the marvellous universe of arithmetization oriented
play

The Marvellous Universe of Arithmetization-Oriented Primitives - PowerPoint PPT Presentation

Oct 23, 2022 •180 likes •690 views

The Marvellous Universe of Arithmetization-Oriented Primitives Abdelrahaman Aly, Tomer Ashur , Eli Ben-Sasson, Siemen Dhooghe, Alan Szepieniec The Goal The goal is to design a hash function that: The Goal The goal is to design a hash

  1. The Marvellous Universe of Arithmetization-Oriented Primitives Abdelrahaman Aly, Tomer Ashur , Eli Ben-Sasson, Siemen Dhooghe, Alan Szepieniec

  2. The Goal ◮ The goal is to design a hash function that:

  3. The Goal ◮ The goal is to design a hash function that: ◮ is secure;

  4. The Goal ◮ The goal is to design a hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling);

  5. The Goal ◮ The goal is to design a hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  6. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  7. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  8. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit fiddling); ◮ minimizes the number of field multiplications.

  9. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit ◮ well understood and fiddling); ◮ minimizes the number heavily cryptanaylzed; of field multiplications. but

  10. The Goal ◮ The goal is to design a ◮ AES! hash function that: ◮ is secure; ◮ Is secure; ◮ operates on field ◮ natively operates on elements in GF(2 8 ); elements (e.g., no bit ◮ well understood and fiddling); ◮ minimizes the number heavily cryptanaylzed; of field multiplications. but ◮ does not minimize the number of field multiplications.

  11. AES as a Starting Point ◮ AES has 4 operations: ◮ S-box ◮ ShiftRows ◮ MixColumns (a) S-box (b) ShiftRows ◮ AddRoundKey (c) (d) MixColumns AddRoundKey

  12. AES as a Starting Point ◮ AES has 4 operations: ◮ S-box ◮ ShiftRows ◮ MixColumns (a) S-box (b) ShiftRows ◮ AddRoundKey ◮ All the multiplications are inside the S-box (c) (d) MixColumns AddRoundKey

  13. The S-box ◮ The S-box consists of two operations: ◮ Multiplicative inverse (11 multiplications) (see Damg˚ ard & Keller FC’10) ◮ Affine polynomial (7 multiplications)

  14. Cost ◮ Multiplications per S-box: (11 + 7) = 18

  15. Cost ◮ Multiplications per S-box: (11 + 7) = 18 ◮ Multiplications per round: (11 + 7) · 16 = 288

  16. Cost ◮ Multiplications per S-box: (11 + 7) = 18 ◮ Multiplications per round: (11 + 7) · 16 = 288 ◮ Multiplications per AES evaluation: (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box

  17. Observations ◮ Non-procedural computation

  18. Non-Procedural Computation ◮ Verification, not computation

  19. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can

  20. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or

  21. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1

  22. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1 ◮ Don’t forget 0 → 0: x (1 − xy ) = 0

  23. Non-Procedural Computation ◮ Verification, not computation ◮ Given ( x 1 , y 1 ) to verify that y 1 = 1 x 1 we can ◮ directly compute ( x 1 ) 254 ; or ◮ check if x 1 · y 1 = 1 ◮ Don’t forget 0 → 0: x (1 − xy ) = 0 ◮ Cost of the multiplicative inverse 11 2

  24. Cost ◮ Multiplications per AES evaluation (old): (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box

  25. Cost ◮ Multiplications per AES evaluation (old): (11 + 7) · 16 10 = 2880 · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box

  26. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable

  27. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree

  28. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This

  29. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This ◮ Requires many multiplications to compute directly; but

  30. The Affine Polynomial i c i · 2 2 i (linearized polynomials) ◮ Polynomials of the form � are efficiently computable ◮ The inverse of a low degree, linearized polynomial is not linearized nor low-degree ◮ Take two linearized polynomials of degree 4 and compose one with the inverse of the other. This ◮ Requires many multiplications to compute directly; but ◮ requires only (2 + 2) = 4 a few multiplications to verify.

  31. Cost ◮ Multiplications per AES evaluation (old): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box

  32. Cost ◮ Multiplications per AES evaluation (old): (2 + 7) · 16 10 = 1440 (50% of AES-128) · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box

  33. Observations ◮ Non-determinism ◮ Cost of multiplication is independent of the field size

  34. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements.

