gimli a cross platform permutation
play

Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K - PowerPoint PPT Presentation

Dec 11, 2023 •814 likes •1.28k views

Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K olbl, Stefan Lucks, Pedro Maat Costa Massolino, Florian Mendel, Kashif Nawaz, Tobias Schneider, Peter Schwabe, Fran cois-Xavier Standaert, Yosuke Todo, Beno t Viguier

  1. Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K¨ olbl, Stefan Lucks, Pedro Maat Costa Massolino, Florian Mendel, Kashif Nawaz, Tobias Schneider, Peter Schwabe, Fran¸ cois-Xavier Standaert, Yosuke Todo, Benoˆ ıt Viguier Advances in permutation-based cryptography, Milan, October 10, 2018 1

  2. What is a Permutation? Definition: A Permutation is a keyless block cipher. 2

  3. What is a Permutation? Definition: A Permutation is a keyless block cipher. 2

  4. What is a Permutation? Definition: A Permutation is a keyless block cipher. k 0 k 1 M f C Even-Mansour construction 2

  5. What is a Permutation? Definition: A Permutation is a keyless block cipher. k 0 k 1 M f C Even-Mansour construction m 0 m 1 m 2 z 0 z 2 r bits f f f f c bits Absorbing phase Squeezing phase Sponge construction 2

  6. Why Gimli? Currently we have: Permutation width in bits Benefits AES 128 very fast if the instruction is available . Chaskey 128 lightning fast on Cortex-M0/M3/M4 Keccak- f 200,400,800,1600 low-cost masking Salsa20,ChaCha20 512 very fast on CPUs with vector units . 3

  7. Why Gimli? Currently we have: Permutation Hindrance AES Not that fast without HW . Chaskey Low security margin, slow with side-channel protection Keccak- f Huge state (800,1600) Salsa20,ChaCha20 Horrible on HW . 4

  8. Why Gimli? Currently we have: Permutation Hindrance AES Not that fast without HW . Chaskey Low security margin, slow with side-channel protection Keccak- f Huge state (800,1600) Salsa20,ChaCha20 Horrible on HW . Can we have a permutation that is not too big, nor too small and good in all these areas? 4

  9. Yes! Source: Wikipedia , Fair Use 5

  10. What is Gimli? Gimli is: ◮ a 384-bit permutation (just the right size) • Sponge with c = 256 , r = 128 = ⇒ 128 bits of security • Cortex-M3/M4: full state in registers • AVR, Cortex-M0: 192 bits (half state) fit in registers 6

  11. What is Gimli? Gimli is: ◮ a 384-bit permutation (just the right size) • Sponge with c = 256 , r = 128 = ⇒ 128 bits of security • Cortex-M3/M4: full state in registers • AVR, Cortex-M0: 192 bits (half state) fit in registers ◮ with high cross-platform performances ◮ designed for: • energy-efficient hardware • side-channel-protected hardware • microcontrollers • compactness • vectorization • short messages • high security level 6

  12. Specifications: State j i Figure: State Representation 384 bits represented as: ◮ a parallelepiped with dimensions 3 × 4 × 32 (Keccak-like) ◮ or, as a 3 × 4 matrix of 32-bit words. 7

  13. Specifications: Non-linear layer In parallel: x ← x ≪ 24 y ← y ≪ 9 x y In parallel: x ← x ⊕ ( z ≪ 1) ⊕ (( y ∧ z ) ≪ 2) z y ← y ⊕ x ⊕ (( x ∨ z ) ≪ 1) z ← z ⊕ y ⊕ (( x ∧ y ) ≪ 3) x y In parallel: z x ← z z ← x x y z Figure: The bit-sliced 9-to-3-bit SP-box applied to a column 8

  14. Specifications: Linear layer Small Swap Big Swap Figure: The linear layer 9 e 3 7 7 9 ? ? ⊕ Figure: Constant addition 0x9e3779?? 9

