smashing the implementation records of
play

Smashing the Implementation Records of AES S-box Arash - PowerPoint PPT Presentation

Aug 02, 2023 •236 likes •824 views

Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa Ashmawy Western University London, Ontario, Canada CHES-2018 1 Outline Introduction. Proposed AES S-box Architecture. New

  1. Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa Ashmawy Western University London, Ontario, Canada CHES-2018 1

  2. Outline • Introduction. • Proposed AES S-box Architecture. • New Logic-Minimization Algorithms. • New GF((2 4 ) 2 ) Inversion. • New Exponentiation Stage. • New Representation of Subfield Inversion. • New Output Multipliers. • Comparisons and Concluding Remarks. 2

  3. Introduction First Introduction Standardizing of Rijndael Rijndael as the AES Rijmen & Daemen 1998 2001 2005 2010 2015 2016 2018 First Imp. using Tower Fields Satoh et al. 3

  4. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Tower Fields Satoh et al. 3

  5. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Reduce the depth Most efficient Target small delay Tower Fields of S-box to 16 gates S-box / high efficiency Satoh et al. Ueno et al. Boyar, Find and Peralta 3

  6. Introduction Reduce the number of Then First Introduction Standardizing Most compact gates in Canright to 115 to 113 Target small area of Rijndael Rijndael as the S-box AES Rijmen & Daemen Boyar and Peralta CMT Canright 1998 2001 2005 2010 2015 2016 2018 First Imp. using Reduce the depth Most efficient Target small delay Tower Fields of S-box to 16 gates S-box / high efficiency Satoh et al. Ueno et al. Boyar, Find and Peralta In this paper, we propose: 1. The most compact S-box to date. 2. The most efficient S-box to date. 3

  7. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 4

  8. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. 4

  9. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  10. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The fastest original original Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  11. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The smallest The fastest The fastest original improved original improved Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library 4

  12. Implementation Pitfalls 1. Use AND gates, when NAND gates have smaller area and delay in all technology libraries. 2. Use only simple gates, when compound gates (AND-OR-Invert, OR-AND-Invert) may be more efficient. • We improved previous designs using AND gates to the ones using NAND/NOR gates: The smallest The smallest The fastest The fastest original improved original improved Delay (ns) Area (GEs) S-box Original Improved Original Improved Canright [Can05b] 200 1.253 113-gates [Boy16] 202 1.523 1.346 194 Depth-16 (2012) [BP12] 230.5 222 0.960 0.906 Depth-16 (2017) [BFP17] 224.5 0.957 0.912 216 Ueno et al. [UHS+15] 256.5 0.831 0.772 238 Targeting STM 65-nm CMOS standard library At the end, we compare only against the Improved Versions. Formulations of the improved designs are included in the paper. 4

  13. AES S-box • Original S-box Inversion g x M + h s GF(2 8 ) 5

  14. AES S-box • Original S-box Inversion g x M + h s GF(2 8 ) • Typical implementation using Composite Fields in Normal Basis Composite field Inversion () 2 X - 1 g X x M + h s 5

  15. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 6

  16. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 New Logic- New Logic- New, Improved New New New Minimization Minimization Representations Formulations Formulations Multipliers Algorithms Algorithms 6

  17. Proposed AES S-box Architecture • 12 terms are shared between the Exponentiation and Multipliers Composite field Inversion 6 5 10 g T in 12 s T out 5 6 New Logic- New Logic- New, Improved New New New Minimization Minimization Representations Formulations Formulations Multipliers Algorithms Algorithms Everything optimized by-hand and by CAD tools at various abstraction levels (promote using NAND/NOR and compound gates ) 6

  18. Outline • Introduction, Motivation and Previous Work. • Proposed AES S-box Architecture. • New Logic-Minimization Algorithms. • New GF((2 4 ) 2 ) Inversion. • New Exponentiation Stage. • New Representation of Subfield Inversion. • New Output Multipliers. • Comparisons and Concluding Remarks. 7

  19. Logic-Minimization Algorithms T in • Implement isomorphic transformation Input Rep. in GF((2 4 ) 2 ) matrices using smallest number of gates. • NP-hard problem [BMP08]. g T in 12 12 shared terms 8

  20. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. 9

  21. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. • Heuristics (with cancellation): Normal-BP (Boyar and Peralta [BP10]) 9

  22. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. • Heuristics (with cancellation): 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

