mds matrices with lightweight circuits
play

MDS Matrices with Lightweight Circuits Sbastien Duval Gatan Leurent - PowerPoint PPT Presentation

Oct 09, 2023 •148 likes •745 views

MDS Matrices with Lightweight Circuits Sbastien Duval Gatan Leurent Sebastien.Duval@inria.fr February 14, 2019 Introduction Lightweight Our approach Formal Results Instantiation Conclusion Security of Block Ciphers Shannons

  1. MDS Matrices with Lightweight Circuits Sébastien Duval Gaëtan Leurent Sebastien.Duval@inria.fr February 14, 2019

  2. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Security of Block Ciphers Shannon’s criteria 1 Diffusion - Every bit of plaintext and key must affect every bit of the output - We usually use linear functions 2 Confusion - Relation between plaintext and ciphertext must be intractable - Requires non-linear operations - Often implemented with tables: S-Boxes S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 2 / 32

  3. Introduction Lightweight Our approach Formal Results Instantiation Conclusion SPN Ciphers Differential Branch Number Plaintext K 0 B d ( L ) = min x � = 0 { w ( x ) + w ( L ( x )) } S S S S L Linear Branch Number K 1 x � = 0 { w ( x ) + w ( L ⊤ ( x )) } B l ( L ) = min S S S S L K 2 Ciphertext S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 3 / 32

  4. Introduction Lightweight Our approach Formal Results Instantiation Conclusion SPN Ciphers Differential Branch Number Plaintext K 0 B d ( L ) = min x � = 0 { w ( x ) + w ( L ( x )) } S S S S L x ⊕ a x K 1 F F S S S S y y ⊕ b L K 2 Ciphertext S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 3 / 32

  5. Introduction Lightweight Our approach Formal Results Instantiation Conclusion SPN Ciphers Differential Branch Number Plaintext K 0 B d ( L ) = min x � = 0 { w ( x ) + w ( L ( x )) } S S S S L Linear Branch Number K 1 x � = 0 { w ( x ) + w ( L ⊤ ( x )) } B l ( L ) = min S S S S L K 2 Maximum branch number : k + 1 Ciphertext Can be obtained from MDS codes S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 3 / 32

  6. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Diffusion Matrices Usually on finite fields: x a primitive element of F 2 n 2 ↔ x   2 3 1 1 3 ↔ x + 1 1 2 3 1   Coeffs. = polynomials in x with   1 1 2 3   binary coefficients 3 1 1 2 i.e. coeffs. ∈ F 2 [ x ] / P , with P a primitive polynomial Characterization L is MDS iff its minors are non-zero S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 4 / 32

  7. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Going Lightweight lightweight cipher = lightweight S-Boxes + lightweight diffusion matrix Focus on the diffusion function Goal: Find lightweight MDS matrix Main approaches: ◮ Optimize existing ciphers: MDS matrix → reduce cost (AES MixColumns) ◮ New ciphers: lightweight by design S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 5 / 32

  8. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Previous Works Recursive Matrices Guo, Peyrin and Poschmann in PHOTON (used in LED) A lightweight matrix A i MDS Implement A , then iterate A i times. Optimizing Coefficients ◮ Structured matrices: restrict to a small subspace with many MDS matrices ◮ More general than finite fields: less costly operations than multiplication in a finite field S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 6 / 32

  9. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Cost Evaluation Previous work: Number of XORS + sum of cost of each coefficient Drawback: Cannot reuse intermediate values Our approach: Global optimization as a circuit x 0 x 1 x 2   3 2 2 2 3 2   2 2 3 × 2  6 mult. by 2 �  1 mult. by 2  Previous: 3 mult. by 3 New: 5 XORS  6 XORS  S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 7 / 32

  10. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Formal Matrices Finite fields → polynomial ring ◮ α linear mapping on F 2 n x 0 x 1 x 2 ◮ Coefficients ∈ F 2 [ α ] i.e. polynomials in α with coeffs. in F 2 α S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 8 / 32

