Abstract

Lightweight cryptography features a small footprint and/or low computational complexity. Low-cost implementations of linear layers usually play an important role in lightweight cryptography. Although it has been shown by Boyar et al. that finding the optimal implementation of a linear layer is a Shortest Linear Program (SLP) problem and NP-hard, there exist a variety of heuristic methods to search for near-optimal solutions. This paper considers the low-latency criteria and focuses on the heuristic search of lightweight implementations for linear layers. Most prior approaches iteratively combine the inputs (of linear layers) to reach the outputs, which can be regarded as a forward search. To better suit the low-latency criteria, we propose a new framework of backward search that attempts to iteratively split every output (into an XOR of two bits) until all inputs appear. By bounding the number of splitting steps, the new framework can find a sub-optimal solution with a minimized depth of circuits. We apply our new search algorithm to linear layers of block ciphers and find many low-latency candidates for implementations. Notably, for AES MixColumns, we provide an implementation with 103 XOR gates with a depth of 3, which is among the best hardware implementations of the AES linear layer. Besides, we obtain better implementations in XOR gates for 54.3% of the 4256 Maximum Distance Separable (MDS) matrices proposed by Li et al. at FSE 2019. We also achieve an involutory MDS matrix (in M4(GL(8, F2))) whose implementation uses the lowest number (i.e., 86, saving 2 from the state-of-the-art result) of XORs with the minimum depth.
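
The backward framework sketched above, in a toy form added here for illustration (this is not the paper's algorithm or code). A linear layer over F2 is given as rows of input indices; each output is split into two disjoint halves, recursively, until only single inputs remain, with a depth budget checked at every split and halves that were already built reused. Everything beyond that is an assumption of this example: splits are restricted to disjoint halves (no cancellation of common terms), all splits of a node are enumerated (exponential in the row weight, fine for toy sizes), and the sharing priority (prefer an existing node, then the half contained in the most not-yet-built outputs, then the more balanced split) is a simplification rather than the paper's priority rules. The 4x4 matrix ROWS is constructed for the demo; the naive per-row XOR count is 8, the backward search below uses 6 at the minimum depth of 2, and an exhaustive check confirms the built circuit matches the matrix.

```python
"""Toy backward (top-down) search for an XOR-only circuit of a binary linear layer.

Added example, not the paper's algorithm.  Assumptions: disjoint splits only,
exhaustive enumeration of splits, and a simplified reuse/sharing priority.
"""
from itertools import combinations, product


BIG = 10**6  # score for a half that already exists as a built node


def min_depth(size):
    """Smallest depth of an XOR tree summing `size` inputs (integer-exact log2)."""
    return 0 if size <= 1 else (size - 1).bit_length()


def partitions(s):
    """All unordered splits of frozenset `s` into two non-empty disjoint halves.

    The half containing the smallest element is yielded first, so each
    unordered split appears exactly once.
    """
    items = sorted(s)
    first, rest = items[0], items[1:]
    for k in range(len(rest)):            # k == len(rest) would leave b empty
        for combo in combinations(rest, k):
            a = frozenset((first,) + combo)
            yield a, s - a


class BackwardSearch:
    def __init__(self, rows, depth_bound):
        self.targets = [frozenset(r) for r in rows]
        self.bound = depth_bound
        self.nodes = {}        # frozenset -> (depth, left, right); inputs excluded
        self.program = []      # (node, left, right) in build order; one XOR each
        self.pending = list(self.targets)   # outputs not yet built

    def depth(self, s):
        return 0 if len(s) == 1 else self.nodes[s][0]

    def score(self, part, budget):
        """Higher is better: reuse an existing node, else favour widely shared halves."""
        if len(part) == 1:
            return 0                                  # an input, always free
        if part in self.nodes and self.depth(part) <= budget:
            return BIG
        return sum(1 for t in self.pending if part <= t)

    def split(self, s, budget):
        if len(s) == 1 or (s in self.nodes and self.depth(s) <= budget):
            return                                    # input or usable node
        if min_depth(len(s)) > budget:
            raise ValueError("depth bound too small for %s" % sorted(s))
        best = None
        for a, b in partitions(s):
            # Both halves must themselves fit in the remaining depth budget.
            if min_depth(len(a)) > budget - 1 or min_depth(len(b)) > budget - 1:
                continue
            key = (-(self.score(a, budget - 1) + self.score(b, budget - 1)),
                   max(len(a), len(b)), tuple(sorted(a)), tuple(sorted(b)))
            if best is None or key < best[0]:
                best = (key, a, b)
        _, a, b = best
        self.split(a, budget - 1)
        self.split(b, budget - 1)
        self.nodes[s] = (max(self.depth(a), self.depth(b)) + 1, a, b)
        self.program.append((s, a, b))

    def run(self):
        """Build every output; returns (number of XOR gates, circuit depth)."""
        for t in self.targets:
            self.split(t, self.bound)
            self.pending.remove(t)
        return len(self.program), max(self.depth(t) for t in self.targets)


def evaluate(search, x):
    """Run the built XOR program on the bit list `x`; returns the output bits."""
    val = {frozenset([i]): x[i] for i in range(len(x))}
    for s, a, b in search.program:
        val[s] = val[a] ^ val[b]
    return [val[t] for t in search.targets]


def verify(search, rows, n):
    """Exhaustively compare the program with the matrix product over F2."""
    return all(evaluate(search, list(x)) == [sum(x[i] for i in r) % 2 for r in rows]
               for x in product((0, 1), repeat=n))


# Constructed 4x4 binary matrix: each row lists the inputs XORed into that output.
ROWS = [(0, 1, 2), (1, 2, 3), (0, 2, 3), (0, 1, 3)]


def naive_cost(rows):
    """One XOR per extra term in every row, no sharing: (xors, depth)."""
    return sum(len(r) - 1 for r in rows), max(min_depth(len(r)) for r in rows)


def run_example(rows=ROWS, depth_bound=None):
    """Search at the minimum feasible depth unless a bound is given: (xors, depth)."""
    if depth_bound is None:
        depth_bound = max(min_depth(len(r)) for r in rows)
    search = BackwardSearch(rows, depth_bound)
    xors, depth = search.run()
    assert verify(search, rows, max(max(r) for r in rows) + 1)
    return xors, depth


if __name__ == "__main__":
    print("naive   :", naive_cost(ROWS))    # (8, 2)
    print("backward:", run_example())       # (6, 2)
```

The depth budget is what makes this a low-latency search: a half is only acceptable if an XOR tree of the remaining budget can still sum it, so a node built earlier with too large a depth is rebuilt rather than reused, and an output that cannot fit the bound at all raises an error instead of silently deepening the circuit.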

Highlights

  • Lightweight cryptography has been applied in many fields, such as the Internet of Things (IoTs) and Radio-Frequency IDentification (RFID) tags

  • [Table footnotes; the results table itself is not reproduced on this page. Cell shown: 86/3 (d).] a: For the block cipher, we optimize the matrix used in the linear layer. b: The results only take the number of XOR gates into account. c: The results take the number of XOR gates into account with respect to the minimum depth. d: We show the lowest one from all the results.

  • We investigate a new framework of heuristic search for the implementation of a given linear layer

Summary

Introduction

Lightweight cryptography has been applied in many fields, such as the Internet of Things (IoTs) and Radio-Frequency IDentification (RFID) tags. Based on their heuristics, y4 is always generated with depth 3. We find that y4 can be generated with depth 2 and be used in the subsequent implementation to reduce the number of XOR gates (see Table 1-right). Kumm et al. proposed an algorithm called RPAG-CMM in [KHZ17] to solve the CMM problem with the minimum depth. We study the special version of RPAG-CMM for binary matrices and propose a new heuristic algorithm based on the backward framework for binary matrices. The main algorithm will be introduced in Algorithm 2, which is more relevant to the SLP problem.

Our Contributions
Organization
Notations
Metrics
The Backward Strategy
Heuristics of Splitting Nodes
Discussion on the Priority
Comparison of Backward and Forward Search for Low-latency Implementation
XOR Gates of Many Proposed Matrices
XOR Gates of More MDS Matrices
Hardware Implementation
Conclusion
A The Low-latency Implementation