On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
|
|
- Darlene Cross
- 5 years ago
- Views:
Transcription
1 On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara
2 Higher-Order Masking x = x 1 + x x d 2/28
3 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) 2/28
4 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) Non-linear operations: O(d 2 ) 2/28
5 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) Non-linear operations: O(d 2 ) Challenge for blockciphers: S-boxes 2/28
6 Ishai-Sahai-Wagner Multiplication ( i a ) ( i i b ) i = i,j a i b j + fresh random Variant: CPRR evaluation for quadratic functions (Coron etal, FSE 2013) 3/28
7 The Polynomial Method Sbox seen as a (univariate) polynomial over GF (2 n ) Specific S-boxes, e.g. AES S(x) = Aff(x 254 ) Generic methods: CRV decomposition (CHES 2014): S(x) = t 1 i=0 g i(x) h i (x) + h t (x) Algebraic decomposition (CRYPTO 2015): S(x) = t 1 i=0 h i(g i (x)) + h t (x) 4/28
8 The Bitslice Method Sbox seen as boolean circuit 5/28
9 The Bitslice Method Sbox seen as boolean circuit x 1 x 2... x n X 1 X 2 X n CPU +... XOR CPU XOR +... CPU AND... 5/28
10 Bitslice for S-boxes Find a compact Boolean circuit at the S-box 16 S-box computed with one bitsliced computation Higher-Order Masking: XOR d XORs AND ISW-AND Minimizing the O(d 2 ) minimizing the number of ISW-AND 6/28
11 Polynomial vs Bitslice approach How Fast Can Higher-Order Masking Be in Software?, eprint 2016 clock cycles Bitslice AES Best Polynomial d clock cycles Bitslice PRESENT Best Polynomial d Motivation: bitslice for generic s-box evaluations 7/28
12 Multiplicative Complexity of Boolean Functions 8/28
13 Boolean functions Span: f 1, f 2..., f m = { m i=0 a i f i a i F 2 } M n = { x x u = x u 1 1 xu 2 2 xun n u {0, 1} n} is the set of monomials Algebraic Normal Form (ANF): f(x) = u {0,1} n a u x u, i.e. f M n S-box: S(x) = (f 1 (x), f 2 (x),..., f n (x)) 9/28
14 Multiplicative Complexity C(f): minimum number of multiplications to compute f 10/28
15 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) 10/28
16 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n 10/28
17 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n Method to find optimal solution for n 5: SAT-Solver 10/28
18 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n Method to find optimal solution for n 5: SAT-Solver Constructive method [BPP00]: C(f) 2 n 2 +1 n /28
19 Our results Generalization of BPP for S-boxes: C(S) n2 n n 1 2 log n New method: generalization of CRV C(S) n2 n n 1 n BPP extended Our generic method (C n,n ) Our improved method (Cn,n) Table: Multiplicative complexities of n bits s-boxes. 11/28
20 New Generic Decomposition Method 12/28
21 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) 13/28
22 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) g i : random linear combinations from B = {φ j } j a i,j $ {0, 1} g i j a i,jφ j 13/28
23 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) g i : random linear combinations from B = {φ j } j a i,j $ {0, 1} g i j a i,jφ j find c i,j s.t h i = j c i,jφ j solving a linear system: f(x) = i ( j a i,jφ j (x))( j c i,jφ j (x)), x 13/28
24 Decomposition of a Single Boolean Function f(x) = i ( j a i,jφ j (x))( j c i,jφ j (x)), x {e i } 2n i=1 = Fn 2 A 1 c 1 + A 2 c A t c t = (f(e 1 ), f(e 2 ),..., f(e 2 n)) A i = φ 1 (e 1 ) g i (e 1 ) φ 2 (e 1 ) g i (e 1 )... φ B (e 1 ) g i (e 1 ) φ 1 (e 2 ) g i (e 2 ) φ 2 (e 2 ) g i (e 2 )... φ B (e 2 ) g i (e 2 ) φ 1 (e 2 n) g i (e 2 n) φ 2 (e 2 n) g i (e 2 n)... φ B (e 2 n) g i (e 2 n) 14/28
