Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC

Itai Dinur, Angela Promitzer, Daniel Kales, Sebastian Ramacher, Christian Rechberger

Publication: Contribution to book/report/conference proceedings › Conference contribution › Research › peer-reviewed

Abstract

LowMC is a block cipher family designed in 2015 by Albrecht et al. It is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs. LowMC is used in the PICNIC signature scheme, submitted to NIST's post-quantum standardization project, and is a substantial building block in other novel post-quantum cryptosystems. Many LowMC instances use a relatively recent design strategy (initiated by Gérard et al. at CHES 2013) of applying the non-linear layer to only a part of the state in each round, where the shortage of non-linear operations is partially compensated by heavy linear algebra. Since the high linear algebra complexity has been a bottleneck in several applications, one of the open questions raised by the designers was to reduce it, without introducing additional non-linear operations (or compromising security). In this paper, we consider LowMC instances with block size n, partial non-linear layers of size $s \le n$ and r encryption rounds. We redesign LowMC's linear components in a way that preserves its specification, yet improves LowMC's performance in essentially every aspect. Most of our optimizations are applicable to all SP-networks with partial non-linear layers and shed new light on this relatively new design methodology. Our main result shows that when $s < n$, each LowMC instance belongs to a large class of equivalent instances that differ in their linear layers. We then select a representative instance from this class for which encryption (and decryption) can be implemented much more efficiently than for an arbitrary instance. This yields a new encryption algorithm that is equivalent to the standard one, but reduces the evaluation time and storage of the linear layers from $r \cdot n^2$ bits to about $r \cdot n^2 - (r-1)(n-s)^2$. Additionally, we reduce the size of LowMC's round keys and constants and optimize its key schedule and instance generation algorithms. All of these optimizations give substantial improvements for small s and a reasonable choice of r. Finally, we formalize the notion of linear equivalence of block ciphers and prove the optimality of some of our results. Comprehensive benchmarking of our optimizations in various LowMC applications (such as PICNIC) reveals improvements by factors that typically range between 2x and 40x in runtime and memory consumption.

Original language: English
Title: Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Subtitle: 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part I
Editors: Yuval Ishai, Vincent Rijmen
Publisher: Springer
Pages: 343-372
Number of pages: 30
ISBN (Print): 978-3-030-17652-5
DOI: https://doi.org/10.1007/978-3-030-17653-2_12
Publication status: Published - 2019
Event: EUROCRYPT 2019: 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques - Darmstadt, Germany
Duration: 19 May 2019 to 23 May 2019
https://eurocrypt.iacr.org/2019/

Publication series

Name: Lecture Notes in Computer Science
Volume: 11476

Conference

Conference: EUROCRYPT 2019
Country: Germany
City: Darmstadt
Period: 19/05/19 to 23/05/19
Website: https://eurocrypt.iacr.org/2019/


Keywords

Block cipher, Linear equivalence, LowMC, PICNIC signature scheme

ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science (all)

Cite this

Dinur, I., Promitzer, A., Kales, D., Ramacher, S., & Rechberger, C. (2019). Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC. In Y. Ishai, & V. Rijmen (Eds.), Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings: 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part I (pp. 343-372). (Lecture Notes in Computer Science; Vol. 11476). Springer. https://doi.org/10.1007/978-3-030-17653-2_12

Scopus record: http://www.scopus.com/inward/record.url?scp=85065918523&partnerID=8YFLogxK
Pure record: https://graz.pure.elsevier.com/en/publications/linear-equivalence-of-block-ciphers-with-partial-nonlinear-layers-application-to-lowmc(1c34a3b7-d6c6-44a2-b766-2807a486f474).html