On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking

Transcription

1 On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara

2 Higher-Order Masking x = x 1 + x x d 2/28

3 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) 2/28

4 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) Non-linear operations: O(d 2 ) 2/28

5 Higher-Order Masking x = x 1 + x x d Linear operations: O(d) Non-linear operations: O(d 2 ) Challenge for blockciphers: S-boxes 2/28

6 Ishai-Sahai-Wagner Multiplication ( i a ) ( i i b ) i = i,j a i b j + fresh random Variant: CPRR evaluation for quadratic functions (Coron etal, FSE 2013) 3/28

7 The Polynomial Method Sbox seen as a (univariate) polynomial over GF (2 n ) Specific S-boxes, e.g. AES S(x) = Aff(x 254 ) Generic methods: CRV decomposition (CHES 2014): S(x) = t 1 i=0 g i(x) h i (x) + h t (x) Algebraic decomposition (CRYPTO 2015): S(x) = t 1 i=0 h i(g i (x)) + h t (x) 4/28

8 The Bitslice Method Sbox seen as boolean circuit 5/28

9 The Bitslice Method Sbox seen as boolean circuit x 1 x 2... x n X 1 X 2 X n CPU +... XOR CPU XOR +... CPU AND... 5/28

10 Bitslice for S-boxes Find a compact Boolean circuit at the S-box 16 S-box computed with one bitsliced computation Higher-Order Masking: XOR d XORs AND ISW-AND Minimizing the O(d 2 ) minimizing the number of ISW-AND 6/28

11 Polynomial vs Bitslice approach How Fast Can Higher-Order Masking Be in Software?, eprint 2016 clock cycles Bitslice AES Best Polynomial d clock cycles Bitslice PRESENT Best Polynomial d Motivation: bitslice for generic s-box evaluations 7/28

12 Multiplicative Complexity of Boolean Functions 8/28

13 Boolean functions Span: f 1, f 2..., f m = { m i=0 a i f i a i F 2 } M n = { x x u = x u 1 1 xu 2 2 xun n u {0, 1} n} is the set of monomials Algebraic Normal Form (ANF): f(x) = u {0,1} n a u x u, i.e. f M n S-box: S(x) = (f 1 (x), f 2 (x),..., f n (x)) 9/28

14 Multiplicative Complexity C(f): minimum number of multiplications to compute f 10/28

15 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) 10/28

16 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n 10/28

17 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n Method to find optimal solution for n 5: SAT-Solver 10/28

18 Multiplicative Complexity C(f): minimum number of multiplications to compute f C(f 1, f 2,..., f n ) C(M n ) = 2 n (n + 1) f M n, C(f) > 2 n 2 n Method to find optimal solution for n 5: SAT-Solver Constructive method [BPP00]: C(f) 2 n 2 +1 n /28

19 Our results Generalization of BPP for S-boxes: C(S) n2 n n 1 2 log n New method: generalization of CRV C(S) n2 n n 1 n BPP extended Our generic method (C n,n ) Our improved method (Cn,n) Table: Multiplicative complexities of n bits s-boxes. 11/28

20 New Generic Decomposition Method 12/28

21 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) 13/28

22 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) g i : random linear combinations from B = {φ j } j a i,j $ {0, 1} g i j a i,jφ j 13/28

23 Decomposition of a Single Boolean Function f(x) = t i=0 g i(x) h i (x) g i : random linear combinations from B = {φ j } j a i,j $ {0, 1} g i j a i,jφ j find c i,j s.t h i = j c i,jφ j solving a linear system: f(x) = i ( j a i,jφ j (x))( j c i,jφ j (x)), x 13/28

24 Decomposition of a Single Boolean Function f(x) = i ( j a i,jφ j (x))( j c i,jφ j (x)), x {e i } 2n i=1 = Fn 2 A 1 c 1 + A 2 c A t c t = (f(e 1 ), f(e 2 ),..., f(e 2 n)) A i = φ 1 (e 1 ) g i (e 1 ) φ 2 (e 1 ) g i (e 1 )... φ B (e 1 ) g i (e 1 ) φ 1 (e 2 ) g i (e 2 ) φ 2 (e 2 ) g i (e 2 )... φ B (e 2 ) g i (e 2 ) φ 1 (e 2 n) g i (e 2 n) φ 2 (e 2 n) g i (e 2 n)... φ B (e 2 n) g i (e 2 n) 14/28

25 Conditions (t + 1) B unknowns, 2 n equations: (t + 1) B 2 n Condition on the sum: t 2n B 1 Condition on the basis: B B has to span all Boolean functions 15/28

