Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong - - PowerPoint PPT Presentation

Optimizing Implementations of Linear Layers

Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao, Shasha Zhang

• Nov. 09, 2020

Lightweight Cryptography

• Requirements

Circuit size Latency Throughput ……

• Primitives:

SIMON，SPECK PRESENT, RECTANGLE LED，MIDORI ……

• Lightweight Components:

 Lightweight MDS or near-MDS matrix  Sbox?

• Optimization (sbox)

 Gladman (Serpent)  SAT based method (Stoffelen, FSE 2016)  LIGHTER (Jean, FSE 2017)  ……

Optimization---Linear layer

optimize the multiplication (finite field or matrix-vector multiplication) of each entry of a matrix. Method:using different basis reuse intermediate values LIGHTER Cost = fixed cost + multiplication AES = 96 + ()

 treat the linear layer as a binary matrix and find the minimal number of xor operations to implement the matrix  Method: Paar1 and Paar2 BP (Boyar and Peralta) LIGHTER variants……  Cost = returned by the algorithms  AES = 92 Local optimization Global optimization

Metrics

Counting the number of 1’s within a binary matrix. D-xor(M) = 6

Consider a matrix to be implemented, 𝑁 = 1 1 1 1 1 1 1 1 1 1 𝐻𝐺 2 : 𝑧1 = 𝑦1 ⊕ 𝑦2 ⊕ 𝑦3 𝑧2 = 𝑦1 ⊕ 𝑦2 ⊕ 𝑦4 𝑧3 = 𝑦1 ⊕ 𝑦3 𝑧4 = 𝑦2 ⊕ 𝑦3

D-xor

Metrics

𝑢1 = 𝑦1 ⊕ 𝑦3 (𝑧3) 𝑢2 = 𝑦2 ⊕ 𝑦3 (𝑧4) 𝑢3 = 𝑦1 ⊕ 𝑦2 𝑢4 = 𝑢3 ⊕ 𝑦3 (𝑧1) 𝑢5 = 𝑢3 ⊕ 𝑦4 (𝑧2)

D-xor = 6 G-xor = 5 Counting the minimal number of operations 𝑦𝑗 = 𝑦𝑛 ⊕ 𝑦𝑜 implementing the matrix. G-xor Shortest Linear Straight-Line Program, NP-hard

Metrics

Counting the nominal number of operations 𝑦𝑗 = 𝑦𝑗 ⊕ 𝑦𝑘 implementing the matrix.

𝑦4 ⊕ 𝑦2 𝑦4 ⊕ 𝑦2 ⊕ 𝑦1 = 𝑧2 𝑦1 ⊕ 𝑦3 = 𝑧3 𝑦3 ⊕ 𝑦2 = 𝑧4 𝑦2 ⊕ 𝑦1 ⊕ 𝑦3 = 𝑧1

S-xor Optimal pivoting in Gauss-Jordan elimination

𝑦4 = 𝑦4 ⊕ 𝑦2 𝑦4 = 𝑦4 ⊕ 𝑦1 𝑦1 = 𝑦1 ⊕ 𝑦3 𝑦3 = 𝑦3 ⊕ 𝑦2 𝑦2 = 𝑦2 ⊕ 𝑦1

S-xor = 5

Extra advantage of S-xor

2019/4/13 湖北大学 7

𝑢1 = 𝑦1 ⊕ 𝑦3 (𝑧3) 𝑢2 = 𝑦2 ⊕ 𝑦3 (𝑧4) 𝑢3 = 𝑦1 ⊕ 𝑦2 𝑢4 = 𝑢3 ⊕ 𝑦3 (𝑧1) 𝑢5 = 𝑢3 ⊕ 𝑦4 (𝑧2) Bit-sliced software implementation 𝑢1 = 𝑦1^𝑦3 (𝑧3) 𝑢2 = 𝑦2^𝑦3 (𝑧4) 𝑢3 = 𝑦1^𝑦2 𝑢4 = 𝑢3^𝑦3 (𝑧1) 𝑢5 = 𝑢3^𝑦4 (𝑧2) Xor destructive 𝑢1 = 𝑦1^𝑦3 movl x1, t1 xorl x3, t1 𝑢1 = 𝑦1^𝑦3 (𝑧3) 𝑢2 = 𝑦2^𝑦3 (𝑧4) 𝑦1 = 𝑦1^𝑦2 𝑦3 = 𝑦1^𝑦3 (𝑧1) 𝑦4 = 𝑦1^𝑦4 (𝑧2)

