Efficient Implementation of Lattice-based Cryptography for Embedded Devices
Tobias Oder, Ruhr-University Bochum
Workshop on Cryptography for the Internet of Things and Cloud 2017, 09.11.2017

Lattice-based Cryptography
• A set of vectors in n-dimensional space defines a basis
Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017

Lattice-based Cryptography
• Efficiency
• Scalability
• Versatility
  – Encryption
  – Digital signatures
  – Key exchange
  – Advanced constructions (IBE, FHE, …)

Learning with Errors
Given A and b = As
Task: Find s
➢ Easy to solve
Given A and b = As + e
Task: Find s
➢ Hard problem

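Added example (not part of the slides): a toy instance in C of the contrast above. Gauss-Jordan elimination mod q recovers s exactly from b = As, while the same solver returns a wrong s once every sample carries a ±1 error. The dimension n = 8, the modulus q = 97, the fixed-seed generator and all function names are constructed for illustration and say nothing about real parameter sizes.

```c
#include <stdint.h>
#define N 8    /* toy dimension (constructed; real schemes use hundreds) */
#define Q 97   /* toy prime modulus (constructed) */
static uint32_t st = 2017;                 /* fixed seed, reproducible */
static uint32_t rnd(void) { st = st * 1664525u + 1013904223u; return st >> 16; }
static uint32_t inv(uint32_t x) {          /* x^(Q-2) mod Q, Q prime */
    uint32_t r = 1;
    for (int e = Q - 2; e; e >>= 1, x = x * x % Q) if (e & 1) r = r * x % Q;
    return r;
}
/* Solve A*s = b (mod Q) by Gauss-Jordan elimination; 0 if A is singular */
static int solve(uint32_t A[N][N], uint32_t *b, uint32_t *s) {
    for (int c = 0; c < N; c++) {
        int p = c;
        while (p < N && A[p][c] == 0) p++;          /* find a pivot row */
        if (p == N) return 0;
        for (int k = 0; k < N; k++) { uint32_t t = A[c][k]; A[c][k] = A[p][k]; A[p][k] = t; }
        uint32_t t = b[c]; b[c] = b[p]; b[p] = t;
        uint32_t iv = inv(A[c][c]);                 /* normalise pivot to 1 */
        for (int k = 0; k < N; k++) A[c][k] = A[c][k] * iv % Q;
        b[c] = b[c] * iv % Q;
        for (int r = 0; r < N; r++) {               /* clear column c elsewhere */
            uint32_t f = A[r][c];
            if (r == c || f == 0) continue;
            for (int k = 0; k < N; k++) A[r][k] = (A[r][k] + Q - f * A[c][k] % Q) % Q;
            b[r] = (b[r] + Q - f * b[c] % Q) % Q;
        }
    }
    for (int i = 0; i < N; i++) s[i] = b[i];
    return 1;
}
/* Sample b = A*s + e with every e_i = +noise or -noise (noise = 0: b = A*s),
   run the solver, and return how many coefficients of s it gets wrong. */
int wrong_coeffs(uint32_t noise) {
    uint32_t A[N][N], s[N], b[N], g[N];
    int bad = 0;
    do {
        for (int i = 0; i < N; i++) s[i] = rnd() % Q;
        for (int i = 0; i < N; i++) {
            b[i] = (rnd() & 1) ? noise : (Q - noise) % Q;
            for (int j = 0; j < N; j++) {
                A[i][j] = rnd() % Q;
                b[i] = (b[i] + A[i][j] * s[j]) % Q;
            }
        }
    } while (!solve(A, b, g));                      /* retry on singular A */
    for (int i = 0; i < N; i++) bad += g[i] != s[i];
    return bad;
}
```

Without noise the solver output equals s; with noise it equals s + A⁻¹e, which differs from s whenever e is non-zero.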
Lattice Classes
Standard or random lattices
• Unstructured matrices
• Main operation: matrix-vector multiplication
Ring or ideal lattices
• Smaller parameters
• Faster implementations
• Smaller implementations
• Main operation: polynomial multiplication
But less trust in security due to structure!

Module Lattices
Idea: Find a trade-off between the advantages of both classes
  – Efficiency
  – Security
Main operation: matrix-vector multiplication
• But matrix elements are polynomials!

Schemes (non-exhaustive list)
Standard lattices
• Encryption: LWE Encrypt
• Signature: TESLA, Bai-Galbraith, GPV
• Key exchange: Frodo
Ideal lattices
• Encryption: Ring-LWE Encrypt, NTRU Encrypt
• Signature: BLISS, GLP, Ring-TESLA
• Key exchange: "A new hope"
Module lattices
• Encryption: Kyber
• Signature: Dilithium, Dilithium-G
• Key exchange: CCA2-secure Kyber

Implementation on Embedded Devices
• What are the goals?
  – Throughput/latency
  – Code size/area
  – Power/energy
• Cross-disciplinary work and interaction between engineers and cryptographers required
  – Parameter selection and design decisions can make schemes more efficient but also weaker
• Cover side-channels
  – Timing, Cache, Simple Power Analysis
  – Differential Power Analysis, EM

NTT
• Polynomial multiplication is a major building block for ideal and module lattice-based cryptography
• NTT is a fast Fourier transform in integer rings
  – Polynomial multiplication in O(n log n) instead of O(n²)
• Powers of a primitive root of unity ω ("twiddle factors") required
  – Stored in tables
  – Computed on-the-fly
• Core operation is a so-called "butterfly"
  – Gentleman-Sande
  – Cooley-Tukey

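Added example (not from the slides or the author's implementation): negacyclic polynomial multiplication in Z_q[x]/(x^n + 1) with a Gentleman-Sande forward transform and a Cooley-Tukey inverse, so that no separate bit-reversal pass is needed, checked against the O(n²) schoolbook product. The parameters n = 256 and q = 7681, the on-the-fly twiddle computation and all function names are assumptions chosen for this example; the % reductions are not constant-time.

```c
#include <stdint.h>
#define N 256   /* ring dimension, power of two (assumed parameter) */
#define Q 7681  /* prime with 2N | Q-1 (assumed parameter) */
static uint32_t pw(uint32_t b, uint32_t e) {               /* b^e mod Q */
    uint32_t r = 1;
    for (b %= Q; e; e >>= 1, b = b * b % Q) if (e & 1) r = r * b % Q;
    return r;
}
/* In-place transform, twiddles computed on the fly. gs=1: Gentleman-Sande,
   natural -> bit-reversed order; gs=0: Cooley-Tukey, bit-reversed -> natural. */
static void ntt(uint32_t *a, uint32_t w, int gs) {
    for (int len = gs ? N / 2 : 1; len >= 1 && len < N; len = gs ? len / 2 : len * 2) {
        uint32_t wl = pw(w, N / (2 * len));     /* primitive (2*len)-th root */
        for (int s = 0; s < N; s += 2 * len) {
            uint32_t t = 1;
            for (int j = s; j < s + len; j++, t = t * wl % Q) {
                uint32_t u = a[j], v = gs ? a[j + len] : a[j + len] * t % Q;
                a[j] = (u + v) % Q;
                a[j + len] = gs ? (u + Q - v) % Q * t % Q : (u + Q - v) % Q;
            }
        }
    }
}
/* c = a*b mod (x^N + 1, Q): scale by psi^i, NTT, pointwise product, inverse NTT */
void polymul_ntt(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    uint32_t fa[N], fb[N], psi = 2;
    while (pw(psi, N) != Q - 1) psi++;     /* psi^N = -1: order exactly 2N */
    uint32_t w = psi * psi % Q, ipsi = pw(psi, Q - 2), ninv = pw(N, Q - 2);
    for (int i = 0; i < N; i++) { fa[i] = a[i] * pw(psi, i) % Q; fb[i] = b[i] * pw(psi, i) % Q; }
    ntt(fa, w, 1); ntt(fb, w, 1);
    for (int i = 0; i < N; i++) c[i] = fa[i] * fb[i] % Q;
    ntt(c, pw(w, Q - 2), 0);
    for (int i = 0; i < N; i++) c[i] = c[i] * ninv % Q * pw(ipsi, i) % Q;
}
/* Schoolbook product in O(N^2) using x^N = -1, as the reference */
void polymul_school(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    for (int i = 0; i < N; i++) c[i] = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++) {
            uint32_t p = a[i] * b[j] % Q, k = (i + j) % N;
            c[k] = (c[k] + (i + j < N ? p : Q - p)) % Q;
        }
}
int ntt_mismatches(void) {   /* constructed inputs; counts differing coefficients */
    uint32_t a[N], b[N], c1[N], c2[N]; int bad = 0;
    for (int i = 0; i < N; i++) { a[i] = (31u * i + 7) % Q; b[i] = (i * i + 3u) % Q; }
    polymul_ntt(a, b, c1); polymul_school(a, b, c2);
    for (int i = 0; i < N; i++) bad += c1[i] != c2[i];
    return bad;
}
```

Inputs are expected reduced to [0, q); a table-based variant would replace the pw() calls for the twiddle factors with lookups.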
Gaussian Sampling
• Cumulative Distribution Table (CDT)
• Rejection Sampling
• Bernoulli Sampling
• Knuth-Yao Sampling

CCA2-Security
• Plain Ring-LWE encryption is only secure against chosen-plaintext attackers (CPA)
• Many use cases require security against chosen-ciphertext attackers (CCA)
  – Attacker has access to a decryption oracle
• Generic Fujisaki-Okamoto transform
  – Tweak by Targhi and Unruh for post-quantum security
  – Expensive re-encryption in decryption

Masking Ring-LWE
Components to be masked in CCA2-secure Ring-LWE
• PRNG/Hash
• NTT
• Sampler
• Encoding/Decoding
See our implementation: ia.cr/2016/1109, together with Tobias Schneider, Thomas Pöppelmann, and Tim Güneysu

Identity-based Encryption (IBE)
• Demand for advanced security services (e.g., smart environments)
• Concept: Extend asymmetric encryption scheme based on public identifier ID_X (e.g., given name, MAC, e-mail address, etc.)
[Figure: Master Authority / Trusted Third Party (TTP) with PK_M, SK_M; Alice (ID_A) with PK_M, SK_A; Bob (ID_B) with PK_M, SK_B; message Enc(PK_M, ID_B, msg)]

IBE Implementation
• Implementation of encryption and decryption of [DPL14] feasible on embedded devices
• Key generation memory-wise and computationally expensive
• Cortex-M4 microcontroller
  – Enc/Dec: 6/2 ms
• Spartan6 FPGA
  – Enc/Dec: 80/54 µs
[DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, and Vadim Lyubashevsky, ASIACRYPT 2014

Conclusion
Lattice-based cryptography is practical on embedded devices!
Future Work
• Side-channel security
• Efficient IBE key generation
• More cryptanalysis

Thank You For Your Attention!