Cryptography for Embedded Devices, Tobias Oder, Ruhr-University


  1. Efficient Implementation of Lattice-based Cryptography for Embedded Devices
     Tobias Oder, Ruhr-University Bochum
     Workshop on Cryptography for the Internet of Things and Cloud 2017, 09.11.2017

  2. Lattice-based Cryptography
     • Set of vectors in n-dimensional space define a basis
     Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 2

  3. Lattice-based Cryptography
     • Efficiency
     • Scalability
     • Versatility
       – Encryption
       – Digital signatures
       – Key exchange
       – Advanced constructions (IBE, FHE, …)

  4. Learning with Errors
     Given A and b = As
     Task: Find s
     ➢ Easy to solve

  5. Learning with Errors
     Given A and b = As
     Task: Find s
     ➢ Easy to solve
     Given A and b = As + e
     Task: Find s
     ➢ Hard problem

  6. Lattice Classes
     Standard or random lattices
     • Unstructured matrices
     • Main operation: matrix-vector multiplication

  7. Lattice Classes
     Standard or random lattices
     • Unstructured matrices
     • Main operation: matrix-vector multiplication
     Ring or ideal lattices
     • Smaller parameters
     • Faster implementations
     • Smaller implementations
     • Main operation: polynomial multiplication
     But less trust in security due to structure!

  8. Module Lattices
     Idea: Find a trade-off between the advantages of both classes
     [Diagram labels: Efficiency, Security]
     Main operation: Matrix-vector multiplication
     • But matrix elements are polynomials!

  9. Schemes (non-exhaustive list)
     • Standard lattices
       – Encryption: LWE Encrypt
       – Signature: TESLA, Bai-Galbraith, GPV
       – Key exchange: Frodo
     • Ideal lattices
       – Encryption: Ring-LWE Encrypt, NTRU Encrypt
       – Signature: BLISS, GLP, Ring-TESLA
       – Key exchange: „A new hope“
     • Module lattices
       – Encryption: Kyber
       – Signature: Dilithium, Dilithium-G
       – Key exchange: CCA2-secure Kyber

  12. Implementation on Embedded Devices
      • What are the goals?
        – Throughput/latency
        – Code size/area
        – Power/energy

  13. Implementation on Embedded Devices
      • What are the goals?
        – Throughput/latency
        – Code size/area
        – Power/energy
      • Cross-disciplinary work and interaction between engineers and cryptographers required
        – Parameter selection and design decisions can make schemes more efficient but also weaker

  14. Implementation on Embedded Devices
      • What are the goals?
        – Throughput/latency
        – Code size/area
        – Power/energy
      • Cross-disciplinary work and interaction between engineers and cryptographers required
        – Parameter selection and design decisions can make schemes more efficient but also weaker
      • Cover side-channels
        – Timing, Cache, Simple Power Analysis
        – Differential Power Analysis, EM

  15. NTT
      • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography
      • NTT is a fast Fourier transform in integer rings
        – Polynomial multiplication in O(n log n) instead of O(n²)

  16. NTT
      • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography
      • NTT is a fast Fourier transform in integer rings
        – Polynomial multiplication in O(n log n) instead of O(n²)
      • Powers of primitive root of unity ω („twiddle factors“) required
        – Stored in tables
        – Computed on-the-fly

  17. NTT
      • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography
      • NTT is a fast Fourier transform in integer rings
        – Polynomial multiplication in O(n log n) instead of O(n²)
      • Powers of primitive root of unity ω („twiddle factors“) required
        – Stored in tables
        – Computed on-the-fly
      • Core operation is a so-called „butterfly“
        – Gentleman-Sande
        – Cooley-Tukey

  18. NTT

  19. NTT

  20. Gaussian Sampling
      • Cumulative Distribution Table (CDT) Sampling
      • Rejection Sampling
      • Bernoulli Sampling
      • Knuth-Yao Sampling

  21. CCA2-Security
      • Plain Ring-LWE encryption is only secure against chosen-plaintext attackers (CPA)
      • Many use cases require security against chosen-ciphertext attackers (CCA)
        – Attacker has access to a decryption oracle
      • Generic Fujisaki-Okamoto transform
        – Tweak by Targhi and Unruh for post-quantum security
        – Expensive re-encryption in decryption

  22. Masking Ring-LWE
      Components to be masked in CCA2-secure Ring-LWE
      • PRNG/Hash
      • NTT
      • Sampler
      • Encoding/Decoding
      See our implementation: ia.cr/2016/1109, together with Tobias Schneider, Thomas Pöppelmann, and Tim Güneysu

  23. Identity-based Encryption (IBE)
      • Demand for advanced security services (e.g., smart environments)
      • Concept: Extend asymmetric encryption scheme based on public identifier ID_X (e.g., given name, MAC, e-mail address, etc.)
      [Diagram: Master Authority / Trusted Third Party (TTP) with PK_M, SK_M; Alice (ID_A) with PK_M, SK_A; Bob (ID_B) with PK_M, SK_B; ciphertext Enc(PK_M, ID_B, msg)]

  24. IBE Implementation
      • Implementation of encryption and decryption of [DPL14] feasible on embedded devices
      • Key generation memory-wise and computationally expensive
      [DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, Vadim Lyubashevsky, ASIACRYPT 2014

  25. IBE Implementation
      • Implementation of encryption and decryption of [DPL14] feasible on embedded devices
      • Key generation memory-wise and computationally expensive
      • Cortex-M4 microcontroller
        – Enc/Dec: 6/2 ms
      • Spartan6 FPGA
        – Enc/Dec: 80/54 µs
      [DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, and Vadim Lyubashevsky, ASIACRYPT 2014

  26. Conclusion
      Lattice-based cryptography is practical on embedded devices!
      Future Work
      • Side-channel security
      • Efficient IBE key generation
      • More cryptanalysis

  27. Thank You For Your Attention!
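
Slides 15 to 17 describe NTT-based polynomial multiplication with table-stored twiddle factors and Gentleman-Sande and Cooley-Tukey butterflies. The following C code is an added example, not code from the talk or from any scheme it lists; the toy parameters n = 8, q = 17, ψ = 3, the sample inputs and all function names are assumptions, chosen so the NTT product can be checked against schoolbook multiplication modulo x^n + 1.

```c
#include <stdint.h>

/* Toy ring Z_Q[x]/(x^N + 1), constructed for this example; far too small for real use. */
enum { N = 8, Q = 17, NINV = 15 };                  /* NINV = N^-1 mod Q */
/* Stored twiddle table PW[k] = PSI^k mod Q, PSI = 3 a primitive 2N-th root of unity. */
static const uint32_t PW[2 * N] = {1, 3, 9, 10, 13, 5, 15, 11, 16, 14, 8, 7, 4, 12, 2, 6};
/* Constructed sample inputs; X7 * X1 = x^8 = -1 exercises the negacyclic wrap-around. */
const uint32_t SA[N] = {1, 2, 3, 4, 5, 6, 7, 8}, SB[N] = {16, 0, 3, 9, 1, 0, 5, 2};
const uint32_t X7[N] = {0, 0, 0, 0, 0, 0, 0, 1}, X1[N] = {0, 1};

/* Forward NTT, Gentleman-Sande butterflies: natural order in, bit-reversed out. */
static void ntt_gs(uint32_t *a) {
    for (int len = N / 2; len >= 1; len >>= 1)
        for (int i = 0; i < N; i += 2 * len)
            for (int j = 0; j < len; j++) {
                uint32_t u = a[i + j], v = a[i + j + len];
                a[i + j] = (u + v) % Q;
                a[i + j + len] = (u + Q - v) * PW[j * (N / len)] % Q;
            }
}

/* Unscaled inverse NTT, Cooley-Tukey butterflies with inverse twiddles: bit-reversed in. */
static void intt_ct(uint32_t *a) {
    for (int len = 1; len < N; len <<= 1)
        for (int i = 0; i < N; i += 2 * len)
            for (int j = 0; j < len; j++) {
                uint32_t u = a[i + j], v = a[i + j + len] * PW[(2 * N - j * (N / len)) % (2 * N)] % Q;
                a[i + j] = (u + v) % Q;
                a[i + j + len] = (u + Q - v) % Q;
            }
}
/* c = a*b in Z_Q[x]/(x^N + 1); scaling by PSI^i makes the cyclic product negacyclic. */
void polymul_ntt(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    uint32_t x[N], y[N];
    for (int i = 0; i < N; i++) { x[i] = a[i] * PW[i] % Q; y[i] = b[i] * PW[i] % Q; }
    ntt_gs(x); ntt_gs(y);
    for (int i = 0; i < N; i++) x[i] = x[i] * y[i] % Q;              /* pointwise product */
    intt_ct(x);
    for (int i = 0; i < N; i++) c[i] = x[i] * NINV % Q * PW[(2 * N - i) % (2 * N)] % Q;
}
/* Number of coefficients where the NTT product differs from the O(n^2) schoolbook one. */
int ntt_mismatches(const uint32_t *a, const uint32_t *b) {
    uint32_t c[N], r[N] = {0}; int bad = 0;
    polymul_ntt(a, b, c);
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)                /* x^N = -1: wrapped terms flip sign */
            r[(i + j) % N] = (r[(i + j) % N] + (i + j < N ? 1 : Q - 1) * a[i] * b[j]) % Q;
    for (int i = 0; i < N; i++) bad += (c[i] != r[i]);
    return bad;
}
```

Pairing a Gentleman-Sande forward transform with a Cooley-Tukey inverse avoids an explicit bit-reversal pass, because the pointwise product is order-independent.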
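
Slide 14 lists timing among the side channels to cover, and slide 20 lists CDT sampling. The following C code is an added example, not code from the talk: a CDT lookup with an early exit next to a constant-time full-table scan. The threshold table is constructed for illustration and is not taken from any scheme; the function names and the iteration counter used as a stand-in for running time are assumptions.

```c
#include <stdint.h>

/* Constructed thresholds (illustrative, not from any scheme): T[i] = floor(2^16 * Pr[X <= i])
   for a magnitude X in {0..5}; a uniform 16-bit r maps to X = #{i : r >= T[i]}. */
enum { T_LEN = 5 };
static const uint16_t T[T_LEN] = {26000, 52000, 62000, 65000, 65500};

/* Leaky variant: the early exit makes the number of iterations, and thus the running
   time, a function of the secret sample. *steps records the iterations performed. */
uint32_t cdt_sample_leaky(uint16_t r, int *steps) {
    uint32_t x = 0;
    for (*steps = 0; x < T_LEN; x++) {
        ++*steps;
        if (r < T[x]) break;
    }
    return x;
}

/* Constant-time variant: always scans the whole table and accumulates the comparison
   results arithmetically, with no secret-dependent branch or table index. */
uint32_t cdt_sample_ct(uint16_t r, int *steps) {
    uint32_t x = 0;
    for (*steps = 0; *steps < T_LEN; ++*steps) {
        uint32_t lt = ((uint32_t)r - (uint32_t)T[*steps]) >> 31;   /* 1 iff r < T[i] */
        x += lt ^ 1u;
    }
    return x;
}

/* Returns 1 if both variants produce the same sample for every 16-bit input. */
int cdt_variants_agree(void) {
    int s;
    for (uint32_t r = 0; r <= 0xFFFF; r++)
        if (cdt_sample_leaky((uint16_t)r, &s) != cdt_sample_ct((uint16_t)r, &s)) return 0;
    return 1;
}

/* Distinct iteration counts over all 2^16 inputs; more than 1 means the work done,
   and hence the timing, varies with the sampled value. */
int distinct_step_counts(int leaky) {
    uint32_t seen = 0; int n = 0, steps;
    for (uint32_t r = 0; r <= 0xFFFF; r++) {
        if (leaky) cdt_sample_leaky((uint16_t)r, &steps); else cdt_sample_ct((uint16_t)r, &steps);
        seen |= 1u << steps;
    }
    for (; seen; seen >>= 1) n += seen & 1u;
    return n;
}
```

A compiler may still turn the arithmetic comparison into a branch, so the generated assembly should be inspected on the target.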
