fpga implementation and comparison of protections against
play

FPGA Implementation and Comparison of Protections Against SCAs for - PowerPoint PPT Presentation

Dec 18, 2022 •13 likes •546 views

FPGA Implementation and Comparison of Protections Against SCAs for RLWE Timo Zijlstra 1 Karim Bigou 2 Arnaud Tisserand 1 1 CNRS Lab-STICC UMR 6285, UBS 2 Universit e de Bretagne Occidentale - Lab-STICC UMR CNRS 6285 December 17, 2019 Timo

  1. FPGA Implementation and Comparison of Protections Against SCAs for RLWE Timo Zijlstra 1 Karim Bigou 2 Arnaud Tisserand 1 1 CNRS Lab-STICC UMR 6285, UBS 2 Universit´ e de Bretagne Occidentale - Lab-STICC UMR CNRS 6285 December 17, 2019 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 1 / 26

  2. Overview RLWE-based Cryptography 1 Side channel vulnerabilities 2 Countermeasures against SCA 3 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 2 / 26

  3. RLWE Encryption scheme [LPR10] LWE cryptography introduced by Regev [Reg05] Ring-LWE (RLWE) first appeared in [LPR10] Keys, ciphertexts are polynomials in Z q [ x ] / ( x n + 1) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 3 / 26

  4. RLWE Encryption scheme [LPR10] LWE cryptography introduced by Regev [Reg05] Ring-LWE (RLWE) first appeared in [LPR10] Keys, ciphertexts are polynomials in Z q [ x ] / ( x n + 1) Alice ( KeyGen , Decrypt ) : Bob ( Encrypt ) : $ ← − random polynomial a $ ← − poly w/ small coefficients s , e a , b $ b ← a · s + e − − → e 1 , e 2 , e 3 ← − small c 1 ← a · e 1 + e 2 µ ′ ← D ( c 2 − c 1 · s ) c 1 , c 2 ← − − − c 2 ← b · e 1 + e 3 + E ( µ ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 3 / 26

  5. Encryption scheme in pictures 1. Encode E : 0 �→ 0 and 1 �→ q 2 . q/4 q/2 0 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  6. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  7. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 3. Decryption : result is close to E ( µ ). q/4 q/2 0 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  8. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 3. Decryption : result is close to E ( µ ). 4. Decode D : left �→ 1, right �→ 0 q/4 q/4 q/2 1 0 q/2 0 0 3q/4 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  9. Decryption function Input: ciphertext c 1 , c 2 Compute d = c 2 − c 1 · s Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 5 / 26

  10. Decryption function Input: ciphertext c 1 , c 2 Compute d = c 2 − c 1 · s → use NTT: d ← c 2 − NTT − 1 ( ˆ c 1 · ˆ s ) Multiplication in NTT domain is point-wise: � � c 1 · ˆ s = c 1 , 1 · ˆ mod q , . . . , ˆ c 1 , n · ˆ mod q ˆ ˆ s 1 s n 1 polynomial multipication takes n multiplications in Z q Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 5 / 26

  11. Side Channel Analysis model Attack each modular multiplication separately during decryption Hypothesis: for each c · s mod q , the power trace allows to guess: HW( c · s mod q ) + N (0 , σ ) HW modular memory mul. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 6 / 26

  12. Side Channel Analysis model Attack each modular multiplication separately during decryption Hypothesis: for each c · s mod q , the power trace allows to guess: HW( c · s mod q ) + N (0 , σ ) HW modular memory mul. CPA Attack: 1 Generate random ciphertexts 2 Predict power traces 3 Measure power traces during decryption 4 Compute correlation between traces and predictions 5 Maximum correlation is obtained for the correct guess Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 6 / 26

  13. Side Channel Attack simulation Simulate CPA in SageMath: Machine executing one instruction per cycle Correlations from CPA: Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 7 / 26