Extra advantage of S-xor

𝑦4 = 𝑦4^𝑦2 𝑦4 ⊕ 𝑦2 𝑦4 = 𝑦4^𝑦1 𝑦4 ⊕ 𝑦2 ⊕ 𝑦1 = 𝑧2 𝑦1 = 𝑦1^𝑦3 𝑦1 ⊕ 𝑦3 = 𝑧3 𝑦3 = 𝑦3^𝑦2 𝑦3 ⊕ 𝑦2 = 𝑧4 𝑦2 = 𝑦2^𝑦1 𝑦2⊕ 𝑦1 ⊕ 𝑦3 = 𝑧1 xorl x2, x4 xorl x1, x4 xorl x3, x1 xorl x2, x3 xorl x1, x2 Quantum Implementation

CNOT gate 𝑦0 𝑦1 𝑦0 𝑦1 ⊕ 𝑦0

Elementary operation and elementary matrix

Interchange two rows (columns) Multiply a row (column) with a nonzero number Add a row (column) to another

• ne multiplied by a nonzero

number Type-1 Type-2 Type-3 𝐹 1 ↔ 2 = 1 1 1 𝐹 1 + 2 ∗ 𝑙 = 1 𝑙 1 𝐹 1 + 2 ∗ 𝑙 = 1 𝑙 1 1

𝑙 ∈ 𝐺

2

𝑙 ∈ 𝐺

2

Cost of elementary matrix

Type-1 Type-3 𝐹 1 ↔ 2 = 1 1 1 𝐹 1 + 2 = 1 1 1 1 1 1 1 𝑦1 𝑦2 𝑦3 = 𝑧1 = 𝑦2 𝑧2 = 𝑦1 𝑧3 = 𝑦3 1 1 1 1 𝑦1 𝑦2 𝑦3 = 𝑧1 = 𝑦1 ⊕ 𝑦2 𝑧2 = 𝑦2 𝑧3 = 𝑦3 Cost = 0 Cost = 1 (S-xor)

Matrix Decomposition

Any invertible matrix can be transformed into an identity matrix using elementary row and/or column operations. Thus, any invertible matrix can ben decomposed as a product of elementary matrices. Theorem Corollary Any matrix in 𝐻𝑀(2, 𝐺2) can be transformed into an identity matrix by applying a series of type-1 and type-3 elementary row and/or column operations. Thus, any matrix in 𝐻𝑀(2, 𝐺2) can ben decomposed as a product of type-1 and type-3 elementary matrices.

𝐺2

Matrix decompositions

Elementary row operation based matrix decomposition Gaussian Elimination

1

Elementary column operation based matrix decomposition

2 3

Hybrid elementary operation based matrix decomposition

Pick the elementary

• peration which minimize

the most number of 1’s in the given matrix Tie break: the first one VS random Increase the number of 1’s –> infinite loop -> 1

• r 2

Matrix Decomposition

𝐹 𝑗 + 𝑘 𝐹 𝑙 ↔ 𝑚 = 𝐹 𝑙 ↔ 𝑚 𝐹 𝑔

𝑙,𝑚 𝑗 + 𝑔 𝑙,𝑚 𝑘

, 𝐹 𝑙 ↔ 𝑚 𝐹 𝑗 + 𝑘 = 𝐹 𝑔

𝑙,𝑚 𝑗 + 𝑔 𝑙,𝑚 𝑘

𝐹(𝑙 ↔ 𝑚), where 𝑔

𝑙,𝑚 𝑦 = ቐ

𝑙, 𝑚, 𝑦,

Property

if 𝑦 = 𝑚, if 𝑦 = 𝑙, else.

Theorem

Any matrix 𝑁 in 𝐻𝑀 2, 𝐺2 can ben decomposed as: 𝑁 = 𝐹 𝑗𝑢 + 𝑘𝑢 ⋯ 𝐹 𝑗1 + 𝑘1 𝐹 𝑗𝑡

′ ↔ 𝑘𝑡 ′ ⋯ 𝐹(𝑗1 ′ ↔ 𝑘𝑡 ′)

Cost(M) = t

Properties of matrix multiplication

Property

Let 𝐹 𝑗 ↔ 𝑘 and E(i+j) denote a type-1 and type-3 elementary matrices in 𝐻𝑀 2, 𝐺2 respectively, then the following equations hold.