25 Conditions (t + 1) B unknowns, 2 n equations: (t + 1) B 2 n Condition on the sum: t 2n B 1 Condition on the basis: B B has to span all Boolean functions 15/28
26 How to Construct the Basis B Start from B 0 such that B 0 B 0 = M n from B 0 to B: φ, ψ $ B B φ ψ 16/28
27 Costs r multiplications for B r = B n 1, B B 0 t multiplications for decomposition products t 2n B 1 Cost: r + t n (r, t) (2,3) (5,3) (9,5) (16,6) (25,9) (41,11) (59,17) C n,n /28
28 Decomposition of the S-box Sbox: x (f 1 (x), f 2 (x),..., f n (x)) Apply n Boolean decompositions on the f i s Costs: r + t n multiplications n (r, t) (4,1) (7,2) (13,3) (22,4) (37,5) (59,7) (90,10) C n,n Works for any S-boxes 18/28
29 S-box Dependent Improvements 19/28
30 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 20/28
31 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 20/28
32 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3 20/28
33 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3... B n = B n 1 {g n 1,i h n 1,i } Decompose f n = i g n,i h n,i with B n 1 20/28
34 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 t 1 = 2n B 1 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 t 2 = 2n B 2 1 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3... t 3 = 2n B 3 1 B n = B n 1 {g n 1,i h n 1,i } Decompose f n = i g n,i h n,i with B n 1 t n = 2n B 1 n Costs: r + t 1 + t t n 20/28
35 Rank Drop A 1 c 1 + A 2 c A t c t = (f(e 0 ), f(e 1 ),..., f(e 2 n)) System A c = b with rank(a) = 2 n δ works for 1 2 δ boolean functions Try O(2 δ ) systems Reduced parameter: (t + 1) B 2 n δ t 2n δ B 1 21/28
36 Results Sbox Serpent SC2000 S 5 SC2000 S 6 CLEFIA n Our generic method Our improved method Gain /28
37 Implementation 23/28
38 Parallelization 16 S-box 16-bit bitsliced registers But 32-bit architecture 2 16-bit ISW-AND 1 32-bits ISW-AND At the circuit level: grouping AND gates per pair 24/28
39 A circuit for AES with parallelizable AND gates t 2 = y 12 y 15 t 23 = t 19 y 21 t 34 = t 23 t 33 z 2 = t 33 x 7 t 3 = y 3 y 6 t 15 = y 8 y 10 t 35 = t 27 t 33 z 3 = t 43 y 16 t 5 = y 4 x 7 t 26 = t 21 t 23 t 42 = t 29 t 33 z 4 = t 40 y 1 t 7 = y 13 y 16 t 16 = t 15 t 12 z 14 = t 29 y 2 z 6 = t 42 y 11 t 8 = y 5 y 1 t 18 = t 6 t 16 t 36 = t 24 t 35 z 7 = t 45 y 17 t 10 = y 2 y 7 t 20 = t 11 t 16 t 37 = t 36 t 34 z 8 = t 41 y 10 t 12 = y 9 y 11 t 24 = t 20 y 18 t 38 = t 27 t 36 z 9 = t 44 y 12 t 13 = y 14 y 17 t 30 = t 23 t 24 t 39 = t 29 t 38 z 10 = t 37 y 3 t 4 = t 3 t 2 t 22 = t 18 y 19 z 5 = t 29 y 7 z 11 = t 33 y 4 t 6 = t 5 t 2 t 25 = t 21 t 22 t 44 = t 33 t 37 z 12 = t 43 y 13 t 9 = t 8 t 7 t 27 = t 24 t 26 t 40 = t 25 t 39 z 13 = t 40 y 5 t 11 = t 10 t 7 t 31 = t 22 t 26 t 41 = t 40 t 37 z 15 = t 42 y 9 t 14 = t 13 t 12 t 28 = t 25 t 27 t 43 = t 29 t 40 z 16 = t 45 y 14 t 17 = t 4 t 14 t 32 = t 31 t 30 t 45 = t 42 t t41 z 17 = t 41 y 8 t 19 = t 9 t 14 t 29 = t 28 t 22 z 0 = t 44 y 15 t 21 = t 17 y 20 t 33 = t 33 t 24 z 1 = t 37 y 6 25/28
40 Parallelization Parallelization level: k = architecture size nb of Sboxes Generic method: MC = r k + n t k Improved method: results for specific s-boxes 26/28
41 Performance Comparison in ARM clock cycles Our implementation CRV AD clock cycles Our implementation CRV AD d Figure: 16 Sboxes (n = 8), k = multiplications d Figure: 16 Sboxes (n = 4), k = multiplications. 27/28
42 Questions? 28/28
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi 1,2 and Matthieu Rivain 1 1 CryptoExperts, Paris, France 2 ENS, CNRS, INRIA and PSL Research University,
More informationHow Fast Can Higher-Order Masking Be in Software?