  14. Countermeasures Randomize computations How to obtain correct results from randomized computations? Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  15. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  16. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  17. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Permutation (randomize the order of computations) 3 We propose 2 methods Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  18. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Permutation (randomize the order of computations) 3 We propose 2 methods Redundant secret key representation 4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  19. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  20. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) 1 Pick some random a , b ∈ Z / q Z and compute ( ab ) − 1 2 Compute a c 1 · b s Reminder 3 Multiply by ( ab ) − 1 and subtract c 2 Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) to obtain correct d 4 Decode → [Saa18]: use pre-computed roots of unity ω i , ω j , ω n − i − j Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  21. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) 1 Pick some random a , b ∈ Z / q Z and compute ( ab ) − 1 2 Compute a c 1 · b s Reminder 3 Multiply by ( ab ) − 1 and subtract c 2 Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) to obtain correct d 4 Decode → [Saa18]: use pre-computed roots of unity ω i , ω j , ω n − i − j Computation of c 1 · s randomized at each run. d is not randomized = ⇒ decoding algorithm is not protected → use the blinding method in combination with another countermeasure. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  22. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  23. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) In Z q [ x ] / ( x n + 1) : multiply by x i ⇐ ⇒ shift i positions to the right → easy to compute NTT domain: pointwise multiplication by NTT ( x i ) = (1 , ω i , ω 2 i , . . . ) → still easy to compute (since ω i is pre-computed for all i < n ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  24. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) In Z q [ x ] / ( x n + 1) : multiply by x i ⇐ ⇒ shift i positions to the right → easy to compute NTT domain: pointwise multiplication by NTT ( x i ) = (1 , ω i , ω 2 i , . . . ) → still easy to compute (since ω i is pre-computed for all i < n ) Shifted decryption: 1 Get random indices i , j < n 2 Compute NTT ( x i ) ⊙ s , NTT ( x j ) ⊙ c 1 and NTT ( x i + j ) ⊙ c 2 3 Decrypt and shift i + j positions to the left. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  25. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

  26. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . 1 Generate a uniform random s ′ and let s ′′ ← s − s ′ . → then s = s ′ + s ′′ . Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

  27. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . 1 Generate a uniform random s ′ and let s ′′ ← s − s ′ . → then s = s ′ + s ′′ . Reminder 2 Compute (part of) the decryption function for both shares: Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) d ′ ← c 2 − c 1 s ′ d ′′ ← − c 1 s ′′ Then D ( d ′ + d ′′ ) = µ . Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

Recommend

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the performance of them, we Abstract choose different models for each platform to get fairer FIR filters find place in digital signal processing

569 views • 7 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F.

Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F.

Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F. Santucci, M. Faccio University of LAquila, LAquila, Italy Outline Introduction Problem Definition Resolution Method FPGA

1.27k views • 22 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

FPGA implementation of Quantized (Deep) Neural Network (QNN) Accelerators Biruk Seyoum Phd Student, Scoula Superiore SantAnna, Pisa Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing FPGA DNN

587 views • 23 slides
FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing

FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing

FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing Capabilities Nikolaos Minas Matthew Marshall Gordon Russell Alex Yakovlev Outline Introduction. Error Detection/Correction overview. Information

730 views • 27 slides
FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

2/21/2012 Content FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers Distributed RAM History FPGA vs ASIC FPGA and Microprocessors Alternatives to FPGAs ETI135, Advanced Digital IC Design

123 views • 10 slides
Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand

Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand

BRAM DSP URAM Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand Samajdar, Tushar Garg, Tushar Krishna, Nachiket Kapre nachiket@uwaterloo.ca Claim Hard FPGA interconnect (cascades) e ffi ciently

993 views • 82 slides
A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2

A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2

A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2 Axel Poschmann 2 , 3 1 Society for Electronic Transactions and Security (SETS), India 2 Nanyang Technological University (NTU), Singapore 3 NXP

523 views • 34 slides
WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs Generic logic cells + Programmable switches Why do we use it? High performance &amp; Flexible Shorter time to market Joachim Rodrigues

308 views • 8 slides
An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr.

An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr.