R1 R2 R3 R7 R4 R6 R5 𝐹 𝑙 + 𝑗 𝐹 𝑙 + 𝑘 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑙 + 𝑗) 𝐹 𝑗 + 𝑙 𝐹 𝑙 + 𝑘 𝐹 𝑗 + 𝑘 = 𝐹 𝑙 + 𝑘 𝐹(𝑗 + 𝑙) 𝐹(𝑗 + 𝑙)𝐹 𝑘 + 𝑙 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑘 + 𝑙) 𝐹 𝑘 + 𝑙 𝐹 𝑗 + 𝑙 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑘 + 𝑙) 𝐹 𝑙 + 𝑘 𝐹 𝑙 + 𝑗 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑙 + 𝑗) 𝐹 𝑙 + 𝑘 𝐹 𝑗 + 𝑙 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑙 + 𝑘) 𝐹 𝑘 + 𝑗 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 ↔ 𝑘 𝐹(𝑘 + 𝑗)

Properties of matrix multiplication

𝐹 𝑙 + 𝑗 𝐹 𝑙 + 𝑘 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑙 + 𝑗) Consider 𝐹 𝑙 + 𝑗 𝐹 𝑙 + 𝑘 𝐹 𝑗 + 𝑘 𝑦, where 𝑦 = 𝑦1, 𝑦2, … , 𝑦𝑜 . Only 𝑦𝑗, 𝑦𝑘 and 𝑦𝑙 are involved in the computation. 𝒚𝒋 𝒚𝒌 𝒚𝒍 𝑦𝑗 ⊕ 𝑦𝑘 𝑦𝑘 𝑦𝑙 𝑦𝑗 ⊕ 𝑦𝑘 𝑦𝑘 𝑦𝑙 ⊕ 𝑦𝑘 𝑦𝑗 ⊕ 𝑦𝑘 𝑦𝑘 𝑦𝑙 ⊕ 𝑦𝑗 𝒚𝒋 𝒚𝒌 𝒚𝒍 𝑦𝑗 𝑦𝑘 𝑦𝑙 ⊕ 𝑦𝑗 𝑦𝑗 ⊕ 𝑦𝑘 𝑦𝑘 𝑦𝑙 ⊕ 𝑦𝑗 equivalent

Properties of matrix multiplication

matrix multiplication does NOT generally satisfy the commutative law.

Property

Let 𝑗, 𝑘, 𝑙, 𝑚 be integers and 𝑗 ≠ 𝑘 ≠ 𝑙 ≠ 𝑚, then we have

1 2 3 𝐹 𝑙 + 𝑚 𝐹 𝑗 + 𝑘 = 𝐹 𝑗 + 𝑘 𝐹(𝑙 + 𝑚) 𝐹 𝑗 + 𝑘 𝐹 𝑙 + 𝑘 = 𝐹 𝑙 + 𝑘 𝐹(𝑗 + 𝑘) 𝐹 𝑗 + 𝑘 𝐹 𝑗 + 𝑙 = 𝐹 𝑗 + 𝑙 𝐹(𝑗 + 𝑘) special cases

Example

𝑁 = 𝐹 3 + 2 𝐹 3 + 4 𝐹 3 + 1 𝐹(2 + 1) 𝑁 = 𝐹 3 + 4 𝐹 3 + 2 𝐹 3 + 1 𝐹(2 + 1)

commutative reduction (R1)

𝑁 = 𝐹 3 + 4 𝐹(2 + 1) 𝐹 3 + 2

cost = 3 cost = 4

Reduction algorithm

A given matrix decomposition 𝐹(𝑗1 + 𝑘1) ⋮ ⋮ 𝐹(𝑗𝑡 + 𝑘𝑡) ⋮ ⋮ 𝐹(𝑗𝑢 + 𝑘𝑢) Commutable with Commutable with Match a reduction rule Conditions Identify possible reduction Reduction =

Search algorithm

𝑁 decompose Pick a segment replace Reduce cost Equivalent decomposition

Applications

On Inverse Matrices

𝑁 = 𝐹1𝐹2 ⋯ 𝐹𝑜 𝑁−1 = 𝐹𝑜

−1𝐹𝑜−1 −1 ⋯ 𝐹1 −1

the cost of the inverse of 𝑁 = the cost of 𝑁 The inverse of AES MixColumns can ben implemented using 92 xor’s.