mds matrices with lightweight circuits
play

MDS Matrices with Lightweight Circuits S ebastien Duval Ga etan - PowerPoint PPT Presentation

Apr 13, 2023 •139 likes •482 views

MDS Matrices with Lightweight Circuits S ebastien Duval Ga etan Leurent March 26, 2019 Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 2 / 18 SPN Ciphers Plaintext Shannons

  1. MDS Matrices with Lightweight Circuits S´ ebastien Duval Ga¨ etan Leurent March 26, 2019

  2. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 2 / 18 SPN Ciphers Plaintext Shannon’s criteria K 0 1 Diffusion S S S S - Every bit of plaintext and key must affect every bit of the output L - We usually use linear functions 2 Confusion K 1 - Relation between plaintext and ciphertext must be intractable S S S S - Requires non-linear operations L - Often implemented with tables: S-Boxes K 2 Example: Rijndael/AES [Daemen Rijmen 1998] Ciphertext

  3. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 3 / 18 Block Cipher Security Analysis x x ⊕ a Differential Attacks [Biham Shamir 91] K 0 K 0 ◮ Attacker exploits (a,b) such that S S S S S S S S E K ( x ) ⊕ E K ( x ⊕ a ) = b L L with high probability ◮ Maximum of the probability K 1 K 1 over all ( a , b ) bounded by S S S S S S S S � B d ( L ) − 1 � δ ( S ) L L 2 n K 2 K 2 y y ⊕ b

  4. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 4 / 18 MDS Matrices Differential Branch Number B d ( L ) = min x � =0 { w ( x ) + w ( L ( x )) } where w ( x ) is the number of L non-zero n -bits words in x . Linear Branch Number x � =0 { w ( x ) + w ( L ⊤ ( x )) } L linear permutation B l ( L ) = min on k words of n bits.

  5. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 4 / 18 MDS Matrices Differential Branch Number B d ( L ) = min x � =0 { w ( x ) + w ( L ( x )) } where w ( x ) is the number of L non-zero n -bits words in x . Linear Branch Number x � =0 { w ( x ) + w ( L ⊤ ( x )) } L linear permutation B l ( L ) = min on k words of n bits. Maximum branch number : k + 1 Equivalent to MDS codes.

  6. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 4 / 18 MDS Matrices Differential Branch Number B d ( L ) = min x � =0 { w ( x ) + w ( L ( x )) } where w ( x ) is the number of L non-zero n -bits words in x . Linear Branch Number x � =0 { w ( x ) + w ( L ⊤ ( x )) } L linear permutation B l ( L ) = min on k words of n bits. Maximum branch number : k + 1 Equivalent to MDS codes.

  7. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 5 / 18 Matrices and Characterisation Usually on finite fields:   2 3 1 1 x a primitive element of F n 2 1 2 3 1   Coeffs. ∈ F 2 [ x ] / P , with P a   1 1 2 3   primitive polynomial 3 1 1 2 2 ↔ x 3 ↔ x + 1 AES MixColumns Characterisation L is MDS iff its minors are non-zero

  8. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 6 / 18 Previous Works Recursive Matrices [Guo et al. 2011] A lightweight matrix A i MDS Implement A , then iterate A i times. Optimizing Coefficients ◮ Structured matrices: restrict to a small subspace with many MDS matrices ◮ More general than finite fields: inputs are binary vectors, matrix coeffs. are n × n matrices. ⇒ less costly operations than multiplication in a finite field

  9. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 7 / 18 Cost Evaluation “Real cost” Number of operations of the best implementation. Xor count (naive cost) Hamming weight of the binary matrix. Cannot reuse intermediate values. Intermediate values ◮ Local optimisation : Lighter [Jean et al. 2017] cost of matrix multiplication = number of XORs + cost of the mult. by each coefficent. ◮ Global optimisation : ◮ Hardware synthesis: straight line programs [Kranz et al. 2018]. Heuristics to implement binary matrices. ◮ Our approach: Number of operations of the best implementation using operations on words.

  10. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 8 / 18 Metrics Comparison x 0 x 1 x 2   3 2 2 2 3 2   2 2 3 × 2  6 mult. by 2 �  1 mult. by 2  Xor Count: 3 mult. by 3 Our approach: 5 XORS  6 XORS 

  11. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 9 / 18 Formal Matrices Formal matrices x 0 x 1 x 2 ◮ Optimise in 2 steps: 1 Find M ( α ) for α an undefined linear mapping. � α +1 α α � α α +1 2 Instantiate with the best choice of α α α α α α +1 ◮ Not necessarily a finite field. ◮ Then coeffs. are polynomials in α .

