low depth low size circuits for cryptographic applications
play

Low-Depth, Low-Size Circuits for Cryptographic Applications Joan - PowerPoint PPT Presentation

Sep 09, 2023 •110 likes •612 views

Low-Depth, Low-Size Circuits for Cryptographic Applications Joan Boyar* 1 Magnus Gausdal Find 2 Ren Peralta 2 1 University of Southern Denmark 2 National Institute of Standards and Technology, USA BFA 2017 Boyar, Find, Peralta Heuristic:

  1. Low-Depth, Low-Size Circuits for Cryptographic Applications Joan Boyar* 1 Magnus Gausdal Find 2 René Peralta 2 1 University of Southern Denmark 2 National Institute of Standards and Technology, USA BFA 2017 Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 1 / 22

  2. Circuits over GF ( 2 ) AND gates × / ∧ XOR gates + XNOR gates # Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 2 / 22

  3. Circuits over GF ( 2 ) AND gates × / ∧ XOR gates + XNOR gates # Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 2 / 22

  4. Circuits over GF ( 2 ) AND gates × / ∧ XOR gates + XNOR gates # Both circuits compute the predicate MAJ(a,b,c) in size 4 and depth 3. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 2 / 22

  5. Boolean Circuit Complexity The (Boolean) circuit complexity of a function f is the number of gates necessary and sufficient to compute f . Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 3 / 22

  6. Boolean Circuit Complexity The (Boolean) circuit complexity of a function f is the number of gates necessary and sufficient to compute f . Shannon-Lupanov bound: the circuit complexity of a predicate on n bits is about 2 n n almost everywhere. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 3 / 22

  7. Multiplicative Complexity The multiplicative complexity of a function f is the number of multiplications (ANDs) necessary and sufficient to compute f (over the basis AND, XOR, XNOR). Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 4 / 22

  8. Multiplicative Complexity The multiplicative complexity of a function f is the number of multiplications (ANDs) necessary and sufficient to compute f (over the basis AND, XOR, XNOR). Almost all Boolean predicates on n bits have multiplicative complexity close n 2 (i.e. about the square root of the total number of gates needed). to 2 [B., Peralta, Pochuev],[Nechiporuk] Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 4 / 22

  9. Multiplicative Complexity The multiplicative complexity of a function f is the number of multiplications (ANDs) necessary and sufficient to compute f (over the basis AND, XOR, XNOR). Almost all Boolean predicates on n bits have multiplicative complexity close n 2 (i.e. about the square root of the total number of gates needed). to 2 [B., Peralta, Pochuev],[Nechiporuk] Our thesis is that this observation can be used for Boolean circuit optimization. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 4 / 22

  10. Motivation Why do we care? Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 5 / 22

  11. Motivation Why do we care? 1 Smaller chip area, less power Lower depth, faster Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 5 / 22

  12. Motivation Why do we care? 1 Smaller chip area, less power Lower depth, faster 2 Multi-party computations: Communication complexity can depend (only) on the number of ANDs in the circuit. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 5 / 22

  13. Motivation Why do we care? 1 Smaller chip area, less power Lower depth, faster 2 Multi-party computations: Communication complexity can depend (only) on the number of ANDs in the circuit. 3 Homomorphic computations: Performing computations on encrypted data, such as in the cloud. The multiplicative complexity can affect the number of bootstrappings. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 5 / 22

  14. An example function: AES S-Box Advanced Encryption Standard (AES) Block cipher - 128 bit blocks, 128 bit keys Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 6 / 22

  15. An example function: AES S-Box Advanced Encryption Standard (AES) Block cipher - 128 bit blocks, 128 bit keys 10 rounds using 4 operations: SubBytes — Nonlinear substitution step (S-Box) ShiftRows MixColumns AddRoundKey Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 6 / 22

  16. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation (linear, followed by some negations). Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 7 / 22

