compact and simple rlwe based key encapsulation mechanism
play

Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkm - PowerPoint PPT Presentation

Jan 10, 2024 •23 likes •413 views

Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkm 1 Yusuf Alper Bilgin 2,3 Murat Cenk 3 1 Department of Computer Engineering, Ondokuz Mays University, Turkey 2 Aselsan Inc., Turkey 3 Institude of Applied Mathematics, Middle

  1. Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkım 1 Yusuf Alper Bilgin 2,3 Murat Cenk 3 1 Department of Computer Engineering, Ondokuz Mayıs University, Turkey 2 Aselsan Inc., Turkey 3 Institude of Applied Mathematics, Middle East Technical University, Turkey � y.alperbilgin@gmail.com October 3, 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 1 / 20

  2. Overview Introduction 1 Implementation Details 2 Results 3 Future Works 4 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 2 / 20

  3. NIST PQC Standardization Project Moody, PQC Workshop, 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 3 / 20

  4. RLWE based KEM - Newhope Alkim et al., ePrint 2016/1157 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 4 / 20

  5. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  6. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  7. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance • Memory efficient Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  8. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance • Memory efficient • Randoms directly sampled in NTT domain Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  9. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: Disadvantages: • High performance • Limited parametrization • Memory efficient • Randoms directly sampled in NTT domain Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  10. NewHope-Compact • A smaller and faster instantiation of NewHope Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  11. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  12. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  13. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) • Hybrid polynomial multiplication (NTT + Karatsuba) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  14. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) • Hybrid polynomial multiplication (NTT + Karatsuba) • Achieving a security level equivalent to Kyber768 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  15. Number Theoretic Transform a ∈ Z q [ X ] / ( X n + 1) n − 1 n − 1 � a i X i , where ˆ � a j ω ij NTT( a ) = ˆ a = ˆ a i = mod q i =0 j =0 n − 1 n − 1 NTT − 1 (ˆ � a i X i , where a i = n − 1 � a j ω − ij � � a ) = a = ˆ mod q i =0 j =0 where ω n = 1 mod q Yusuf Alper Bilgin NewHope-Compact October 3, 2019 7 / 20

  16. Number Theoretic Transform a ∈ Z q [ X ] / ( X n + 1) n − 1 n − 1 � a i X i , where ˆ � a j ω ij NTT( a ) = ˆ a = ˆ a i = mod q i =0 j =0 n − 1 n − 1 NTT − 1 (ˆ � a i X i , where a i = n − 1 � a j ω − ij � � a ) = a = ˆ mod q i =0 j =0 where ω n = 1 mod q Polynomial Multiplication c = NTT − 1 (NTT ( a ) ◦ NTT ( b )) where a , b , c ∈ R q Yusuf Alper Bilgin NewHope-Compact October 3, 2019 7 / 20

  17. Butterflies x (0) ˆ x (0) x (0) x (0) ˆ γ i γ i -1 -1 x (1) × ˆ x (1) x (1) × x (1) ˆ Figure: Cooley-Tukey Butterfly Figure: Gentleman-Sande Butterfly Yusuf Alper Bilgin NewHope-Compact October 3, 2019 8 / 20

