Enhanced Lattice-Based Signatures on Reconfigurable Hardware

Size: px

Start display at page:

Download "Enhanced Lattice-Based Signatures on Reconfigurable Hardware"

Jessica Park
6 years ago
Views:

1 Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California, San-Diego, USA September 2014, CHES Workshop 1 / 23

2 Enhanced Lattice-Based Signatures on Reconfigurable Hardware 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 2 / 23

3 Lattice Based Cryptography Many theoretical advantages over ECC/RSA: Strong theoretical guarentee of hardness Resist known quantum algorithms Very versatile: PKE, Signatures, IBE, FHE... Asymptotically efficient O(n 2 ) or even O(n log n). In practice? Simple and very fast PKE (NTRU-Encrypt, LWE Encryption). Efficient signatures have been more problematic. 3 / 23

4 BLISS: An optimized Signature Scheme Signature without Trapdoors (Fiat-Shamir transform). [Lyu09] Fiat-Shamir with aborts ( 50Kbits) [Lyu12] Abort Rate improved using Gaussians ( 12Kbits) DDLL13] Abort Rate improved using Bimodal Gaussians ( 5Kbits) BLISS vs. ECDSA vs. RSA on Software Scheme. Security Sign Size Sign./s Ver./s BLISS-I 128 bits 5.5kbits 8k 33k RSA bits 2kbits 0.8k 27k RSA bits 4kbits 0.1k 7.5k ECDSA bits 512 bits 9.5k 2.5k BLISS [DDLL13] compared to OpenSSL implem. of RSA and ECDSA on x / 23

5 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id 5 / 23

6 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short w = Ay Z n 5 / 23

7 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short w = Ay Z n c Sample c Z k, short 5 / 23

8 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short z = y ± Sc Abort with proba. DZ,σ m (z)/m Dm Z,σ (z ± Sc) w = Ay Z n c z Sample c Z k, short Rejection probability is such that z D m Z,σ is independent from S. 5 / 23

9 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short z = y ± Sc Abort with proba. DZ,σ m (z)/m Dm Z,σ (z ± Sc) Check w = Ay Z n c z Sample c Z k, short that z is short, and Az = Tc + w mod q Rejection probability is such that z D m Z,σ is independent from S. 5 / 23

10 Hardware Implementation of BLISS The two costly steps are: 6 / 23

11 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) 6 / 23

12 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) Discrete Gaussian Sampling y DZ,σ m for large σ Needs high precision sampling (learning attacks) Long Floating Points Arith. [GPV08] Slow algorithms [DDLL13] Large tables/trees [DG14] 6 / 23

13 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) Discrete Gaussian Sampling y DZ,σ m for large σ Needs high precision sampling (learning attacks) Long Floating Points Arith. [GPV08] Slow algorithms [DDLL13] Large tables/trees [DG14] Most of our contributions deal with hardware implementation of Discrete Gaussian Sampling. 6 / 23

14 Algorithmic contributions to Gaussian samping We focus on the fastest method to sample Discrete Gaussian using Cumulative Distribution Tables (CDT). Operation: Binary search accelerated by guide tables Problem: Naïve implementation would require 42KB 7 / 23

15 Algorithmic contributions to Gaussian samping We focus on the fastest method to sample Discrete Gaussian using Cumulative Distribution Tables (CDT). Operation: Binary search accelerated by guide tables Problem: Naïve implementation would require 42KB We introduce two new techniques: Gaussian sampling by convolution Kullback-Leibler-divergence based security argument Our algorithm requires a table of 2.1KB, and is almost as fast 7 / 23

16 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 8 / 23

17 (Discrete) Gaussians convolutions A convolution of gaussians is a gaussian. 9 / 23

18 (Discrete) Gaussians convolutions And what about discrete Gaussians? 9 / 23

19 (Discrete) Gaussians convolutions Well, depending on the parameter... 9 / 23

20 (Discrete) Gaussians convolutions It may seem quite Gaussian. 9 / 23

21 Peikert s Convolution Theorem Lemma (Adapted from [Pei10]) Let x 1 D Z,σ1, x 2 D Z,σ2 and set σ3 2 = σ1 2 + σ2 2, and σ 2 = σ1 2 + σ2 2. If σ 1 ω( log n) and σ 3 k ω( log n), then: x 1 + kx 2 D Z,σ. Application to BLISS-I: We can sample two variables x 1, x 2 of deviation σ = 19.5 to obtain x = x x 2, of deviation σ = 215. Impact: Size of table is reduced from 42KB to 4.5KB. Running time is less than doubled (binary search is faster for σ ). 10 / 23

22 Kullback-Leibler divergence Definition (Kullback-Leibler Divergence) Let P and Q be distribution over S. The KL divergence, of Q from P is defined as: D KL (P Q) = ( ) P(i) ln P(i). Q(i) i S KL-divergence allows the same arguments as Statistical Distance: Fact (Addivity and Datta Processing inequality) D KL (P 0 P 1 Q 0 Q 1 ) = D KL (P 0 Q 0 ) + D KL (P 1 Q 1 ) for any function f : D KL (f (P) f (Q)) D KL (P Q) 11 / 23

23 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler : 0 1 n A 0 : B 0 Secure 12 / 23

24 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B / 23

25 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B 1 3 Statistical distance argument (B 1, B 1 +ɛ) = Θ(ɛ), (B 0, B 1 ) = Θ(1) n Θ(1/ɛ) 12 / 23

