MDS matrix

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

An MDS matrix (maximum distance separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an matrix over a finite field is an MDS matrix if it is the transformation matrix of a linear transformation from to such that no two different -tuples of the form coincide in or more components. Equivalently, the set of all -tuples is an MDS code, i.e., a linear code that reaches the Singleton bound.

Let be the matrix obtained by joining the identity matrix to . Then a necessary and sufficient condition for a matrix to be MDS is that every possible submatrix obtained by removing rows from is non-singular. This is also equivalent to the following: all the sub-determinants of the matrix are non-zero. Then a binary matrix (namely over the field with two elements) is never MDS unless it has only one row or only one column with all components .

Reed–Solomon codes have the MDS property and are frequently used to obtain the MDS matrices used in cryptographic algorithms.

Serge Vaudenay suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, not-necessarily linear functions with this same property. These functions have what he called perfect diffusion: changing of the inputs changes at least of the outputs. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations.

MDS matrices are used for diffusion in such block ciphers as AES, SHARK, Square, Twofish, Anubis, KHAZAD, Manta, Hierocrypt, Kalyna and Camellia, and in the stream cipher MUGI and the cryptographic hash function Whirlpool.


  • Serge Vaudenay (November 16, 1994). On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER (PDF/PostScript). 2nd International Workshop on Fast Software Encryption (FSE '94). Leuven: Springer-Verlag. pp. 286–297. Retrieved 2007-03-05.{{cite conference}}: CS1 maint: uses authors parameter (link)
  • Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers, Erik De Win (February 1996). The Cipher SHARK (PDF/PostScript). 3rd International Workshop on Fast Software Encryption (FSE '96). Cambridge: Springer-Verlag. pp. 99–111. Retrieved 2007-03-06.{{cite conference}}: CS1 maint: uses authors parameter (link)
  • Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson (June 15, 1998). "The Twofish Encryption Algorithm" (PDF/PostScript). Retrieved 2007-03-04. {{cite journal}}: Cite journal requires |journal= (help)CS1 maint: uses authors parameter (link)