putting wings on sphincs
play

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April - PowerPoint PPT Presentation

Jun 01, 2023 •141 likes •692 views

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical University of Denmark, Cybercrypt SPHINCS SPHINCS Hash-based signature scheme Stateless 128-bit post-quantum security Sizes: Public

  1. Putting wings on SPHINCS PQCRYPTO Conference Stefan K¨ olbl April 10th, 2018 Technical University of Denmark, Cybercrypt

  2. SPHINCS SPHINCS • Hash-based signature scheme • Stateless • 128-bit post-quantum security • Sizes: • Public Key: 1KB • Secret Key: 1KB • Signature: 41KB https://sphincs.cr.yp.to/ 1

  3. How to instantiate SPHINCS? 1

  4. SPHINCS Main components: • One-time Signature (WOTS) • Few-time Signature (HORST) • Merkle-Tree 2

  5. SPHINCS Level 1 . . . Level 2 32x Level 12 HORST Message 3

  6. SPHINCS pk OTS sign . . . . . . . . . pk pk pk pk OTS sign 4

  7. SPHINCS What is computed? • Many calls to a hash function... • ...but using short input only. f f f f 5

  8. SPHINCS For one signature • ≈ 450.000 times F • ≈ 90.000 times H { 0 , 1 } 512 { 0 , 1 } 256 H { 0 , 1 } 256 { 0 , 1 } 256 F 6

  9. Cryptographic Hash Functions Which hash function could we use? • Standards • SHA256 • SHA-3 • ChaCha12 permutation • Keccak • Haraka • Simpira 7

  10. Cryptographic Hash Functions SHA-2 (FIPS PUB 180-4) • 512-bit Message Blocks • Padding... M 1 M 2 M n h 1 h n +1 f f f IV 8

  11. Cryptographic Hash Functions SHA3-256 (FIPS PUB 202) • 1600-bit Permutation • 1088-bit Message Blocks h M 0 M 1 M 2 h 0 h 1 r 0 π π π π π c 0 9

  12. Cryptographic Hash Functions Other Keccak variants: • Use 800-bit permutation? • Use less rounds (Kangaroo12 1 ). • Best preimage attack on 4 rounds 2 . 0 see https://eprint.iacr.org/2016/770 0 Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak, Asiacrypt 2016 10

  13. Cryptographic Hash Functions ChaCha12 • Suggested in SPHINCS paper. • Use ChaCha12 permutation in sponge. • Great software performance with vectorization. 11

  14. Cryptographic Hash Functions Haraka: A short-input hash function 3 • Permutation based on AES rounds. • SPN construction. • 256- and 512-bit permutation. trunc x H ( x ) π 3 https://eprint.iacr.org/2016/098 12

  15. Cryptographic Hash Functions Simpira 4 • Permutation based on AES rounds. • Feistel construction. • 256- and 512-bit permutation. trunc x H ( x ) π 4 https://eprint.iacr.org/2016/122 13

  16. Microarchitectures SPHINCS not well suited for small devices 5 • Signature size larger than RAM for some devices. • Computational costs for signing high... • ... but verification is cheap. Focus on highend platforms: • Intel Haswell/Skylake, AMD Ryzen • ARM Cortex A57/A72 5 see https://eprint.iacr.org/2015/1042 14

  17. Microarchitectures How to get a fast implementation? • Vectorization (AVX2, NEON, AVX-512) • Hardware Support (AES, SHA-2, SHA-3) • Utilize pipeline 15

  18. Microarchitectures Vector Instructions X 7 X 6 X 5 X 4 X 3 X 2 X 1 X 0 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ Y 7 Y 6 Y 5 Y 4 Y 3 Y 2 Y 1 Y 0 = = = = = = = = Z 7 Z 6 Z 5 Z 4 Z 3 Z 2 Z 1 Z 0 • Apply same operation on all elements of the vector. • Use independet inputs. 16

  19. Microarchitectures Pipelining • Latency • Inverse Throughput Cycles aesenc aesenc aesenc L aesenc 17

  20. Microarchitectures Pipelining • Latency • Inverse Throughput Cycles aesenc aesenc aesenc aesenc aesenc aesenc T − 1 aesenc 17

