All or Nothing at All

We continue a study of unconditionally secure all-or-nothing transforms (AONT) begun in \cite{St}. An AONT is a bijective mapping that constructs s outputs from s inputs. We consider the security of t inputs, when s-t outputs are known. Previous work concerned the case t=1; here we consider the problem for general t, focussing on the case t=2. We investigate constructions of binary matrices for which the desired properties hold with the maximum probability. Upper bounds on these probabilities are obtained via a quadratic programming approach, while lower bounds can be obtained from combinatorial constructions based on symmetric BIBDs and cyclotomy. We also report some results on exhaustive searches and random constructions for small values of s.


Introduction
Rivest defined all-or-nothing transforms in [10] in the setting of computational security. Stinson considered unconditionally secure all-or-nothing transforms in [12]. Here we extend some of the results in [12] by considering more general types of unconditionally secure all-or-nothing transforms.
Let X be a finite set, called an alphabet. Let s be a positive integer, and suppose that φ : X s → X s . We will think of φ as a function that maps an input s-tuple, say x = (x 1 , . . . , x s ), to an output s-tuple, say y = (y 1 , . . . , y s ), where x i , y i ∈ X for 1 ≤ i ≤ s. Informally, the function φ is an unconditionally secure all-or-nothing transform provided that the following properties are satisfied: 1. φ is a bijection. * We have "borrowed" the title of this paper from the classic song of the same name written by Altman and Lawrence in 1939. It was recorded by Frank Sinatra and the Harry James Orchestra in 1939, and became a huge hit in 1943.
2. If any s − 1 of the s output values y 1 , . . . , y s are fixed, then the value of any one input value x i (1 ≤ i ≤ s) is completely undetermined, in an information-theoretic sense.
We will denote such a function as an (s, v)-AONT, where v = |X|. The above definition can be rephrased in terms of the entropy function, H, as follows. Let X 1 , . . . , X s , Y 1 , . . . , Y s be random variables taking on values in the finite set X. (The variables X 1 , . . . , X s need not be independent, or uniformly distributed.) Then these 2s random variables define an AONT provided that the following conditions are satisfied: 1. H(Y 1 , . . . , Y s | X 1 , . . . , X s ) = 0.
Rivest [10] defined AONT to provide a mode of operation for block ciphers that would require the decryption of all blocks of an encrypted message in order to determine any specific single block of plaintext. He called it the "package transform". The method is very simple and elegant. Suppose we are given s blocks of plaintext, (x 1 , . . . , x s ). First, we apply an AONT, computing (y 1 , . . . , y s ) = φ(x 1 , . . . , x s ). Then we encrypt (y 1 , . . . , y s ) using a block cipher. At the receiver's end, the ciphertext is decrypted, and then the inverse transform φ −1 is applied to restore the s plaintext blocks. Note that the transform φ is not secret. Extensions of this technique are studied in [1,5].
We note that the above definition of an unconditionally secure AONT does not say anything regarding partial information that might be revealed about more than one of the s input values. For example, it does not rule out the possibility of determining the exclusiveor of two input values, given some relatively small number of output values. This motivates the following more general definition. Let 1 ≤ t ≤ s. We will say that φ is a t-all-or-nothing transform provided that the following properties are satisfied: 1. φ is a bijection.
2. If any s − t of the s output values y 1 , . . . , y s are fixed, then any t of the input values x i (1 ≤ i ≤ s) are completely undetermined, in an information-theoretic sense.
We will denote such a function as a (t, s, v)-AONT, where v = |X|. Note that the original definition corresponds to a 1-all-or-nothing transform. This definition can also be rephrased in terms of the entropy function. As before, let X 1 , . . . , X s , Y 1 , . . . , Y s be random variables taking on values in the finite set X. These 2s random variables define a t-AONT provided that the following conditions are satisfied:

