Count November 21st, 2017

Similar documents
The Invariant Set Attack 26th January 2017

Lightweight Multiplication in GF (2 n ) with Applications to MDS Matrices

Mixed-integer Programming based Differential and Linear Cryptanalysis

Lightweight MDS Generalized Circulant Matrices (Full Version)

Direct Construction of Lightweight Rotational-XOR MDS Diffusion Layers

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Direct construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Direct construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes

Hardware Design and Analysis of Block Cipher Components

observations on the simon block cipher family

Invariant Subspace Attack Against Full Midori64

Construction of Lightweight S-Boxes using Feistel and MISTY structures

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

A New Distinguisher on Grain v1 for 106 rounds

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Impossible Differential Cryptanalysis of Reduced-Round SKINNY

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism

Improved Multiple Impossible Differential Cryptanalysis of Midori128

STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Algebraic Analysis of the Simon Block Cipher Family

Affine equivalence in the AES round function

New attacks on RSA with Moduli N = p r q

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Collision-Attack on AES Combining Side Channel- and Differential-Attack

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes

Perfect Diffusion Primitives for Block Ciphers

Algebraic Techniques in Differential Cryptanalysis

Multiplicative Complexity Reductions in Cryptography and Cryptanalysis

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

A Brief Comparison of Simon and Simeck

LOOKING INSIDE AES AND BES

XOR-counts and lightweight multiplication with fixed elements in binary finite fields

Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes. Daniel Augot and Matthieu Finiasz

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

Enhancing the Signal to Noise Ratio

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

Highly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design

A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms

Zero-Sum Partitions of PHOTON Permutations

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Block Ciphers and Side Channel Protection

Differential Analysis of the LED Block Cipher

On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics

Revisit and Cryptanalysis of a CAST Cipher

Similarities between encryption and decryption: how far can we go?

Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach

A Fault Attack on the LED Block Cipher

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Nonlinear Invariant Attack

DIFFERENTIAL FAULT ANALYSIS ATTACK RESISTANT ARCHITECTURES FOR THE ADVANCED ENCRYPTION STANDARD *

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Impossible Differential Attacks on 13-Round CLEFIA-128

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

Weaknesses in the HAS-V Compression Function

Some approaches to construct MDS matrices over a finite field

Linear Cryptanalysis of Reduced-Round PRESENT

New Insights on AES-Like SPN Ciphers

Security of SM4 Against (Related-Key) Differential Cryptanalysis

Security of the AES with a Secret S-box

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

PARALLEL MULTIPLICATION IN F 2

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing

If a Generalised Butterfly is APN then it Operates on 6 Bits

On the invertibility of the XOR of rotations of a binary word

Towards Provable Security of Substitution-Permutation Encryption Networks

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis

Rebound Attack on Reduced-Round Versions of JH

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

On the Security of NOEKEON against Side Channel Cube Attacks

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

MILP-aided Cryptanalysis of Round Reduced ChaCha

Statistical Properties of the Square Map Modulo a Power of Two

Cryptanalysis of the Stream Cipher ABC v2

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

Matrix Power S-Box Construction

On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2)

Algebraic Side-Channel Collision Attacks on AES

Fast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures

Analysis of AES, SKINNY, and Others with Constraint Programming

Human-readable Proof of the Related-Key Security of AES-128

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Improved Linear Distinguishers for SNOW 2.0

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

Transcription:

RUHR-UNIVERSITÄT BOCHUM XOR Count November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer XOR Count November 21st, 2017 1

Overview Joint Work Its not me alone [Kra+17] 1 Thorsten Kranz, Gregor Leander, Ko Stoffelen, Friedrich Wiemer Outline 1 Motivation 2 Preliminaries 3 State of the Art and Related Work 4 Future Work 1 available on eprint: https://eprint.iacr.org/2017/1151 Friedrich Wiemer XOR Count November 21st, 2017 2

What is the XOR count, and why is it important? Some facts Lightweight Block Ciphers Efficient Linear Layers MDS matrices are optimal (regarding security) 2 2 Are they? Friedrich Wiemer XOR Count November 21st, 2017 3

What is the XOR count, and why is it important? Some facts Lightweight Block Ciphers Efficient Linear Layers MDS matrices are optimal (regarding security) 2 What is the lightest implementable MDS matrix? What about additional features (Involutory)? 2 Are they? Friedrich Wiemer XOR Count November 21st, 2017 3