  35. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements. ◮ No need for ShiftRows and MixColumns

  36. Reducing the State ◮ Instead of a 4 × 4 state of bytes, we now use a 1 x 1 state of 128-bit elements. ◮ No need for ShiftRows and MixColumns ◮ One S-box per round

  37. Cost ◮ Multiplications per AES evaluation (old): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box

  38. Cost ◮ Multiplications per AES evaluation (old): (2 + (2 + 2)) · 16 10 = 960 (33% of AES-128) · ���� ���� � �� � state rounds S-box ◮ Multiplications per AES evaluation (new): (2 + (2 + 2)) 1 10 = 60 (2% of AES-128) · · ���� ���� � �� � state rounds S-box

  39. Setting the Number of Rounds ◮ The way to determine the proper number of rounds is to try all known attacks, see which one reaches most rounds, add a safety margin, and viola!

  40. Observations ◮ Non-determinism ◮ Cost of multiplication is independent of the field size ◮ Increasing the field size kills statistical attacks (e.g., differential and linear cryptanalysis) faster

  41. Jarvis

  42. Alas

  43. Vision ◮ An m × 1 state ◮ MDS matrix to mix the elements ◮ Alternate between a linearized polynomial of low degree and its inverse ◮ Particular attention to Gr¨ obner basis attacks

  44. Vision

  45. Rescue ◮ Operates over prime fields ◮ Alternate between x α (e.g., α = 3) and x 1 a (resp., cubic root)

  46. Rescue

  47. Breaking News

  48. Cleaning Roberto’s Mess

  49. The Team

Recommend

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer

BLOOMIN' MARVELLOUS WHY PROBABLY CAN BE BETTER THAN DEFINITELY Adrian Colyer, @adriancolyer AGENDA Introduction & motivation Bloom filters Tuning Hashing Related applications of PDSs TRAFFIC SURVEILLANCE For every traffic camera in

920 views • 44 slides
Star A large, glowing ball of gas that generates heat and light through nuclear fusion Planet

Star A large, glowing ball of gas that generates heat and light through nuclear fusion Planet

Chapter 1 1.1 A Modern View of the Our Place in the Universe Universe Our goals for learning: What is our place in the universe? How did we come to be? How can we know what the universe was like in the past? Can we see the

118 views • 8 slides
Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin

Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin

S C I E N C E P A S S I O N T E C H N O L O G Y Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin Albrecht Carlos Cid Lorenzo Grassi Dmitry Khovratovich Reinhard Lfenegger

895 views • 61 slides
Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner

Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner

Wedding Planner in Santorini Marvellous Wedding Wedding Venues Presentation Wedding planner in Santorini Marv rvel ellou ous Wedding was created to meet all your special needs to make this day absolut lutely ely unique ue and

314 views • 19 slides
REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already begun #12 IBC Eindhoven, 26 April 2020 Its not fair! HOW LONG? Revelation 6:10 + Psalm 13 + many others! REVELATION 15:1 Another great and

146 views • 10 slides
BIG BANG: beginning of Time Early times in the Universe were really Hot Stuff!! If the

BIG BANG: beginning of Time Early times in the Universe were really Hot Stuff!! If the

ASTR 1120 OUR Universe: General Astronomy: Accelerating Universe REVIEW Stars & Galaxies Dark Energy is causing the FINAL: Saturday, Dec 12th, 7:30pm, HERE expansion of ALTERNATE FINAL : Monday, Dec 7th, 5:30pm the universe

599 views • 10 slides
The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced Sustainability Studies Potsdam, Germany A tribute to Milla Baldo Ceolin Milla Baldo Ceolin, la signora dei neutrini MILLA.Nov2012 Slide# : 2 The high

761 views • 43 slides
Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets |

Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets |

Science Forces and Magnets Year One Science | Year 3 | Forces and Magnets | Marvellous Magnets | Lesson 6 Ai Aim I can explain that magnets attract some materials. Succe Success Cri Criteri ria I can identify materials that are

366 views • 12 slides
Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology:

Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology:

Lecture 25: Modern Physics and the Universe The Universe We Live In Announcements Cosmology: Past, Present, Future Schedule: Today: Current Physics - The Universe March ( parts of Ch. 12 , 20) Big Bang Report/Essay Due Today Next

313 views • 7 slides
9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe

9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe

9. The Universe 9.1 The Universe and Solar System 9.2 Seasons and the Moon 9.1 The Universe and Solar System What is a galaxy? A system of stars, star systems (like our solar system), dust, and any other objects within range of the star

819 views • 26 slides
The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary Particle Physics 1 Cosmology Study of the universe at the largest scale How big is the universe? Where did the universe come from?