Organization of the Paper
The rest of this paper is organized as follows. In Section 2, we give our basic result that characterizes linear AONT in terms of matrices having invertible submatrices. We also give a construction using Cauchy matrices over a finite field F q , which is applicable provided that q ≥ 2s. It turns out that it is impossible to construct linear AONT over F 2 , so an interesting question is how "close" one can get to an AONT in this setting. In Section 3, we give some preliminary results and analyze one infinite class of matrices. In Section 4, we derive an upper bound on the maximum number of invertible 2 by 2 submatrices of an invertible s by s 0 − 1 matrix (this is relevant for the study of 2-AONT). We use a method based on quadratic programming to prove our bound. In Section 5, we discuss five construction methods for invertible s by s 0 − 1 matrices containing a large number of invertible 2 by 2 submatrices. The five methods are 1. exhaustive search, 2. a random construction, 3. a recursive construction, 4. a construction using symmetric balanced incomplete block designs (SBIBDs), and 5. a construction based on cyclotomy.
We achieve our best asymptotic results from SBIBDs, where we have an infinite class of examples that are close to the upper bound derived in the previous section. In Section 6, we turn to arbitrary (i.e., linear or nonlinear) AONT, and describe some connections with orthogonal arrays. Finally, Section 7 is a brief summary.

