Thomas Pöppelmann, Hardware Security Group, Horst Görtz Institute for IT...
TRANSCRIPT
- Slide 1
- Thomas Pöppelmann, Hardware Security Group, Horst Görtz Institute for IT Security. 05.06.2015. Implementing Lattice-Based Cryptography on Embedded Devices. Summer school on real-world crypto and privacy.
- Slide 2
- Outline: Motivation; Ring-learning with errors (RLWE); Public-key encryption based on RLWE; Area-optimized implementation; High-performance implementation
- Slide 3
- Outline: Motivation; Ring-learning with errors (RLWE); Public-key encryption based on RLWE; Area-optimized implementation; High-performance implementation
- Slide 4
- Why Implementation of Lattices?
  - Why focus on lattice-based cryptography?
  - We can get signatures and public key encryption out of lattices and also more (IBE, FHE)
  - A lot of development on theory side; schemes are getting better and better
  - Implementation of lattices is a young field; only done for 3-4 years now (except for NTRU)
- Slide 5
- Implementation
  - Conditions that have to be met for implementation
    - Parameters, parameters, parameters
    - Security level should be known
  - What are the goals?
    - Throughput, latency, and power/energy
    - Code size/area (drives costs)
    - Small key, ciphertext, and signature size
  - Cross-disciplinary work and interaction between engineers and cryptographers required
  - Parameter selection and design decisions can make schemes more efficient but also weaker
- Slide 6
- To be Ideal or not Ideal? (Random Lattices vs. Ideal Lattices)
  - Two important lines of research: random lattices and ideal lattices
  - Big impact on implementation (theory not that much)
  - Security for random lattices is better understood (ideal lattices are more structured)
  - Implementation of random lattice signatures: High-speed signatures from standard lattices, Özgür Dagdelen, Rachid El Bansarkhani, Florian Göpfert, Tim Güneysu, Tobias Oder, Thomas Pöppelmann, Ana Helena Sánchez, Peter Schwabe, Latincrypt '14
- Slide 7
- Outline: Motivation; Ring-learning with errors (RLWE); Public-key encryption based on RLWE; Area-optimized implementation; High-performance implementation
- Slide 8
- Learning with Errors: solving of a system of linear equations. [Figure: matrix equation with a vector labelled "secret".] Blue is given; find (learn) red => solve linear system. Use Gaussian elimination. (slides stolen from talk by Douglas Stebila at RWC15)
- Slide 9
- Learning with Errors: solving of a system of linear equations. [Figure: matrix equation with labels "secret", "random", "small noise", "looks random".] Blue is given; find red => learning with errors. (slides stolen from talk by Douglas Stebila at RWC15)
- Slide 10
- (Ring) Learning with Errors: from learning with errors to ring-learning with errors. [Figure: matrix.] Only one line has to be stored.
- Slide 11
- Ring Learning with Errors. [Figure labels: random; small secret (Gaussian); small error (Gaussian); random.]
- Slide 12
- Ring Learning with Errors. [Figure labels: random; small secret (Gaussian); small error (Gaussian); random.]
- Slide 15
- Discrete Gaussian Distribution. [Figure labels: Uniform; Gaussian e.] Uniform * Gaussian = Uniform; Gaussian * Gaussian = larger Gaussian.
- Slide 16
- Gaussian Sampling: Options
  - Rejection Sampling
  - Bernoulli Sampling
  - Knuth-Yao Sampling
  - Cumulative Distribution Table (CDT) Sampling
  - [DG14] Efficient sampling from discrete Gaussians for lattice-based cryptography on a constrained device, Dwarakanath and Galbraith, Applicable Algebra in Engineering, Communication and Computing, 2014
  - [DDLL14] Lattice Signatures and Bimodal Gaussians, Léo Ducas and Alain Durmus and Tancrède Lepoint and Vadim Lyubashevsky, CRYPTO '13
- Slide 17
- Outline: Motivation; Ring-learning with errors (RLWE); Public-key encryption based on RLWE; Area-optimized implementation; High-performance implementation
- Slide 18
- Ring-LWE Encryption: Scheme [LP11/LPR10]. 14. Aug. 2013. [Figure: scheme diagram with labels "large" and "small".]
- Slide 19
- Ring-LWE Encryption: Parameters
- Slide 20
- Ring-LWE Encryption: Parameters
- Slide 21
- Outline: Motivation; Ring-learning with errors (RLWE); Public-key encryption based on RLWE; Area-optimized implementation; High-performance implementation
- Slide 22
- Simple Implementation of RLWE-Encryption

```c
void encrypt(poly a, poly p, unsigned char * plaintext, poly c1, poly c2) {
  int i,j;
  poly e1,e2,e3;
  gauss_poly(e1);
  gauss_poly(e2);
  gauss_poly(e3);
  poly_init(c1, 0, n); // init with 0
  poly_init(c2, 0, n); // init with 0
  for(i = 0;i < n; i++){ // multiplication loops
    for(j = 0; j < n; j++){
      // terms that wrap past x^n change sign (reduction modulo x^n + 1)
      c1[(i + j) % n] = modq(c1[(i + j) % n] + (a[i] * e1[j] * (i+j>=n ? -1 : 1)));
      c2[(i + j) % n] = modq(c2[(i + j) % n] + (p[i] * e1[j] * (i+j>=n ? -1 : 1)));
    }
    c1[i] = modq(c1[i] + e2[i]);
    c2[i] = (plaintext[i>>3] & (1
```
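A complete key generation, encryption and decryption round trip for the Ring-LWE scheme this slide implements, as an added example that is not code from the talk; it goes beyond the slide by adding the key generation and decryption sides. Assumed here and not taken from the slides: n = 256, q = 7681, the names `keygen`, `decrypt`, `mul_add`, `small_poly` and `roundtrip_ok`, a toy LCG in place of a cryptographic RNG, and uniform noise in {-1, 0, 1} in place of the discrete Gaussian sampler.

```c
#include <stdint.h>
#include <string.h>
#define N 256   /* ring dimension (assumed, not from the slides) */
#define Q 7681  /* modulus (assumed, not from the slides) */
typedef int32_t poly[N];
static uint32_t rng_state = 1;  /* toy LCG so runs are reproducible; NOT a CSPRNG */
static uint32_t rnd(void) { rng_state = rng_state * 1664525u + 1013904223u; return rng_state >> 16; }
static int32_t modq(int64_t x) { int32_t r = (int32_t)(x % Q); return r < 0 ? r + Q : r; }
/* Stand-in for the slide's gauss_poly(): noise in {-1,0,1}, not a discrete Gaussian. */
static void small_poly(poly e) { for (int i = 0; i < N; i++) e[i] = (int32_t)(rnd() % 3) - 1; }
/* r = x*y + z in Z_q[x]/(x^N + 1); schoolbook product, wrapped terms change sign. */
static void mul_add(poly r, const poly x, const poly y, const poly z) {
    poly t = {0};
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++) {
            int k = (i + j) % N;
            t[k] = modq(t[k] + (int64_t)x[i] * y[j] * (i + j >= N ? -1 : 1));
        }
    for (int i = 0; i < N; i++) r[i] = modq((int64_t)t[i] + z[i]);
}
void keygen(poly a, poly p, poly r2) {  /* public key (a, p), secret key r2 */
    poly r1, neg_r2;
    small_poly(r1); small_poly(r2);
    for (int i = 0; i < N; i++) { a[i] = (int32_t)(rnd() % Q); neg_r2[i] = -r2[i]; }
    mul_add(p, a, neg_r2, r1);          /* p = r1 - a*r2 */
}
void encrypt(const poly a, const poly p, const uint8_t *msg, poly c1, poly c2) {
    poly e1, e2, e3;
    small_poly(e1); small_poly(e2); small_poly(e3);
    for (int i = 0; i < N; i++)         /* encode bit i as 0 or q/2 */
        if (msg[i >> 3] & (1 << (i & 7))) e3[i] += Q / 2;
    mul_add(c1, a, e1, e2);             /* c1 = a*e1 + e2 */
    mul_add(c2, p, e1, e3);             /* c2 = p*e1 + e3 + encode(msg) */
}
void decrypt(const poly c1, const poly c2, const poly r2, uint8_t *msg) {
    poly m;
    mul_add(m, c1, r2, c2);             /* = encode(msg) + e1*r1 + e2*r2 + e3 */
    memset(msg, 0, N / 8);
    for (int i = 0; i < N; i++)         /* nearer q/2 than 0 => bit 1 */
        if (m[i] > Q / 4 && m[i] < 3 * Q / 4) msg[i >> 3] |= (uint8_t)(1 << (i & 7));
}
int roundtrip_ok(uint32_t seed) {       /* 1 if a random 32-byte message survives */
    poly a, p, r2, c1, c2; uint8_t msg[N / 8], out[N / 8];
    rng_state = seed;
    for (int i = 0; i < N / 8; i++) msg[i] = (uint8_t)rnd();
    keygen(a, p, r2); encrypt(a, p, msg, c1, c2); decrypt(c1, c2, r2, out);
    return memcmp(msg, out, N / 8) == 0;
}
int main(void) { return roundtrip_ok(1) ? 0 : 1; }
```

With these assumed parameters the residual noise e1*r1 + e2*r2 + e3 is at most 513 in absolute value per coefficient, below the q/4 decoding threshold, so decryption never fails here; a Gaussian sampler only makes failure improbable, and the schoolbook loop is not constant-time.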