Suyash Bagad
Cryptography Engineer
UltraPlonk: Part II
Crypto Study Club
28th Sept 2022
Blake2s Basics
\texttt{blake2s}(
``
\texttt{\textcolor{grey}{The quick brown fox jumps over the lazy dog}}
"
) =
\texttt{\textcolor{grey}{606beeec743ccbeff6cbcdf5d5302aa855c256c29b88c8ed331ea1a6bf3c8812}}
- Blake2s hash function improves upon BLAKE (SHA-3 finalist)
- Input byte-length \(l \le 2^{64}\), fixed output byte-length \(L=32\)
\texttt{\textcolor{grey}{The quick brown fox jumps over the lazy dog}}
- Blake2s hash function improves upon BLAKE (SHA-3 finalist)
- Input byte-length \(l \le 2^{64}\), fixed output byte-length \(L=32\)
m^{0}
Blake2s Basics
\texttt{\textcolor{grey}{The quick brown fox jumps over the lazy dog}}
- Blake2s hash function improves upon BLAKE (SHA-3 finalist)
- Input byte-length \(l \le 2^{64}\), fixed output byte-length \(L=32\)
m^{0}
m^{1}
Blake2s Basics
\texttt{\textcolor{grey}{The quick brown fox jumps over the lazy dog}}
- Blake2s hash function improves upon BLAKE (SHA-3 finalist)
- Input byte-length \(l \le 2^{64}\), fixed output byte-length \(L=32\)
m^{0}
m^{1}
m^{2}
Blake2s Basics
\texttt{\textcolor{grey}{The quick brown fox jumps over the lazy dog}}
- Blake2s hash function improves upon BLAKE (SHA-3 finalist)
- Input byte-length \(l \le 2^{64}\), fixed output byte-length \(L=32\)
m^{0}
m^{1}
m^{2}
m^7
\dots
\textcolor{grey}{\texttt{00000}}
f
h^0 = \textsf{IV}
f
h^1
f
h^2
\dots
f
h^7
H(s)
Blake2s Basics
Blake2s Compression
m^{i}
h^i
f
\textsf{round}_1
\textsf{round}_2
\textsf{round}_3
\textsf{round}_{10}
\vdots
G(0), G(1), \dots, G(7)
G(0), G(1), \dots, G(7)
G(0), G(1), \dots, G(7)
G(0), G(1), \dots, G(7)
\vdots
- Each compression contains 10 rounds
- Each round contains 8 calls of function \(G\)
- A total of \(10\times 8 = 80\) calls to \(G(a,b,c,d | m^i)\):
- Internal state \(V\) is initialised as:
V =
\begin{pmatrix}
v_0 & v_1 & v_2 & v_3 \\
v_4 & v_5 & v_6 & v_7 \\
v_8 & v_9 & v_{10} & v_{11} \\
v_{12} & v_{13} & v_{14} & v_{15} \\
\end{pmatrix}
\leftarrow
\begin{pmatrix}
h_0^i & h_1^i & h_2^i & h_3^i \\
h_4^i & h_5^i & h_6^i & h_7^i \\
\text{IV}_0 & \text{IV}_1 & \text{IV}_2 & \text{IV}_{3} \\
t_0 \oplus \text{IV}_{4} & t_1 \oplus \text{IV}_{5} & f_0 \oplus \text{IV}_{6} & f_1 \oplus \text{IV}_{7} \\
\end{pmatrix}
\begin{aligned}
a &\leftarrow a + b + m_{\sigma_r[2i]} \\
d &\leftarrow \text{ROTR}^{16}(d \oplus a) \\
c &\leftarrow c+d \\
b &\leftarrow \text{ROTR}^{12}(b \oplus c)
\end{aligned}
\begin{aligned}
a &\leftarrow a + b + m_{\sigma_r[2i+1]} \\
d &\leftarrow \text{ROTR}^{8}(d \oplus a) \\
c &\leftarrow c+d \\
b &\leftarrow \text{ROTR}^{7}(b \oplus c) \\
\end{aligned}
- We need the following operations to be performed in the circuit
Blake2s Using Lookups
\begin{aligned}
a \oplus b &=