Linear AONT
We are mainly going to consider linear transforms. Let F q be a finite field of order q. An AONT with alphabet F q is linear if each y i is an F q -linear function of x 1 , . . . , x s . Then, we can write y = φ(x) = xM −1 and x = φ −1 (y) = yM , where M is an invertible s by s matrix with entries from F q .
We will also be interested in functions that satisfy the condition (1) for certain (but not necessarily all) pairs X , Y. This will be particularly relevant in the case where φ is a binary linear transformation. More specifically, suppose q = 2 r for some r ≥ 1 and M is defined over the subfield F 2 (so M is a 0−1 matrix). This could be desirable from an efficiency point of view, because the only operations required to compute the transform are exclusive-ors of bitstrings. However, it turns out that there are no nontrivial 1-AONT (a fact that was already observed in [12]). So it is a reasonable and interesting problem to study how close we can get to an AONT in this setting. We will give a precise answer to this question for t = 1 in Theorem 3.5; much of the rest of this paper will study the corresponding problem when t = 2.
For I, J ⊆ {1, . . . , s}, define M (I, J) to be the |I| by |J| submatrix of M induced by the columns in I and the rows in J. The following lemma characterizes linear all-or-nothing transforms in terms of properties of the matrix M . This lemma can be considered to be a generalization of [ Proof. Let x ′ = (x i : i ∈ I). We have x ′ = yM (I, {1, . . . , s}). Now assume that y j is fixed for all j ∈ J. Then we can write x ′ = y ′ M (I, J)+c, where y ′ = (y j : j ∈ J) and c is a vector of constants. If M (I, J) is invertible, then x ′ is completely undetermined, in the sense that x ′ takes on all values in (F q ) t as y ′ varies over (F q ) t . On the other hand, if M (I, J) is not invertible, then x ′ can take on only (F q ) t ′ possible values, where rank(M (I, J)) = t ′ < t.
An s by s Cauchy matrix can be defined over F q if q ≥ 2s. Let a 1 , . . . , a s , b 1 , . . . , b s be distinct elements of F q . Let c ij = 1/(a i − b j ), for 1 ≤ i ≤ s and 1 ≤ j ≤ s. Then C = (c ij ) is the Cauchy matrix defined by the sequence a 1 , . . . , a s , b 1 , . . . , b s . The most important property of a Cauchy matrix C is that any square submatrix of C (including C itself) is invertible over F q .
Cauchy matrices were briefly mentioned in [12] as a possible method of constructing AONT. However, they are particularly relevant in light of the stronger definitions we are now investigating. To be specific, Cauchy matrices immediately yield the strongest possible all-or-nothing transforms, as stated in the following theorem.
Theorem 2.2. Suppose q is a prime power and q ≥ 2s. Then there is a linear transform that is simultaneously a (t, s, q)-AONT for all t such that 1 ≤ t ≤ s.
3 Linear Transforms over F 2 Remark 3.1. In the remainder of the paper, when we discuss invertibility of a matrix, we mean invertibility over F 2 .
There is no Cauchy matrix over F 2 if s > 1. In fact, it is easy to see that there is no linear (1, s, 2)-AONT if s > 1. This is because every entry of M must equal 1 (in order that the 1 by 1 submatrices of M are invertible). But then M itself is not invertible. This motivates trying to determine how close we can get to a (1, s, 2)-AONT, or more generally, to a (t, s, 2)-AONT, for a given t, 1 ≤ t ≤ s.
For future reference, we record the 2 by 2 invertible 0 − 1 matrices. We first consider an example. It seems natural to quantify the "closeness" of M to an all-or-nothing transform by considering the ratio of invertible square submatrices to the total number of square submatrices (of a given size t). Therefore, for an s by s invertible 0 − 1 matrix M and for 1 ≤ t ≤ s, we define We refer to R t (M ) as the t-density of the matrix M . For 1 ≤ t ≤ s, we also define  Proof. There must exist at least two columns of M that do not contain a zero entry. These two columns are identical, so they are linearly dependent. Proof. If s is even, then it is easy to check that M −1 = M . If s is odd, then observe that the sum of all the columns of M yields the zero-vector, so we have a dependence relation among the columns of M . Proof. First suppose that there are at least two zero entries in a specific column of M . Then there must exist at least two columns of M that do not contain a zero entry, and M is not invertible, as in Lemma 3.2. A similar conclusion holds if there exist at least two zero entries in a specific row of M . Therefore we can restrict our attention to the case where the zero entries occur in s − 1 different rows and in s − 1 different columns. We will show that M is invertible in this case. By permuting rows and columns if necessary (which does not affect invertibility), we can assume that M = (m ij ) has the form We will prove that M is invertible by induction on s. Clearly we can use s = 1 as a base case. Now we assume s ≥ 2 and we evaluate det M over F 2 by using a cofactor expansion along the first column. This yields where M i1 is the minor formed by deleting row i and column 1 of M .
We consider two cases, depending on whether s is even or odd. First, suppose that s is odd. Here, det(M 11 ) = 1 from Lemma 3.3, and det(M i1 ) = 1 for 2 ≤ i ≤ s by induction. It follows that det(M ) = s mod 2 = 1. Now let s be even. We have that det(M 11 ) = 0 from Lemma 3.3, and det(M i1 ) = 1 for 2 ≤ i ≤ s by induction. It follows that det(M ) = (s − 1) mod 2 = 1. By induction, the proof is complete.
The following result is an immediate corollary of Lemmas 3.2 and 3.4.
It was shown in [12] that R 1 (s) ≥ 1 − 1 s when s is even. This was based on using the matrix J s − I s as a transform. Theorem 3.5 is a slight improvement, and it holds for all values of s. If we can count the number of submatrices of this form, then we can compute R t (M ). But this is not hard to do.
) submatrices that contain exactly t − 1 zero entries. So we now obtain the following.
If t is even, then Theorem 3.8 also provides (constructive) lower bounds on R t (s) for all values of t ≤ s. We do not claim that these bounds are necessarily good asymptotic bounds, however. Even . This suggests looking for constructions which will yield constant lower bounds on R 2 (s). On the other side, we would also like to find good upper bounds on R 2 (s).

