Transcript slides - SAC 2013

Towards Practical Lattice-Based Public-Key
Encryption on Reconfigurable Hardware
SAC 2013, Burnaby, Canada
Thomas Pöppelmann and Tim Güneysu
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
14. Aug. 2013
Agenda
•
•
•
•
•
Introduction
Ring-LWE Encryption
Lattice Processor
Results
Conclusion
14. Aug. 2013
2
Motivation
• Advantages of lattices:
– Post-quantum security
– Security proofs
– Versatility
• Goal of this work:
– Provide a simple and reusable hardware building block
• Starting point to solve more advanced implementation problems
• Make source code available
– Deal with aspects important in practice
• Ciphertext expansion
• Error rate
14. Aug. 2013
3
Agenda
•
•
•
•
•
Introduction
Ring-LWE Encryption
Lattice Processor
Results
Conclusion
14. Aug. 2013
4
Recap: Ideal Lattices
• Ideal lattices correspond to ideals in the ring R = 𝑍𝑞 𝑥 / 𝑥 𝑛 + 1 with 𝑛
being a power of two and 𝑞 being a prime such that 𝑞 = 1 mod 2𝑛 (*)
– Introduces algebraic structure into previously random lattices – no serious
advantage for attackers so far
– Most standard lattice problems have an ideal lattice counterpart
• Polynomial multiplication is the basic operation
– Runtime 𝛰(𝑛 log(𝑛)) when using the number theoretic transform (NTT)
– 𝑎 ∗ 𝑏 = INTT NTT 𝑎 ∘ NTT 𝑏 with 𝑎, 𝑏 ∈ 𝑅
• Ring-LWE problem requires to distinguish whether samples
𝑎1 , 𝑡1 , … 𝑎𝑚 , 𝑡𝑚 are 𝑡𝑖 = 𝑎𝑠𝑖 + 𝑒𝑖 with 𝑎, 𝑠𝑖 ∈ 𝑅, 𝑒𝑖 ← 𝐷𝜎 or uniformly
random
– Decisional problem as hard as search
– 𝐷𝜎 is a small discrete Gaussian distribution
(*) Other choices are also possible but this one has emerged as standard for security and efficiency.
14. Aug. 2013
5
LWE-Encryption
Gen: Choose 𝑎 ← 𝑅 and 𝑟1 , 𝑟2 ← 𝐷𝜎 . Compute 𝑝 = 𝑟1 − 𝑎 ⋅ 𝑟2 ∈ R
𝑛 ): 𝑒 , 𝑒 , 𝑒
1 2 3
Enc(𝑎, 𝑝, 𝑚 ∈ 0,1
← 𝐷𝜎 .
𝑚 = 𝑒𝑛𝑐𝑜𝑑𝑒 𝑚 . Ciphertext:
[𝑐1 = 𝑎 ⋅ 𝑒1 +𝑒2 , 𝑐2 = 𝑝 ⋅ 𝑒1 +𝑒3 + 𝑚]
𝑎
x
+
𝐷𝜎
𝐷𝜎
𝑝
x
𝑚
Dec(𝑐 = [𝑐1 , 𝑐2 ], 𝑟2 ): Output
𝑑𝑒𝑐𝑜𝑑𝑒(𝑐1 ⋅ 𝑟2 +𝑐2 )
𝑐1
𝑐1
𝐷𝜎
+
+
𝑐2
𝑒𝑛𝑐𝑜𝑑𝑒
x
+
𝑟1
𝑐2
𝑑𝑒𝑐𝑜𝑑𝑒
𝑚
[LP11] Richard Lindner, Chris Peikert: Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA
2011
14. Aug. 2013
6
LWE-Encryption
• Parameters: 128-bit CPA security (𝑛=256,𝑞=7681,𝑠=11.32)
– Approx. 1600 bit secret key
– 3328 bit public key
– Message expansion factor 26
• Encoding/Decoding: Small noise 𝑒1 𝑟1 + 𝑒2 𝑟2 + 𝑒3 still present
after decryption
– One message bit is encoded into one coefficient of the
polynomial 𝑚 (0 ⇒ 0, 1 ⇒ q/2)
– May fail with low probability
• Optimization
– Use different encoding
– Remove some LSBs of ciphertext coefficients
14. Aug. 2013
7
Agenda
•
•
•
•
•
Introduction
Ring-LWE Encryption
Lattice Processor
Results
Conclusion
14. Aug. 2013
8
Reconfigurable Hardware (FPGA)
• Field Programmable Gate Array
(FPGA)
– A chip containing programmable
logic blocks
– Logic blocks are connected by a
configurable interconnect
– Limited number of dedicated
„hard-cores“ like block memory or
embedded multipliers (DSPs) are
available
• Hardware is inherently parallel
– Time vs. area
14. Aug. 2013
9
The Challenge
• Ring-LWE encryption and also other schemes (e.g.,
signature schemes) basically just require polynomial
arithmetic
– So far results are only available for polynomial
multiplication
– Temporary values have to be stored
