first distinctive feature can be explained and proven to be correct as follows. Since GF(qw)GF(q^w) is a nontrivial subfield of GF(qu)GF(q^u) if and only if ww divides uu and w<uw < u [7], the presence of some εε in GF(qh)GF(q^h), which is a nontrivial subfield of GF(qn)GF(q^n), implies that εGF(qn/ν)ε \in GF(q^{n \: / \: ν}) for some prime νν dividing nn, because hh divides the quotient of nn and some of its prime factors. Thus, checking that some value does not belong to subfields GF(qn/p1)GF(q^{n \: / \: p_1}), GF(qn/p2)GF(q^{n \: / \: p_2}), ......, GF(qn/pd)GF(q^{n \: / \: p_d}), where p1p_1, p2p_2, ......, pdp_d are all prime divisors of nn, is equivalent to checking this value for non-presence in nontrivial subfields of GF(qn)GF(q^n).

Checking for irreducibility the minimal polynomial of MM is performed by means of Algorithm 2.2.9 in [8] and consists in sequential computation of ypmodf(y)y^p \mod f(y), yp2modf(y)y^{p^2} \mod f(y), ......, ypn/2modf(y)y^{p^{\lfloor n \: / \: 2 \rfloor}} \mod f(y) and checking that GCD(ypimodf(y)y,f(y))=1GCD(y^{p^i} \mod f(y) \: - \: y, f(y)) = 1 for each i[1..n/2]i \in [1..\lfloor n \: / \: 2 \rfloor], where f(y)f(y) is the characteristic polynomial of MM and coincides with the minimal polynomial in this case. The optimized root non-presence check is performed by checking that for each i[2..l]i \in [2..l] for each j[1..d]j \in [1..d] the value of ((yi)qn/pjyi)modf(y)((y^i)^{q^{n \: / \: p_j}} - y^i) \mod f(y) is nonzero. This approach is based on the following standard results from the Galois field theory [7]:

  • GF(qn)GF(q^n) is isomorphic to the residue class ring of univariate polynomials in yy modulo f(y)f(y), because at this point f(y)f(y) is known to be irreducible, and some root of f(y)f(y) is mapped by this isomorphism to the residue class the polynomial yy in this ring.

  • All elements of a finite field GF(qw)GF(q^w) and only they are roots of yqwyy^{q^w} - y.

The expression ((yi)qn/pjyi)modf(y)((y^i)^{q^{n \: / \: p_j}} - y^i) \mod f(y) can be rewritten as ((yqn/pj)iyi)modf(y)((y^{q^{n \: / \: p_j}})^i - y^i) \mod f(y), which can be computed without exponentiation as the product of (y(i1))qn/pjmodf(y)(y^{(i \: - \: 1)})^{q^{n \: / \: p_j}} \mod f(y) and yqn/pjmodf(y)y^{q^{n \: / \: p_j}} \mod f(y), which has been saved during the irreducibility check.

The second distinctive feature can be explained and proven to be correct in following way. The nn x nn matrix MM does not have a minimal polynomial of maximum degree, if some Krylov subspace of order nn for it is not nn-dimensional. Indeed, the minimal polynomial of the matrix is divisible by the minimal polynomial of the restriction of this linear operator to an arbitrary subspace, and in the considered case the latter polynomial has degree less than nn, because the degree of the minimal polynomial of a linear operator cannot exceed the dimension of the subspace the operator acts on. Thus, an unconditional computation of the minimal polynomial of MM is not required to determine whether this polynomial is irreducible and has maximum degree. Using this computation has been replaced with the Krylov method fragment, which consists in choosing any nonzero nn-dimensional column vector vv and solving the system of linear equations AX=bA X = b, where AA is an nn x nn matrix, whose columns are vv, MvM v, M2vM^2 v, ......, Mn1vM^{n \: - \: 1} v, and bb is MnvM^n v. If AA is singular, the minimal polynomial of MM is reducible or does not have maximum degree, so checking MM has been accomplished; otherwise, f(y)f(y), which is the minimal and characteristic polynomial of MM, can be expressed as ynXn1yn1Xn2yn2X1yX0y^n - X_{n \: - \: 1} y^{n \: - \: 1} - X_{n \: - \: 2} y^{n \: - \: 2} - … - X_1 y - X_0.

The steps of MDSECheck method can be summarized as follows:

  1. The square MDS matrix MM over GF(q)GF(q) and the unconditional P-SPN security level bound ll are received as inputs.

  2. The Krylov method fragment is used to compute the minimal polynomial of MM. If the computation fails, then MM is not unconditionally secure, so the check of MM is complete. If it succeeds, then the minimal polynomial has maximum degree and, therefore, coincides with the characteristic polynomial of MM.

  3. Algorithm 2.2.9 is used to check for irreducibility the minimal polynomial of MM, which is also the characteristic polynomial of MM in this case. Some data computed during this step is saved to be reused at the next one. If the polynomial is reducible, then the check of MM is complete, because MM has been found to be not unconditionally secure.

  4. The values of α2α^2, α3α^3, ......, αlα^l, where αα is a root of the characteristic polynomial of MM, are sequentially checked for non-presence in nontrivial subfields of GF(qn)GF(q^n) as described above. If αiα^i belongs to some nontrivial subfield of GF(qn)GF(q^n), then the unconditional P-SPN security level of MM is i1i \: - \: 1, so the check of MM is complete. If all the values do not belong to such a subfield, then the unconditional P-SPN security level is at least ll.

MDSECheck library crate: implementation in Rust

The library crate [3] provides tools for generating random square Cauchy MDS matrices over prime finite fields and applying the MDSECheck method to check such matrices for unconditional security. The used data types of field elements and polynomials are provided by the crates ark-ff [9] and ark-poly [10]. The auxiliary tools in the crate modules are accessible as well.

Generating by means of this crate a 10 x 10 MDS matrix, which is defined over the BN254 scalar field [11] and has unconditional P-SPN security level is 1000, takes less than 60 milliseconds on average for the laptop with the processor Intel® Core™ i9-14900HX, whose maximum clock frequency is 5.8 GHz.

Conclusion

The MDSECheck method proposed in this article is a novel approach to checking square MDS matrices for unconditional security as the components of affine permutation layers of P-SPNs. It has been implemented as a practical library crate for generating unconditionally secure square MDS matrices for P-SPNs over prime finite fields.

The future research directions may include theoretical and experimental studies of performance of approaches, which use the MDSECheck method to generate unconditionally secure square MDS matrices for P-SPNs.

References

  1. L. Grassi, D. Khovratovich, C. Rechberger, A. Roy, M. Schofnegger. "POSEIDON: A New Hash Function for Zero-Knowledge Proof Systems (Updated Version)".
  2. L. Grassi, C. Rechberger, M. Schofnegger. "Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer".
  3. The page "mdsecheck" on crates.io.
  4. Y. Kumar, P. Mishra, S. Samanta, K. Chand Gupta, A. Gaur. "Construction of all MDS and involutory MDS matrices".
  5. The page "Value of Cauchy Determinant" on proofwiki.org.
  6. T. Silva, R. Dahab "MDS Matrices for Cryptography".
  7. S. Huczynska, M. Neunhöffer. "Finite Fields"
  8. R. Crandall, C. Pomerance. "Prime Numbers: A Computational Perspective" (2nd edition).
  9. The page "ark-ff" on crates.io.
  10. The page "ark-poly" on crates.io.
  11. The page "ark-bn254" on crates.io.