smashing the implementation records of
play

Smashing the Implementation Records of AES S-box Arash - PowerPoint PPT Presentation

Aug 02, 2023 •236 likes •824 views

Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa Ashmawy Western University London, Ontario, Canada CHES-2018 1 Outline Introduction. Proposed AES S-box Architecture. New

  1. Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa Ashmawy Western University London, Ontario, Canada CHES-2018 1

  2. Outline • Introduction. • Proposed AES S-box Architecture. • New Logic-Minimization Algorithms. • New GF((2 4 ) 2 ) Inversion. • New Exponentiation Stage. • New Representation of Subfield Inversion. • New Output Multipliers. • Comparisons and Concluding Remarks. 2

  3. Introduction First Introduction Standardizing of Rijndael Rijndael as the AES Rijmen & Daemen 1998 2001 2005 2010 2015 2016 2018 First Imp. using Tower Fields Satoh et al. 3

  4. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Tower Fields Satoh et al. 3

  5. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Reduce the depth Most efficient Target small delay Tower Fields of S-box to 16 gates S-box / high efficiency Satoh et al. Ueno et al. Boyar, Find and Peralta 3

  6. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Reduce the depth Most efficient Target small delay Tower Fields of S-box to 16 gates S-box / high efficiency Satoh et al. Ueno et al. Boyar, Find and Peralta In this paper, we propose: 1. The most compact S-box to date. 2. The most efficient S-box to date. 3

  7. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 4

  8. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. 4

  9. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  10. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The fastest original original Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  11. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The smallest The fastest The fastest original improved original improved Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  12. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The smallest The fastest The fastest original improved original improved Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library At the end, we compare only against the Improved Versions. Formulations of the improved designs are included in the paper. 4

  13. AES S-box • Original S-box Inversion g x M + h s GF(2 8 ) 5

  14. AES S-box • Original S-box Inversion g x M + h s GF(2 8 ) • Typical implementation using Composite Fields in Normal Basis Composite field Inversion () 2 X - 1 g X x M + h s 5

  15. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 6

  16. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 New Logic- New Logic- New, Improved New New New Minimization Minimization Representations Formulations Formulations Multipliers Algorithms Algorithms 6

  17. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 New Logic- New Logic- New, Improved New New New Minimization Minimization Representations Formulations Formulations Multipliers Algorithms Algorithms Everything optimized by-hand and by CAD tools at various abstraction levels (promote using NAND/NOR and compound gates ) 6

  18. Outline • Introduction, Motivation and Previous Work. • Proposed AES S-box Architecture. • New Logic-Minimization Algorithms. • New GF((2 4 ) 2 ) Inversion. • New Exponentiation Stage. • New Representation of Subfield Inversion. • New Output Multipliers. • Comparisons and Concluding Remarks. 7

  19. Logic-Minimization Algorithms T in • Implement isomorphic transformation Input Rep. in GF((2 4 ) 2 ) matrices using smallest number of gates. • NP-hard problem [BMP08]. g T in 12 12 shared terms 8

  20. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. 9

  21. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. • Heuristics (with cancellation): Normal-BP (Boyar and Peralta [BP10]) 9

  22. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. • Heuristics (with cancellation): 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

  23. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. Compute • Heuristics (with cancellation): 2 Dist 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

  24. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. Compute • Heuristics (with cancellation): 2 Dist 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 3 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
Recommendations for enhancing the implementation and utility of shared digital health records in

Recommendations for enhancing the implementation and utility of shared digital health records in

Recommendations for enhancing the implementation and utility of shared digital health records in rural Australian communities H. ALMOND a, , E. CUMMINGS b , P. TURNER a a School of Engineering & ICT, University of Tasmania b School of Health

309 views • 13 slides
Risk and Records at UTS Records Management Program > University Records, Governance Support

Risk and Records at UTS Records Management Program > University Records, Governance Support

THINK.CHANGE.DO Risk and Records at UTS Records Management Program > University Records, Governance Support Unit, Registrar, DVC (Corporate Services) 6 dedicated f/t positions > Devolved system 2 campuses (city campus over

