So, this talk is about lightweight multiplication in finite fields and its application to the linear layer of block ciphers. This is joint work with Torsten Kranz and Gregor Leander. You probably all know the common block cipher design of a substitution-permutation network, which is based on a round-iterated, key-alternating cipher. Every round consists of an S-box layer, made up of the parallel application of n-bit S-boxes, followed by a linear layer, which mixes the outputs of the S-boxes over the whole state. Today we focus on the construction of this linear layer. If you want to design it, the goal is always to optimize it, first in terms of security of course, and in a second step in terms of efficiency. Lots of the constructions of linear layers we know are based on so-called maximum distance separable codes, also called MDS codes, and lots of ciphers follow this approach; the well-known AES is one example. The advantage of this code-based approach is the so-called wide trail strategy, which allows for strong arguments on the security of a primitive. So let me give you an example. What does MDS matrix mean? It means that it reaches an optimal branch number over two consecutive rounds, which means that we can guarantee an optimal number of active S-boxes for differential and linear attacks. If you are not familiar with differential and linear attacks, all you have to remember in this talk is that an equivalent formulation is that every square submatrix has to be non-singular; then the matrix will be MDS. In this example, you see that if we choose a generic field element alpha, then we can make this matrix MDS for a suitable alpha. The conditions for this property can be phrased as polynomials in alpha: all you have to do is compute the determinants of all these submatrices.
Then you get a list of equations, that is, a list of polynomials of which alpha must not be a root. For example, alpha must not be equal to zero, because otherwise we would have a zero entry, which is a 1 x 1 submatrix with determinant zero; if you consider the other submatrices, you see that the other equations have to hold as well. So we have two elementary questions we want to address. The first is how to multiply by an element alpha most efficiently. The second is how to use the knowledge of efficient multiplication by a fixed element to construct lightweight MDS matrices. There is some recent related work on these questions from FSE 2015 and 2016 and, recently, from Africacrypt 2016. The FSE papers are about constructing lightweight MDS matrices under a polynomial basis for the finite field, and the Africacrypt paper focuses on the XOR count distribution of elements in more than just the polynomial basis. In this talk we also consider all possible bases for the finite field representation. So let me first go to the question of how to multiply by an element alpha most efficiently. We are given such an element and want to consider the function F_alpha, which maps an element beta to the product beta times alpha. There is a natural representation of the finite field as an n-dimensional vector space over GF(2). If we want to consider the finite field as an n-dimensional vector space, we have to choose a particular basis for this representation. Once we have chosen the basis, we can formulate this mapping as a matrix multiplication, with a matrix depending on the basis, because multiplication by a fixed element alpha is a linear function, and a linear function can be represented by a matrix multiplication.
What we need now is an appropriate metric for the efficiency of a matrix, which is called the XOR count of a matrix. We define it as follows. For an n-dimensional vector, we consider the linear function XOR_{i,j}, which XORs the j-th component into the i-th component and stores the value in the i-th component. In matrix notation, this is just the identity matrix plus one additional entry in the i-th row and the j-th column; all other entries are zero. Now we define the XOR count of an invertible matrix M as the smallest number t such that M can be represented as a product of t of these XOR factors, and we are free to apply a permutation matrix afterwards, because a permutation in hardware does not cost any extra operations. Note that we would also be free to apply permutation matrices after every XOR step, but without loss of generality we can just permute at the end. So now we know how to measure efficiency: we just compute the number of XOR operations needed to implement this matrix M_alpha. Note that for technical reasons we here restrict to XOR operations without temporary registers, that is, we use in-place operations: we are not allowed to store an intermediate value in an external register and use it afterwards; if you overwrite a value here, then it is overwritten. But this makes no difference if the XOR count is smaller than or equal to two, and since all of our constructions will have an XOR count smaller than or equal to two, this makes no difference in our case. So let me give an example of this choice-of-basis operation. If we represent our finite field in polynomial terms, meaning we represent all elements as polynomials and then compute modulo an irreducible polynomial, then we can consider the so-called polynomial basis, which is made up of the powers of x.
If we now want to multiply by the element x, then the corresponding matrix is of this form, and you can intuitively see why this is the case: multiplying a polynomial by x is just a left shift, you shift the coefficients one position to the left, and afterwards you substitute the x^4 term by x + 1, which you can see here in the last column. So this is a special kind of matrix, the so-called companion matrix of this irreducible polynomial. In general, the companion matrix is defined as follows: for a polynomial over GF(2), the companion matrix has all ones on this minor diagonal and the coefficients of the polynomial in the last column. So back to our question: for a given field element, what is the most efficient basis? We want to answer the following: which field elements can be implemented most efficiently? So we kind of turn the question around. The first step we took was to try to identify elements with an optimal XOR count based on a search. We randomly generated n x n matrices with XOR count one; we know the form of these matrices, they must be permutation matrices with one additional nonzero entry. Then we checked whether this matrix corresponds to a basis and an alpha such that M is this M_alpha, the multiplication by the element alpha. How to check this? You can come up with the following theorem, which says that a matrix corresponds to an element multiplication if and only if the minimal polynomial of this matrix is irreducible. Remember that the minimal polynomial is the polynomial of least degree such that, when you evaluate the polynomial at the matrix, it evaluates to zero. Now we can check whether this condition is fulfilled.
If we do this, you can easily see that there exists an element with an XOR count of one for GF(2^2), GF(2^3), GF(2^4), GF(2^5), GF(2^6) and GF(2^7). So the question is, does it go on forever? Unfortunately, it does not. Even in this very important field, GF(2^8), it is not possible to find an element with the lowest XOR count of one. So why is this the case? We can derive the following necessary and sufficient condition. Given an element alpha, there exists a basis such that the matrix representing multiplication by alpha has an XOR count of one if and only if the minimal polynomial of the field element is a trinomial of degree n. By trinomial I mean a polynomial of weight three, so it has three nonzero coefficients. The first direction is very easy to see: we just choose the matrix to be the companion matrix of the minimal polynomial of the field element, and by the construction of the companion matrix it consists only of a permutation matrix plus one other nonzero entry. The more interesting case is that having a trinomial of degree n is also a necessary condition. The proof idea is as follows: consider an element alpha and a basis B for the field and suppose we have a matrix with an XOR count of one. The first thing you can show is that this matrix is permutation-similar to a matrix of this form, so we know the structure of the permutation we apply. Since the XOR count is invariant under permutation similarity, we then only have to show that the minimal polynomial of this matrix is a trinomial of degree n, and this is easier because we already know the structure of this matrix. Now we see why it is clear that there are no elements with XOR count one in this field: there does not exist an irreducible trinomial of degree eight. And there are many other fields for which this is the case, for which no irreducible trinomial exists.
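As an added example (not part of the talk, and not the authors' code), the following Python script reproduces the objects just described over GF(2): the companion matrix of a polynomial, the minimal polynomial of a matrix, the irreducibility test that decides whether a matrix is a field-element multiplication, and the "permutation plus one extra entry" shape of an XOR-count-1 matrix. It then runs the search the talk mentions: enumerate matrices P(I + E_ij), keep those with an irreducible minimal polynomial, and compare with the irreducible trinomials of that degree (none for degree 8). Matrices are lists of 0/1 rows and polynomials are ints with bit i as the coefficient of x^i; all helper names are my own.

```python
# Added example, not from the talk: GF(2) matrix toolkit for the XOR-count-1
# characterisation (companion matrices, minimal polynomials, irreducible trinomials).
# Helper names are my own, not the authors'.
import random
from itertools import permutations

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(A, B):
    """Matrix product over GF(2)."""
    n = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(n)) & 1 for j in range(n)]
            for i in range(n)]

def flatten(M):
    """Pack all n*n entries into one int so matrices can be row-reduced as vectors."""
    v = 0
    for row in M:
        for bit in row:
            v = (v << 1) | bit
    return v

def min_poly(M):
    """Minimal polynomial of M, packed as an int (bit i = coefficient of x^i).
    Reduce I, M, M^2, ... against a growing GF(2) basis; the first power that
    reduces to zero yields the polynomial, tracked in `combo`."""
    basis = {}  # pivot bit -> (reduced vector, set of powers it is a sum of)
    P, k = identity(len(M)), 0
    while True:
        v, combo = flatten(P), 1 << k
        while v:
            pivot = v.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (v, combo)
                break
            v, combo = v ^ basis[pivot][0], combo ^ basis[pivot][1]
        if v == 0:
            return combo
        P, k = matmul(P, M), k + 1

def poly_mod(a, b):
    """a mod b for GF(2)[x] polynomials packed as ints."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a

def is_irreducible(p):
    """Trial division by every polynomial of degree 1..deg(p)//2."""
    d = p.bit_length() - 1
    return d >= 1 and all(poly_mod(p, q) for q in range(2, 1 << (d // 2 + 1)))

def irreducible_trinomials(n):
    """All irreducible x^n + x^k + 1 over GF(2); empty for n = 8."""
    return [p for p in ((1 << n) | (1 << k) | 1 for k in range(1, n)) if is_irreducible(p)]

def companion(p):
    """Companion matrix of monic p: multiplication by x in the polynomial basis,
    a shift (ones below the diagonal) plus the reduction of x^n in the last column."""
    n = p.bit_length() - 1
    C = [[0] * n for _ in range(n)]
    for i in range(1, n):
        C[i][i - 1] = 1
    for i in range(n):
        C[i][n - 1] = (p >> i) & 1
    return C

def xor_count_one_matrix(perm, i, j):
    """P * (I + E_ij): XOR component j into component i, then wire by the permutation."""
    M = [[int(c == perm[r]) for c in range(len(perm))] for r in range(len(perm))]
    M[perm.index(i)][j] ^= 1
    return M

def has_xor_count_one_form(M):
    """Exactly one row of weight 2, the rest weight 1, and dropping one of the two
    ones in the heavy row leaves a permutation matrix."""
    heavy = [r for r, row in enumerate(M) if sum(row) == 2]
    if len(heavy) != 1 or any(sum(row) != 1 for r, row in enumerate(M) if r != heavy[0]):
        return False
    r, ones = heavy[0], [c for c, x in enumerate(M[heavy[0]]) if x]
    for keep in ones:
        cols = [keep if rr == r else row.index(1) for rr, row in enumerate(M)]
        if len(set(cols)) == len(M):
            return True
    return False

def field_minpolys_of_xor_count_one(n, samples=None, seed=1):
    """Minimal polynomials of XOR-count-1 matrices that are field-element
    multiplications (irreducible minimal polynomial): exhaustive over all
    P(I + E_ij) when samples is None, otherwise seeded random sampling."""
    if samples is None:
        cases = [(p, i, j) for p in permutations(range(n))
                 for i in range(n) for j in range(n) if i != j]
    else:
        rng = random.Random(seed)
        cases = [(tuple(rng.sample(range(n), n)), *rng.sample(range(n), 2))
                 for _ in range(samples)]
    return {m for m in (min_poly(xor_count_one_matrix(p, i, j)) for p, i, j in cases)
            if is_irreducible(m)}

if __name__ == "__main__":
    for n in range(2, 9):
        print(n, [bin(t) for t in irreducible_trinomials(n)])
    C = companion(0b10011)  # x^4 + x + 1, the polynomial of the talk's example
    print(has_xor_count_one_form(C), bin(min_poly(C)))
    print({bin(m) for m in field_minpolys_of_xor_count_one(4)})  # the two degree-4 trinomials
    print(field_minpolys_of_xor_count_one(8, samples=500))       # nothing: no XOR-count-1 element
```

For n = 4 the exhaustive run over all 288 matrices P(I + E_ij) returns exactly x^4 + x + 1 and x^4 + x^3 + 1, the two irreducible trinomials of degree 4, matching the theorem; for n = 8 the sampled run finds no matrix with an irreducible minimal polynomial, which is what the absence of an irreducible degree-8 trinomial predicts.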
For example, by a result of Swan from 1962, there are no irreducible trinomials of degree 8k for any natural number k. So for all these fields we cannot find elements with an XOR count equal to one. Another thing we investigated is, if there are elements with an XOR count of one, how many such elements are there in a field for a fixed basis? You can see that there are at most two elements with an XOR count of one, and the other element is necessarily the multiplicative inverse of the first element, for a fixed basis. So what about an XOR count of two? We have now characterized elements with an XOR count of one; what about higher XOR counts? In fact, it turns out to be very difficult to understand the structure here, so we only have experimental results. In particular, for any field dimension up to 2048 for which no irreducible trinomial of this degree exists, we found an element alpha and a basis such that the XOR count of this element is equal to two. Because of our necessary and sufficient condition for an XOR count of one, these results are proven to be optimal. So we found optimal XOR counts for fields up to GF(2^2048). It is open to characterize elements with higher XOR count in general, because the structure seems to be quite difficult to capture. What we conjecture is that if we want to have an XOR count of two, then the minimal polynomial of the element has to be of weight smaller than or equal to five, because in all our experiments, if we have an XOR count of two, then we always have a pentanomial or a trinomial in a subfield. It is also interesting to see that if we are in a subfield, which means that the minimal polynomial does not have full degree, then the XOR count can never be one. If you go to higher fields, for example GF(2^8), then the XOR counts of the subfield elements are among the highest XOR counts, which is quite interesting.
What is also interesting is that not every minimal pentanomial leads to an XOR count of two; there are pentanomials which have a minimal XOR count of three, which indicates that this structure is not that easy to see. So now let me come to our next question: how to use the knowledge of the lightweight field elements to construct lightweight MDS matrices. Let me come back to the example. In this example we have a generic element alpha, and what we want to do is replace this generic element by elements with the lightest XOR count, in order to reduce the XOR count of this MDS matrix. So our goal is to minimize the overhead for the multiplications. Why? Because you always have a static part for summing up the exponentiation results, and what you can optimize is the overhead for these multiplications. We concentrate here on circulant matrices with powers of an element alpha. If we denote the XOR count of some element by the symbol wt⊕, then the XOR count of alpha^(±k) is bounded by k times the XOR count of alpha. This is because the XOR count is the same for the inverse, and you can always implement alpha k times and then you have implemented alpha^k. So we did a generic search for MDS matrix dimensions up to 8 x 8. If we denote the sum of the absolute values of the exponents k by w, then our algorithm is as follows. We search for w from 1 up to a predefined value w_max and construct all circulant matrices with entries alpha to some power such that the absolute values of the exponents sum up to w. Then we can bound the XOR count overhead per row by w times the XOR count of alpha. So the algorithm returns an MDS matrix M with the smallest number w.
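As an added example (not part of the talk, and not the authors' code), here is the circulant search just described, written out in Python over GF(2^n) in polynomial basis: field arithmetic on packed ints, a determinant over the field, the "every square submatrix is non-singular" MDS check from the start of the talk, the search over exponent vectors ordered by w = sum |k_i|, and the resulting XOR-count bound (static summation cost plus w times wt⊕(alpha) per row). It uses the talk's GF(2^4) example with x^4 + x + 1 and alpha = x, whose multiplication matrix is the companion matrix and therefore has XOR count 1; the AES field is used only as a known MDS reference. Helper names are my own.

```python
# Added example, not from the talk: circulant MDS search with entries alpha^k over
# GF(2^n) in polynomial basis, plus the XOR-count bound. Helper names are my own.
from itertools import combinations, product

class GF2n:
    """GF(2^n) = GF(2)[x]/(modulus); elements are ints, bit i = coefficient of x^i."""
    def __init__(self, modulus):
        self.mod, self.n = modulus, modulus.bit_length() - 1

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.n) & 1:
                a ^= self.mod  # reduce x^n by the modulus
        return r

    def pow(self, a, k):
        """a^k for any integer k; a^-1 = a^(2^n - 2) since a^(2^n - 1) = 1."""
        if k < 0:
            a, k = self.pow(a, (1 << self.n) - 2), -k
        r = 1
        while k:
            if k & 1:
                r = self.mul(r, a)
            a, k = self.mul(a, a), k >> 1
        return r

    def det(self, M):
        """Determinant by Gaussian elimination; in characteristic 2 row swaps need no sign."""
        M, d = [row[:] for row in M], 1
        for c in range(len(M)):
            piv = next((r for r in range(c, len(M)) if M[r][c]), None)
            if piv is None:
                return 0
            M[c], M[piv] = M[piv], M[c]
            d, inv = self.mul(d, M[c][c]), self.pow(M[c][c], -1)
            for r in range(c + 1, len(M)):
                if M[r][c]:
                    f = self.mul(M[r][c], inv)
                    M[r] = [x ^ self.mul(f, y) for x, y in zip(M[r], M[c])]
        return d

def circulant(first_row):
    """circ(a_0, ..., a_{m-1}): each row is the previous one rotated right by one."""
    return [first_row[-i:] + first_row[:-i] for i in range(len(first_row))]

def is_mds(F, M):
    """MDS iff every square submatrix is non-singular (the talk's equivalent formulation)."""
    m = len(M)
    return all(F.det([[M[r][c] for c in cols] for r in rows]) != 0
               for size in range(1, m + 1)
               for rows in combinations(range(m), size)
               for cols in combinations(range(m), size))

def lightest_circulant_mds(F, alpha, m, w_max):
    """The talk's search: for w = 0, 1, ..., w_max try every circ(alpha^k_0, ..., alpha^k_{m-1})
    with sum |k_i| = w and return the first MDS one, i.e. one with the smallest w."""
    for w in range(w_max + 1):
        for ks in product(range(-w, w + 1), repeat=m):
            if sum(map(abs, ks)) != w:
                continue
            M = circulant([F.pow(alpha, k) for k in ks])
            if is_mds(F, M):
                return w, ks, M
    return None

def xor_count_bound(m, n, w, xor_alpha):
    """Total XOR count of an m x m matrix over GF(2^n): the static part m*(m-1)*n for
    summing the m products of each row, plus the multiplication overhead, at most
    w * xor(alpha) per row because xor(alpha^(+-k)) <= |k| * xor(alpha)."""
    return m * (m - 1) * n + m * w * xor_alpha

if __name__ == "__main__":
    F16 = GF2n(0b10011)      # x^4 + x + 1, as in the talk's example
    alpha = 0b10             # alpha = x: XOR count 1 (companion matrix of a trinomial)
    w, ks, M = lightest_circulant_mds(F16, alpha, 4, 6)
    print("smallest w:", w, "exponents:", ks, "rows:", M)
    print("XOR count bound:", xor_count_bound(4, 4, w, 1))
    F256 = GF2n(0x11B)       # AES field; MixColumns circ(2, 3, 1, 1) is a known MDS matrix
    print(is_mds(F256, circulant([2, 3, 1, 1])), is_mds(F16, circulant([1, 1, 1, 1])))
```

Over GF(2^4) with alpha = x the search stops at w = 3: every circulant with w <= 2 has two equal entries or a pair of entries whose product is 1 and so contains a singular 2 x 2 submatrix, while for instance circ(1, 1, alpha, alpha^-2) passes all 69 minor checks. With wt⊕(alpha) = 1 the bound is 4 * 3 * 4 + 4 * 3 = 60 XORs for the whole 4 x 4 matrix, 48 of which are the unavoidable row sums.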
In our cases this leads to slightly lighter MDS matrices than those known so far from the FSE 2015 and 2016 papers, so we are able to slightly reduce the XOR count here if we use the knowledge of how to choose different bases for the representation of the finite fields. So this concludes my talk, and thanks for your attention.