– Operations for addition and subtraction are necessary
– An easy interface is required
Solution: Build a lattice processor/micro-code engine
14. Aug. 2013
10
Lattice Processor
• Supports any power of two 𝑛 > 64 and prime 𝑞 satisfying 1 =
𝑞 mod 2𝑛
• Configurable amount of registers (register = polynomial)
• Discrete Gaussian sampler using the inverse transform method
• Instruction set (simplified):
–
–
–
–
–
–
𝑛
NTT: Perform NTT on register ( log(𝑛) cycles)
2
PW_MUL: Point-wise multiplication of two polynomials (𝑛 cycles)
𝑛
INTT: Perform inverse NTT on register ( log(𝑛) cycles)
2
ADD: Add two polynomials (𝑛 cycles)
SUB: Subtract two polynomials (𝑛 cycles)
MOV: Transfer polynomial or obtain polynomial from the sampler
14. Aug. 2013
11
Lattice Processor
14. Aug. 2013
12
Optimizing Encryption
Key Generation
1. 𝑟1 , 𝑟2 ← 𝐷𝜎 . Compute 𝑝 = 𝑟1 − 𝑎 ⋅ 𝑟2 ∈ R
2. 𝑎= NTT (𝑎), 𝑝= NTT (𝑝),
Encryption
1. 𝑒1 , 𝑒2 , 𝑒3 ← 𝐷𝜎
2.
3.
4.
5.
𝑒1 = NTT ( 𝑒1 )
ℎ1 = 𝑎 ∘ 𝑒1
ℎ2 = 𝑝 ∘ 𝑒1
6.
𝑐2 = INTT ℎ2 + 𝑒3 + 𝑒𝑛𝑐𝑜𝑑𝑒(𝑚)
𝑐1 = INTT ℎ1 + 𝑒2
Note: Straightforward version would require
at least two multiplications: 3𝑛 log 𝑛 +6n
14. Aug. 2013
3𝑛
1
𝑛
2
log(n) + 2𝑛
𝑛
𝑛
1
𝑛 log(𝑛) + 2𝑛
2
1
𝑛 log 𝑛 + 3𝑛
2
3
= 𝑛 log 𝑛 + 12𝑛
2
13
Agenda
•
•
•
•
•
Introduction
Ring-LWE Encryption
Lattice Processor
Results
Conclusion
14. Aug. 2013
14
Results
• Implemented encryption scheme on Spartan-6 and
Virtex-6 for medium security (n=256,q=7681) and
high security (n=512, q=12289)
• Core supports encryption, decryption and key
generation
• Gaussian sampler is bounded with relatively low
precision
14. Aug. 2013
15
Performance and Resources
Post-place-and-route performance on a Virtex-6 LX75T FPGA.
14. Aug. 2013
16
Comparison with Previous Work
•
Compared to previous implementation by Göttert et al. from CHES 2012
– Three times slower
– Up to 60 times lower area
•
While speed is important the design has to fit onto a reasonably sized FPGAs
– Hardware allows parallel placement to make up for lower speed
•
Higher flexibility with one general purpose core (Gen/Enc/Dec)
[Göttert et al.] Norman Göttert, Thomas Feller, Michael Schneider, Johannes Buchmann,
Sorin A. Huss: On the Design of Hardware Building Blocks for Modern Lattice-Based
Encryption Schemes. CHES 2012
14. Aug. 2013
17
Comparison with Other Schemes
14. Aug. 2013
18
Agenda
•
•
•
•
•
Introduction
Ring-LWE Encryption
Lattice Processor
Results
Conclusion
14. Aug. 2013
19
Future Work and Conclusion
Conclusion
• Flexible building block for a large number of applications in
ideal lattice-based cryptography
• Source code (VHDL) of the encryption scheme/lattice
processor available for evaluation at
http://www.sha.rub.de/research/projects/lattice/
Future Work
• Side-channel evaluation
• Bimodal Lattice Signature Scheme (BLISS), Crypto 2013
• Performance and resource optimization
• Implementation and acceleration of high-level constructions
like homomorphic encryption or IBE
14. Aug. 2013
20
Towards Practical Lattice-Based Public-Key
Encryption on Reconfigurable Hardware
SAC 2013, Burnaby, Canada
Thomas Pöppelmann and Tim Güneysu
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
14. Aug. 2013
Thank You for Your Attention!
Any Questions?