usuba
play

Usuba High-Throughput and Constant-Time Ciphers, by Construction - PowerPoint PPT Presentation

Jan 10, 2024 •198 likes •1.02k views

Usuba High-Throughput and Constant-Time Ciphers, by Construction Pierre- Darius Mercadier Evariste Dagand LIP6 CNRS Inria Sorbonne Universit e June 24, 2019 1 / 15 Anatomy of a block cipher The Rectangle cipher Plaintext (64

  1. Usuba High-Throughput and Constant-Time Ciphers, by Construction Pierre-´ Darius Mercadier Evariste Dagand LIP6 – CNRS – Inria Sorbonne Universit´ e June 24, 2019 1 / 15

  2. Anatomy of a block cipher The Rectangle cipher Plaintext (64 bits) key ₀ (64 bits) SubColumn ShiftRows key ₁ (64 bits) SubColumn ShiftRows ... key ₂₄ (64 bits) SubColumn ShiftRows key ₂₅ (64 bits) Ciphertext (64 bits) 2 / 15

  3. Anatomy of a block cipher The Rectangle cipher Plaintext (64 bits) U SUBA key ₀ node Rectangle (plain:b64, (64 bits) key :b64[26]) SubColumn returns (cipher:b64) ShiftRows vars key ₁ round : b64[26] (64 bits) let SubColumn round[0] = plain; forall i in [0,24] { ShiftRows round[i+1] = ... ShiftRows( key ₂₄ SubColumn( (64 bits) round[i] ^ key[i] SubColumn ) ) ShiftRows } key ₂₅ (64 bits) cipher = round[25] ^ key[25] Ciphertext (64 bits) tel 2 / 15

  4. Anatomy of a block cipher Rectangle/ShiftRows void ShiftRows(bool a[64], bool b[64]) { b[0] = a[0]; b[1] = a[1]; b[2] = a[2]; b[3] = a[3]; b[4] = a[4]; b[5] = a[5]; ... b[59] = a[56]; b[60] = a[57]; b[61] = a[58]; b[62] = a[59]; b[63] = a[60]; } 3 / 15

  5. Anatomy of a block cipher Rectangle/ShiftRows node ShiftRows (input:u16x4) returns (out:u16x4) 3 / 15

  6. Anatomy of a block cipher Rectangle/ShiftRows node ShiftRows (input:u16x4) returns (out:u16x4) let out[0] = input[0]; tel 3 / 15

  7. Anatomy of a block cipher Rectangle/ShiftRows node ShiftRows (input:u16x4) returns (out:u16x4) let out[0] = input[0]; out[1] = input[1] <<< 1; tel 3 / 15

  8. Anatomy of a block cipher Rectangle/ShiftRows node ShiftRows (input:u16x4) returns (out:u16x4) let out[0] = input[0]; out[1] = input[1] <<< 1; out[2] = input[2] <<< 12; tel 3 / 15

  9. Anatomy of a block cipher Rectangle/ShiftRows node ShiftRows (input:u16x4) returns (out:u16x4) let out[0] = input[0]; out[1] = input[1] <<< 1; out[2] = input[2] <<< 12; out[3] = input[3] <<< 13 tel 3 / 15

  10. Anatomy of a block cipher Rectangle/SubColumn Caution: lookup tables are strictly forbidden ! 4 / 15

  11. Anatomy of a block cipher Rectangle/SubColumn a 0 b 0 a 1 b 1 a 2 b 2 a 3 b 3 4 / 15

  12. Anatomy of a block cipher Rectangle/SubColumn void SubColumn(bool *a0, bool *a1, bool *a2, bool *a3) { bool t1, t2, t3, t5, t6, t8, t9, t11; bool a0_ = *a0; bool a1_ = *a1; t1 = ~*a1; t2 = *a0 & t1; t3 = *a2 ^ *a3; *a0 = t2 ^ t3; t5 = *a3 | t1; t6 = a0_ ^ t5; *a1 = *a2 ^ t6; t8 = a1_ ^ *a2; t9 = t3 & t6; *a3 = t8 ^ t9; t11 = *a0 | t8; *a2 = t6 ^ t11; } 4 / 15

  13. Anatomy of a block cipher Rectangle/SubColumn table SubColumn (a:v4) returns (b:v4) { 6, 5, 12, 10, 1, 14, 7, 9, 11, 0, 3, 13, 8, 15, 4, 2 } 4 / 15

  14. Anatomy of a block cipher Rectangle, our way node ShiftRows (input:u16x4) node Rectangle (plain:u16x4, returns (out:u16x4) key :u16x4[26]) vars returns (cipher:u16x4) let vars out[0] = input[0]; round : u16x4[26] out[1] = input[1] <<< 1; let out[2] = input[2] <<< 12; round[0] = plain; out[3] = input[3] <<< 13 forall i in [0,24] { tel round[i+1] = ShiftRows( SubColumn( round[i] ^ key[i] ) table SubColumn (input:v4) ) returns (out:v4) { } 6, 5, 12, 10, 1, 14, 7, 9, cipher = round[25] ^ key[25] 11, 0, 3, 13, 8, 15, 4, 2 tel } 5 / 15