  11. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Formal Matrices Finite fields → polynomial ring ◮ α linear mapping on F 2 n x 0 x 1 x 2 ◮ Coefficients ∈ F 2 [ α ] i.e. polynomials in α with coeffs. in F 2 α Formal matrices ◮ α undefined ⇒ formal coefficients/matrix ◮ Objective: find M ( α ) s.t. ∃ A , M ( A ) MDS S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 8 / 32

  12. Introduction Lightweight Our approach Formal Results Instantiation Conclusion MDS Characterization of Formal Matrices MDS Characterization Maximal branch number iff the minors are non-zero (call it formal MDS ) Caution: minors are polynomials in α M ( α ) formal MDS ⇔ ∃ A , M ( A ) MDS Objective ◮ Find M ( α ) formal MDS and lightweight ◮ Fix n ◮ Find A linear mapping over F 2 n lightweight s.t. M ( A ) MDS S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 9 / 32

  13. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Algorithm Exhaustive search over circuits Search Space MDS matrices of sizes 3 × 3 and 4 × 4 For any word size n Operations: ◮ word-wise XOR ◮ α (generalization of a multiplication) ◮ Copy r registers: one register per word (3 for 3 × 3) + (at least) one more register → more complex operations Very costly S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 10 / 32

  14. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Implementation: Main Idea Graph-based search ◮ Node = matrix = sequence of operations ◮ Lightest implementation = shortest path to MDS matrix ◮ When we spawn a node, we test if it is MDS Representation k × r matrix, coefficients are polynomials in F 2 [ α ] S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 11 / 32

  15. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: Cut Useless Branches Limit use of Copy After copy, force use of the copied value S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 12 / 32

  16. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: Cut Useless Branches Limit use of Copy After copy, force use of the copied value Set up Boundaries Choose maximum cost and maximum depth for circuits + many more optimizations to save memory (at the cost of computation time) S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 12 / 32

  17. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  18. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  19. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  20. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  21. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix ◮ Linearly dependent columns: not part of MDS matrix S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  22. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix ◮ Linearly dependent columns: not part of MDS matrix ◮ Estimate: m = rank of the matrix (without columns containing 0) ◮ Need at least k − m word-wise XORs to MDS Result: much faster S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 13 / 32

  23. Introduction Lightweight Our approach Formal Results Instantiation Conclusion Optimizations: Use Equivalence ◮ TestedNodes : list of all nodes that have been tested for MDS ◮ UntestedNodes : list of all untested nodes S. Duval, G. Leurent MDS Matrices with Lightweight Circuits February 14, 2019 14 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun,

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun,

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun, Chaoyun Li, Zihao Wei, Lei Hu FSE 2019 @ Paris, France Li, Sun et al. Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits FSE

782 views • 44 slides
MDS Matrices with Lightweight Circuits S ebastien Duval Ga etan Leurent March 26, 2019

MDS Matrices with Lightweight Circuits S ebastien Duval Ga etan Leurent March 26, 2019

MDS Matrices with Lightweight Circuits S ebastien Duval Ga etan Leurent March 26, 2019 Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 2 / 18 SPN Ciphers Plaintext Shannons

482 views • 34 slides
Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI Kolkata November 18, 2018 Introduction Types of Circuits: Brief background. Block cipher circuits: Round based vs Serial. Eg: Working example

489 views • 44 slides
Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas

Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas

Introduction Analyzing XOR Count E.C. of Had-based Matrices Comparisons Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas Peyrin 1 Fr ed 1.Nanyang Technological University, Singapore 2.DSO

877 views • 36 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710)

MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710)

MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710) Mingye Chen (mc4414) Yuli Han(yh2986) Motivation Increasing and common usage of matrices. Matlab: expensive, not lightweight enough make it

581 views • 19 slides
Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 ,

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 ,

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 , 2 1 imec and COSIC, KU Leuven 2 DTU Compute, Technical University of Denmark March 6, 2017 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU

548 views • 29 slides
MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix

MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix

Matrices BUSINESS MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix multipication More operations with matrices Matrix transposition Symmetric matrices Old exam question Further study 2 MATRICES A

615 views • 25 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of

Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of

Topic 7: Matrices - p. - CSc (Mccann) Matrlcs 245 v1.1 1 Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of o Representation... o . graph (see . . of the data structure CSc

253 views • 8 slides
Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices are functions representations Matrices represent linear transfs CS5600 Computer Graphics Lecture Set 5 by 2 x 2 Matrices == 2D Linear

269 views • 9 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides
Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3.

Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3.

Lecture 11 | Part 1 Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3. Dictionary of sets How do we store a graph in a computers Three approaches: Adjacency Matrices Assume nodes are

927 views • 26 slides
Sequential Circuits Combinational circuits : current input output Sequential circuit :

Sequential Circuits Combinational circuits : current input output Sequential circuit :

14:332:231 DIGITAL LOGIC DESIGN Ivan Marsic, Rutgers University Electrical & Computer Engineering Fall 2013 Lecture #15: Sequential Circuits: Latches Sequential Circuits Combinational circuits : current input output Sequential

483 views • 15 slides
Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite

Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite

Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite state machines 1 Sequential Circuits Until now, circuits were combinational when inputs change, the outputs change after a while (time = logic

435 views • 19 slides
The doubly-exponential problem in equation/inequality solving James Davenport 1 University of

The doubly-exponential problem in equation/inequality solving James Davenport 1 University of

The doubly-exponential problem in equation/inequality solving James Davenport 1 University of Bath Fulbright Scholar at NYU J.H.Davenport@bath.ac.uk 30 March 2017 1 Thanks to Matthew England (Coventry), EPSRC EP/J003247/1, EU

266 views • 24 slides
Lecture 6.4: Galois groups Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 6.4: Galois groups Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 6.4: Galois groups Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4120, Modern Algebra M. Macauley (Clemson) Lecture 6.4: Galois groups Math 4120, Modern Algebra 1

405 views • 7 slides
A Survey of Polynomial Results (Number Theory Seminar) Abdullah Al-Shaghay Dalhousie University

A Survey of Polynomial Results (Number Theory Seminar) Abdullah Al-Shaghay Dalhousie University

A Survey of Polynomial Results (Number Theory Seminar) Abdullah Al-Shaghay Dalhousie University Monday March 25, 2019 Abdullah Al-Shaghay (Dalhousie University) Monday March 25, 2019 1 / 24 Overview Cyclotomic Polynomials 1 Sums of Roots

958 views • 48 slides
Minimal Polynomials Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Minimal Polynomials Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Minimal Polynomials Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 9, 2014 1 / 13 Factoring x q x over a Field F q and F p Example F = { 0 , 1 , y , y + 1 }

412 views • 13 slides
Q -polynomial Association Schemes Jason Williford University of Wyoming Modern Trends in

Q -polynomial Association Schemes Jason Williford University of Wyoming Modern Trends in

Q -polynomial Association Schemes Jason Williford University of Wyoming Modern Trends in Algebraic Graph Theory June 4th, 2014 Jason Williford University of Wyoming Q -polynomial Association Schemes Association Schemes A d -class symmetric

1.49k views • 101 slides
Friable values of polynomials Greg Martin Introduction Friable integers How often do the values

Friable values of polynomials Greg Martin Introduction Friable integers How often do the values

Friable values of polynomials Friable values of polynomials Greg Martin Introduction Friable integers How often do the values of a polynomial Friable values of polynomials have only small prime factors? Bounds for friable values of

1.49k views • 117 slides
Pattern of zeros- a joint work with X.-G. Wen Zhenghan Wang Microsoft Station Q UCSB TPM TQC

Pattern of zeros- a joint work with X.-G. Wen Zhenghan Wang Microsoft Station Q UCSB TPM TQC

Pattern of zeros- a joint work with X.-G. Wen Zhenghan Wang Microsoft Station Q UCSB TPM TQC UMTC Two Kinds of Model Systems String-net condensation---doubled MTCs Mathematically well-understood, Physically not clear Trial wave

534 views • 40 slides
On a secant Dirichlet series and Eichler integrals of Eisenstein series Modular Forms and Modular

On a secant Dirichlet series and Eichler integrals of Eisenstein series Modular Forms and Modular

On a secant Dirichlet series and Eichler integrals of Eisenstein series Modular Forms and Modular Integrals in Memory of Marvin Knopp AMS Sectional Meeting, Temple University Armin Straub October 12, 2013 University of Illinois &

647 views • 42 slides

More recommend