The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we compare the results for NMDS and MDS matrices whenever possible. For the recursive approach, we study DLS matrices and provide some theoretical results on their use. Some of these results are used to restrict the search space of DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order $n\geq 4$ with a fixed XOR value of 1 cannot be an NMDS matrix when raised to a power $k\leq n$. Following that, we use generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order $n>4$ cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over $\mathbb{F}_{2^4}$, respectively.
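The distinction the abstract rests on is the branch number: for an $n \times n$ matrix $M$ over a field, $\mathcal{B}(M) = \min_{x \neq 0}\,(\mathrm{wt}(x) + \mathrm{wt}(Mx))$, where $\mathrm{wt}$ counts nonzero coordinates. An MDS matrix reaches the maximum $n+1$; an NMDS matrix has branch number exactly $n$. The following Python script is an added worked example, not code from the paper, that computes the branch number exhaustively over $\mathbb{F}_{2^4}$ and also checks the involutory property mentioned for Toeplitz matrices. The field is represented as $\mathbb{F}_2[x]/(x^4+x+1)$, which is an assumption of the example (the abstract fixes no representation). It contrasts a Cauchy matrix, which is MDS by construction because every square submatrix is again Cauchy and hence nonsingular, with the binary zero-diagonal $4 \times 4$ matrix used as the MixColumn of Midori, which is involutory and has branch number 4, i.e. NMDS.

```python
"""Branch number of small diffusion matrices over F_{2^4}: MDS versus NMDS.

Added example; the field modulus x^4 + x + 1 and the sample matrices are
choices of this example, not taken from the paper's abstract.
"""
from itertools import product

POLY = 0x13  # x^4 + x + 1, an irreducible polynomial over F_2 (assumption)


def gf16_mul(a, b):
    """Multiply two elements of F_{2^4}, encoded as 4-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r


# Full multiplication table so the exhaustive search stays cheap.
MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]


def gf16_inv(a):
    """Multiplicative inverse of a nonzero element, by table lookup."""
    for b in range(1, 16):
        if MUL[a][b] == 1:
            return b
    raise ZeroDivisionError("0 has no inverse in F_{2^4}")


def mat_vec(m, x):
    """Matrix-vector product over F_{2^4} (row-major matrix, list vector)."""
    out = []
    for row in m:
        acc = 0
        for mij, xj in zip(row, x):
            acc ^= MUL[mij][xj]
        out.append(acc)
    return out


def mat_mul(a, b):
    """Matrix product over F_{2^4}."""
    n = len(a)
    return [[_dot(a[i], [b[k][j] for k in range(n)]) for j in range(n)]
            for i in range(n)]


def _dot(u, v):
    acc = 0
    for ui, vi in zip(u, v):
        acc ^= MUL[ui][vi]
    return acc


def weight(v):
    """Number of nonzero coordinates."""
    return sum(1 for c in v if c)


def branch_number(m):
    """min over nonzero x of wt(x) + wt(Mx); upper bound is n + 1."""
    n = len(m)
    best = n + 1
    for x in product(range(16), repeat=n):
        wx = weight(x)
        if wx == 0 or wx >= best:   # cannot improve on the current minimum
            continue
        best = min(best, wx + weight(mat_vec(m, x)))
    return best


def classify(m):
    """'MDS' for branch number n+1, 'NMDS' for n, else the raw value."""
    n, b = len(m), branch_number(m)
    if b == n + 1:
        return "MDS"
    if b == n:
        return "NMDS"
    return "branch number %d" % b


def is_involutory(m):
    """True if M * M is the identity, so M is its own inverse."""
    n = len(m)
    ident = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    return mat_mul(m, m) == ident


def cauchy_matrix(xs, ys):
    """Cauchy matrix 1/(x_i + y_j); xs and ys must be disjoint so no entry is 1/0."""
    return [[gf16_inv(x ^ y) for y in ys] for x in xs]


# Binary zero-diagonal matrix (Midori's MixColumn): involutory, branch number 4.
MIDORI_M = [[0, 1, 1, 1],
            [1, 0, 1, 1],
            [1, 1, 0, 1],
            [1, 1, 1, 0]]

if __name__ == "__main__":
    C = cauchy_matrix([0, 1, 2, 3], [4, 5, 6, 7])
    print("Cauchy 4x4:", classify(C))
    print("Midori 4x4:", classify(MIDORI_M), "involutory:", is_involutory(MIDORI_M))
```

The exhaustive search visits $16^n$ vectors, which is instant for $n=4$ and still practical for $n=5$ or $6$; for larger orders one checks the MDS/NMDS conditions through minors instead. The early `wx >= best` cut is safe even for singular matrices, since it only skips vectors that cannot lower the minimum.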