00
110011
001010
111011
010001
110011
\\[5pt]
\text{ROTR}^{16}(a \oplus b) &=
\underbrace{\textcolor{red}{1011}
\textcolor{red}{010001}
\textcolor{red}{110011} }_{16}
00
110011
001010
11 \\
\text{ROTR}^{12}(a \oplus b) &=
\underbrace{\textcolor{red}{010001}
\textcolor{red}{110011} }_{12}
00
110011
001010
111011 \\
\text{ROTR}^{8}(a \oplus b) &=
\underbrace{ \textcolor{red}{01}
\textcolor{red}{110011} }_{8}
00
110011
001010
111011
0100
\\
\text{ROTR}^{7}(a \oplus b) &=
\underbrace{ \textcolor{red}{1}
\textcolor{red}{110011} }_{7}
00
110011
001010
111011
01000
\end{aligned}
\begin{aligned}
a &=
10 110100 101000 000010 100000 100011
\\[1pt]
b &=
10 000111 100010 111001 110000 010000
\end{aligned}
- How do we design lookup tables for these?
- Goal: create slices to minimise non-linear terms
- Lets try slice size to be 7:
Blake2s Using Lookups
\begin{aligned}
a \oplus b &=
\textcolor{lightgreen}{0011} \ \textcolor{grey}{\|} \
\textcolor{pink}{0011001} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{0101110} \ \textcolor{grey}{\|} \
\textcolor{orange}{1101000} \ \textcolor{grey}{\|} \
\textcolor{yellow}{1110011}
\\[5pt]
\text{ROTR}^{16}(a \oplus b) &=
\underbrace{
\textcolor{skyblue}{10} \ \textcolor{grey}{\|} \
\textcolor{orange}{1101000} \ \textcolor{grey}{\|} \
\textcolor{yellow}{1110011}
}_{16} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{0011} \ \textcolor{grey}{\|} \
\textcolor{pink}{0011001} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{01011}
\\
\text{ROTR}^{12}(a \oplus b) &=
\underbrace{
\textcolor{orange}{01000} \ \textcolor{grey}{\|} \
\textcolor{yellow}{1110011}
}_{12} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{0011} \ \textcolor{grey}{\|} \
\textcolor{pink}{0011001} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{0101110} \ \textcolor{grey}{\|} \
\textcolor{orange}{11}
\\
\text{ROTR}^{8}(a \oplus b) &=
\underbrace{
\textcolor{orange}{0} \ \textcolor{grey}{\|} \
\textcolor{yellow}{1110011}
}_{8}\ \textcolor{grey}{\|} \
\textcolor{lightgreen}{0011} \ \textcolor{grey}{\|} \
\textcolor{pink}{0011001} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{0101110} \ \textcolor{grey}{\|} \
\textcolor{orange}{110100}
\\
\text{ROTR}^{7}(a \oplus b) &=
\underbrace{
\textcolor{yellow}{1110011}
}_{7}\ \textcolor{grey}{\|} \
\textcolor{lightgreen}{0011} \ \textcolor{grey}{\|} \
\textcolor{pink}{0011001} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{0101110} \ \textcolor{grey}{\|} \
\textcolor{orange}{1101000}
\end{aligned}
\texttt{// non-linear }
\text{ROTR}^{2}
\texttt{// non-linear }
\text{ROTR}^{5}
\texttt{// non-linear }
\text{ROTR}^{1}
\texttt{// linear }
\text{XOR}
- Here, we need to implement:
- Total table size:
- Can we reduce the table size by tweaking the slice size?