What is the XOR count, and why is it important? Some facts Lightweight Block Ciphers Efficient Linear Layers MDS matrices are optimal (regarding security) 2 What is the lightest implementable MDS matrix? What about additional features (Involutory)? The XOR count Metric for needed hardware resources Smaller is better 2 Are they? Friedrich Wiemer XOR Count November 21st, 2017 3

What is an MDS matrix? Definition: MDS A matrix M of dimension k over the field F is maximum distance separable (MDS), iff all possible submatrices of M are invertible (or nonsingular). Friedrich Wiemer XOR Count November 21st, 2017 4

What is an MDS matrix? Definition: MDS A matrix M of dimension k over the field F is maximum distance separable (MDS), iff all possible submatrices of M are invertible (or nonsingular). Example The AES MIXCOLUMN matrix is defined over F 2 8 = F[x]/0x11b: 0x02 0x03 0x01 0x01 x x + 1 1 1 0x01 0x02 0x03 0x01 0x01 0x01 0x02 0x03 = 1 x x + 1 1 1 1 x x + 1 0x03 0x01 0x01 0x02 x + 1 1 1 x This is a (right) circulant matrix: circ(x, x + 1, 1, 1). Friedrich Wiemer XOR Count November 21st, 2017 4

What is an MDS matrix? Constructions Cauchy by construction MDS Vandermonde can be made involutory Circulant used in AES, GRØSTL, WHIRLPOOL, QARMA, MIDORI other Subfield used in WHIRLWIND Toeplitz Hadamard can be made involutory, used in ANUBIS, KHAZAD, JOLTIK Friedrich Wiemer XOR Count November 21st, 2017 5

What is an MDS matrix? Constructions Cauchy by construction MDS Vandermonde can be made involutory Circulant used in AES, GRØSTL, WHIRLPOOL, QARMA, MIDORI other Subfield used in WHIRLWIND Toeplitz Hadamard can be made involutory, used in ANUBIS, KHAZAD, JOLTIK Friedrich Wiemer XOR Count November 21st, 2017 5

What is an MDS matrix? Constructions Cauchy by construction MDS Vandermonde can be made involutory Circulant used in AES, GRØSTL, WHIRLPOOL, QARMA, MIDORI other Subfield used in WHIRLWIND Toeplitz Hadamard can be made involutory, used in ANUBIS, KHAZAD, JOLTIK Friedrich Wiemer XOR Count November 21st, 2017 5

What is an MDS matrix? Representations How to implement this in hardware? This is about hardware implementations How do we implement a field multiplication in hardware? How do we implement a matrix multiplication in hardware? Friedrich Wiemer XOR Count November 21st, 2017 6

What is an MDS matrix? Representations How to implement this in hardware? This is about hardware implementations How do we implement a field multiplication in hardware? How do we implement a matrix multiplication in hardware? Example α 1 β α x β α (x + 1) β Friedrich Wiemer XOR Count November 21st, 2017 6

What is an MDS matrix? Representations How to implement this in hardware? This is about hardware implementations How do we implement a field multiplication in hardware? How do we implement a matrix multiplication in hardware? Example α (x + 1) β α 1 β α x β α x β 1 Friedrich Wiemer XOR Count November 21st, 2017 6

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 Implement α 1 β OK, this one is easy Example in F 2 [x]/0x13: Friedrich Wiemer XOR Count November 21st, 2017 7

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 Implement α 1 β OK, this one is easy Example in F 2 [x]/0x13: α = α 0 + α 1 x + α 2 x 2 + α 3 x 3 β = β 0 + β 1 x + β 2 x 2 + β 3 x 3 = α 0 + α 1 x + α 2 x 2 + α 3 x 3 Friedrich Wiemer XOR Count November 21st, 2017 7

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 Implement α x β Example in F 2 [x]/0x13: Friedrich Wiemer XOR Count November 21st, 2017 7

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 Implement α x β Example in F 2 [x]/0x13: α = α 0 + α 1 x + α 2 x 2 + α 3 x 3 x 4 x + 1 mod 0x13 β = β 0 + β 1 x + β 2 x 2 + β 3 x 3 = x (α 0 + α 1 x + α 2 x 2 + α 3 x 3 ) α 3 + (α 0 + α 3 )x + α 1 x 2 + α 2 x 3 ) Friedrich Wiemer XOR Count November 21st, 2017 7

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 In matrix notation for F 2 [x]/0x13: ) β = 1 α β = x α ( β0 β 1 β 2 β 3 ( β0 β 1 β 2 β 3 ) = = ( 1 0 0 0 ) 0 1 0 0 0 0 1 0 0 0 0 1 ) ( 0 0 0 1 1 0 0 1 0 1 0 0 0 0 1 0 ( α0 α 1 α 2 α 3 ( α0 α 1 α 2 α 3 ) ) Friedrich Wiemer XOR Count November 21st, 2017 7