Upper Bounds for R 2 (s)
We first establish an easy upper bound for R 2 (s). This bound follows from the following lemma. . Of course a 0 + a 1 + a 2 + a 3 = s. From Lemma 3.1, the number of invertible 2 by 2 submatrices in N is easily seen to be a 1 a 2 + a 1 a 3 + a 2 a 3 . This expression is maximized when a 0 = 0, a 1 = a 2 = a 3 = s/3, yielding 3(s/3) 2 = s 2 /3 invertible 2 by 2 submatrices.
Theorem 4.2. For any s ≥ 2, it holds that .
Proof. From Lemma 4.1, in any two rows of M there are at most s 2 /3 invertible 2 by 2 submatrices. Now, in the entire matrix M , there are s 2 ways to choose two rows, and there are s 2 2 submatrices of order 2. This immediately yields . It is clear from the proof of Theorem 4.2 that all nine 2 by 2 submatrices of M are invertible, and M is the only 3 by 3 matrix with this property. However, M is not itself invertible, so we can conclude that R 2 (3) ≤ 8/9. Example 3.1 shows that R 2 (3) ≥ 7/9. In fact, we can show that R 2 (3) = 7/9. Suppose that R 2 (3) = 8/9. Let R 2 (M ) = 8/9. Then we can assume that the first two rows of M contain three invertible 2 by 2 submatrices, the first and third rows of M contain three invertible 2 by 2 submatrices, and the last two rows of M contain two invertible 2 by 2 submatrices. By permuting columns, the first two rows of M look like: In order that the first and third rows contain three invertible 2 by 2 submatrices, the third row must be 1 0 1 or 1 1 0. In the first case, the last two rows of M contain no invertible 2 by 2 submatrices, and in the second case, the last two rows of M contain three invertible 2 by 2 submatrices. We conclude that R 2 (3) < 8/9, so R 2 (3) = 7/9. It is easy to check that 30 of the 2 by 2 submatrices of M are invertible. Therefore, R 2 (4) ≥ 5/6. We can in fact show that R 2 (4) = 5/6, as follows. Suppose R 2 (4) > 5/6. Then there is a 4 by 4 0 − 1 matrix M having at least 31 invertible 2 by 2 submatrices. There are six pairs of rows in M , and 31 > 6 × 5, so there is at least one pair of rows that contains six invertible 2 by 2 submatrices. But this contradicts Lemma 4.1, where it is shown that the maximum number of 2 by 2 submatrices in two given rows is at most 4 2 /3 = 16/3 < 6.
We next present a generalization of Theorem 4.2 that leads to an improved upper bound on R 2 (s). The proof of Let C = (c ij ); note that C is a 15 by 15 symmetric matrix with zero diagonal such that every off-diagonal element is a positive integer. This matrix C is straightforward to compute and it is presented in Figure 1.
Now define z = (z 1 , . . . , z 15 ) and consider the following quadratic program Q: We have the following result. . . , a 15 ) (we can ignore a 0 because a zero column does not give rise to any invertible submatrices). If we now define z i = a i /s for all i, then we obtain There are s 4 ways to choose four rows from M . The total number of occurrences of invertible 2 by 2 submatrices obtained is at most s 4 γs. However, each invertible 2 by 2  .
In general, it can be difficult to find (global) optimal solutions for quadratic programs. We were able to solve our quadratic program Q using the BARON software [13] on the NEOS server (http://www.neos-server.org/neos/). The result is that γ = 15/8 and an optimal solution is given by z 7 = z 11 = z 13 = z 14 = 1/4, z i = 0 if i ∈ {7, 11, 13, 14}. It is interesting to observe that this solution corresponds to the given set of four rows containing only columns consisting of three 1's and one 0. In fact, when s = 4, this provides an alternative proof of Example 4.2.
Applying Theorem 4.3, we immediately obtain the following improved upper bound. .
This upper bound is asymptotically equal to 5/8, which is a definite improvement over the asymptotic upper bound of 2/3 obtained from Theorem 4.2.
It is of course possible to generalize this approach, by considering ρ rows at a time. The coefficient matrix C will have 2 ρ − 1 rows and columns. If γ ρ denotes the solution to the related quadratic program, then we obtain the following generalization of Theorem 4.3.

Theorem 4.5. For any integers s ≥ ρ ≥ 2, it holds that
Proof. The equation (3) becomes the following: The difficulty in obtaining improved bounds using this approach is that the optimal solutions γ ρ of the quadratic programs are hard to compute.

Constructions
In the next subsections, we consider five possible construction methods for AONT with good 2-density. The first is exhaustive search. The second is based on choosing each entry independently at random with an appropriate probability. The third technique is a recursive technique. The fourth method is based on using incidence matrices of symmetric BIBDs. Our fifth and last approach makes use of classical results concerning cyclotomy and cyclotomic numbers.

