design of lightweight linear diffusion layers from near
play

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices - PowerPoint PPT Presentation

Jun 10, 2023 •243 likes •548 views

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 , 2 1 imec and COSIC, KU Leuven 2 DTU Compute, Technical University of Denmark March 6, 2017 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU

  1. Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices Chaoyun Li 1 Qingju Wang 1 , 2 1 imec and COSIC, KU Leuven 2 DTU Compute, Technical University of Denmark March 6, 2017 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 1 / 23

  2. Introduction Outlines Introduction 1 Constructions of Near-MDS Matrices 2 Near-MDS Matrices with Lowest XOR Count 3 Security Analysis 4 Conclusion 5 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 2 / 23

  3. Introduction Lightweight cryptography Meet the security requirements of ubiquitous computing - Internet of Things (IoT) Explore the tradeoffs between implementation cost and security Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 3 / 23

  4. Introduction Linear diffusion layers Confusion and Diffusion (Shannon 1949) - SPN structure: Nonlinear layer and linear diffusion layer Diffusion matrices - Spread internal dependency - Provide resistance against differential/linear attacks (Daemen and Rijmen 2002) ֒ → The focus of attention in lightweight cryptography Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 4 / 23

  5. Introduction MDS matrices Direct construction MDS matrix in MixColumns of AES (Daemen and Rijmen 2002)   2 3 1 1 1 2 3 1   circ (2 , 3 , 1 , 1) =  .   1 1 2 3  3 1 1 2 Efficiency Direct constructions are costly in hardware 1 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 5 / 23

  6. Introduction MDS matrices Recursive construction Direct construction Recursive MDS in PHOTON and LED (Guo MDS matrix in MixColumns of AES (Daemen and Rijmen 2002) et al. 2011)   2 3 1 1 4     0 1 0 0 1 2 1 4 1 2 3 1   A 4 = 0 0 1 0 4 9 6 17 circ (2 , 3 , 1 , 1) =      . =   1 1 2 3     0 0 0 1 17 38 24 66      3 1 1 2 1 2 1 4 66 149 100 11 Efficiency Direct constructions are costly in hardware 1 Recursive constructions are lighweight but need additional clock cycles 2 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 5 / 23

  7. Introduction Near-MDS matrices Near-MDS matrices An n × n matrix M is near-MDS if B d ( M ) = B l ( M ) = n Suboptimal diffusion but require less area than MDS Better tradeoff of security and efficiency - FOAM framework (Khoo et al. 2014) Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 6 / 23

  8. Introduction Near-MDS matrices Near-MDS matrices An n × n matrix M is near-MDS if B d ( M ) = B l ( M ) = n Suboptimal diffusion but require less area than MDS Better tradeoff of security and efficiency - FOAM framework (Khoo et al. 2014) Our goal 1 Construct lightweight near-MDS matrices over finite fields 2 Investigate near-MDS matrices with minimal implementation cost Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 6 / 23

  9. Constructions of Near-MDS Matrices Outlines Introduction 1 Constructions of Near-MDS Matrices 2 Near-MDS Matrices with Lowest XOR Count 3 Security Analysis 4 Conclusion 5 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 7 / 23

  10. Constructions of Near-MDS Matrices Previous work The 4 × 4 near-MDS matrix   0 1 1 1 1 0 1 1   circ (0 , 1 , 1 , 1) =   1 1 0 1   1 1 1 0 + Implementation cost can be only 50% of MDS matrix in AES + With lowest XOR count among all near-MDS matrices of order 4 + Involutory ⋆ Used in PRINCE, FIDES, PRIDE, Midori, MANTIS Nonexistence result for n > 4 (Choy and Khoo 2008) { 0 , 1 } -matrix of order n cannot be near-MDS Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 8 / 23

  11. Constructions of Near-MDS Matrices Search strategy Generic matrices Special form Maximize occurrences of 0 , 1 and minimize the number of distinct entries Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 9 / 23

  12. Constructions of Near-MDS Matrices Main approach 1 Consider generic circulant/Hadamard matrices with entries 0 and x i , first search matrices consisting of 0 , 1 , x , x − 1 , x 2 2 Check near-MDS property and generate conditions for the matrix to be near-MDS 3 Substitute x with the lightest α ∈ F 2 m satisfying all the conditions Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 10 / 23

  13. Constructions of Near-MDS Matrices Lightweight near-MDS circulant matrices Generic near-MDS circulant matrices of order 5 ≤ n ≤ 9 Near-MDS property holds for almost all finite fields Occurrences of 0 , 1 maximized Only four distinct entries 0 , 1 , x , x − 1 Example  0 1 1 1  α α 0 1 1 1 α α   1 0 1 1   α α   1 1 0 1   α α   1 1 1 0  α α  1 1 1 0 α α is near-MDS over F 2 m if α is not a root of the following polynomials x , x + 1 , x 2 + x + 1 . Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 11 / 23

  14. Constructions of Near-MDS Matrices Comparison with MDS matrices XOR count of α Number of XOR operations required to implement α · β with arbitrary β XOR counts of best known lightweight MDS and near-MDS circulant matrices over F 2 8 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 12 / 23