  15. Gimli in C extern void Gimli(uint32_t *state) { uint32_t round, column, x, y, z; for (round = 24; round > 0; --round) { for (column = 0; column < 4; ++column) { x = rotate(state[ column], 24); // x <<< 24 y = rotate(state[4 + column], 9); // y <<< 9 z = state[8 + column]; state[8 + column] = x ^ (z << 1) ^ ((y & z) << 2); state[4 + column] = y ^ x ^ ((x | z) << 1); state[column] = z ^ y ^ ((x & y) << 3); } if ((round & 3) == 0) { // small swap: pattern s...s...s... etc. x = state[0]; state[0] = state[1]; state[1] = x; x = state[2]; state[2] = state[3]; state[3] = x; } if ((round & 3) == 2) { // big swap: pattern ..S...S...S. etc. x = state[0]; state[0] = state[2]; state[2] = x; x = state[1]; state[1] = state[3]; state[3] = x; } if ((round & 3) == 0) { // add constant: pattern c...c...c... etc. state[0] ^= (0x9e377900 | round); } } } 10

  16. Specifications: Rounds Round 24 Non-linear layer Small Swap & Round constant addition Round 23 Non-linear layer Round 22 Non-linear layer Big Swap Round 21 Non-linear layer Non-linear layer Round 20 Small Swap & Round constant addition Round 19 Non-linear layer Non-linear layer Round 18 Big Swap . . . . . . Figure: 7 first rounds of Gimli 11

  17. Unrolled AVR & Cortex-M0 1. SP-box col. 0 2. SP-box col. 1 Round 24 swap word s 0 , 0 and s 0 , 1 1 2 7 8 3. SP-box col. 1 4. SP-box col. 1 5. SP-box col. 0 Round 23 5 3 11 9 6. SP-box col. 0 store columns 0,1 ; load columns 2,3 7. SP-box col. 2 Round 22 6 4 12 10 8. SP-box col. 3 swap word s 0 , 2 and s 0 , 3 9. SP-box col. 3 10. SP-box col. 3 11. SP-box col. 2 Round 21 21 23 13 15 12. SP-box col. 2 push word s 0 , 2 , s 0 , 3 ; load word s 0 , 0 , s 0 , 1 13. SP-box col. 2 Round 20 22 24 14 16 14. SP-box col. 2 15. SP-box col. 3 16. SP-box col. 3 swap word s 0 , 2 and s 0 , 3 Round 19 27 25 19 17 17. SP-box col. 3 18. SP-box col. 3 19. SP-box col. 2 Round 18 28 26 20 18 20. SP-box col. 2 store columns 2,3 ; load columns 0,1 . . . . . . Figure: Computation order on AVR & Cortex-M0 12

  18. Implementation in Assembly # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 v ← z ≪ 1 v ← y u ← u ∧ v y ← y ≪ 9 x ← z ∧ y y ← u ∨ z u ← u ≪ 3 u ← x x ← x ≪ 2 y ← y ≪ 1 z ← z ⊕ v . x ← u ⊕ x y ← u ⊕ y z ← z ⊕ u . x ← x ⊕ v y ← y ⊕ v . The SP-box requires only 2 additional registers u and v . 13

  19. Rotate for free on Cortex-M3/M4 # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 v ← z ≪ 1 v ← y u ← u ∧ (v ≪ 9) . x ← z ∧ (y ≪ 9) y ← u ∨ z u ← u ≪ 3 u ← x x ← x ≪ 2 y ← y ≪ 1 z ← z ⊕ (v ≪ 9) . x ← u ⊕ x y ← u ⊕ y z ← z ⊕ u . x ← x ⊕ v y ← y ⊕ (v ≪ 9) . Remove y <<< 9 . 14

  20. Shift for free on Cortex-M3/M4 # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 . v ← y u ← u ∧ (v ≪ 9) . x ← z ∧ (y ≪ 9) y ← u ∨ z . u ← x . . z ← z ⊕ (v ≪ 9) . x ← u ⊕ (x ≪ 2) y ← u ⊕ (y ≪ 1) z ← z ⊕ (u ≪ 3) . x ← x ⊕ (z ≪ 1) y ← y ⊕ (v ≪ 9) . Get rid of the other shifts. 15

  21. Free mov on Cortex-M3/M4 # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 . v ← y x ← x ∧ (v ≪ 9) . u ← z ∧ (y ≪ 9) y ← x ∨ z . . . . z ← z ⊕ (v ≪ 9) . u ← x ⊕ (u ≪ 2) y ← x ⊕ (y ≪ 1) z ← z ⊕ (x ≪ 3) . u ← u ⊕ (z ≪ 1) y ← y ⊕ (v ≪ 9) . Remove the last mov : u contains the new value of x y contains the new value of y z contains the new value of z 16

