The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we make comparisons between the results of NMDS and MDS matrices whenever possible. For the recursive approach, we study the DLS matrices and provide some theoretical results on their use. Some of the results are used to restrict the search space of the DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order $n\geq 4$ with fixed XOR value of 1 cannot be an NMDS when raised to a power of $k\leq n$. Following that, we use the generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order $n>4$ cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over $\mathbb{F}_{2^4}$, respectively.
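The distinction the abstract draws between MDS and NMDS matrices rests on the branch number, and the hardware comparisons rest on XOR counts. The following added example (not code from the paper) makes both concrete over $\mathbb{F}_{2^4}$: it computes the differential branch number of a 4x4 matrix by exhaustive search, classifies the matrix as MDS (branch number 5), NMDS (branch number 4) or neither, and reports a naive direct XOR count. Assumptions: the field is represented with the irreducible polynomial $x^4+x+1$; the Midori M4 matrix circ(0,1,1,1) and a Cauchy matrix (MDS by construction) are used as constructed inputs; the XOR metric is the simple direct count, not the refined metrics the paper uses, so its numbers are not expected to match the paper's.

```python
"""Branch number and naive XOR count of diffusion matrices over GF(2^4).

Added example, not taken from the paper. Assumptions: GF(2^4) is
represented with the irreducible polynomial x^4 + x + 1 (elements are
ints 0..15); the Midori M4 matrix and a Cauchy matrix are constructed
sample inputs.
"""
from itertools import product

M_BITS = 4
POLY = 0b10011  # x^4 + x + 1 (assumed choice of irreducible polynomial)


def gf_mul(a, b):
    """Multiply two GF(2^4) elements: carry-less product reduced mod POLY."""
    r = 0
    for _ in range(M_BITS):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M_BITS):
            a ^= POLY
    return r


def gf_inv(a):
    """Multiplicative inverse by brute force; the field has only 15 units."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^4)")
    for x in range(1, 1 << M_BITS):
        if gf_mul(a, x) == 1:
            return x


def mat_vec(m, x):
    """Matrix-vector product over GF(2^4); addition is XOR."""
    out = []
    for row in m:
        acc = 0
        for a, xi in zip(row, x):
            acc ^= gf_mul(a, xi)
        out.append(acc)
    return out


def weight(v):
    """Number of nonzero field elements in a vector."""
    return sum(1 for e in v if e != 0)


def branch_number(m):
    """Differential branch number: min over nonzero x of wt(x) + wt(M x).

    Exhaustive over all 16^n inputs, so only practical for small n.
    """
    n = len(m)
    best = n + 1  # Singleton bound: the branch number never exceeds n + 1
    for x in product(range(1 << M_BITS), repeat=n):
        if not any(x):
            continue
        best = min(best, weight(x) + weight(mat_vec(m, x)))
    return best


def classify(m):
    """MDS if branch number is n+1, NMDS if it is n, otherwise neither."""
    n = len(m)
    b = branch_number(m)
    if b == n + 1:
        return "MDS"
    if b == n:
        return "NMDS"
    return "neither"


def d_xor(a):
    """Direct XOR count of multiplying by a fixed element a: the number of
    ones in the 4x4 binary multiplication matrix minus one per nonzero row."""
    cols = [gf_mul(a, 1 << j) for j in range(M_BITS)]
    total = 0
    for i in range(M_BITS):
        ones = sum((c >> i) & 1 for c in cols)
        total += max(ones - 1, 0)
    return total


def matrix_xor_count(m):
    """Naive direct XOR count of a matrix: cost of the constant
    multiplications plus M_BITS XORs for each extra nonzero entry per row."""
    total = 0
    for row in m:
        nz = [a for a in row if a]
        total += sum(d_xor(a) for a in nz) + M_BITS * (len(nz) - 1)
    return total


def cauchy_matrix(xs, ys):
    """Cauchy matrix with entries 1/(x_i + y_j). Every square submatrix is
    again Cauchy and nonsingular, so the matrix is MDS over any field as long
    as the x_i are distinct, the y_j are distinct and no x_i + y_j is zero."""
    return [[gf_inv(x ^ y) for y in ys] for x in xs]


# Constructed sample matrices (entries are GF(2^4) elements as ints).
MIDORI_M4 = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0]]
CAUCHY_4 = cauchy_matrix([0, 1, 2, 3], [4, 5, 6, 7])  # all sums lie in 4..7
ALL_ONES_4 = [[1] * 4 for _ in range(4)]  # rank 1, so not even NMDS

if __name__ == "__main__":
    for name, m in [("Midori M4", MIDORI_M4), ("Cauchy", CAUCHY_4),
                    ("all-ones", ALL_ONES_4)]:
        print(name, classify(m), "branch =", branch_number(m),
              "naive XORs =", matrix_xor_count(m))
```

The Midori matrix comes out NMDS with 32 XORs under this naive metric, which is why the paper's figure of 24 XORs for an order-4 NMDS matrix is a meaningful improvement: the gain comes from a better matrix and a sharper accounting of shared XORs, not from this simple per-entry count.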