26 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B 1 3 KL-Divergence argument D KL (B 1 B 1 +ɛ) = Θ(ɛ2 ), D KL (B 0 B 1 ) = Θ(1) n Θ(1/ɛ 2 ) 12 / 23

27 Kullback-Leibler vs. Statistical distance: Rule of Thumb Averaged absolute error (P, Q) = 1 2 D KL Averaged squared relative error i P(i) Q(i) D KL (P Q) 2 P(i) Q(i) i P(i) 2 P(i). Limits of KL-divergence D KL is not symmetric Can be worse than (e.g. Tailcutting) Improvements only for reduction to Search Problems 13 / 23

28 Truncating Cumulative Distribution Table Full CDT / 23

29 Truncating Cumulative Distribution Table Truncating left-most zeros / 23

30 Truncating Cumulative Distribution Table Truncating right-most bits using KL-divergence / 23

31 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 15 / 23

32 FPGA Implementation of BLISS-I : CDT Sampler Trivium Trivium Trivium Uniform LIFO Ring Buffer 128x8 BinSearch i j Comparator max min Reverse Table:tR Address Exponents Table:tE Startt Table:tS Table:tT 1-1 RAM:tB 0:tttttttttt0 1:tttttttttt0 ''' 1992:tt :t198 x 1. x x Ring-buffer to store random numbers generated by Trivium instantiation Binary-search component operates on block RAM B Biggest challenge: Critical path of binary search 16 / 23

33 FPGA Implementation of BLISS-I : Signing PolyMul message Compute2U secret-key Rv R) temp( NTT R( RG ALU Decoder Gaussian FIFO sampler KBernoulli-or-CDT[ BRAM2U BRAM2Y/ BRAM2Y( Hash Ram2U Ram2M Keccak2f[(Fvv] ExtractPos Ram2Pos SparseMul Core2S/2( Core2S(2( Ram2S/ Ram2S( MAC MAC Core2S/2/ Core2S(2/ Ram2S/ Ram2S( MAC MAC Compression Z/ Compress Z( Rejection- Sampling Norm B expk xy f[ Scalar Trivium Z/ Z( reject c Number theoretic transform (NTT) multiplier (ay 1 ) Keccak-1600 hash function Fast sparse multiplier (z 1 = s 1 c + y 1, z 2 = s 2 c + y 2 ) 17 / 23

34 FPGA Implementation of BLISS-I : Results Algorithm LUT FF BRAM DSP OPs/s BLISS-1[Sign] 7,491 7, k signs/s BLISS-1[Ver] 5,275 4, ,4k verifs/s CDT-Sampler 928 1, ,4 M samp./s Bernoulli Sampler 1,178 1, ,4 M samp./s Results are given for a 1024-bit message on Spartan6-LX25-3 High-speed signing and verification DT sampler is twice as fast as Bernoulli sampler for similar resource consumption 18 / 23

35 FPGA Implementation of BLISS-I : Comparision Algorithm LUT FF BRAM DSP OPs/s BLISS-1[Sign] 7,491 7, ,958 signs/sec BLISS-1[Ver] 5,275 4, ,438 signs/sec GLP-1[Sign/Ver] 6,088 6, ,627/7,438 RSA-2048 [Sign] 4190 slices Curve ECDSA , /110 [Sign/Ver] LUT/FF pairs Implementation faster that RSA and prime curve ECC/ECDSA Faster, shorter and more secure than GLP lattice-signature Reasonable area consumption 19 / 23

36 Conclusion Lattice-based Crypto is ready. BLISS compares to standardized signature schemes, in both Software and Hardware New geometric analysis will make it even faster [D14, To appear, see Rump Session] Time has come for standardization of lattice-based cryptography. Provide alternative/fallbacks to ECC/RSA Mostly unpatended Motivate more work: Comprehensive Cryptanalysis, Improved Algorithms, Lightweight Implementation, Side Channel Attacks, / 23

37 Open Access, Open-Sources Full and updated paper: Software implementation: Hardware implementation: Thanks! 21 / 23

38 Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 40 56, Santa Barbara, CA, USA, August 18 22, Springer, Berlin, Germany. Nagarjun C. Dwarakanath and Steven D. Galbraith. Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Applicable Algebra in Engineering, Communication and Computing, pages 1 22, Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages , Victoria, British Columbia, Canada, May 17 20, ACM Press. Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages , Tokyo, Japan, December 6 10, Springer, Berlin, Germany. 22 / 23

39 Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages , Cambridge, UK, April 15 19, Springer, Berlin, Germany. Chris Peikert. An efficient and parallel gaussian sampler for lattices. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 80 97, Santa Barbara, CA, USA, August 15 19, Springer, Berlin, Germany. Thomas Pöppelmann and Tim Güneysu. Towards practical lattice-based public-key encryption on reconfigurable hardware. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 68 85, Burnaby, BC, Canada, August 14 16, Springer, Berlin, Germany. Sujoy Sinha Roy, Frederik Vercauteren, Nele Mentens, Donald Donglong Chen, and Ingrid Verbauwhede. Compact Ring-LWE based cryptoprocessor. In CHES 14, / 23

Compact Ring LWE Cryptoprocessor

1 Compact Ring LWE Cryptoprocessor CHES 2014 Sujoy Sinha Roy 1, Frederik Vercauteren 1, Nele Mentens 1, Donald Donglong Chen 2 and Ingrid Verbauwhede 1 1 ESAT/COSIC and iminds, KU Leuven 2 Electronic Engineering,