  22. Free mov on Cortex-M3/M4 # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 . . x ← x ∧ (y ≪ 9) . u ← z ∧ (y ≪ 9) v ← x ∨ z . . . . z ← z ⊕ (y ≪ 9) . u ← x ⊕ (u ≪ 2) v ← x ⊕ (v ≪ 1) z ← z ⊕ (x ≪ 3) . u ← u ⊕ (z ≪ 1) v ← v ⊕ (y ≪ 9) . Remove the last mov : u contains the new value of x v contains the new value of y z contains the new value of z 17

  23. Free swap on Cortex-M3/M4 # Rotate # Compute x # Compute y # Compute z x ← x ≪ 24 u ← z ∧ (y ≪ 9) v ← x ∨ z x ← x ∧ (y ≪ 9) . u ← x ⊕ (u ≪ 2) v ← x ⊕ (v ≪ 1) z ← z ⊕ (y ≪ 9) . u ← u ⊕ (z ≪ 1) v ← v ⊕ (y ≪ 9) z ← z ⊕ (x ≪ 3) Swap x and z : u contains the new value of z v contains the new value of y z contains the new value of x SP-box requires a total of 10 instructions. 18

  24. How fast is Gimli? (Software) Cycles / Bytes (Lower is better) AVR ATmega 413 small 216 213 fast 171 small 151 fast Chaskey Gimli Salsa20 ChaCha20 AES-128 NORX-32-4-1 Keccak- f [400,12] Keccak- f [800,12]

  25. How fast is Gimli? (Software) Cycles / Bytes (Lower is better) AVR ATmega 413 small 216 213 fast 171 small 151 fast Cortex-M0 49 40 9 . 8 Chaskey Gimli Salsa20 ChaCha20 AES-128 NORX-32-4-1 Keccak- f [400,12] Keccak- f [800,12]

  26. How fast is Gimli? (Software) Cycles / Bytes (Lower is better) AVR ATmega 413 small 216 213 fast 171 small 151 fast Cortex-M0 49 40 9 . 8 Cortex-M3/M4 63 34 21 13 7 Chaskey Gimli Salsa20 ChaCha20 AES-128 NORX-32-4-1 Keccak- f [400,12] Keccak- f [800,12]

  27. How fast is Gimli? (Software) Cycles / Bytes (Lower is better) Cortex-A8 AVR ATmega 413 small 19 . 3 x blocks 216 16 . 9 1 block 213 8 . 73 fast 1 block 171 6 . 25 small x blocks 151 5 . 48 fast x blocks Cortex-M0 49 40 9 . 8 Cortex-M3/M4 63 34 21 13 7 Chaskey Gimli Salsa20 ChaCha20 AES-128 NORX-32-4-1 Keccak- f [400,12] Keccak- f [800,12]

  28. How fast is Gimli? (Software) Cycles / Bytes (Lower is better) Cortex-A8 AVR ATmega 413 small 19 . 3 x blocks 216 16 . 9 1 block 213 8 . 73 fast 1 block 171 6 . 25 small x blocks 151 5 . 48 fast x blocks Intel Haswell Cortex-M0 6 . 76 1 blocks 49 4 . 46 40 1 block 2 . 84 9 . 8 1 block 2 . 33 2 blocks 1 . 77 4 blocks Cortex-M3/M4 1 . 38 8 blocks 63 1 . 2 8 blocks 34 0 . 85 x blocks 21 13 7 Chaskey Gimli Salsa20 ChaCha20 AES-128 NORX-32-4-1 Keccak- f [400,12] Keccak- f [800,12] 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio Flrez Gutirrez, Gatan

Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio Flrez Gutirrez, Gatan

Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio Flrez Gutirrez, Gatan Leurent, Mara Naya-Plasencia, Lo Perrin, Andr Schrottenloher, Ferdinand Sibleyras Inria, France Context Gimli is a permutation proposed by

529 views • 7 slides
Gimli: Server Process Monitoring &amp; Fault Analysis Agenda What problem does Gimli solve?

