1
Implementing Lattice-Based Cryptography on Embedded Devices
Thomas Pöppelmann (thomas.poeppelmann@rub.de), Hardware Security Group, Horst Görtz Institute for IT Security
Summer school on real-world crypto and privacy, 05.06.2015
2
Outline
Motivation
Ring-learning with errors (RLWE)
Public-key encryption based on RLWE
Area-optimized implementation
High-performance implementation
3
Outline (section: Motivation)
4
Why Implementation of Lattices?
Why focus on lattice-based cryptography?
– We get signatures and public-key encryption out of lattices, and more (IBE, FHE)
– A lot of development on the theory side; schemes are getting better and better
– Implementation of lattices is a young field; only done for 3-4 years now (except for NTRU)
5
Implementation
Conditions that have to be met for implementation
– Parameters, parameters, parameters
– Security level should be known
What are the goals?
– Throughput, latency, and power/energy
– Code size/area (drives costs)
– Small key, ciphertext, and signature size
Cross-disciplinary work and interaction between engineers and cryptographers required
– Parameter selection and design decisions can make schemes more efficient but also weaker
6
To be Ideal or not Ideal? (Random lattices | Ideal lattices)
Two important lines of research: random lattices and ideal lattices
Big impact on implementation (on theory not that much)
Security of random lattices is better understood (ideal lattices are more structured)
Implementation of random-lattice signatures: High-speed signatures from standard lattices, Özgür Dagdelen, Rachid El Bansarkhani, Florian Göpfert, Tim Güneysu, Tobias Oder, Thomas Pöppelmann, Ana Helena Sánchez, Peter Schwabe, Latincrypt'14
7
Outline (section: Ring-learning with errors)
8
Learning with Errors: solving a system of linear equations (slides stolen from the talk by Douglas Stebila at RWC'15)
Working modulo 13, the slide shows a 7x4 matrix and a result vector (blue, given) and a secret (red, to be learned):
matrix rows: (4, 1, 11, 10), (5, 5, 9, 5), (3, 9, 0, 10), (1, 3, 3, 2), (12, 7, 3, 4), (6, 5, 11, 4), (3, 3, 5, 0)
result: (4, 8, 1, 10, 4, 12, 9); secret: (6, 9, 11, 11)
Without noise this is an ordinary linear system: use Gaussian elimination to recover the secret.
9
Learning with Errors: same matrix and secret, but now a small random noise (the slide's noise vector starts 0, 1, 1, 1, 0, ...) is added to every equation
Blue is given; find red => learning with errors
The noisy result looks random, and Gaussian elimination no longer recovers the secret. (slides stolen from the talk by Douglas Stebila at RWC'15)
10
(Ring) Learning with Errors: from learning with errors to ring-learning with errors
Modulo 13 the matrix is now generated from a single row (4, 1, 11, 10): each further row is the previous one shifted right by one with the wrapped coefficient negated, giving (3, 4, 1, 11), (2, 3, 4, 1), (12, 2, 3, 4).
Only one line has to be stored.
11
Ring Learning with Errors
random polynomial x small secret (Gaussian) + small error (Gaussian) = random-looking polynomial (the slide shows the coefficient vectors)
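The two learning-with-errors slides and the ring slide can be worked through in code. The following Python is an added example, not code from the talk: it uses the numbers recoverable from the slides (the 7x4 matrix and secret (6, 9, 11, 11) modulo 13, and the polynomial (4, 1, 11, 10) whose negacyclic rotations form the ring matrix). The noise vector is constructed here, because the slide's own noise values are only partly legible. It shows that Gaussian elimination recovers the secret from the noise-free system, that the same elimination fails once small errors are added, and that the ring matrix needs only one stored row because a row vector times that matrix is a polynomial product modulo x^n + 1.

```python
# Added example: LWE vs. ring-LWE on the toy numbers from the slides (modulo 13).
Q = 13

# 7 x 4 matrix and secret as shown on the "Learning with Errors" slides.
A = [[4, 1, 11, 10], [5, 5, 9, 5], [3, 9, 0, 10], [1, 3, 3, 2],
     [12, 7, 3, 4], [6, 5, 11, 4], [3, 3, 5, 0]]
S = [6, 9, 11, 11]
E = [0, 1, 1, 1, 0, -1, 1]    # constructed small noise; the slide shows 0 1 1 1 0 ...

def matvec(M, v, q):
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]

def lwe_samples(M, s, e, q):
    """Result vector M*s + e (mod q); with e = 0 this is a plain linear system."""
    return [(x + y) % q for x, y in zip(matvec(M, s, q), e)]

def solve_mod(M, b, q):
    """Gaussian elimination over Z_q (q prime). Returns the unique solution of
    M x = b, or None if the system is inconsistent or underdetermined."""
    rows, cols = len(M), len(M[0])
    aug = [[v % q for v in row] + [bi % q] for row, bi in zip(M, b)]
    rank = 0
    for c in range(cols):
        piv = next((r for r in range(rank, rows) if aug[r][c]), None)
        if piv is None:
            continue
        aug[rank], aug[piv] = aug[piv], aug[rank]
        inv = pow(aug[rank][c], -1, q)
        aug[rank] = [v * inv % q for v in aug[rank]]
        for r in range(rows):
            if r != rank and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[rank])]
        rank += 1
    if rank < cols or any(row[cols] for row in aug[rank:]):
        return None
    return [aug[i][cols] for i in range(cols)]

def negacyclic_matrix(a, q):
    """The ring-LWE matrix of the slide: row i is a shifted right by i, with the
    wrapped coefficients negated (x^n = -1). Only a itself needs to be stored."""
    n = len(a)
    return [[a[j - i] % q if j >= i else (-a[n + j - i]) % q for j in range(n)]
            for i in range(n)]

def vecmat(s, M, q):
    """Row vector times matrix: s * M (the slide's orientation)."""
    return [sum(x * M[i][j] for i, x in enumerate(s)) % q for j in range(len(M[0]))]

def polymul_negacyclic(f, g, q):
    """f * g mod (x^n + 1, q) by schoolbook multiplication."""
    n = len(f)
    h = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                h[i + j] = (h[i + j] + f[i] * g[j]) % q
            else:
                h[i + j - n] = (h[i + j - n] - f[i] * g[j]) % q
    return h

if __name__ == "__main__":
    b = lwe_samples(A, S, [0] * 7, Q)
    print("noise-free result", b, "-> recovered secret", solve_mod(A, b, Q))
    b_noisy = lwe_samples(A, S, E, Q)
    print("noisy result     ", b_noisy, "-> elimination gives", solve_mod(A, b_noisy, Q))
    ring = negacyclic_matrix([4, 1, 11, 10], Q)
    print("ring matrix rows:", ring)
    print("s*M equals a*s mod x^4+1:",
          vecmat(S, ring, Q) == polymul_negacyclic([4, 1, 11, 10], S, Q))
```

With the noise added, `solve_mod` either reports an inconsistent system or returns a vector that is not the secret; the seven noise-free equations, by contrast, pin the secret down uniquely. The ring matrix reproduces the four rows shown on the slide, and multiplying the secret as a row vector by it gives exactly the negacyclic polynomial product, which is why an implementation stores and multiplies polynomials rather than matrices.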
15
Discrete Gaussian Distribution
Uniform x Gaussian = Uniform (a uniform polynomial times a small Gaussian one still looks uniform)
Gaussian x Gaussian = larger Gaussian (the product of two small polynomials is still small, but wider)
16
Gaussian Sampling: Options
– Rejection sampling
– Bernoulli sampling
– Knuth-Yao sampling
– Cumulative distribution table (CDT) sampling
[DG14] Efficient sampling from discrete Gaussians for lattice-based cryptography on a constrained device, Dwarakanath and Galbraith, Applicable Algebra in Engineering, Communication and Computing, 2014
[DDLL14] Lattice Signatures and Bimodal Gaussians, Léo Ducas, Alain Durmus, Tancrède Lepoint and Vadim Lyubashevsky, CRYPTO 2013
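Of the four sampler options listed, the cumulative distribution table is the one whose structure is easiest to see in a few lines. The following Python is an added example, not code from the talk or from [DG14]: it builds a CDT for a discrete Gaussian with tail cut at 12 sigma and 32-bit table entries (both choices are this example's assumptions), draws samples with a data-independent linear scan, and checks the empirical mean and variance. The sigma used in the demo, 4.51, is the one belonging to the n = 256 parameter set used in this line of work (s = 11.31 divided by sqrt(2 pi)); the slide itself does not state it.

```python
# Added example: cumulative distribution table (CDT) sampling of a discrete Gaussian.
import math
import random

def build_cdt(sigma, tail=12, prec=32):
    """Table entry i is P(|X| <= i), scaled to prec bits, for a discrete Gaussian
    with standard deviation sigma cut off at tail*sigma. The weight of 0 is halved
    because a separate sign bit is drawn for every sample, so +0 and -0 together
    get the full probability of zero."""
    bound = math.ceil(tail * sigma)
    rho = [math.exp(-(x * x) / (2 * sigma * sigma)) for x in range(bound + 1)]
    rho[0] /= 2
    total = sum(rho)
    table, acc = [], 0.0
    for r in rho:
        acc += r
        table.append(round(acc / total * (1 << prec)))
    table[-1] = 1 << prec      # every prec-bit random value now falls inside the table
    return table

def sample_cdt(table, rng, prec=32):
    """One sample: x is the number of cumulative entries not exceeding a uniform
    prec-bit value, i.e. the smallest x with table[x] > r. The scan always visits
    every entry, so the number of steps does not depend on the value sampled; a
    binary search would be faster, but its memory access pattern reveals the
    magnitude of the sample (see the SPA-on-sampler sketch at the end of the talk).
    In a real implementation the comparison itself must be branch-free as well."""
    r = rng.getrandbits(prec)
    x = sum(1 for t in table if t <= r)
    return -x if rng.getrandbits(1) else x

def sample_many(sigma, count, seed):
    """count samples from a seeded generator (deterministic, for the demo only)."""
    rng = random.Random(seed)
    table = build_cdt(sigma)
    return [sample_cdt(table, rng) for _ in range(count)]

def mean_var(xs):
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / len(xs)

if __name__ == "__main__":
    sigma = 11.31 / math.sqrt(2 * math.pi)        # about 4.51, the n = 256 parameter set
    table = build_cdt(sigma)
    print("table entries:", len(table), "P(X = 0) =", table[0] / 2 ** 32)
    m, v = mean_var(sample_many(sigma, 20000, seed=1))
    print("empirical mean %.3f, variance %.2f (sigma^2 = %.2f)" % (m, v, sigma ** 2))
```

Two checks worth keeping in mind when porting this to a device: the table must be monotone and end exactly at 2^prec, otherwise some random values fall off the end, and the probability of zero read off the first entry should match 1/(sigma sqrt(2 pi)) to within the table precision. The time to produce one sample is the same for every outcome here; Knuth-Yao and rejection sampling do not have that property without extra care.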
17
Outline (section: Public-key encryption based on RLWE)
18
Ring-LWE Encryption: Scheme [LP11/LPR10] (diagram of the polynomial multiplications and additions; the operands are labelled large and small)
19
Ring-LWE Encryption: Parameters (slides 19 and 20; parameter tables)
21
Outline (section: Area-optimized implementation)
22
Simple Implementation of RLWE-Encryption

```c
#include <stdint.h>

#define N 256              /* polynomial degree n; the talk uses n = 256 and n = 512 */
#define Q 7681             /* modulus q for n = 256 (the slide leaves q to the parameter table) */

typedef int32_t poly[N];   /* 32-bit coefficients: a[i] * e1[j] (< 2^26) cannot overflow */

static const int n = N, q = Q;

/* Discrete Gaussian sampler from the previous section; its body is not on this slide. */
void gauss_poly(poly r);

static void poly_init(poly r, int32_t v, int len) {
    for (int k = 0; k < len; k++) r[k] = v;
}

/* Reduce into [0, q). The argument can be negative: e1 has negative coefficients
   and the negacyclic wrap subtracts products. */
static int32_t modq(int32_t x) {
    x %= q;
    return x < 0 ? x + q : x;
}

/* c1 = a*e1 + e2,  c2 = p*e1 + e3 + encode(m), with bit 1 encoded as q/2 */
void encrypt(poly a, poly p, unsigned char *plaintext, poly c1, poly c2) {
    int i, j;
    poly e1, e2, e3;
    gauss_poly(e1); gauss_poly(e2); gauss_poly(e3);
    poly_init(c1, 0, n);   /* init with 0 */
    poly_init(c2, 0, n);   /* init with 0 */
    for (i = 0; i < n; i++) {                 /* schoolbook multiplication loops */
        for (j = 0; j < n; j++) {             /* x^n = -1: products that wrap are subtracted */
            c1[(i + j) % n] = modq(c1[(i + j) % n] + (a[i] * e1[j] * (i + j >= n ? -1 : 1)));
            c2[(i + j) % n] = modq(c2[(i + j) % n] + (p[i] * e1[j] * (i + j >= n ? -1 : 1)));
        }
        c1[i] = modq(c1[i] + e2[i]);
        c2[i] = (plaintext[i >> 3] & (1 << (i % 8))) ? modq(c2[i] + e3[i] + q / 2)
                                                     : modq(c2[i] + e3[i]);
    }
}
```

Code will be made available: https://www.sha.rub.de/research/projects/lattice/
This has to be fast
23
Results in Software
Implementation of RLWE encryption on the 8-bit AVR ATxmega processor running at 32 MHz (table; SchoolMul = schoolbook multiplication)
Encryption is two multiplications and decryption one
24
Hardware Implementation: Low Area
We can't do much about the RAMs
Multiplication (DSP)
Modular reduction (power of two possible)
25
Hardware Implementation: Low Area
Post-place-and-route performance on a Spartan-6 LX9 FPGA (table)
Area savings by power-of-two modulus
26
Ring-LWE: Can we do better?
27
Outline
Motivation
Ring-learning with errors (RLWE)
Public-key encryption based on RLWE
Area-optimized implementation
High-performance implementation
– The number theoretic transform (NTT)
– Usage of the NTT for lattice-based crypto
– Optimization of the NTT
28
Outline (section: High-performance implementation, the number theoretic transform)
29
Polynomial Multiplication Using the NTT
30
NTT for Lattice Crypto / Convolution Theorem
31
Negative Wrapped / Negacyclic Convolution
32
Efficient Computation of the NTT (Textbook) (butterfly diagram; twiddle factors)
33
Outline (section: Usage of the NTT for lattice-based crypto)
34
Implementation of Ring-LWE Encryption
Keys are stored in the frequency domain
Decryption is just one inverse transformation
35
Implementation of Ring-LWE Encryption (continued)
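The scheme slide, the negacyclic-convolution slides and the two implementation slides above fit together in one piece of code. The following Python is an added example and not the talk's implementation: it performs ring-LWE encryption with every polynomial product done through a negacyclic NTT, keeps public key, secret key and ciphertext in the NTT domain, and decrypts with a single inverse transform. The parameters n = 256, q = 7681 and Gaussian parameter s = 11.31 (sigma about 4.51) are the ones used for the 256-coefficient set in this line of work and are this example's assumption, since the slides show them only in a table. The NTT folds the powers of the 2n-th root of unity into the butterflies (a Cooley-Tukey forward transform and a Gentleman-Sande inverse), which removes the separate pre- and post-scaling passes of the textbook negacyclic convolution; this is a standard formulation and is not claimed to be exactly the optimization shown on the talk's later slides. Noise is drawn by rejection sampling, the simplest of the sampler options listed earlier, and `noise_margin` exposes how close a ciphertext came to the decryption-error threshold q/4.

```python
# Added example (not the talk's code): ring-LWE encryption with a negacyclic NTT,
# keys and ciphertexts kept in the NTT domain, decryption = one inverse transform.
import math
import random

N, Q = 256, 7681                          # assumed parameters (n, q) of the 256 set
SIGMA = 11.31 / math.sqrt(2 * math.pi)    # s = 11.31 -> sigma about 4.51
LOG_N = N.bit_length() - 1

def _bitrev(x, bits):
    return int(format(x, f"0{bits}b")[::-1], 2)

def _primitive_2n_root(n, q):
    # psi^n = -1 (mod q) forces order exactly 2n, i.e. x^n + 1 splits over Z_q
    return next(x for x in range(2, q) if pow(x, n, q) == q - 1)

PSI = _primitive_2n_root(N, Q)
N_INV = pow(N, -1, Q)
# twiddle factors psi^bitrev(i), precomputed once and stored
PSI_REV = [pow(PSI, _bitrev(i, LOG_N), Q) for i in range(N)]
PSI_INV_REV = [pow(PSI, -_bitrev(i, LOG_N), Q) for i in range(N)]

def ntt(a):
    """Cooley-Tukey NTT, standard-order input, bit-reversed output. Twiddles are
    powers of psi (a 2n-th root), which folds the psi^i scaling of the negacyclic
    convolution into the butterflies: no separate scaling pass."""
    a = list(a)
    t, m = N, 1
    while m < N:
        t //= 2
        for i in range(m):
            s = PSI_REV[m + i]
            for j in range(2 * i * t, 2 * i * t + t):
                u, v = a[j], a[j + t] * s % Q
                a[j], a[j + t] = (u + v) % Q, (u - v) % Q
        m *= 2
    return a

def intt(a):
    """Gentleman-Sande inverse, bit-reversed input, standard-order output; the
    psi^-i post-scaling and the factor 1/n are included."""
    a = list(a)
    t, m = 1, N
    while m > 1:
        h = m // 2
        for i in range(h):
            s = PSI_INV_REV[h + i]
            for j in range(2 * i * t, 2 * i * t + t):
                u, v = a[j], a[j + t]
                a[j], a[j + t] = (u + v) % Q, (u - v) * s % Q
        t *= 2
        m = h
    return [x * N_INV % Q for x in a]

def pointwise(a, b):
    return [x * y % Q for x, y in zip(a, b)]

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def gauss_poly(rng, sigma):
    """Discrete Gaussian coefficients by plain rejection sampling (one of the
    sampler options in the talk); fine for a demo, far too slow for a device."""
    bound, out = int(12 * sigma), []
    while len(out) < N:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2 * sigma * sigma)):
            out.append(x % Q)
    return out

def keygen(rng, sigma=SIGMA):
    """pk = (a, p = r1 - a*r2), sk = r2, all stored in the NTT domain."""
    a_hat = [rng.randrange(Q) for _ in range(N)]     # uniform in either domain
    r1_hat, r2_hat = ntt(gauss_poly(rng, sigma)), ntt(gauss_poly(rng, sigma))
    p_hat = [(x - y) % Q for x, y in zip(r1_hat, pointwise(a_hat, r2_hat))]
    return (a_hat, p_hat), r2_hat

def encrypt(pk, bits, rng, sigma=SIGMA):
    """c1 = a*e1 + e2, c2 = p*e1 + e3 + encode(m): three forward NTTs, no inverse."""
    a_hat, p_hat = pk
    e1_hat, e2_hat = ntt(gauss_poly(rng, sigma)), ntt(gauss_poly(rng, sigma))
    e3 = gauss_poly(rng, sigma)
    e3m_hat = ntt([(e + bit * (Q // 2)) % Q for e, bit in zip(e3, bits)])  # bit 1 -> q/2
    return add(pointwise(a_hat, e1_hat), e2_hat), add(pointwise(p_hat, e1_hat), e3m_hat)

def decrypt_raw(sk, ct):
    """c1*r2 + c2 = r1*e1 + r2*e2 + e3 + encode(m): one pointwise product, one INTT."""
    c1_hat, c2_hat = ct
    return intt(add(pointwise(c1_hat, sk), c2_hat))

def decode(v):
    # a coefficient closer to q/2 than to 0 decodes to 1
    return [1 if abs(x - Q // 2) < min(x, Q - x) else 0 for x in v]

def decrypt(sk, ct):
    return decode(decrypt_raw(sk, ct))

def noise_margin(sk, ct, bits):
    """Largest |noise| coefficient the decoder sees; a bit flips once its noise
    exceeds q/4, which is the decryption-error pitfall mentioned in the talk."""
    v = decrypt_raw(sk, ct)
    return max(abs((x - bit * (Q // 2) + Q // 2) % Q - Q // 2) for x, bit in zip(v, bits))

if __name__ == "__main__":
    rng = random.Random(2015)
    pk, sk = keygen(rng)
    bits = [rng.randrange(2) for _ in range(N)]
    ct = encrypt(pk, bits, rng)
    print("decrypted correctly:", decrypt(sk, ct) == bits)
    print("max |noise| =", noise_margin(sk, ct, bits), "; threshold q/4 =", Q // 4)
```

The transform is verified by the round trip `intt(ntt(a)) == a` and by multiplying with x, which must rotate the coefficients by one position and negate the one that wraps around. The decryption noise r1*e1 + r2*e2 + e3 is a sum of 2n products of Gaussians, so its standard deviation grows with sqrt(n) and sigma squared; with these parameters it is a few hundred against a threshold of 1920, which is why decryption errors are rare but not negligible, and why a change of sigma or n has to be checked against the error rate and not only against the security estimate.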
36
Outline (section: Optimization of the NTT)
37
Optimization of NTT Computation (slides 37 to 41; diagrams)
Code will be made available: https://www.sha.rub.de/research/projects/lattice/
42
Optimization of NTT Computation (comparison: textbook vs. our work (*))
We save several steps compared to the straightforward approach
Almost no additional cost (if we store the twiddle factors)
– No multiplication by one in the first stage anymore
– Can be mitigated by using lookup tables if the coefficients of e are small
(*) FFT people probably know most of these tricks
43
Optimization of NTT Computation (continued)
44
Ring-LWE Encryption on ATxmega
Moderate performance impact of the larger parameter set
Very fast decryption
Some pitfalls in practice (the scheme is only CPA-secure, and decryption errors can occur)
45
Ring-LWE Encryption on ATxmega
Schoolbook was 12 million (for comparison)
Code size is not increased much
The sampler is the bottleneck now
[POG15] High-Performance Ideal Lattice-Based Cryptography on 8-bit ATxmega Microcontrollers, Thomas Pöppelmann, Tobias Oder, and Tim Güneysu, to appear in Latincrypt'15
46
Ring-LWE Encryption on FPGA
The NTT is very fast but still quite small
Lots of improvement since [GFS+12]
47
Future Work
Cryptanalysis
Protection against all forms of side channels (timing, power, EM)
Another look at original NTRU
Performance improvements
– Talk to signal processing people about efficient implementation of the NTT
– Evaluate more algorithms for polynomial multiplication
48
Augment Cryptanalysis with Side Channels
SPA on RSA (power trace) next to a sketched SPA on a Gaussian sampler (obviously not measured): trace segments labelled small, large, zero, small. A sampler whose running time or power consumption depends on the value it produces leaks that value.
49
Questions?
Code: https://www.sha.rub.de/research/projects/lattice/
Thanks to Tobias Oder and Tim Güneysu