325 views • 13 slides
Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary,

Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary,

Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary, Alberta February 21-24, 2006 Introduction What Makes RIM Programs Successful? Steps to Implementation How to Determine

315 views • 8 slides
AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis Framework for Good Recordkeeping Records are evidence of business Records system Records system Records Records characteristics

404 views • 21 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

RM1001 Records Custodian Training May 6, 2019 A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management important? 3. What is a Public Record? 4. What is Records Management? 5. Resources 2 1. Who is a

796 views • 33 slides
Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have Open Records Laws? Sunshine concept Examples of Records Transparent & Ethical Requests: Government Newspaper request for

281 views • 16 slides
Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match Piriyakorn Piriyatamwong and Caledonia Wilson University of Minnesota Twin Cities REU in Combinatorics Monday July 30, 2018 Introduction Consider

463 views • 45 slides
Books and Records 1 Overview Records to be maintained Other Information 2 These se

Books and Records 1 Overview Records to be maintained Other Information 2 These se

Guidelines on maintaining Books and Records 1 Overview Records to be maintained Other Information 2 These se gu guidelin elines es are propo posed sed to be enacted cted as a part of the Regu gulati tions ons for External

283 views • 10 slides
Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards

Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards

The People Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards I Prover (Peggy) Verifier (Vic) S Secret Decision d { true , false } A zero-knowledge protocol allows Peggy to Convince Vic that

414 views • 10 slides
Audit Risk Presented by: Eric Kline, CPA Quality Assurance & Technical Specialist Center

Audit Risk Presented by: Eric Kline, CPA Quality Assurance & Technical Specialist Center

Audit Risk Presented by: Eric Kline, CPA Quality Assurance & Technical Specialist Center for Audit Excellence August 6, 2015 Risk Assessment 2 Agenda Audit Risk Various Components of Audit Model Risk Ohio Auditor of

751 views • 28 slides
Unit4: Rotations, Angles & Dynamics Mike Chantler, 31/8/2008 P35 image from

Unit4: Rotations, Angles & Dynamics Mike Chantler, 31/8/2008 P35 image from

Slides: Unit 4: Rotations, Angles & Dynamics 3D Modelling & Animation Module F21MA Unit4: Rotations, Angles & Dynamics Mike Chantler, 31/8/2008 P35 image from http://www.military-aircraft.org.uk Unit contents Rotating an

675 views • 26 slides
CAME AME L Lab ab Emerging Non-Volatile Memory for SSDs 450 us Latency (reads) 150 us 25

CAME AME L Lab ab Emerging Non-Volatile Memory for SSDs 450 us Latency (reads) 150 us 25

ATC 2020 Fully Hardware Automated Open Research Framework for Future Fast NVMe Device Myoungsoo Jung Computer Architecture and Memory systems Laboratory Sponsored by CAME AME L Lab ab Emerging Non-Volatile Memory for SSDs 450 us

538 views • 49 slides
NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON:

NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON:

NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON: 1304.5529 WITH EUGENIO MEGAS OUTLINE ANOMALIES AND HYDRODYNAMICS STRONGLY COUPLED MODEL FLUID GRAVITY CORRESPONDENCE RESULTS SUMMARY, ACTUAL AND

382 views • 34 slides
Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang,

Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang,

Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang, Hanjun Kim, & David I. August The Liberty Research Group Princeton University Comparison: IMT, PMT, CMT IMT PMT CMT Core 1 Core 2 Core 1

670 views • 19 slides
Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as

Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as

Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as Expected Present Values Constant Discount Rate Case Real Stock Prices 1871-2013 Actual (Blue) and Ex-Post Rational (Red) Based on Shiller (Am.

540 views • 18 slides
A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th,

A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th,

A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th, 2014, Oxford in collaboration with Ben Withers (Southampton) Hasnt it occurred to you to suspect that behind that Mondrian could a Viera da Silva

816 views • 66 slides

More recommend