Generalized Polynomial Decomposition for S-boxes with Application to - PowerPoint PPT Presentation

  1. Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud

  2. Background

  3. Secure Software S-box Implementations
 Higher-order masking: $x = x_1 + x_2 + \cdots + x_d$
 Main challenge: S-box evaluations
 Linear operations: $O(d)$; non-linear operations: $O(d^2)$
 Goal: find an S-box representation with fewer non-linear operations

  4. Polynomial Methods
 S-box seen as a polynomial over $\mathbb{F}_{2^n}$: $S(x) = \sum_{i=0}^{n} a_i x^i$
 Generic methods: $S(x) = \sum_i (p_i \star q_i)(x)$
  CRV decomposition: $\star = \times$
  Algebraic decomposition: $\star = \circ$
 Specific methods, example on AES: $S_{AES}(x) = \mathrm{Aff}(x^{254})$
  RP: 4-mult chain on $\mathbb{F}_{2^8}$
  KHL: 5-mult chain on $\mathbb{F}_{2^4}$

  5. Bitslice Methods
 S-box seen as a Boolean circuit: $S : x \to (f_1(x), f_2(x), \ldots, f_m(x))$
 Generic methods: based on Boolean functions
 Specific methods, example on AES: based on a Boolean circuit (BMP13)

  6. Polynomial vs Bitslice
 [Figure: generic 8-bit S-box evaluation, clock cycles (0 to 400000) against masking order (2 to 10), one curve for the polynomial method and one for the bitslice method]

  7. Full field: CRV decomposition. Boolean field: Boolean decomposition. Intermediate field: ?
 This work: $S(x) \to (S_1(y, z), S_2(y, z))$, one 8-bit function turned into two 4-bit functions

  8. Motivation
 Working on smaller fields: degree of parallelisation increased (32-bit architecture)
 Multiplications in parallel on 32 bits: Boolean case 32, 4-bit field 8, 8-bit field 4
 [Figure: example of 16 AES S-boxes with the polynomial method, clock cycles (·10^4, 1 to 5) against masking order d (2 to 10), curves KHL and RP (ISW-HT)]

  9. Our Results
 Generalized decomposition method for any S-box w.r.t. 3 parameters: $n$, the number of inputs; $m$, the number of output elements; $\lambda$, the bit-size of the elements
 Study of the median case, example on 8-bit S-boxes: $S(x, y) = (f_1(x, y), f_2(x, y))$ with $x, y \in \mathbb{F}_{2^4}$
 Implementation in ARM assembly to compare with the state of the art

  10. Generalized Decomposition Method

  11. S-box Characterization
 S-box seen as an $n\lambda$-bit to $m\lambda$-bit polynomial over $\mathbb{F}_{2^\lambda}$: $S(x) = (f_1(x), f_2(x), \ldots, f_m(x))$ where $f_1, f_2, \ldots, f_m \in \mathcal{F}_{n,\lambda}$ (the set of functions from $\mathbb{F}_{2^\lambda}^n$ to $\mathbb{F}_{2^\lambda}$)

  12. Coordinate Function Decomposition
 $f(x) = \sum_{i=0}^{t} g_i(x) \cdot h_i(x)$
 $g_i$: random linear combinations from a basis $\bar{B}$, with $\langle \bar{B} \rangle = \{ g : g = \sum_{\phi \in B} \sum_{i=0}^{\lambda-1} c_{\phi,i}\, \phi^{2^i} \}$
 $h_i = \sum_j c_{i,j} \phi_j$: find the $c_{i,j}$ by solving $f(x) = \sum_i \big( \sum_j a_{i,j} \phi_j(x) \big) \big( \sum_j c_{i,j} \phi_j(x) \big)$ for all $x$

  13. Solving a Linear System
 $f(x) = \sum_i \big( \sum_j a_{i,j} \phi_j(x) \big) \big( \sum_j c_{i,j} \phi_j(x) \big), \forall x$, with $\{e_i\}_{i=1}^{2^{n\lambda}} = \mathbb{F}_{2^\lambda}^n$:
 $A_1 c_1 + A_2 c_2 + \cdots + A_t c_t = (f(e_1), f(e_2), \ldots, f(e_{2^{n\lambda}}))$
 where $A_i$ is the $2^{n\lambda} \times |B|$ matrix whose entry $(k, j)$ is $\phi_j(e_k) \cdot g_i(e_k)$:
 $A_i = \begin{pmatrix} \phi_1(e_1) \cdot g_i(e_1) & \phi_2(e_1) \cdot g_i(e_1) & \cdots & \phi_{|B|}(e_1) \cdot g_i(e_1) \\ \phi_1(e_2) \cdot g_i(e_2) & \phi_2(e_2) \cdot g_i(e_2) & \cdots & \phi_{|B|}(e_2) \cdot g_i(e_2) \\ \vdots & \vdots & \ddots & \vdots \\ \phi_1(e_{2^{n\lambda}}) \cdot g_i(e_{2^{n\lambda}}) & \phi_2(e_{2^{n\lambda}}) \cdot g_i(e_{2^{n\lambda}}) & \cdots & \phi_{|B|}(e_{2^{n\lambda}}) \cdot g_i(e_{2^{n\lambda}}) \end{pmatrix}$

  14. Conditions
 $(t+1)|B|$ unknowns, $2^{n\lambda}$ equations: $(t+1)|B| \geq 2^{n\lambda}$
 Condition on the sum: $t \geq \lceil 2^{n\lambda} / |B| \rceil - 1$
 Condition on the basis: $\langle \bar{B} \times \bar{B} \rangle$ has to span the entire space $\mathcal{F}_{n,\lambda}$

  15. Spanning Property
 $\langle \bar{B} \times \bar{B} \rangle = \mathcal{F}_{n,\lambda} \iff \mathrm{rank}(\mathrm{Mat}(\bar{B} \times \bar{B})) = 2^{n\lambda}$, with
 $\mathrm{Mat}(S) = \begin{pmatrix} \varphi_1(e_1) & \varphi_2(e_1) & \cdots & \varphi_{|S|}(e_1) \\ \varphi_1(e_2) & \varphi_2(e_2) & \cdots & \varphi_{|S|}(e_2) \\ \vdots & \vdots & \ddots & \vdots \\ \varphi_1(e_{2^{n\lambda}}) & \varphi_2(e_{2^{n\lambda}}) & \cdots & \varphi_{|S|}(e_{2^{n\lambda}}) \end{pmatrix}$
 where $S = \bar{B} \times \bar{B}$ and $\{\varphi_1, \varphi_2, \ldots, \varphi_{|S|}\} = S$

  16. Basis Construction
 Start with $B = \{1, x_1, x_2, \ldots, x_n\}$
 Pick $\phi, \psi$ in $\langle \bar{B} \rangle$ at random, where $\langle \bar{B} \rangle = \{ g : g = \sum_{\phi \in B} \sum_{i=0}^{\lambda-1} c_{\phi,i}\, \phi^{2^i} \}$
 Compute $\mathrm{rank}(\mathrm{Mat}(S \times S))$ with $S = B \cup \{\phi \cdot \psi\}$
 Redo $N$ times and choose the $(\phi, \psi)$ that increases the rank most
 Repeat until the rank is at least $2^{n\lambda}$

  17. Random Basis
                    4-bit S-boxes          8-bit S-boxes
 (λ, n)        (1,4)  (2,2)  (4,1)    (1,8)  (2,4)  (4,2)  (8,1)
 |B_1|            7      4      3       26     14      8      5
 r                2      1      1       17      9      5      3
 Improvements w.r.t. previous methods, Boolean case: initial basis from 25 to 17

  18. Decomposition of the S-box
 S-box: $S : x \to (f_1(x), f_2(x), \ldots, f_m(x))$
 Apply coordinate decompositions on the $m$ functions $f_i$
 Basis update: start with a basis $B_1$; at each step $B_{i+1} \leftarrow B_i \cup \{ g_{i,j} \cdot h_{i,j} \}_{j=0}^{t_i}$

  19. Decomposition Example
 $S : \mathbb{F}_2^8 \to \mathbb{F}_2^8$, $n = 2$, $m = 2$, $\lambda = 4$ → $S(x, y) = (f_1(x, y), f_2(x, y))$
 $B_1$ such that $\langle B_1 \times B_1 \rangle$ spans $\mathcal{F}_{n,\lambda}$
 $f_1(x) = \sum_{i=0}^{t_1} g_{1,i}(x) \cdot h_{1,i}(x)$
 $B_2 = B_1 \cup \{ g_{1,i} \cdot h_{1,i} \}_{i=0}^{t_1}$
 $f_2(x) = \sum_{i=0}^{t_2} g_{2,i}(x) \cdot h_{2,i}(x)$
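The pipeline of slides 12 to 19 in the Boolean case ($\lambda = 1$, $n = 4$), as an added Python example rather than the authors' ARM implementation: functions are 16-bit truth tables (product = AND, sum = XOR), the basis is grown greedily by the rank test of slide 15, each coordinate is decomposed by solving the linear system of slide 13 with Gaussian elimination over GF(2), and the basis update of slide 18 runs between coordinates. The coordinate tables passed in, the candidate count `tries` and the seed are constructed assumptions; the loop that raises $t$ mirrors the optimal/achievable gap of slide 22.

```python
import functools, random
N, PTS = 4, 16               # n = 4 inputs, lambda = 1 (Boolean case): 2^(n*lambda) = 16 points
ONE = (1 << PTS) - 1         # truth table of the constant function 1; bit x of a table holds f(x)
X = [sum(1 << x for x in range(PTS) if x >> i & 1) for i in range(N)]   # tables of x_1 .. x_4

def xor_all(tables):                                        # addition in F_{n,1}
    return functools.reduce(int.__xor__, tables, 0)
def gf2_solve(cols, target):
    """GF(2) elimination on truth-table columns -> (rank, sel): the columns whose XOR is target, or None."""
    basis = {}                                  # pivot bit -> (reduced vector, mask of columns used)
    for idx, col in enumerate(cols + [target]):
        v, comb = col, 1 << idx
        for piv in sorted(basis, reverse=True):
            if v >> piv & 1:
                v ^= basis[piv][0]; comb ^= basis[piv][1]
        if v and idx < len(cols):
            basis[v.bit_length() - 1] = (v, comb)
    return len(basis), None if v else [j for j in range(len(cols)) if comb >> j & 1]
def rand_in_span(B, rng):                                   # random g in <B> (lambda = 1: no Frobenius powers)
    return xor_all(phi for phi in B if rng.getrandbits(1))
def product_rank(S):                                        # rank(Mat(S x S)): the spanning test of slide 15
    return gf2_solve([a & b for a in S for b in S], 0)[0]
def build_basis(rng, tries=20):
    """Slide 16: grow B = {1, x_1..x_n} with the random product phi.psi that raises the rank most."""
    B = [ONE] + X
    while product_rank(B) < PTS:
        cands = [rand_in_span(B, rng) & rand_in_span(B, rng) for _ in range(tries)]
        B.append(max(cands, key=lambda p: product_rank(B + [p])))
    return B
def decompose(f, B, rng, tries=20):
    """Slides 12-14: f = XOR_i g_i.h_i with random g_i in <B>; solve the linear system for the h_i."""
    t = -(-PTS // len(B)) - 1                   # (t + 1)|B| >= 2^n, the condition of slide 14
    while True:
        for _ in range(tries):
            gs = [rand_in_span(B, rng) for _ in range(t + 1)]
            sel = gf2_solve([phi & g for g in gs for phi in B], f)[1]   # column (i,j) = phi_j.g_i
            if sel is not None:
                hs = [0] * (t + 1)
                for k in sel: hs[k // len(B)] ^= B[k % len(B)]
                return list(zip(gs, hs))
        t += 1    # optimal t missed for these g_i: the achievable t may be one higher (slide 22)
def decompose_sbox(fs, seed=1):
    """Slides 18-19: build B_1, decompose each f_i, then add its products g.h to the basis."""
    rng = random.Random(seed)
    B1 = B = build_basis(rng)
    out = []
    for f in fs:
        out.append(decompose(f, B, rng))
        B = B + [g & h for g, h in out[-1]]
    return B1, out
```

The returned terms are (g_i, h_i) truth-table pairs; the multiplication count of slide 21 for this run is the number of products added to the basis plus the number of terms per coordinate.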

  20. Experimental Results and Implementations

  21. Optimal Parameters
 Cost of the decomposition: $r + \sum_{i=1}^{m} t_i$ with $t_i \geq \left\lceil \frac{2^{n\lambda} - 1}{\lambda |B_i| + 1} \right\rceil - 1$
 Optimal parameters: $t_i = \left\lceil \frac{2^{n\lambda} - 1}{\lambda |B_i| + 1} \right\rceil - 1$

  22. Achievable Results for Median Cases
                      (λ, n)   |B_1|    r   t_1, t_2, ..., t_n   C*
 4-bit S-boxes
   Optimal            (2,2)      5      2   1,1                   4
   Achievable         (2,2)      5      2   1,1                   4
 8-bit S-boxes
   Optimal            (2,4)     16     11   8,5,4,3              31
   Achievable         (2,4)     16     11   9,6,5,3              34
   Optimal            (4,2)     10      7   6,4                  17
   Achievable         (4,2)     10      7   7,4                  18

  23. Implementation Results
 [Figure: clock cycles (·10^5) against masking order d (2 to 10) for Bitslice, CRV (4 × 4) and our implementations; legend partly unrecoverable]
 Memory of our implementations:
                  Code size   RAM
   CRV            27.5 KB     80d B
   Boolean Dec     4.6 KB     644d B
   Our impl.       8.7 KB     92d B

  24. Conclusion
 Generalized decomposition method well suited for any S-box or target architecture against side-channel attacks
 [Figure: this work positioned relative to [GR16], [PV16] and [CRV14] along two axes, number of coordinate functions and decomposition field size]

  25. Conclusion
 Case study on 32-bit ARM, median case: 8-bit S-box => 2 4-bit functions
 Implementation comparison with the state of the art: memory trade-off
 Can suit low-end devices with a smaller architecture
 Parallelisation level decreased => poor bitslice performances
 Few memory requirements
