SLIDE 1
The Marvellous Universe of Arithmetization-Oriented Primitives
Abdelrahaman Aly, Tomer Ashur, Eli Ben-Sasson, Siemen Dhooghe, Alan Szepieniec
SLIDES 3-10
The Goal
◮ The goal is to design a hash function that:
  ◮ is secure;
  ◮ operates on field elements (e.g., no bit fiddling);
  ◮ minimizes the number of field multiplications.
◮ AES!
  ◮ is secure;
  ◮ natively operates on elements in GF(2^8);
  ◮ is well understood and heavily cryptanalyzed; but
  ◮ does not minimize the number of field multiplications.
SLIDES 11-12
AES as a Starting Point
◮ AES has 4 operations:
  ◮ S-box
  ◮ ShiftRows
  ◮ MixColumns
  ◮ AddRoundKey
◮ All the multiplications are inside the S-box
[Figure: (a) S-box (b) ShiftRows (c) MixColumns (d) AddRoundKey]
SLIDE 13
The S-box
◮ The S-box consists of two operations:
  ◮ Multiplicative inverse (11 multiplications) (see Damgård & Keller FC’10)
  ◮ Affine polynomial (7 multiplications)
SLIDES 14-16
Cost
◮ Multiplications per S-box: (11 + 7) = 18
◮ Multiplications per round: (11 + 7) · 16 = 288
◮ Multiplications per AES evaluation: (11 + 7) [S-box] · 16 [state] · 10 [rounds] = 2880
SLIDE 17
Observations
◮ Non-procedural computation
SLIDES 18-23
Non-Procedural Computation
◮ Verification, not computation
◮ Given (x1, y1), to verify that y1 = 1/x1 we can
  ◮ directly compute (x1)^254; or
  ◮ check if x1 · y1 = 1
◮ Don’t forget 0 → 0: x(1 − xy) = 0
◮ Cost of the multiplicative inverse: 11 → 2
SLIDES 24-25
Cost
◮ Multiplications per AES evaluation (old): (11 + 7) [S-box] · 16 [state] · 10 [rounds] = 2880
◮ Multiplications per AES evaluation (new): (2 + 7) [S-box] · 16 [state] · 10 [rounds] = 1440 (50% of AES-128)
SLIDES 26-30
The Affine Polynomial
◮ Polynomials of the form Σ_i c_i · x^(2^i) (linearized polynomials) are efficiently computable
◮ The inverse of a low-degree linearized polynomial is neither linearized nor low-degree
◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This
  ◮ requires many multiplications to compute directly; but
  ◮ requires only (2 + 2) = 4 multiplications to verify.
SLIDES 31-32
Cost
◮ Multiplications per AES evaluation (old): (2 + 7) [S-box] · 16 [state] · 10 [rounds] = 1440 (50% of AES-128)
◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) [S-box] · 16 [state] · 10 [rounds] = 960 (33% of AES-128)
SLIDE 33
Observations
◮ Non-determinism
◮ Cost of multiplication is independent of the field size
SLIDES 34-36
Reducing the State
◮ Instead of a 4 × 4 state of bytes, we now use a 1 × 1 state of 128-bit elements.
◮ No need for ShiftRows and MixColumns
◮ One S-box per round
SLIDES 37-38
Cost
◮ Multiplications per AES evaluation (old): (2 + (2 + 2)) [S-box] · 16 [state] · 10 [rounds] = 960 (33% of AES-128)
◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) [S-box] · 1 [state] · 10 [rounds] = 60 (2% of AES-128)
SLIDE 39
Setting the Number of Rounds
◮ The way to determine the proper number of rounds is to try all known attacks, see which one reaches the most rounds, add a safety margin, and voilà!
SLIDE 40
Observations
◮ Non-determinism
◮ Cost of multiplication is independent of the field size
◮ Increasing the field size kills statistical attacks (e.g., differential and linear cryptanalysis) faster
SLIDE 41
Jarvis
SLIDE 42
Alas
SLIDE 43
Vision
◮ An m × 1 state
◮ MDS matrix to mix the elements
◮ Alternate between a linearized polynomial of low degree and its inverse
◮ Particular attention to Gröbner basis attacks
SLIDE 44
Vision
SLIDE 45
Rescue
◮ Operates over prime fields
◮ Alternate between x^α (e.g., α = 3) and x^(1/α) (resp., cube root)
SLIDE 46
Rescue
SLIDE 47
Breaking News
SLIDE 48
Cleaning Roberto’s Mess
SLIDE 49