26 How to Construct the Basis B Start from B 0 such that B 0 B 0 = M n from B 0 to B: φ, ψ $ B B φ ψ 16/28

27 Costs r multiplications for B r = B n 1, B B 0 t multiplications for decomposition products t 2n B 1 Cost: r + t n (r, t) (2,3) (5,3) (9,5) (16,6) (25,9) (41,11) (59,17) C n,n /28

28 Decomposition of the S-box Sbox: x (f 1 (x), f 2 (x),..., f n (x)) Apply n Boolean decompositions on the f i s Costs: r + t n multiplications n (r, t) (4,1) (7,2) (13,3) (22,4) (37,5) (59,7) (90,10) C n,n Works for any S-boxes 18/28

29 S-box Dependent Improvements 19/28

30 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 20/28

31 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 20/28

32 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3 20/28

33 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3... B n = B n 1 {g n 1,i h n 1,i } Decompose f n = i g n,i h n,i with B n 1 20/28

34 Basis Update Improvements Start with B 1 B 0 Decompose f 1 = i g 1,i h 1,i with B 1 t 1 = 2n B 1 1 Set B 2 = B 1 {g 1,i h 1,i } Decompose f 2 = i g 2,i h 2,i with B 2 t 2 = 2n B 2 1 Set B 3 = B 2 {g 2,i h 2,i } Decompose f 3 = i g 3,i h 3,i with B 3... t 3 = 2n B 3 1 B n = B n 1 {g n 1,i h n 1,i } Decompose f n = i g n,i h n,i with B n 1 t n = 2n B 1 n Costs: r + t 1 + t t n 20/28

35 Rank Drop A 1 c 1 + A 2 c A t c t = (f(e 0 ), f(e 1 ),..., f(e 2 n)) System A c = b with rank(a) = 2 n δ works for 1 2 δ boolean functions Try O(2 δ ) systems Reduced parameter: (t + 1) B 2 n δ t 2n δ B 1 21/28

36 Results Sbox Serpent SC2000 S 5 SC2000 S 6 CLEFIA n Our generic method Our improved method Gain /28

37 Implementation 23/28

38 Parallelization 16 S-box 16-bit bitsliced registers But 32-bit architecture 2 16-bit ISW-AND 1 32-bits ISW-AND At the circuit level: grouping AND gates per pair 24/28

39 A circuit for AES with parallelizable AND gates t 2 = y 12 y 15 t 23 = t 19 y 21 t 34 = t 23 t 33 z 2 = t 33 x 7 t 3 = y 3 y 6 t 15 = y 8 y 10 t 35 = t 27 t 33 z 3 = t 43 y 16 t 5 = y 4 x 7 t 26 = t 21 t 23 t 42 = t 29 t 33 z 4 = t 40 y 1 t 7 = y 13 y 16 t 16 = t 15 t 12 z 14 = t 29 y 2 z 6 = t 42 y 11 t 8 = y 5 y 1 t 18 = t 6 t 16 t 36 = t 24 t 35 z 7 = t 45 y 17 t 10 = y 2 y 7 t 20 = t 11 t 16 t 37 = t 36 t 34 z 8 = t 41 y 10 t 12 = y 9 y 11 t 24 = t 20 y 18 t 38 = t 27 t 36 z 9 = t 44 y 12 t 13 = y 14 y 17 t 30 = t 23 t 24 t 39 = t 29 t 38 z 10 = t 37 y 3 t 4 = t 3 t 2 t 22 = t 18 y 19 z 5 = t 29 y 7 z 11 = t 33 y 4 t 6 = t 5 t 2 t 25 = t 21 t 22 t 44 = t 33 t 37 z 12 = t 43 y 13 t 9 = t 8 t 7 t 27 = t 24 t 26 t 40 = t 25 t 39 z 13 = t 40 y 5 t 11 = t 10 t 7 t 31 = t 22 t 26 t 41 = t 40 t 37 z 15 = t 42 y 9 t 14 = t 13 t 12 t 28 = t 25 t 27 t 43 = t 29 t 40 z 16 = t 45 y 14 t 17 = t 4 t 14 t 32 = t 31 t 30 t 45 = t 42 t t41 z 17 = t 41 y 8 t 19 = t 9 t 14 t 29 = t 28 t 22 z 0 = t 44 y 15 t 21 = t 17 y 20 t 33 = t 33 t 24 z 1 = t 37 y 6 25/28

40 Parallelization Parallelization level: k = architecture size nb of Sboxes Generic method: MC = r k + n t k Improved method: results for specific s-boxes 26/28

41 Performance Comparison in ARM clock cycles Our implementation CRV AD clock cycles Our implementation CRV AD d Figure: 16 Sboxes (n = 8), k = multiplications d Figure: 16 Sboxes (n = 4), k = multiplications. 27/28

42 Questions? 28/28