HADES Strategy
Posted by mutourend
1. Introduction
This post mainly follows the 2019 paper by Grassi et al., "On a Generalization of Substitution-Permutation Networks: The HADES Design Strategy (Updated Version)".
Related code implementations include:
Block ciphers and cryptographic permutations are usually designed to:
- iterate an efficiently implementable round function many times, so that the result looks random.
Usually, iterating the same round function enough times guarantees that the symmetries and structural properties of the round function vanish.
A cipher built with the HADES strategy consists of three steps in each round:
- 1) Add Round Key, written $\text{ARK}(\cdot)$
- 2) SubWords, written $\text{S-Box}(\cdot)$ (the number of S-Boxes used differs between rounds)
- 3) MixLayer, written $\text{M}(\cdot)$
In the last round, the MixLayer operation can be omitted.
The key feature of HADES is that the number of S-Boxes differs between rounds:
- a certain number of rounds, denoted $R_F$, have a full S-Box layer, i.e. $t$ S-Box functions;
- a certain number of rounds, denoted $R_P$, have a partial S-Box layer, i.e. $1\leq s<t$ S-Boxes and $(t-s)$ identity functions.
In what follows only the case $s=1$ is considered. Let $R_F=2\cdot R_f$; the total number of rounds is then $R=2\cdot R_f+R_P$.
2. HADESMiMC
Each round $R_k(\cdot):(\mathbb{F}_p)^t\rightarrow (\mathbb{F}_p)^t$ of HADESMiMC is defined as
$$R_k(\cdot)=k+M\times \mathcal{S}(\cdot)$$
where $k\in (\mathbb{F}_p)^t$ is the secret subkey, $M\in (\mathbb{F}_p)^{t\times t}$ is the invertible matrix defining the linear layer, and $\mathcal{S}(\cdot):(\mathbb{F}_p)^t\rightarrow (\mathbb{F}_p)^t$ is the S-Box layer.
For full S-Box layers, $\mathcal{S}=[S(\cdot),\cdots, S(\cdot)]$; for the partial S-Box layer, $\mathcal{S}=[S(\cdot), I(\cdot),\cdots,I(\cdot)]$. Here $S(\cdot):\mathbb{F}_p\rightarrow \mathbb{F}_p$ is the non-linear S-Box and $I(\cdot)$ is the identity function.
Over a prime field $\mathbb{F}_p$, the non-linear S-Box is defined as the power map
$$\text{S-Box}(x)=x^\alpha$$
where $\alpha\geq 3$ is the smallest integer satisfying $\gcd(p-1,\alpha)=1$ (e.g. $\alpha=3$ when $\gcd(p-1,3)=1$, and $\alpha=5$ when $\gcd(p-1,3)\neq 1$ and $\gcd(p-1,5)=1$).
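As an added example (not code from the paper or from Hades252), the following Rust program applies that rule to a few small toy primes and brute-force checks that $x^\alpha$ really is a bijection of $\mathbb{F}_p$, while an exponent that shares a factor with $p-1$ is not. The primes 7, 11 and 31 and the function names `choose_alpha` and `is_permutation` are this example's own choices.

```rust
// Added example (not from the paper or the Hades252 code base): choosing the
// S-Box exponent alpha for a prime field and checking that x^alpha permutes F_p.
// Uses small toy primes so the check can be exhaustive; arithmetic is plain u64.

/// Greatest common divisor by Euclid's algorithm.
fn gcd(mut a: u64, mut b: u64) -> u64 {
    while b != 0 {
        let r = a % b;
        a = b;
        b = r;
    }
    a
}

/// Modular exponentiation x^e mod p (square-and-multiply). Assumes p < 2^32
/// so that intermediate products fit in u64.
fn pow_mod(mut x: u64, mut e: u64, p: u64) -> u64 {
    let mut acc = 1u64;
    x %= p;
    while e > 0 {
        if e & 1 == 1 {
            acc = acc * x % p;
        }
        x = x * x % p;
        e >>= 1;
    }
    acc
}

/// Smallest integer alpha >= 3 with gcd(p - 1, alpha) = 1: the rule the paper
/// uses to pick the power map S-Box(x) = x^alpha over F_p.
fn choose_alpha(p: u64) -> u64 {
    let mut alpha = 3;
    while gcd(p - 1, alpha) != 1 {
        alpha += 1;
    }
    alpha
}

/// Exhaustive check that x -> x^alpha is a bijection on F_p (small p only).
/// Two distinct inputs landing on the same output mean the map is not
/// invertible and therefore unusable as an S-Box.
fn is_permutation(p: u64, alpha: u64) -> bool {
    let mut seen = vec![false; p as usize];
    for x in 0..p {
        let y = pow_mod(x, alpha, p) as usize;
        if seen[y] {
            return false;
        }
        seen[y] = true;
    }
    true
}

fn main() {
    for p in [7u64, 11, 31] {
        let alpha = choose_alpha(p);
        println!(
            "p = {p}: alpha = {alpha}; x^{alpha} is a permutation: {}; x^3 is a permutation: {}",
            is_permutation(p, alpha),
            is_permutation(p, 3)
        );
    }
}
```

For $p=7$, $p-1=6$ shares the factor 3 with $\alpha=3$, so the search moves on to $\alpha=5$; for $p=11$ it stops at $\alpha=3$ immediately. The same rule gives $\alpha=5$ for the BLS12-381 scalar field used by the Dusk implementation in section 3, because there $p-1$ is divisible by 3 but not by 5, which is why that code implements $x^5$.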
3. Walkthrough of the HADESMiMC code
The Dusk team's implementation https://github.com/dusk-network/Hades252 (Rust) defines:
- the BLS12-381 scalar field, $p=$ `0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001`;
- $R_P=59$, $R_F=8$, and a maximum input width per round of $5$, i.e. $t=5$;
```rust
/// Total amount of full rounds that will be applied.
/// This is expressed as `RF` in the paper.
pub const TOTAL_FULL_ROUNDS: usize = 8;
/// Total amount of partial rounds that will be applied.
/// This is expressed as `Rp` in the paper.
pub const PARTIAL_ROUNDS: usize = 59;
/// Maximum input width for the rounds
pub const WIDTH: usize = 5;
```
- Add Round Key $\text{ARK}(\cdot)$ is defined by the constants stored in `./assets/ark.bin`, 960 in total:
```rust
pub const ROUND_CONSTANTS: [BlsScalar; CONSTANTS] = {
    let bytes = include_bytes!("../assets/ark.bin");
    let mut cnst = [BlsScalar::zero(); CONSTANTS];
    // ...... (the constants are decoded from `bytes` into `cnst` here)
};

/// Adds the next round constant to every word of the state.
fn add_round_key<'b, I>(&mut self, constants: &mut I, words: &mut [BlsScalar])
where
    I: Iterator<Item = &'b BlsScalar>,
{
    words.iter_mut().for_each(|w| {
        *w += Self::next_c(constants);
    });
}
```
- $\text{S-Box}(x)=x^5$ is implemented as:
```rust
/// x^5 computed as (x^2)^2 * x: two squarings and one multiplication.
fn quintic_s_box(&mut self, value: &mut BlsScalar) {
    *value = value.square().square() * *value;
}
```
- MixLayer $\text{M}(\cdot)$ is defined in `./assets/mds.bin`, as a $5\times 5$
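To tie the round structure from the introduction ($R_f$ full rounds, $R_P$ partial rounds with $s=1$, then $R_f$ full rounds again) to the three per-round steps walked through above, here is an added Rust example; it is not code from the paper or from Hades252. It works over the toy prime $p=2^{31}-1$ (for which $\gcd(p-1,3)\neq 1$ and $\gcd(p-1,5)=1$, so $\alpha=5$ as in the Dusk code) with $t=3$, $R_f=2$ and $R_P=3$. The round constants come from a fixed formula and the MDS matrix is a hand-picked circulant, both constructed for this example and unrelated to `ark.bin` and `mds.bin`; the S-Box is computed as `(x^2)^2 * x`, the same shape as `quintic_s_box`, and the MixLayer is skipped in the last round as the text allows.

```rust
// Added example (not from the paper or the Hades252 code base): a toy HADES
// permutation over the Mersenne prime p = 2^31 - 1 with t = 3 words,
// R_f = 2 full rounds on each side and R_P = 3 partial rounds in the middle.
// Round constants and MDS matrix are constructed for illustration only and
// are NOT the contents of Hades252's assets/ark.bin and assets/mds.bin.

const P: u64 = (1 << 31) - 1; // p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331, so alpha = 5
const T: usize = 3; // state width t
const R_F_HALF: usize = 2; // R_f: full rounds at the start and again at the end
const R_P: usize = 3; // partial rounds in the middle
const ROUNDS: usize = 2 * R_F_HALF + R_P; // R = 2 * R_f + R_P

type State = [u64; T];

/// Toy MDS matrix: the circulant (2,1,1). Every minor equals 1, -1, 3 or 4,
/// all nonzero mod p, so the matrix is MDS over F_p (constructed, not mds.bin).
const MDS: [[u64; T]; T] = [[2, 1, 1], [1, 2, 1], [1, 1, 2]];

/// Deterministic toy round constant for (round, word), derived from a fixed
/// formula purely so that the example is reproducible offline.
fn round_constant(round: usize, word: usize) -> u64 {
    let i = (round * T + word) as u64;
    (i.wrapping_mul(0x9E37_79B1).wrapping_add(0x1234_5678)) % P
}

/// Add Round Key: state[i] += c_{round,i} (mod p).
fn add_round_key(state: &mut State, round: usize) {
    for (i, w) in state.iter_mut().enumerate() {
        *w = (*w + round_constant(round, i)) % P;
    }
}

/// S-Box(x) = x^5, computed as (x^2)^2 * x like Hades252's quintic_s_box.
fn quintic_s_box(x: u64) -> u64 {
    let x2 = x * x % P;
    let x4 = x2 * x2 % P;
    x4 * x % P
}

/// SubWords: a full layer applies the S-Box to all t words; a partial layer
/// (s = 1) applies it to the first word and the identity to the others.
fn sbox_layer(state: &mut State, full: bool) {
    let n = if full { T } else { 1 };
    for w in state.iter_mut().take(n) {
        *w = quintic_s_box(*w);
    }
}

/// MixLayer: state <- M x state over F_p.
fn mix_layer(state: &State) -> State {
    let mut out = [0u64; T];
    for i in 0..T {
        let mut acc = 0u64;
        for j in 0..T {
            acc = (acc + MDS[i][j] * state[j]) % P;
        }
        out[i] = acc;
    }
    out
}

/// HADES permutation: R_f full rounds, R_P partial rounds, R_f full rounds.
/// The MixLayer is omitted in the last round, as the text notes it may be.
fn hades_permutation(input: State) -> State {
    let mut state = input.map(|w| w % P);
    for round in 0..ROUNDS {
        let full = round < R_F_HALF || round >= R_F_HALF + R_P;
        add_round_key(&mut state, round);
        sbox_layer(&mut state, full);
        if round + 1 < ROUNDS {
            state = mix_layer(&state);
        }
    }
    state
}

fn main() {
    println!("HADES([1, 2, 3]) = {:?}", hades_permutation([1, 2, 3]));
}
```

With these parameters the permutation evaluates $R_F\cdot t+R_P=4\cdot 3+3=15$ S-Boxes in total, against $7\cdot 3=21$ for an all-full-round design of the same length, which is the saving the partial rounds buy; in Hades252 the same accounting with $t=5$, $R_F=8$, $R_P=59$ gives $99$ S-Boxes per permutation.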