On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
Dahmun Goudarzi and Matthieu Rivain
CHES 2016, Santa Barbara
Higher-Order Masking
$x = x_1 + x_2 + \cdots + x_d$
• Linear operations: $O(d)$
• Non-linear operations: $O(d^2)$
→ Challenge for block ciphers: S-boxes
Ishai-Sahai-Wagner Multiplication
$\left(\sum_i a_i\right) \cdot \left(\sum_i b_i\right) = \sum_{i,j} a_i \cdot b_j + \text{fresh random}$
• Variant: CPRR evaluation for quadratic functions (Coron et al., FSE 2013)
The Polynomial Method
• S-box seen as a (univariate) polynomial over $\mathrm{GF}(2^n)$
• Specific S-boxes, e.g. AES: $S(x) = \mathrm{Aff}(x^{254})$
• Generic methods:
  ◮ CRV decomposition (CHES 2014): $S(x) = \sum_{i=0}^{t-1} g_i(x) \cdot h_i(x) + h_t(x)$
  ◮ Algebraic decomposition (CRYPTO 2015): $S(x) = \sum_{i=0}^{t-1} h_i(g_i(x)) + h_t(x)$
The Bitslice Method
• S-box seen as a Boolean circuit
Figure: the circuit on input bits $x_1, x_2, \ldots, x_n$ is evaluated on packed registers $X_1, X_2, \ldots, X_n$; each XOR gate becomes one CPU XOR and each AND gate one CPU AND.
Bitslice for S-boxes
• Find a compact Boolean circuit for the S-box
• 16 S-boxes computed with one bitsliced computation
• Higher-Order Masking:
  ◮ XOR → $d$ XORs
  ◮ AND → ISW-AND
• Minimizing the $O(d^2)$ → minimizing the number of ISW-ANDs
Polynomial vs Bitslice approach
• How Fast Can Higher-Order Masking Be in Software?, eprint 2016
Figure: clock cycles (scales $10^5$ and $10^6$) against the masking order $d$ (2 to 10), Bitslice AES vs. best polynomial method and Bitslice PRESENT vs. best polynomial method.
• Motivation: bitslice for generic S-box evaluations
Multiplicative Complexity of Boolean Functions
Boolean functions
• Span: $\langle f_1, f_2, \ldots, f_m \rangle = \left\{ \sum_i a_i f_i \mid a_i \in \mathbb{F}_2 \right\}$
• $\mathcal{M}_n = \{ x \mapsto x^u = x_1^{u_1} \cdot x_2^{u_2} \cdots x_n^{u_n} \mid u \in \{0,1\}^n \}$ is the set of monomials
• Algebraic Normal Form (ANF): $f(x) = \sum_{u \in \{0,1\}^n} a_u x^u$, i.e. $f \in \langle \mathcal{M}_n \rangle$
• S-box: $S(x) = (f_1(x), f_2(x), \ldots, f_n(x))$
Multiplicative Complexity
• $C(f)$: minimum number of multiplications to compute $f$
• $C(f_1, f_2, \ldots, f_n) \le C(\mathcal{M}_n) = 2^n - (n+1)$
• $\exists f \in \langle \mathcal{M}_n \rangle,\ C(f) > 2^{n/2} - n$
• Method to find the optimal solution for $n \le 5$: SAT solver
• Constructive method [BPP00]: $C(f) \approx 2^{\frac{n}{2}+1} - \frac{n}{2} - 2$
Our results
• Generalization of BPP for S-boxes: $C(S) \approx \sqrt{n}\, 2^{\frac{n}{2}+1} - \frac{3n}{2} - \frac{n-1}{2 \log n}$
• New method: generalization of CRV: $C(S) \approx \sqrt{n}\, 2^{\frac{n}{2}+1} - 2n - 1$

n                                    4    5    6    7    8    9    10
BPP extended                         8   16   29   47   87  120   190
Our generic method ($C_{n,n}$)       8   17   31   50   77  122   190
Our improved method ($C^*_{n,n}$)    7   13   23   38   61   96   145

Table: Multiplicative complexities of $n$-bit S-boxes.
New Generic Decomposition Method
Decomposition of a Single Boolean Function
$f(x) = \sum_{i=0}^{t} g_i(x) \cdot h_i(x)$
• $g_i$: random linear combinations from $\mathcal{B} = \{\varphi_j\}_j$: $a_{i,j} \leftarrow_{\$} \{0,1\}$, $g_i \leftarrow \sum_j a_{i,j} \varphi_j$
• Find $c_{i,j}$ s.t. $h_i = \sum_j c_{i,j} \varphi_j$ by solving a linear system: $f(x) = \sum_i \left(\sum_j a_{i,j} \varphi_j(x)\right)\left(\sum_j c_{i,j} \varphi_j(x)\right),\ \forall x$
Decomposition of a Single Boolean Function
$f(x) = \sum_i \left(\sum_j a_{i,j} \varphi_j(x)\right)\left(\sum_j c_{i,j} \varphi_j(x)\right),\ \forall x$
• $\{e_i\}_{i=1}^{2^n} = \mathbb{F}_2^n$
• $A_1 c_1 + A_2 c_2 + \cdots + A_t c_t = (f(e_1), f(e_2), \ldots, f(e_{2^n}))$

$$A_i = \begin{pmatrix}
\varphi_1(e_1) \cdot g_i(e_1) & \varphi_2(e_1) \cdot g_i(e_1) & \cdots & \varphi_{|\mathcal{B}|}(e_1) \cdot g_i(e_1) \\
\varphi_1(e_2) \cdot g_i(e_2) & \varphi_2(e_2) \cdot g_i(e_2) & \cdots & \varphi_{|\mathcal{B}|}(e_2) \cdot g_i(e_2) \\
\vdots & \vdots & \ddots & \vdots \\
\varphi_1(e_{2^n}) \cdot g_i(e_{2^n}) & \varphi_2(e_{2^n}) \cdot g_i(e_{2^n}) & \cdots & \varphi_{|\mathcal{B}|}(e_{2^n}) \cdot g_i(e_{2^n})
\end{pmatrix}$$
Conditions
• $(t+1)|\mathcal{B}|$ unknowns, $2^n$ equations: $(t+1)|\mathcal{B}| \ge 2^n$
• Condition on the sum: $t \ge \lceil 2^n / |\mathcal{B}| \rceil - 1$
• Condition on the basis: $\mathcal{B} \times \mathcal{B}$ has to span all Boolean functions
How to Construct the Basis $\mathcal{B}$
• Start from $\mathcal{B}_0$ such that $\langle \mathcal{B}_0 \times \mathcal{B}_0 \rangle = \langle \mathcal{M}_n \rangle$
• From $\mathcal{B}_0$ to $\mathcal{B}$:
  ◮ $\varphi, \psi \leftarrow_{\$} \langle \mathcal{B} \rangle$
  ◮ $\mathcal{B} \leftarrow \mathcal{B} \cup \{\varphi \cdot \psi\}$
Costs
• $r$ multiplications for $\mathcal{B}$: $r = |\mathcal{B}| - n - 1$, $|\mathcal{B}| \ge |\mathcal{B}_0|$
• $t$ multiplications for the decomposition products: $t \ge \lceil 2^n / |\mathcal{B}| \rceil - 1$
• Cost: $r + t$

n            4       5       6       7        8        9        10
(r, t)     (2,3)   (5,3)   (9,5)   (16,6)   (25,9)   (41,11)   (59,17)
$C_{n,n}$    5       8      14      22       34       52        78
Decomposition of the S-box
• S-box: $x \mapsto (f_1(x), f_2(x), \ldots, f_n(x))$
• Apply $n$ Boolean decompositions on the $f_i$'s
• Costs: $r + t \cdot n$ multiplications

n            4       5       6        7        8        9        10
(r, t)     (4,1)   (7,2)   (13,3)   (22,4)   (37,5)   (59,7)   (90,10)
$C_{n,n}$    8      17      31       50       77      122       190

• Works for any S-box
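As an added example (not the authors' implementation), the generic decomposition of the preceding slides in Python: truth tables are ints over the $2^n$ inputs, the basis is $\mathcal{B}_0 = \{1, x_1, \ldots, x_n\}$ extended with the pair products $x_1x_2, x_3x_4, \ldots$ (an assumed choice of products), $g_0 = 1$ so that the sum costs $t$ ANDs, and the $h_i$ come from a GF(2) solve that reports the inconsistent case of the rank-drop slide and redraws the $g_i$. With this basis and $(r,t) = (2,3)$ the 4-bit PRESENT S-box (a constructed input here, not from the slides) costs $2 + 3 \cdot 4 = 14$ ANDs; the table's 8 for $n = 4$ relies on a better-chosen basis with $(r,t) = (4,1)$.

```python
import functools, operator, random

def xor_all(fs):
    return functools.reduce(operator.xor, fs, 0)

def var(k, n):
    """Truth table of x -> x_k as an int over the 2^n inputs (bit x holds the value at x)."""
    return sum(1 << x for x in range(1 << n) if (x >> k) & 1)

def make_basis(n, r):
    """B = {1, x_1..x_n} plus r products, here (assumed) the disjoint pairs x_1x_2, x_3x_4, ... (2r <= n)."""
    basis = [(1 << (1 << n)) - 1] + [var(k, n) for k in range(n)]
    return basis + [var(2 * i, n) & var(2 * i + 1, n) for i in range(r)]

def solve_gf2(rows):
    """Solve A c = b over F_2; rows = (bitmask of unknowns, rhs bit). None if inconsistent."""
    pivots = []  # (pivot column, row mask, rhs), kept fully reduced
    for mask, rhs in rows:
        for col, pm, pr in pivots:
            if (mask >> col) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs: return None  # 0 = 1: f lies outside the column space (the rank-drop case)
            continue
        col = mask.bit_length() - 1
        pivots = [(c, pm ^ mask, pr ^ rhs) if (pm >> col) & 1 else (c, pm, pr) for c, pm, pr in pivots]
        pivots.append((col, mask, rhs))
    return sum(1 << col for col, _, rhs in pivots if rhs)  # free unknowns set to 0

def decompose(f, basis, t, n, rng, tries=500):
    """f = sum_{i=0..t} g_i*h_i, g_0 = 1 (free), g_1..g_t random in <B>: t ANDs; redraw g_i on failure."""
    N, nb = 1 << n, len(basis)
    for _ in range(tries):
        gs = [basis[0]] + [xor_all(p for p in basis if rng.getrandbits(1)) for _ in range(t)]
        rows = [(sum(1 << (i * nb + j) for i, g in enumerate(gs) for j, p in enumerate(basis)
                     if (g >> x) & (p >> x) & 1), (f >> x) & 1) for x in range(N)]  # unknowns c_ij
        sol = solve_gf2(rows)
        if sol is not None:  # h_i = sum_j c_ij phi_j
            return gs, [xor_all(basis[j] for j in range(nb) if (sol >> (i * nb + j)) & 1)
                        for i in range(t + 1)]
    return None

def evaluate(gs, hs):
    """Recombine sum_i g_i*h_i: AND is the product, XOR the sum over F_2."""
    return xor_all(g & h for g, h in zip(gs, hs))

def decompose_sbox(sbox, n, r, t, seed=1):
    """Decompose the n coordinate functions over one shared basis: r + t*n ANDs in total."""
    rng, basis = random.Random(seed), make_basis(n, r)
    coords = [sum(1 << x for x, s in enumerate(sbox) if (s >> k) & 1) for k in range(n)]
    decs = [decompose(f, basis, t, n, rng) for f in coords]
    return all(d is not None and evaluate(*d) == f for d, f in zip(decs, coords)), r + t * n

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
```

`decompose_sbox(PRESENT_SBOX, 4, 2, 3)` returns `(True, 14)`: every coordinate function recombines exactly, for $2 + 3 \cdot 4$ ANDs.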
S-box Dependent Improvements
Basis Update Improvements
• Start with $\mathcal{B}_1 \supseteq \mathcal{B}_0$
• Decompose $f_1 = \sum_i g_{1,i} \cdot h_{1,i}$ with $\mathcal{B}_1$: $t_1 = \lceil 2^n / |\mathcal{B}_1| \rceil - 1$
• Set $\mathcal{B}_2 = \mathcal{B}_1 \cup \{g_{1,i} \cdot h_{1,i}\}$
• Decompose $f_2 = \sum_i g_{2,i} \cdot h_{2,i}$ with $\mathcal{B}_2$: $t_2 = \lceil 2^n / |\mathcal{B}_2| \rceil - 1$
• Set $\mathcal{B}_3 = \mathcal{B}_2 \cup \{g_{2,i} \cdot h_{2,i}\}$
• Decompose $f_3 = \sum_i g_{3,i} \cdot h_{3,i}$ with $\mathcal{B}_3$: $t_3 = \lceil 2^n / |\mathcal{B}_3| \rceil - 1$
• ...
• $\mathcal{B}_n = \mathcal{B}_{n-1} \cup \{g_{n-1,i} \cdot h_{n-1,i}\}$
• Decompose $f_n = \sum_i g_{n,i} \cdot h_{n,i}$ with $\mathcal{B}_n$: $t_n = \lceil 2^n / |\mathcal{B}_n| \rceil - 1$
• Costs: $r + t_1 + t_2 + \cdots + t_n$
Rank Drop
• $A_1 c_1 + A_2 c_2 + \cdots + A_t c_t = (f(e_1), f(e_2), \ldots, f(e_{2^n}))$
• A system $A \cdot c = b$ with $\mathrm{rank}(A) = 2^n - \delta$ works for a fraction $1/2^\delta$ of the Boolean functions
• Try $O(2^\delta)$ systems
• Reduced parameter: $(t+1)|\mathcal{B}| \ge 2^n - \delta$ → $t \ge \lceil (2^n - \delta) / |\mathcal{B}| \rceil - 1$
Results

S-box                  Serpent   SC2000 S5   SC2000 S6   CLEFIA
n                         4          5           6          8
Our generic method        7         17          31         77
Our improved method       6         11          21         62
Gain                      1          6          10         15
Implementation
Parallelization
• 16 S-boxes → 16-bit bitsliced registers
• But 32-bit architecture
• 2 16-bit ISW-ANDs ⇒ 1 32-bit ISW-AND
• At the circuit level: grouping AND gates per pair
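Added example (not the slides' own code) covering the ISW multiplication slide and the parallelization slide above: an ISW-AND on 16-bit bitsliced share words, each bit lane being one S-box instance, and two such 16-bit ISW-ANDs carried out as a single 32-bit ISW-AND by packing the share words side by side. The share/unshare helpers, the 16-bit lane width and the test values are assumptions of this example.

```python
import functools, operator, secrets

def unshare(shares):
    """Recombine shares (for the final unmasking step and for testing only)."""
    return functools.reduce(operator.xor, shares, 0)

def share(x, d, width=16):
    """Split a bitsliced word x into d shares with x = s_0 ^ ... ^ s_{d-1} (d-1 random words)."""
    shares = [secrets.randbits(width) for _ in range(d - 1)]
    return shares + [x ^ unshare(shares)]

def isw_and(a, b, width=16):
    """ISW multiplication of share vectors a and b of the same length d.
    c_i = a_i b_i + sum_{j<i} r_ji + sum_{j>i} r_ij with r_ji = (r_ij + a_i b_j) + a_j b_i,
    using d(d-1)/2 fresh random words: the O(d^2) cost per AND gate that the bitslice
    approach minimises by minimising AND gates. All lanes of a word are processed at once."""
    d = len(a)
    c = [a[i] & b[i] for i in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r_ij = secrets.randbits(width)
            r_ji = (r_ij ^ (a[i] & b[j])) ^ (a[j] & b[i])  # bracketing order matters for security
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c

def pack(lo, hi):
    """Place two 16-bit share vectors side by side in 32-bit words (2 16-bit ISW-ANDs => 1 32-bit)."""
    return [(h << 16) | l for l, h in zip(lo, hi)]

def unpack(c):
    """Split 32-bit share words back into the two 16-bit share vectors."""
    return [w & 0xFFFF for w in c], [w >> 16 for w in c]

def two_ands_in_one(a1, b1, a2, b2):
    """Evaluate the AND gates a1&b1 and a2&b2 (a pair grouped at circuit level) with one 32-bit ISW-AND."""
    return unpack(isw_and(pack(a1, a2), pack(b1, b2), width=32))
```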