the marvellous universe of arithmetization oriented
play

The Marvellous Universe of Arithmetization-Oriented Primitives - PowerPoint PPT Presentation

Oct 23, 2022 •180 likes •690 views

The Marvellous Universe of Arithmetization-Oriented Primitives Abdelrahaman Aly, Tomer Ashur , Eli Ben-Sasson, Siemen Dhooghe, Alan Szepieniec The Goal The goal is to design a hash function that: The Goal The goal is to design a hash

  1. The Marvellous Universe of Arithmetization-Oriented Primitives Abdelrahaman Aly, Tomer Ashur , Eli Ben-Sasson, Siemen Dhooghe, Alan Szepieniec

  2. The Goal ◮ The goal is to design a hash function that:

  3. The Goal ◮ The goal is to design a hash function that: ◮ is secure;

  4. The Goal ◮ The goal is to design a hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling);

  5. The Goal ◮ The goal is to design a hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  6. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  7. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  8. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  9. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit ◮ well understood and fiddling); ◮ minimizes the number heavily cryptanaylzed; of field multiplications. but

  10. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit ◮ well understood and fiddling); ◮ minimizes the number heavily cryptanaylzed; of field multiplications. but ◮ does not minimize the number of field multiplications.

  11. AES as a Starting Point ◮ AES has 4 operations: ◮ S-box ◮ ShiftRows ◮ MixColumns (a) S-box (b) ShiftRows ◮ AddRoundKey (c) (d) MixColumns AddRoundKey

  12. AES as a Starting Point ◮ AES has 4 operations: ◮ S-box ◮ ShiftRows ◮ MixColumns (a) S-box (b) ShiftRows ◮ AddRoundKey ◮ All the multiplications are inside the S-box (c) (d) MixColumns AddRoundKey

  13. The S-box ◮ The S-box consists of two operations: ◮ Multiplicative inverse (11 multiplications) (see Damg˚ ard & Keller FC’10) ◮ Affine polynomial (7 multiplications)

  14. Cost ◮ Multiplications per S-box: (11 + 7) = 18

  15. Cost ◮ Multiplications per S-box: (11 + 7) = 18 ◮ Multiplications per round: (11 + 7) · 16 = 288

  16. Cost ◮ Multiplications per S-box: (11 + 7) = 18 ◮ Multiplications per round: (11 + 7) · 16 = 288 ◮ Multiplications per AES evaluation: (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box

  17. Observations ◮ Non-procedural computation

  18. Non-Procedural Computation ◮ Verification, not computation

  19. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can

  20. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or

  21. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1

  22. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1 ◮ Don’t forget 0 → 0: x (1 − xy ) = 0

  23. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1 ◮ Don’t forget 0 → 0: x (1 − xy ) = 0 ◮ Cost of the multiplicative inverse 11 2

  24. Cost ◮ Multiplications per AES evaluation (old): (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box

  25. Cost ◮ Multiplications per AES evaluation (old): (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box

  26. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable

  27. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree

  28. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This

  29. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This ◮ Requires many multiplications to compute directly; but

  30. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This ◮ Requires many multiplications to compute directly; but ◮ requires only (2 + 2) = 4 a few multiplications to verify.

  31. Cost ◮ Multiplications per AES evaluation (old): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box

  32. Cost ◮ Multiplications per AES evaluation (old): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box

  33. Observations ◮ Non-determinism ◮ Cost of multiplication is independent of the field size

  34. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements.

  35. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements. ◮ No need for ShiftRows and MixColumns

  36. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements. ◮ No need for ShiftRows and MixColumns ◮ One S-box per round

  37. Cost ◮ Multiplications per AES evaluation (old): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box

  38. Cost ◮ Multiplications per AES evaluation (old): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) 1 10 = 60 (2% of AES-128) · · ���� ���� � �� � state rounds S-box

  39. Setting the Number of Rounds ◮ The way to determine the proper number of rounds is to try all known attacks, see which one reaches most rounds, add a safety margin, and viola!