  21. Microarchitectures Pipelining • Latency • Inverse Throughput Cycles aesenc aesenc aesenc aesenc aesenc aesenc aesenc aesenc aesenc T − 1 aesenc 17

  22. Platforms Performance varies a lot depending on the platform Latency inv. Throughput Platform Instruction Skylake vectorized XOR 1 0.33 Ryzen vectorized XOR 1 0.5 Cortex A57 vectorized XOR 3 2 18

  23. Implementations How to implement those functions efficiently? • SHA-2 • Keccak[ b = 800] • ChaCha12 • Haraka • Simpira 19

  24. Implementations How to implement those functions efficiently? • SHA-2 • 32-bit word oriented • Vectorize • Hardware Support • Keccak[ b = 800] • ChaCha12 • Haraka • Simpira 19

  25. Implementations How to implement those functions efficiently? • SHA-2 • Keccak[ b = 800] • 32-bit word oriented • Vectorize • ChaCha12 • Haraka • Simpira 19

  26. Implementations How to implement those functions efficiently? • SHA-2 • Keccak[ b = 800] • ChaCha12 • 32-bit word oriented • Vectorize • Haraka • Simpira 19

  27. Implementations How to implement those functions efficiently? • SHA-2 • Keccak[ b = 800] • ChaCha12 • Haraka • AES + permute • Simpira 19

  28. Implementations How to implement those functions efficiently? • SHA-2 • Keccak[ b = 800] • ChaCha12 • Haraka • Simpira • AES 19

  29. Tour de SPHINCS 19

  30. Tour de SPHINCS Intel Skylake • AVX2 (256-bit vector) • AES-NI 20

  31. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 • AVX2 (256-bit vector) Haraka • AES-NI Keccak SHA-256 Simpira 20

  32. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 • AVX2 (256-bit vector) Haraka • AES-NI Keccak SHA-256 142.06 Simpira 20

  33. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 • AVX2 (256-bit vector) Haraka • AES-NI Keccak 108.62 SHA-256 142.06 Simpira 20

  34. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 43.49 • AVX2 (256-bit vector) Haraka • AES-NI Keccak 108.62 SHA-256 142.06 Simpira 20

  35. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 43.49 • AVX2 (256-bit vector) Haraka • AES-NI Keccak 108.62 SHA-256 142.06 Simpira 28.40 20

  36. Tour de SPHINCS Signing (million cycles) Design Skylake Intel Skylake ChaCha12 43.49 • AVX2 (256-bit vector) Haraka 20.78 • AES-NI Keccak 108.62 SHA-256 142.06 Simpira 28.40 20

  37. Tour de SPHINCS AMD Ryzen • AVX2 (256-bit vector) • AES-NI (2 ports) • SHA256 instructions 21

  38. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 • AES-NI (2 ports) Haraka Keccak • SHA256 instructions SHA-256 Simpira 21

  39. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 • AES-NI (2 ports) Haraka Keccak 189.98 • SHA256 instructions SHA-256 Simpira 21

  40. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 63.42 • AES-NI (2 ports) Haraka Keccak 189.98 • SHA256 instructions SHA-256 Simpira 21

  41. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 63.42 • AES-NI (2 ports) Haraka Keccak 189.98 • SHA256 instructions SHA-256 53.33 Simpira 21

  42. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 63.42 • AES-NI (2 ports) Haraka Keccak 189.98 • SHA256 instructions SHA-256 53.33 Simpira 20.43 21

  43. Tour de SPHINCS Signing (million cycles) AMD Ryzen Design Ryzen • AVX2 (256-bit vector) ChaCha12 63.42 • AES-NI (2 ports) Haraka 15.54 Keccak 189.98 • SHA256 instructions SHA-256 53.33 Simpira 20.43 21

  44. Tour de SPHINCS ARM Cortex A57 • NEON (128-bit vector) • AES • SHA256 support 22

  45. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 • AES Haraka Keccak • SHA256 support SHA-256 Simpira 22

  46. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 • AES Haraka Keccak 376.90 • SHA256 support SHA-256 Simpira 22

  47. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 193.51 • AES Haraka Keccak 376.90 • SHA256 support SHA-256 Simpira 22

