Quasi-Recursive MDS Matrices: Theory & Applications

• Quasi-recursive MDS matrices are generalized recursive matrices that attain maximal diffusion through relaxed companion structures defined over finite fields and Galois rings.
• They utilize skew polynomial rings and σ-twisted multiplications to construct compact diffusion layers with improved implementation efficiency for lightweight cryptography.
• Construction methods leveraging companion matrices and generalized Vandermonde criteria ensure provable MDS properties and enhanced performance in both hardware and software applications.

Quasi-recursive MDS matrices generalize the well-studied class of recursive MDS matrices, offering algebraic frameworks for constructing efficient diffusion layers in symmetric cryptography. These matrices are constructed over finite fields or, more generally, over Galois rings, and are defined by certain algebraic properties that guarantee maximal diffusion—formally, the maximal possible branch number for a given size. Quasi-recursive constructions relax the strict companion structure of classical recursive MDS matrices by introducing additional structural flexibility (such as block-bandedness or σ-twisted multiplication), while maintaining compact representation and strong algebraic criteria for the MDS property. Recent research extends these constructions to skew polynomial rings and the non-commutative setting, yielding large families of new matrices with tunable implementation profiles suitable for lightweight cryptographic primitives (Augot et al., 2013, Ali et al., 19 Dec 2025).

1. Algebraic Foundations and Galois Ring Framework

Quasi-recursive MDS matrices are defined over both finite fields $\mathbb{F}_{q^s}$ and Galois rings $GR(p^s, p^{sm})$, which are local rings of characteristic $p^s$ with residue field $\mathbb{F}_{p^m}$. Galois rings are constructed as $$GR(p^s, p^{sm}) \simeq \mathbb{Z}_{p^s}[Y]/\langle f(Y)\rangle$$, where $f$ is a monic basic-primitive polynomial of degree $m$. Automorphisms of these rings, particularly the Frobenius automorphism and its powers, underpin the construction of skew polynomial rings $GR(p^s, p^{sm})[X; \sigma]$. In these rings, multiplication is defined so that $X a = \sigma(a) X$ for any automorphism $\sigma$, rendering the ring non-commutative unless $\sigma$ is the identity.

The primary algebraic objects used in quasi-recursive constructions are monic skew polynomials and their companion matrices. Skew polynomial rings support right Euclidean division and admit rich factorization structures, enabling the definition of generalized companion matrices and criteria for the MDS property in broader algebraic settings.

2. Formal Definitions and MDS Property

Let $M \in M_{k}(R)$ be a $k \times k$ matrix over a ring $R$. $M$ is called MDS (Maximum Distance Separable) if every $t \times t$ minor ($1 \leq t \leq k$) has determinant in the unit group $U(R)$. The branch number of $M$ is $B(M) = \min_{v \ne 0} [w(v) + w(Mv)]$, where $w(v)$ is the Hamming weight of $v$. For an MDS matrix, $B(M) = k+1$, saturating the Singleton-type bound.

Recursive MDS matrices typically arise as the $l$th power of a companion matrix in the field setting; i.e., $M = C^l$ for $C$ a companion matrix defined via a vector of companion coefficients $c_0, c_1, \dots, c_{l-1}$. In quasi-recursive constructions, the strict power structure is relaxed to allow, for example, products of $\sigma$-twisted companions: $M = C_g^{[t-1]}\cdots C_g$, where $C_g^{[i]}$ denotes application of the automorphism $\sigma^i$ to every entry of $C_g$. M is then called quasi-recursive MDS if, for some $r \geq 1$, $M^{[r-1]} \cdots M^{[1]}M$ is MDS.

The algebraic characterization of the MDS property is reduced to the invertibility of all minors of the symbolic matrix $M(X)$ modulo the minimal polynomial of the underlying operator or in terms of the unit group of the Galois ring.

3. Construction Methods and Criteria

Several construction paradigms for quasi-recursive MDS matrices have been established via the theory of skew polynomials:

• Companion Matrix Construction: For a given monic polynomial $$g(X) = g_0 + g_1 X + \cdots + g_{k-1} X^{k-1} + X^k$$ in a skew polynomial ring, the companion matrix $C_g$ is defined with appropriate subdiagonal and last-row structure. Products of $\sigma$-twists (i.e., $C_g^{[i]}$) yield quasi-recursive matrices.
• Weight Criterion: If $g(X)$ is a right-divisor of $X^n - 1$ with $n \geq 2k$, then the $k \times k$ matrix $N_g = [X^k \bmod_* g, \ldots, X^{2k-1} \bmod_* g]$ is MDS if and only if every nonzero left multiple $c(X)*g(X)$ of degree $<2k$ has Hamming weight at least $k+1$.
• Vandermonde (W-Polynomial) Criterion: If $g(X)$ admits a factorization via right roots $a_1, \dots, a_k$ in an extension ring, then $M = C_g^{[t-1]} \cdots C_g$ is MDS if and only if every $k \times k$ minor of the generalized $\sigma$-Vandermonde matrix $V_n^\sigma(a_1, \dots, a_k; E)$ is in $U(GR)$, where $E$ specifies an appropriate index set.
• Perturbation and Block-Banded Variants: Companion constructions can be perturbed by scaling roots by units or adding nilpotent elements; certain block-banded feedback matrices extend the permitted structure beyond pure shifts. These variants (loosening the strict recursive companion form) are at the core of the quasi-recursive designation.

