Compact Ring LWE Cryptoprocessor

Transcription

1 1 Compact Ring LWE Cryptoprocessor CHES 2014 Sujoy Sinha Roy 1, Frederik Vercauteren 1, Nele Mentens 1, Donald Donglong Chen 2 and Ingrid Verbauwhede 1 1 ESAT/COSIC and iminds, KU Leuven 2 Electronic Engineering, City University of Hong Kong

2 Outline 2 Introduction to the ring-lwe problem and an encryption scheme Our optimization techniques Architecture of the ring-lwe Cryptoprocessor Results Conclusions

3 Modern Public Key Schemes 3 Modern public-key schemes RSA difficulty of factoring problem DSA/ECDSA difficulty of Discrete Logarithm problem Intractable using classical computers Threat Quantum computers destroy RSA, DSA and ECDSA

4 The Ring-LWE Problem 4 Defined over a ring A polynomial is chosen uniformly The secret is a fixed polynomial An error polynomial is sampled from Compute The ring-lwe distribution on consists of tuples Search ring-lwe problem: given many samples, find secret

5 5 Ring-LWE : Encryption Scheme

6 The Encryption Scheme : Key Generation 6 Key Generation : Choose two polynomials Compute The secret key is The public key is

7 7 The Encryption Scheme : Encryption/Decryption Encryption Input message m encoded to polynomial : Choose with coefficients from Ciphertext Decryption Decoding compares the decrypted message coefficients

8 LWE Cryptosystem : Block Level Diagram 8 Polynomials have 256 or 512 coefficients and each coefficient is 13 or 14 bit Standard deviation is small (less than 5)

9 Roadmap to Implementation 9 Ring-LWE based encryption Primitives Discrete Gaussian Sampler Polynomial Multiplier Full cryptosystem Discrete Gaussian sampler architecture ---- (Presented in SAC 2013) Knuth-Yao random walk High Precision Discrete Gaussian Sampling on FPGAs, SAC 2013

10 10 Polynomial Multiplication

11 Polynomial Multiplication Algorithms 11 Schoolbook multiplication : complexity n 2 Karatsuba multiplication : complexity n FFT based multiplication : complexity (n log n) Number Theoretic Transform (NTT) is a generalization of FFT n-th primitive root of unity in Involves integer arithmetic modulo q

12 Polynomial Multiplication : NTT 12 Polynomial multiplication : 2n point NTT :

13 Polynomial Multiplication : NTT 13 Polynomial multiplication : 2n point NTT : Special optimization : where Negative-wrapped convolution : using n point NTT is a power of two and prime Scaling and Final scaling is required to compute c(x) from

14 14 The basic NTT Algorithm

15 The NTT Algorithm 15 Fixed Computation Cost

16 NTT Core 16 Pöppelmann et al. Latincrypt 2012

17 17 Our Target : Compact Architecture Minimize Memory Requirement

18 Optimization in Area 18 This increases computation cost!

19 19 Computational Optimizations

20 Optimization in Computation: Step 1 20 Pöppelmann et al. Latincrypt 2012 Our Aysu et al. HOST 2013 Reduction in fixed computation overhead

21 Optimization in Computation: Step 2 21 Forward negative wrapped NTT requires pre-scaling of the input polynomials where Our implementation is free from this pre-scaling Reduction in the pre-scaling overhead

22 22 Optimization in Computation: Step 2

23 Optimization in Computation: Step 2 23 Reduction in pre-scaling overhead

24 24 Optimization Step 3 : Memory Access Scheme

25 Memory Access : Motivation 1 25 Two coefficients are accessed from RAM One arithmetic operation is performed Two new coefficients are written in RAM Arithmetic blocks remains idle

26 Memory Access : Motivation 2 26 Xilinx BRAM Slice of 18Kb Width of words : 36 bits Depth of RAM : 512 Polynomials in LWE LWE256 : q= 7681 (13 bit) LWE512 : q= (14 bit) Two coefficients can be stored in one word

27 27 Our memory efficient NTT

28 Optimization : Memory Access 28 In this scheme Two coefficients are in one word Two pairs are processed together

29 Optimization : Memory Access 29 No idle cycles BRAM efficiency

30 Optimization : Ring-LWE Encryption Scheme 30 Pöppelmann, SAC 2013 Encryption Our Scheme Encryption Decryption Decryption #NTT = 5 #NTT = 4

31 31 The NTT Core

32 32 The NTT Core

33 33 Memory Efficient NTT

34 34 The NTT Core

35 35 The NTT Core

36 36 The NTT Core

37 37 The NTT Core

38 38 The NTT Core

39 39 The NTT Core

40 40 The NTT Core

41 41 The NTT Core

42 42 The NTT Core : Pipeline

43 The Ring-LWE Cryptoprocessor 43 Instruction Set LOAD ENCODE-LOAD GAUSSIAN-LOAD FNTT INTT ADD CMULT REARRANGE READ

44 44 Results

45 45 Our Ring-LWE Cryptoprocessor : Results on Virtex 6

46 46 Comparison with previous Ring-LWE Implementation 1 RLWE, Our Implementation 2 RLWE, Pöppelmann et al. SAC 2013

47 Comparison with ECC (ECIES) 47 1 RLWE, Our Implementation 2 ECC, Rebeiro et al. CHES 2012

48 Conclusions and Future Work 48 Conclusions Hardware implementation of an instruction-set ring-lwe processor Optimizations in the NTT Architecture level accelerations Best area-time performance Future Work Lattice based signature scheme and fully-homomorphic encryption Discrete Gaussian sampling Larger polynomial multiplier

49 49 Thank You

50 50

51 51 Backup Slides

52 52 Comparison with NTRU

53 Comparison with McEliece 53 1 RLWE, Our Implementation 2 McEliece Cryptosystem by Ghosh et al. IEEE TC, 2014

54 54 All Comparisons