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi 1,2 and Matthieu Rivain 1 1 CryptoExperts, Paris, France 2 ENS, CNRS, INRIA and PSL Research University, Paris, France dahmun.goudarzi@cryptoexperts.com
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationFormal Verification of Masked Implementations
Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationGeneralized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi 1,2, Matthieu Rivain 1, Damien Vergnaud 2, and Srinivas Vivek 3 1 CryptoExperts, Paris,
More informationFormal Verification of Side-channel Countermeasures via Elementary Circuit Transformations
Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations Jean-Sébastien Coron University of Luxembourg jean-sebastiencoron@unilu April 9, 2018 Abstract We describe a technique
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationMASKING is the most widely deployed countermeasure
1 Corrections to Further Improving Efficiency of Higher-Order Masking Schemes by Decreasing Randomness Complexity Shuang Qiu, Rui Zhang, Yongbin Zhou, Wei Cheng Abstract Provably secure masking schemes
More informationMultiplicative Complexity Gate Complexity Cryptography and Cryptanalysis
Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis Nicolas T. Courtois 1,2, Daniel Hulme 1,2, Theodosis Mourouzis 1 1 University College London, UK 2 NP-Complete Ltd, UK Two Interesting
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationRevisiting a Masked Lookup-Table Compression Scheme
Revisiting a Masked Lookup-Table Compression Scheme Srinivas Vivek University of Bristol, UK sv.venkatesh@bristol.ac.uk Abstract. Lookup-table based side-channel countermeasure is the prime choice for
More informationFaster Evaluation of S-Boxes via Common Shares
Faster Evaluation of S-Boxes via Common Shares J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun F.Rondepierre CHES 2016 CHES 2016 1 S-Box Evaluation AES By definition: S AES (x) = A x 254 + b F 2 8[x] CHES
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationConsolidating Masking Schemes
Consolidating Masking Schemes Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, and Ingrid Verbauwhede firstname.lastname@esat.kuleuven.be KU Leuven ESAT/COSIC and iminds, Belgium Abstract.
More informationMultiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis THEODOSIS MOUROUZIS SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015 1 Presentation Overview Linearity
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationPARALLEL MULTIPLICATION IN F 2
PARALLEL MULTIPLICATION IN F 2 n USING CONDENSED MATRIX REPRESENTATION Christophe Negre Équipe DALI, LP2A, Université de Perpignan avenue P Alduy, 66 000 Perpignan, France christophenegre@univ-perpfr Keywords:
More informationSeveral Masked Implementations of the Boyar-Peralta AES S-Box
Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in
More informationConsolidating Inner Product Masking
Consolidating Inner Product Masking Josep Balasch 1, Sebastian Faust 2,3, Benedikt Gierlichs 1, Clara Paglialonga 2,3, François-Xavier Standaert 4 1 imec-cosic KU euven, Belgium 2 Ruhr-Universität Bochum,
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationFormal Verification of Masked Hardware Implementations in the Presence of Glitches
Formal Verification of Masked Hardware Implementations in the Presence of Glitches Roderick Bloem, Hannes Gross, Rinat Iusupov, Bettina Könighofer, Stefan Mangard, and Johannes Winter Institute for Applied
More informationDirect Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes. Daniel Augot and Matthieu Finiasz
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and Matthieu Finiasz Context Diffusion layers in a block cipher/spn should: obviously, offer good diffusion,
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationQuantum Computer Simulation Using CUDA (Quantum Fourier Transform Algorithm)
Quantum Computer Simulation Using CUDA (Quantum Fourier Transform Algorithm) Alexander Smith & Khashayar Khavari Department of Electrical and Computer Engineering University of Toronto April 15, 2009 Alexander
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationSubquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach
Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationQuantum Simulation. 9 December Scott Crawford Justin Bonnar
Quantum Simulation 9 December 2008 Scott Crawford Justin Bonnar Quantum Simulation Studies the efficient classical simulation of quantum circuits Understanding what is (and is not) efficiently simulable
More informationIntro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic
Intro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah kalla@ece.utah.edu http://www.ece.utah.edu/~kalla
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationRevisiting Finite Field Multiplication Using Dickson Bases
Revisiting Finite Field Multiplication Using Dickson Bases Bijan Ansari and M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo, Ontario, Canada {bansari,
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationOptimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications
Optimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications Dušan Božilov 1,2, Miroslav Knežević 1 and Ventzislav Nikov 1 1 NXP Semiconductors,
More information20.1 2SAT. CS125 Lecture 20 Fall 2016
CS125 Lecture 20 Fall 2016 20.1 2SAT We show yet another possible way to solve the 2SAT problem. Recall that the input to 2SAT is a logical expression that is the conunction (AND) of a set of clauses,
More informationCryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences
Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,
More informationImplementing GCM on ARMv8
Introduction........ Implementation....... Results.... Conclusion Implementing GCM on ARMv8 Conrado P. L. Gouvêa Julio López KRYPTUS Information Security Solutions University of Campinas CT-RSA 2015 Conrado
More informationAn Improved Affine Equivalence Algorithm for Random Permutations
An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,
More informationCS151 Complexity Theory
Introduction CS151 Complexity Theory Lecture 5 April 13, 2004 Power from an unexpected source? we know PEXP, which implies no polytime algorithm for Succinct CVAL poly-size Boolean circuits for Succinct
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts
More informationFinding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms
Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms Vladimir Bayev Abstract. Low degree annihilators for Boolean functions are of great interest in cryptology because of
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationFault Tolerance & Reliability CDA Chapter 2 Cyclic Polynomial Codes
Fault Tolerance & Reliability CDA 5140 Chapter 2 Cyclic Polynomial Codes - cylic code: special type of parity check code such that every cyclic shift of codeword is a codeword - for example, if (c n-1,
