Decomposing Linear Layers

There are many recent results on reverse-engineering (potentially hidden) structure in cryptographic S-boxes. The problem of recovering structure in the other main building block of symmetric cryptographic primitives, namely the linear layer, has received much less attention so far. To fill this gap, we develop a systematic approach to decomposing structure in the linear layer of a substitution-permutation network (SPN), covering the case in which the specification of the linear layer is obfuscated by applying secret linear transformations to the S-boxes. We first present algorithms to decide whether an $ms \times ms$ matrix with entries in a prime field $\mathbb{F}_p$ can be represented as an $m \times m$ matrix over the extension field $\mathbb{F}_{p^s}$. We then study the case of recovering structure in MDS matrices by investigating whether a given MDS matrix follows a Cauchy construction. As an application, we show for the first time that the $8 \times 8$ MDS matrix over $\mathbb{F}_{2^8}$ used in the hash function Streebog is a Cauchy matrix.


Introduction
Contrary to the naive expectation, quite often and for various reasons, a cryptanalyst or user of a (symmetric) cryptographic primitive does not have the full documentation of its design. In some cases, the designers do publish the specification but omit the design rationale explaining why each building block was chosen. The most prominent example is the Data Encryption Standard (DES) [PUB77], standardized in 1977, whose S-boxes were (secretly) designed to resist differential cryptanalysis [Cop94], a cryptanalytic technique that became known to the public only several years later [BS90]. As more recent examples, we mention the block cipher families Simon and Speck designed by the US National Security Agency (NSA) [BSS + 13] and the Russian hash function standard Streebog [Fed12]. In the latter, the 8-bit S-box $\pi$ is given only as a plain look-up table, and the linear layer employs a $64 \times 64$ matrix $L$ with entries in $\mathbb{F}_2$ that is not explained in any more detail in the specification. In more severe cases, even the specification of the cryptographic algorithm is not made public, and (in the best case) the user or cryptanalyst only has access to a device or software in which the algorithm is implemented. Examples include the stream cipher A5/1 used for GSM encryption [BGW99] and the stream ciphers GEA/1 and GEA/2 for GPRS encryption [BDL + 21], but there are also block ciphers of that kind, e.g., Skipjack [Nat98, BBD + 98] or Chiasmus [STW13].¹
¹ Those algorithms became public through reverse-engineering, declassification, or anonymous sources.
Another example is ransomware. Via obfuscation techniques, the cryptographic algorithms are hidden to bypass virus scanners. Hence, the analyst has to deal with the problem of figuring out the original specification of the employed cryptographic algorithm, once identified with techniques as in, e.g., [KPK + 20], with the goal to break it and recover the data without paying the ransom.
In the case where the specification is secret or otherwise obfuscated, before any cryptanalysis can be done, the whole cryptographic algorithm first has to be reverse-engineered from the device or software. What results from such a process is not a well-written design specification but rather more or less complicated program code, which does not reveal the precise specification of the cryptographic building blocks that the designers chose.
While this is true for all designs, we focus on substitution-permutation networks (SPNs) and are interested in particular in finding structure that is induced by defining linear layers over extension fields. In the case of SPNs, a natural limitation is that the S-box within an SPN can only be recovered up to linear transformations of its input and output, and for each such S-box one obtains a different linear layer. In Figure 1 we depict the original design and two variants of obfuscated linear layers that might occur. This obfuscation makes the task of recovering structure harder, not only computationally, but also because it is not clear what the "correct" representation should be.² In the case of S-boxes, there are many recent results on this problem, see [BP15,BPU16,PUB16,PU16,BPT19]. To name one specific result in this area, Perrin [Per19] has shown that the S-box $\pi$ of Streebog has the interesting property of mapping multiplicative cosets of $\mathbb{F}_{2^4}^*$ to additive cosets of $\mathbb{F}_{2^4}$. Although no attack exploiting this fact has been found, such a result negatively affects the trust in the algorithm: why did the designers intend to have such a property in the first place without making it public? Obviously, to fully understand the cryptographic strength of an algorithm, analyzing only the S-box is not enough; one has to study its interaction with the linear layer (see also the discussion in [Per19] for the case of Streebog). For reverse-engineering structure in linear layers, not much previous work has been done. In [KK13], Kazymyrov and Kazymyrova have shown that the transpose of the $64 \times 64$ binary matrix $L$ used in Streebog can be represented as an $8 \times 8$ MDS matrix with entries in the extension field $\mathbb{F}_{2^8}$. In their method, they only considered representing $\mathbb{F}_{2^8}$ as a quotient $\mathbb{F}_2[X]/(p)$ for $p$ an irreducible polynomial of degree 8 in $\mathbb{F}_2[X]$.
More precisely, for each such irreducible polynomial $p$, they converted every $8 \times 8$ submatrix into an element of the finite field and finally checked the MDS property of the resulting matrix.
In this work, we develop a systematic approach to decomposing structure in the linear layer of a block cipher or cryptographic permutation, also covering the case in which the specification of the linear layer is obfuscated by applying linear transformations to the S-boxes.
Remark 1. Note that from a designer's point of view, hiding structure of linear layers induced by extension fields seems counterintuitive, as the existence of such structure might allow for easier security arguments, e.g., by applying the wide-trail strategy [Dae95].

Our Contribution and Results
Let $p$ be a prime and $m, s$ positive integers with $s > 1$. In Section 3, we start by investigating whether a given (non-obfuscated) $ms \times ms$ matrix with entries in the prime field $\mathbb{F}_p$ can be represented as an $m \times m$ matrix over the extension field $\mathbb{F}_{p^s}$ (Theorem 1 and Algorithm 2). Compared to the case where $\mathbb{F}_{p^s}$ is represented as the polynomial ring $\mathbb{F}_p[X]$ modulo an irreducible polynomial of degree $s$, we work with matrix representations of $\mathbb{F}_{p^s}$, which allows for a much more general choice of basis. At the core of our method, and of independent interest, is an algorithm that runs in $O(n \log p^s + n s^4 \log p \log\log p^s)$ elementary field operations (assuming the prime factorization of $p^s - 1$ is known) and decides whether the matrix algebra $\mathbb{F}_p[A_1, \dots, A_n]$ with $A_1, \dots, A_n \in GL(s, \mathbb{F}_p)$ is a field isomorphic to (a subfield of) $\mathbb{F}_{p^s}$ (Theorem 2). Since the algorithm needs to compute multiplicative orders of elements in $GL(s, \mathbb{F}_p)$ as a subroutine, we need an oracle for the prime factorization of $p^s - 1$. This requirement is not a limitation for the parameters we consider in practice.
In Sections 4.1 and 4.2, we then study the case in which the specification of the linear layer (i.e., the $ms \times ms$ matrix under consideration) is obfuscated by applying secret linear transformations to the S-boxes (i.e., by applying block-diagonal matrices with blocks in $GL(s, \mathbb{F}_p)$ at the input and the output). Interestingly, the complexity of recovering a matrix representation over $\mathbb{F}_{p^s}$ (if it exists) is comparable to that of the non-obfuscated case (Theorems 3 and 5 and Algorithms 3 and 4).
In Section 5, we then study the problem of decomposing structure in a given MDS matrix; more precisely, we decide whether an MDS matrix over a finite field follows a Cauchy construction. As an application, we show in Section 6 how our methods can be applied to the linear layer of Streebog. For the first time, we show that the MDS matrix used in Streebog follows such a Cauchy construction.

Preliminaries
We recall some properties of and relations between finite fields and matrix spaces, and we fix the notation used in the remainder of this article. We assume that the reader is familiar with basic facts about these objects. We denote by $\mathrm{Mat}(n, \mathbb{F}_p)$ the set of $n \times n$ matrices with coefficients in $\mathbb{F}_p$. A block-diagonal matrix with diagonal blocks $M_1, M_2, \dots, M_k$ will be denoted by $M_1 \oplus M_2 \oplus \cdots \oplus M_k$. If $M_1 = M_2 = \cdots = M_k = M$, we also write $M^{\oplus k}$. By $\mathbb{N}$ we denote the natural numbers with 0 included.
Throughout this work, let $p$ be a prime. For a positive integer $s$, it is well known that there exists exactly one finite field with $p^s$ elements up to isomorphism; we denote it by $\mathbb{F}_{p^s}$ and speak of the finite field with $p^s$ elements. There are two typical representations of this field. The first, and most common, is to fix an irreducible polynomial $q \in \mathbb{F}_p[X]$ of degree $s$ and represent the elements of $\mathbb{F}_{p^s}$ as elements of $\mathbb{F}_p[X]/(q)$. The second is a matrix representation: a matrix $A \in \mathrm{Mat}(s, \mathbb{F}_p)$ with irreducible minimal polynomial $q$ of degree $s$ is chosen; the matrix algebra $\mathbb{F}_p[A]$ is then a field and therefore a representation of $\mathbb{F}_{p^s}$ (see [War94]). In this way, the multiplicative group of the field is represented as a subgroup of $GL(s, \mathbb{F}_p)$, the group of all invertible $s \times s$ matrices with coefficients in $\mathbb{F}_p$. Together with the zero matrix, this defines a field with the usual matrix addition. Below, we briefly give a specific construction based on this second approach. For more details, we refer to [War94], Section 2.5 of [LN94], Section 7.2 of [HJ20], and also to [BKL16].
Let $\alpha \in \mathbb{F}_{p^s}$ be a non-zero element of the finite field (in an arbitrary field representation). Then multiplication by $\alpha$ is an invertible linear mapping on $\mathbb{F}_{p^s}$. As $\mathbb{F}_{p^s}$ is isomorphic as a vector space to $\mathbb{F}_p^s$ once an $\mathbb{F}_p$-basis is chosen, there exists an isomorphism $\Phi\colon \mathbb{F}_{p^s} \to \mathbb{F}_p^s$. Using this, multiplication by $\alpha$ can be written as the mapping $\Phi^{-1} \circ A_\alpha \circ \Phi$ with $A_\alpha \in GL(s, \mathbb{F}_p)$, as the following commutative diagram illustrates. Here, by abuse of notation, $A_\alpha$ denotes the mapping $x \mapsto A_\alpha x$.
Note that the matrix $A_\alpha$ depends on the choice of basis. In the same way, multiplication by 0 in the finite field can be written as $\Phi^{-1} \circ 0 \circ \Phi$ with $0$ the $s \times s$ zero matrix. It becomes obvious that the set $\{A_\alpha \mid \alpha \in \mathbb{F}_{p^s}^*\} \subseteq GL(s, \mathbb{F}_p)$, together with the zero matrix, defines a field with $p^s$ elements under the usual multiplication and addition of matrices. Changing the choice-of-basis transformation $\Phi$ corresponds to changing the matrices $A_\alpha$ up to similarity. In other words, for each matrix $M \in GL(s, \mathbb{F}_p)$, the set $\{M A_\alpha M^{-1} \mid \alpha \in \mathbb{F}_{p^s}\}$ is again such a field. As we will heavily use this wording in the remainder of the work, we explicitly define it. Definition 1. Any set of matrices $\mathcal{M} \subseteq GL(s, \mathbb{F}_p) \cup \{0\}$ that, together with the natural matrix operations, forms the field $\mathbb{F}_{p^s}$ is called a matrix representation of $\mathbb{F}_{p^s}$.
The simplest matrix representation of $\mathbb{F}_{p^s}$ is obtained from the companion matrix $T_q$ of an irreducible polynomial $q$ of degree $s$. Indeed, $T_q$ corresponds to multiplication by a field element with minimal polynomial $q$. We are going to use the following, more general, lemma which gives a criterion for when a matrix algebra is a field. It is a well-known result, see also [War94] or [BKL16, Theorem 1]. We still provide a proof for completeness. Lemma 1. Let $A \in GL(s, \mathbb{F}_p)$. Then the matrix algebra $\mathbb{F}_p[A]$ is a field of order $p^t$ with $t \mid s$ if and only if the minimal polynomial of $A$ is irreducible.
Proof. Let us denote by $m_A$ the minimal polynomial of $A$ and set $t := \deg(m_A)$. If $m_A$ is reducible, $\mathbb{F}_p[A]$ is not a field: write $m_A = P_1 P_2$ with non-constant polynomials $P_1, P_2$; then $P_1(A) P_2(A) = m_A(A) = 0$, while $P_1(A), P_2(A) \neq 0$ by minimality of $m_A$, so $\mathbb{F}_p[A]$ has zero divisors. If $m_A$ is irreducible, $\mathbb{F}_p[X]/(m_A)$ is a field of order $p^t$. Moreover, by definition of the minimal polynomial, the ideal $(m_A)$ is the kernel of the surjective ring homomorphism $f\colon \mathbb{F}_p[X] \to \mathbb{F}_p[A]$, $X \mapsto A$, so $\mathbb{F}_p[A] \cong \mathbb{F}_p[X]/(m_A)$ by the isomorphism theorem for rings, and thus $\mathbb{F}_p[A]$ is a field.
Remark 2. Note that we did not impose any restriction on the degree of $m_A$. If the degree of $m_A$ is strictly smaller than $s$, then $A$ is an element of a proper subfield of $\mathbb{F}_{p^s}$.
Clearly, if the matrix algebra generated by $A \in GL(s, \mathbb{F}_p)$ is a field, the cyclic group $\langle A \rangle := \{A^i \mid i \geq 0\}$ is isomorphic to a subgroup of $\mathbb{F}_{p^s}^*$. A matrix representation of a finite field of characteristic $p$ is more general than the representation of the field as $\mathbb{F}_p[X]/(q)$ with $q$ an irreducible polynomial. Indeed, not every matrix representation is of the form $\mathbb{F}_p[T_q]$: there is, for instance, a matrix representation of $\mathbb{F}_{2^4}$ which does not contain any companion matrix (or a transpose of one). To summarize, any matrix $A$ which is similar to $T_q$ yields a field isomorphic to $\mathbb{F}_p[X]/(q)$, and vice versa.

Decomposing Matrices
In this section, we study how to algorithmically decide whether a given $ms \times ms$ matrix over $\mathbb{F}_p$ can be represented as a matrix over the extension field $\mathbb{F}_{p^s}$. Let us first formally define our terminology.
Definition 2. Let $s, m$ be positive integers and let $n = s \cdot m$. Let $A \in \mathrm{Mat}(n, \mathbb{F}_p)$ and
We then have the following result. Note that we exclude the case $A = 0$ in the statement of the theorem; clearly, the zero matrix can trivially be represented over an extension field.

Theorem 1. Let $s, m$ be positive integers and let

Proof. For the first direction, note that the matrix algebra in question is a finite integral domain and therefore a field (see, e.g., [LN94]). By Lemma 1, the element $\alpha$ has an irreducible minimal polynomial.
Let us now assume that $\langle S \rangle = \langle \alpha \rangle$ for some $\alpha \in GL(s, \mathbb{F}_p)$ with irreducible minimal polynomial. By Lemma 1, the matrix algebra generated by $\alpha$ is a field, so the group $\langle \alpha \rangle$ is a subgroup of $\mathbb{F}_{p^s}^*$.
On deciding whether a subgroup of $GL(s, \mathbb{F}_p)$ is a subgroup of $\mathbb{F}_{p^s}^*$. The problem we face now is to algorithmically decide whether a subgroup $G$ of $GL(s, \mathbb{F}_p)$ is (isomorphic to) a subgroup of the multiplicative group of $\mathbb{F}_{p^s}$, i.e., whether $G$ is cyclic and generated by an element with irreducible minimal polynomial (see Condition 2 of Theorem 1). If this is the case, we also want to find a generator of $G$. This problem can be solved using only elementary group theory. We first recall the following fundamental lemma on cyclic groups.
Lemma 2 (See, e.g., Thm. 1.6.17 of [HJ20]). Let $G = \langle \alpha \rangle$ be a finite cyclic group of order $n$ and let $d$ be a divisor of $n$. Then there exists a unique subgroup of $G$ of order $d$, namely $\langle \alpha^{n/d} \rangle$.
Another well-known group-theoretic result is that, if $G$ is an Abelian group containing elements of finite orders $k_1$ and $k_2$, then $G$ contains an element of order $\mathrm{lcm}(k_1, k_2)$ (see, e.g., Thm. 1.6.21 of [HJ20]). For the special case of cyclic groups (which are always Abelian), this result allows one to write down a generator quite easily, as we formulate below. Lemma 3 and the corresponding lines 8-15 of Algorithm 1 are mathematical folklore; we still provide a proof for completeness.
Lemma 3. Let $G = \langle A_1, A_2 \rangle$ be a finite cyclic group with $k_1$ and $k_2$ being the multiplicative orders of $A_1$ and $A_2$, respectively. Let $h_1 \mid k_1$ and $h_2 \mid k_2$ be coprime positive integers such that $h_1 h_2 = \mathrm{lcm}(k_1, k_2)$. Then $G = \langle A_1^{k_1/h_1} A_2^{k_2/h_2} \rangle$.
Proof. Let $G' := \langle A_1^{k_1/h_1} A_2^{k_2/h_2} \rangle$. Since $A_1^{k_1/h_1}$ has order $h_1$, $A_2^{k_2/h_2}$ has order $h_2$, and $\gcd(h_1, h_2) = 1$, their product is an element of order $h_1 h_2$ (Lem. 1.6.19 of [HJ20]); hence the order of $G'$ equals $\mathrm{lcm}(k_1, k_2)$. By Lemma 2, $G'$ contains unique subgroups $S_1, S_2$ of order $k_1$ and $k_2$, respectively. Since $G'$ is a subgroup of $G$ and $G$ is cyclic, $S_1$ (resp., $S_2$) is also the unique subgroup of $G$ of order $k_1$ (resp., $k_2$). Hence, both $A_1$ and $A_2$ must lie in $G'$, so $G' = G$.
Note that from the prime factorizations of $k_1$ and $k_2$, it is easy to compute $h_1$ and $h_2$ fulfilling the conditions of Lemma 3, see ll. 8-15 in Algorithm 1. Applying Lemma 3 iteratively allows one to find a generator of a cyclic group $G = \langle A_1, \dots, A_n \rangle$.
Proof. If $G$ is cyclic and generated by an element with irreducible minimal polynomial, $G$ is a subgroup of $\mathbb{F}_{p^s}^*$; hence the order of $G$ divides $p^s - 1$ and the minimal polynomial of each generator is irreducible. In particular, it suffices to compute an arbitrary generator of $G$. By Lemma 3, the element $\alpha$ computed in Algorithm 1 is a generator of $G$. Because its minimal polynomial is irreducible, the matrix algebra $\mathbb{F}_p[\alpha]$ is a field of extension degree at most $s$ over $\mathbb{F}_p$. Hence, $A_1, \dots, A_n$ all lie in the linear span of $\{1, \alpha, \alpha^2, \dots, \alpha^{s-1}\}$.
If $G$ is not cyclic, the elements $A_1, \dots, A_n$ do not all lie in a finite field, so Algorithm 1 returns $\perp$ when checking whether $A_1, \dots, A_n \in \mathbb{F}_p[\alpha]$ in line 21 (if it has not returned $\perp$ already). If $G$ is cyclic but not generated by an element with irreducible minimal polynomial, Algorithm 1 returns $\perp$ in line 19.
Let us now analyze the time complexity. In each of the $n - 1$ iterations of the main loop (ll. 2-17), we need to perform one multiplication, four exponentiations, and two computations of the multiplicative order of elements in $GL(s, \mathbb{F}_p)$. Further, we need to compute two prime factorizations of integers dividing $p^s - 1$. Let $p_1^{c_1} p_2^{c_2} \cdots p_r^{c_r}$ be the prime factorization of $p^s - 1$. The two prime factorizations in line 7 can be obtained by computing [Sto98]), and for checking whether $A_1, \dots, A_n \in \mathbb{F}_p[\alpha]$, we need to solve $n$ linear systems of $s^2$ equations in $s$ unknowns over $\mathbb{F}_p$.
There are various ways to optimize the implementation of Algorithm 1 further. For instance, one could add a step at the beginning which checks whether the degrees of all minimal polynomials $m_{A_i}$, $i = 1, \dots, n$, divide $s$. If we know beforehand that $G = \langle A_1, A_2, \dots, A_n \rangle$ is cyclic, we could use a probabilistic algorithm (e.g., Algorithm 4.80 in [VOMV96]) to find a generator of $G$.
Remark 3. Algorithm 1 is general enough to work even if all of the $A_1, \dots, A_n$ lie in different proper subfields of $\mathbb{F}_{p^s}$. Note that, once we encounter an element of multiplicative order $p^s - 1$ in line 6 of Algorithm 1, we can skip the rest of the computation and directly perform the check in line 21 for that particular element. In particular, constructing a potential generator by means of Lemma 3 is not needed if one of the $A_i$ has multiplicative order $p^s - 1$. Further, if one of the matrices $A_1, \dots, A_n \in GL(s, \mathbb{F}_p)$ (say $A_1$) has an irreducible minimal polynomial of degree $s$, and if we are not interested in finding the generator $\alpha$ but only want to know whether $A_1, \dots, A_n$ are contained in a field $\mathbb{F}_p[\alpha]$, we can take $\alpha := A_1$ and directly perform the check in line 21 for $\alpha$. However, we would not necessarily have $G = \langle \alpha \rangle$.
Algorithm 2 takes as input a non-zero matrix $A \in \mathrm{Mat}(n, \mathbb{F}_p)$ and positive integers $m, s$ with $n = s \cdot m$ and outputs (if it exists) a representation of $A$ as $[\alpha^{N(i,j)}]_{1 \leq i,j \leq m}$. The running time of this algorithm is dominated by solving $m^2$ discrete logarithms over $\mathbb{F}_{p^s}^*$ in order to recover the exponents $N(i,j)$ for $i, j \in \{1, \dots, m\}$ (this step can be omitted if the exponents are not needed). For the parameters $s = m = 8$ and $p = 2$, our implementation recovers the field representation in less than a second when running on a PC. Applying the algorithm to the linear layer used in Streebog, we directly obtain the representation given in Section 6.

Algorithm 1 ComputeGenerator
Input: Matrices $A_1, A_2, \dots, A_n \in GL(s, \mathbb{F}_p)$.
Output: A generator $\alpha$ of $G := \langle A_1, A_2, \dots, A_n \rangle$ if $G$ is cyclic and generated by an element with irreducible minimal polynomial, $\perp$ otherwise.
7: Compute the prime factorizations $k_1 = p_1^{d_1} \cdot p_2^{d_2} \cdots p_r^{d_r}$ and $k_2 = p_1^{e_1} \cdot p_2^{e_2} \cdots p_r^{e_r}$

Algorithm 2 (final lines)
12: Return $\perp$
13: end if
14: Return $A$ as $[\alpha^{N(i,j)}]_{1 \leq i,j \leq m}$ ▷ We need to solve $m^2$ dlogs over $\mathbb{F}_{p^s}^*$ to recover the exponents

Decomposing an Obfuscated Matrix
A designer of an SPN using an S-box $S$ ($m$ times in parallel) and a linear layer $L$ in its round function (as depicted in Figure 1 (left)) could try to hide the structure of the linear layer $L$, most importantly whether $L$ has a representation over an extension field $\mathbb{F}_{p^s}$, by publishing a different representation of the round. In particular, the designer could select a linear layer $L' = Q^{\oplus m} \circ L \circ P^{\oplus m}$ for some invertible linear mappings $P, Q$ aligned with the S-boxes and then cancel the application of $P$ and $Q$ by selecting an S-box $S'$ which is linearly equivalent to $S$, see Figure 1 (middle). If one allows a round function with multiple distinct S-boxes, then instead of a single pair $(P, Q)$ the designer could even choose $P_1, \dots, P_m, Q_1, \dots, Q_m$ and define $L'$ as depicted in Figure 1 (right). The resulting ciphers are the same as the original one, up to linear permutations of the input and output and up to the addition of different round keys. It is worth remarking that the most important cryptographic properties of $L$ are not affected by changing to $L'$. In particular, if $L$ is MDS, so is $L'$ (see [WLTZ21, Prop. 6]). What is affected, however, is whether the linear layer can be represented over an extension field $\mathbb{F}_{p^s}$. The same situation is often encountered when reverse-engineering a proprietary cipher from hardware or from software binaries, e.g., in ransomware. Therefore, we study how to decide whether such obfuscated linear layers can be represented over an extension field $\mathbb{F}_{p^s}$ and, if they can, how to recover such a representation. Section 4.1 deals with the case of hiding the structure of $L$ by a single pair of invertible linear mappings $(P, Q)$ (as depicted in Figure 1 (middle)), and Section 4.2 analyzes the case where $L$ is hidden as depicted in Figure 1 (right).
In both cases, it turns out that the recovery of a representation over an extension field is not more complex than the recovery of such a representation in the non-obfuscated case.

Simple Obfuscation
Let $s, m$ be positive integers and let $n = s \cdot m$. The problem we study now is, given a matrix $B \in \mathrm{Mat}(n, \mathbb{F}_p)$, to decide whether there exist matrices $P, Q \in GL(s, \mathbb{F}_p)$ and a matrix $A \in \mathrm{Mat}(n, \mathbb{F}_p)$ which can be represented as a matrix over $\mathbb{F}_{p^s}$ such that $B = Q^{\oplus m} \cdot A \cdot P^{\oplus m}$. (2) If such a representation as in (2) exists, our goal is to recover $P$, $Q$, a matrix representation $\mathcal{M}$ of $\mathbb{F}_{p^s}$, and to find $\alpha \in \mathcal{M} \setminus \{0\}$ and exponents $N(i,j) \in \mathbb{N} \cup \{\infty\}$, $i, j = 1, \dots, m$, such that $A$ can be represented as in (1). Note that such a representation (if it exists) is not unique. For instance, up to a change-of-basis transformation of the coefficients of $A$, we can without loss of generality assume that $Q$ is the identity matrix. In the following, let us denote by $A_{i,j}$ and $B_{i,j}$, $i, j = 1, \dots, m$, the $s \times s$ blocks of $A$ and $B$, respectively.

1. There exists a block $B_{k',\ell'} \in GL(s, \mathbb{F}_p)$.
2. The group $\langle B_{i,j} B_{k',\ell'}^{-1} \mid i, j = 1, \dots, m \text{ and } B_{i,j} \in GL(s, \mathbb{F}_p) \rangle$ is cyclic and generated by an element $\alpha \in GL(s, \mathbb{F}_p)$ with irreducible minimal polynomial.
Proof. We first show that if one of the two conditions does not hold, a representation as given in (2) cannot exist. Consider the group $G$ in (3) and suppose that the matrix algebra generated by $G$ is not a field (note that a block $B_{k',\ell'} \in GL(s, \mathbb{F}_p)$ exists, as we assume $B \neq 0$). Indeed, if $G$ is not cyclic, it is not isomorphic to a subgroup of $\mathbb{F}_{p^s}^*$; if $G$ is cyclic but not generated by an element with irreducible minimal polynomial, we can directly apply Lemma 1. Hence, there exists a non-zero non-invertible element $H$ of $\mathbb{F}_p[G]$: if no such $H$ existed, $\mathbb{F}_p[G]$ would be a finite division ring and therefore a field by Wedderburn's theorem (see [Wit31]). Having a representation of $B$ as in (2), the corresponding element $H'$ of the matrix algebra generated by the blocks of $A$ is obtained from $H$ by conjugation. But if $H$ is not invertible, $H'$ is not invertible either, a contradiction to the fact that $A$ can be represented as a matrix over $\mathbb{F}_{p^s}$.
Let now both Conditions 1 and 2 hold. Let $B_{k',\ell'}$ be an invertible block of $B$ such that $\langle B_{i,j} B_{k',\ell'}^{-1} \mid i, j = 1, \dots, m \text{ and } B_{i,j} \in GL(s, \mathbb{F}_p) \rangle = \langle \alpha \rangle$ with $\alpha$ having an irreducible minimal polynomial. By Lemma 1, we have $\langle \alpha \rangle \subseteq \mathcal{M} \setminus \{0\}$ for a matrix representation $\mathcal{M}$ of $\mathbb{F}_{p^s}$. Let now $A \in \mathrm{Mat}(n, \mathbb{F}_p)$ be such that $A_{i,j} := B_{i,j} B_{k',\ell'}^{-1}$ for all $i, j$, which is a representation as in Relation (2) with $Q$ the identity and $P = B_{k',\ell'}$. For any $i, j \in \{1, \dots, m\}$, we now have $A_{i,j} = B_{i,j} B_{k',\ell'}^{-1} \in \mathcal{M}$. Algorithm 3 recovers $\alpha$, $P$ and $N(i,j) \in \mathbb{N} \cup \{\infty\}$ for $1 \leq i, j \leq m$ such that $A = [\alpha^{N(i,j)}]_{1 \leq i,j \leq m}$ (if it exists) and outputs $\perp$ otherwise (note that we assume without loss of generality $Q$ to be the identity). Again, the running time is dominated by solving $m^2$ discrete logarithms over $\mathbb{F}_{p^s}^*$ for recovering the exponents $N(i,j)$, $i, j \in \{1, \dots, m\}$. For the parameters $s = m = 8$ and $p = 2$, our implementation recovers the field representation within a few seconds when running on a PC.
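The following Python script is an added example, not code from the paper: it runs the block-wise recovery of Algorithm 3 (with $Q = I$, as assumed above) for $p = 2$, $s = 4$, $m = 2$, including the generator construction of Lemma 3 used in lines 8-15 of Algorithm 1 and the field check of Lemma 1. Everything concrete in it is an assumption made for the demonstration: the field is generated by the matrix of multiplication by a root of $x^4 + x + 1$, the exponent matrix $N$ and the obfuscation matrices $P$ and $Q$ are chosen arbitrarily, and multiplicative orders and discrete logarithms are found by brute force rather than with the factorization-based routines the paper relies on, which is fine for $s = 4$ but not for large fields.

```python
from functools import reduce
from operator import xor

# s x s matrices over F_2 are tuples of s row ints; column j sits in bit (s-1-j).
def identity(s):
    return tuple(1 << (s - 1 - i) for i in range(s))

def mul(X, Y):
    s = len(X)
    return tuple(reduce(xor, (Y[j] for j in range(s) if X[i] >> (s - 1 - j) & 1), 0)
                 for i in range(s))

def mpow(X, e):
    R = identity(len(X))
    while e:
        R, X, e = (mul(R, X) if e & 1 else R), mul(X, X), e >> 1
    return R

def inv(M):  # Gauss-Jordan elimination on [M | I]; None if M is singular
    n = len(M)
    rows = [(M[i] << n) | (1 << (n - 1 - i)) for i in range(n)]
    for c in range(n):
        bit = 2 * n - 1 - c
        piv = next((i for i in range(c, n) if rows[i] >> bit & 1), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        for i in range(n):
            if i != c and rows[i] >> bit & 1:
                rows[i] ^= rows[c]
    return tuple(r & ((1 << n) - 1) for r in rows)

def order(X):  # multiplicative order of an invertible matrix, brute force (small s only)
    I, P, e = identity(len(X)), X, 1
    while P != I:
        P, e = mul(P, X), e + 1
    return e

def prime_factors(n):
    f, d = {}, 2
    while n > 1:
        while n % d == 0:
            f[d], n = f.get(d, 0) + 1, n // d
        d += 1
    return f

def combine(A1, A2):
    """Lemma 3 (Algorithm 1, ll. 8-15): for A1, A2 in a cyclic group pick coprime
    h1 | k1, h2 | k2 with h1*h2 = lcm(k1, k2) and return A1^(k1/h1) * A2^(k2/h2)."""
    k1, k2 = order(A1), order(A2)
    f1, f2 = prime_factors(k1), prime_factors(k2)
    h1 = h2 = 1
    for q in set(f1) | set(f2):      # each prime power goes to the side where it is larger
        if f1.get(q, 0) >= f2.get(q, 0):
            h1 *= q ** f1[q]
        else:
            h2 *= q ** f2[q]
    return mul(mpow(A1, k1 // h1), mpow(A2, k2 // h2))

def is_field(alpha):
    """Lemma 1: F_2[alpha] = span{I, ..., alpha^(s-1)} is a field iff it has no non-zero singular element."""
    s = len(alpha)
    powers = [mpow(alpha, i) for i in range(s)]
    span = (tuple(reduce(xor, (powers[i][r] for i in range(s) if c >> i & 1), 0) for r in range(s))
            for c in range(1, 1 << s))
    return all(inv(X) is not None for X in span)

def blocks(M, m, s):  # split an ms x ms matrix into its m x m grid of s x s blocks
    mask = (1 << s) - 1
    return [[tuple((M[i * s + r] >> (s * (m - 1 - j))) & mask for r in range(s))
             for j in range(m)] for i in range(m)]

def assemble(blk, m, s):
    return tuple(reduce(lambda acc, j: (acc << s) | blk[i][j][r], range(m), 0)
                 for i in range(m) for r in range(s))

def decompose(B, m, s):
    """Algorithm 3 with Q = I: (alpha, P, N) with B_ij = alpha^N(i,j) * P (N(i,j) None for a
    zero block), or None (the paper's bottom) if B has no representation over F_{2^s}."""
    Bb = blocks(B, m, s)
    invertible = [(i, j) for i in range(m) for j in range(m) if inv(Bb[i][j])]
    if not invertible:
        return None
    P = Bb[invertible[0][0]][invertible[0][1]]          # pivot block B_{k',l'}; P := B_{k',l'}
    Pinv = inv(P)
    alpha = reduce(combine, [mul(Bb[i][j], Pinv) for i, j in invertible])   # Algorithm 1
    if not is_field(alpha):                             # minimal polynomial of alpha reducible
        return None
    dlog = {mpow(alpha, e): e for e in range(order(alpha))}
    N = [[None] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            X = mul(Bb[i][j], Pinv)
            if any(X) and X not in dlog:                # a block ratio outside <alpha>
                return None
            N[i][j] = dlog.get(X)
    return alpha, P, N

# Constructed demonstration data (assumptions, not from the paper): p = 2, s = 4, m = 2.
S_DIM, M_DIM = 4, 2
ALPHA = (0b0001, 0b1001, 0b0100, 0b0010)   # multiplication by a root of x^4 + x + 1 (order 15)
N_ORIG = [[0, 1], [3, 7]]                   # chosen exponents: A_ij = ALPHA^N_ORIG[i][j]
A_MAT = assemble([[mpow(ALPHA, e) for e in row] for row in N_ORIG], M_DIM, S_DIM)
P_OBF = (0b1100, 0b0100, 0b0011, 0b0001)   # arbitrary invertible matrices that are not
Q_OBF = (0b1000, 0b1100, 0b0010, 0b0101)   # field elements; B = Q^{(+)2} * A * P^{(+)2}
B_MAT = assemble([[mul(mul(Q_OBF, X), P_OBF) for X in row]
                  for row in blocks(A_MAT, M_DIM, S_DIM)], M_DIM, S_DIM)
bad = blocks(B_MAT, M_DIM, S_DIM)           # B_BAD: block (1,1) hides a matrix of order 2,
bad[1][1] = mul(mul(Q_OBF, (0b0100, 0b1000, 0b0010, 0b0001)), P_OBF)  # which lies in no field
B_BAD = assemble(bad, M_DIM, S_DIM)
```

On `A_MAT` the routine returns `ALPHA`, the identity and the exponents `[[0, 1], [3, 7]]`; on `B_MAT` it returns $Q\alpha Q^{-1}$, $QP$ and the same exponents, i.e., the original matrix up to the similarity discussed in the next subsection, because the pivot block is $QP$ and every ratio $B_{i,j}B_{k',\ell'}^{-1}$ equals $Q\alpha^{N(i,j)}Q^{-1}$; on `B_BAD` it returns `None`, since the ratio for block $(1,1)$ has order 2 and no element of $\mathbb{F}_{2^4}^*$ does.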

On the Degrees of Freedom by the Designer
Algorithm 3 recovers a simply-obfuscated matrix $A$ with entries from a finite field $\mathbb{F}_{p^s}$ up to the simplification that, without loss of generality, $Q$ is assumed to be the identity matrix. In other words, it outputs only one of several possible solutions of the decomposition. When it comes to cryptanalysis or to studying implementation properties of the whole primitive, it might be crucial to recover the original matrix $A$ chosen by the designer, or at least a matrix $A'$ which is "as close as possible" to $A$. In this section we deal with this problem. The next lemma is crucial to settling it.

Algorithm 3 SimplyObfuscatedMatrixDecomposition
Input: Positive integers $m, s$ and a matrix $B \in \mathrm{Mat}(m \cdot s, \mathbb{F}_p) \setminus \{0\}$.
Output: A matrix $P \in GL(s, \mathbb{F}_p)$ and $A \in \mathrm{Mat}(m \cdot s,$

Lemma 4. and $F_k$ being the representation matrix of the Frobenius automorphism $x \mapsto x^{p^k}$ with respect to the basis $1, \dots, \alpha^{s-1}$.
Proof. First note that $\alpha$ is similar to a companion matrix with an irreducible minimal polynomial, and the statement is true if and only if it is true for the corresponding companion matrix. Hence, w.l.o.g., $\alpha$ is a companion matrix with minimal polynomial $m_\alpha(x)$. Let $a$ be a zero of $m_\alpha(x)$ in the standard representation of $\mathbb{F}_{p^s}$. We get $\mathbb{F}_{p^s} = \mathbb{F}_p[a]$. Moreover, $1, a, \dots, a^{s-1}$ is an $\mathbb{F}_p$-basis of $\mathbb{F}_p[a]$, and $1, \alpha, \dots, \alpha^{s-1}$ is an $\mathbb{F}_p$-basis of $\mathcal{M}$. The embedding $\Phi\colon \mathbb{F}_p^s \to \mathbb{F}_{p^s}$ is defined by $e_i \mapsto a^{i-1}$, where $e_i = (0, \dots, 0, 1, 0, \dots, 0)^T$ (with the 1 in the $i$-th position), $i = 1, \dots, s$, denotes the $i$-th canonical unit vector. Note that in this way $\alpha$ becomes the representation matrix of the multiplication map $x \mapsto ax$ with respect to $1, a, \dots, a^{s-1}$. Let $F_k$ denote the representation matrix of the Frobenius automorphism $x \mapsto x^{p^k}$ with respect to $1, a, \dots, a^{s-1}$. For $v \in \mathbb{F}_p^s$ and $A \in \mathrm{Mat}(s, \mathbb{F}_p)$ we denote by $A(v)$ the matrix-vector product. The equation We will now show that, for $L \in GL(s, \mathbb{F}_p)$, the equation $\alpha = L \alpha^{p^k} L^{-1}$ holds if and only if $L = \beta' F_{s-k}$ for an element $\beta' \in \mathcal{M} \setminus \{0\}$. The equation $\alpha = L \alpha^{p^k} L^{-1}$ is equivalent to $\alpha L = L \alpha^{p^k}$. Now $\alpha(e_1)$ corresponds to $a$. By abuse of notation, but for the sake of clarity, we use $\alpha^j(e_1)$ and $a^j$ synonymously. Hence, $L(\alpha^{p^k}(e_1)) = L F_k \alpha(e_1)$ corresponds to $L F_k(a)$. It follows that $\alpha(L(e_1)) = L(a^{p^k})$. Note that $L(e_1)$ corresponds to an element $b' \in \mathbb{F}_{p^s}$, so $\alpha(L(e_1))$ is identical to $a \cdot b' = b' \cdot a$. With $\alpha = L \alpha^{p^k} L^{-1}$ we also have $\alpha^i = L \alpha^{i p^k} L^{-1}$, $i = 0, \dots, s-1$. In the same vein it follows that $\alpha^i(L(e_1)) = b' a^i = L(a^{i p^k}) = L F_k(a^i)$ for $i = 0, \dots, s-1$. As $1, a, \dots, a^{s-1}$ forms a polynomial basis, it follows that the representation matrix $\beta'$ of multiplication by $b'$ equals $L F_k$, and by composing with $F_{s-k}$ from the right we finally get $L = \beta' F_{s-k}$. Thus $Q_1^{-1} Q_2 = \beta' F_{s-k}$. It follows that $Q_2 F_k \beta'^{-1} = Q_1$. We have $F_k \beta'^{-1} = \beta'^{-p^k} F_k$. By setting $\beta := \beta'^{-p^k}$ the result follows.
The next theorem shows how close one can get to the original matrix A, given the simply-obfuscated matrix B.

Theorem 4. Let us be given a simply-obfuscated matrix $B = Q^{\oplus m} \cdot A \cdot P^{\oplus m} \neq 0$ with $P, Q \in GL(s, \mathbb{F}_p)$ and $A = [\gamma^{N(i,j)}]_{1 \leq i,j \leq m}$, $s > 1$. Thereby $\gamma$ is the representation matrix for multiplication with a primitive element of $\mathbb{F}_{p^s}^*$ with respect to a basis $\mathcal{B}$. Let $B_{k',\ell'} \in GL(s, \mathbb{F}_p)$ and $\zeta$ generate a matrix representation of $\mathbb{F}_{p^s}$, i.e., $1, \zeta, \dots, \zeta^{s-1}$ defines a polynomial basis. Then, for any primitive element $g \in \mathbb{F}_{p^s}^*$, a companion matrix $\alpha$ of $g$ and matrices $Q' = Q L \beta_1 F_k$, $P' = P^{-1} L \beta_2 F_k$ can be computed from $B$ and $\zeta$ such that³ where $c$ is such that $\alpha^c = \beta_1^{-1} \beta_2$ and $d$ such that $L \alpha^d L^{-1} = \gamma$. The complexity of this computation is $O(s^{2 \cdot 3})$ elementary field operations plus the computation of one discrete logarithm with respect to $g$ or $\alpha$.
Proof. Let us choose a primitive element $g$ of $\mathbb{F}_{p^s}^*$ and let $\alpha$ be its companion matrix. Let $L$ denote the transition matrix from $1, g, \dots, g^{s-1}$ to $\mathcal{B}$. As $g$ and $\gamma$ are primitive elements, there exists an exponent $d$ with $\gcd(d, p^s - 1) = 1$ such that $- 1)$, and $\zeta$ can be rewritten as $Q L \alpha^{e p^k} L^{-1} Q^{-1}$ (where $e := d e'$). The exponent $e$ is determined by considering the characteristic polynomial $\chi_\zeta$ of $\zeta$, which is identical to $\chi_{\gamma^{e'}}$, and computing a discrete logarithm with respect to $g$ or $\alpha$, respectively. Moreover, $p^k$ cannot be determined uniquely, as a characteristic polynomial determines a zero only up to application of the Frobenius automorphism. By Lemma 4, the equation $\zeta = Q' \alpha^e Q'^{-1}$ has the solutions $Q' = Q L \beta_1 F_k$, where $\beta_1$ is the representation matrix of multiplication with a field element $\beta_1$ and $F_k$ the representation matrix of the Frobenius automorphism $x \mapsto x^{p^k}$ with respect to $1, \dots, g^{s-1}$. By solving the equation $\zeta Q' = Q' \alpha^e$, the matrices $Q'$ can be computed with $s^{2 \cdot 3}$ arithmetic field operations. Let $\zeta' := B_{k',\ell'}^{-1} \cdot \zeta \cdot B_{k',\ell'}$. Then $\zeta' = P^{-1} \gamma^{e' p^k} P$, and thus we can compute $P' = P^{-1} L \beta_2 F_k$ in the same vein. It follows that (Q
Note that with Algorithm 3 one can check whether Theorem 4 is applicable and determine $s$. The element $\zeta$ can be found using Algorithm 1. Theorem 4 then shows that one is able to recover a representation based on companion matrices, which may serve as a good enough substitute for the original matrix chosen by the designer in order to conduct, e.g., cryptanalysis or implementation optimization. However, if we are not interested in deriving such a representation based on companion matrices, we can omit the computation step of complexity $O(s^{2 \cdot 3})$ and the discrete logarithm computation of Theorem 4. Indeed, we can formulate the following corollary, which shows that, up to similarity, we can pin down $A$ to $(p^s - 1)^2$ possibilities. Corollary 1. Let $s > 1$.
Given a simply-obfuscated matrix $B = Q^{\oplus m} \cdot A \cdot P^{\oplus m} \neq 0$ with $P, Q \in GL(s, \mathbb{F}_p)$ and $A = [\gamma^{N(i,j)}]_{1 \leq i,j \leq m}$ for a primitive element $\gamma \in \mathbb{F}_{p^s}^*$, let $\alpha$ be an arbitrary primitive element of $\mathbb{F}_{p^s}^*$, and let $B_{k',\ell'} \in GL(s, \mathbb{F}_p)$ and $\zeta$ be such that $1, \zeta, \dots, \zeta^{s-1}$ defines a polynomial basis of $\mathbb{F}_{p^s}$. Then there exist $L \in GL(s, \mathbb{F}_p)$ and $c, d \in \{0, 1, \dots, p^s - 2\}$ such that $A = [L \alpha^{d N(i,j) + c} L^{-1}]_{1 \leq i,j \leq m}$.

Heavy Obfuscation
Again, let $s, m$ be positive integers and let $n = s \cdot m$. The problem we study in this section is, given a matrix $B \in \mathrm{Mat}(n, \mathbb{F}_p)$, to decide whether there exist matrices $P_1, P_2, \dots, P_m \in GL(s, \mathbb{F}_p)$ and $Q_1, Q_2, \dots, Q_m \in GL(s, \mathbb{F}_p)$ and a matrix $A \in \mathrm{Mat}(n, \mathbb{F}_p)$ which can be represented as a matrix over $\mathbb{F}_{p^s}$ such that $B$ has the form given in Relation (4). In the following, we restrict to the simpler case in which $B$ (and therefore also $A$) does not contain a zero block, i.e., $0 \notin \{A_{i,j} \mid 1 \leq i, j \leq m\}$. This is a reasonable assumption when $B$ is the linear layer of a block cipher or cryptographic permutation; for instance, in an MDS matrix all square submatrices are invertible [MS77].
Again, a representation as in (4) (if it exists) is not unique. For instance, without loss of generality, we can assume that $Q_1$ is the identity matrix, as changing $Q_1$ only applies a change-of-basis transformation to the elements of $A$. Our goal is to recover a matrix representation $\mathcal{M}$ of $\mathbb{F}_{p^s}$ and to find $\alpha \in \mathcal{M} \setminus \{0\}$ and exponents $N(i,j) \in \mathbb{N}$, $i, j = 1, \dots, m$, such that $A$ is given as in (1).

The group is cyclic and generated by an element $\alpha \in GL(s, \mathbb{F}_p)$ with irreducible minimal polynomial.
Proof. Having any representation of B as But if H is not invertible, also H ′ is not invertible, a contradiction to the fact that A can be represented as a matrix over F p s .
Let now both of the Conditions 1 and 2 hold. Let . . , m⟩ = ⟨α⟩ with α having an irreducible minimal polynomial. By Lemma 1, we have that ⟨α⟩ ⊆ M\{0} for a matrix representation M of F p s . Let now A ∈ Mat(n, F p ) be such that i.e., for each i, j ∈ {1, . . . , m}, we define A i,j : Algorithm 4 recovers α, Q 2 , . . . , Q m , P 1 , P 2 , . . . , P m and N (i, j) ∈ N for 1 ≤ i, j ≤ m such that A = [α N (i,j) ] 1≤i,j≤m (if it exists) and outputs ⊥ otherwise (note that we assume without loss of generality Q 1 to be the identity, denoted I s ). Again, the running time is dominated by solving m 2 discrete logarithms over F * p s for recovering the exponents N (i, j) for i, j ∈ {1, . . . , m}.

On the Degrees of Freedom by the Designer
Again, as we already saw in the case of simple obfuscation, the decomposition of a heavily-obfuscated matrix B into P_1, ..., P_m, Q_1, ..., Q_m and A is not unique. To precisely reveal the possible degrees of freedom, one can proceed in the same vein as in Theorem 4. Doing so yields the following theorem, which we state without proof.

Theorem 6. Let us be given a heavily-obfuscated matrix B as in Relation (4) with P_1, P_2, ..., P_m, Q_1, Q_2, ..., Q_m ∈ GL(s, F_p) and A = [A_{i,j}]_{1≤i,j≤m} ∈ Mat(n, F_p) that can be represented as a matrix over F_{p^s} and not containing a zero block, i.e. A = [γ^{N(i,j)}]_{1≤i,j≤m}, s > 1 and N(i, j) ∈ N for i, j ∈ {1, ..., m}. Thereby γ is the representation matrix for the multiplication with a primitive element of F_{p^s}^* with respect to a basis B. a matrix representation of F_{p^s}, i.e., 1, ζ, ..., ζ^{s−1} defines a polynomial basis. Then, for any primitive element g ∈ F_{p^s}^*, a companion matrix α of g and matrices

The complexity for this computation is O(m s^{2·3}) elementary field operations, and the computation of m discrete logarithms with respect to g or α.
Again, if we are not interested in deriving a representation based on companion matrices, we can omit the computation step of complexity O(m s^{2·3}) and the computation of the discrete logarithms. Indeed, we can formulate the following corollary.

Recovering MDS Constructions - The Case of Cauchy Matrices
There are several ways to construct MDS matrices. If we are given an arbitrary MDS matrix over a finite field, e.g., by applying the decomposition methods described earlier, as a next step, it would be interesting to reveal how the actual matrix was constructed. In the following, we explain methods to algorithmically decide whether an (obfuscated) MDS matrix follows a Cauchy construction and to decompose the underlying structure.

Deciding Whether an MDS Matrix Is Cauchy
Cauchy matrices are of interest in symmetric cryptography as they yield MDS matrices in a very simple manner (see [RS85]). Cauchy matrices can be used to construct maximum distance separable (MDS) codes and are often used as linear layers in block cipher and hash function designs due to their optimal diffusion properties. Thus, given an MDS matrix recovered by one of our approaches, it is very natural to check if it is a Cauchy matrix and thereby reveal more structure of the possible design criteria. In this section we give an algorithm to do so.
Definition 3 (See, e.g., [RS85] We will see that this way all possibilities to represent A are covered. To detect whether A is a Cauchy matrix, we could derive a linear system with the 2m unknowns α^{N(i)} and α^{N′(j)} and m^2 equations. If the system has a solution, we can afterwards (if needed) reveal the exponents by computing 2m discrete logarithms.

The system of equations is of the form l_{i,j} := x_i − y_j − a_{i,j} = 0 with unknowns x_i, y_j, 1 ≤ i, j ≤ m. The case m = 1 is trivial. Thus, we assume m ≥ 2 in the following. Subtracting successively l_{1,j} − l_{1,j+1}, j = 1, ..., m − 1, yields

−y_1 + y_2 − a_{1,1} + a_{1,2} = 0
−y_2 + y_3 − a_{1,2} + a_{1,3} = 0
...
−y_{m−1} + y_m − a_{1,m−1} + a_{1,m} = 0    (7)

Obviously y_m can be chosen as a free parameter. Once a value b ∈ F_{p^s}^* is assigned to y_m, the whole system is uniquely determined. Hence, if the system is solvable, the solution space is a 1-dimensional affine subspace, which can be split into

Proof. From System (7), by setting y_m = 0, we obtain all the relations for v_m as described in 2. From the condition

Using these methods, we show in Section 6 that the matrix used in the linear layer of Streebog is indeed a Cauchy matrix. To the best of our knowledge, this was not pointed out previously in the literature.
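As an added example that is not part of the paper, the Cauchy test of this section carried out over F_{2^8}: the entries are inverted to a_{i,j} = A_{i,j}^{-1} (assumption: this is what a_{i,j} denotes in System (7)), y is obtained from the free parameter y_m via (7), x from the first column, and the remaining m^2 equations are checked. The field modulus is the Streebog polynomial X^8 + X^6 + X^5 + X^4 + 1 from Section 6; the 4 × 4 input matrix is constructed from chosen x_i, y_j.

```python
# Added example (not the paper's code): decide whether a matrix over F_{2^8}
# is a Cauchy matrix A[i][j] = 1/(x_i - y_j) by solving the linear system (7)
# derived from l_{i,j} = x_i - y_j - a_{i,j} = 0, with y_m as free parameter.
# Assumption: a_{i,j} = A_{i,j}^{-1}. Field: F_{2^8} modulo X^8+X^6+X^5+X^4+1
# (the polynomial recovered for Streebog); in characteristic 2, "-" is XOR.
Q = 0x171  # X^8 + X^6 + X^5 + X^4 + 1

def gf_mul(a, b):
    """Multiply two elements of F_{2^8} (polynomials stored as 8-bit ints)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= Q
        b >>= 1
    return r

def gf_inv(a):
    """a^-1 = a^(2^8 - 2) by square-and-multiply (a must be nonzero)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def cauchy_matrix(xs, ys):
    """Constructed input: [1/(x_i - y_j)] for pairwise distinct xs, ys."""
    return [[gf_inv(x ^ y) for y in ys] for x in xs]

def recover_cauchy(A, b=0):
    """Return (x, y) with A[i][j] = 1/(x_i - y_j) and y_m = b, or None.

    Row 1 of the system fixes y via (7), column 1 then fixes x, and all
    m^2 equations l_{i,j} = 0 are verified afterwards.
    """
    m = len(A)
    if any(v == 0 for row in A for v in row):    # Cauchy entries are never 0
        return None
    a = [[gf_inv(v) for v in row] for row in A]  # a_{i,j} = x_i - y_j
    y = [0] * m
    y[m - 1] = b
    for j in range(m - 2, -1, -1):   # -y_j + y_{j+1} - a_{1,j} + a_{1,j+1} = 0
        y[j] = y[j + 1] ^ a[0][j + 1] ^ a[0][j]
    x = [a[i][0] ^ y[0] for i in range(m)]       # x_i = a_{i,1} + y_1
    if any(x[i] ^ y[j] != a[i][j] for i in range(m) for j in range(m)):
        return None
    return x, y
```

Different values of b return the same solution shifted by a constant, which is the 1-dimensional affine solution space described above.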
Remark 5. As we discussed in Sections 4.1 and 4.2, a matrix A with entries from a finite field recovered from a (simply- or heavily-) obfuscated matrix is not unique. Unfortunately, it might well be possible that the matrix chosen by the designer is of a Cauchy form, while the one recovered by our methods is not. In the case of a simply-obfuscated MDS matrix B = Q^{⊕m} · A · P^{⊕m} with A being a matrix with entries in F_{p^s}, Corollary 1 gives all (p^s − 1)^2 possible solutions (up to applying the same similarity transformation to the entries of A) for A. Since applying the same similarity transformation to the entries of a Cauchy matrix does not affect the property of being a Cauchy matrix, we could decide whether there exists a solution for a Cauchy matrix A by simply brute-forcing all (p^s − 1)^2 possible choices for the tuple (c, d) given in Corollary 1. This is feasible for usual parameters in block cipher constructions, i.e., p = 2, s ≤ 8.

In the case of heavy obfuscation, we have (p^s − 1)^{2m+1} s^m possible solutions for A, where m denotes the number of rows of A (see Corollary 2). The naive approach of brute-forcing all those choices and checking the Cauchy property quickly becomes infeasible, even for the parameters usually used in practice. For instance, in the case of p = 2, s = 8, m = 4 (the parameters corresponding to an AES MixColumns operation), we would need to brute-force roughly 2^{84} possibilities. In the next section, we will consider an alternative approach to solving that problem based on so-called generalized Cauchy matrices.

Detecting and Recovering Generalized Cauchy Matrices
In order to ease notation, in the following we use lower-case letters for matrices corresponding to field elements to distinguish them from general matrices. We need the notion of a generalized Cauchy matrix, defined as follows. Similarly to the notion of a Cauchy matrix as given in Definition 3, generalized Cauchy matrices are MDS.

Definition 4. [RS85] A matrix A over a field F_{p^s} with entries
is called a generalized Cauchy matrix.

In Section 4.2 we introduced Algorithm 4 that tests if a heavily-obfuscated matrix can be represented over a field extension. The algorithm takes as input a matrix B and, if it is indeed representable over an extension field, computes a matrix representation for the field together with a decomposition of the matrix into a form where G is over an extension field F_{p^s}. Fortunately, if we want to test whether a matrix B corresponds to a heavily-obfuscated generalized Cauchy matrix, the matrix G determined by the algorithm is in fact also generalized Cauchy if the obfuscated matrix A is.

Theorem 8. If B = (Q_1 ⊕ ··· ⊕ Q_m) · A · (P_1 ⊕ ··· ⊕ P_m) is a heavily-obfuscated matrix representation of a generalized Cauchy matrix A over F_{p^s} with Q_1, ..., Q_m, P_1, ..., P_m ∈ GL(s, F_p), then the matrix G returned by Algorithm 4 with entries is also a generalized Cauchy matrix over F_{p^s}.

Proof. By assumption, for i, j ∈ {1, ..., m}, we have it follows that the entries of G are of the form and thus G is a generalized Cauchy matrix over the field F_{p^s}.

Theorem 8 above shows the strength of Algorithm 4 described earlier. Not only does the algorithm discover a conjugate matrix representation of the field of the obfuscated matrix, it also directly provides a matrix which is generalized Cauchy if and only if the matrix that has been obfuscated was originally generalized Cauchy. Thus, in order to check whether a matrix is a heavily-obfuscated generalized Cauchy matrix, we can apply Algorithm 4 to determine a de-obfuscated matrix, which then must be a generalized Cauchy matrix only involving field elements. Thus, the matrix G over F_{p^s} which is returned by Algorithm 4 will have entries of the form

From the definition of generalized Cauchy matrices there are (p^s − 1)^{2m−1} ∏_{i=0}^{2m−1} (p^s − i) parameters to choose from. However, not all of those matrices will be unique. There are many choices of tuples u, u′, v, v′, x, x′, y, y′ ∈ F_{p^s}^m leading to the same fixed generalized Cauchy matrix. These equivalences provide some freedom when we want to determine whether a matrix G is indeed generalized Cauchy. For instance, for any h ∈ F_{p^s} and g_1, g_2, g ∈ F_{p^s}^* with g_1 g_2 = g such that for all 1 ≤ i, j ≤ m. Since an element g ∈ F_{p^s}^* can be expressed as a product g_1 g_2 = g in (p^s − 1) ways, while the number of shifts h ∈ F_{p^s} is exactly p^k, the above equivalences define (p^s − 1)^2 p^s equivalent generalized Cauchy constructions.

Algorithm for Testing Generalized Cauchy
In this section we present an algorithm (Algorithm 5) that, given the output of Algorithm 4, tests whether a matrix over a field is generalized Cauchy by either returning a valid set of Cauchy-defining parameters u, v, x, y ∈ F_{p^s}^m or deciding that it is not a generalized Cauchy matrix. The matrix G returned by Algorithm 4 has an especially nice form. Since the first row and first column are all ones, the entries of the generalized Cauchy matrix satisfy which is related to y_t via which is related to x_t by x_t = v_1 G_{t,1}^{−1} u_t + y_1 = v_1 u_t + y_1. Notice in particular that the values (u_t, x_t) or (v_t, y_t) only depend on the values of the matrix G together with a valid decomposition of the initial upper leftmost 2 × 2 square matrix. Thus consider the first upper leftmost 2 × 2 sub-matrix with entries

The equivalences explained in the previous subsection allow us to fix u_1 = v_1 = 1 and x_1 = 0. From the first equation we find that y_1 = −1. By simplifying (8) and (9) to

v_t = (1 − G_{2,t}^{−1} (x_2 + 1))^{−1} (−x_2),
y_t = −v_t,
u_t = (−y_2 G_{t,2}^{−1} − 1)^{−1} (−(1 + y_2)),
x_t = u_t − 1,

we guess x_2 in the above and get u_2 = x_2 + 1, v_2 and y_2 = −v_2. In case we guess x_2 such that x_2 = G_{2,t} − 1 or y_2 = −G_{t,2} for any t, the algorithm fails. Thus, if we let A = {G_{2,t} − 1 | 0 < t ≤ m} and B = {−G_{t,2} | 0 < t ≤ m}, we pick x_2 such that x_2 is not in A (nor among x_1, y_1) and such that the corresponding y_2 is not in B (nor among x_1, y_1, x_2). If this condition holds, we proceed and compute the rest of the u_i, v_i, x_i, y_i. The number of possible wrong choices for x_2 is exactly 2m − 1 out of p^s. The complete procedure is presented in Algorithm 5 and requires first using Algorithm 4 to recover a field representation and a matrix G.

Algorithm 5 ReverseGeneralizedCauchy
Input: An m × m matrix G over a field which has minimal polynomial q = X^8 + X^6 + X^5 + X^4 + 1 ∈ F_2[X]. Note that (γ^{32})^⊤ = T_q, so by substituting γ by γ^{32} (and adapting the exponents accordingly) and transposing, we obtain the representation as recovered in [KK13]. Note that this is a consequence of Theorem 4, where we choose α = T_q. Recall that by Theorem 4 there exist Q′, P′ such that Q′^{−1} γ^{N(i,j)} P′ = α^{d N(i,j) + c}. Indeed, raising to the power 32 = 2^5 is the application of the Frobenius automorphism x → x^{2^5}, and transposing a matrix is a similarity operation, i.e. A_{i,j}^⊤ = L^{−1} A_{i,j} L for a properly chosen matrix L ∈ GL(s, F_p). Hence A_{i,j}^⊤ = L^{−1} γ^{N(i,j)} L = T_q^{2^{8−5} N(i,j)} = α^{2^3 N(i,j)}, which gives the above identity as requested, with P′ = Q′ = L, d = 2^3 and c = 0. As was remarked in [KK13], the decomposition method of Kazymyrov and Kazymyrova only worked if the matrix used in Streebog is transposed first.

Conclusion
We presented algorithms to detect and recover the existence of structure induced by extension fields in matrices over finite fields. Surprisingly, while being a natural question in algorithmic algebra, even outside of cryptographic applications, we are not aware of previous solutions to this question.
Structure induced by extension fields is certainly the most prominent kind in current designs, and we exhaustively handled that case in our work. In case our algorithms fail to detect any structure coming from extension fields, there might of course exist other, so far unknown, types of structure or design ideas. Here, our work raises many questions on how to detect such types of structure in linear layers, which we feel are worth investigating in future work.