  40. Observations ◮ Non-determinism ◮ Cost of multiplication is independent of the field size ◮ Increasing the field size kills statistical attacks (e.g., differential and linear cryptanalysis) faster

  41. Jarvis

  42. Alas

  43. Vision ◮ An m × 1 state ◮ MDS matrix to mix the elements ◮ Alternate between a linearized polynomial of low degree and its inverse ◮ Particular attention to Gr¨ obner basis attacks

  44. Vision

  45. Rescue ◮ Operates over prime fields ◮ Alternate between x α (e.g., α = 3) and x 1 a (resp., cubic root)

  46. Rescue

  47. Breaking News

  48. Cleaning Roberto’s Mess

  49. The Team

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer AGENDA Introduction & motivation Bloom filters Tuning Hashing Related applications of PDSs TRAFFIC SURVEILLANCE For every traffic camera in

920 views • 44 slides
Star A large, glowing ball of gas that generates heat and light through nuclear fusion Planet

Star A large, glowing ball of gas that generates heat and light through nuclear fusion Planet

Chapter 1 1.1 A Modern View of the Our Place in the Universe Universe Our goals for learning: What is our place in the universe? How did we come to be? How can we know what the universe was like in the past? Can we see the

118 views • 8 slides
Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin

Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin

S C I E N C E P A S S I O N T E C H N O L O G Y Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin Albrecht Carlos Cid Lorenzo Grassi Dmitry Khovratovich Reinhard Lfenegger

895 views • 61 slides
Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner

Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner

Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner in Santorini Marv rvel ellou ous Wedding was created to meet all your special needs to make this day absolut lutely ely unique ue and

314 views • 19 slides
REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already begun #12 IBC Eindhoven, 26 April 2020 Its not fair! HOW LONG? Revelation 6:10 + Psalm 13 + many others! REVELATION 15:1 Another great and

146 views • 10 slides
BIG BANG: beginning of Time Early times in the Universe were really Hot Stuff!! If the

BIG BANG: beginning of Time Early times in the Universe were really Hot Stuff!! If the

ASTR 1120 OUR Universe: General Astronomy: Accelerating Universe REVIEW Stars & Galaxies Dark Energy is causing the FINAL: Saturday, Dec 12th, 7:30pm, HERE expansion of ALTERNATE FINAL : Monday, Dec 7th, 5:30pm the universe

599 views • 10 slides
The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced Sustainability Studies Potsdam, Germany A tribute to Milla Baldo Ceolin Milla Baldo Ceolin, la signora dei neutrini MILLA.Nov2012 Slide# : 2 The high

761 views • 43 slides
Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets |

Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets |

Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets | Lesson 6 Ai Aim I can explain that magnets attract some materials. Succe Success Cri Criteri ria I can identify materials that are

366 views • 12 slides
Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology:

Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology:

Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology: Past, Present, Future Schedule: Today: Current Physics - The Universe March ( parts of Ch. 12 , 20) Big Bang Report/Essay Due Today Next

313 views • 7 slides
9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe

9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe

9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe and Solar System What is a galaxy? A system of stars, star systems (like our solar system), dust, and any other objects within range of the star

819 views • 26 slides
The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary Particle Physics 1 Cosmology Study of the universe at the largest scale How big is the universe? Where did the universe come from?

577 views • 38 slides
+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe

+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe

+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe started with a Big Bang What is our Universe made of? Particle physics aims to understand Elementary (fundamental) particles

683 views • 45 slides
The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything,

The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything,

The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything, Harmony Books, 1982. WELCOME TO THE ELM STREET DAILY MIRROR 42

520 views • 9 slides
Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem

Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem

First-order Predicate Logic Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem form is the set of all terms that can be constructed using the function symbols in F . In the special case that F

539 views • 15 slides
The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht Leiden Observation of the early universe (WMAP) Abel1689 Stephen's quintuplet The universe is multi-physics The universe is multi-scale Jungle

578 views • 44 slides
Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual

Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual

Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual concrete Achievements A collaborative and transmedia Project driven by a Non-for-Profit Association A dedicated creative Team The Hoshikaze