Field Multiplication in Hardware From F 2 [x]/p(x) to F n 2 In matrix notation for F 2 [x]/0x13: ) β = 1 α β = x α ( β0 β 1 β 2 β 3 ( β0 β 1 β 2 β 3 ) = = ( 1 0 0 0 ) 0 1 0 0 0 0 1 0 0 0 0 1 ) ( 0 0 0 1 1 0 0 1 0 1 0 0 0 0 1 0 ( α0 α 1 α 2 α 3 ( α0 α 1 α 2 α 3 ) ) Companion Matrix We call M p(x) = ( 0 0 0 1 1 0 0 1 0 1 0 0 0 0 1 0 ) the companion matrix of the polynomial p(x) = 0x13. For any element γ F 2 [x]/p(x), we denote by M γ the matrix that implements the multiplication by this element in F n 2. Friedrich Wiemer XOR Count November 21st, 2017 7

Counting XOR s Example We can rewrite the AES MIXCOLUMN matrix as: M AES = circ(x, x + 1, 1, 1) = circ(m x, M x+1, M 1, M 1 ). Starting in (F 2 [x]/0x11b) 4 4, we end up in ( F 2 8 8 ) 4 4 = F 32 32 2. Friedrich Wiemer XOR Count November 21st, 2017 8

Counting XOR s Example We can rewrite the AES MIXCOLUMN matrix as: M AES = circ(x, x + 1, 1, 1) = circ(m x, M x+1, M 1, M 1 ). Starting in (F 2 [x]/0x11b) 4 4, we end up in ( F 2 8 8 ) 4 4 = F 32 32 2. A first XOR-count To implement multiplication by γ, we need hw(m γ ) dim(m γ ) many XOR s. Thus XOR-count(M AES ) = 4 (hw(m x ) + hw(m x+1 ) + 2 hw(m 1 )) 32 = 4 (11 + 19 + 2 8) 32 = 152. Friedrich Wiemer XOR Count November 21st, 2017 8

The General Linear Group Generalise a bit Instead of choosing elements from F 2 n = F2 [x]/p(x) we can extend our possible choices for multiplication matrices by exploiting the following. Friedrich Wiemer XOR Count November 21st, 2017 9

The General Linear Group Generalise a bit Instead of choosing elements from F 2 n = F2 [x]/p(x) we can extend our possible choices for multiplication matrices by exploiting the following. Todo Maybe remove this? Friedrich Wiemer XOR Count November 21st, 2017 9

RUHR-UNIVERSITÄT BOCHUM The Stupidity of recent XOR Count Papers November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 1

State of the Art Before our Paper You saw how to count XORs This count is split in the overhead and the XORs needed for the field multiplication Thus for AES we get 56 + 8 3 4 = 56 + 96 = 152 Finding a good matrix reduces now to find the cheapest elements for field multiplication There is a lot of work followng this line [BKL16; JPS17; LS16; LW16; LW17; Sim+15; SS16a; SS16b; SS17; ZWS17] Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 2

State of the Art Best known Results 4 4 matrices over GL(8, F 2 ) Matrix Naive Literature AES (Circulant) 152 7+96 [Sim+15] (Subfield) 136 40+96 [LS16] (Circulant) 128 32+96 [LW16] 106 10+96 [BKL16] (Circulant) 136 24+96 [SS16b] (Toeplitz) 123 27+96 [JPS17] (Subfield) 122 20+96 Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 3

Related Work I Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 4

Related Work I Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 4

Related Work II Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 5

State of the Art Best known Results (After our Paper) 4 4 matrices over GL(8, F 2 ) Matrix Naive Literature AES (Circulant) 152 7+96 [Sim+15] (Subfield) 136 40+96 [LS16] (Circulant) 128 32+96 [LW16] 106 10+96 [BKL16] (Circulant) 136 24+96 [SS16b] (Toeplitz) 123 27+96 [JPS17] (Subfield) 122 20+96 Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 6

State of the Art Best known Results (After our Paper) 4 4 matrices over GL(8, F 2 ) Our Results [Kra+17] Matrix Naive Literature PAAR1 PAAR2 BP AES (Circulant) 152 7+96 108 108 97 [Sim+15] (Subfield) 136 40+96 100 98 100 [LS16] (Circulant) 128 32+96 116 116 112 [LW16] 106 10+96 102 102 102 [BKL16] (Circulant) 136 24+96 116 112 110 [SS16b] (Toeplitz) 123 27+96 110 108 107 [JPS17] (Subfield) 122 20+96 96 95 86 Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 6

