On the direct construction of recursive MDS matrices

MDS matrices allow to build optimal linear diffusion layers in the design of block ciphers and hash functions. There has been a lot of study in designing efficient MDS matrices suitable for software and/or hardware implementations. In particular recursive MDS matrices are considered for resource constrained environments. Such matrices can be expressed as a power of simple companion matrices, i.e., an MDS matrix \(M = C_g^k\) for some companion matrix corresponding to a monic polynomial \(g(X) \in \mathbb {F}_q[X]\) of degree k. In this paper, we first show that for a monic polynomial g(X) of degree \(k\ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\). This characterization answers the issues raised by Augot et al. in FSE-2014 paper to some extent. We then revisit the algorithm given by Augot et al. to find all recursive MDS matrices that can be obtained from a class of BCH codes (which are also MDS) and propose an improved algorithm. We identify exactly what candidates in this class of BCH codes yield recursive MDS matrices. So the computation can be confined to only those potential candidate polynomials, and thus greatly reducing the complexity. As a consequence we are able to provide formulae for the number of such recursive MDS matrices, whereas in FSE-2014 paper, the same numbers are provided by exhaustively searching for some small parameter choices. We also present a few ideas making the search faster for finding efficient recursive MDS matrices in this class. Using our approach, it is possible to exhaustively search this class for larger parameter choices which was not possible earlier. We also present our search results for the case \(k=8\) and \(q=2^{16}\).