Gimli: Server Process Monitoring &amp; Fault Analysis Agenda What problem does Gimli solve?

Gimli: Server Process Monitoring &amp; Fault Analysis Agenda What problem does Gimli solve? How does it work? How can I leverage Gimli? Where can I get Gimli? How can I contribute to Gimli? 2 The Setting

484 views • 29 slides
Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web Web WebGL Socket Worker Optimized Parallel Hardware Communication Acceleration Processing Channel Web Workers JaHOVA OS Internal APIs

957 views • 38 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces

Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces

Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces https:/ /bit.ly/ato2018-cross-platform https:/ /bit.ly/ato2018-cross-platform-pdf @dbanksdesign #AllThingsOpen Consistent experiences help users

1k views • 46 slides
Forbruger Europa Christel Hst clp@forbrugereuropa.dk ODR platform About the ODR-platform

Forbruger Europa Christel Hst clp@forbrugereuropa.dk ODR platform About the ODR-platform

Forbruger Europa Christel Hst clp@forbrugereuropa.dk ODR platform About the ODR-platform Aim: to solve cross border complaints fast and cost efficiently Challenges: language barriers ODR platform Using the platform 1. A

713 views • 7 slides
Native-quality, cross-platform HTML5 apps Peter Helm 11.9.2012 Enyo is A framework for

Native-quality, cross-platform HTML5 apps Peter Helm 11.9.2012 Enyo is A framework for

Native-quality, cross-platform HTML5 apps Peter Helm 11.9.2012 Enyo is A framework for building native-quality , cross- platform HTML5 apps Sponsored by Enyo is... Truly cross-platform Optimized for mobile Built to manage

537 views • 36 slides
Making a Language Cross Platform Libraries and Tooling Gwen Mittertreiner Facebook Gwen

Making a Language Cross Platform Libraries and Tooling Gwen Mittertreiner Facebook Gwen

Making a Language Cross Platform Libraries and Tooling Gwen Mittertreiner Facebook Gwen Mittertreiner LLVM Developers Meetup 2019 Goals Make you think about cross platform support High level, but still have practical advice. Gwen

686 views • 32 slides
Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform?

Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform?

Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform? Weve discussed this! Where are the users you want to target? How much do you plan to charge? How much do you want to invest?

300 views • 17 slides
development is challenging Let tools help! Marc Goodner What are challenges with Cross Platform

development is challenging Let tools help! Marc Goodner What are challenges with Cross Platform

Cross-platform C++ development is challenging Let tools help! Marc Goodner What are challenges with Cross Platform C++? Libraries Compilers Build Testing Debugging Editing Host Libraries and Compilers System

278 views • 12 slides
Ultimate Guide to Successful Cross-Platform Deployments with Apache Ignite Pavel Petroshenko

Ultimate Guide to Successful Cross-Platform Deployments with Apache Ignite Pavel Petroshenko

Ultimate Guide to Successful Cross-Platform Deployments with Apache Ignite Pavel Petroshenko Electric Imp Agenda Apache Ignite Clients Data interoperability in Ignite Binary Client Protocol Cross-platform deployment demo 2

501 views • 13 slides
Going cross-platform how htop was made portable Hisham Muhammad @hisham_hm http://hisham.hm

Going cross-platform how htop was made portable Hisham Muhammad @hisham_hm http://hisham.hm

Slide: [ ] Talk: Going cross-platform Presenter: @hisham_hm PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command Going cross-platform how htop was made portable Hisham Muhammad @hisham_hm http://hisham.hm

330 views • 22 slides
A massive challenge: The cross-platform approach of the mobile MMO TibiaME Benjamin Zuckerer

A massive challenge: The cross-platform approach of the mobile MMO TibiaME Benjamin Zuckerer

A massive challenge: The cross-platform approach of the mobile MMO TibiaME Benjamin Zuckerer Product Manager, CipSoft GmbH 1 / 31 What is this session about? Introduction to CipSoft and TibiaME TibiaME's cross platform approach Architecture

576 views • 31 slides
J , the all- 1 matrix. (The corresponding only G -invariant association scheme is the trivial A

J , the all- 1 matrix. (The corresponding only G -invariant association scheme is the trivial A