  17. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation (linear, followed by some negations). Can be done by table look-up . 256 different inputs, each with 8 bits output 2048 bits large area — 16 S-Boxes in each round Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 7 / 22

  18. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation. Tower of fields constructions : Concentration on size: Wolkerstorfer, Oswald, Lamberger 2002 — work over subfield GF ( 2 4 ) Satoh, Morioka, Takano, Munetoh 2001 — within GF ( 2 4 ) use GF ( 2 2 ) Canright 2005 — tried many different bases B., Peralta 2010 — used Canright’s base - 115 gates (improved to 113 gates by Calik; same technique, exploring all ties) Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 8 / 22

  19. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation. Tower of fields constructions : Concentration on size: Wolkerstorfer, Oswald, Lamberger 2002 — work over subfield GF ( 2 4 ) Satoh, Morioka, Takano, Munetoh 2001 — within GF ( 2 4 ) use GF ( 2 2 ) Canright 2005 — tried many different bases B., Peralta 2010 — used Canright’s base - 115 gates (improved to 113 gates by Calik; same technique, exploring all ties) depth 28 Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 8 / 22

  20. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation. Tower of fields constructions : Depth: Canright 2005 — depth 25 ( ≥ 125 gates) Nogami, Nekado, Toyota, Hongo, Morikawa 2010 choose mixed bases so ≤ 4 ones for top and bottom transformations, so depth 2 for each depth 22, size 148 Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 9 / 22

  21. AES S-Box The S-Box has 8 inputs and 8 outputs. Inversion in GF ( 2 8 ) , followed by affine transformation. Tower of fields constructions : Depth: Canright 2005 — depth 25 ( ≥ 125 gates) Nogami, Nekado, Toyota, Hongo, Morikawa 2010 choose mixed bases so ≤ 4 ones for top and bottom transformations, so depth 2 for each depth 22, size 148 B., Peralta 2012 — depth 16, size 128 this presentation — depth 16, size 125, more automated Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 9 / 22

  22. AES S-Box Goal: minimize size (number of gates) and depth Technique : 1 Start with a circuit with small size (using previous techniques, for example [B.,Matthews,Peralta 2013]) Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 10 / 22

  23. AES S-Box Goal: minimize size (number of gates) and depth Technique : 1 Start with a circuit with small size (using previous techniques, for example [B.,Matthews,Peralta 2013]) 2 Use techniques from automatic theorem proving to re-synthesize non-linear components into lower-depth constructions (reused from [B., Peralta 2012]) Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 10 / 22

  24. AES S-Box Goal: minimize size (number of gates) and depth Technique : 1 Start with a circuit with small size (using previous techniques, for example [B.,Matthews,Peralta 2013]) 2 Use techniques from automatic theorem proving to re-synthesize non-linear components into lower-depth constructions (reused from [B., Peralta 2012]) 3 Apply a randomized, greedy heuristic to re-synthesize linear components into lower-depth constructions, using a new See-Saw Method Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 10 / 22

  25. Circuit for the S-Box of AES 8 bits in Top linear 22 bits · · · 22 bits Middle nonlinear 18 bits · · · 18 bits Bottom linear 8 bits out Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 11 / 22

  26. See-Saw Method depth 0 8 bits in Top linear 27 gates variable depth 22 bits · · · 22 bits 63 gates, fixed Middle nonlinear 18 bits · · · variable depth 18 bits 34 gates Bottom linear depth ≤ 19 8 bits out Start: Total depth 19, size 124 gates. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 12 / 22

  27. See-Saw Method depth 0 8 bits in 27 gates Top linear variable depth 22 bits After processing.... depth 0 Top linear 29 gates depth ≤ 3 Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 13 / 22

  28. See-Saw Method depth 0 29 gates Top linear depth ≤ 3 · · · 22 bits 63 gates, fixed Middle nonlinear 18 bits · · · 18 bits variable depth 34 gates Bottom linear depth ≤ 18 8 bits out Start: Total depth 19, size 124 gates. Now: Total depth 18, size 126 gates. Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 14 / 22