  15. Constructions of Near-MDS Matrices Involutory near-MDS matrices Hadamard matrices Easy to be involutory Efficient implementation Involutory near-MDS Hadamard matrices of order 8 2688 matrices with five distinct entries 0 , 1 , x , x − 1 , x 2 Two different equivalence classes had (0 , x 2 , x − 1 , x 2 , x − 1 , x , x , 1) had (0 , x 2 , x − 1 , x − 1 , x 2 , x , x , 1) Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 13 / 23

  16. Near-MDS Matrices with Lowest XOR Count Outlines Introduction 1 Constructions of Near-MDS Matrices 2 Near-MDS Matrices with Lowest XOR Count 3 Security Analysis 4 Conclusion 5 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 14 / 23

  17. Near-MDS Matrices with Lowest XOR Count Near-MDS matrices with minimal implementation cost Focus on the total XOR count of the near-MDS matrices Comparison with all near-MDS matrices of the same order For 2 ≤ n ≤ 4, binary circulant matrices achieve lowest XOR count Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 15 / 23

  18. Near-MDS Matrices with Lowest XOR Count Near-MDS circulant matrices of order 7 , 8 Theorem If α is the lightest element in F 2 m \ { 0 , 1 } and satisfies the near-MDS conditions, then the following near-MDS circulant matrices have lowest XOR counts. For any 4 ≤ m ≤ 2048 , the matrices always have instantiations with lowest XOR count over F 2 m . n Coefficients of the first row Conditions x , x + 1 , x 2 + x + 1 , x 3 + x + 1 (0 , α, 1 , α − 1 , 1 , 1 , 1) 7 x 3 + x 2 + 1 , x 4 + x 3 + x 2 + x + 1 x , x + 1 , x 2 + x + 1 , x 3 + x + 1 x 3 + x 2 + 1 , x 4 + x 3 + x 2 + x + 1 (0 , α, 1 , α, α − 1 , 1 , 1 , 1) 8 x 5 + x 4 + x 3 + x 2 + 1 Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 16 / 23

  19. Near-MDS Matrices with Lowest XOR Count Proof sketch 1 Determine the maximum occurrences of 0 and 1 for all near-MDS matrices 2 Show circulant matrices attain the maximum occurrences of 0 and 1 simultaneously 3 The remaining entries ( α and α − 1 ) all have the smallest XOR count Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 17 / 23

  20. Near-MDS Matrices with Lowest XOR Count Proof sketch 1 Determine the maximum occurrences of 0 and 1 for all near-MDS matrices 2 Show circulant matrices attain the maximum occurrences of 0 and 1 simultaneously 3 The remaining entries ( α and α − 1 ) all have the smallest XOR count 4 For 4 ≤ m ≤ 2048, there always exists α which is the lightest element in F 2 m \ { 0 , 1 } and satisfies the near-MDS conditions (Beierle et al. CRYPTO 2016) Chaoyun Li, Qingju Wang ( imec and COSIC, KU Leuven, DTU Compute, Technical University of Denmark) FSE 2017 Presentation March 6, 2017 17 / 23

Recommend

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and Matthieu Finiasz Context Diffusion layers in a block cipher/SPN should: obviously, offer good diffusion, have a large branch number , be

381 views • 21 slides
On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS Innovation Labs December 11, 2017 SUMANTA SARKAR Lightweight Cryptography Internet of Things / Connected Cars Internet of things (IoT): Network of

786 views • 45 slides
Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao, Shasha Zhang Nov. 09, 2020 Lightweight Cryptography -Requirements -Primitives : SIMON SPECK Circuit size PRESENT, RECTANGLE

646 views • 22 slides
ECE 3060 VLSI and Advanced Digital Design Lecture 4 Layout Design & Tools CMOS Layers

ECE 3060 VLSI and Advanced Digital Design Lecture 4 Layout Design & Tools CMOS Layers

ECE 3060 VLSI and Advanced Digital Design Lecture 4 Layout Design & Tools CMOS Layers Standard n -Well Process Active (Diffusion) Polysilicon Metal 1, Metal 2, Metal3 Poly Cut (connects metal 1 to polysilicon)

778 views • 24 slides
Analysis of model equations for stress-enhanced diffusion in coal layers Andro Mikeli c

Analysis of model equations for stress-enhanced diffusion in coal layers Andro Mikeli c

Analysis of model equations for stress-enhanced diffusion in coal layers Andro Mikeli c Andro.Mikelic@univ-lyon1.fr Institut Camille Jordan, UFR Math ematiques Universit e Claude Bernard Lyon 1, Lyon, France Talk at the conference

584 views • 36 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
A supersymmetric non linear sigma model for quantum diffusion Margherita DISERTORI joint work

A supersymmetric non linear sigma model for quantum diffusion Margherita DISERTORI joint work

The general setting A toy model for quantum diffusion A supersymmetric non linear sigma model for quantum diffusion Margherita DISERTORI joint work with T. Spencer and M. Zirnbauer Laboratoire de Math ematiques Rapha el Salem CNRS -

