Introduction Search Optimisation Results Conclusion
Finding Optimal Bitsliced Implementations of 4×4-bit S-boxes
SKEW 2011, February 17, 2011
Markus Ullrich, Christophe De Canniere, Sebastiaan Indesteege, Ozgul Kucuk, Nicky Mouha and Bart Preneel
Contents
1 Introduction
2 Search
3 Optimisation
4 Results
5 Conclusion
Problem
1 How can we find THE most efficient implementations of s-boxes?
2 Can we find the optimal s-boxes covering all the s-boxes?
S-boxes limited to
4×4-bit s-boxes
Invertible s-boxes
Architecture
Software implementation using bitslicing
4+1 registers
Instruction set
AND
OR
XOR
NOT
MOV
No parallelism
Search
Search method
Enumerating all s-boxes in order of cost function
No heuristics
Limited to applications with monotonically increasing cost functions
Equivalence
Affine equivalence:
Classification according to affine equivalence
Definition: S1(x) = B(S2(Ax ⊕ a) ⊕ b)
Properties regarding linear and differential cryptanalysis invariant
Reducing the branching factor
Rule set from D. A. Osvik [1]
S-box invertible
No double negation
Reading before overwriting
Uninitialised values cannot be read
Double nodes are dismissed
[1] Dag Arne Osvik: Speeding up Serpent. AES Candidate Conference 2000
Advanced caching
Initial approach: dismissing nodes that are equal
New approach: using affine equivalences
Overview
Searched up to a cost of 12 instructions
More than 2 months on 8 Xeon cores with 64 GB RAM
272 out of 302 classes found
Cover 90% of all s-boxes
For each of these classes:
Representative
Assembly code
Linear and differential properties
MLP − 1/2:  1/8  1/4  3/8  1/2
|c|:        1/4  1/2  3/4  1
min. cost:  -    9    9    0

MDP:        1/8  1/4  3/8  1/2  5/8  3/4  7/8  1
min. cost:  -    9    10   6    9    6    -    0
‘Smallest s-box ever’
9 instructions
MDP = 1/4
MLP = 1/2 + 1/4
ASM code
MOV r4 r0
AND r0 r1
XOR r0 r2
OR r2 r1
XOR r2 r3
AND r3 r0
XOR r3 r4
AND r4 r2
XOR r1 r4
r0 r1 r2 r3
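The 9-instruction program can be executed in bitsliced form to recover its lookup table and check the stated MDP and MLP, and the same helpers confirm the invariance claimed on the Equivalence slide. This is an added example, not code from the slides; it assumes destination-first operand order and outputs left in r0..r3, and the matrices A, B and the constants are constructed for illustration.

```python
from fractions import Fraction

# Slide program as (opcode, destination, source). Destination-first operands and
# results left in r0..r3 are assumptions about the slide's notation.
PROGRAM = [("MOV", 4, 0), ("AND", 0, 1), ("XOR", 0, 2), ("OR", 2, 1),
           ("XOR", 2, 3), ("AND", 3, 0), ("XOR", 3, 4), ("AND", 4, 2),
           ("XOR", 1, 4)]
OPS = {"MOV": lambda d, s: s, "AND": lambda d, s: d & s,
       "OR": lambda d, s: d | s, "XOR": lambda d, s: d ^ s}

def run_bitsliced(program):
    """Evaluate all 16 inputs at once: bit x of register k is bit k of input x."""
    r = [sum(((x >> k) & 1) << x for x in range(16)) for k in range(4)] + [0]
    for op, dst, src in program:
        r[dst] = OPS[op](r[dst], r[src])
    return [sum(((r[k] >> x) & 1) << k for k in range(4)) for x in range(16)]

def mdp(s):
    """Maximum differential probability over nonzero input differences."""
    return max(Fraction(sum((s[x] ^ s[x ^ dx]) == dy for x in range(16)), 16)
               for dx in range(1, 16) for dy in range(16))

def parity(v):
    return bin(v).count("1") & 1

def mlp(s):
    """Maximum linear probability over nonzero output masks (1/2 + largest bias)."""
    return Fraction(1, 2) + max(
        abs(Fraction(sum(parity(a & x) == parity(b & s[x]) for x in range(16)), 16)
            - Fraction(1, 2))
        for a in range(16) for b in range(1, 16))

def linear(cols, v):
    """Multiply bit-vector v by the GF(2) matrix with the given columns."""
    out = 0
    for k, c in enumerate(cols):
        out ^= c if (v >> k) & 1 else 0
    return out

def affine_equivalent(s2, A, a, B, b):
    """S1(x) = B(S2(Ax xor a) xor b), as defined on the Equivalence slide."""
    return [linear(B, s2[linear(A, x) ^ a] ^ b) for x in range(16)]

SBOX = run_bitsliced(PROGRAM)
# Constructed invertible matrices (as columns) and constants, for illustration.
A, B = [0b0011, 0b0110, 0b1100, 0b1000], [0b1001, 0b0010, 0b0111, 0b1000]
EQUIV = affine_equivalent(SBOX, A, 0b0101, B, 0b1010)
print(SBOX, mdp(SBOX), mlp(SBOX), mdp(EQUIV), mlp(EQUIV))
```

The affine-equivalent table differs from the original but keeps the same MDP and MLP, which is why the search only needs one representative per class.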
Compared with literature
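| Cipher | S-box | Class | Cost rep. | Cost s-box, inst. (cycl.) |
|---|---|---|---|---|
| Serpent | S4, S5 | 9 | 11 | 19 (10) |
| | S4^-1, S5^-1 | 10 | 12 | 19 (10) |
| | S0^-1, S1 | 14 | 10 | 18 (10) |
| | S0, S1^-1 | 15 | 10 | 18 (9) |
| | S2, S2^-1, S6, S6^-1 | 16 | 11 | 16 (8) |
| | S3, S3^-1, S7, S7^-1 | not found | - | 18 (10) |
| Luffa | Q | 16 | 11 | 16 (6) |
| Noekeon | S = S^-1 | 13 | 9 | 16 |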
A new design approach
Old approach
1 Designing the parts other than s-box
specifications get refined more and more
2 Finding s-boxes that fulfil the requirements
New approach
1 Choosing an s-box class
2 Selecting the most efficient representative as s-box
3 Designing the other components of the cipher
Open problems and future research
Verifying the new design approach
Affine equivalence and the NOT instruction
More advanced architectures (SSE, parallelisation)
Using other classification criteria
Conclusion
An approach to systematically search for efficient implementations of s-boxes has been presented
Most s-box classes have been found
Interesting tradeoffs
Compared with literature
New design approach has been proposed
Questions?