Hardware Implementation of the Code-based Key Encapsulation Mechanism using Dyadic GS Codes (DAGS)

Transcription

1 Hardware Implementation of the Code-based Key Encapsulation Mechanism using Dyadic GS Codes (DAGS) Viet Dang and Kris Gaj ECE Department George Mason University Fairfax, VA, USA

2 Introduction to DAGS The first KEM using quasi-dyadic approach for Generalized Srivastava codes Achieve IND-CCA security by applying recent framework in Hofheinz et al. Shortish public and private keys Relatively efficient encapsulation and decapsulation algorithm 2

3 DAGS Sizes Parameter Set Public Key Size (in bytes) Private Key Size (in bytes) Ciphertext Size (in bytes) DAGS_1 6,760 2, DAGS_3 8,448 3, DAGS_5 11,616 6,336 1,616 3

4 DAGS Key Encapsulation Mechanism Alice Bob KEM.KeyGen (sk,pk) pk C KEM.Encaps(pk) (K,C) KEM.Decaps(sk) K Shared Key := K 4

5 Design Methodology Optimization for speed Minimum latency Maximum number of operations per second Key generation performed externally, e.g., in software No countermeasures against side-channel attacks Full compliance with the latest DAGS specification Single module for both Encapsulation and Decapsulation 5

6 GMU Hardware API 6

7 Design Methodology Language: VHDL Approach: Manual design based on specification & reference software implementation Verification: Simulation using test vectors generated using reference software implementation Simulator: Vivado Simulator Synthesis & Implementation: Vivado ver Target: FPGA Family: Xilinx Kintex-7 UltraSCALE Device: XCKU035-FFVA1156 Technology: 20nm CMOS FPGA Tool Option Optimization: Minerva (developed by GMU) 7

8 DAGS parameters Description DAGS_3 DAGS_5 n Code length k Code dimension w Number of errors l Shared secret length F q Base Field/ Subfield F 2 6 F 2 6 F q m Extension Field F 2 12 F

9 Multiplication in Extension Field Reduce extension field multiplication to base field multiplication p, q ε GF 2 12, a 1, b 1, a 2, b 2 ε GF 2 6 ቊ p = a 1x + b 1 q = a 2 x + b 2 p q = a 1 x + b 1 a 2 x + b 2 mod x 2 + α 65 x + α 65 = = x a 1 a 2 α 65 + a 1 b 2 + a 2 b 1 + a 1 a 2 α 65 + b 1 b 2 α 65 = γ a primitive element in base field 9

10 Multiplication in Extension Field p q = x a 1 a 2 α 65 + a 1 b 2 + a 2 b 1 + a 1 a 2 α 65 + b 1 b 2 Resources used: 4 MUL, 1 CMUL, 3 ADD Critical path: 1 MUL + 1 CMUL + 1 ADD 10

11 Direct Inversion in Extension Field Direct inversion: reduces extension field inversion to subfield inversion. p, q ε GF 2 12, a 1, b 1, a 2, b 2 ε GF 2 6 q = p 1 ቊ p = a 1x + b 1 q = a 2 x + b 2 p q = a 1 x + b 1 a 2 x + b 2 mod x 2 + α 65 x + α 65 = 1 a 2 = a 1 α 65 a b 1 α 65 a 1 + b 1 1 b 2 = (α 65 a 1 + b 1 ) α 65 a b 1 α 65 a 1 + b

12 Direct Inversion in Extension Field a 2 = a 1 α 65 a b 1 α 65 a 1 + b 1 1 b 2 = (α 65 a 1 + b 1 ) α 65 a b 1 α 65 a 1 + b 1 1 Resources used: 1 INV, 3 MUL, 1 CMUL, 2 ADD Critical path: 1 CMUL + 1 ADD +1 MUL + 1 ADD + 1 INV + 1 MUL 12

13 Encapsulation K k Shared Key l bytes RAND k k k k G H k k k k Error Gen k n + n n n+k DAGS_3 DAGS_5 n k k k w l G, H SHA-3 Extendable Output Function K SHA3-512 hash function 13

14 Generator Matrix G pub 14

15 G pub generator DAGS_3 DAGS_5 n s k ME: Matrix Expander 15

16 Dyadic Matrix Example M i j = S[i j] S = {S 0, S 1, S 2, S 3, S 4, S 5, S 6, S[7]} M = S 0 S 1 S 2 S 3 S 4 S 5 S 6 S[7] S 1 S 0 S 3 S 2 S 5 S 4 S 7 S[6] S 2 S 3 S 0 S 1 S 6 S 7 S 4 S[5] S 3 S 2 S 1 S 0 S 7 S 6 S 5 S[4] S 4 S 5 S 6 S 7 S 0 S 1 S 2 S[3] S 5 S 4 S 7 S 6 S 1 S 0 S 3 S[2] S 6 S 7 S 4 S 4 S 2 S 3 S 0 S[1] S 7 S 6 S 5 S 5 S 3 S 2 S 1 S[0] 16

17 Dyadic Matrix Expander Example In: {S 0, S 1, S 2, S 3, S 4, S 5, S 6, S[7]} Out: {S 2, S 3, S 0, S 1, S 6, S 7, S 4, S 5 } 17

18 Error Generation DAGS_3 DAGS_5 n k w L SHA-3 Extendable Output Function 18

19 Error Generator 19

20 Extendable-Output Function SHAKE: based on Keccak hash function Generalization of a cryptographic hash function with arbitrary output length. Modified Basic Iterative with Padding Design from GMU. 20