297 views • 27 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra

Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra

Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra Raul Platero December 1, 2017 1 / 13 August 2017, Lek-Heng Lim, Jonathan Weare Modification to diffusion Monte Carlo techniques to solve common

461 views • 13 slides
Concepts of Programming Design Scala and Lightweight Modular Staging (LMS) Alexey Rodriguez

Concepts of Programming Design Scala and Lightweight Modular Staging (LMS) Alexey Rodriguez

Concepts of Programming Design Scala and Lightweight Modular Staging (LMS) Alexey Rodriguez Blanter, Ferenc Balla, Matthijs Steen, Ruben Meerkerk, Ratih Ngestrini [ Faculty of Science Information and Computing Sciences] 1 Scala and Lightweight

1.33k views • 56 slides
Motion through an oscillator chain: diffusion and linear response S. De Bivre (Universit de

Motion through an oscillator chain: diffusion and linear response S. De Bivre (Universit de

Motion through an oscillator chain: diffusion and linear response S. De Bivre (Universit de Lille) Numerical methods in molecular simulation Bonn Hausdorff Institute for Mathematics April 2008 Introduction THE SETTING Hamiltonian

296 views • 29 slides
Spacetime domain decomposition methods for linear and nonlinear diffusion problems Michel

Spacetime domain decomposition methods for linear and nonlinear diffusion problems Michel

Spacetime domain decomposition methods for linear and nonlinear diffusion problems Michel Kern with T.T.P . Hoang, E. Ahmed, C. Japhet, J. Roberts, J.Jaffr INRIA Paris Maison de la Simulation Work supported by Andra & ANR

807 views • 28 slides
Very high-order finite volume scheme for the 2D linear convection-diffusion problem S. Clain 1 , 3

Very high-order finite volume scheme for the 2D linear convection-diffusion problem S. Clain 1 , 3

Very high-order finite volume scheme for the 2D linear convection-diffusion problem S. Clain 1 , 3 , G.J. Machado 1 , J.M. Nobrega 2 , R.M.S. Pereira 1 , A. Boularas 4 1 Mathematical Centre, University of Minho, Portugal 2 Institute for Polymers

378 views • 33 slides
Pace Layers The social economy ecosystem has many layers, all of which change at different

Pace Layers The social economy ecosystem has many layers, all of which change at different

Pace Layers The social economy ecosystem has many layers, all of which change at different rates, the outer layers moving faster than the inner Source: Stewart Brand, The Clock of the Long Now 1 | Confidential & Proprietary 2 |

421 views • 4 slides
Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

577 views • 56 slides
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia

Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia

Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia 2015 Motivation Industry Academia Lightweight: 2nd Generation NIST

1.4k views • 95 slides
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014

Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014

Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014 Motivation Industry Academia A Critical View Lightweight:

1.77k views • 79 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
CS 3330 introduction 1 layers of abstraction Higher-level language: C x += y

CS 3330 introduction 1 layers of abstraction Higher-level language: C x += y

CS 3330 introduction 1 layers of abstraction Higher-level language: C x += y Assembly: X86-64 add %rbx, %rax Machine code: Y86 6 0 03 SIXTEEN Hardware Design Language: HCLRS Gates / Transistors / Wires / Registers 2 layers of

1.18k views • 114 slides
International Linear Colllider International Linear Colllider Global Design Effort Global Design

International Linear Colllider International Linear Colllider Global Design Effort Global Design

International Linear Colllider International Linear Colllider Global Design Effort Global Design Effort Barry Barish ILCSC - Frankfurt 10-May-05 Starting Point for the GDE pre-accelerator few GeV source KeV damping extraction ring

615 views • 35 slides
Exploring the Design Space of Combining Linux with Lightweight Kernels for Extreme Scale

Exploring the Design Space of Combining Linux with Lightweight Kernels for Extreme Scale

Exploring the Design Space of Combining Linux with Lightweight Kernels for Extreme Scale Computing Balazs Gerofi , Takagi Masamichi , Yutaka Ishikawa , Rolf Riesen , Evan Powers , Robert W. Wisniewski RIKEN Advanced

396 views • 22 slides
Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Class overview today - November 11, 2019 Questions about Exercise 2? Lecture: Natural diffusion Introduction to the diffusion process Mathematical description of diffusion Hillslope diffusion processes Exercise 3:

846 views • 58 slides
Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Class overview today - November 12, 2018 Questions about Exercise 2? Lecture: Natural diffusion Introduction to the diffusion process Mathematical description of diffusion Hillslope diffusion processes Exercise 3:

688 views • 55 slides
Shannons Idea of Confusion and Diffusion The DES, AES and many block ciphers are designed

Shannons Idea of Confusion and Diffusion The DES, AES and many block ciphers are designed

Shannons Idea of Confusion and Diffusion The DES, AES and many block ciphers are designed using Shannons idea of confusion and diffusion. The objectives of this document is to introduce linear and nonlinear functions; and

451 views • 11 slides

More recommend