  23. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. Compute • Heuristics (with cancellation): 2 Dist 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

  24. Logic-Minimization Algorithms (cont.) First 8 rows of T in • Implement isomorphic transformation matrices using smallest number of gates. • NP-hard problem [BMP08]. • Previous work • Cancellation-free search: Gates are never used to cancel-out common terms, Canright [Can05b] and Paar [Paa94]. Compute • Heuristics (with cancellation): 2 Dist 1 Normal-BP (Boyar and Peralta [BP10]) 1. Test adding one gate 3 2. Compute Distance to each target (assuming no sharing) 3. Select a gate leading to the (min average Dist ) Resolve ties using different methods. 9

Recommend

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
Recommendations for enhancing the implementation and utility of shared digital health records in

Recommendations for enhancing the implementation and utility of shared digital health records in

Recommendations for enhancing the implementation and utility of shared digital health records in rural Australian communities H. ALMOND a, , E. CUMMINGS b , P. TURNER a a School of Engineering & ICT, University of Tasmania b School of Health

309 views • 13 slides
Risk and Records at UTS Records Management Program > University Records, Governance Support

Risk and Records at UTS Records Management Program > University Records, Governance Support

THINK.CHANGE.DO Risk and Records at UTS Records Management Program > University Records, Governance Support Unit, Registrar, DVC (Corporate Services) 6 dedicated f/t positions > Devolved system 2 campuses (city campus over

325 views • 13 slides
Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary,

Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary,

Canadian Records Management February 2005 Summit Canadian Records Management Summit Calgary, Alberta February 21-24, 2006 Introduction What Makes RIM Programs Successful? Steps to Implementation How to Determine

315 views • 8 slides
AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis Framework for Good Recordkeeping Records are evidence of business Records system Records system Records Records characteristics

404 views • 21 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

RM1001 Records Custodian Training May 6, 2019 A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management important? 3. What is a Public Record? 4. What is Records Management? 5. Resources 2 1. Who is a

796 views • 33 slides
Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have Open Records Laws? Sunshine concept Examples of Records Transparent & Ethical Requests: Government Newspaper request for

281 views • 16 slides
Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match Piriyakorn Piriyatamwong and Caledonia Wilson University of Minnesota Twin Cities REU in Combinatorics Monday July 30, 2018 Introduction Consider

463 views • 45 slides
Books and Records 1 Overview Records to be maintained Other Information 2 These se

Books and Records 1 Overview Records to be maintained Other Information 2 These se

Guidelines on maintaining Books and Records 1 Overview Records to be maintained Other Information 2 These se gu guidelin elines es are propo posed sed to be enacted cted as a part of the Regu gulati tions ons for External

283 views • 10 slides
WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?)

WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?)

WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?) Presented by Jack B. Clarke, Jr. BEST BEST & KRIEGER LLP February 15, 2018 ACSA SYMPOSIUM ANAHEIM, CALIFORNIA AN OVERVIEW 1. The Basics: The

648 views • 50 slides
Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

\x90\x90\x90\x90\x90\x90\x90\x90 Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on linux_x86_64 <fritsch+blackhat@in.tum.de> Hagen Fritsch Technische Universitt Mnchen Black Hat Europe

928 views • 49 slides
Public Records Public Records Public Records Office Public Records Office Finance Finance

Public Records Public Records Public Records Office Public Records Office Finance Finance

WA S H I N G T O N S T AT E U N I V E R S I T Y Public Records Public Records Public Records Office Public Records Office Finance Finance & & Adminis Administration ration May 2020 Overview Public Records Law Public

319 views • 9 slides
Welcome THE KNOW YOUR RECORDS PROGRAM provides information on how to access and do research

Welcome THE KNOW YOUR RECORDS PROGRAM provides information on how to access and do research

Welcome THE KNOW YOUR RECORDS PROGRAM provides information on how to access and do research using U.S. Federal Government records held at the National Archives and Records Administration. View hundreds of video recordings and materials at

644 views • 46 slides
Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline

Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline

The State Records Act and Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline The State Records Act & Records Management Introduction to E-records Dealing with E-communications

647 views • 32 slides
Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

817 views • 71 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records

Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records

Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records Rules of Judicial Judicial Records Administration Rule 12 Records of the Judiciary Civil Court Case Records Tx Rules of Civil Procedure (non

426 views • 13 slides

More recommend