21 Decapsulation DAGS_3 DAGS_5 n k k k w l G, H SHA-3 Extendable Output Function K SHA3-512 hash function 21

22 Alternant Decoding Calculate syndrome polynomial S z from ciphertext and 2 vectors (Y and V) from private key Apply Extended Euclidean Algorithm to solve key equation, get σ z, ω(z) Evaluate σ z to get error position Evaluate ω(z) to get error value 22

23 Private Key Y = y 0 y 1 y 2 y n 1 V = v 0 v 1 v 2 v n 1 H = v 0 v 1 v n 1 2 v 0 2 v 1 2 v n 1 st 1 v 0 st 1 v 1 st 1 v n 1 y y y n 1 DAGS_3 DAGS_5 n s t

24 Syndrome Calculation S = H c = v 0 v 1 v n 1 2 v 0 2 v 1 2 v n 1 st 1 v 0 st 1 v 1 st 1 v n 1 y y y n 1 c 0 c 1 c 2 c n 1 S = s 0 s 1 s 2 s st 1 = σ n 1 i=0 y i c i σ n 1 i=0 y i c i v i n 1 2 y i c i v i σ i=0 n 1 st 1 y i c i v i σ i=0 S x = s st 1 z st 1 + s st 2 z st s 2 z 2 + s 1 z + s 0 24

25 Syndrome Calculation S = s 0 s 1 s 2 s st 1 = n 1 y i c i σ i=0 σ n 1 i=0 y i c i v i n 1 2 y i c i v i σ i=0 n 1 st 1 y i c i v i σ i=0 DAGS_3 DAGS_5 n s t

26 Solving key equation Find σ z : error locator polynominal ω z : error evaluator polynomial Key Equation: r z = S z u z mod z st with deg(r z ) st Calculate σ z = δ r z 2 and deg(u z ) st and ω (z) = δ u z 2 1 with st 2 = w with δ = r 0 = r 0 DAGS_3 DAGS_5 w s t

27 Extended Euclidean Algorithm q i z = r i 1 r i z z r i+1 z = r i 1 z + q i z r i z u i+1 z = u i 1 z + q i z u i z Termination: i q(z) r(z) u(z) 2 r 2 x = z st u 2 z = 0 1 deg(r i 1 z ) st q 1 x = zst S z 2 r 1 z = S(z) u 1 z = 1 0 q 0 (z) r 0 z u 0 (z) and deg(r i (z)) st 2 1 with st 2 = w 27

28 Polynomial Division = deg(r i 1 z ) deg(r i z ) t z = ldcoeff r i 1 z ldcoeff r i z 1 r i 1 z = r i 1 z + r i z t(z) 28

29 Polynomial Multiplication u i 1 z = u i 1 z + u i (z) q i,j z j 29

30 Polynomial Evaluation Root Finding Apply Chien search to evaluate σ x and ω(x) σ z = σ 0 + σ 1 z + σ 2 z σ st/2 z st/2 σ α i = σ 0 + σ 1 (α i ) + σ 2 (α i ) σ st/2 (α i ) st/2 = γ i,0 + γ i,1 + γ i,2 + + γ i,st/2 σ α i+1 = σ 0 + σ 1 (α i+1 ) + σ 2 (α i+1 ) σ st/2 (α i+1 ) st/2 = σ 0 + σ 1 α i α + σ 2 (α i ) 2 α σ st/2 (α i ) st/2 α st/2 = γ i,0 + γ i,1 α + γ i,2 α γ i,st/2 α st/2 30

31 Polynomial Evaluation Root Finding Chien search 31

32 Get Error Position and Value Error locator polynomial: st/2 σ z = (1 L i z) i=1 Evaluate error evaluator polynomial and get error value: ErrVal i = 1 ω V i Y i ς j i (1 V j V 1 i ) (i and j in range (0 to st/2)) 32

33 Tentative Result for DAGS_3 Software Hardware Speed Up Encapsulation 8,419,526 ns 78,318 ns Decapsulation 70,803,320 ns 1,034,085 ns 68.5 Software: Processor x64 Intel core with 16GiB of RAM compiled with GCC version Hardware: maximum frequency 43.2 MHz. 33

34 Timing Analysis of Encapsulation 34

35 Timing Analysis of Decapsulation 76.1 % 35

36 Implementation Results DAGS_3 Algorithm LUTs FFs Block Rams DAGS_3 189,213 (70.3%) 99,210 (16.0%) 3 Blocks LUTS FFs Block Rams Encoder/Decoder 142,724 65,002 2 Error Gen 17,069 17,058 1 Matrix Gen 20,453 4,

37 Conclusions First hardware implementation of DAGS scheme Fully compliant with the PQC Hardware API Hardware vs Software speed up of times for encapsulation and 68.5 times for decapsulation Needs improvement in maximum clock frequency and area Needs to be constant-time Our VHDL code will soon be made available as open-source 37

38 Acknowledgments Owners, inventors, developers and submitters of DAGS Gustavo Banegas 1, Paulo S. L. M. Barreto 2, Brice Odilon Boidje 3, Pierre Louis Cayrel 4, Gilbert Ndollane Dione 3, Kris Gaj 7, Cheikh Thiécoumba Gueye 3, Richard Haeussler 7, Jean Belo Klamti 3, Ousmane N diaye 3, Duc Tri Nguyen 7, Edoardo Persichetti 5, and Jefferson E. Ricardini 6 1 Technische Universiteit Eindhoven, The Netherlands 2 University of Washington Tacoma, USA 3 Université Cheikh Anta Diop, Dakar, Senegal 4 Laboratoire Hubert Curien, Saint Etienne, France 5 Florida Atlantic University, USA 6 Universidade de São Paulo, Brazil 7 George Mason University, USA Dr.Patrick Baier 38

39 Thank you! Questions? 39