More informationOn Reverse-Engineering S-boxes with Hidden Design Criteria or Structure
On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure Alex Biryukov, Léo Perrin {alex.biryukov,leo.perrin}@uni.lu University of Luxembourg January 13, 2015 1 / 42 Introduction Skipjack
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More informationHorizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme
Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme Alberto Battistello 1, Jean-Sébastien Coron 2, Emmanuel Prouff 3, and Rina Zeitoun 1 1 Oberthur Technologies, France {a.battistello,r.zeitoun}@oberthur.com
More information8.1 Polynomial Threshold Functions
CS 395T Computational Learning Theory Lecture 8: September 22, 2008 Lecturer: Adam Klivans Scribe: John Wright 8.1 Polynomial Threshold Functions In the previous lecture, we proved that any function over
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationL9: Galois Fields. Reading material
L9: Galois Fields Reading material Muzio & Wesselkamper Multiple-valued switching theory, p. 3-5, - 4 Sasao, Switching theory for logic synthesis, pp. 43-44 p. 2 - Advanced Logic Design L9 - Elena Dubrova
More informationCRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n
CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n S. M. DEHNAVI, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA Abstract. The operation of modular addition modulo a power
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationMasking AES with d + 1 Shares in Hardware
Masking AES with d + 1 Shares in Hardware Thomas De Cnudde 1, Oscar Reparaz 1, Begül Bilgin 1, Svetla Nikova 1, Ventzislav Nikov 2 and Vincent Rijmen 1 1 KU Leuven, ESAT-COSIC and iminds, Belgium {name.surname}@esat.kuleuven.be
More informationAlgebraic Methods. Motivation: Systems like this: v 1 v 2 v 3 v 4 = 1 v 1 v 2 v 3 v 4 = 0 v 2 v 4 = 0
Motivation: Systems like this: v v 2 v 3 v 4 = v v 2 v 3 v 4 = 0 v 2 v 4 = 0 are very difficult for CNF SAT solvers although they can be solved using simple algebraic manipulations Let c 0, c,...,c 2 n
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationPolynomial Evaluation and Side Channel Analysis
Polynomial Evaluation and Side Channel Analysis Claude Carlet, Emmanuel Prouff To cite this version: Claude Carlet, Emmanuel Prouff. Polynomial Evaluation and Side Channel Analysis. The New Codebreakers,
More informationLecture 2: From Classical to Quantum Model of Computation
CS 880: Quantum Information Processing 9/7/10 Lecture : From Classical to Quantum Model of Computation Instructor: Dieter van Melkebeek Scribe: Tyson Williams Last class we introduced two models for deterministic
More informationImproved upper bounds for the expected circuit complexity of dense systems of linear equations over GF(2)
Improved upper bounds for expected circuit complexity of dense systems of linear equations over GF(2) Andrea Visconti 1, Chiara V. Schiavo 1, and René Peralta 2 1 Department of Computer Science, Università
More informationMultiplicative complexity in block cipher design and analysis
Multiplicative complexity in block cipher design and analysis Pavol Zajac Institute of Computer Science and Mathematics Slovak University of Technology pavol.zajac@stuba.sk Fewer Multiplications in Cryptography
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationDirect construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes
Direct construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes Cauchois Victor 1 Loidreau Pierre 1 Merkiche Nabil 23 1 DGA-MI / IRMAR 2 DGA-IP 3 Sorbonnes Université, UPMC, LIP6
More informationOutline. policies for the first part. with some potential answers... MCS 260 Lecture 10.0 Introduction to Computer Science Jan Verschelde, 9 July 2014
Outline 1 midterm exam on Friday 11 July 2014 policies for the first part 2 questions with some potential answers... MCS 260 Lecture 10.0 Introduction to Computer Science Jan Verschelde, 9 July 2014 Intro
More informationAnother view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More informationTHRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES
THRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES B.Bilgin, S.Nikova, V.Nikov, V.Rijmen, G.Stütz KU Leuven, UTwente, NXP, TU Graz CHES 2012 - Leuven, Belgium 2012-09-10 Countermeasures Search for a
More informationNotes for Lecture 3... x 4
Stanford University CS254: Computational Complexity Notes 3 Luca Trevisan January 14, 2014 Notes for Lecture 3 In this lecture we introduce the computational model of boolean circuits and prove that polynomial
More informationEfficient Masked S-Boxes Processing A Step Forward