Exhaustive Searches
We used an exhaustive search in order to find an invertible s × s matrix with the maximum possible number of invertible 2 × 2 submatrices, for 4 ≤ s ≤ 8. The algorithm consists of s nested loops, each iterating over the possible values in a given row of the matrix. There are 2 s possibilities for any given row. However, any permutation of rows and columns does not affect either the nonsingularity of the matrix or the number of invertible 2 × 2 submatrices. Therefore, the search algorithm only generated matrices in which each row has at least as many 1's as the row immediately above it. Also, if two rows have the same number of 1's, the row having the smaller representation as a binary number would appear higher. These two rules enabled us to search only a 1/s! fraction of the search domain. Finally, we partially restricted column permutations by fixing all the 1's in the first row to occur in the rightmost positions. This also sped up the search process.
The computations for 4 ≤ s ≤ 8 were executed on one node on the Cheriton School of Computer Science server, linux.cs.uwaterloo.ca, which has a 64 bit AMD CPU, having a 2.6 GHz clock rate. For s = 9, we attempted to use the same algorithm distributed over 256 processors on grex.westgrid.ca. But the search was not finished by the end of the 96 hour time limit. However, it did find a solution with 783 invertible 2 × 2 submatrices, which is presented in Example A.5.

Random Constructions
We investigate the expected number of invertible 2 by 2 submatrices in a random s by s 0−1 matrix M . Suppose every entry of M is chosen to be a 1 with probability ǫ, independent of the values of all other entries. Using Lemma 3.1, it is easy to see that a specified 2 by 2 submatrix is invertible with probability This function is maximized by choosing ǫ = 1/2. The expected number of invertible 2 by 2 submatrices in M is 1 2 s 2 2 (leading to an expected 2-density of .5). Unfortunately, this does not immediately yield an AONT because it seems difficult to ensure that the constructed matrix is itself invertible. However, this random construction proves to be a useful method to obtain good small examples.

Recursive Constructions
We now investigate the possibility of constructing "good" AONT recursively. Specifically, we analyze a type of doubling construction in a particular case. We begin with the (2, 4, 2)-AONT from Example 4.2. Recall that this AONT arises from the matrix J 4 − I 4 and it achieves the optimal result R 2 (4) = 5/6. We might try to use this matrix to construct a (2, 8, 2)-AONT. There are various ways in which we could try to do this; we present one method which leads to a reasonably good outcome. Consider the matrix We first need to show that M is invertible. We show that det(M ) = 1 as follows. Consider a matrix of the form Next, we proceed to compute the number of 2 by 2 invertible submatrices of M . We do this by looking at pairs of rows of M , say row i and row j, and computing the relevant numbers a 0 , a 1 , a 2 , a 3 in each case (where we are using the notation from the proof of Lemma 4.1). We tabulate the results in Table 1.
The number of occurrences of the four cases enumerated in Table 1 is (respectively) 6, 6, 12 and 4. Therefore, Summarizing, we have the following.
It is interesting to note that this recursive construction yields a better result than the direct constructions considered previously. For example, if M = J 8 − I 8 , then we only get that N 2 ≥ 364. Also, Theorem 3.8 (with s = 8, t = 2) only yields N 2 ≥ 322.

Constructions from Symmetric BIBDs
We next give a construction which potentially achieves similar behaviour as the random construction, using symmetric balanced incomplete block designs (SBIBDs). A (v, k, λ)balanced incomplete block design (BIBD) is a pair (X, A), where X is a set of v points and A is a collection of k-subsets of X called blocks, such that every pair of points occurs in exactly λ blocks. Denote b = |A|; it is well-known that b = λv(v − 1)/(k(k − 1)). It is also the case that every point occurs in exactly Equivalently, this condition can be expressed as r = k or Proof. It is well-known (see, e.g., [4]) that det(M ) is an integer and Reducing modulo 2, we see that det(M ) ≡ 1 mod 2 if and only if k is odd and λ is even. Theorem 5.3. Suppose M is the incidence matrix of a symmetric (v, k, λ)-BIBD where k is odd and λ is even. Then Proof. First, since k is odd and λ is even, M is invertible over F 2 by Lemma 5.2. Consider two rows of M and define a 0 , a 1 , a 2 , a 3 as in the proof of Theorem 4.2. Using the fact that M is the incidence matrix of a symmetric (v, k, λ)-BIBD, it is not hard to see that a 0 = v − 2k + λ, a 1 = a 2 = k − λ and a 3 = λ. Then we can compute From this, we have N 2 (M ) = v 2 (k 2 − λ 2 ) and (5) is easily derived. Let's try to figure out the best result that we could possibly obtain from Theorem 5.3. Suppose k ≈ cv. Then from the equation λ(v − 1) = k(k − 1), we see that λ ≈ c 2 v. Substituting into (5), we get R 2 (M ) ≈ 2(c 2 − c 4 ). Now we of course have 0 ≤ c ≤ 1, and the function 2(c 2 − c 4 ) is maximized when c = 1/2. In this case, we would get R 2 (M ) ≈ 1/2, more-or-less matching the random construction from Section 5.2. We have also guaranteed that the matrix M is invertible. Of course, we would require a suitable SBIBD in order to get close to this bound.
We consider some examples to illustrate the application of Theorem 5.3.
Example 5.1. It is known [4] that there is a (31, 21, 14)-SBIBD. Noting that 21 is odd and 14 is even, the incidence matrix of this design is invertible over F 2 by Lemma 5.2. Observe that 21/31 is quite close to 1/2, so we expect a good result. Applying Theorem 5.3, we get Example 5.2. There also exists (40, 27, 18)-SBIBD (see [4]). Noting that 27 is odd and 18 is even, the incidence matrix of this design is invertible over F 2 by Lemma 5.2. Applying Theorem 5.3, we get If m is odd, then λ = m − 1 is even. Certainly k = 2m − 1 is odd, so the incidence matrix M is invertible, by Lemma 5.2. These SBIBDs are known to exist for infinitely many (odd) values of m, e.g., whenever 4m − 1 ≡ 3 mod 8 is a prime or a prime power (see [4]). From the incidence matrix of such a BIBD, we obtain Example 5.4. Here we make use of a classic result based on difference sets. Suppose q = 4t 2 + 9 is prime and t is odd. In this situation, it was shown by E. Lehmer that the quartic residues modulo q, together with 0, form a difference set which generates a (q, (q + 3)/4, (q + 3)/16)-SBIBD (e.g., see [4, p. 116]). If we complement this design (i.e., we replace all 0's by 1's and all 1's by 0's in the incidence matrix), the result is a (q, 3(q − 1)/4, 3(3q − 7)/16)-SBIBD. This SBIBD will have k odd and λ even, so its incidence matrix M is invertible, by Lemma 5.2. The first example is obtained when t = 5, yielding Asymptotically, from (5), we obtain R 2 (M ) ≈ 63 128 if there exist sufficiently large q of the desired form. However, it is a famous unsolved conjecture that there exist infinitely many primes of the form x 2 + 9, so we are not in a position to claim that this asymptotic result holds.
The following theorem generalizes Example 5.2. .
Proof. The points and hyperplanes of the m-dimensional projective geometry over F 3 yield a -SBIBD. If we complement this design, we get a 3 m+1 −1 2 , 3 m , 2 × 3 m−1 -SBIBD. This design has k odd and λ even, so we can apply Theorem 5.3. The result is that .
Let's examine the asymptotic behaviour of the result proven in Theorem 5.4. The SBIBD has k ≈ 2v/3 and λ ≈ 4v/9. It then follows from (5) that Therefore, we obtain the following corollary.

