Thesis Progress Report #5
Christopher A. Wood
April 29, 2013
Agenda
1 Revisiting last week’s questions
2 Algebraic Complexity of AES-like S-boxes
3 Boolean Function Constructions
4 Software Optimizations for S-Box
5 16-Bit Circuit for Multiplicative Inverse Calculation
Revisiting last week’s questions
Questions Answered
How many irreducible and primitive polynomials exist for extension fields GF((2^n)^m)?
(n, m) = (2, 2): 18
(n, m) = (2, 3): 180
(n, m) = (3, 2): 504
(n, m) = (2, 4): 1800
(n, m) = (4, 2): 10800
...
Algebraic Complexity of AES-like S-boxes
Determining the algebraic complexity
The AES S-box is the function S(x) = L(x^{-1}) ⊕ b, where x^{-1} is the multiplicative inverse in GF(2^8) (with 0 mapped to 0), L(x) is a linear function over GF(2) and b is a constant. There are many ways to represent S(x) as a polynomial over GF(2^8):
Lagrangian interpolation
Polynomial linearization
q-ary polynomial deduction
Lagrangian Interpolation
For any function F over a field (here GF(2^n)) known at k points x_1, …, x_k with outputs y_1, …, y_k, we may find a polynomial representation P(x) as follows:
$$P(x) = \sum_{i=1}^{k} P_i(x), \qquad P_i(x) = y_i \prod_{\substack{j=1 \\ j \neq i}}^{k} \frac{x - x_j}{x_i - x_j}.$$
A Simple Example
Let F : GF(2^2) → GF(2^2) be a function defined in GF(2^2) = GF(2)[x]/(p(x)), p(x) = x^2 + x + 1, with α a root of p(x), by the following map:
0 → 1
1 → α
α → α + 1
α + 1 → 0
For Lagrangian interpolation, we need polynomials f_z(x) with the property f_z(z) = 1 and f_z(y) = 0 if y ≠ z.
Start by constructing the polynomial g(x) = (x − 1)(x − α)(x − (α + 1)). Note that if x ∈ GF(2^2) \ {0}, then g(x) = 0.
Therefore, we pick f_0(x) = g(x)/g(0), where g(0) = 1 · α · (α + 1) = α^2 + α = 1 (signs do not matter in characteristic 2).
Thus f_0(x) = g(x), which makes this very easy. Expanding out g(x) (writing − as + in characteristic 2) yields:
$$\begin{aligned}
g(x) &= (x + 1)(x + \alpha)(x + \alpha + 1) \\
     &= \bigl(x^2 + (\alpha + 1)x + \alpha\bigr)(x + \alpha + 1) \\
     &= x^3 + \bigl((\alpha + 1) + (\alpha + 1)\bigr)x^2 + \bigl(\alpha + (\alpha + 1)^2\bigr)x + \alpha(\alpha + 1) \\
     &= x^3 + 1,
\end{aligned}$$
after reduction with p(x) = x^2 + x + 1, of course: α^2 = α + 1, so (α + 1)^2 = α and α(α + 1) = 1. (Equivalently, the nonzero elements of GF(2^2) are exactly the roots of x^3 − 1.)
We may find the other polynomials f_1(x), f_α(x), f_{α+1}(x) by linear substitutions:
$$f_z(x) = f_0(x - z)$$
(A textbook informed me of this fact)
Now we can do interpolation as follows:
$$q(x) = F(0)f_0(x) + F(1)f_1(x) + F(\alpha)f_\alpha(x) + F(\alpha + 1)f_{\alpha+1}(x) = (\alpha + 1)x^2 + 1.$$
A simple check...
$$\begin{aligned}
q(\alpha) &= \alpha^2(\alpha + 1) + 1 = \alpha^3 + \alpha^2 + 1 = \alpha + 1 \\
q(1) &= 1^2(\alpha + 1) + 1 = \alpha \\
q(0) &= 0^2(\alpha + 1) + 1 = 1 \\
q(\alpha + 1) &= (\alpha + 1)^2(\alpha + 1) + 1 = \alpha^3 + \alpha^2 + \alpha = 0
\end{aligned}$$
Lagrangian Lesson
The method is more symbolic than computational (at first glance), so perhaps there's a better way to estimate the complexity...
Polynomial Linearization
Any linear function A over GF(2^k) (linear over GF(2)) can be represented as a matrix multiplication
Similarly, such functions can be represented by a linearized polynomial:
$$f(\alpha) = \sum_{i=0}^{k-1} \lambda_i \alpha^{2^i}, \qquad \lambda_i \in GF(2^k)$$
Solve for the λ_i by setting up and solving a system of linear equations
Select k linearly independent α (one α yields only a single equation over GF(2^k), so a basis is needed), compute A(α) and α^{2^i} for all 0 ≤ i ≤ k − 1
Solve for each λ_i using Gaussian elimination over GF(2^k)
Bounds on Algebraic Expression
The upper bound on the number of terms in an algebraic expression for affine-power functions
$$F(x) = A(P(x))$$
in GF(2^n) is n + 1 (n terms from the linearized part plus the constant).
The forward AES S-box, F(x) = L(x^{-1}) ⊕ b = L(x^{254}) ⊕ b, meets this bound with 9 terms:
$$L(x) = \sum_{i=0}^{7} \lambda_i x^{2^i}, \qquad\text{so}\qquad F(x) = \sum_{i=0}^{7} \lambda_i x^{254 \cdot 2^i \bmod 255} + b.$$
Increasing the Algebraic Complexity
Affine-power-affine functions: F(x) = A ∘ P ∘ A
Increases algebraic complexity without affecting the other cryptographic properties (strict avalanche, nonlinearity, differential uniformity, algebraic degree)
This increased the algebraic complexity from 9 to 253 terms
Gray code augmentation: F(x) = L ∘ P ∘ G
A Gray code is a binary numeral system in which two successive values differ in a single bit
G is the Gray-code conversion from an element x ∈ GF(2^n) to its corresponding Gray code
Conversion process: y_i = x_{i+1} ⊕ x_i for 1 ≤ i < n, and y_n = x_n
Möbius transformation: f(z) = (az + b)/(cz + d), where a, b, c, d ∈ GF(2^k)
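The representations of the last three slides as an added, runnable Python example (not code from the slides or the thesis): the linearized-polynomial solve, done with a basis of eight α rather than a single α; the interpolation that recovers the n + 1 = 9 terms of the AES S-box; and the same interpolation applied to the affine-power-affine S-box A ∘ P ∘ A above. The interpolation uses the Lagrange basis polynomials f_z(x) = 1 + (x + z)^{255}, which is the simple example's f_0(x) = x^3 + 1 with f_z(x) = f_0(x − z) carried from GF(2^2) to GF(2^8). Assumed, because the slides do not fix them: the AES field polynomial 0x11b, generator 0x03 for the log tables, the FIPS-197 affine map, and all function names below.

```python
# Added example (not part of the slides): the GF(2^8) algebra behind the S-box slides.
# Assumptions: AES field polynomial x^8 + x^4 + x^3 + x + 1 (0x11b), generator 0x03 for
# the log tables, the FIPS-197 affine map; every name here is this example's own.

# --- GF(2^8) arithmetic through log/antilog tables ---
EXP, LOG = [0] * 510, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v ^= (_v << 1) ^ (0x11b if _v & 0x80 else 0)       # _v <- _v * 0x03
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_pow(a, e):
    if a == 0:
        return 1 if e == 0 else 0
    return EXP[(LOG[a] * e) % 255]

def gf_inv(a):                                           # AES convention: 0^-1 := 0
    return 0 if a == 0 else EXP[255 - LOG[a]]

# --- the AES S-box as L(x^-1) + b ---
def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xff

def aes_L(x):                                            # linear part of the FIPS-197 affine map
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4)

def aes_affine(x):
    return aes_L(x) ^ 0x63

def aes_sbox(x):
    return aes_affine(gf_inv(x))

def apa_sbox(x):                                         # affine-power-affine: A o P o A
    return aes_affine(gf_inv(aes_affine(x)))

# --- polynomial linearization: L(x) = sum_i lambda_i x^(2^i) ---
def linearize(L, k=8):
    """Solve for lambda_0..lambda_{k-1} over GF(2^k).  One alpha gives one GF(2^k)
    equation, so use the k basis elements e_j = x^j: sum_i lambda_i e_j^(2^i) = L(e_j)."""
    rows = [[gf_pow(1 << j, 1 << i) for i in range(k)] + [L(1 << j)] for j in range(k)]
    for col in range(k):                                 # Gauss-Jordan elimination over GF(2^8)
        piv = next(r for r in range(col, k) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = gf_inv(rows[col][col])
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for r in range(k):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [v ^ gf_mul(f, w) for v, w in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]

def eval_linearized(lam, x):
    acc = 0
    for i, l in enumerate(lam):
        acc ^= gf_mul(l, gf_pow(x, 1 << i))
    return acc

# --- Lagrange interpolation over all of GF(2^8) ---
def interpolate(table):
    """Coefficients c[0..255] of the unique polynomial with p(a) = table[a] for every a.
    Lagrange basis f_z(x) = 1 + (x + z)^255 (the slides' f_0(x) = x^3 + 1, shifted), and
    (x + z)^255 = sum_k x^k z^(255-k) because every binomial coefficient C(255, k) is odd."""
    c, total = [0] * 256, 0
    for a in range(256):
        y = table[a]
        total ^= y
        if a and y:
            for k in range(255):
                c[k] ^= gf_mul(y, gf_pow(a, 255 - k))
    c[0] ^= total                                        # the "1 +" of every basis polynomial
    c[255] ^= total                                      # z^0 = 1 for every z, z = 0 included
    return c

def eval_poly(c, x):
    acc = 0
    for k, ck in enumerate(c):
        if ck:
            acc ^= gf_mul(ck, gf_pow(x, k))
    return acc

def term_count(c):
    return sum(1 for ck in c if ck)

if __name__ == "__main__":
    lam = linearize(aes_L)
    print("lambda_i of L:", [hex(l) for l in lam])
    print("AES S-box terms:", term_count(interpolate([aes_sbox(x) for x in range(256)])))
    print("APA S-box terms:", term_count(interpolate([apa_sbox(x) for x in range(256)])))
```

Running it prints the λ_i, the 9-term count for the AES S-box and the term count for A ∘ P ∘ A; interpolate and term_count accept any byte-to-byte table, so the same code scores candidate S-boxes for the algebraic-complexity survey.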
Boolean Function Constructions
General Maiorana-McFarland Construction
Concatenate small affine functions to form higher-order functions
(Hopefully) the result is an equally strong Boolean function
All MM Boolean functions have an annihilator of degree n − r + 1, where r is the number of variables of the affine functions which are used (concatenated) to construct the function
As r increases the annihilator degree n − r + 1 decreases, making algebraic attacks easier (a low-degree annihilator simplifies the equations)
Linear Codes
A binary [n, k, d] code is a k-dimensional subspace of F_2^n = GF(2)^n
n is the length, k is the dimension (rank), d is the minimum (Hamming) distance between any two distinct codewords in the subspace
The vectors of a binary linear code are called the codewords
As a subspace, there exists a basis B for the code, which is often represented as a k × n generator matrix G
Many codes of cryptographic interest: Hamming, Walsh-Hadamard, ...
Candidate Codes
Hamming Code: a special type of binary [n, k, 3] code (e.g. [2^r − 1, 2^r − r − 1, 3])
Mainly used for error detection/correction, but we can use it for resilient Boolean function constructions
Hadamard Code: a special type of binary [2^k, k, 2^{k−1}] code
Construction Idea for t-resilient
Let f_1, …, f_{2^{n−r}} be 2^{n−r} affine Boolean functions of length 2^r (i.e. each truth table has 2^r entries)
Concatenating f_1, …, f_{2^{n−r}} yields a string of length 2^n, the truth table of an n-variable function
Let g(x_n, …, x_{r+1}) be a nonlinear function and let h(x_r, …, x_1) be a linear (affine) function, and let f(x_n, …, x_1) = g(x_n, …, x_{r+1}) ⊕ h(x_r, …, x_1)
*Note: all Boolean functions built this way are (t + 1)-degenerate, for reasons that are discussed in the paper :-)
Select an [n = u, k = m, d = t + 1] code C and construct a (2^m − 1) × m matrix D with codewords from C s.t. {c_1 D_{i,1} ⊕ ⋯ ⊕ c_m D_{i,m} : 1 ≤ i ≤ 2^m − 1} = C \ {0̄}. Let L(C) be a (2^m − 1) × m matrix whose entries are u-variable functions defined by L_{i,j}(x_1, …, x_u)
Define a (p, m) S-box with component functions G_1, …, G_m, and let L(C, k, l) be an (l − k + 1) × m matrix whose (i, j)-th entry is
$$G_j(y_1, \dots, y_p) \oplus L_{k+i-1,\,j}(x_1, \dots, x_u).$$
Construction Continued
If l − k + 1 = 2^r then G ⊕ L(C, k, l) is an (r + p + u, m) S-box, where the r variables z_1, …, z_r select the row i:
$$F_j(z_1, \dots, z_r, y_1, \dots, y_p, x_1, \dots, x_u) = G_j(y_1, \dots, y_p) \oplus L_{k+i-1,\,j}(x_1, \dots, x_u)$$
Goal: let m = 16 and find the other parameters that make the construction "work"
Need to select good (p, 16) S-boxes G_1, …, G_m and find a good [n, 16, t + 1] code
Software Optimizations for S-Box
Extended Euclidean Algorithm - straightforward
Binary Extended Euclidean Algorithm - optimized version of the EEA for fields of characteristic 2
Normal basis conversion with Fermat's Theorem - two matrix multiplications with some shifting and multiplying
Almost Inverse Algorithm - compute A^{-1} x^k mod f(x) and then divide out the factor x^k
Bitsliced implementation - Carnright investigates this technique with his normal basis optimizations
LUTs - not a goal, but always an option...
Software Optimizations for S-Box - Metrics
These can be captured with gprof for different platforms...
Extended Euclidean Algorithm - TODO
Binary Extended Euclidean Algorithm - TODO
Normal basis conversion with Fermat’s Theorem - TODO
Almost Inverse Algorithm - TODO
Bitsliced implementation - TODO
LUTs - ;-)
16-Bit Circuit for Multiplicative Inverse Calculation
Complexity of Finite Field Multipliers
Claim: for small fields (e.g. GF(2^k), k ≤ 32) the arithmetic procedures for software implementations are not affected by the choice of field polynomial
Advanced algorithms such as the "comb" multiplier target fields where a single element does not fit within a single machine word
This is not true for hardware...
If we are going for area-optimized designs we want serial modules, otherwise we want parallel modules
Some bases yield more efficient arithmetic operations than others
This leads us to Optimal Normal Bases
Inverse by Fermat’s Theorem
By Fermat's Theorem, α^{2^k − 1} = 1 for every nonzero α ∈ GF(2^k), so α^{-1} = α^{2^k − 2}
$$2^k - 2 = 2 + 2^2 + 2^3 + \cdots + 2^{k-1}$$
This leads us to a simple square-and-multiply algorithm...
$$\alpha^{-1} = \alpha^{2} \cdot \alpha^{2^2} \cdot \alpha^{2^3} \cdots \alpha^{2^{k-1}}$$
In a normal basis squaring is a cyclic shift, so the cycle complexity is O(k) for computing the successive powers of α, but the area complexity depends on the type of multiplier used (e.g. using a type II ONB one can implement a parallel multiplier with 1.5(k^2 − k) XOR gates [1])
Inverse by Composite Field Computation
$$(bx + c)^{-1} = b\,(b^2 B + bcA + c^2)^{-1}\, x + (c + bA)\,(b^2 B + bcA + c^2)^{-1}$$
for bx + c ∈ GF((2^8)^2) = GF(2^8)[x]/(x^2 + Ax + B), with A = 1 and B = λ. Only one inverse in the subfield GF(2^8) is needed, that of d = b^2 B + bcA + c^2; the check is (bx + c)(b d^{-1} x + (c + bA) d^{-1}) = d^{-1}(b^2 x^2 + b^2 A x + bcA + c^2) = d^{-1}(b^2 B + bcA + c^2) = 1 using x^2 = Ax + B.
[Figure: inverse circuit block diagram. Blocks: δ_1, x^2, ×λ, three multipliers ×, x^{-1} (INVERSE IN SUBFIELD), δ_1^{-1}, δ_2, δ_2^{-1}; the whole datapath is labelled INVERSE LOGIC.]
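The circuit's algebra as an added Python example (not the slides' code or design): elements of GF((2^8)^2) = GF(2^8)[x]/(x^2 + Ax + B) are pairs (b, c) standing for bx + c, the composite-field inverse is the formula above with A = 1 and B = λ and needs exactly one subfield inverse, and it is checked against the Fermat chain of the previous slide, α^{-1} = α^2 · α^{2^2} ⋯ α^{2^{15}}. Assumed, since the slides leave them open: the subfield GF(2^8) uses the AES polynomial 0x11b, λ is the smallest element that makes x^2 + x + λ irreducible (any trace-one λ would do), and the function names are this example's own.

```python
# Added example (not part of the slides): the 16-bit inverse as the composite-field
# formula of the circuit, GF((2^8)^2) = GF(2^8)[x]/(x^2 + A x + B) with A = 1, B = lambda,
# checked against the Fermat chain alpha^-1 = alpha^2 * alpha^4 * ... * alpha^(2^15).
# Assumptions: the subfield uses the AES polynomial 0x11b (the slides leave the subfield
# polynomial open) and lambda is the smallest element making x^2 + x + lambda irreducible.

EXP, LOG = [0] * 510, [0] * 256
_v = 1
for _i in range(255):                                    # antilog/log tables, generator 0x03
    EXP[_i], LOG[_v] = _v, _i
    _v ^= (_v << 1) ^ (0x11b if _v & 0x80 else 0)
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]

def gf8_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf8_inv(a):                                          # subfield inverse, 0 -> 0
    return 0 if a == 0 else EXP[255 - LOG[a]]

def find_lambda():
    """x^2 + x + lambda is irreducible over GF(2^8) iff no t satisfies t^2 + t = lambda."""
    quads = {gf8_mul(t, t) ^ t for t in range(256)}
    return next(l for l in range(256) if l not in quads)

# Elements of GF((2^8)^2) are pairs (b, c) standing for b*x + c.
def tower_mul(p, q, lam):
    """(b1 x + c1)(b2 x + c2) reduced with x^2 = x + lambda (A = 1)."""
    (b1, c1), (b2, c2) = p, q
    bb = gf8_mul(b1, b2)
    return (bb ^ gf8_mul(b1, c2) ^ gf8_mul(b2, c1), gf8_mul(bb, lam) ^ gf8_mul(c1, c2))

def tower_inv_composite(p, lam):
    """The slide's formula: (b x + c)^-1 = b d^-1 x + (c + b A) d^-1 with
    d = b^2 B + b c A + c^2; A = 1, B = lambda.  Exactly one subfield inverse (d^-1)."""
    b, c = p
    d = gf8_mul(gf8_mul(b, b), lam) ^ gf8_mul(b, c) ^ gf8_mul(c, c)
    dinv = gf8_inv(d)
    return (gf8_mul(b, dinv), gf8_mul(c ^ b, dinv))

def tower_inv_fermat(p, lam, k=16):
    """alpha^-1 = alpha^(2^k - 2) = prod_{i=1}^{k-1} alpha^(2^i): k-1 squarings, k-2 products."""
    power, acc = p, None
    for _ in range(1, k):
        power = tower_mul(power, power, lam)             # alpha^(2^i)
        acc = power if acc is None else tower_mul(acc, power, lam)
    return acc

def check_composite(lam):
    """Every nonzero element times its composite-field inverse is 1 = 0*x + 1."""
    return all(tower_mul((b, c), tower_inv_composite((b, c), lam), lam) == (0, 1)
               for b in range(256) for c in range(256) if (b, c) != (0, 0))

def check_fermat_agrees(lam, stride=5):
    """Fermat chain and composite formula agree (sampled: each chain is 29 tower products)."""
    return all(tower_inv_fermat((b, c), lam) == tower_inv_composite((b, c), lam)
               for b in range(0, 256, stride) for c in range(1, 256, stride))

if __name__ == "__main__":
    lam = find_lambda()
    print("lambda = %#x" % lam)
    print("composite inverse correct on all 65535 nonzero elements:", check_composite(lam))
    print("composite inverse agrees with Fermat chain on sample:", check_fermat_agrees(lam))
```

check_composite walks all 65535 nonzero elements; the Fermat check is sampled because each chain costs 29 tower multiplications. Changing the subfield polynomial or λ changes only the constants, not the check.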
Inverse by Composite Field Computation (continued)
5-stage pipeline design
[Figure: 5-stage pipelined inverse circuit. Same datapath (δ_1, x^2, ×λ, x^{-1} labelled INVERSE CIRCUIT, three multipliers ×, δ_1^{-1}) with pipeline registers inserted at the four stage boundaries 1 through 4.]
Optimal Pipeline Selection Strategy (for FPGAs)
Algorithm 1 Pipeline Optimization Strategy
1: E_c ← Throughput (Mbit/s) / Area
2: Opt ← False
3: while Opt = False do
4:     Remove the pipeline stage that contributes the lowest frequency reduction
5:     Reimplement and resynthesize the design
6:     E_n ← Throughput (Mbit/s) / Area
7:     if E_c > E_n then
8:         Opt ← True (the previous design was the optimum; restore it)
9:     else
10:        E_c ← E_n
11:    end if
12: end while
Inverse by Composite Field Computation (continued)
The next step is to synthesize the design and gather hardware metrics.
LUT count (FPGA - captured with Xilinx tools)
Register count (FPGA - captured with Xilinx tools)
Slice count (FPGA - captured with Xilinx tools)
Throughput in cycles/byte (FPGA - captured with Xilinx tools)
Power consumption (ASIC - captured with Synopsys) :-)
References
[1] B. Sunar and Ç. K. Koç, "An efficient optimal normal basis type II multiplier," IEEE Transactions on Computers, vol. 50, no. 1, pp. 83-87, 2001.
Action Items (perhaps overly ambitious...)
Optimize Galois field software for more efficient calculation of polynomials and transformation matrices
Finish composite field decomposition chapter
Polynomial and normal basis conversion code and preparation for OSG execution
Literature survey of S-box constructions and code for estimating algebraic complexity
Complete the exhaustive list of all polynomials P(x), Q(y), and R(z) and the corresponding list of all transformation matrices (using OSG!)
Hardware metrics of the regular and non-pipelined 16-bit composite field inverse
Implement Carnright's normal basis S-box
(16,16) Boolean function code using the prescribed approach
Next meeting: 5/13/13