State of the Art Finding better matrices? Type Previously Best Known XOR count GL(4, F 2 ) 4 4 58 [JPS17; SS16b] 36 GL(8, F 2 ) 4 4 106 [LW16] 72 (F 2 [x]/0x13) 8 8 392 [Sim+15] 196 GL(8, F 2 ) 8 8 640 [LS16] 392 (F 2 [x]/0x13) 4 4 * 63 [JPS17] 42 GL(8, F 2 ) 4 4 126 [JPS17] 84 (F 2 [x]/0x13) 8 8 424 [Sim+15] 212 GL(8, F 2 ) 8 8 663 [JPS17] 424 Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 7

Future Work; Questions? Thank you for your attention! Do your work! Apply global optimization techniques that are known for years! (But thanks for the easy paper ) Mainboard & Questionmark Images: flickr Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 8

References I [BKL16] [JPS17] [Kra+17] C. Beierle, T. Kranz, and G. Leander. Lightweight Multiplication in GF(2 n ) with Applications to MDS Matrices. In: CRYPTO 2016, Part I. Ed. by M. Robshaw and J. Katz. Vol. 9814. LNCS. Springer, Heidelberg, Aug. 2016, pp. 625 653. DOI: 10.1007/978-3-662-53018-4_23. J. Jean, T. Peyrin, and S. M. Sim. Optimizing Implementations of Lightweight Building Blocks. Cryptology eprint Archive, Report 2017/101. http://eprint.iacr.org/2017/101. 2017. T. Kranz, G. Leander, K. Stoffelen, and F. Wiemer. Shorter Linear Straight-Line Programs for MDS Matrices. In: IACR Trans. Symm. Cryptol. 2017.4 (2017). to appear. ISSN: 2519-173X. [LS16] M. Liu and S. M. Sim. Lightweight MDS Generalized Circulant Matrices. In: FSE 2016. Ed. by T. Peyrin. Vol. 9783. LNCS. Springer, Heidelberg, Mar. 2016, pp. 101 120. DOI: 10.1007/978-3-662-52993-5_6. [LW16] Y. Li and M. Wang. On the Construction of Lightweight Circulant Involutory MDS Matrices. In: FSE 2016. Ed. by T. Peyrin. Vol. 9783. LNCS. Springer, Heidelberg, Mar. 2016, pp. 121 139. DOI: 10.1007/978-3-662-52993-5_7. Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 9

References II [LW17] [Sim+15] [SS16a] [SS16b] [SS17] C. Li and Q. Wang. Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices. In: IACR Trans. Symm. Cryptol. 2017.1 (2017), pp. 129 155. ISSN: 2519-173X. DOI: 10.13154/tosc.v2017.i1.129-155. S. M. Sim, K. Khoo, F. E. Oggier, and T. Peyrin. Lightweight MDS Involution Matrices. In: FSE 2015. Ed. by G. Leander. Vol. 9054. LNCS. Springer, Heidelberg, Mar. 2015, pp. 471 493. DOI: 10.1007/978-3-662-48116-5_23. S. Sarkar and S. M. Sim. A Deeper Understanding of the XOR Count Distribution in the Context of Lightweight Cryptography. In: AFRICACRYPT 2016. Ed. by D. Pointcheval, A. Nitaj, and T. Rachidi. Vol. 9646. LNCS. Springer International Publishing, 2016, pp. 167 182. S. Sarkar and H. Syed. Lightweight Diffusion Layer: Importance of Toeplitz Matrices. In: IACR Trans. Symm. Cryptol. 2016.1 (2016). http://tosc.iacr.org/index.php/tosc/article/view/537, pp. 95 113. ISSN: 2519-173X. DOI: 10.13154/tosc.v2016.i1.95-113. S. Sarkar and H. Syed. Analysis of Toeplitz MDS Matrices. In: ACISP 17, Part II. Ed. by J. Pieprzyk and S. Suriadi. Vol. 10343. LNCS. Springer, Heidelberg, July 2017, pp. 3 18. Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 10

References III [ZWS17] L. Zhou, L. Wang, and Y. Sun. On the Construction of Lightweight Orthogonal MDS Matrices. Cryptology eprint Archive, Report 2017/371. http://eprint.iacr.org/2017/371. 2017. Friedrich Wiemer The Stupidity of recent XOR Count Papers November 21st, 2017 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback