MDS matrix

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

An MDS matrix (Maximum Distance Separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an m×n matrix A over a finite field K is an MDS matrix if it is the transformation matrix of a linear transformation f(x)=Ax from Kn to Km such that no two different (m+n)-tuples of the form (x,f(x)) coincide in n or more components. Equivalently, the set of all (m+n)-tuples (x,f(x)) is an MDS code, i.e. a linear code that reaches the Singleton bound.

Let be the matrix obtained by joining the identity matrix Idn to A. Then a necessary and sufficient condition for a matrix A to be MDS is that every possible n×n submatrix obtained by removing m rows from is non-singular. This is also equivalent to the following: all the sub-determinants of the matrix A are non-zero. Then a binary matrix A (namely over the field with two elements) is never MDS unless it has only one row or only one column with all components 1.

Reed–Solomon codes have the MDS property and are frequently used to obtain the MDS matrices used in cryptographic algorithms.

Serge Vaudenay suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, not-necessarily linear functions with this same property. These functions have what he called perfect diffusion: changing t of the inputs changes at least m-t+1 of the outputs. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations.

MDS matrices are used for diffusion in such block ciphers as AES, SHARK, Square, Twofish, Anubis, KHAZAD, Manta, Hierocrypt, Kalyna and Camellia, and in the stream cipher MUGI and the cryptographic hash function Whirlpool.


  • Serge Vaudenay (November 16, 1994). On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER (PDF/PostScript). 2nd International Workshop on Fast Software Encryption (FSE '94). Leuven: Springer-Verlag. pp. 286–297. Retrieved 2007-03-05.CS1 maint: uses authors parameter (link)