Association schemes and Permutation groups permutation groups Let G be a permutation group on . Then the characteristic functions of the orbits of G on Peter J Cameron G

44 views • 3 slides
Tracy: A Debugger and System Analyzer for Cross-Platform Graphics Development Sami Ky stil

Tracy: A Debugger and System Analyzer for Cross-Platform Graphics Development Sami Ky stil

Tracy: A Debugger and System Analyzer for Cross-Platform Graphics Development Sami Ky stil (Nokia) Kari J. Kangas (Nokia) Kari Pulli (Nokia Research Center) Motivation Mobile graphics development environment Cross-platform

471 views • 19 slides
Cothority 1 Introduction Collective Certificate Management (CCM) SUMMARY Cross Platform Mobile

Cothority 1 Introduction Collective Certificate Management (CCM) SUMMARY Cross Platform Mobile

INTEGRATE COLLECTIVE CERTIFICATE MANAGEMENT ON SKIPCHAINS AND ON CROSS PLATFORM MOBILE APPLICATION CLAUDIO LOUREIRO RESPONSIBLE SUPERVISOR PROF. BRYAN FORD MASTER SEMESTER PROJECT LINUS GASSER DEDIS/EPFL DECENTRALIZED AND DISTRIBUTED

541 views • 20 slides
Refined enumeration of permutations sorted with two stacks and a D 8 symmetry Mathilde Bouvel and

Refined enumeration of permutations sorted with two stacks and a D 8 symmetry Mathilde Bouvel and

Refined enumeration of permutations sorted with two stacks and a D 8 symmetry Mathilde Bouvel and Olivier Guibert (LaBRI) Permutation Patterns 2012, University of Strathclyde The little story of the problem, with many characters! Questions of

851 views • 56 slides
Permuting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Upper Bound Assume instance is

Permuting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Upper Bound Assume instance is

Permuting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Upper Bound Assume instance is specified by each element knowing its final position: 3 2 4 1 a c b d a c d b Algorithm Internal Cost I/O Cost 1) Place each element

303 views • 9 slides
Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin

Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin

Background Generating Trees Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin Dilks Quarter Turn Baxter Permutations Background Generating Trees Outline Background 1 Generating Trees 2

1.07k views • 58 slides
Polyas Theory of Counting Generating Functions Polyas Theory of Counting Example 1 A disc

Polyas Theory of Counting Generating Functions Polyas Theory of Counting Example 1 A disc

Polyas Theory of Counting Generating Functions Polyas Theory of Counting Example 1 A disc lies in a plane. Its centre is fixed but it is free to rotate. It has been divided into n sectors of angle 2 / n . Each sector is to be colored Red

558 views • 32 slides
Discrete Mathematics &amp; Mathematical Reasoning Chapter 6: Counting Kousha Etessami U. of

Discrete Mathematics &amp; Mathematical Reasoning Chapter 6: Counting Kousha Etessami U. of

Discrete Mathematics &amp; Mathematical Reasoning Chapter 6: Counting Kousha Etessami U. of Edinburgh, UK Kousha Etessami (U. of Edinburgh, UK) Discrete Mathematics (Chapter 6) 1 / 39 Chapter Summary The Basics of Counting The Pigeonhole

891 views • 53 slides
Shuffling properties for products of random permutations Olivier Bernardi (MIT) Joint work with

Shuffling properties for products of random permutations Olivier Bernardi (MIT) Joint work with

Shuffling properties for products of random permutations Olivier Bernardi (MIT) Joint work with Rosena Du, Alejandro Morales, Richard Stanley 3 9 7 10 2 1 8 5 11 4 6 Halifax, June 2012 Warm up Question: Let be a uniformly random

592 views • 48 slides
Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

310 views • 4 slides
Sequence Covering Arrays Lower Bounds Upper Bounds Existence Results Charles J. Colbourn 1

Sequence Covering Arrays Lower Bounds Upper Bounds Existence Results Charles J. Colbourn 1

Sequence Covering Arrays Charles J. Colbourn Sequence Covering Arrays Covering Arrays Sequence Covering Arrays Lower Bounds Upper Bounds Existence Results Charles J. Colbourn 1 Conclusion 1 School of Computing, Informatics, and Decision

427 views • 31 slides

More recommend