Efficient Masked S-Boxes Processing A Step Forward Vincent Grosso 1, Emmanuel Prouff 2, François-Xavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 ANSSI, 51 Bd
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationGF(2 m ) arithmetic: summary
GF(2 m ) arithmetic: summary EE 387, Notes 18, Handout #32 Addition/subtraction: bitwise XOR (m gates/ops) Multiplication: bit serial (shift and add) bit parallel (combinational) subfield representation
More informationSharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking
Sharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking Roderick Bloem, Hannes Gross, Rinat Iusupov, Martin Krenn, and Stefan Mangard Institute for Applied Information
More informationChanging of the Guards: a simple and efficient method for achieving uniformity in threshold sharing
Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing Joan Daemen 1,2 1 Radboud University 2 STMicroelectronics Abstract. Since they were first proposed as
More informationInner Product Masking Revisited
Inner Product Masking Revisited Josep Balasch 1, Sebastian Faust 2, and Benedikt Gierlichs 1 1 KU Leuven Dept. Electrical Engineering-ESAT/COSIC and iminds Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More information2. Linear algebra. matrices and vectors. linear equations. range and nullspace of matrices. function of vectors, gradient and Hessian
FE661 - Statistical Methods for Financial Engineering 2. Linear algebra Jitkomut Songsiri matrices and vectors linear equations range and nullspace of matrices function of vectors, gradient and Hessian
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationSearching for Nonlinear Feedback Shift Registers with Parallel Computing
Searching for Nonlinear Feedback Shift Registers with Parallel Computing Przemysław Dąbrowski, Grzegorz Łabuzek, Tomasz Rachwalik, Janusz Szmidt Military Communication Institute ul. Warszawska 22A, 05-130
More informationLinear Feedback Shift Registers
Linear Feedback Shift Registers Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as
More informationBLOCK ciphers are widely used in the field of information
Construction of High Quality Key-dependent S-boxes Tianyong Ao, Jinli Rao, Kui Dai, and Xuecheng Zou Abstract High quality key-dependent S-boxes can break the preconditions of many cryptanalysis technologies,
More informationHow to Evaluate Side-Channel Leakages
How to Evaluate Side-Channel Leakages 7. June 2017 Ruhr-Universität Bochum Acknowledgment Tobias Schneider 2 Motivation Security Evaluation Attack based Testing Information theoretic Testing Testing based
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationB. Cyclic Codes. Primitive polynomials are the generator polynomials of cyclic codes.
B. Cyclic Codes A cyclic code is a linear block code with the further property that a shift of a codeword results in another codeword. These are based on polynomials whose elements are coefficients from
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationCSL361 Problem set 4: Basic linear algebra
CSL361 Problem set 4: Basic linear algebra February 21, 2017 [Note:] If the numerical matrix computations turn out to be tedious, you may use the function rref in Matlab. 1 Row-reduced echelon matrices
More informationImproved Linear Cryptanalysis of SOSEMANUK
Improved Linear Cryptanalysis of SOSEMANUK Joo Yeon Cho and Miia Hermelin Helsinki University of Technology, Department of Information and Computer Science, P.O. Box 5400, FI-02015 TKK, Finland {joo.cho,miia.hermelin}@tkk.fi
More informationAlgebraic Attacks on Stream Ciphers with Linear Feedback
Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationFault Analysis of the KATAN Family of Block Ciphers
Fault Analysis of the KATAN Family of Block Ciphers Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Centre for Computer and Information Security Research,
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationInner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages
Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages Weijia Wang 1, François-Xavier Standaert 2, Yu Yu 1,3, Sihang Pu 1, Junrong Liu 1, Zheng Guo 1, and Dawu
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationLinear Algebra, 4th day, Thursday 7/1/04 REU Info:
Linear Algebra, 4th day, Thursday 7/1/04 REU 004. Info http//people.cs.uchicago.edu/laci/reu04. Instructor Laszlo Babai Scribe Nick Gurski 1 Linear maps We shall study the notion of maps between vector
More informationSoftware Engineering 2DA4. Slides 8: Multiplexors and More
Software Engineering 2DA4 Slides 8: Multiplexors and More Dr. Ryan Leduc Department of Computing and Software McMaster University Material based on S. Brown and Z. Vranesic, Fundamentals of Digital Logic
More information