  15. Man vs. Machine 7 6 5 cycles/byte 4 3 2 1 0 Naïve Usuba SSE (128-bit) 6 / 15

  16. Man vs. Machine 7 6 5 cycles/byte 4 3 2 1 0 Naïve Hand-tuned Usuba SSE (128-bit) 6 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 -strongly compact cardinals and cardinal functions in topology Toshimichi Usuba Waseda

1 -strongly compact cardinals and cardinal functions in topology Toshimichi Usuba Waseda

1 -strongly compact cardinals and cardinal functions in topology Toshimichi Usuba Waseda University Nov. 19, 2018 Reflections on Set Theoretic reflection, Sant Bernat T. Usuba (Waseda Univ.) 1 -strongly compact Nov.19, 2018 1 / 27

821 views • 54 slides
Set-theoretic geology with large cardinals Toshimichi Usuba ( ) Kobe University

Set-theoretic geology with large cardinals Toshimichi Usuba ( ) Kobe University

Set-theoretic geology with large cardinals Toshimichi Usuba ( ) Kobe University September 11, 2015 Computability Theory and Foundations of Mathematics 2015 Tokyo Institute of Technology 1 / 19 Definability of the ground model

486 views • 34 slides
Partial Stationary Reflection Principles Toshimichi Usuba ( ) Nagoya University

Partial Stationary Reflection Principles Toshimichi Usuba ( ) Nagoya University

Partial Stationary Reflection Principles Toshimichi Usuba ( ) Nagoya University RIMS Set Theory Workshop 2012 Forcing extensions and large cardinals RIMS Kyoto Univ. December 5, 2012 Stationary reflection : infinite cardinal

498 views • 21 slides
Lindel of spaces and large cardinals Toshimichi Usuba ( ) Waseda University July

Lindel of spaces and large cardinals Toshimichi Usuba ( ) Waseda University July

Lindel of spaces and large cardinals Toshimichi Usuba ( ) Waseda University July 26, 2016 TOPOSYM 2016 1 / 30 Abstract: We are going to show some connections between large cardinals and Lindel of spaces with small

814 views • 58 slides
Weak Reflection Principle Definition 1. X : non-empty set. S [ X ] is stationary

Weak Reflection Principle Definition 1. X : non-empty set. S [ X ] is stationary

Reflection principles on [ ] Toshimichi Usuba Nagoya University Oct. 26, 2010 RIMS Set Theory Workshop 2010, Kyoto Weak Reflection Principle Definition 1. X : non-empty set. S [ X ] is stationary (in [ X ] ) For

768 views • 39 slides
Announcements You shouldve received an email from the mailing list with a link to course

Announcements You shouldve received an email from the mailing list with a link to course

CS 642: Computer Security and Privacy Cryptography [Intro] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Franzi Roesner Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly

692 views • 26 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -&gt; C enciphering functions D: C x K

446 views • 40 slides
RES212 Example of Exam 25/6/2018 Firstname LASTNAME Cycle/ID QCM No. 0 Instructions :

RES212 Example of Exam 25/6/2018 Firstname LASTNAME Cycle/ID QCM No. 0 Instructions :

RES212 Example of Exam 25/6/2018 Firstname LASTNAME Cycle/ID QCM No. 0 Instructions : You must return ALL paper sheets : any non-complete copy will have a 0/20 score. Do not forget to fill your personal details above This exam

148 views • 4 slides
Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time

Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time

Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP) (Phew!) Eric Rescorla David McGrew Eric Rescorla IETF 67 1 Overview SDP signals Im willing to do DTLS (and

93 views • 8 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
Cryptography and Network Security Bhaskaran Raman Department of CSE, IIT Kanpur Reference:

Cryptography and Network Security Bhaskaran Raman Department of CSE, IIT Kanpur Reference:

Cryptography and Network Security Bhaskaran Raman Department of CSE, IIT Kanpur Reference: Whitfield Diffie and Martin E. Hellman, Privacy and Authentication: An Introduction to Cryptography, in Proc. IEEE, vol. 67, no.3, pp. 397 - 427,

360 views • 17 slides
Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and

Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and

Starting chapter 3 Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and related ideas l Strings are basically sequences of characters l A string literal is enclosed in quotes ( '' or in Python):

292 views • 12 slides
Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS

Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS

Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS REMINDER 2: Security Services in X.800 Authentication 1. Pear entity authentication Data origin authentication Access Control 2.

618 views • 13 slides
Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI Kolkata November 18, 2018 Introduction Types of Circuits: Brief background. Block cipher circuits: Round based vs Serial. Eg: Working example

489 views • 44 slides
Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre-

Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre-

Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre- Evariste Dagand Joint work with Darius Mercadier Based on an original idea from Xavier Leroy LIP6 CNRS Inria Sorbonne Universit e 1 / 31

775 views • 76 slides
On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1

On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1

On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61 Outline 1 Origins 2 The sponge construction 3 Inside

1.12k views • 71 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
Public key encryp4on: defini4ons and security Dan Boneh

Public key encryp4on: defini4ons and security Dan Boneh

Online Cryptography Course

999 views • 55 slides
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor

CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor

740 views • 45 slides
Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides

More recommend