  18. CRT Map of NewHope512 Let γ 512 = − 1 mod 12289. Z 12289 / ( x 512 + 1) ∼ = Z 12289 / ( x − γ ) × · · · × Z 12289 / ( x − γ 511 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  19. CRT Map of NewHope512 Let γ 512 = − 1 mod 12289. Z 12289 / ( x 512 + 1) ∼ = Z 12289 / ( x − γ ) × · · · × Z 12289 / ( x − γ 511 ) Z 12289 / ( x 512 + 1) = Z q / ( x 512 − γ 512 ) Z 12289 / ( x 256 − γ 256 ) Z 12289 / ( x 256 + γ 256 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  20. CRT Map of NewHope512 Z 12289 / ( x 512 − γ 512 ) x 256 − γ 256 x 256 + γ 256 = x 256 − γ 768 x 128 − γ 128 x 128 + γ 128 x 128 − γ 768 x 128 + γ 768 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  21. CRT Map of NewHope512 Z 12289 / ( x 512 − γ 512 ) x 256 − γ 256 x 256 + γ 256 x 128 − γ 128 x 128 + γ 128 x 128 − γ 768 x 128 + γ 768 . . . . . . . . . . . . x 2 − γ 2 x 2 + γ 510 · · · x − γ x + γ · · · x − γ 511 x + γ 511 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  22. CRT Map of NewHope-Compact512 Let γ 128 = − 1 mod 3329. Z 3329 / ( x 512 + 1) ∼ = Z 3329 / ( x 4 − γ ) × · · · × Z 3329 / ( x 4 − γ 127 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  23. CRT Map of NewHope-Compact512 Let γ 128 = − 1 mod 3329. Z 3329 / ( x 512 + 1) ∼ = Z 3329 / ( x 4 − γ ) × · · · × Z 3329 / ( x 4 − γ 127 ) Z 3329 / ( x 512 + 1) = Z 3329 / ( x 512 − γ 128 ) Z 3329 / ( x 256 − γ 64 ) Z 3329 / ( x 256 + γ 64 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  24. CRT Map of NewHope-Compact512 Z 3329 / ( x 512 − γ 128 ) x 256 − γ 64 x 256 + γ 64 = x 256 − γ 192 x 128 − γ 32 x 128 + γ 32 x 128 − γ 96 x 128 + γ 96 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  25. CRT Map of NewHope-Compact512 Z 3329 / ( x 512 − γ 128 ) x 256 − γ 64 x 256 + γ 64 x 128 − γ 32 x 128 + γ 32 x 128 − γ 96 x 128 + γ 96 . . . . . . . . . . . . x 8 − γ 2 x 8 + γ 126 · · · x 4 − γ x 4 + γ x 4 − γ 127 x 4 + γ 127 · · · Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  26. CRT Map of NewHope-Compact1024 Z 3329 / ( x 1024 − γ 128 ) x 512 − γ 64 x 512 + γ 64 x 256 − γ 32 x 256 + γ 32 x 256 − γ 96 x 256 + γ 96 . . . . . . . . . . . . x 16 − γ 2 x 16 + γ 126 · · · x 8 − γ x 8 + γ x 8 − γ 127 x 8 + γ 127 · · · Yusuf Alper Bilgin NewHope-Compact October 3, 2019 11 / 20

  27. Karatsuba Multiplication with Reduction Let a , b and c ∈ Z q / ( X 4 − r ) where r = γ i . 1: function basemul( a , b ) d ← Apply One-Iteration Karatsuba 1 to get d = a · b where d is a 2: degree 6 polynomial c [0] ← d [0] + d [4] · r ⊲ + and · for modular reduction 3: c [1] ← d [1] + d [5] · r 4: c [2] ← d [2] + d [6] · r 5: c [3] ← d [3] 6: return c 7: 8: end function 1 Weimerskirch and Paar, ePrint 2006/224 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 12 / 20

  28. Computation Costs of Polynomial Multiplications Z 3329 / ( x 512 + 1) ❛❛❛❛❛❛❛❛❛❛❛❛ Operations # of Multiplications # of Additions Multiplication Methods Hybrid NTT-Schoolbook 7808 12288 Multiplication Hybrid NTT-Karatsuba 7040 14592 Multiplication Yusuf Alper Bilgin NewHope-Compact October 3, 2019 13 / 20

  29. Computation Costs of Polynomial Multiplications Z 3329 / ( x 512 + 1) ❛❛❛❛❛❛❛❛❛❛❛❛ Operations # of Multiplications # of Additions Multiplication Methods Hybrid NTT-Schoolbook 7808 12288 Multiplication Hybrid NTT-Karatsuba 7040 14592 Multiplication Cycle counts ( × 10 3 ) Method Schoolbook 21,7 Karatsuba 14,2 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 13 / 20

  30. Parameter Sets Table: Parameters of n=512 Parameter Set Newhope512 NH-Compact512 Dimension n 512 512 Modulus q 12289 3329 Noise Parameter k 8 2 Table: Parameters of n=1024 Parameter Set Newhope1024 NH-Compact1024 Dimension n 1024 1024 Modulus q 12289 3329 Noise Parameter k 8 2 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 14 / 20

  31. Sizes in bytes 512-CCA-KEM Parameter Set NewHope NewHope-Compact | pk | 928 800 | sk | 1888 1632 | ciphertext | 1120 992 1024-CCA-KEM Parameter Set NewHope NewHope-Compact | pk | 1824 1568 | sk | 3680 3168 | ciphertext | 2208 2080 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 15 / 20

  32. Cycle counts ( × 10 3 ) of C reference (non-optimized) implementations CCA-KEM-512 Operations Kyber NewHope NewHope-Compact 121 . 6 119 . 2 89 . 3 Gen Encaps 164 180 . 2 147 197 . 5 203 . 4 176 . 1 Decaps Total 483 . 1 502 . 8 412 . 4 CCA-KEM-1024 Operations Kyber NewHope NewHope-Compact 324 . 6 237 . 8 186 . 4 Gen 381 . 4 365 . 2 321 . 8 Encaps Decaps 431 . 4 417 . 5 395 Total 1137 . 4 1020 . 5 902 . 2 Performed on Intel Skylake Core i7-6500U Yusuf Alper Bilgin NewHope-Compact October 3, 2019 16 / 20