  12. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 9 / 18 Formal Matrices Formal matrices x 0 x 1 x 2 ◮ Optimise in 2 steps: 1 Find M ( α ) for α an undefined linear mapping. � α +1 α α � α α +1 2 Instantiate with the best choice of α α α α α α +1 ◮ Not necessarily a finite field. ◮ Then coeffs. are polynomials in α . Characterisation of formally MDS matrices ◮ Objective: find M ( α ) s.t. ∃ A , M ( A ) MDS. ◮ If a minor of M ( α ) is null, then impossible. ◮ Otherwise, there always exists an A . Characterisation possible on M ( α ).

  13. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 10 / 18 Search Space Search over circuits Search Space Operations: ◮ word-wise XOR ◮ α (generalization of a multiplication) ◮ Copy Note: Only word-wise operations. r registers: one register per word (3 for 3 × 3) + (at least) one more register → more complex operations

  14. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 11 / 18 Implementation: Main Idea Tree-based Dijkstra search ◮ Node = matrix = sequence of operations ◮ Lightest circuit = shortest path to MDS matrix ◮ When we spawn a node, we test if it is MDS Search results ◮ k = 3 fast (seconds) ◮ k = 4 long (hours) ◮ k = 5 out of reach ◮ Collection of MDS matrices with trade-off between cost and depth (latency).

  15. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 12 / 18 Scheme of the Search x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 . . . . . . x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 α α α α α α α α

  16. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective

  17. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate:

  18. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ?

  19. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix

  20. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix ◮ Linearly dependent columns: not part of MDS matrix

  21. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 13 / 18 Optimization: A ∗ A ∗ Idea of A ∗ ◮ Guided Dijkstra ◮ weight = weight from origin + estimated weight to objective Our estimate: ◮ Heuristic ◮ How far from MDS ? ◮ Column with a 0: cannot be part of MDS matrix ◮ Linearly dependent columns: not part of MDS matrix ◮ Estimate: m = rank of the matrix (without columns containing 0) ◮ Need at least k − m word-wise XORs to MDS Result: much faster

  22. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 14 / 18 Methodology of the Instantiation The Idea 1 Input: Formal matrix M ( α ) MDS 2 Output: M ( A ) MDS, with A a linear mapping (the lightest we can find)

  23. Introduction Objective Search Algorithm Instantiating the Results Comparison with the Literature 15 / 18 Characterisation of MDS Instantiations MDS Test ◮ Intuitive approach: ◮ Choose A a linear mapping ◮ Evaluate M ( A ) ◮ See if all minors are non-singular

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun,

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun,

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits Shun Li , Siwei Sun, Chaoyun Li, Zihao Wei, Lei Hu FSE 2019 @ Paris, France Li, Sun et al. Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits FSE

782 views • 44 slides
MDS Matrices with Lightweight Circuits Sbastien Duval Gatan Leurent Sebastien.Duval@inria.fr

MDS Matrices with Lightweight Circuits Sbastien Duval Gatan Leurent Sebastien.Duval@inria.fr

MDS Matrices with Lightweight Circuits Sbastien Duval Gatan Leurent Sebastien.Duval@inria.fr February 14, 2019 Introduction Lightweight Our approach Formal Results Instantiation Conclusion Security of Block Ciphers Shannons

745 views • 59 slides
Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI Kolkata November 18, 2018 Introduction Types of Circuits: Brief background. Block cipher circuits: Round based vs Serial. Eg: Working example

489 views • 44 slides
Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas

Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas

Introduction Analyzing XOR Count E.C. of Had-based Matrices Comparisons Lightweight MDS Involution Matrices Siang Meng Sim 1 Khoongming Khoo 2 erique Oggier 1 Thomas Peyrin 1 Fr ed 1.Nanyang Technological University, Singapore 2.DSO

877 views • 36 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710)

MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710)

MathLight A lightweight matrix manipulation language Boya Song (bs3065) Chunli Fu(cf2710) Mingye Chen (mc4414) Yuli Han(yh2986) Motivation Increasing and common usage of matrices. Matlab: expensive, not lightweight enough make it

581 views • 19 slides
Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 ,

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 ,

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 , 2 1 imec and COSIC, KU Leuven 2 DTU Compute, Technical University of Denmark March 6, 2017 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU

548 views • 29 slides
MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix

MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix

Matrices BUSINESS MATHEMATICS 1 CONTENTS Matrices Special matrices Operations with matrices Matrix multipication More operations with matrices Matrix transposition Symmetric matrices Old exam question Further study 2 MATRICES A

615 views • 25 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of

Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of

Topic 7: Matrices - p. - CSc (Mccann) Matrlcs 245 v1.1 1 Why Are We Matrices? Studying plenty Matrices have uses in Computer Science. E.g.: of o Representation... o . graph (see . . of the data structure CSc

253 views • 8 slides
Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices are functions representations Matrices represent linear transfs CS5600 Computer Graphics Lecture Set 5 by 2 x 2 Matrices == 2D Linear

269 views • 9 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides
Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3.

Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3.

Lecture 11 | Part 1 Adjacency Matrices Representations memory? 1. Adjacency matrices. 2. Adjacency lists. 3. Dictionary of sets How do we store a graph in a computers Three approaches: Adjacency Matrices Assume nodes are

927 views • 26 slides
Sequential Circuits Combinational circuits : current input output Sequential circuit :

Sequential Circuits Combinational circuits : current input output Sequential circuit :

14:332:231 DIGITAL LOGIC DESIGN Ivan Marsic, Rutgers University Electrical & Computer Engineering Fall 2013 Lecture #15: Sequential Circuits: Latches Sequential Circuits Combinational circuits : current input output Sequential

483 views • 15 slides
Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite

Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite

Lecture 14: Sequential Circuits, FSM Todays topics: Sequential circuits Finite state machines 1 Sequential Circuits Until now, circuits were combinational when inputs change, the outputs change after a while (time = logic

435 views • 19 slides
Open Problems for Polynomials over Finite Fields and Applications 1 Daniel Panario School of

Open Problems for Polynomials over Finite Fields and Applications 1 Daniel Panario School of

Introduction Prescribed Coefficients Low Weight Polynomials Potpourri of Open Problems Conclusions Open Problems for Polynomials over Finite Fields and Applications 1 Daniel Panario School of Mathematics and Statistics Carleton University

954 views • 52 slides
Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and

Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and

Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and Mobility LAboratory Multivariate Extreme Value models p. 1/62 Logit Random utility: U in = V in + in in is i.i.d. EV (Extreme Value)

990 views • 62 slides
Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc Beuchat Laboratory of Cryptography and Informantion Security University of Tsukuba, Japan jeanluc.beuchat@gmail.com Joint work with: enaire, LIP,

1.73k views • 139 slides
Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu 1 Abstract Introducing practical issues. The open book. The graph history interaction (GHI) problem. Smart

884 views • 28 slides
Goals and Objectives Life throws at us many different types of problems. Being able to solve

Goals and Objectives Life throws at us many different types of problems. Being able to solve

Slide 1 / 224 Slide 2 / 224 New Jersey Center for Teaching and Learning Algebra II Progressive Mathematics Initiative This material is made freely available at www.njctl.org and is intended for the non-commercial use of Fundamental Skills of

415 views • 38 slides
Using dependent types in models of climate change impacts Cezar Ionescu PIK : Potsdam Institute

Using dependent types in models of climate change impacts Cezar Ionescu PIK : Potsdam Institute

Using dependent types in models of climate change impacts Cezar Ionescu PIK : Potsdam Institute for Climate Impact Research At PIK researchers in the natural and social sciences work together to study global change and its impacts on

395 views • 18 slides
TEMPLATE Teacher Name (and Class Name photo/bitmoji if possible) Key Learning Outcomes In

TEMPLATE Teacher Name (and Class Name photo/bitmoji if possible) Key Learning Outcomes In

TEMPLATE Teacher Name (and Class Name photo/bitmoji if possible) Key Learning Outcomes In order to pass this class, students need to be able to... Technology Help Learning outcome one - - Description - Where to find assignments. -

734 views • 50 slides
6 DOF EKF SLAM in Underwater Environments Markus Solbach Final Masters Project Universitat de

6 DOF EKF SLAM in Underwater Environments Markus Solbach Final Masters Project Universitat de

Introduction 3D Transformation Image Registration Visual EKF-SLAM Results Conclusion 6 DOF EKF SLAM in Underwater Environments Markus Solbach Final Masters Project Universitat de les Illes Balears September 24, 2014 1 / 66 Introduction

883 views • 66 slides

More recommend