  29. See-Saw Method variable depth inputs 18 bits 34 gates Bottom linear variable depth ≤ 18 8 bits out After processing.... variable depth inputs 18 bits 35 gates Bottom linear variable depth ≤ 16 8 bits out Boyar, Find, Peralta Heuristic: Low-Depth, Low-Size Circuits BFA 2017 15 / 22

Recommend

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer Science and Engineering Department, Indian Institute of Technology, Bombay, (IITB) India. Joint work with Suryajith Chillara, Christian Engels,

2.53k views • 191 slides
Exponential lower bounds for hom. depth-5 circuits over finite fields Mrinal Kumar Ramprasad

Exponential lower bounds for hom. depth-5 circuits over finite fields Mrinal Kumar Ramprasad

Exponential lower bounds for hom. depth-5 circuits over finite fields Mrinal Kumar Ramprasad Saptharishi TIFR, Mumbai CCC 2017 Riga Rutgers Harvard Algebraic Circuits f ( x 1 , x 2 , x 3 ) = 2 x 2 1 + 2 x 1 x 2 + 2 x 1 x 3 + 2 x 2 x 3 =

1.56k views • 115 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Hardness vs Randomness for Bounded Depth Arithmetic Circuits Chi-Ning Chou Mrinal Kumar Noam

Hardness vs Randomness for Bounded Depth Arithmetic Circuits Chi-Ning Chou Mrinal Kumar Noam

Hardness vs Randomness for Bounded Depth Arithmetic Circuits Chi-Ning Chou Mrinal Kumar Noam Solomon Harvard University 1 Outline Arithmetic circuits and algebraic complexity classes Polynomial identity testing (PIT) Hardness vs

1.8k views • 145 slides
Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with

Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with

Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with Aggelos Kiayias University of Athens Asiacrypt 2013 - December 4, 2013 Introduction Attacking a cryptographic implementation Cryptographic device

258 views • 24 slides
A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Compuer Science

A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Compuer Science

A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Compuer Science and Engineering Department, Indian Institute of Technology, Bombay, (IITB) India. Joint work with Swapnam Bajpai, Vaibhav Krishan, Deepanshu Kush,

2.27k views • 159 slides
A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Computer Science

A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Computer Science

A #SAT Algorithm for Small Constant-Depth Circuits with PTF gates. Nutan Limaye Computer Science and Engineering Department, Indian Institute of Technology, Bombay, (IITB) India. Joint work with Swapnam Bajpai, Vaibhav Krishan, Deepanshu Kush,

1.85k views • 159 slides
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Cryptographic applications of codes in rank

498 views • 33 slides
Graph Algorithms: Applications CptS 223 Advanced Data Structures Larry Holder School of

Graph Algorithms: Applications CptS 223 Advanced Data Structures Larry Holder School of

Graph Algorithms: Applications CptS 223 Advanced Data Structures Larry Holder School of Electrical Engineering and Computer Science Washington State University 1 Applications Depth-first search Biconnectivity Euler circuits

366 views • 33 slides
Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Three Ways to Argue for Cryptographic Security Cryptanalysis

933 views • 75 slides
Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1

Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1

Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1 Algorithms and Complexity Theory Lab Department of Computer Science IIT Madras Chennai Theory Day, 2013 1 / 17 Circuit Model A circuit family C

880 views • 75 slides
Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Introduction Arithmetic in GF ( 2 m ) Summary - results, comments, future prospects Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamua 17th December 2012

695 views • 32 slides
Arithmetic circuits with locally low algebraic rank Mrinal Kumar Joint work with Shubhangi Saraf

Arithmetic circuits with locally low algebraic rank Mrinal Kumar Joint work with Shubhangi Saraf