937 views • 69 slides
Semantic relatedness and cross-lingual passage retrieval Eneko Agirre 1 , Olatz Ansa 1 , Xabier

Semantic relatedness and cross-lingual passage retrieval Eneko Agirre 1 , Olatz Ansa 1 , Xabier

ResPubliQA - QA@CLEF 2009 Semantic relatedness and cross-lingual passage retrieval Eneko Agirre 1 , Olatz Ansa 1 , Xabier Arregi 1 , Maddalen Lopez de Lacalle 2 , Arantxa Otegi 1 , Xabier Saralegi 2 , Hugo Zaragoza 3 1 IXA NLP Group, University of

413 views • 20 slides
Martingales and the Method of Bounded Differences Advanced Algorithms Nanjing University, Fall

Martingales and the Method of Bounded Differences Advanced Algorithms Nanjing University, Fall

Martingales and the Method of Bounded Differences Advanced Algorithms Nanjing University, Fall 2018 (Some) Concentration Inequalities Question: probability that X deviates more than from expectation? (Some) Concentration Inequalities

2.13k views • 171 slides
A generalization of Quantum Relative Entropy Luiza H.F. Andrade 1 Rui F. Vigelis 2 Charles C.

A generalization of Quantum Relative Entropy Luiza H.F. Andrade 1 Rui F. Vigelis 2 Charles C.

Introduction Generalized Relative Entropy Conclusion A generalization of Quantum Relative Entropy Luiza H.F. Andrade 1 Rui F. Vigelis 2 Charles C. Cavalcante 3 1 Department of Natural Science, Mathematics and Statistics Federal Rural University

412 views • 19 slides
Generalized Cauchy determinant and Schur Pfaffian, and Their Applications Soichi OKADA (Nagoya

Generalized Cauchy determinant and Schur Pfaffian, and Their Applications Soichi OKADA (Nagoya

Generalized Cauchy determinant and Schur Pfaffian, and Their Applications Soichi OKADA (Nagoya University) Lattice Models: Exact Methods and Combinatorics Firenze, May 21, 2015 Cauchy determinants 1 i<j n ( x j x i ) (

689 views • 53 slides
Module 12, part 4 The End Develop Your Data Mindset Communicate findings of goal evaluation

Module 12, part 4 The End Develop Your Data Mindset Communicate findings of goal evaluation

Module 12, part 4 The End Develop Your Data Mindset Communicate findings of goal evaluation analysis to appropriate stakeholders Make decisions based on goal evaluation analysis findings S.6.B. Explanation: Explains different data

931 views • 35 slides
BEHAVE Working Group IETF 87 Berlin July 2013 Chairs: Dave Thaler, dthaler@microsoft.com

BEHAVE Working Group IETF 87 Berlin July 2013 Chairs: Dave Thaler, dthaler@microsoft.com

BEHAVE Working Group IETF 87 Berlin July 2013 Chairs: Dave Thaler, dthaler@microsoft.com Dan Wing, dwing@cisco.com 1 Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF

98 views • 7 slides
The Square Kilometre Array Radio Telescope Project : An Overview Yashwant Gupta NCRA-TIFR

The Square Kilometre Array Radio Telescope Project : An Overview Yashwant Gupta NCRA-TIFR

The Square Kilometre Array Radio Telescope Project : An Overview Yashwant Gupta NCRA-TIFR Science with the SKA IISER Mohali 19th March Background : what is the SKA ? The SKA is the most

654 views • 17 slides
Hardware Acceleration of Pulsar Search on FPGAs using OpenCL Oliver Sinnen Haomiao Wang &

Hardware Acceleration of Pulsar Search on FPGAs using OpenCL Oliver Sinnen Haomiao Wang &

Overview and Task FT Convolution Decomposition High-level Techniques and Implementation Evaluation Whats Next Hardware Acceleration of Pulsar Search on FPGAs using OpenCL Oliver Sinnen Haomiao Wang & Prabu Thiagaraj (Manchester Uni)

603 views • 33 slides

More recommend