Recursive Diffusion Layers for (Lightweight) Block Ciphers and Hash Functions
Shengbao Wu, Mingsheng Wang, Wenling Wu
Institute of Software, Chinese Academy of Sciences; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
August 17, 2012
Shengbao Wu (Institute of Software,CAS)
Recursive Diffusion Layers
August 17, 2012
1 / 22
Outline
Introduction: MDS diffusion layers; recursive strategy
Preliminaries and Our Strategy: matrices over commutative rings; how to judge an MDS matrix; our strategy and some criteria
Main Results: LFSRs, GFS and other manners
Conclusion and Future Work
Introduction–MDS Diffusion Layer
Diffusion layer and its role. One of the core components in a block cipher, and also widely used in many other cryptographic primitives, e.g., hash functions. It influences both the security and the efficiency of a cryptographic primitive: it provides security against differential and linear cryptanalysis, and an elaborate diffusion layer may enhance the performance of a primitive.
Diffusion layers with maximum branch number. Joan Daemen's PhD thesis proposed to use an MDS matrix as the diffusion layer; such a layer is also called an MDS diffusion layer.
Until now, MDS matrices have been employed as the diffusion layers of many block ciphers, such as SHARK, AES and CLEFIA. Shortcoming: they cannot be implemented in an extremely compact way in hardware.
Thus, how to construct MDS diffusion layers with low-cost hardware implementations is a challenge for designers.
Introduction—Recursive Strategy
In CRYPTO 2011, PHOTON first answered this question by constructing MDS diffusion layers in a recursive manner. The same approach is used in the LED lightweight block cipher.
The new strategy constructs a diffusion layer with a linear feedback shift register (LFSR, see below). Each $L_i$ is chosen as the multiplication with an element of $\mathbb{F}_{2^n}$, where $n$ is the bit length of each bundle $x_i$.
In FSE 2012, Sajadieh et al. extended PHOTON's strategy to choose each $L_i$ as a linear transformation of $\mathbb{F}_2^n$. This provides more choices in constructing diffusion layers.
Introduction—Our Contributions
We follow and extend the recursive strategy to construct more lightweight MDS diffusion layers:
- Construct MDS diffusion layers with branch number from 5 to 9 using LFSRs.
- Construct them using Generalized Feistel Structures (GFS).
- Construct them by increasing the number of iterations and using bit-level LFSRs.
Preliminaries—Matrices over a Commutative Ring (1)
Suppose $A = (A_{i,j})_{1 \le i \le s,\, 1 \le j \le s}$ is an $s \times s$ matrix over a commutative ring $R$.
Definition ([1]). The determinant of $A$, denoted by $\det(A)$, is the following element of $R$:
$$\det(A) = \sum_{\sigma \in P(s)} \operatorname{sgn}(\sigma)\, A_{1,\sigma(1)} A_{2,\sigma(2)} \cdots A_{s,\sigma(s)}, \qquad (1)$$
where $P(s)$ denotes the set of all permutations on $s$ letters, and $\operatorname{sgn}(\sigma) \in \{1, -1\}$ denotes the sign of $\sigma$.
Theorem ([1]). $A$ is invertible if and only if $\det(A) \in U(R)$, where $U(R)$ is the set of all invertible elements in the ring $R$.
Preliminaries—Matrices over a Commutative Ring (2)
Suppose $L$ is an invertible matrix over $\mathbb{F}_2$, and
$$S = \Big\{ \sum a_{-i} L^{-i} + a_0 + \sum a_j L^{j} \;:\; i, j \in \mathbb{Z}^{+},\ a_{-i}, a_0, a_j \in \mathbb{F}_2 \Big\}, \qquad (2)$$
then $\mathbb{F}_2[L, L^{-1}] := (S, +, \cdot)$ is a commutative ring, where $+$ is the addition of $\mathbb{F}_2$ and $\cdot$ is the multiplication of polynomials.
Preliminaries—How to Judge an MDS Matrix
Suppose $D$ is a matrix composed of linear transformations of $\mathbb{F}_2^n$, that is,
$$D = \begin{pmatrix} D_{1,1} & D_{1,2} & \cdots & D_{1,m-t} \\ D_{2,1} & D_{2,2} & \cdots & D_{2,m-t} \\ \vdots & \vdots & \ddots & \vdots \\ D_{t,1} & D_{t,2} & \cdots & D_{t,m-t} \end{pmatrix}, \qquad (3)$$
where each $D_{i,j}$ is an $n \times n$ matrix over $\mathbb{F}_2$.
Theorem ([2]). An $\mathbb{F}_2$-linear $[m, t]$ code with generator matrix $G = [\, I_{t \times t} \;\; D_{t \times (m-t)} \,]$ is an MDS code if and only if every square submatrix of $D$ is invertible.
Main Strategy
1. Choose a structure and construct its transition matrix $A$.
2. Set each undetermined element of $A$ to be an element of $\mathbb{F}_2[L, L^{-1}]$. Choose an iteration number $d$ and compute $D = A^d$ as the final diffusion layer.
   $D$ is MDS $\Leftrightarrow$ each square submatrix of $D$ is invertible $\Leftrightarrow$ the determinant of each square submatrix of $D$ is an invertible element of $\mathbb{F}_2[L, L^{-1}]$.
3. Calculate the determinants of all square submatrices of $D$ as the conditions; this is a set of polynomials in $\mathbb{F}_2[L, L^{-1}]$. If zero is in the condition set, return to step 2.
4. Search whether there exists any $L$ such that all polynomials generated in step 3 are invertible elements of $\mathbb{F}_2[L, L^{-1}]$.
Some Criteria
- Choose $L_i = \sum_k a_k^{(i)} L^k$ with few terms. That is, the number of 1's in the coefficient list $[\ldots, a_{-1}^{(i)}, a_0^{(i)}, a_1^{(i)}, \ldots]$ should be as small as possible.
- The degrees of $L$ and $L^{-1}$ are also chosen to be low.
- The integer $d$ should be chosen as small as possible.
- The linear transformation $L$ should be low-cost in hardware implementation. Our chief targets are linear transformations with no more than one XOR gate (about 2.66 GE). Multiplications with a root of an irreducible polynomial are the secondary choice.
Additionally, for practical applications, we expect that the MDS diffusion layers proposed in this paper should have examples for $n = 4$ and $n = 8$.
Results—Part One, LFSRs (1)
Try to construct a matrix $A$ such that $D = A^d$ is an MDS matrix.
Cost (XOR gates):
$$(s - 1)\, n + \sum_{i=1}^{s} \#L_i, \qquad (4)$$
where $\#L_i$ is the cost of $L_i$ in hardware implementation.
Use $A^{(s)}_{\mathrm{lfsr}} = [L_1, L_2, \ldots, L_s]$ to represent the choice of $A$.
Results—Part One, LFSRs (2)
Table: MDS diffusion layers for 4 ≤ s ≤ 8 (with d = s), together with the cost in hardware implementation and the number of conditions.
s | A_lfsr^(s) (d = s)                     | Cost (XOR gates)                    | No. of conditions
4 | [L, 1, 1, L^2]                         | 3n + #L + #L^2                      | 12
5 | [1, L^2, L^-1, L^-1, L^2]              | 4n + 2(#L^2 + #L^-1)                | 21
6 | [1, L^-2, L^-1, L^2, L^-1, L^-2]       | 5n + #L^2 + 2(#L^-2 + #L^-1)        | 90
7 | [1, L, L^-5, 1, 1, L^-5, L]            | 6n + 2(#L + #L^-5)                  | 592
8 | [1, L^-3, L, L^3, L^2, L^3, L, L^-3]   | 7n + #L^2 + 2(#L + #L^3 + #L^-3)    | 2629
Results—Part One, LFSRs (3)
Table: Lightweight linear transformations L for A_lfsr^(s) with 4 ≤ s ≤ 8.
Length of each bundle | Example of L                    | Fits s =
n = 4                 | [[2, 3], 3, 4, 1]               | 4, 5, 6, 7, 8
n = 8                 | [[5, 6], 7, 5, 8, 4, 3, 1, 2]   | 4, 5, 6, 7, 8
n = 16                | [[1, 2], 3, 4, . . . , 16, 1]   | 4, 5, 6
n = 16                | [[2, 6], 3, 4, . . . , 16, 1]   | 7, 8
n = 32                | [[2, 4], 3, 4, . . . , 32, 1]   | 4
n = 32                | [[2, 10], 3, 4, . . . , 32, 1]  | 5, 6, 7, 8
n = 64                | [[2, 6], 3, 4, . . . , 64, 1]   | 4
n = 64                | [[2, 3], 3, 4, . . . , 64, 1]   | 6, 7
n = 64                | [[2, 17], 3, 4, . . . , 64, 1]  | 5, 8
Note: [[2, 3], 3, 4, 1] is the representation of the matrix
0 1 1 0
0 0 1 0
0 0 0 1
1 0 0 0
(position i of the list gives the input bits XORed into output bit i).
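As an added example (not code from the slides or their authors), the following Python carries out steps 1 to 4 of the Main Strategy for the LFSR structure of Part One. Elements of F2[L, L^-1] are modelled as Laurent polynomials over F2, D = A^d is computed symbolically, the determinants of all square submatrices of D form the condition set (step 3), and a concrete 4 x 4 matrix L is substituted to check that every condition is an invertible matrix (step 4). The taps are an assumption chosen so the outcome is known: LED's MixColumnsSerial choice (4, 1, 2, 2), written as [L^2, 1, L, L], is not in the tables above; the concrete L is the 1-XOR matrix [[2, 3], 3, 4, 1] from the table above, whose characteristic polynomial is x^4 + x + 1 (the field polynomial LED and PHOTON use for 4-bit cells). All function names are the example's own; the page's own entries such as [L, 1, 1, L^2] can be passed to the same functions.

```python
"""Main Strategy, steps 1-4, for an s = 4 LFSR-type diffusion layer (added example)."""
from functools import reduce
from itertools import combinations

# An element of F2[L, L^-1] is a Laurent polynomial with coefficients in F2; it is stored
# as the frozenset of exponents whose coefficient is 1 (ZERO is the empty set).
ZERO, ONE = frozenset(), frozenset({0})

def L_pow(k):
    """The monomial L^k; k may be negative because L is invertible."""
    return frozenset({k})

def lp_add(p, q):
    """Addition: coefficients are mod 2, so equal exponents cancel (symmetric difference)."""
    return p ^ q

def lp_mul(p, q):
    r = set()
    for i in p:
        for j in q:
            r ^= {i + j}
    return frozenset(r)

def mat_mul(A, B):
    s = len(A)
    return [[reduce(lp_add, (lp_mul(A[i][k], B[k][j]) for k in range(s)), ZERO)
             for j in range(s)] for i in range(s)]

def mat_pow(A, d):
    """Step 2: D = A^d, computed over the ring."""
    D = [[ONE if i == j else ZERO for j in range(len(A))] for i in range(len(A))]
    for _ in range(d):
        D = mat_mul(D, A)
    return D

def det(M):
    """Determinant by Laplace expansion; in characteristic 2 every sgn(sigma) of (1) is 1."""
    if len(M) == 1:
        return M[0][0]
    total = ZERO
    for j in range(len(M)):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total = lp_add(total, lp_mul(M[0][j], det(minor)))
    return total

def conditions(D):
    """Step 3: determinants of all square submatrices of D, as a set of polynomials."""
    s = len(D)
    return {det([[D[i][j] for j in cols] for i in rows])
            for k in range(1, s + 1)
            for rows in combinations(range(s), k)
            for cols in combinations(range(s), k)}

def lfsr_matrix(taps):
    """Step 1: transition matrix of the LFSR x_i <- x_{i+1}, x_s <- L_1 x_1 + ... + L_s x_s."""
    s = len(taps)
    return [[ONE if j == i + 1 else ZERO for j in range(s)] for i in range(s - 1)] + [list(taps)]

# Concrete linear transformations of F2^n are n x n 0/1 matrices (lists of rows).
def from_repr(spec):
    """Slide-13 notation: position i lists the input bits (1-indexed) XORed into output bit i."""
    n = len(spec)
    return [[int(j + 1 in (src if isinstance(src, list) else [src])) for j in range(n)]
            for src in spec]

def f2_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] & Y[k][j] for k in range(n)) & 1 for j in range(n)] for i in range(n)]

def f2_inverse(X):
    """Gauss-Jordan elimination over F2; returns None when X is singular."""
    n = len(X)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(X)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def evaluate(p, Lm, Linv):
    """p(L): substitute the concrete matrix L (L^-1 for negative exponents) into p."""
    n = len(Lm)
    acc = [[0] * n for _ in range(n)]
    for e in p:
        term = [[int(i == j) for j in range(n)] for i in range(n)]
        for _ in range(abs(e)):
            term = f2_mul(term, Lm if e >= 0 else Linv)
        acc = [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(acc, term)]
    return acc

def is_mds(conds, Lm):
    """Step 4 for one candidate L: every condition must evaluate to an invertible matrix."""
    Linv = f2_inverse(Lm)
    return Linv is not None and all(f2_inverse(evaluate(p, Lm, Linv)) is not None for p in conds)

# Assumed taps for the demonstration: LED's MixColumnsSerial (4, 1, 2, 2) written as
# [L^2, 1, L, L], with the 1-XOR matrix of slide 13 standing in for multiplication by 2
# (its characteristic polynomial is x^4 + x + 1, the field polynomial used by LED/PHOTON).
LED_TAPS = [L_pow(2), ONE, L_pow(1), L_pow(1)]
L_SLIDE13 = from_repr([[2, 3], 3, 4, 1])

if __name__ == "__main__":
    for d in (3, 4):
        conds = conditions(mat_pow(lfsr_matrix(LED_TAPS), d))
        print(f"d={d}: {len(conds)} conditions, zero present: {ZERO in conds}, "
              f"MDS with slide-13 L: {is_mds(conds, L_SLIDE13)}")
```

With d = 3 the first row of A^3 is still a unit vector, so the condition set contains the zero polynomial and the strategy sends the designer back to step 2; with d = 4 no condition is zero and every condition evaluates to an invertible matrix for the slide-13 L, which is exactly what the branch-number-5 claim for s = 4 requires. Because the slide-13 L satisfies L^4 + L + I = 0, substituting it is equivalent to evaluating the conditions in F_{2^4}, which is why a field-element choice from LED can be reused with a 1-XOR matrix.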
Results—Part One, LFSRs (4)
Our proposals can be used to replace those given in the PHOTON lightweight hash family to gain smaller hardware implementations.
Table: Comparison of our diffusion layers with those used in PHOTON.
      | (s, n) | PHOTON    | Ours      | Reduced (%)
P100  | (5, 4) | 75.33 GE  | 58.52 GE  | 22.3
P144  | (6, 4) | 80 GE     | 74.48 GE  | 6.9
P196  | (7, 4) | 99 GE     | 95.76 GE  | 3.3
P256  | (8, 4) | 145 GE    | 117.04 GE | 19.3
P288  | (6, 8) | 144 GE    | 127.68 GE | 11.3
Results—Part Two, GFS (1)
We construct MDS diffusion layers using Generalized Feistel Structures (GFS).
Figure: Generalized Feistel structure.
Results—Part Two, GFS (2)
We need to construct a transition matrix $A$ of the following form:
$$A = \begin{pmatrix} T & U_2 & 0 & \cdots & 0 & 0 \\ 0 & T & U_3 & \cdots & 0 & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & T & U_{s/2} \\ U_1 & 0 & 0 & \cdots & 0 & T \end{pmatrix}, \qquad (5)$$
where $0$ is the $2 \times 2$ zero block, and $T$ and $U_i$ (built from $L_{2i-1}$ and $L_{2i}$) are $2 \times 2$ matrices composed of linear transformations of $\mathbb{F}_2^n$.
Cost (XOR gates):
$$\frac{s}{2}\, n + \sum_{i=1}^{s} \#L_i. \qquad (6)$$
Also use $A^{(s)}_{\mathrm{gfs}} = [L_1, L_2, \ldots, L_s]$ to represent the choice of $A$.
Results—Part Two, GFS (3)
Table: MDS diffusion layers for s = 4, 6, 8 (with d = s), together with the cost in hardware implementation and the number of conditions.
s | A_gfs^(s) (d = s)                  | Cost (XOR gates)                  | No. of conditions
4 | [L, 1, 1, L]                       | 2n + 2#L                          | 7
6 | [L, 1, 1, L^2, L, L^2]             | 3n + 2(#L + #L^2)                 | 196
8 | [1, L^4, 1, L^-1, 1, L, 1, L^2]    | 4n + #L^4 + #L + #L^-1 + #L^2     | 8692
Comparison with Known Results
Results—Part Three, Other MDS Diffusion Layers
Increase the number of iterations. Example: $A^{(4)}_{\mathrm{lfsr}} = [1, L, 0, 0]$. Branch number: 5. Number of iterations: 22. Cost (XOR gates): $n + \#L$. Conditions: 8.
Bit-level LFSRs. Consider LFSRs of 16-bit length in which only the rightmost one or two bits are updated in an iteration, and try to find MDS diffusion layers with branch number 5 under 4-bit S-boxes. Example:
$y = x[1] \oplus x[6] \oplus x[8] \oplus x[10] \oplus x[13]$,
$z = x[2] \oplus x[5] \oplus x[7] \oplus x[10] \oplus x[11] \oplus x[13] \oplus x[14]$,
$x[i] = x[i+2]$ for $1 \le i \le 14$, $x[15] = y$, $x[16] = z$.
This costs 10 XOR gates and needs 8 iterations to reach branch number 5.
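As an added example (not code from the slides), the 16-bit bit-level LFSR above is implemented literally (y and z are computed from the current state, then the shift by two positions is applied), iterated, and its branch number over 4-bit bundles is computed by exhaustive search over all 2^16 − 1 nonzero inputs. The function names and the bit-to-bundle layout (x[1..4] form the first bundle, x[5..8] the second, and so on) are this example's assumptions.

```python
"""Bit-level LFSR from slide 19: iterate it and measure the bundle branch number (added example)."""

# Feedback taps as given on the slide (1-indexed bit positions of the current state).
Y_TAPS = (1, 6, 8, 10, 13)              # y = x[1] + x[6] + x[8] + x[10] + x[13]
Z_TAPS = (2, 5, 7, 10, 11, 13, 14)      # z = x[2] + x[5] + x[7] + x[10] + x[11] + x[13] + x[14]
STATE_BITS, BUNDLE_BITS = 16, 4         # 16-bit state seen as four 4-bit bundles (4-bit S-boxes)

def xor_cost():
    """Gates per iteration: a k-input XOR costs k - 1 two-input XOR gates."""
    return (len(Y_TAPS) - 1) + (len(Z_TAPS) - 1)

def lfsr_step(x):
    """One iteration on a tuple of 16 bits (index 0 holds x[1]): compute y and z from the
    current state, shift x[i] <- x[i+2] for 1 <= i <= 14, then set x[15] = y, x[16] = z."""
    y = 0
    for t in Y_TAPS:
        y ^= x[t - 1]
    z = 0
    for t in Z_TAPS:
        z ^= x[t - 1]
    return tuple(x[i + 2] for i in range(STATE_BITS - 2)) + (y, z)

def iterate_matrix(rounds):
    """The F2-linear map of `rounds` iterations, as 16 column bitmasks: column j is the
    image of the unit vector e_j (bit i of a mask holds x[i+1])."""
    cols = []
    for j in range(STATE_BITS):
        state = tuple(int(i == j) for i in range(STATE_BITS))
        for _ in range(rounds):
            state = lfsr_step(state)
        cols.append(sum(b << i for i, b in enumerate(state)))
    return cols

def apply_map(cols, v):
    """Image of the 16-bit value v under the linear map given by its column masks."""
    out = 0
    for j in range(STATE_BITS):
        if (v >> j) & 1:
            out ^= cols[j]
    return out

def bundle_weight(v):
    """Number of nonzero 4-bit bundles in v (the weight that defines the branch number)."""
    mask = (1 << BUNDLE_BITS) - 1
    return sum(1 for k in range(STATE_BITS // BUNDLE_BITS) if (v >> (BUNDLE_BITS * k)) & mask)

def branch_number(cols):
    """min over nonzero v of wt(v) + wt(D v), by exhaustive search over all 2^16 - 1 inputs.
    The images of the two 8-bit halves are tabulated first so each input costs one XOR."""
    low = [apply_map(cols, v) for v in range(256)]
    high = [apply_map(cols, v << 8) for v in range(256)]
    return min(bundle_weight(v) + bundle_weight(low[v & 0xFF] ^ high[v >> 8])
               for v in range(1, 1 << STATE_BITS))

if __name__ == "__main__":
    print("XOR gates per iteration:", xor_cost())
    for rounds in (1, 4, 8):
        print(f"branch number after {rounds} iterations:", branch_number(iterate_matrix(rounds)))
```

After a single iteration the branch number is only 2 (an input with just x[3] set moves to x[1] and touches no feedback tap), because 14 of the 16 bits are merely shifted; the exhaustive search is what shows that 8 iterations, i.e. 16 freshly computed bits, reach the maximum 5 for four bundles.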
Conclusions and Future Work
Conclusions:
- Revisit the design strategy of PHOTON and FSE 2012, and construct a list of better MDS diffusion layers with branch number from 5 to 9.
- Construct MDS diffusion layers using GFS.
- Discuss some possible manners to construct MDS diffusion layers by increasing the number of iterations and using bit-level LFSRs.
Future work:
- Can we construct MDS diffusion layers with new structures or new strategies?
- Can we obtain a lightweight linear transformation satisfying all conditions generated in step 3 without much computation? Multiplication with a root of an irreducible polynomial can be observed from the condition set. Other linear transformations?
Thank you for your attention!
Questions?
References
[1] Brown, W.C.: Matrices over Commutative Rings. Monographs and Textbooks in Pure and Applied Mathematics. Marcel Dekker, Inc. (1993)
[2] Blaum, M., Roth, R.M.: On Lowest Density MDS Codes. IEEE Transactions on Information Theory, vol. 45(1), pp. 46–59 (January 1999)