Constructing Low-latency Involutory MDS Matrices with Lightweight - PowerPoint PPT Presentation

Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits. Shun Li, Siwei Sun, Chaoyun Li, Zihao Wei, Lei Hu. FSE 2019 @ Paris, France.


  1. Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits. Shun Li, Siwei Sun, Chaoyun Li, Zihao Wei, Lei Hu. FSE 2019 @ Paris, France. [Slide footer: Li, Sun et al., Constructing Low-latency Involutory MDS Matrices with Lightweight Circuits, FSE 2019, 1 / 30]

  2. Outline: (1) Background and Motivation; (2) Lightweight Involutory MDS matrices; (3) Our Construction; (4) Low-latency Involutory MDS Matrices; (5) Main Results.

  3. Background and Motivation: Outline (section 1 of the five sections listed on slide 2).

  4. Background and Motivation: Diffusion Matrices. The diffusion layers are typically realized with linear operations, expressed as matrices, that spread the internal dependencies as much as possible. The diffusion property of a diffusion matrix is determined by its branch number. Definition: The branch number $B_n(A)$ of $A \in M_{nk}(\mathbb{F}_2)$ is defined as $B_n(A) = \min_{x \in \mathbb{F}_2^{nk} \setminus \{0\}} \{ \omega_n(x) + \omega_n(Ax) \}$.

  5. Background and Motivation: Diffusion Layer. Lightweight primitives commonly use the following types of diffusion layer:
     - Bit-level permutations: PRESENT [A. Bogdanov et al., CHES'07], GIFT [S. Banik et al., CHES'17]
     - Bitwise XORs and rotations: Skinny [C. Beierle et al., CRYPTO'16], CRAFT [C. Beierle et al., FSE'19]

  8. Background and Motivation: Diffusion Layer (continued).
     - Maximal Distance Separable (MDS) matrices: AES
     - Almost MDS matrices: Midori [S. Banik et al., ASIACRYPT'15], QARMA [R. Avanzi, FSE'17]
     $M_{\text{Midori}} = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$

  10. Background and Motivation: MDS Matrices. Definition: An invertible $nk \times nk$ binary matrix $A$ is MDS over $k$ $n$-bit words if and only if $B_n(A) = k + 1$. Example: The MDS matrix in AES:
     $\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}$

  11. Background and Motivation: Wide Trail Strategy. The wide trail strategy is an approach used to design round transformations that combine efficiency and resistance against differential and linear cryptanalysis. MDS matrices are in accordance with the strategy and have advantages as diffusion layers in iterative block ciphers:
     - Simple and clear security proofs, following from AES.
     - Relatively small numbers of rounds, low-latency designs.
     Comparison:
     - AES: MDS, 128-bit block size and 128-bit key size, number of rounds is 10.
     - Midori: Almost MDS, 128-bit block size and 128-bit key size, number of rounds is 20.
     - Skinny: Bitwise XORs, 128-bit block size and 128-bit tweakey size, number of rounds is 40.

  12. Background and Motivation: Construction. Approaches to constructing MDS matrices:
     - XOR and rotations-based: Hight [D. Hong et al., CHES'06]
     - Iteration-based: PHOTON hash functions [J. Guo et al., CRYPTO'11]
       $\begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 2 & 1 & 4 \end{pmatrix}^{4} = \begin{pmatrix} 1 & 2 & 1 & 4 \\ 4 & 9 & 6 & 17 \\ 17 & 38 & 24 & 66 \\ 66 & 149 & 100 & 11 \end{pmatrix}$
     - Special-type-based: Circulant, Orthogonal, Hadamard, Toeplitz, Cauchy, Involutory matrices
     - Circuit-search-based: S. Duval and G. Leurent, FSE'19

  16. Background and Motivation: Involutory Matrices. Definition: An involutory matrix $M$ is a square matrix that is its own inverse. That is, multiplication by matrix $M$ is an involution if and only if $M^2 = I$. Involutory matrices are preferable in terms of hardware implementation, since the same circuit can be reused when the inverse is required.

  17. Background and Motivation: Involutory MDS Matrices. The advantages of being both MDS and involutory make such matrices preferable. Involutory MDS matrices applied in designs:
     - Anubis [P. Barreto et al., 2000]
     - ICEBERG [F. Standaert et al., FSE'04]
     - PRINCE [J. Borghoff et al., ASIACRYPT'12]
     $\begin{pmatrix} 1 & 2 & 4 & 6 \\ 2 & 1 & 6 & 4 \\ 4 & 6 & 1 & 2 \\ 6 & 4 & 2 & 1 \end{pmatrix}$

  20. Lightweight Involutory MDS matrices: Outline (section 2 of the five sections listed on slide 2).

  21. Lightweight Involutory MDS matrices: Metrics. We estimate the hardware cost of a linear operation as the number of XOR2 gates ($\mathbb{F}_2 \times \mathbb{F}_2 \to \mathbb{F}_2$) required in its implementation. It is NP-hard to obtain the minimum number of XOR2 gates required. Theorem (J. Boyar et al.): For any field $F$, SHORTEST LINEAR PROGRAM is NP-hard.
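
Added example, not part of the original slides: a check of the MDS and involutory definitions against the AES, Midori, had(1,2,4,6) and serial (iteration-based) matrices from the background section. It assumes the AES polynomial 0x11B as the GF(2^8) modulus for every matrix, tests MDS with the equivalent criterion that every square submatrix is nonsingular rather than enumerating the branch number, and all function names are this example's own.

```python
from itertools import combinations, product

POLY = 0x11B  # assumption: AES polynomial x^8+x^4+x^3+x+1 for every matrix

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r

def matmul(A, B):
    """Matrix product over GF(2^8); addition is XOR."""
    k = len(A)
    C = [[0] * k for _ in range(k)]
    for i, j, t in product(range(k), repeat=3):
        C[i][j] ^= gmul(A[i][t], B[t][j])
    return C

def det(M):
    """Laplace expansion along row 0 (no signs in characteristic 2)."""
    if len(M) == 1:
        return M[0][0]
    d = 0
    for j, a in enumerate(M[0]):
        d ^= gmul(a, det([row[:j] + row[j + 1:] for row in M[1:]]))
    return d

def is_mds(M):
    """Branch number k+1 <=> every square submatrix is nonsingular."""
    idx = range(len(M))
    return all(det([[M[r][c] for c in cs] for r in rs])
               for s in range(1, len(M) + 1)
               for rs in combinations(idx, s) for cs in combinations(idx, s))

def is_involutory(M):
    return matmul(M, M) == [[int(i == j) for j in range(len(M))] for i in range(len(M))]

# Matrices transcribed from the slides (sample input for this example).
AES = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MIDORI = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0]]
HAD = [[1, 2, 4, 6], [2, 1, 6, 4], [4, 6, 1, 2], [6, 4, 2, 1]]
SERIAL = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 2, 1, 4]]
SERIAL4 = matmul(matmul(SERIAL, SERIAL), matmul(SERIAL, SERIAL))

if __name__ == "__main__":
    for n, M in (("AES", AES), ("Midori", MIDORI), ("Had", HAD), ("Serial^4", SERIAL4)):
        print(n, M, "MDS:", is_mds(M), "involutory:", is_involutory(M))
```

The zero diagonal of the Midori matrix is what fails the MDS test (a singular 1×1 submatrix), while it still satisfies $M^2 = I$.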
