Fixslicing - Application to some NIST LWC round 2 candidates - - PowerPoint PPT Presentation

Fixslicing - Application to some NIST LWC round 2 candidates

Alexandre Adomnicai Thomas Peyrin Nanyang Technological University, Singapore Temasek Laboratories, Singapore

Lightweight Cryptography Workshop 2020

What this talk is about

B Constant-time software implementations on 32-bit platforms B Application of the fixslicing implementation strategy to some NIST LWC round 2 candidates built upon AES-128, GIFT-128 and Skinny-128 primitives B Benchmarking results on ARM Cortex-M3 for payloads up to 256 bytes

Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020 2 / 14

B Fixsliced GIFT-128 runs about 7x faster on ARM Cortex-M3 compared to a naive bitsliced implementation B Consists in fixing a slice to never move and adjusting the others for the S-box layer

The fixslicing implementation strategy

B Initially introduced as a new representation for the GIFT block ciphers [ANP20]

Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020 3 / 14

B Consists in fixing a slice to never move and adjusting the others for the S-box layer

The fixslicing implementation strategy

B Initially introduced as a new representation for the GIFT block ciphers [ANP20] B Fixsliced GIFT-128 runs about 7x faster on ARM Cortex-M3 compared to a naive bitsliced implementation

Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020 3 / 14

The fixslicing implementation strategy

B Initially introduced as a new representation for the GIFT block ciphers [ANP20] B Fixsliced GIFT-128 runs about 7x faster on ARM Cortex-M3 compared to a naive bitsliced implementation B Consists in fixing a slice to never move and adjusting the others for the S-box layer

Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020 3 / 14

Classical representation of GIFT-128

S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S ki ki+1 ki+2 ki+3 ki+4

Fixsliced representation of GIFT-128

S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S k′

i

k′

i+1

k′

i+2

k′

i+3

ki+4

NOPE! B Many ciphers spend cycles to move bits within the slices to achieve better diffusion ⇒ alternative representations might be valuable even for more complex linear layers

Genericity of the fixslicing technique

Figure: Extract from [ANP20] B So, only of interest for Substitution-bitPermutation Networks (SbPN)?

Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020 6 / 14

Genericity of the fixslicing technique

Figure: Extract from [ANP20] B So, only of interest for Substitution-bitPermutation Networks (SbPN)? NOPE! B Many ciphers spend cycles to move bits within the slices to achieve better diffusion ⇒ alternative representations might be valuable even for more complex linear layers

6 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Application to AES-like ciphers

S SubBytes <<< 1 <<< 2 <<< 3 ShiftRows

×     2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2    

MixColumns AddRoundKey

Figure: AES round function

7 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Application to AES-like ciphers

SC AC ART >>> 1 >>> 2 >>> 3 ShiftRows MixColumns

Figure: Skinny round function

7 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Application to AES-like ciphers

SC AC ART >>> 1 >>> 2 >>> 3 ShiftRows MixColumns

Figure: Skinny round function B Performance improvements for AES and Skinny-128 on ARM Cortex-M and E31 RISC-V processors [AP20]

7 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Implementation results on ARM Cortex-M3

AES-128 GIFTb-128 Skinny-128-384 Skinny-128-384+ 50 100 150 200 250 300 83 73 160 116 cycles per byte (cpb) 2 blocks

Performance for constant-time implementations on ARM Cortex-M3

8 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Implementation results on ARM Cortex-M3

AES-128 GIFTb-128 Skinny-128-384 Skinny-128-384+ 50 100 150 200 250 300 167 73 264 191 83 73 160 116 cycles per byte (cpb) 1 block 2 blocks

Performance for constant-time implementations on ARM Cortex-M3

8 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Bitslicing a single block for Skinny-128

b0 b1 b2 b3 b4 b5 b6 b7 b2 b3 b7 b4 b6 b1 b0 b5

9 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Bitslicing a single block for Skinny-128

b0 b1 b2 b3 b4 b5 b6 b7 b2 b3 b7 b4 b6 b1 b0 b5 1st layer

b0 b1 b2 b3 b4 b5 b6 b7

2nd layer

b0 b1 b5 b6 b4 b2 b3 b7

3rd layer

b7 b4 b5 b6 b1 b2 b3 b0

4th layer

b7 b4 b2 b3 b1 b5 b6 b0

last permutation

b7 b4 b2 b3 b0 b5 b6 b1

• utput

b2 b3 b7 b4 b6 b1 b0 b5

9 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Speed optimized Skinny tweakey schedule

Extracted round tweakey PT LFSR LFSR

(a) Single round

10 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Speed optimized Skinny tweakey schedule

Extracted round tweakey PT LFSR LFSR

(a) Single round

Extracted round tweakey LFSR LFSR LFSR LFSR Extracted round tweakey P 2

T

(b) Double round Figure: Skinny tweakey schedule round function

10 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Speed optimized Skinny tweakey schedule

TK3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3

.... .... .... ....

LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 LFSR3 TK2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2

.... .... .... ....

LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 LFSR2 TK1

.... .... .... ....

RTK0 RTK1 P 2

T

RTK2 P 4

T

RTK3 RTK4

....

P 14

T

RTK13 RTK14 RTK15

11 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Benchmark results on ARM Cortex-M3

32 64 96 128 160 192 224 256 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1e5 GIFT-COFB 32 64 96 128 160 192 224 256 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1e5 SAEAES-128-64-128 32 64 96 128 160 192 224 256 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1e5 Romulus-M 32 64 96 128 160 192 224 256 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1e5 Romulus-N 32 64 96 128 160 192 224 256 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1e5 Skinny-AEAD-M1+

12 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

What about other candidates?

B Fixslicing may be valuable for other candidates!

• PHOTON-Beetle? (AES-like primitive)
• Elephant? (Spongent is an SbPN)
• ...

13 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

What about other candidates?

B Fixslicing may be valuable for other candidates!

• PHOTON-Beetle? (AES-like primitive)
• Elephant? (Spongent is an SbPN)
• ...

B Some primitives are fixsliced by design (e.g. Ascon-p)

13 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

Thanks for your attention! Questions?

Feel free to contact us at firstname.lastname@ntu.edu.sg

14 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020

References

Alexandre Adomnicai, Zakaria Najm, and Thomas Peyrin, Fixslicing: A New GIFT Representation: Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M, IACR Transactions on Cryptographic Hardware and Embedded Systems 2020 (2020), no. 3, 402–427. Alexandre Adomnicai and Thomas Peyrin, Fixslicing AES-like Ciphers: New bitsliced AES speed records on ARM-Cortex M and RISC-V, Cryptology ePrint Archive, Report 2020/1123, 2020, https://eprint.iacr.org/2020/1123.

14 / 14 Fixslicing - Application to some NIST LWC round 2 candidates - LWC Workshop 2020