  33. NewHope-Compact768 Inspired by NTTRU 1 Z 3457 / ( X 768 − X 384 + 1) and let ζ 1 and ζ 2 are two primitive sixth root of unity. Z 3457 / ( X 768 − X 384 + 1) Z 3457 / ( x 384 − ζ 1 ) Z 3457 / ( x 384 − ζ 2 ) 1 Lyubashevsky and Seiler, CHES 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 17 / 20

Recommend

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 , Alessandro Barenghi 2 , Franco Chiaraluce 1 , Gerardo Pelosi 2 , Paolo Santini 1 1 Universit` a Politecnica delle Marche (m.baldi@univpm.it,

674 views • 52 slides
WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven

WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven

WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven tool Effective means of cooperatively addressing common problems Allows states to respond to national priorities with one voice Retains

448 views • 32 slides
IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong Jiang , Zhenfeng Zhang , Long Chen , Hong Wang Zhi Ma Chinese State Key Laboratory of Mathematical Engineering and

577 views • 46 slides
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser 2 , Andrea Hoeller 2 , oppelmann 3 , Fernando Virdia 1 , Andreas Wallner 2 Thomas P 1 Information Security Group, Royal Holloway, University of

1.17k views • 33 slides
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser 2 , Andrea Hoeller 2 , oppelmann 3 , Fernando Virdia 1 , Andreas Wallner 2 Thomas P 1 Information Security Group, Royal Holloway, University of

726 views • 53 slides
Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan University, China June 28, 2017 Boru Gong, Yunlei Zhao (Fudan) Cryptanalysis of RLWE-Based One-Pass AKE June 28, 2017 1 / 39 Outline 1 Introduction

601 views • 39 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 & VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

slide 1 gaius Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a network packet or frame encapsulation refers to how the network interface uses packet switching hardware two machines

499 views • 27 slides
What is an Interstate Compact? Simple, versatile and proven tool Effective means of

What is an Interstate Compact? Simple, versatile and proven tool Effective means of

What is an Interstate Compact? Simple, versatile and proven tool Effective means of cooperatively addressing common problems Contract between states Creates economies of scale Responds to national priorities with one voice

397 views • 21 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

546 views • 9 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

240 views • 7 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

751 views • 7 slides
High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1

High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1

High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1 http://www.hipin.eu The HIPIN project received funding from the European Union's Seventh Framework Programme for research, technological development

383 views • 17 slides
FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto

FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto

FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto our foldable camping stove ve Lightweight, compactable Accor ccordion mechanism accommodates compact, dion mechanism accommodates compact,

342 views • 8 slides
Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate Information hiding abstract data types type definition is hidden from the user variables of the type can be declared variables of the type

1.02k views • 15 slides
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

890 views • 87 slides
Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

245 views • 21 slides
MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key

MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key

MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key Exchange Post-Quantum KX based on RLWE USENIX 2016 2/17 New Hope Key Exchange Post-Quantum KX based on RLWE USENIX 2016

586 views • 54 slides
The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy

The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy

The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy (suspension + lock), without requiring expert appointment in default cases, with sufficient registrant protections that any unwarranted result could be

546 views • 3 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
Topic 3 Encapsulation - Implementing Classes And so, from Europe, we get things such as ...

Topic 3 Encapsulation - Implementing Classes And so, from Europe, we get things such as ...

Topic 3 Encapsulation - Implementing Classes And so, from Europe, we get things such as ... object-oriented analysis and design (a clever way of breaking up software programming instructions and data into small, reusable objects, based on

1.12k views • 53 slides
Quantifying the Encapsulation of Implemented Software Architectures @ericbouwers @avandeursen

Quantifying the Encapsulation of Implemented Software Architectures @ericbouwers @avandeursen

Quantifying the Encapsulation of Implemented Software Architectures @ericbouwers @avandeursen @jstvssr an implemented software architecture What is encapsulation? When applied correctly, the process of encapsulation ensures that the

755 views • 19 slides
Why C++? a better C type safe, e.g., I/O streams better support for ADTs, encapsulation

Why C++? a better C type safe, e.g., I/O streams better support for ADTs, encapsulation

Why C++? a better C type safe, e.g., I/O streams better support for ADTs, encapsulation object-oriented programming add inheritance to encapsulation OO isnt a silver bullet, but it helps in dealing with the complexity of

412 views • 15 slides

More recommend