  48. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 193.51 • AES Haraka Keccak 376.90 • SHA256 support SHA-256 92.08 Simpira 22

  49. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 193.51 • AES Haraka Keccak 376.90 • SHA256 support SHA-256 92.08 Simpira 63.48 22

  50. Tour de SPHINCS Signing (million cycles) ARM Cortex A57 Design Cortex A57 • NEON (128-bit vector) ChaCha12 193.51 • AES Haraka 47.10 Keccak 376.90 • SHA256 support SHA-256 92.08 Simpira 63.48 22

  51. Formula SPHINCS Hash Performance for F 20 16.71 ChaCha 18 Haraka 16 Keccak Cycles per Byte 14 SHA256 12 Simpira 10 6.94 7.3 5.52 8 4.11 3.91 6 2.73 2.44 1.85 1.71 4 1.08 0.94 0.63 0.39 0.49 2 0 Skylake Ryzen Cortex-A57 23

  52. Formula SPHINCS Hash Performance for H 11 8.68 ChaCha 10 Haraka 7.15 9 Keccak Cycles per Byte 8 SHA256 7 Simpira 6 3.55 5 2.73 2.58 2.20 4 1.82 1.71 1.44 1.51 1.13 3 0.94 0.72 0.48 0.49 2 1 0 Skylake Ryzen Cortex-A57 24

  53. NIST PQ Competition Two variants of SPHINCS in NIST PQ competition: • Gravity-SPHINCS • Results directly apply. • Already uses Haraka. • SPHINCS+ • Tweakable Hash. • Needs to process slightly larger inputs. 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wings Demo Walkthrough For a brief overview of Wings, see

Wings Demo Walkthrough For a brief overview of Wings, see

Wings Demo Walkthrough For a brief overview of Wings, see http://www.isi.edu/~gil/slides/WingsTour-8-08.pdf Last Update: August 22, 2008 1 Summary of Wings Demonstration Wings can: Express high-level reusable workflow templates

794 views • 36 slides
SMILES ON WINGS SMILES ON WINGS NEW BEGINNINGS D I N I N G F O R W O M E N - D E C E M B E R

SMILES ON WINGS SMILES ON WINGS NEW BEGINNINGS D I N I N G F O R W O M E N - D E C E M B E R

SMILES ON WINGS SMILES ON WINGS NEW BEGINNINGS D I N I N G F O R W O M E N - D E C E M B E R 2 0 1 3 HISTORY SMILES ON WINGS Oct October 2003 ber 2003 SOW was founded by Dr. Usa Bunnag, a native Thai dentist living and practicing

199 views • 15 slides
Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume

Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume

Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 11 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Introduction: SPHINCS Hash-based signatures

725 views • 35 slides
Characteris/cs of finite wings Flow around the wing @p

Characteris/cs of finite wings Flow around the wing @p

Finite wings Introduc)on to Aeronau)cal Engineering Ir. Nando Timmer Franck Cabrol - CC - BY - SA 3.0 Characteris/cs of finite wings Flow

292 views • 13 slides
A Very Old Man with Enormous Wings Bellwork 2/15/2018 -Read A Very Old Man with Enormous

A Very Old Man with Enormous Wings Bellwork 2/15/2018 -Read A Very Old Man with Enormous

A Very Old Man with Enormous Wings Bellwork 2/15/2018 -Read A Very Old Man with Enormous Wings by Gabriel Garcia Marquez Page 406 to 409 Alata will be here soon... Journal Entry: - What kinds of things have you experienced in your

591 views • 29 slides
What are the 4Cs? About WINGS Global Mandate Network of almost 90 grantmaker associations and

What are the 4Cs? About WINGS Global Mandate Network of almost 90 grantmaker associations and

Assessing the Value of Philanthropy Infrastructure: What are the 4Cs? About WINGS Global Mandate Network of almost 90 grantmaker associations and philanthropic support organisations in more than 30 countries. Together WINGS members and

313 views • 14 slides
A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem)

A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem)

A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem) Diego Aranha (our network expert) ANNOUNCEMENT After SPHINCS and SPHINCS-Haraka we are introducing a third variant of this

482 views • 4 slides
Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang

Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang 1) , Joo Il Yoon 2) and Han Gyu Joo 1)* Seoul National University,