Constructions using Cyclotomy
We now look at constructions using cyclotomy. Let p = 4f + 1 be prime, where f is even, and let ν ∈ F p * be a primitive element. Let C 0 = {ν 4i : 0 ≤ i ≤ f − 1}; this is the unique subgroup of F p * having order f . The multiplicative cosets of C 0 are C j = ν j C 0 , for j = 0, 1, 2, 3. These cosets are often called cyclotomic classes.
We now construct a p by p 0 − 1 matrix M ′ = (m ij ) from C 0 . The rows and columns of M ′ are indexed by F p , and m ij = 1 if and only if j − i ∈ C 0 . Note that the ith row of M ′ is the incidence vector of i + C 0 . Finally, define M to be the complement of M ′ (i.e., replace all 1's by 0's and vice versa).
We will now compute the number of invertible 2 by 2 submatrices of M . Consider rows i 1 and i 2 of M . It is obvious that the number of invertible 2 by 2 submatrices contained in these two rows is the same as the number of invertible 2 by 2 submatrices contained in rows 0 and d, where d = i 1 − i 2 . We can compute this number if we can determine the number n d of columns c such that m 0c = m dc = 1. It is clear that However, for this particular value of j. This quantity is a cyclotomic number of order 4 and is denoted by (j, j).
We will make use of the following theorem from [7].
As we consider all p 2 pairs {i 1 , i 2 } with i 1 = i 2 , we see that (j, j) takes on each of the four possible values A i (1 ≤ i ≤ 4) one quarter of the time. Therefore the total number of invertible 2 by 2 submatrices in M is where the last line is obtained by applying the formulas given in Theorem 5.6.  The total number of invertible 2 by 2 submatrices in M is 9962.
It remains to consider the invertibility of the matrices M constructed above. The matrices in question are cyclic. Suppose a p by p cyclic 0 − 1 matrix M has as its initial row the vector (m 0 , . . . , m p−1 ). We associate with this vector the polynomial It is easy to see that M is invertible if and only if gcd(m(x), x p − 1) = 1. In this case, the inverse m −1 (x) of m(x) is defined in the quotient ring Z 2 [x]/(x p − 1). The cyclic matrix whose first row is determined by m −1 (x) will in fact be the inverse of M . Therefore, to determine the invertibility of M , we just need to do a gcd computation.
By Dirichlet's Theorem, there are an infinite number of primes p ≡ 1 mod 8. However, we do not have a theoretical criterion to determine if a given matrix M in this class of examples is invertible. Therefore, we cannot prove that there are an infinite number of examples of this type. However, by computing gcds, as described above, we determined all the invertible matrices M of order less than 500 that can be constructed by this method. Some data about these matrices is presented in Table 2. Another observation is that, if this is in fact an infinite class, then it can be shown that the density of these examples approaches 63/128 ≈ .492 as f approaches infinity.

Values and Bounds on N 2 (s) for Small s
We summarize our upper and lower bounds on N 2 (s) for s ≤ 12 in Table 3. For the cases s = 5, 6, 7, 8, we have exact values of N 2 (s) that are obtained from exhaustive computer searches For s = 9, our lower bound is obtained from a partial (uncompleted) exhaustive search. For s = 10, 11, 12, the lower bounds come from randomly constructed matrices. All of these matrices are presented in Appendix A.

General Transforms
In this section, we examine general (i.e., linear or nonlinear) AONT over an arbitrary alphabet, extending some results from [12] in a straightforward manner.
Let A be an N by k array whose entries are elements chosen from an alphabet X of order v. We will refer to A as an (N, k, v)-array. Suppose the columns of A are labelled by the elements in the set C = {1, . . . , k}. Let D ⊆ C, and define A D to be the array obtained from A by deleting all the columns c / ∈ D. We say that A is unbiased with respect to D if the rows of A D contain every |D|-tuple of elements of X exactly N/v |D| times.
The following result characterizes (t, s, v)-AONT in terms of arrays that are unbiased with respect to certain subsets of columns. Theorem 6.1. A (t, s, v)-AONT is equivalent to a (v s , 2s, v)-array that is unbiased with respect to the following subsets of columns: