MDS matrix

From Wikipedia, the free encyclopedia

An MDS matrix (maximum distance separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an matrix over a finite field is an MDS matrix if it is the transformation matrix of a linear transformation from to such that no two different -tuples of the form coincide in or more components. Equivalently, the set of all -tuples is an MDS code, i.e., a linear code that reaches the Singleton bound.

Let be the matrix obtained by joining the identity matrix to . Then a necessary and sufficient condition for a matrix to be MDS is that every possible submatrix obtained by removing rows from is non-singular. This is also equivalent to the following: all the sub-determinants of the matrix are non-zero. Then a binary matrix (namely over the field with two elements) is never MDS unless it has only one row or only one column with all components .

Reed–Solomon codes have the MDS property and are frequently used to obtain the MDS matrices used in cryptographic algorithms.

Serge Vaudenay suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, not-necessarily linear functions with this same property.[1] These functions have what he called perfect diffusion: changing of the inputs changes at least of the outputs. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations.

MDS matrices are used for diffusion in such block ciphers as AES, SHARK, Square, Twofish, Anubis, KHAZAD, Manta, Hierocrypt, Kalyna, Camellia and HADESMiMC, and in the stream cipher MUGI and the cryptographic hash function Whirlpool, Poseidon.


  1. ^ Vaudenay, Serge (1995), Preneel, Bart (ed.), "On the need for multipermutations: Cryptanalysis of MD4 and SAFER", Fast Software Encryption, vol. 1008, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 286–297, doi:10.1007/3-540-60590-8_22, ISBN 978-3-540-60590-4, retrieved 2023-07-17