Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao, Shasha Zhang Nov. 09, 2020
Lightweight Cryptography
- Requirements: circuit size, latency, throughput, ...
- Primitives: SIMON, SPECK, PRESENT, RECTANGLE, LED, MIDORI, ...
- Optimization (sbox): Gladman (Serpent); SAT based method (Stoffelen, FSE 2016); LIGHTER (Jean, FSE 2017); ...
- Lightweight Components: lightweight MDS or near-MDS matrix; Sbox?
Optimization --- Linear layer
Local optimization: optimize the multiplication (finite field or matrix-vector multiplication) of each entry of a matrix.
  Method: using different bases; LIGHTER; LIGHTER variants; ...
  Cost = fixed cost + multiplication. AES = 96 + ( )
Global optimization: treat the linear layer as a binary matrix and find the minimal number of xor operations to implement the matrix.
  Method: Paar1 and Paar2; BP (Boyar and Peralta); reuse intermediate values; ...
  Cost = returned by the algorithms. AES = 92
Metrics: D-xor
Consider a matrix over GF(2) to be implemented:
$$M = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 \end{pmatrix}, \qquad
y_1 = x_1 \oplus x_2 \oplus x_3,\quad y_2 = x_1 \oplus x_2 \oplus x_4,\quad y_3 = x_1 \oplus x_3,\quad y_4 = x_2 \oplus x_3.$$
D-xor: counting the number of 1's within a binary matrix; a row with k ones costs k - 1 xors when implemented directly, so the count is the number of 1's minus the number of rows. D-xor(M) = 6.
Metrics: G-xor
Counting the minimal number of operations $x_i = x_m \oplus x_n$ implementing the matrix (Shortest Linear Straight-Line Program, NP-hard).
$u_1 = x_1 \oplus x_3 \;(y_3)$
$u_2 = x_2 \oplus x_3 \;(y_4)$
$u_3 = x_1 \oplus x_2$
$u_4 = u_3 \oplus x_3 \;(y_1)$
$u_5 = u_3 \oplus x_4 \;(y_2)$
D-xor = 6, G-xor = 5
Metrics: S-xor
Counting the minimal number of operations $x_i = x_i \oplus x_j$ implementing the matrix (optimal pivoting in Gauss-Jordan elimination).
$x_4 = x_4 \oplus x_2$, register holds $x_4 \oplus x_2$
$x_4 = x_4 \oplus x_1$, register holds $x_4 \oplus x_2 \oplus x_1 = y_2$
$x_1 = x_1 \oplus x_3$, register holds $x_1 \oplus x_3 = y_3$
$x_3 = x_3 \oplus x_2$, register holds $x_3 \oplus x_2 = y_4$
$x_2 = x_2 \oplus x_1$, register holds $x_2 \oplus x_1 \oplus x_3 = y_1$
S-xor = 5
Extra advantage of S-xor: bit-sliced software implementation
G-xor program written with ^:
u1 = x1 ^ x3 (y3); u2 = x2 ^ x3 (y4); u3 = x1 ^ x2; u4 = u3 ^ x3 (y1); u5 = u3 ^ x4 (y2)
Rewritten in place where possible:
u1 = x1 ^ x3 (y3); u2 = x2 ^ x3 (y4); x1 = x1 ^ x2; x3 = x1 ^ x3 (y1); x4 = x1 ^ x4 (y2)
Xor is destructive: u1 = x1 ^ x3 costs two instructions, movl x1, t1 and xorl x3, t1.
Hubei University, 2019/4/13
Extra advantage of S-xor (continued)
The S-xor program maps to one xorl per operation:
x4 = x4 ^ x2          xorl x2, x4
x4 = x4 ^ x1 (y2)     xorl x1, x4
x1 = x1 ^ x3 (y3)     xorl x3, x1
x3 = x3 ^ x2 (y4)     xorl x2, x3
x2 = x2 ^ x1 (y1)     xorl x1, x2
Quantum implementation: CNOT gate, $(x_0, x_1) \mapsto (x_0, x_1 \oplus x_0)$.
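The three metrics on the matrix M of the "Metrics" slides, as an added example (not code from the slides or the authors): D-xor from the row weights, then the slide's G-xor and S-xor programs run bit-sliced and checked against M on all 16 inputs, plus the destructive-xor point of the last two slides as an instruction count. The representation (rows as bit masks, programs as (destination, operand, operand) triples, the function names) is this example's own choice.

```python
# Added example (not from the slides): the three xor-count metrics on the 4x4
# matrix M of the "Metrics" slides, with every program checked against M on
# all 16 inputs. Programs run bit-sliced: a variable is a machine word whose
# bit lanes are independent inputs, so one xor evaluates 16 inputs at once.

# Rows of M as bit masks, bit c = column c (slide's x1..x4 are columns 0..3).
M = [0b0111, 0b1011, 0b0101, 0b0110]


def d_xor(matrix):
    """Direct count: a row with k ones costs k-1 xors, so D-xor = #ones - #rows."""
    return sum(bin(row).count("1") - 1 for row in matrix)


# G-xor program from the slide: fresh temporaries u1..u5; each step is
# (destination, operand, operand). G_OUTPUTS says which variable holds y_k.
G_PROGRAM = [("u1", "x1", "x3"), ("u2", "x2", "x3"), ("u3", "x1", "x2"),
             ("u4", "u3", "x3"), ("u5", "u3", "x4")]
G_OUTPUTS = {"y1": "u4", "y2": "u5", "y3": "u1", "y4": "u2"}

# S-xor program from the slide: every step is x_i = x_i ^ x_j, no temporaries,
# so the outputs end up in the input registers.
S_PROGRAM = [("x4", "x4", "x2"), ("x4", "x4", "x1"), ("x1", "x1", "x3"),
             ("x3", "x3", "x2"), ("x2", "x2", "x1")]
S_OUTPUTS = {"y1": "x2", "y2": "x4", "y3": "x1", "y4": "x3"}


def run(program, outputs, x_words):
    """Execute a straight-line xor program on bit-sliced words; return [y1..y4]."""
    env = {"x%d" % (c + 1): w for c, w in enumerate(x_words)}
    for dst, a, b in program:
        env[dst] = env[a] ^ env[b]
    return [env[outputs["y%d" % (r + 1)]] for r in range(4)]


def reference(matrix, x_words):
    """M*x lane by lane: output row r is the xor of the x words selected by row r."""
    out = []
    for row in matrix:
        acc = 0
        for c in range(4):
            if row >> c & 1:
                acc ^= x_words[c]
        out.append(acc)
    return out


def all_inputs_sliced():
    """Pack all 16 inputs into 4 words: lane t of word c holds bit c of t."""
    return [sum(((t >> c) & 1) << t for t in range(16)) for c in range(4)]


def check(program, outputs):
    """True when the program computes M on every input."""
    x = all_inputs_sliced()
    return run(program, outputs, x) == reference(M, x)


def to_x86(program):
    """Translate to AT&T-syntax instructions. xorl is destructive: a step whose
    destination is one of its operands is a single xorl (S-xor), while a fresh
    temporary first needs a movl, as in the slide's `movl x1, t1; xorl x3, t1`."""
    code = []
    for dst, a, b in program:
        if dst == a:
            code.append("xorl %s, %s" % (b, dst))
        elif dst == b:
            code.append("xorl %s, %s" % (a, dst))
        else:
            code.append("movl %s, %s" % (a, dst))
            code.append("xorl %s, %s" % (b, dst))
    return code


if __name__ == "__main__":
    print("D-xor(M) =", d_xor(M))
    for name, prog, outs in (("G-xor", G_PROGRAM, G_OUTPUTS),
                             ("S-xor", S_PROGRAM, S_OUTPUTS)):
        print("%s: %d xors, correct=%s, %d x86 instructions"
              % (name, len(prog), check(prog, outs), len(to_x86(prog))))
```

Both programs use 5 xors, but only the S-xor one translates to 5 instructions; every fresh temporary in the G-xor program costs an extra movl, which is the point of the last two slides.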
Elementary operation and elementary matrix
Type-1: interchange two rows (columns).
$$E(1 \leftrightarrow 2) = \begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Type-2: multiply a row (column) with a nonzero number $k \in \mathbb{F}_2$.
$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & k & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Type-3: add a row (column) to another one multiplied by a nonzero number $k \in \mathbb{F}_2$.
$$E(1 + 2 * k) = \begin{pmatrix} 1 & k & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Cost of elementary matrix
Type-1: $E(1 \leftrightarrow 2) = \begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}$, so $y_1 = x_2$, $y_2 = x_1$, $y_3 = x_3$. Cost = 0.
Type-3: $E(1 + 2) = \begin{pmatrix} 1 & 1 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$, so $y_1 = x_1 \oplus x_2$, $y_2 = x_2$, $y_3 = x_3$. Cost = 1 (S-xor).
Matrix Decomposition
Theorem: Any invertible matrix can be transformed into an identity matrix using elementary row and/or column operations. Thus, any invertible matrix can be decomposed as a product of elementary matrices.
Corollary: Any matrix in $GL(n, \mathbb{F}_2)$ can be transformed into an identity matrix by applying a series of type-1 and type-3 elementary row and/or column operations. Thus, any matrix in $GL(n, \mathbb{F}_2)$ can be decomposed as a product of type-1 and type-3 elementary matrices.
Matrix decompositions
1. Elementary row operation based matrix decomposition (Gaussian Elimination)
2. Elementary column operation based matrix decomposition
3. Hybrid elementary operation based matrix decomposition: pick the elementary operation which reduces the number of 1's in the given matrix the most.
   Tie break: the first one vs. random.
   If every operation would increase the number of 1's (infinite loop), fall back to 1 or 2.
Matrix Decomposition
Property: $E(i + j)\,E(k \leftrightarrow l) = E(k \leftrightarrow l)\,E(f_{k,l}(i) + f_{k,l}(j))$ and $E(k \leftrightarrow l)\,E(i + j) = E(f_{k,l}(i) + f_{k,l}(j))\,E(k \leftrightarrow l)$, where
$$f_{k,l}(x) = \begin{cases} k, & \text{if } x = l, \\ l, & \text{if } x = k, \\ x, & \text{else.} \end{cases}$$
Theorem: Any matrix $M$ in $GL(n, \mathbb{F}_2)$ can be decomposed as
$$M = E(i_t + j_t) \cdots E(i_1 + j_1)\, E(i'_s \leftrightarrow j'_s) \cdots E(i'_1 \leftrightarrow j'_1),$$
Cost(M) = t.
Properties of matrix multiplication
Property: Let $E(i \leftrightarrow j)$ and $E(i + j)$ denote type-1 and type-3 elementary matrices in $GL(n, \mathbb{F}_2)$ respectively; then the following equations hold.
R1: $E(k + i)\,E(k + j)\,E(i + j) = E(i + j)\,E(k + i)$
R2: $E(i + k)\,E(k + j)\,E(i + j) = E(k + j)\,E(i + k)$
R3: $E(i + k)\,E(j + k)\,E(i + j) = E(i + j)\,E(j + k)$
R4: $E(j + k)\,E(i + k)\,E(i + j) = E(i + j)\,E(j + k)$
R5: $E(k + j)\,E(k + i)\,E(i + j) = E(i + j)\,E(k + i)$
R6: $E(k + j)\,E(i + k)\,E(i + j) = E(i + j)\,E(k + j)$
R7: $E(j + i)\,E(i + j) = E(i \leftrightarrow j)\,E(j + i)$
Properties of matrix multiplication
$E(k + i)\,E(k + j)\,E(i + j) = E(i + j)\,E(k + i)$
Consider $E(k + i)\,E(k + j)\,E(i + j)\,x$, where $x = (x_1, x_2, \dots, x_n)$. Only $x_i$, $x_j$ and $x_k$ are involved in the computation.
Left-hand side, rightmost factor first:
  start: $(x_i,\; x_j,\; x_k)$
  after $E(i + j)$: $(x_i \oplus x_j,\; x_j,\; x_k)$
  after $E(k + j)$: $(x_i \oplus x_j,\; x_j,\; x_k \oplus x_j)$
  after $E(k + i)$: $(x_i \oplus x_j,\; x_j,\; x_k \oplus x_i)$
Right-hand side:
  start: $(x_i,\; x_j,\; x_k)$
  after $E(k + i)$: $(x_i,\; x_j,\; x_k \oplus x_i)$
  after $E(i + j)$: $(x_i \oplus x_j,\; x_j,\; x_k \oplus x_i)$
The two results are equivalent.
Properties of matrix multiplication
Matrix multiplication does NOT generally satisfy the commutative law. Special cases:
Property: Let $i, j, k, l$ be integers with $i \ne j \ne k \ne l$; then we have
1. $E(k + l)\,E(i + j) = E(i + j)\,E(k + l)$
2. $E(i + j)\,E(k + j) = E(k + j)\,E(i + j)$
3. $E(i + j)\,E(i + k) = E(i + k)\,E(i + j)$
Example
$M = E(3 + 2)\,E(3 + 4)\,E(3 + 1)\,E(2 + 1)$, cost = 4
commutative: $M = E(3 + 4)\,E(3 + 2)\,E(3 + 1)\,E(2 + 1)$
reduction (R1): $M = E(3 + 4)\,E(2 + 1)\,E(3 + 2)$, cost = 3
Reduction algorithm
Given a matrix decomposition $E(i_1 + j_1) \cdots E(i_s + j_s) \cdots E(i_t + j_t)$:
1. Identify a possible reduction: find factors that are commutable with their neighbours, so that they can be moved next to each other.
2. Conditions: the adjacent factors match a reduction rule.
3. Reduction: apply the rule, giving an equivalent decomposition with fewer type-3 factors.
Search algorithm
Pick a segment of a decomposition of $M$, reduce its cost, and replace the segment; the result is an equivalent decomposition, and the loop repeats.
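The reduction loop of the "Reduction algorithm" and "Search algorithm" slides, run on the decomposition of the "Example" slide, as an added example (not code from the slides or the authors' tool). Rather than pattern-matching R1 to R7 by name, it validates every rewrite by comparing products as matrices in $GL(n, \mathbb{F}_2)$, so each step it applies is a genuine identity; the commute-then-reduce move of the example (cost 4 to 3) falls out of that. Indices are 0-based, so the slide's $E(3+2)$ is `("add", 2, 1)`; the function names and the window-of-three search are this example's own choices.

```python
# Added example (not from the slides, not the authors' tool): a small version
# of the reduce/search loop. A three-op window is replaced by a cheaper
# sequence only if both have the same product, so every rewrite is an
# identity in GL(n, F_2). Rows are ints, bit c = column c; indices 0-based.


def apply_row_op(rows, op):
    """Left-multiply by one elementary matrix: E(i+j) is row_i ^= row_j,
    E(i<->j) swaps the two rows."""
    kind, i, j = op
    rows = list(rows)
    if kind == "add":
        rows[i] ^= rows[j]
    else:
        rows[i], rows[j] = rows[j], rows[i]
    return rows


def product(ops, n):
    """Matrix E_1 E_2 ... E_m for ops = [E_1, ..., E_m]: apply E_m to the
    identity first and E_1 last. Returned as a tuple of rows."""
    rows = [1 << c for c in range(n)]
    for op in reversed(ops):
        rows = apply_row_op(rows, op)
    return tuple(rows)


def cost(ops):
    return sum(1 for op in ops if op[0] == "add")


def candidates(indices):
    """All type-3 and type-1 matrices touching only the given rows. A cheaper
    sequence of at most two ops equal to a window cannot touch other rows:
    an op on an outside row could only be undone by repeating it."""
    idx = sorted(indices)
    ops = [("add", i, j) for i in idx for j in idx if i != j]
    ops += [("swap", i, j) for i in idx for j in idx if i < j]
    return ops


def shorten_window(window, n):
    """A sequence of at most two ops with the same product as the three-op
    window and strictly lower cost, or None. R1..R7 are instances of this."""
    target = product(window, n)
    cands = candidates({k for _, i, j in window for k in (i, j)})
    options = [[]] + [[a] for a in cands] + [[a, b] for a in cands for b in cands]
    for seq in options:
        if cost(seq) < cost(window) and product(seq, n) == target:
            return seq
    return None


def find_window(ops, n):
    for s in range(len(ops) - 2):
        better = shorten_window(ops[s:s + 3], n)
        if better is not None:
            return s, better
    return None


def reduce_decomposition(ops, n):
    """Search loop: reduce a window where possible; otherwise commute one
    adjacent pair that commutes (checked as matrices) to expose a window."""
    ops = list(ops)
    while True:
        hit = find_window(ops, n)
        if hit is not None:
            s, better = hit
            ops[s:s + 3] = better
            continue
        for s in range(len(ops) - 1):
            a, b = ops[s], ops[s + 1]
            if product([a, b], n) != product([b, a], n):
                continue
            trial = ops[:s] + [b, a] + ops[s + 2:]
            hit = find_window(trial, n)
            if hit is not None:
                s2, better = hit
                trial[s2:s2 + 3] = better
                ops = trial
                break
        else:
            return ops


# The "Example" slide: M = E(3+2) E(3+4) E(3+1) E(2+1), cost 4.
EXAMPLE = [("add", 2, 1), ("add", 2, 3), ("add", 2, 0), ("add", 1, 0)]

if __name__ == "__main__":
    reduced = reduce_decomposition(EXAMPLE, 4)
    print("reduced:", reduced, "cost", cost(reduced))
    print("same matrix:", product(EXAMPLE, 4) == product(reduced, 4))
```

On the example the loop first commutes $E(3+2)$ and $E(3+4)$ (special case 3 of the commutation property) and then replaces the window $E(3+2)\,E(3+1)\,E(2+1)$ by $E(2+1)\,E(3+2)$, which is R1 with $k = 3$, $i = 2$, $j = 1$, giving $E(3+4)\,E(2+1)\,E(3+2)$ at cost 3.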
Applications
On Inverse Matrices
If $M = E_1 E_2 \cdots E_n$, then $M^{-1} = E_n^{-1} E_{n-1}^{-1} \cdots E_1^{-1}$, so the cost of the inverse of $M$ = the cost of $M$.
The inverse of AES MixColumns can be implemented using 92 xor's.
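A decomposition of the "Metrics" matrix M into type-1 and type-3 elementary matrices, used both as an in-place S-xor program and, read backwards, as the program for $M^{-1}$ at the same cost, as an added example (not code from the slides or the authors' tool). It follows the greedy rule of the "Matrix decompositions" slide with plain Gauss-Jordan as the fallback; the representation (rows as bit masks, ops as tuples) and the function names are this example's own choices.

```python
# Added example (not from the slides, not the authors' tool): decompose an
# invertible matrix over F_2 into type-1 (row swap) and type-3 (row add)
# elementary matrices with the hybrid greedy rule and a Gauss-Jordan fallback,
# then use the decomposition as an in-place S-xor program for M and for M^-1.
# Rows are Python ints used as bit vectors: bit c of row r is entry (r, c).


def popcount(v):
    return bin(v).count("1")


def decompose(matrix):
    """Return (ops, cost). ops, applied in order, reduce `matrix` to the
    identity: ("add", i, j) is row_i ^= row_j (the matrix E(i+j)) and
    ("swap", i, j) exchanges rows (E(i<->j)). cost = number of "add" ops."""
    rows = list(matrix)
    n = len(rows)
    ops = []
    # Phase 1, greedy: among all row_i ^= row_j pick the one that removes the
    # most 1's (ties: first found); stop when nothing strictly improves, which
    # is the "would increase the number of 1's" condition of the slide.
    while True:
        best = None
        for i in range(n):
            for j in range(n):
                if i != j:
                    gain = popcount(rows[i]) - popcount(rows[i] ^ rows[j])
                    if best is None or gain > best[0]:
                        best = (gain, i, j)
        if best is None or best[0] <= 0:
            break
        _, i, j = best
        rows[i] ^= rows[j]
        ops.append(("add", i, j))
    # Phase 2, Gauss-Jordan on what is left: a permutation matrix in the easy
    # case (only swaps needed), a local minimum of the greedy rule otherwise.
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r] >> col & 1), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        if pivot != col:
            rows[col], rows[pivot] = rows[pivot], rows[col]
            ops.append(("swap", col, pivot))
        for r in range(n):
            if r != col and rows[r] >> col & 1:
                rows[r] ^= rows[col]
                ops.append(("add", r, col))
    assert rows == [1 << c for c in range(n)]
    return ops, sum(1 for op in ops if op[0] == "add")


def apply_program(ops, x):
    """Compute M*x in place from a decomposition of M. Every E is its own
    inverse over F_2, so M = O_1 O_2 ... O_m and the ops run in reverse order;
    each "add" is one destructive xor and each "swap" is a free renaming."""
    x = list(x)
    for kind, i, j in reversed(ops):
        if kind == "add":
            x[i] ^= x[j]
        else:
            x[i], x[j] = x[j], x[i]
    return x


def inverse_program(ops):
    """M^-1 = O_m ... O_1: the same ops in the opposite order, same cost."""
    return list(reversed(ops))


def mat_vec(matrix, x):
    """Reference M*x over F_2 with x as a list of bits."""
    return [sum(b for c, b in enumerate(x) if row >> c & 1) & 1 for row in matrix]


# The 4x4 matrix M of the "Metrics" slides (bit c of a row = column c).
M = [0b0111, 0b1011, 0b0101, 0b0110]


def verify(matrix):
    """True when the program reproduces M*x and the inverse program undoes it."""
    n = len(matrix)
    ops, _ = decompose(matrix)
    for v in range(1 << n):
        x = [v >> c & 1 for c in range(n)]
        y = apply_program(ops, x)
        if y != mat_vec(matrix, x) or apply_program(inverse_program(ops), y) != x:
            return False
    return True


if __name__ == "__main__":
    ops, cost = decompose(M)
    print("ops:", ops)
    print("S-xor cost of M and of M^-1:", cost)
    print("verified:", verify(M))
```

On this M the greedy phase reaches a permutation matrix after five row adds and the fallback only contributes swaps, so the cost is 5, matching the S-xor slide; reversing the same list gives $M^{-1}$ for the same five xors.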
Recommend
More recommend