2^{4 \times 2} +
2^{7 \times 2} +
2^{7 \times 2} +
2^{7 \times 2} +
2^{7 \times 2} = 65792
\text{XOR}, \
\text{ROTR}^1, \
\text{ROTR}^2, \
\text{ROTR}^5, \
Blake2s Using Lookups
- Lets try slice size to be 6:
\begin{aligned}
a \oplus b &=
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{111011} \ \textcolor{grey}{\|} \
\textcolor{orange}{010001} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
\\[5pt]
\text{ROTR}^{16}(a \oplus b) &=
\underbrace{
\textcolor{skyblue}{1011} \ \textcolor{grey}{\|} \
\textcolor{orange}{010001} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
}_{16} \ \textcolor{grey}{\|} \
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{11}
\\
\text{ROTR}^{12}(a \oplus b) &=
\underbrace{
\textcolor{orange}{010001} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
}_{12} \ \textcolor{grey}{\|} \
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{111011}
\\
\text{ROTR}^{8}(a \oplus b) &=
\underbrace{
\textcolor{orange}{01} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
}_{8}\ \textcolor{grey}{\|} \
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{111011} \ \textcolor{grey}{\|} \
\textcolor{orange}{0100}
\\
\text{ROTR}^{7}(a \oplus b) &=
\underbrace{
\textcolor{orange}{1} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
}_{7}\ \textcolor{grey}{\|} \
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{111011} \ \textcolor{grey}{\|} \
\textcolor{orange}{01000}
\end{aligned}
\texttt{// non-linear }
\text{ROTR}^{4}
\texttt{// linear }
\text{XOR}
\texttt{// non-linear }
\text{ROTR}^{2}
\texttt{// non-linear }
\text{ROTR}^1
- Here, we need to implement:
- Total table size:
2^{2 \times 2} +
2^{6 \times 2} +
2^{6 \times 2} +
2^{6 \times 2} +
2^{6 \times 2} = 16400
\text{ROTR}^{1},
\text{ROTR}^{2},
\text{ROTR}^{4},
\text{XOR}
Blake2s Using Lookups
\begin{aligned}
\text{ROTR}^{16}(a \oplus b) &=
\underbrace{
\textcolor{skyblue}{1011} \ \textcolor{grey}{\|} \
\textcolor{orange}{010001} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
}_{16} \ \textcolor{grey}{\|} \
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{11}
\end{aligned}
- Multi-table 1: \(\text{ROTR}^{16}(a \oplus b)\)
\begin{aligned}
a \oplus b &=
\textcolor{red}{00} \ \textcolor{grey}{\|} \
\textcolor{lightgreen}{110011} \ \textcolor{grey}{\|} \
\textcolor{pink}{001010} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{111011} \ \textcolor{grey}{\|} \
\textcolor{orange}{010001} \ \textcolor{grey}{\|} \
\textcolor{yellow}{110011}
\end{aligned}
- Linear shifts can be handled by scaling of slices by constants
\text{ROTR}^{16} \equiv
\Big\{
\textcolor{red}{\text{XOR}_2} \ \textcolor{grey}{\|} \
\textcolor{green}{\text{XOR}_6} \ \textcolor{grey}{\|} \
\textcolor{pink}{\text{XOR}_6} \ \textcolor{grey}{\|} \
\textcolor{skyblue}{\text{ROTR}^{4}} \ \textcolor{grey}{\|} \
\textcolor{orange}{\text{XOR}_6} \ \textcolor{grey}{\|} \
\textcolor{yellow}{\text{XOR}_6}
\Big\}
s_0
s_1
s_2
s_3
s_4
s_5
\begin{aligned}
\text{ROTR}^{16}(a \oplus b) &:=
\end{aligned}
2^{14}
+
2^{8}
2^{2}
2^{0}
2^{16}
2^{22}
+
+
+
+
- Similarly, we will have 3 more multi-tables
- Now lets dive into the code!
UltraPlonk: Part 2
By Suyash Bagad
UltraPlonk: Part 2
High-level summary of how Aztec works.
- 97