272 views • 4 slides
SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr

SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr

IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr Technik, Rapperswil, Switzerland 2 Securosys SA, Zrich, Switzerland CHES 2018 12.09.2018

525 views • 28 slides
WINGS-SSA Collaboration Sally Balch Hurme, JD National Guardianship Association Board of

WINGS-SSA Collaboration Sally Balch Hurme, JD National Guardianship Association Board of

WINGS-SSA Collaboration Sally Balch Hurme, JD National Guardianship Association Board of Directors Working Interdisciplinary Networks of WINGS Guardianship Stakeholders Ongoing Court-initiated Problem-solving

337 views • 12 slides
these wings must be inclined to the relative wind. The inclination of the body and wings is

these wings must be inclined to the relative wind. The inclination of the body and wings is

MISSILE DYNAMICS presented by 6- by 6-Foot Supersonic Wind-Tunnel In our demonstration today, we are going to try to explain certain difficult aspects of missile research with which we are concerned, not only here, but in various other sections

275 views • 8 slides
Feature The 'Plight of the Monarch' and Wings of Change by Sandy Lindsay April 21, 2016

Feature The 'Plight of the Monarch' and Wings of Change by Sandy Lindsay April 21, 2016

(continued) Feature The 'Plight of the Monarch' and Wings of Change by Sandy Lindsay April 21, 2016 www.saugeentimes.com To Comment on this article Click Here Monarch message at Southampton Library attracts interested group 'Wings of Change'

429 views • 3 slides
SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas Hlsing Tanja Lange Ruben Niederhagen Louiza Papachristodoulou Michael Schneider Peter Schwabe Zooko Wilcox-OHearn 28 April 2015 Hash-based

586 views • 33 slides
SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H ulsing Tanja Lange Ruben Niederhagen Louiza Papachristodoulou Michael Schneider Peter Schwabe Zooko Wilcox-OHearn 2 April 2015 Traditional hash-based

288 views • 10 slides
Wings & Waves Interna.onal Cargo LLC OUR MISSION: Keep Our Customers Happy By Offering Service

Wings & Waves Interna.onal Cargo LLC OUR MISSION: Keep Our Customers Happy By Offering Service

Wings & Waves Interna.onal Cargo LLC OUR MISSION: Keep Our Customers Happy By Offering Service Beyond Expecta;ons! OUR VISION: Be the world leader in complete logis;cs solu;ons INTRODUCTION: Wings and Waves is supported by well experienced

203 views • 9 slides
Wings for Pegasus: A Semantic Approach for Creating Very Large Scientific Workflows Yolanda Gil

Wings for Pegasus: A Semantic Approach for Creating Very Large Scientific Workflows Yolanda Gil

Powered by Powered by Wings for Pegasus: A Semantic Approach for Creating Very Large Scientific Workflows Yolanda Gil Jihie Kim Varun Ratnakar Ewa Deelman USC Information Sciences Institute www.isi.edu/ikcap/wings pegasus.isi.edu

505 views • 28 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope operable, ble, plug-and plug and-play play, , distributed r distributed robotic obotic sys systems tems-of of-sys systems tems Robert Skilton

382 views • 19 slides
Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David Houngninou Southern Methodist University Table of content 1. Target device: MCBSTM32C 2. References 3. GPIO ports: registers and pins 4. Interfacing

585 views • 31 slides
A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center

A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center

A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center for Cognitive Neuroscience, Dartmouth College Center for Mind/Brain Sciences (CIMeC), University of Trento Supported by NSF CRCNS German-US

542 views • 25 slides
Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

890 views • 87 slides
Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial line (PAL) Quantitative assessment Neural canal width (NCW) Basion-axial interval (BAI) Basion Defined for our purposes as the most

334 views • 11 slides
Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural Networks Fully-connected layers im2col+GEMM algorithm for convolution 1x1 convolutional layers Android CPU Landscape Overview of CPU

449 views • 17 slides
uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1 , Byoungyoung Lee 1,2 , Yeongpil Cho 3 , Yunheung Paek 1 1 Seoul National University, 2 Purdue University, 3 Soongsil University, 4 Electronics and

875 views • 24 slides

More recommend