An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr. Department of Electrical and Computer Engineering University of Toronto Objectives Accelerate part of Molecular Dynamics Simulation Smooth

666 views • 34 slides
Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp Koppermann, Fabrizio De Santis, Johann Heyszl and Georg Sigl History of High-Speed Curve Cryptography over Prime Fields 1 Point Addition on a

319 views • 16 slides
CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle

CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle

CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle Valente Utkarsh Gupta Veton Saliu Under the guidance of Prof. Stephen Edwards Overview and objectives Single source shortest path

641 views • 12 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive &amp; Secure Computing Systems Lab Department of Electrical &amp; Computer Engineering Boston

964 views • 48 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA? Field-programmable gate array (FPGA) are integrated circuits designed to be con fi gured after manufacturing for implementing arbitrary logic

429 views • 15 slides
FPGA language ( HDL ). Overview 3 4 Component-Based Software Design LMES Component-Based

FPGA language ( HDL ). Overview 3 4 Component-Based Software Design LMES Component-Based

11/05/2016 Agenda The topics that will be addressed are: Overview on basic characteristics of the FPGA; Scheduling tasks on Reconfigurable FPGA reconfiguration capabilities; FPGA architectures Timing analysis for reconfigurable

299 views • 10 slides
Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA :

Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA :

Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA : An integrated circuit (IC) designed to be configured by customer or designer after manufacturing -- Developed in ~80s -- Widely used (customer

303 views • 7 slides
Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis

Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis

Motivation SIF LWDF LWDF-to-SIF Example and comparison Summary Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis Anastasia Volkova, Thibault Hilaire Sorbonne Universit es, University Pierre and

868 views • 41 slides
FPGArt Painting with an FPGA Niklas Rother, Rebecca Cramer, Tim Oberschulte 23.03.2017 1 / 10

FPGArt Painting with an FPGA Niklas Rother, Rebecca Cramer, Tim Oberschulte 23.03.2017 1 / 10

FPGArt Painting with an FPGA Niklas Rother, Rebecca Cramer, Tim Oberschulte 23.03.2017 1 / 10 Contents Task Implementation What we learned... Statistics Demo 2 / 10 Task Create a painting application on an FPGA Use a PS/2 Mouse

402 views • 10 slides
FPGA-based Convolutional Neural Network Accelerator Ke Xu Xingyu Hou Manqi Yang Wenqi Jiang

FPGA-based Convolutional Neural Network Accelerator Ke Xu Xingyu Hou Manqi Yang Wenqi Jiang

FPGA-based Convolutional Neural Network Accelerator Ke Xu Xingyu Hou Manqi Yang Wenqi Jiang Outline Background Software Implementation Python / C implementation of VGG-16 Profiling and acceleration strategy

663 views • 20 slides
1 B-MAC Implementation B-MAC Implementation Low Power Listening (LPL) B-MAC = Link Protocol

1 B-MAC Implementation B-MAC Implementation Low Power Listening (LPL) B-MAC = Link Protocol

Presentation Outline Introduction B-MAC Implementation Versatile Low Power Media Access for B-MAC Results Wireless Sensor Networks Critique Comparison Presented By: Eitan Marder-Eppstein 2 Why is B-MAC Needed? B-MAC's Idea of MAC for WSN

574 views • 3 slides
GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray | jan@fpga.org | http://fpga.org CARRV2017: 2017/10/14 FPGA Datacenter Accelerators Are Almost Mainstream Catapult v2. Intel += Altera. OpenPOWER CAPI. AWS

508 views • 28 slides
HyperX Topology First At-Scale Implementation and Comparison to the Fat-Tree Outline 5-min

HyperX Topology First At-Scale Implementation and Comparison to the Fat-Tree Outline 5-min

Co-Authors: Prof. S. Matsuoka Ivan R. Ivanov Yuki Tsushima Tomoya Yuki Akihiro Nomura Shinichi Miura Nic McDonald Dennis L. Floyd Nicolas Dub HyperX Topology First At-Scale Implementation and Comparison to the Fat-Tree Outline

441 views • 22 slides

More recommend