Direct algorithms for constructing such matrices involve picking Teichmüller lifts, choosing root patterns, forming the associate skew polynomial, and verifying MDS via checking generalized Vandermonde minors.

4. Complexity, Implementation, and Representation

Quasi-recursive constructions yield extremely compact representations: for a $k \times k$ MDS matrix over $F_{2^s}$, only $k \cdot s$ bits are needed to encode the companion coefficients, as opposed to $O(k^2 s)$ for a general dense matrix. When the coefficients are monomials $L^{e_i}$, even more succinct exponent encodings suffice.

Implementation metrics emphasize the efficiency in both hardware and software:

• Hardware: Each matrix step (application of the companion structure) uses $k-1$ XOR and shift units, and the full $C^k$ evaluation completes in $k$ cycles. For quasi-recursive variants with sparse or block-banded structure, complexity remains $O(k)$, compared to $O(k^2)$ for dense MDS multiplications.
• Software: Direct register-level manipulations (XORs, rotates) replace field multiplication lookups, achieving empirically measured speedups of $3\times$–$5\times$ in lightweight cryptographic codecs such as LED and PHOTON for $k=8, 16$ (Augot et al., 2013).
• Complexity of Search: Brute-force search for companion tuples grows as $(2^s)^{k-1}$. For $s=4, k=8$ this is $2^{27.3}$ candidates; for $s=5, k=16$ with symmetry, about $2^{37.4}$. Direct algebraic constructions in the non-commutative or Galois ring setting expand accessible matrix sizes beyond the brute-force limit (Ali et al., 19 Dec 2025).

5. Specialization to $\mathbb{F}_{2^m}$ and Galois Rings

For $s=1, p = 2$, the Galois ring formalism specializes to $\mathbb{F}_{2^m}$, where all nilpotent perturbations vanish and automorphisms are Frobenius $x \mapsto x^2$ and its powers. In this context:

• Criteria simplify: All minors reduce to standard determinants over the finite field, which can be tested via classical methods.
• Direct construction: Explicit MDS matrices are constructed by setting roots $a_j = \beta^{b + j - 1}$ for $\beta$ a primitive element. These yield involutory matrices when $g(X)$ factors completely, which is advantageous for cryptographic implementations requiring both forward and inverse diffusion.
• Structural properties: Palindromic symmetry in companion coefficients ($c_i = c_{k - i}$) is observed empirically in found solutions, enhancing implementation efficiency.

In the general Galois ring setting, the use of skew polynomials, Teichmüller roots, and nilpotent perturbations dramatically enlarge the repertoire of explicit constructions, enabling efficient MDS matrices in characteristic $p^s > 2$, non-commutative rings, or for block sizes and parameter sets beyond those addressable by field-based search (Ali et al., 19 Dec 2025).

6. Cryptographic Applications and Security Implications

Quasi-recursive MDS matrices enable optimal one-round diffusion in substitution-permutation networks, hash functions, and lightweight block ciphers. The maximal branch number guarantees that for any nonzero input difference of weight $t$, the output difference spreads to at least $k + 1 - t$ symbols, which is crucial for thwarting differential and linear cryptanalysis.

Their compact description, implementation in $O(k)$ gates or cycles, and compatibility with shift-register-based hardware architectures make them particularly attractive for low-area, low-latency cryptographic circuits.

A distinctive trait is the ability, in certain cases, to construct involutory quasi-recursive MDS matrices ($M^{[k]}M = I$), which enables identical hardware to compute both the MDS transform and its inverse, streamlining the design of encryption/decryption circuits and hash invertibility.

The extension to quasi-recursive and skew-polynomial frameworks unifies field, ring, and non-commutative approaches, producing candidates suited to emerging applications in post-quantum cryptography and privacy-preserving computation.

7. Research Directions and Outlook

The development of direct construction techniques for quasi-recursive MDS matrices over Galois rings, as advanced in recent work (Ali et al., 19 Dec 2025), provides a principled pathway to systematically enlarge the class of available matrices beyond those found by exhaustive search in the field setting (Augot et al., 2013). The algebraic criteria—particularly those involving W-polynomial roots and generalized Vandermonde determinants—enable provably MDS constructions for diverse algebraic environments.

Ongoing questions include the search for explicit algebraic constructions for larger matrices (e.g., $k=32$), a comprehensive theory of block-banded and perturbed feedback structures, and systematic cryptanalysis of new construction families. The corollaries on decomposition of minimal polynomials and isomorphism indicate the portability of quasi-recursive templates across contexts with matching minimal polynomial structures, enhancing their practical applicability and composability for cryptographic design.