577 views • 38 slides
+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe

+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe

+ An Introduction to Particle Physics + The Universe started with a Big Bang + The Universe started with a Big Bang What is our Universe made of? Particle physics aims to understand Elementary (fundamental) particles

683 views • 45 slides
The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything,

The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything,

The Answer to Life, the Universe and Everything Douglas Adams, Life, the Universe and Everything, Harmony Books, 1982. WELCOME TO THE ELM STREET DAILY MIRROR 42

520 views • 9 slides
Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem

Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem

First-order Predicate Logic Herbrand Theory 1 Herbrand universe The Herbrand universe T ( F ) of a closed formula F in Skolem form is the set of all terms that can be constructed using the function symbols in F . In the special case that F

539 views • 15 slides
The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht Leiden Observation of the early universe (WMAP) Abel1689 Stephen's quintuplet The universe is multi-physics The universe is multi-scale Jungle

578 views • 44 slides
Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual

Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual

Make this universe yours Hoshikaze 2250, at a glance : An huge and wide Universe Actual concrete Achievements A collaborative and transmedia Project driven by a Non-for-Profit Association A dedicated creative Team The Hoshikaze

937 views • 69 slides
The first generations of stars Elisabetta Caffau GEPI 0.1 Primordial Universe Understanding

The first generations of stars Elisabetta Caffau GEPI 0.1 Primordial Universe Understanding

The first generations of stars Elisabetta Caffau GEPI 0.1 Primordial Universe Understanding the Universe: we have now a picture on What the Universe is made of For how long it has existed How it will evolve in future The knowledge is based

1.29k views • 53 slides
P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe in Lee-Wick Bouncing Universe Wick Bouncing Universe Wick Bouncing Universe Inyong Cho (Seoul National University of Science & Technology)

619 views • 37 slides
Cosmic Microwave Background: Fossil of the Fireball Universe Eiichiro Komatsu

Cosmic Microwave Background: Fossil of the Fireball Universe Eiichiro Komatsu

Cosmic Microwave Background: Fossil of the Fireball Universe Eiichiro Komatsu (Max-Planck-Institut fr Astrophysik) JSPS-Abend, Bonn, September 2, 2015 Seeing the Early Universe Astronomers often talk about the early Universe as if they

663 views • 41 slides
Chapter 1 Our Place in the Universe 1.1 A Modern View of the Universe Our goals for learning:

Chapter 1 Our Place in the Universe 1.1 A Modern View of the Universe Our goals for learning:

Chapter 1 Our Place in the Universe 1.1 A Modern View of the Universe Our goals for learning: What is our place in the universe? How did we come to be? How can we know what the universe was like in the past? Can we see the

780 views • 46 slides
The Science Missions of Columbia Tools for Viewing The Universe Tools for Viewing The Universe

The Science Missions of Columbia Tools for Viewing The Universe Tools for Viewing The Universe

The Science Missions of Columbia Tools for Viewing The Universe Tools for Viewing The Universe & Columbia Shuttle Added Corrective Optics to the Hubble Space Telescope Hubble Discovers a New View of The Cosmos 2.2 billion light-years away

491 views • 32 slides
Infomaker Digital Presentation Universe IM Presentation

Infomaker Digital Presentation Universe IM Presentation

Infomaker Digital Presentation Universe IM Presentation Universe public white paper, 20171025, Peter Mnsson/CTO. Infomakers Newspilot

361 views • 8 slides
Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

11/14/17 CSCI-2320 Object-Oriented Paradigm: Ruby Mohammad T . Irfan Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u Imperative u Procedural decomposition u Procedures are all powerful u Data is

582 views • 45 slides
Dark Matter Simulations for the Large-Scale Structure of the Universe Raul E. Angulo Advanced

Dark Matter Simulations for the Large-Scale Structure of the Universe Raul E. Angulo Advanced

Dark Matter Simulations for the Large-Scale Structure of the Universe Raul E. Angulo Advanced Workshop on Cosmological Structures ICTP, Trieste 1 Mayo 2015 Simulating structure formation in the Universe Most of the mass in the Universe is in

592 views • 38 slides

More recommend