
Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware

Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware. SAC 2013, Burnaby, Canada. Thomas Pöppelmann and Tim Güneysu Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany. Agenda. Introduction Ring-LWE Encryption Lattice Processor Results


Presentation Transcript


  1. Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware. SAC 2013, Burnaby, Canada. Thomas Pöppelmann and Tim Güneysu, Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany

  2. Agenda • Introduction • Ring-LWE Encryption • Lattice Processor • Results • Conclusion

  3. Motivation
     • Advantages of lattices:
        • Post-quantum security
        • Security proofs
        • Versatility
     • Goal of this work:
        • Provide a simple and reusable hardware building block
        • Starting point to solve more advanced implementation problems
        • Make source code available
        • Deal with aspects important in practice
           • Ciphertext expansion
           • Error rate

  4. Agenda • Introduction • Ring-LWE Encryption • Lattice Processor • Results • Conclusion

  5. Recap: Ideal Lattices
     • Ideal lattices correspond to ideals in the ring with being a power of two and being a prime such that (*)
     • Introduces algebraic structure into previously random lattices – no serious advantage for attackers so far
     • Most standard lattice problems have an ideal lattice counterpart
     • Polynomial multiplication is the basic operation
     • Runtime ) when using the number theoretic transform (NTT)
     • with
     • Ring-LWE problem requires to distinguish whether samples are with or uniformly random
     • Decisional problem as hard as search
     • is a small discrete Gaussian distribution
     (*) Other choices are also possible but this one has emerged as standard for security and efficiency.

  6. LWE-Encryption
     Enc(): Ciphertext:
     Dec(): Output
     Gen: Choose ,. Compute x + x + + x +
     [LP11] Richard Lindner, Chris Peikert: Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA 2011

  7. LWE-Encryption
     • Parameters: 128-bit CPA security (n=256, q=7681, =11.32)
        • Approx. 1600 bit secret key
        • 3328 bit public key
        • Message expansion factor 26
     • Encoding/Decoding: Small noise still present after decryption
        • One message bit is encoded into one coefficient of the polynomial (q/2)
        • May fail with low probability
     • Optimization
        • Use different encoding
        • Remove some LSBs of ciphertext coefficients

  8. Agenda • Introduction • Ring-LWE Encryption • Lattice Processor • Results • Conclusion

  9. Reconfigurable Hardware (FPGA)
     • Field Programmable Gate Array (FPGA)
     • A chip containing programmable logic blocks
     • Logic blocks are connected by a configurable interconnect
     • Limited number of dedicated "hard-cores" like block memory or embedded multipliers (DSPs) are available
     • Hardware is inherently parallel
     • Time vs. area

  10. The Challenge
     • Ring-LWE encryption and also other schemes (e.g., signature schemes) basically just require polynomial arithmetic
     • So far results are only available for polynomial multiplication
     • Temporary values have to be stored
     • Operations for addition and subtraction are necessary
     • An easy interface is required
     Solution: Build a lattice processor/micro-code engine

  11. Lattice Processor
     • Supports any power of two and prime satisfying
     • Configurable amount of registers (register = polynomial)
     • Discrete Gaussian sampler using the inverse transform method
     • Instruction set (simplified):
        • NTT: Perform NTT on register ( cycles)
        • PW_MUL: Point-wise multiplication of two polynomials ( cycles)
        • INTT: Perform inverse NTT on register ( cycles)
        • ADD: Add two polynomials ( cycles)
        • SUB: Subtract two polynomials ( cycles)
        • MOV: Transfer polynomial or obtain polynomial from the sampler

  12. Lattice Processor

  13. Optimizing Encryption
     Key Generation
     • ,. Compute
     • =NTT (), =NTT (),
     Encryption
     • NTT ()
     Note: Straightforward version would require at least two multiplications: 3+6n
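
The scheme outlined on slides 6, 7 and 13, as an added Python example; it is not taken from the slides or from the authors' VHDL. The slide formulas did not survive extraction, so it follows the [LP11] scheme as usually stated (p = r1 - a*r2, c1 = a*e1 + e2, c2 = p*e1 + e3 + encode(m)) with keys kept in the NTT domain; reading 11.32 as the Gaussian parameter s, the tail cut `TAIL` and all function names are assumptions.

```python
import bisect, math, random

N, Q, S, TAIL = 256, 7681, 11.32, 48   # n, q from the slides; S, TAIL are assumptions
# psi: primitive 2N-th root of unity mod Q (exists because 2N divides Q-1)
PSI = next(p for p in (pow(g, (Q - 1) // (2 * N), Q) for g in range(2, Q))
           if pow(p, N, Q) == Q - 1)
PSI_POW = [pow(PSI, i, Q) for i in range(N)]
PSI_INV = [pow(PSI, -i, Q) for i in range(N)]          # needs Python 3.8+
N_INV, W, W_INV = pow(N, -1, Q), PSI * PSI % Q, pow(PSI, -2, Q)
_RHO = [math.exp(-math.pi * x * x / S ** 2) for x in range(-TAIL, TAIL + 1)]
CDF = [sum(_RHO[:i + 1]) / sum(_RHO) for i in range(len(_RHO))]

def _fft(a, w):                      # recursive radix-2 cyclic NTT, O(n log n)
    if len(a) == 1:
        return a
    even, odd = _fft(a[0::2], w * w % Q), _fft(a[1::2], w * w % Q)
    out, t, h = [0] * len(a), 1, len(a) // 2
    for i in range(h):
        out[i], out[i + h] = (even[i] + t * odd[i]) % Q, (even[i] - t * odd[i]) % Q
        t = t * w % Q
    return out

def ntt(a):                          # NTT: weight by psi^i so products wrap mod x^n + 1
    return _fft([x * p % Q for x, p in zip(a, PSI_POW)], W)
def intt(a):                         # INTT: undo transform, weights and the factor n
    return [x * p % Q * N_INV % Q for x, p in zip(_fft(a, W_INV), PSI_INV)]
def pw_mul(a, b): return [x * y % Q for x, y in zip(a, b)]
def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def gauss(rng):                      # inverse transform: uniform u -> first CDF entry >= u
    return [(bisect.bisect_left(CDF, rng.random()) - TAIL) % Q for _ in range(N)]

def keygen(rng):
    a_hat = [rng.randrange(Q) for _ in range(N)]       # uniform a, drawn in the NTT domain
    r1_hat, r2_hat = ntt(gauss(rng)), ntt(gauss(rng))
    return (a_hat, sub(r1_hat, pw_mul(a_hat, r2_hat))), r2_hat   # p = r1 - a*r2

def encrypt(pk, bits, rng):
    e1_hat, e2, e3 = ntt(gauss(rng)), gauss(rng), gauss(rng)
    m_bar = [b * (Q // 2) for b in bits]               # one bit per coefficient: 0 or q/2
    c1 = add(intt(pw_mul(pk[0], e1_hat)), e2)          # c1 = a*e1 + e2
    return c1, add(add(intt(pw_mul(pk[1], e1_hat)), e3), m_bar)  # c2 = p*e1 + e3 + m_bar

def decrypt(r2_hat, ct):             # c1*r2 + c2 = m_bar + small noise; threshold at q/4
    m = add(intt(pw_mul(ntt(ct[0]), r2_hat)), ct[1])
    return [1 if Q // 4 < x < 3 * Q // 4 else 0 for x in m]

def bit_errors(seed=1):              # round trip on constructed random input
    rng = random.Random(seed)
    (pk, sk), bits = keygen(rng), [rng.randrange(2) for _ in range(N)]
    return sum(x != y for x, y in zip(bits, decrypt(sk, encrypt(pk, bits, rng))))
```

With these parameters `bit_errors` is usually 0, but the accumulated noise can occasionally push a coefficient across the q/4 threshold, which is the low-probability decryption failure slide 7 mentions.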

  14. Agenda • Introduction • Ring-LWE Encryption • Lattice Processor • Results • Conclusion

  15. Results
     • Implemented encryption scheme on Spartan-6 and Virtex-6 for medium security (n=256, q=7681) and high security (n=512, q=12289)
     • Core supports encryption, decryption and key generation
     • Gaussian sampler is bounded with relatively low precision

  16. Performance and Resources • Post-place-and-route performance on a Virtex-6 LX75T FPGA.

  17. Comparison with Previous Work
     • Compared to previous implementation by Göttert et al. from CHES 2012
        • Three times slower
        • Up to 60 times lower area
     • While speed is important, the design has to fit onto reasonably sized FPGAs
     • Hardware allows parallel placement to make up for lower speed
     • Higher flexibility with one general purpose core (Gen/Enc/Dec)
     [Göttert et al.] Norman Göttert, Thomas Feller, Michael Schneider, Johannes Buchmann, Sorin A. Huss: On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes. CHES 2012

  18. Comparison with Other Schemes

  19. Agenda • Introduction • Ring-LWE Encryption • Lattice Processor • Results • Conclusion

  20. Future Work and Conclusion
     Conclusion
     • Flexible building block for a large number of applications in ideal lattice-based cryptography
     • Source code (VHDL) of the encryption scheme/lattice processor available for evaluation at http://www.sha.rub.de/research/projects/lattice/
     Future Work
     • Side-channel evaluation
     • Bimodal Lattice Signature Scheme (BLISS), Crypto 2013
     • Performance and resource optimization
     • Implementation and acceleration of high-level constructions like homomorphic encryption or IBE

  21. Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware. SAC 2013, Burnaby, Canada. Thomas Pöppelmann and Tim Güneysu, Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany • Thank You for Your Attention! • Any Questions?