Arithmetic circuits with locally low algebraic rank Mrinal Kumar Joint work with Shubhangi Saraf Plan for the talk Plan for the talk Depth four arithmetic circuits. Plan for the talk Depth four arithmetic circuits. The problem we

1.23k views • 106 slides
Relationship between Water Flow and Animal Size Variables Control variables: Water depth, river

Relationship between Water Flow and Animal Size Variables Control variables: Water depth, river

Relationship between Water Flow and Animal Size Variables Control variables: Water depth, river bed substrate composition, light intensity, water temperature Independent variable : Water flow rate Dependent variables: Animal species(size of

373 views • 10 slides
Transistor Size Optimization Methodology for Logic Circuits Considering Variations caused by BTI

Transistor Size Optimization Methodology for Logic Circuits Considering Variations caused by BTI

Transistor Size Optimization Methodology for Logic Circuits Considering Variations caused by BTI and Process TAU 2016 Thursday, March 10, 2016 Michitarou YABUUCHI, Kazutoshi KOBAYASHI Kyoto Institute of Technology 1 Kobayashi Lab. Summary

497 views • 18 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Cryptographic Tools for Privacy, Compliance & Efficiency in Blockchain Applications Fernando

Cryptographic Tools for Privacy, Compliance & Efficiency in Blockchain Applications Fernando

Cryptographic Tools for Privacy, Compliance & Efficiency in Blockchain Applications Fernando Krell, PhD Columbia U. Lead Cryptography Engineer, Findora Public-Ledgers/Blockchains R 1:... R 2:... R 3:... R 4:... ... Append only Database

359 views • 34 slides
Wo o l l y Mammo t h Th eat r e Lighting Depth Canopy Lobby Theatre Office Electrical Depth

Wo o l l y Mammo t h Th eat r e Lighting Depth Canopy Lobby Theatre Office Electrical Depth

Location: Washington DC Owner: The Woolly Mammoth Theatre Company Architect: Mcinturff Architects Size: 31,600 SF Total Stories: 3 Cost: $8,000,000 Over view Wo o l l y Mammo t h Th eat r e Lighting Depth Canopy Lobby Theatre Office

766 views • 33 slides
Applications of Graph Traversal Algorithm : Design & Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design & Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design & Analysis [12] In the last class Depth-First and Breadth-First Search Finding Connected Components General Depth-First Search Skeleton Depth-First Search Trace

498 views • 35 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Private Set In Intersection (PSI): in the Cloud, or using Circuits Benny Pinkas September 10,

Private Set In Intersection (PSI): in the Cloud, or using Circuits Benny Pinkas September 10,

Private Set In Intersection (PSI): in the Cloud, or using Circuits Benny Pinkas September 10, 2017 Pri rivate Set In Intersectio ion (P (PSI) ? ? In In this talk Computing PSI using linear-size circuits, via two-dimensional Cuckoo

1.11k views • 78 slides
Parity Helps to Compute Majority Igor Carboni Oliveira Rahul Santhanam Srikanth Srinivasan

Parity Helps to Compute Majority Igor Carboni Oliveira Rahul Santhanam Srikanth Srinivasan

Parity Helps to Compute Majority Igor Carboni Oliveira Rahul Santhanam Srikanth Srinivasan Computational Complexity Conference 2019 1 Background and Motivation 2 Bounded-depth boolean circuits AC 0 : Bounded-depth circuits with AND , OR

926 views • 61 slides
Majority is incompressible by AC 0 [ p ] circuits Igor Carboni Oliveira Columbia University

Majority is incompressible by AC 0 [ p ] circuits Igor Carboni Oliveira Columbia University

Majority is incompressible by AC 0 [ p ] circuits Igor Carboni Oliveira Columbia University Joint work with Rahul Santhanam (Univ. Edinburgh) 1 Part 1 Background, Examples, and Motivation 2 Basic Definitions AC 0 d circuits: polynomial size

1.51k views • 90 slides

More recommend