Exhaustive Search for Various Types of MDS Matrices

MDS matrices are used in the design of diffusion layers in many block ciphers and hash functions due to their optimal branch number. But MDS matrices, in general, have costly implementations. So in search for efficiently implementable MDS matrices, there have been many proposals. In particular, circulant, Hadamard, and recursive MDS matrices from companion matrices have been widely studied. In a recent work, recursive MDS matrices from sparse DSI matrices are studied, which are of interest due to their low fixed cost in hardware implementation. In this paper, we present results on the exhaustive search for (recursive) MDS matrices over $\mathrm{GL}(4, \mathbb{F}_2)$. Specifically, circulant MDS matrices of order 4, 5, 6, 7, 8; Hadamard MDS matrices of order 4, 8; recursive MDS matrices from companion matrices of order 4; recursive MDS matrices from sparse DSI matrices of order 4, 5, 6, 7, 8 are considered. It is to be noted that the exhaustive search is impractical with a naive approach. We first use some linear algebra tools to restrict the search to a smaller domain and then apply some space-time trade-off techniques to get the solutions. From the set of solutions in the restricted domain, one can easily generate all the solutions in the full domain. From the experimental results, we can see the (non) existence of (involutory) MDS matrices for the choices mentioned above. In particular, over $\mathrm{GL}(4, \mathbb{F}_2)$, we provide companion matrices of order 4 that yield involutory MDS matrices, circulant MDS matrices of order 8, and establish the nonexistence of involutory circulant MDS matrices of order 6, 8, circulant MDS matrices of order 7, sparse DSI matrices of order 4 that yield involutory MDS matrices, and sparse DSI matrices of order 5, 6, 7, 8 that yield MDS matrices. To the best of our knowledge, these results were not known before.
For the choices mentioned above, if such MDS matrices exist, we provide base sets of MDS matrices, from which all the MDS matrices with the least cost (with respect to d-XOR and s-XOR counts) can be obtained. We also take this opportunity to present some results on the search for sparse DSI matrices over finite fields that yield MDS matrices. We establish that there is no sparse DSI matrix $S$ of order 8 over $\mathbb{F}_{2^8}$ such that $S^8$ is MDS.


Introduction
The Lightweight Cryptography (LWC) project is an initiative launched by the National Institute of Standards and Technology (NIST) which aims to create reliable solutions to the problem of securing data in constrained environments. Solutions to these problems are typically given by building symmetric cryptosystems that have a small footprint in hardware and/or low computational complexity. The diffusion layer is one of the key primitives in the design of block ciphers and hash functions, whose major role is to provide an avalanche effect, as this ensures a slight change in inputs causes significant changes in outputs. One way to achieve this is to use MDS matrices as they have optimal branch number [Dae95]. The term MDS originates from coding theory: codes for which the Singleton bound is met are called maximal distance separable codes [MS77]. Over a period of time, several investigations have been made to construct MDS matrices suitable for cryptographic applications. In particular, circulant and Hadamard matrices are widely studied [DR02, GR14, SKOP15, LS16a, LW16, PSA+18]. The early implementations of these matrices are round based. Later in 2011, Guo et al. [GPP11] proposed a new recursive (serialized) method of constructing MDS matrices using companion matrices. Liu et al. [LS16a] observed that the implementation of circulant matrices could also be done in a serialized way. Several constructions of recursive MDS matrices have been studied in [GPP11, WWW12, AF13, KPPY14, AF14, GPV17, SSSM17, TTKS18]. In 2018, Toh et al. [TTKS18] proposed a new matrix structure known as Diagonal-Serial Invertible (DSI) matrices and its variant, sparse DSI matrices. The benefit of using a sparse DSI matrix is that its fixed cost is close to half the cost of other matrix types of the same order (see Table 2). The ultimate goal of this line of research is to obtain MDS matrices with low hardware cost.
In many designs of block ciphers, if the diffusion matrix in encryption is $M$ then the diffusion matrix in decryption is $M^{-1}$. If the MDS matrix is involutory or orthogonal, then the same matrix can be used in both encryption and decryption, and hence the overall hardware cost can be reduced. It is known that there is no involutory circulant MDS matrix over fields of even characteristic (see [GR14, CL19]). But there exist involutory circulant MDS matrices over the general linear group $\mathrm{GL}(m, \mathbb{F}_q)$ (see [LW16]). It is also known that there is no companion matrix over fields of even characteristic which yields an involutory MDS matrix (see [GPV19, Theorem 2]). The involutory Hadamard MDS matrices are studied in [SKOP15].
Many of the constructions consider MDS matrices over finite fields. The finite field $\mathbb{F}_q$ with $q = 2^m$ can be interpreted as the $m$-dimensional vector space $\mathbb{F}_2^m$. With respect to some basis, the multiplication mapping of an element in $\mathbb{F}_{2^m}^*$ can be interpreted as a nonsingular binary matrix in $\mathrm{GL}(m, \mathbb{F}_2)$. So the MDS matrices over $\mathbb{F}_{2^m}$ can also be interpreted as MDS matrices over $\mathrm{GL}(m, \mathbb{F}_2)$. In search for efficient MDS matrices, as a generalization, block matrices over $\mathrm{GL}(m, \mathbb{F}_2)$ are considered. Despite the impressive progress made so far, exhaustive search for MDS matrices over $\mathrm{GL}(m, \mathbb{F}_2)$ has remained elusive for some parameter choices of practical importance. There have been many works that employ some ad hoc techniques to search for efficient MDS matrices over $\mathrm{GL}(m, \mathbb{F}_2)$. If the exhaustive search is possible then the best MDS matrices that have the least cost/optimal with respect to some efficiency metrics can be identified. With a naive approach, it is difficult to search for MDS matrices exhaustively for some parameter choices. For instance, the size of the search space of $8 \times 8$ circulant matrices over $\mathrm{GL}(4, \mathbb{F}_2)$ is approximately $2^{112}$ as $|\mathrm{GL}(4, \mathbb{F}_2)| \approx 2^{14}$. So it is of great interest to study different properties of the block matrices over $\mathrm{GL}(4, \mathbb{F}_2)$ to reduce the search space. In practice, the concept of equivalence classes of a particular matrix type is used to reduce the search space, as was done in [LS16a] for circulant matrices and in [SKOP15] for Hadamard matrices. In this work, we present a method to exhaustively search for MDS matrices over $\mathrm{GL}(m, \mathbb{F}_2)$ in which we use conjugacy classes and restricted conjugacy classes in order to reduce the search space. We also identify the best MDS matrices over $\mathrm{GL}(4, \mathbb{F}_2)$ by considering the hardware cost metrics d-XOR count and s-XOR count.

Our contribution:
We first consider four types of MDS matrices over $\mathrm{GL}(4, \mathbb{F}_2)$: circulant, Hadamard, recursive MDS matrices from companion and sparse DSI matrices (see Section 2 for definitions). We also present a one-to-one correspondence between circulant MDS matrices and cyclic MDS matrices, and so it is enough to search for circulant MDS matrices. We use the conjugacy classes and the restricted conjugacy classes discussed in Section 2.2 to restrict the search to a smaller domain. We apply some space-time trade-off techniques to speed up the search/computation. For this purpose, we exploit the nonsingularity of $2 \times 2$ submatrices consisting of some component pairs/triplets. We also use a look-up table for inverses of the matrices in $\mathrm{GL}(4, \mathbb{F}_2)$. From the set of solutions in the restricted domain, one can easily generate all the solutions in the full domain. We have implemented the search for the following parameter choices: circulant matrices of order 4, 5, 6, 7, 8, Hadamard matrices of order 4, 8, companion matrices of order 4, sparse DSI matrices of order 4, 5, 6, 7, 8. The problem of constructing involutory circulant MDS matrices of order 6, 8 over $\mathrm{GL}(m, \mathbb{F}_2)$, $m = 4, 8$ was mentioned in [LW16]. Also the problem of generalizing the sparse DSI matrices over $\mathrm{GL}(m, \mathbb{F}_2)$ was mentioned in [TTKS18]. From the experimental results, we have the following observations. To the best of our knowledge, these results were not known before.
4. There exists a companion matrix $L$ of order 4 over $\mathrm{GL}(4, \mathbb{F}_2)$ such that $L^4$ is an involutory MDS matrix.
5. There is no sparse DSI matrix $S$ of order $n$ over $\mathrm{GL}(4, \mathbb{F}_2)$ such that $S^n$ is MDS for $n = 5, 6, 7, 8$.
6. There is no sparse DSI matrix $S$ of order 4 over $\mathrm{GL}(4, \mathbb{F}_2)$ such that $S^4$ is involutory MDS.
In our experimental results, we consider the hardware cost metrics d-XOR count and s-XOR count to identify the best matrices. From our search results, for the parameter choices considered, where MDS matrices were known before, we establish that they are the best with respect to these metrics. We can also see many negative results on the existence of MDS matrices for some parameter choices. In the first case finding a better MDS matrix than the known ones and in the other case finding an MDS matrix is a futile attempt. Now with our results such unsuccessful attempts can be avoided. We are also able to provide MDS matrices in some cases which were not known before. We provide our experimental results at https://www.isichennai.res.in/~venku/MDS/es_mds.html. The base lists of MDS matrices are also available. One can generate all the MDS matrices using our base lists of matrices, and search exhaustively to find the best matrices with respect to some other cost metrics or suitable for a particular platform of implementation.
Note that, in our search for efficient matrices, we try to optimize the cost with respect to the hardware cost metrics d/s-XOR count, by choosing the components of the matrices having low d/s-XOR count. Recently there have been many works which try to optimize the total cost by considering the full matrix instead of local optimization. The first work [KLSW17] in this line exhibits an implementation of the AES MixColumn matrix with 97 XOR gates. In [BFI19, TP19] some improved heuristics are proposed to get better implementations of binary matrices in the sense of the number of XOR gates required. As pointed out by the anonymous reviewers, it is possible to have implementations with fewer XOR gates when the cost of the full matrix implementation is considered for the matrices presented in the appendix. In future we would like to apply global optimization tools for the matrices considered. We will make the results available at https://www.isichennai.res.in/~venku/MDS/es_mds.html.
Next we consider sparse DSI matrices over finite fields. In [TTKS18] the authors have provided examples of sparse DSI matrices for some parameter values, and it was mentioned as an open problem to construct higher order sparse DSI matrices. For this purpose, we first analyze the structure of (sparse) DSI matrices over finite fields. We provide several results on the equivalence of these matrices in the sense of preserving MDS property. By using these results, we are able to search exhaustively for MDS matrices that can be obtained from the sparse DSI matrices of order $n$ over $\mathbb{F}_{2^m}$ for $n = 4, 5, 6, 7, 8$ and $m = 4, 5, 6, 7, 8$, and for $n = 8$ and $m = 9$. Also note that it is possible to search for higher order recursive MDS matrices of this type with our idea. From the experimental results, we have the following observations.
1. There is no sparse DSI matrix $S$ of order 8 over $\mathbb{F}_{2^m}$ for $m = 4, 5, 6, 7, 8$ such that $S^8$ is MDS.
2. We have a recursive MDS matrix from sparse DSI matrices of order 7 which is better than the known ones.
In the next section we provide notation and definitions. We also provide some basic results that we use later. In Section 2.1 we discuss the hardware cost metrics d-XOR count and s-XOR count. In Section 2.2 we discuss conjugacy classes and restricted conjugacy classes. In Section 3 we first discuss some basic results. We then present our results on reducing the search space for circulant matrices. We discuss this case in more detail. Later we present similar search techniques for Hadamard, companion and sparse DSI matrices. In Section 3.5 we consider the case of sparse DSI matrices over finite fields. We provide some experimental results in the appendix. We conclude this paper in Section 4.

Notation and Preliminaries
Let $\mathbb{F}_q$ be the finite field containing $q$ elements with $\mathrm{char}(\mathbb{F}_q) = 2$. The ring of $m \times m$ matrices over $\mathbb{F}_q$ is denoted by $\mathcal{M}(m, \mathbb{F}_q)$ and the general linear group consisting of nonsingular $m \times m$ matrices over $\mathbb{F}_q$ is denoted by $\mathrm{GL}(m, \mathbb{F}_q)$. For simplicity we use $\mathcal{M}_m$ for $\mathcal{M}(m, \mathbb{F}_2)$. We consider some special matrices where the entries are either from the finite field $\mathbb{F}_q$ or from the matrix ring $\mathcal{M}_m$. Let $\mathcal{M}(n, m)$ be the set of $n \times n$ block matrices over $\mathcal{M}_m$ and $\mathcal{D}(n, m)$ be the set of block diagonal matrices over $\mathrm{GL}(m, \mathbb{F}_2)$. Also let $\mathcal{P}(n, m)$ be the set of $n \times n$ block permutation matrices over $\mathcal{M}_m$ and $\mathcal{P}_m$ be the set of $m \times m$ permutation matrices over $\mathbb{F}_2$. So the elements of $\mathcal{M}(n, m)$, $\mathcal{D}(n, m)$ and $\mathcal{P}(n, m)$ can be viewed as $mn \times mn$ binary matrices. Note that the matrices in $\mathcal{D}(n, m)$ and $\mathcal{P}(n, m)$ are nonsingular. For $M \in \mathcal{M}(n, m)$, the $(i, j)$-th entry of the block matrix $M$ is denoted by $M[i, j]$ for $0 \le i, j \le n-1$. We denote a matrix $D \in \mathcal{D}(n, m)$ with $\mathrm{Diag}(P_0, \ldots, P_{n-1})$, where $P_i$'s are the diagonal entries of $D$, i.e., $D[i, i] = P_i$. The identity matrix in $\mathcal{M}_m$ is denoted by $I_m$ and the identity matrix in $\mathcal{M}(n, m)$ is denoted by $I_{m,n}$ which is the same as $I_{mn}$. If the block matrix $D = \mathrm{Diag}(P, P, \ldots, P) \in \mathcal{D}(n, m)$ for some $P \in \mathrm{GL}(m, \mathbb{F}_2)$ then $D = P I_{m,n}$, and so we simply write $D = \mathrm{Diag}(P)$. The zero matrix/vector is denoted by 0 with suitable size.
We can interpret a column vector $v \in \mathbb{F}_2^{mn}$ as a column vector in $(\mathbb{F}_2^m)^n$, say $v = (v_0, v_1, \ldots, v_{n-1})$. The $m$-block weight $\mathrm{wt}_m(v)$ of $v$ is defined as the number of nonzero component vectors, i.e., wt m (v) = |{v i : m) be a block matrix. The transpose of $M$ denoted by $M^T$ is the usual transpose considering $M$ as an $mn \times mn$ binary matrix, i.e., $M^T[i, j] = M[j, i]^T$. The branch number of a block matrix $M \in \mathcal{M}(n, m)$ is defined as follows.
Definition 1. Let $M \in \mathcal{M}(n, m)$. The differential branch number of $M$ is defined as and the linear branch number of $M$ is defined as Similarly, we can also define the branch number of a matrix $M$ of order $n$ over a finite field $\mathbb{F}_{2^m}$ by considering the Hamming weight instead of the $m$-block weight. It is easy to see that $B_d$ and $B$ of any matrix $M \in \mathcal{M}(n, m)$ are less than or equal to $n + 1$.
We can also define MDS matrices over finite fields analogously. Evidently, MDS matrices have the maximal branch number. So if the matrix used in a diffusion layer is MDS then a change in a single component of the input vector leads to changes in all the components of the output vector. The following characterization of MDS matrices is an important tool to verify whether a matrix is MDS or not.
Theorem 1. (See [BR99]) A matrix $M \in \mathcal{M}(n, \mathbb{F}_q)$ is MDS if and only if every square submatrix of $M$ is nonsingular. Similarly, a block matrix $M \in \mathcal{M}(n, m)$ is MDS if and only if every square block submatrix of $M$ is nonsingular.
The following results can easily be seen from the above theorem.
In many designs of block ciphers, one needs to implement $M^{-1}$ in the decryption if the diffusion layer in the encryption is given by $M$. In such cases, involutory matrices are more suitable.
Definition 3. A square matrix $M$ is said to be involutory if $M^2$ is equal to the identity matrix. An involutory MDS matrix is an MDS matrix which is involutory.
The main advantage of an involutory matrix $M$ is that its inverse is also $M$. So if an involutory MDS matrix is used in a diffusion layer, then the diffusion layer process is exactly the same in both encryption and decryption.
Next we define various types of matrices that we study in this paper. Specifically, circulant, cyclic, Hadamard, companion and (sparse) DSI matrices are considered. We define these matrices over $\mathcal{M}_m$, and one can easily see the appropriate form of the definitions when such matrices are considered over finite fields.
Definition 4. A circulant matrix $C$ of order $n$ over $\mathcal{M}_m$ is a block matrix where each subsequent row is a right rotation by 1 of the previous row. So the matrix $C$ can be determined by its first row, and we denote such a matrix $C$ as $\mathrm{Cir}(C_0, C_1, \ldots, C_{n-1})$, where $C_i$'s are the entries of its first row. The $(i, j)$-th entry of $C$ can be expressed as The diffusion matrix used in the block cipher AES [DR02] is a circulant matrix. One may consider any permutation which is a full cycle instead of the right rotation by 1 as in the case of circulant matrices. In this direction, as a generalization of circulant matrices, cyclic matrices were proposed in [LS16a] which we define below.
Definition 5. Let $\rho$ be a cycle of length $n$ in the permutation group of $\{0, 1, \ldots, n-1\}$. A cyclic matrix $C_\rho$ of order $n$ determined by the ordered tuple $(C_0, C_1, \ldots,$ The circulant matrices are also cyclic matrices and the corresponding permutation is The number of cycles of length $n$ in the permutation group of $\{0, 1, \ldots, n-1\}$ is $(n-1)!$. The size of the permutation group of $\{1, \ldots, n-1\}$ is also $(n-1)!$. The following result gives a one-to-one correspondence between circulant matrices and cyclic matrices. In the discussion below, the columns/rows of a matrix in $\mathcal{M}(n, m)$ are indexed from 0 to $n-1$.
Lemma 3. Let $\rho$ be a cycle of length $n$ in the permutation group of $\{0, 1, \ldots, n-1\}$. Given a cyclic matrix $C_\rho = \mathrm{Cyc}_\rho(C_0, C_1, \ldots, C_{n-1})$ there exists a permutation $\pi$ of the columns 1 to $n-1$ such that the matrix obtained by applying $\pi$ on $C_\rho$ is a circulant matrix. Similarly, given a circulant matrix $C$, any permutation $\pi$ of the columns 1 to $n-1$ of $C$ gives a cyclic matrix for some cycle $\rho$ of length $n$ in the permutation group of $\{0, 1, \ldots, n-1\}$.
It can easily be seen that the mapping given by $\rho \to \pi$ is a bijection. Let $P$ be the permutation matrix in $\mathcal{P}(n, m)$ corresponding to the extended permutation $\pi$ given by $\pi(0) = 0$ and $\pi(j) = \pi(j)$ for $1 \le j \le n-1$. Now consider $C = C_\rho P$, the matrix obtained by permuting the columns from 1 to $n-1$ of $C_\rho$ corresponding to $\pi$. Observe that the column 0 of $C$ and $C_\rho$ are the same and it is given by Then the $j$-th column of $C_\rho$ and the $(n - i_j)$-th column of $C$ are the same, and it is given by [ ), and hence the result.
The above result can also be derived with a similar argument as in the proof of [LS16a, Theorem 3]. Another important class of matrices is Hadamard matrices defined below.
Definition 6. Let $n = 2^t$. An $n \times n$ block matrix over $\mathcal{M}_m$ is called a Hadamard matrix if it can be expressed as follows: where $H_1$ and $H_2$ are also Hadamard matrices of order $2^{t-1}$ over $\mathcal{M}_m$. Note that if the first row of $H$ is given by the ordered tuple $(H_0, H_1, \ldots,$ We denote such a matrix $H$ as $\mathrm{Had}(H_0, H_1, \ldots, H_{2^t-1})$.
There has been a lot of study on the design of lightweight ciphers. In 2011, Guo et al. proposed a new type of matrices known as recursive MDS matrices suitable for lightweight applications [GPP11]. The main idea in their proposal is to use some power of a companion matrix in the diffusion layer. The advantage of a companion matrix is that it can be implemented by an LFSR, and the diffusion layer can be implemented by clocking the LFSR several times.
Definition 7. Let $r$ be a positive integer. A matrix $M$ is said to be recursive MDS or $r$-MDS if the matrix $M^r$ is MDS. If $M$ is $r$-MDS then we say $M$ yields an MDS matrix.
Remark 1. It is easy to see from Lemmas 1 and 2 that if $M$ is $r$-MDS then $M^T$ and $M^{-1}$ are also $r$-MDS.
In our work, we consider recursive MDS matrices of the types companion and sparse DSI, and for such a matrix $M$ of order $n$, the matrix $M^r$ cannot be MDS for $r < n$. If $M^r$ is MDS for $r \ge n$ then the matrix $M$ needs to be applied $r$ times in the serialized implementation of the diffusion layer. So the best case is to see whether $M^n$ is MDS or not. So, in our experiments, we consider recursive MDS matrices that are $n$-MDS only. Also we say a matrix $M$ is involutory $n$-MDS, if $M$ is $n$-MDS and $M^{2n}$ is the identity matrix.

Definition 8. A companion matrix L associated to the ordered tuple (L
We denote such a matrix $L$ as $\mathrm{Comp}(L_0, L_1, \ldots, L_{n-1})$. The matrix $L$ is often associated with the matrix polynomial $\Phi$ In a recent work [TTKS18], the authors have proposed another type of recursive MDS matrices known as sparse DSI matrices. The definitions presented below are slightly different from the definitions in [TTKS18]. However, as we will see later in Section 3.5, these matrices are similar and so it is okay to consider them in this manner.
Definition 9. Let $n \ge 2$ be an integer. A Diagonal-Serial Invertible (DSI) matrix $S = (S[i, j])_{0 \le i, j \le n-1}$ of order $n$ determined by the ordered tuples $(A_0, A_1, \ldots,$ We denote such a matrix $S$ as $\mathrm{DSI}(B_0, B_1, \ldots, B_{n-1}; A_0, A_1, \ldots, A_{n-1})$.
In the above definition, we consider
Definition 10. Let $n \ge 2$ be an integer and $k = \lfloor \frac{n+1}{2} \rfloor$. A Diagonal-Serial Invertible matrix $S$ of order $n$ determined by the ordered tuples $(A_0, A_1, \ldots,$ is said to be sparse or simply sparse DSI if $B_i = 0$ for $i$ odd and $B_i \in \mathrm{GL}(m, \mathbb{F}_2)$ for $i$ even. The $(i, j)$-th entry of the sparse DSI matrix $S$ is given by We denote such a matrix $S$ with $\mathrm{SpDSI}(B_0, B_2, \ldots, B_{2(k-1)}; A_0, A_1, \ldots, A_{n-1})$ as we have $B_i = 0$ for $i$ odd.
In the above definition, in the case when $n$ is odd, we consider $B_i = 0$ for $i$ odd, whereas [TTKS18]. In the case when $n$ is even, our definition matches with that of [TTKS18].
The recursive MDS matrices from sparse DSI matrices are of importance due to their low fixed cost in hardware implementation (see Section 2.1). In the case where $n$ is even, the GFS matrices (of suitable order) proposed in [WWW12, Section 5] have the same fixed cost in hardware implementation. We have the following observation on the relation between GFS matrices and sparse DSI matrices.
Remark 2. Let $n = 2k$ and $S = \mathrm{SpDSI}(B_0, B_2, \ldots, B_{2(k-1)}; A_0, A_1, \ldots, A_{n-1})$ be a sparse DSI matrix with $A_i = I_m$ for $i$ odd. The inverse of the sparse DSI matrix $S$ is a GFS matrix defined in [WWW12, Section 5]. Note that if $M$ is an $n$-MDS matrix then its inverse $M^{-1}$ is also an $n$-MDS matrix. So we can view the sparse DSI matrices as a generalization of the GFS matrices proposed in [WWW12, Section 5].
Let $\mathcal{C}(n, m)$ and $\mathcal{H}(n, m)$ denote the set of MDS matrices in $\mathcal{M}(n, m)$ of the type circulant and Hadamard respectively. Also let $\mathcal{L}(n, m)$ and $\mathcal{S}(n, m)$ denote the set of $n$-MDS matrices in $\mathcal{M}(n, m)$ of the type companion and sparse DSI matrices respectively.
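
Theorem 1 and Definition 4 can be exercised together on the AES MixColumns circulant, which the text cites as a circulant diffusion matrix. The following is an added example, not code from the paper: it lifts each field entry to its multiplication matrix in GL(8, F_2) and tests every square block submatrix for nonsingularity. The AES field polynomial, the first row (02, 03, 01, 01), the constructed non-MDS first row (02, 02, 01, 01) and all function names are assumptions of the example.

```python
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES field; assumption of this example)
M = 8             # block size m: every entry is an 8 x 8 binary matrix


def gf_mul(a, b):
    """Multiply two elements of F_{2^8} in the polynomial basis."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= AES_POLY
    return r


def mult_matrix(alpha):
    """Matrix of x -> alpha*x in GL(8, F_2) as 8 row bitmasks (bit j = column j)."""
    cols = [gf_mul(alpha, 1 << j) for j in range(M)]  # column j is alpha * x^j
    return [sum(((cols[j] >> i) & 1) << j for j in range(M)) for i in range(M)]


def circulant(first_row):
    """Cir(C_0, ..., C_{n-1}): each row is the previous row rotated right by 1."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def rank_f2(rows):
    """Rank over F_2 of a binary matrix given as a list of row bitmasks."""
    rows = list(rows)
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot  # lowest set bit is the pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank


def flatten(block_matrix, rows, cols):
    """View the block submatrix on (rows, cols) as a (k*m) x (k*m) binary matrix."""
    return [
        sum(block_matrix[i][j][a] << (M * pos) for pos, j in enumerate(cols))
        for i in rows
        for a in range(M)
    ]


def singular_submatrices(block_matrix):
    """Index sets (rows, cols) of every singular square block submatrix."""
    n = len(block_matrix)
    bad = []
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if rank_f2(flatten(block_matrix, rows, cols)) < k * M:
                    bad.append((rows, cols))
    return bad


def is_mds(block_matrix):
    """Theorem 1: MDS if and only if no square block submatrix is singular."""
    return not singular_submatrices(block_matrix)


def as_blocks(field_matrix):
    """Replace every field entry by its multiplication matrix over F_2."""
    return [[mult_matrix(e) for e in row] for row in field_matrix]


AES_MIXCOLUMNS = as_blocks(circulant([0x02, 0x03, 0x01, 0x01]))
# Constructed counterexample: all entries are nonsingular, yet it is not MDS.
NOT_MDS = as_blocks(circulant([0x02, 0x02, 0x01, 0x01]))

if __name__ == "__main__":
    print("AES MixColumns is MDS:", is_mds(AES_MIXCOLUMNS))
    print("singular submatrices of Cir(02,02,01,01):", singular_submatrices(NOT_MDS))
```

For order 4 the check visits 69 square block submatrices; the counterexample shows that nonsingular entries alone are necessary but not sufficient.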

Hardware Implementation -XOR Count
Suppose that $M \in \mathcal{M}(n, m)$ is an MDS matrix used in a diffusion layer. So the diffusion layer is given by the mapping Essentially, we need to evaluate the cost of hardware implementation of the mapping $u \mapsto Mu$ for some $M \in \mathrm{GL}(m, \mathbb{F}_2)$ and $u \in \mathbb{F}_2^m$. For this purpose, we count the number of XOR gates required in its hardware implementation. There are two metrics proposed in the literature. The direct XOR count was introduced in [KPPY14], and later in [JPST17] another metric known as the sequential XOR count was introduced. We below define both the XOR count metrics. For more details on the two metrics of XOR count, we refer to [Köl19] and references therein.
where ω(M) denotes the number of ones in the matrix M.
Definition 12. Let $M \in \mathrm{GL}(m, \mathbb{F}_2)$ be a nonsingular $m \times m$ binary matrix. The sequential XOR count (s-XOR count) of $M$ denoted by s-XOR($M$) is equal to if is the smallest non-negative integer such that $M$ can be expressed as where $P \in \mathcal{P}_m$ and $E_{i,j}$, $i \neq j$, is a binary matrix with 1 as $(i, j)$-th entry and 0 elsewhere.
We have the following result on the XOR counts.
For any two permutation matrices $P$ and $Q$ in $\mathcal{P}_m$, we have We have $|\mathrm{GL}(4, \mathbb{F}_2)| = 20{,}160$. In Table 1 we present the number of matrices in $\mathrm{GL}(4, \mathbb{F}_2)$ with their d-XOR and s-XOR counts. In the case where the elements of an MDS matrix are from a finite field $\mathbb{F}_q$, we need to implement field element multiplication. We can consider $\mathbb{F}_q$ with $q = 2^m$ as the $m$-dimensional vector space $\mathbb{F}_2^m$. By distributive property, it can easily be seen that for $\alpha \in \mathbb{F}_q$, the field element multiplication by $\alpha$ given by $x \mapsto \alpha x$ is a linear function over $\mathbb{F}_2$. For defining the XOR count of $\alpha \in \mathbb{F}_q$, we consider the matrix representation $M_{\alpha,B}$ of the mapping $x \mapsto \alpha x$ with respect to some basis $B$ of $\mathbb{F}_q$ over $\mathbb{F}_2$.
Definition 13. Let $\alpha \in \mathbb{F}_q$ and $B$ be a basis of $\mathbb{F}_q$ over $\mathbb{F}_2$, where $q = 2^m$. Let $M_{\alpha,B} \in \mathrm{GL}(m, \mathbb{F}_2)$ be the matrix representation of the mapping $x \mapsto \alpha x$ with respect to the basis $B$. The d-XOR count and the s-XOR count of $\alpha$ with respect to the basis $B$, denoted by d-XOR($\alpha$, $B$) and s-XOR($\alpha$, $B$) respectively, is as follows: Observe that the d/s-XOR count of $M_{\alpha,B}$ generally differs from the d/s-XOR count of $M_{\alpha,B'}$ for different bases $B$ and $B'$. In [BKL16], the authors studied methods to find a basis with which the s-XOR count of a finite field element is optimal.
We use XOR($A$) to denote the XOR count of a matrix $A \in \mathcal{M}_m$ and it can be either the d-XOR count or the s-XOR count of $A$ unless otherwise mentioned. Note that the circulant (cyclic) MDS and the recursive MDS matrices from the companion or sparse DSI matrices can have a serialized implementation. So the variable cost depends on the elements determining such matrices. The XOR count of these matrices is the number of XOR gates required in one iteration/step of their serialized implementation. Though it is nontrivial to implement Hadamard matrices in a serialized manner, we follow the convention, and consider the cost of implementing its defining elements for the purpose of comparison. We refer to [TTKS18, Section 4.3 & 5] for more details on the XOR count of these matrices. We often use Cost($M$) to denote the XOR count of a matrix $M$. In Table 2 we present XOR counts/Costs of the matrices that we consider (see also [TTKS18, Section 5]). The last component in the entries of the second column in Table 2 gives the fixed cost of the corresponding matrices, and it depends on the size of the matrix but not on the entries of the matrix. Note that the fixed cost of sparse DSI matrices is close to half the cost of other matrix types of the same order.
Next we discuss conjugacy classes and restricted conjugacy classes.These classes play an important role in the exhaustive search for MDS matrices which we discuss in Section 3.

Conjugacy Classes and Restricted Conjugacy Classes
Let $G = \mathrm{GL}(m, \mathbb{F}_q)$ be the general linear group of order $m$ over $\mathbb{F}_q$. For $A, B \in G$, we say $A$ is similar to $B$ or $A \sim B$ if there exists $P \in G$ such that $B = P^{-1}AP$. It is well known that the similarity relation is an equivalence relation on $G$. A related concept in group theory is $G$ acting on itself by conjugation. And so the equivalence classes are known as conjugacy classes. For $A \in G$, the orbit or conjugacy class containing $A$ is given by Let $N_G$ denote a set of representatives of the distinct conjugacy classes.
Lemma 5. [Sta12, p. 138] The number of distinct conjugacy classes in the group $G = \mathrm{GL}(4, \mathbb{F}_q)$ is given by The centralizer of an element $A \in G$ is defined by It is also well known that $C_G(A)$ forms a subgroup of $G$. Now consider the action of $C_G(A)$ on $G$ by conjugation. For $B, C \in G$, we say $B \sim_A C$ if there exists $P \in C_G(A)$ such that $C = P^{-1}BP$.
It is easy to see that this is an equivalence relation. We call these equivalence classes as $A$-restricted conjugacy classes. For $A \in G$, the $A$-restricted conjugacy class containing $B \in G$ is given by cc Let $N_G^A$ denote a set of representatives of the distinct $A$-restricted conjugacy classes. For the case where $G = \mathrm{GL}(4, \mathbb{F}_2)$, we present below a set $N_G$ and the sizes of $N_G^A$ for $A \in N_G$. Note that by Lemma 5 we have $|N_G| = 14$. In the table below we represent a matrix $A \in G = \mathrm{GL}(4, \mathbb{F}_2)$ given by by the integer value $\sum_{i=0}^{15} a_i 2^i$ in hexadecimal form. For example the identity matrix $I \in G$ is represented by 0x8421. Observe that The numbers in Table 3 do not depend on the choice of representatives $N_G$. We now present our main results in the next section.
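
The counts quoted in this section can be reproduced by brute force. The following is an added example, not the authors' search code: it enumerates GL(4, F_2) in the 16-bit encoding described above, partitions it into conjugacy classes, and computes A-restricted conjugacy classes for a chosen A. The bit layout (entry (i, j) stored as bit 4i + j) is an assumption that is consistent with the identity being 0x8421, and the function names are hypothetical.

```python
IDENT = 0x8421  # identity matrix in the 16-bit encoding quoted in the text


def rank4(a):
    """Rank over F_2 of an encoded 4x4 matrix (row i is the nibble at bits 4i..4i+3)."""
    rows = [(a >> s) & 15 for s in (0, 4, 8, 12)]
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank


def general_linear_group():
    """All nonsingular 4x4 binary matrices, as encoded integers."""
    return [a for a in range(1 << 16) if rank4(a) == 4]


def mul(a, b):
    """Product A*B over F_2: row i of the result is the XOR of the rows of B selected by row i of A."""
    b0, b1, b2, b3 = b & 15, (b >> 4) & 15, (b >> 8) & 15, (b >> 12) & 15
    out = 0
    for s in (0, 4, 8, 12):
        row = (a >> s) & 15
        r = 0
        if row & 1:
            r ^= b0
        if row & 2:
            r ^= b1
        if row & 4:
            r ^= b2
        if row & 8:
            r ^= b3
        out |= r << s
    return out


def inverse(a):
    """Inverse of a nonsingular matrix: the last power of A before the powers reach the identity."""
    p = a
    while True:
        q = mul(p, a)
        if q == IDENT:
            return p
        p = q


def centralizer(group, a):
    """C_G(A): all P in G that commute with A."""
    return [p for p in group if mul(p, a) == mul(a, p)]


def orbits(points, actors):
    """Partition `points` into orbits of X -> P^-1 X P for P in the subgroup `actors`."""
    pairs = [(inverse(p), p) for p in actors]
    seen, result = set(), []
    for x in points:
        if x not in seen:
            orbit = {mul(mul(p_inv, x), p) for p_inv, p in pairs}
            seen |= orbit
            result.append(orbit)
    return result


def conjugacy_classes(group):
    """Conjugacy classes of G: orbits of G acting on itself."""
    return orbits(group, group)


def restricted_classes(group, a):
    """A-restricted conjugacy classes: orbits of G under conjugation by C_G(A)."""
    return orbits(group, centralizer(group, a))


if __name__ == "__main__":
    G = general_linear_group()
    classes = conjugacy_classes(G)
    print("|GL(4, F_2)| =", len(G))
    print("conjugacy classes:", len(classes))
    for cls in sorted(classes, key=len):
        rep = min(cls)
        print(f"rep 0x{rep:04x}  class size {len(cls):5d}  |C_G(rep)| {len(G) // len(cls)}")
```

The representatives printed here are the smallest encodings in each class and need not coincide with the set chosen in the paper's table.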

Exhaustive Search for MDS Matrices
If a circulant matrix $C \in \mathcal{M}(n, m)$ is MDS then all the entries must be nonsingular. In a naive approach, in order to exhaustively search for circulant MDS matrices, the number of candidates for which we need to verify the MDS property is $|\mathrm{GL}(m, \mathbb{F}_2)|^n$, which is practically difficult for $m = 4$ and $n \ge 4$. Note that $|\mathrm{GL}(4, \mathbb{F}_2)| = 20{,}160 > 2^{14}$. It is the same for other types of matrices as well. In this section we first present some basic results without proofs. By using these basic results and the results on the conjugacy classes, we are able to reduce the search domain. In order to exhaustively search for circulant MDS matrices, it is enough to search for circulant MDS matrices in this reduced domain. We also apply some space-time trade-off techniques to speed up the search/computation. For given parameters and the type of matrix, from the MDS matrices in the reduced search domain, one can easily get all the MDS matrices of that type. Next we present some basic results on the similarity/equivalence of (recursive) MDS matrices. Similarly, we can also define diagonal/permutation equivalence/similarity for matrices in $\mathcal{M}(n, \mathbb{F}_q)$, and one can easily see that Lemmas 6 to 9 are also valid for this case.
If the matrix $M \in \mathcal{M}(n, m)$ is MDS then it is necessary that all the $2 \times 2$ block submatrices of $M$ are nonsingular. The number of $2 \times 2$ block submatrices of $M$ is given by $\binom{n}{2}^2$. It may happen that some of these submatrices are multiples of another submatrix by block permutation matrices. By the following result, it is possible to reduce the number of $2 \times 2$ submatrices for which we need to verify the nonsingularity and thus we can avoid some unnecessary checks.
Lemma 10. Let $M \in \mathcal{M}(n, m)$ be an $n \times n$ block matrix over $\mathcal{M}_m$. Let $P, Q \in \mathcal{P}(n, m)$ be permutation matrices. The matrix $M$ is nonsingular if and only if $PMQ$ is nonsingular. In particular, if To verify the nonsingularity of $2 \times 2$ block matrices, we use the following result.
Lemma 11. Suppose that Then we have $M$ is nonsingular if and only if To verify the nonsingularity of higher order block submatrices, we use the recursive formulas given in [Pow11]. In particular, we use the formula given in [Pow11, Section 4.2] for $3 \times 3$ block matrices.
Let $G = \mathrm{GL}(m, \mathbb{F}_2)$ and $N_G$ denote a set of representatives of the distinct conjugacy classes. For $A \in N_G$, let $N_G^A$ denote a set of representatives of the distinct $A$-restricted conjugacy classes. Recall that, for $P \in G$, the block diagonal matrix $\mathrm{Diag}(P) = P I_{m,n}$. Next we discuss our technique to reduce the search space using conjugacy classes and restricted conjugacy classes. The results are presented in a more general form, but for the experimental results we consider $m = 4$ and the order $n$ of the matrices will be specified.

Circulant Matrices
In this section we consider circulant matrices over M m .In order to perform exhaustive search, we first reduce the search space using conjugacy/restricted conjugacy classes.
Theorem 2. Let i, j, k ∈ {0, 1, . . ., n − 1} be distinct integers.For any circulant MDS matrix Proof.First note that the product of a circulant matrix and a block diagonal matrix of the form Diag(P) is a circulant matrix.Let us consider P 1 = C −1 i .Suppose that P 1 C j ∈ cc(A) for some A ∈ N G .Then there exists a matrix P 2 ∈ G = GL(m, F 2 ) such that P 1 C j = P 2 AP −1 2 .Now consider the matrix 2 )Diag(P 1 )CDiag(P 2 ).
Observe that we have We take Q = P −1 3 P −1 2 and P = P −1 1 Q −1 , and it is easy to see that is in the required form.By Lemma 6 we can see that the matrix C is MDS.
Observe that in order to search for circulant MDS matrices of order n over M m , it is enough to search for circulant MDS matrices of the form C given in Theorem 2. We have We can then get all the solutions C by C = Diag(P −1 )C Diag(Q −1 ), where P, Q ∈ GL(m, F 2 ).
We now illustrate the main ideas of our search technique by considering the case of circulant matrices of order 8 over G = GL(4, F_2). Let C = Cir(C_0, C_1, ..., C_7) be a circulant matrix of order 8 over GL(4, F_2). In our search, we choose We first collect all the distinct 2 × 2 submatrices of C whose nonsingularity we need to check in order to verify the MDS property of C. We eliminate unnecessary checks by using Lemma 10. In fact, we need to check the nonsingularity of 100 distinct 2 × 2 submatrices of C in this case. We have as a 2 × 2 submatrix of C. So we have exactly 5 choices for C_4 such that the matrix M is nonsingular (we need to verify whether I_4 + C_4^2 is nonsingular or not). We have 7 submatrices of order 2 involving C_2, C_6 and C_4. For a fixed choice of C_4, we verify whether these 7 submatrices are nonsingular or not. We store all the choices of C_2, C_6 that satisfy the required conditions in a list for later use. We have 5 submatrices of order 2 involving C_1, C_5 and C_4 (also with C_3, C_7 and C_4). For a fixed choice of C_4, we create lists of valid choices of the pairs (C_1, C_5) and (C_3, C_7) satisfying the required nonsingularity conditions. We now proceed to verify the nonsingularity of the other 2 × 2 submatrices. By creating lists, we are able to substantially reduce the number of candidates for which we need to verify the remaining conditions. While verifying the remaining conditions, if we encounter a singular submatrix then we exit permanently and move on to verify the next candidate. Finally we prepare a list of potential candidates C for which all the 2 × 2 submatrices of C are nonsingular. Now we verify the determinants of submatrices of order ≥ 3 recursively by using the formulas in [Pow11]. As usual, in the process of verification, if we encounter a singular submatrix, we exit permanently and move on to verify the next candidate. Since C_0 = I_4 and there are few choices for C_4, from the conditions on the 2 × 2 submatrices, we see that the number of candidates for which we actually need to verify the nonsingularity of higher order submatrices is significantly smaller, and so it is possible to complete the exhaustive search on a desktop computer quickly.
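The first pruning step above can be reproduced with a short script. This is an added example, not code from the paper: it assumes that C_4 ranges over one representative per conjugacy class of GL(4, F_2) (the paper's exact choice is missing from this text) and that M is the submatrix on block rows and columns {0, 4} of C with C_0 = I_4; the function names are hypothetical.

```python
from itertools import product

N = 4                                     # block size m = 4, entries in F_2
IDENT = tuple(1 << i for i in range(N))   # row i is an int; bit c holds entry (i, c)

def mul(a, b):
    """Product over F_2: row i of a*b XORs the rows of b selected by row i of a."""
    out = []
    for row in a:
        acc = 0
        for j in range(N):
            acc ^= b[j] if (row >> j) & 1 else 0
        out.append(acc)
    return tuple(out)

def rank(rows):
    """Rank over F_2 of a list of bit-vector rows (XOR basis reduction)."""
    basis = []
    for v in rows:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def conj_elementary(a, i, j):
    """E*a*E for E = I + e_ij, which is its own inverse over F_2."""
    rows = list(a)
    rows[i] ^= rows[j]                                      # E*a: row_i += row_j
    return tuple(r ^ (((r >> i) & 1) << j) for r in rows)   # (.)*E: col_j += col_i

def general_linear_group():
    return [g for g in product(range(1, 1 << N), repeat=N) if rank(g) == N]

def conjugacy_classes(group):
    """Orbits under conjugation; the elementary matrices generate GL(4, F_2)."""
    gens = [(i, j) for i in range(N) for j in range(N) if i != j]
    seen, classes = set(), []
    for g in group:
        if g in seen:
            continue
        orbit, stack = {g}, [g]
        while stack:
            x = stack.pop()
            for i, j in gens:
                y = conj_elementary(x, i, j)
                if y not in orbit:
                    orbit.add(y)
                    stack.append(y)
        seen |= orbit
        classes.append(orbit)
    return classes

def block_nonsingular(c4):
    """Direct check: rank of the 8 x 8 binary matrix [[I, C4], [C4, I]]."""
    top = [IDENT[i] | (c4[i] << N) for i in range(N)]
    bottom = [c4[i] | (IDENT[i] << N) for i in range(N)]
    return rank(top + bottom) == 2 * N

def shortcut_nonsingular(c4):
    """Equivalent check used in the text: I_4 + C4^2 is nonsingular."""
    return rank([x ^ y for x, y in zip(IDENT, mul(c4, c4))]) == N

def valid_c4_choices():
    reps = [min(cls) for cls in conjugacy_classes(general_linear_group())]
    return reps, [c for c in reps if shortcut_nonsingular(c)]

if __name__ == "__main__":
    print([len(x) for x in valid_c4_choices()])
```

Under these assumptions, the surviving representatives are exactly the classes with no eigenvalue 1, which matches the count of choices for C_4 stated in the text.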
From the solution set in the restricted domain, we eliminate (few) duplicates in the sense that no two matrices are constant diagonal similar. In this way, we get 32 distinct circulant MDS matrices of order n = 8 up to (constant) diagonal similarity, and we denote this set by C_r(8, 4). Now we extend it by considering matrices of the form C = Diag(P)^{-1} C Diag(P) for C ∈ C_r(8, 4) and P ∈ GL(4, F_2), and we denote the extended set by C_re(8, 4). In this way, we get |C_re(8, 4)| = 645,120 distinct circulant MDS matrices. Note that the diagonal element of the matrices in C_re(8, 4) is equal to 1.
There is no circulant/cyclic MDS matrix of order 7 over GL(4, F_2).
3. There is no circulant MDS matrix of order 8 over F_{2^4} but there exist circulant MDS matrices of order 8 over GL(4, F_2).
The problem of constructing involutory circulant MDS matrices over GL(4, F_2) of order 6, 8 was mentioned in [LW16, Problem 1]. But we have a negative result. In fact, by using Lemma 3 we have verified that there is no involutory cyclic MDS matrix of order 6, 8 over GL(4, F_2). For this purpose, it is enough to verify the involutory property of cyclic matrices of the form Ĉ = C Diag(Q) P for C ∈ C_r(n, 4), Q ∈ GL(4, F_2), and P ∈ P(n, m) with P[0, 0] = I_m.
We have the following result on the permutation equivalence of circulant MDS matrices. , m). Since the defining elements of all such matrices are the same, the cost/XOR counts of all those matrices are the same.
By Lemma 4 we get the following result.
Lemma 13. Let C be a circulant MDS matrix over M_m. Then for P = Diag(P) and Q = Diag(Q), where P, Q ∈ P_m are permutation matrices of order m, we have In particular, We compute the cost of the matrices in C(n, 4) according to the formula given in Table 2. We get a list of matrices with the least cost with respect to both d-XOR and s-XOR metrics. By the reverse process, we get a base set of circulant MDS matrices with the least cost in the sense that by applying Lemmas 12 and 13 we get all the circulant MDS matrices with the same cost.
In the appendix we present a base set of (involutory) circulant MDS matrices in C(n, 4) with the least cost (according to the formula in Table 2) from which we can generate all the circulant MDS matrices with the same cost.

Hadamard Matrices
In this section we consider Hadamard matrices over M_m. With a similar argument as in the proof of Theorem 2 we get the following result in the case of Hadamard MDS matrices from which we can reduce the search space. H(n, m). Since the defining elements of all such matrices are the same, the XOR counts of all those matrices are the same.
We now present our experimental results.
This way we get 560 distinct Hadamard MDS matrices up to (constant) diagonal similarity, and we denote this set by H_r(4, 4). Now we extend it by considering matrices of the form H = Diag(P)^{-1} H Diag(P) for H ∈ H_r(4, 4) and P ∈ GL(4, F_2), and we denote the extended set by H_re(4, 4). In this way, we get |H_re(4, 4)| = 2,376,912 distinct Hadamard MDS matrices. Note that the diagonal element of the matrices in H_re(4, 4) is equal to I_4. Observe that any matrix in H(4, 4) is a constant multiple of a matrix in H_re(4, 4). Therefore we have

Case: n = 8. Let H = Had(H_0, H_1, H_2, ..., H_7). We choose the same index choices as above. In this case, we get 336 distinct matrices up to (constant) diagonal similarity, and we denote this set by H_r(8, 4). Similarly, we get |H_re(8, 4)| = 451,584 distinct Hadamard MDS matrices, where the diagonal element in these matrices is equal to I_4.
In the appendix we present a base set of (involutory) Hadamard MDS matrices in H(n, 4) for n = 4, 8 with the least cost (according to the formula in Table 2) from which we can generate all the Hadamard MDS matrices with the same cost.

Recursive MDS Matrices from Companion Matrices
In this section we consider companion matrices over M_m. We first present a result from which we can reduce the search space. Then we present our experimental results on the exhaustive search for 4-MDS companion matrices of order 4 over GL(4, F_2).
Let L be a companion matrix as given above. First note that Diag(P) L Diag(P)^{-1} is also a companion matrix. Suppose that L_i ∈ cc(A) for some A ∈ N_G. Then there exists a matrix We take P = P_2^{-1} P_1^{-1}, and it is easy to see that L = Diag(P) L Diag(P^{-1}) is in the required form. By Lemma 7 we can see that the matrix L is recursive MDS.
We now present our experimental results for the case where n = m = 4. In our search we first consider L_0 = A (≠ I_4) ∈ N_G and L_2 ∈ N_G^A. In the case when L_0 = I_4, we consider In this way, we get 1,495 distinct matrices up to (constant) diagonal similarity, and we denote this set by L_r(4, 4). Now we extend it by considering matrices of the form L = Diag(P)^{-1} L Diag(P) for L ∈ L_r(4, 4) and P ∈ GL(4, F_2), and observe that the extended set is L(4, 4). In this way, we get |L(4, 4)| = 7,358,400 distinct 4-MDS companion matrices of order 4 over GL(4, F_2).
It is well known that there is no companion matrix over fields of even characteristic which yields an involutory MDS matrix (see [GPV19, Theorem 2]). But we get involutory MDS matrices from L(4, 4). We provide such a matrix in the appendix. Now we state this result.
Theorem 5. There exists a companion matrix L of order 4 over GL(4, F_2) such that L^4 is involutory MDS.
In the appendix we present a base set of companion matrices in L(4, 4) with the least cost (according to the formula in Table 2) from which we can generate all the companion matrices with the same cost.

Recursive MDS Matrices from Sparse DSI Matrices
In this section we consider sparse DSI matrices over M_m. This problem was mentioned in [TTKS18, Section 7.2]. We first present a result from which we can reduce the search space. Then we show a close relationship between sparse DSI matrices and Ring LFSRs. Next we present our experimental results on the exhaustive search for n-MDS sparse DSI matrices of order n over GL(4, F_2) for n = 4, 5, 6, 7, 8.

Theorem 6. Let n ≥ 2 be an integer and k = ⌊(n+1)/2⌋. Let t be an even integer with 0 ≤ t ≤ n − 1. For any recursive MDS matrix S = SpDSI(B_0, B_2, ..., B_{2(k−1)}; A_0, A_1, ..., A_{n−1}) ∈ S(n, m) there exists D = Diag(P_0, P_1, ..., Let S be a sparse DSI matrix as given above and D = Diag(P_0, P_1, ..., Then there exists a matrix 1 . Now consider the matrix , and it is easy to verify that S = D S D^{-1} is in the required form. By Lemma 7 we can see that the matrix S is recursive MDS.

Remark 5. The LFSR associated with the companion matrix L in Definition 8 is known as the Fibonacci LFSR. The state transition matrix of a word-oriented Fibonacci LFSR is of the form given by L. Another well known type of LFSR is the Galois LFSR, whose state transition matrix is of the form (L^T)^{-1}. In [ABMP11] Ring LFSRs are introduced as a generalization. The state transition matrix of a word-oriented Ring LFSR can be given by (see [ABMP11, Def. 3.7]) ...
The above matrix is closely related to the restricted version of the sparse DSI matrices obtained in Theorem 6. So we can see that the sparse DSI matrices are closely related to the word-oriented Ring LFSRs. There have been some works on Ring LFSRs, so an interesting problem is to develop a theory for sparse DSI matrices that yield MDS matrices.
We now present our experimental results. We only get n-MDS sparse DSI matrices of order n = 4 over GL(4, F_2), and for n = 5, 6, 7, 8 there is no such matrix. In our search, we first consider A_0 = A (≠ I_4) ∈ N_G and B_0 ∈ N_G^A. In the case when A_0 = I_4, we consider In this way, we get 236 distinct matrices up to diagonal similarity, and we denote this set by S_r(4, 4). Now we extend it by considering matrices of the form S = Diag(P)^{-1} S Diag(P) for S ∈ S_r(4, 4) and P ∈ GL(4, F_2), and we denote the extended set by S_re(4, 4). In this way, we get |S_re(4, 4)| = 483,840 distinct matrices.
Observe that any matrix S in S(4, 4) is of the form S = D^{-1} S D for some S ∈ S_re(4, 4) and D = Diag(I_4, P_1, P_2, P_3), where P_1, P_2, P_3 ∈ GL(4, F_2). So we have Also note that there is no involutory 4-MDS sparse DSI matrix in S(4, 4). Now we state our search results.
In the appendix we present a base set of sparse DSI matrices in S_re(4, 4) with the least cost (according to the formula in Table 2) from which we can generate all the sparse DSI matrices with the same cost.

Recursive MDS Matrices from Sparse DSI Matrices over Finite Fields
The sparse DSI matrices were introduced in [TTKS18]. The authors have provided n-MDS sparse DSI matrices over F_{2^m} (having low cost) for some parameter values. But they have not provided matrices for many parameter values. Since these matrices have low fixed cost, it is of importance to see whether such matrices exist or not. In this section we discuss many of the issues raised in [TTKS18, Section 7.2]. Throughout this subsection, we assume that n ≥ 2 and k = ⌊(n+1)/2⌋. We denote the identity matrix in M(n, F_q) by I_n. Let D(n, F_q) denote the set of nonsingular n × n diagonal matrices over F_q.
A DSI matrix S of order n over F_q is given by where a_i, b_j ∈ F_q with a_i ≠ 0 ∀ i, 0 ≤ i < n, and b_j = 0 for some j, 0 ≤ j < n (see Definition 9). Since b_j = 0 for some j, the determinant of S is equal to The matrix S is nonsingular since a_i ≠ 0, ∀ i. Let R_n be the n × n rotation matrix given by and we denote the inverse of R_n by L_n. Observe that R_n^T = L_n. We have the following similarity relation over diagonal matrices.
Lemma 15. Let D = Diag(d_0, d_1, ..., d_{n−1}) be a diagonal matrix of order n over F_q. Then we have Observe that the DSI matrix S in (3) satisfies where A = Diag(a_0, a_1, ..., a_{n−1}) and B = Diag(b_0, b_1, ..., b_{n−1}). Now consider the matrix S = L_n S R_n, where S is the DSI matrix mentioned in (3). Then by (5) we have

Remark 6. For n odd, the definition in [TTKS18] is slightly different from our definition of sparse DSI matrix, but both the matrices are permutation similar. In fact, for n odd, the matrix L_n^2 S R_n^2 is in the form defined in [TTKS18, Definition 6] (see also Remark 7).

Let S(n, F_q) denote the set of all n-MDS sparse DSI matrices of order n over F_q. From Lemmas 7 and 9 we have the following result for the case of sparse DSI matrices over F_q.
Lemma 16. If two sparse DSI matrices S and S over F_q are diagonal/permutation similar then S is r-MDS if and only if S is r-MDS.
With a similar argument as in the proof of Theorem 6 we get the following result in the case of sparse DSI matrices over F_q. For completeness, we present a proof.

Theorem 8. Let (a_0, a_1, ..., a_{n−1}) and (a_0, a_1, ..., a_{n−1}) be two tuples in (F_q^*)^n such that a = ) k and a ∈ F_q^*. Then, for any c ∈ F_q^*, the matrix S is r-MDS if and only if S = SpDSI(cb_0, cb_2, ..., cb_{2(k−1)}; c^n a, 1, ..., 1) is r-MDS.
Proof. Observe that the matrix cS is also sparse DSI and by Theorem 8 we can see that cS is diagonal similar to S. By Lemma 16 we get the required result.
We now discuss further reduction by restricting the choices for the element a. Let α be a generator of the cyclic group F_q^* and let a = α^i for some 0 ≤ i < (q − 1). Let n = 2 t, where t is odd. Suppose that i = jt + s for some s, 0 ≤ s < t. Also note that there always exists a 2 th root of α, say β, in F_q^*. So we have a = α^i = β^{jn} α^s. Observe that for c = β^{−j}, the matrix S in Lemma 17 is given by S = SpDSI(cb_0, cb_2, ..., cb_{2(k−1)}; α^s, 1, ..., 1), 0 ≤ s < t.
Let Ŝ(n, F_q) denote the set of all n-MDS sparse DSI matrices over F_q of the form given in (6) with a = α^s, 0 ≤ s < t, where n = 2 t with t odd and α is a generator of F_q^*. From the discussion above, we can see that any matrix in S(n, F_q) can be obtained from a matrix in Ŝ(n, F_q) with suitable transformations given in Lemma 17 and Theorem 8. Let B(n, F_q) be the set of ordered k-tuples given by B Similarly, the set of ordered k-tuples (b_0, b_2, ..., b_{2(k−1)}) appearing in the n-MDS sparse DSI matrices from S(n, F_q) is denoted by B(n, F_q). From the discussion above we can see the following result.
Lemma 18. The sets satisfy B(n, F_q) ⊆ B(n, F_q). Moreover, each tuple in B(n, F_q) is a constant multiple of some tuple in B(n, F_q).

We now provide some equivalence classes over Ŝ(n, F_q). For this purpose we consider the following permutation matrix

Proof. Let D = Diag(d_0, d_1, ..., d_{n−1}) be a diagonal matrix. It is easy to see that We have S = B + A R_n, where B = Diag(b_0, b_1, b_2, ..., b_{n−1}) with b_i = 0 for i odd and A = Diag(a, 1, ..., 1). Suppose that n is even. Then consider the matrix S_1 = L_n J_n S J_n R_n. Now we can see that 5) and (7) and by a careful observation we can see that Then by Lemma 16 and Theorem 8 we get the required result. In the case where n is odd, we consider S_1 = J_n S J_n. By a careful observation, we can see that S = S_1^T. Hence the result.
Remark 7. The above result is valid for even values of n. If n is odd, the first and the last entries in the diagonal are nonzero and zeros appear alternately. Any rotation of the elements in the diagonal violates this condition. However, we can see that by Theorem 8 and Corollary 1 all those matrices are also n-MDS if the matrix S is n-MDS.
Remark 8. In the case where n = 2 we must have a = 1 and the elements of Ŝ(n, F_q) are of the form S = SpDSI(b_0, b_2, ..., b_{2(k−1)}; 1). Observe that the transpose of S is in the form of the state transition matrix of a Ring LFSR over F_q (see (2)).
From Lemmas 19 and 20 we have the following result.
Corollary 2. Suppose that n is even.
for j even and 0 ≤ j ≤ n − 1, where the indices are taken modulo n.
We now define an ordering on the elements b_j so that we can consider only one choice among the 2n (or 2) permutations of the tuple (b_0, b_2, ..., b_{2(k−1)}), depending on whether n is even or odd (see Corollary 2 and Lemma 19). Suppose that the elements of the finite field F_q, q = 2^m, are represented with the polynomial basis. We can order the elements according to their value in integer representation, i.e., for an element a From the above discussion in this subsection, we have the following result.
Theorem 9. Up to diagonal/permutation similarity, any matrix in S(n, F_q) is a constant multiple of a matrix in S_r(n, F_q).

So in order to search for n-MDS sparse DSI matrices over F_q exhaustively, it is enough to search for n-MDS matrices of the form in S_r(n, F_q). We have implemented the search technique for n × n matrices over F_{2^m} for n ∈ {4, 5, 6, 7, 8} and m ∈ {4, 5, 6, 7, 8}, and n = 8 and m = 9. To verify whether a matrix S is n-MDS, we recursively check that all the submatrices (of order 1 to n − 1) of S^n are nonsingular. In the process, if we encounter a submatrix which is singular then we exit permanently, and move on to verify the next candidate. We use the determinants of 2 × 2 submatrices to check the nonsingularity of 3 × 3 and 4 × 4 submatrices. The search results are presented in Table 4. We can see that there is no 8-MDS sparse DSI matrix of order 8 over F_{2^8}.
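The reduction to the form SpDSI(b; a, 1, ..., 1) and the early-exit r-MDS check described above can be tried on a small case. This is an added example, not the authors' implementation: it assumes F_{2^4} = F_2[x]/(x^4 + x + 1), assumes R_n has its ones at positions (i, i+1 mod n) (the display defining R_n is missing from this text), uses constructed sample values, and computes determinants by plain Laplace expansion rather than the 2 × 2 reuse the paper mentions.

```python
from itertools import combinations, product

M_BITS, POLY = 4, 0b10011        # assumed field: F_2[x]/(x^4 + x + 1)
SAMPLE_B, SAMPLE_A = [2, 7], [3, 5, 9, 6]   # constructed sample values

def gmul(x, y):
    """Field multiplication: shift-and-add, reduced modulo POLY."""
    r = 0
    while y:
        r ^= x if y & 1 else 0
        x = (x << 1) ^ (POLY if x >> (M_BITS - 1) else 0)
        y >>= 1
    return r

def ginv(x):
    """Inverse of a nonzero element by search (the field has 16 elements)."""
    return next(y for y in range(1, 1 << M_BITS) if gmul(x, y) == 1)

def matmul(A, B):
    n = len(A)
    C = [[0] * n for _ in range(n)]
    for i, j, k in product(range(n), repeat=3):
        C[i][j] ^= gmul(A[i][k], B[k][j])
    return C

def det(A):
    """Laplace expansion along the first row (no signs in characteristic 2)."""
    if len(A) == 1:
        return A[0][0]
    d = 0
    for j, x in enumerate(A[0]):
        if x:
            d ^= gmul(x, det([row[:j] + row[j + 1:] for row in A[1:]]))
    return d

def is_mds(A):
    """All square submatrices nonsingular; stop at the first singular one."""
    n = len(A)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if det([[A[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True

def is_r_mds(S, r):
    P = S
    for _ in range(r - 1):
        P = matmul(P, S)
    return is_mds(P)

def sp_dsi(b_even, a):
    """S = B + A*R_n, B = Diag(b_0, 0, b_2, 0, ...), A = Diag(a_0, ..., a_{n-1})."""
    n = len(a)
    S = [[0] * n for _ in range(n)]
    for i in range(n):
        S[i][(i + 1) % n] = a[i]          # assumed R_n: ones at (i, i+1 mod n)
        if i % 2 == 0:
            S[i][i] = b_even[i // 2]
    return S

def normalise(b_even, a):
    """Return (D^{-1} S D, prod a_i), where D turns A into Diag(prod a_i, 1, ..., 1)."""
    n, S = len(a), sp_dsi(b_even, a)
    d = [1] * n
    for i in range(n - 1, 0, -1):
        d[i] = gmul(a[i], d[(i + 1) % n])   # d_i = a_i * d_{i+1}, with d_0 = 1
    T = [[gmul(gmul(ginv(d[i]), S[i][j]), d[j]) for j in range(n)] for i in range(n)]
    return T, gmul(a[0], d[1])
```

Calling normalise(SAMPLE_B, SAMPLE_A) returns the diagonally similar matrix with a single free entry a = a_0 a_1 a_2 a_3, which is also det(S); is_r_mds gives the same answer on both matrices for every r.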
Next we discuss the implementation costs of the sparse DSI matrices over F_q. Recall that the cost of implementing a single iteration of the sparse DSI matrix where k = ⌊(n+1)/2⌋. It is likely that the sparse DSI matrices having the least cost are of the form S. Recall that up to diagonal/permutation similarity any n-MDS sparse DSI matrix is a constant multiple of an n-MDS matrix in S_r(n, F_q) (see Theorem 9). Now consider a sparse DSI matrix S = SpDSI(b_0, b_2, ..., b_{2(k−1)}; a) ∈ S_r(n, F_q). By Lemma 17, we can see that cS is diagonal similar to S = SpDSI(cb_0, cb_2, ..., cb_{2(k−1)}; c^n a). If there exists some subset T ⊂ {0, 2, ..., 2(k − 1)} of size t such that c^t ∏_{j∈T} b_j = c^n a then we can distribute the determinant det(S) in a_i's and get a matrix whose cost only depends on cb_j's. We apply this technique for the matrices of order n over F_{2^8} for n = 4, 5, 6, 7. We do not get any better matrix than the matrices in [TTKS18, Table 4] for n = 4, 5, 6. But we get a 7 × 7 sparse DSI matrix whose cost is 47, whereas the cost of the matrix provided in [TTKS18, Table 4] is 54. We use the same notation for the finite field In [BKL16], the authors provided methods to find a basis with which the XOR count of a finite field element is optimal.
It is an open problem to find an optimal basis such that Σ_{c∈E} XOR(c) is minimal for a subset E of F_q^* of size |E| ≥ 2.

Remark 9. Essentially we need to distribute the determinant c^n a of S in a_i's such that ∏ a_i = c^n a and it optimizes the cost of the matrix S as given in (10). It is not difficult to find an optimal distribution even in this general case, and for n = 7 we have not got a better solution than the matrix presented above. So the sparse DSI matrix S presented above is one of the best as per the XOR counts given in [TTKS18, Appendix B].
Remark 10. From each matrix S ∈ S_r(n, F_q), we can generate up to 2n (2) sparse DSI matrices if n is even (odd), and for each such matrix S ∈ Ŝ(n, F_q) generated we get (q − 1)^n many distinct sparse DSI matrices in S(n, F_q), by taking D^{-1} S D, where D is a nonsingular diagonal matrix over F_q.

Conclusion
We have considered circulant, Hadamard, companion and sparse DSI matrices over GL(4, F_2). We have provided a method with which we are able to exhaustively search for MDS matrices of these types for some parameter choices. We have provided circulant MDS matrices of order 8 which were not known before. We have also established the nonexistence of involutory circulant/cyclic MDS matrices of order 6, 8. It is well known that there is no companion matrix over fields of even characteristic that yields an involutory MDS matrix. With our method, we have obtained companion matrices over GL(4, F_2) that yield involutory MDS matrices. We have analyzed the structure of sparse DSI matrices over finite fields, and using this we are able to exhaustively search for sparse DSI matrices that yield MDS matrices for some small parameter values. We are able to obtain a sparse DSI matrix of order 7 over F_{2^8}, which is better than the known ones. We have also established the nonexistence of 8-MDS sparse DSI matrices of order 8 over F_{2^8}. A characterization of recursive MDS companion matrices was given in [GPV17], and they are related to Fibonacci LFSRs. We have discussed a relation between (sparse) DSI matrices and Ring LFSRs. It is an interesting open problem to develop a theory for recursive MDS sparse DSI matrices.

Definition 14. Two matrices M and M in M(n, m) are called diagonal equivalent, denoted by M ∼_de M, if there exist two diagonal matrices P, Q ∈ D(n, m) such that M = P M Q.

Lemma 6. Suppose that two matrices M and M in M(n, m) are diagonal equivalent. Then M is MDS if and only if M is MDS.

Definition 15. Two matrices M and M in M(n, m) are called diagonal similar, denoted by M ∼_ds M, if there exists a block diagonal matrix P ∈ D(n, m) such that M = P^{-1} M P.

Lemma 7. Suppose that two matrices M and M in M(n, m) are diagonal similar. Then M is r-MDS if and only if M is r-MDS.

Definition 16. Two matrices M and M in M(n, m) are called permutation equivalent, denoted by M ∼_pe M, if there exist two permutation matrices P, Q ∈ P(n, m) such that M = P M Q.

Lemma 8. Suppose that two matrices M and M in M(n, m) are permutation equivalent. Then M is MDS if and only if M is MDS.

Definition 17. Two matrices M and M in M(n, m) are called permutation similar, denoted by M ∼_ps M, if there exists a permutation matrix P ∈ P(n, m) such that M = P^{-1} M P.

Lemma 9. Suppose that two matrices M and M in M(n, m) are permutation similar. Then M is r-MDS if and only if M is r-MDS.

Table 1: The number of matrices in GL(4, F_2) with fixed XOR count

Table 3: The number of elements in A-restricted conjugacy classes: |N_G^A| for A ∈ N_G

Remark 3. The number of permutations σ satisfying the condition in Lemma 12 is given by nφ(n), where φ(n) is Euler's totient function. For each such σ, we can see by Lemma 8 that C is MDS if and only if C σ is MDS. So given a circulant MDS matrix C ∈ C(n, m), we can generate up to nφ(n) many matrices in C(n some t > 0. The number of permutations σ satisfying the condition in Lemma 14 is given by n • |GL(t, F_2)|. For each such σ, by Lemma 8 we have H is MDS if and only if H σ is MDS. Also note that the defining elements are distinct in a Hadamard MDS matrix. So given a Hadamard MDS matrix H ∈ H(n, m), we can generate n • |GL(t, F_2)| many matrices in

Table 4: Number of n-MDS sparse DSI matrices in S_r(n, F_q)