high speed instruction set coprocessor for lattice based
play

High-speed Instruction-set Coprocessor for Lattice-based Key - PowerPoint PPT Presentation

Aug 20, 2022 •104 likes •482 views

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

  1. High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020

  2. Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA + 20] reported that “SABER is one of the most promising KEM schemes to be considered for stan- dardization at the end of the third round.” Saber’s unique design choices • Different implementation approaches from other lattice-based protocols • Non-NTT based polynomial multipliers 1/15

  3. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () seed A , b A T · s ⌊︂ p ⌉︂ b = b b q A A 2/15

  4. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m ⌊︂ T b T s ′ + T ⌉︂ c m = b p b 2 m 2/15

  5. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m Decryption v = b ′ b ′ T s b ′ ⌊︂ T b T s ′ + T ⌉︂ c m = b ⌊︂ 2 p b 2 m ⌉︂ m = q ( v − p T c m ) 2/15

  6. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m Decryption v = b ′ b ′ T s b ′ ⌊︂ T b T s ′ + T ⌉︂ c m = b ⌊︂ 2 p b 2 m ⌉︂ m = q ( v − p T c m ) Key Encapsulation Mechanism Saber.KEM is obtained via the Fujisaki-Okamoto (FO) transform. Implementation-wise, the FO consists mainly of SHA/SHAKE calls. 2/15

  7. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE 2. Computing polynomial multiplication 3/15

  8. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication 3/15

  9. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication 3/15

  10. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication – The main focus of this work 3/15

  11. Polynomial multiplication in Saber The main characteristics • Module-LWR – Different module ranks for different security levels – All polynomials have degree 255 • Small secrets – Secret polynomial coefficients in [ − 3 , 3 ] , [ − 4 , 4 ] or [ − 5 , 5 ] • Power-of-2 moduli – Multiplication modulo 2 13 or 2 10 – Free modular reduction – No NTT 4/15

  12. Our polynomial multiplication approach The alternatives to NTT The Number Theoretic Transform (NTT) requires the modulus to be prime In software: improved Toom-Cook ([BMKV20], also at CHES 2020) In hardware: • Toom-Cook/Karatsuba not convenient because recursive • High parallelism • Ad-hoc solutions 5/15

  13. Our polynomial multiplication approach The alternatives to NTT The Number Theoretic Transform (NTT) requires the modulus to be prime In software: improved Toom-Cook ([BMKV20], also at CHES 2020) In hardware: • Toom-Cook/Karatsuba not convenient because recursive ⇒ Schoolbook algorithm • High parallelism • Ad-hoc solutions 5/15

  14. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 for i = 0 ; i < 256 ; i++ do for j = 0 ; j < 256 ; j++ do acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 return acc 6/15

  15. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 for i = 0 ; i < 256 ; i++ do for j = 0 ; j < 256 ; j++ do acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 return acc negacyclic shift 6/15

  16. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 Advantages for i = 0 ; i < 256 ; i++ do • Simple implementation for j = 0 ; j < 256 ; j++ do • High flexibility acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 • Great performance return acc negacyclic shift 6/15

  17. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction 1 acc[i] 7/15

  18. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction ⇓ 1 A MAC unit requires little area (50 LUTs) acc[i] 7/15

  19. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction ⇓ 1 A MAC unit requires little area (50 LUTs) We use 256 MACs in parallel acc[i] 7/15

  20. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  21. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  22. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  23. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  24. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  25. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier Performance A full polynomial multiplication can be computed in 256 cycles! 8/15

  26. The full architecture An instruction-set coprocessor architecture Polynomial Vector-Vector Advantages Multiplier Data input and output • Modularity SHA3-256/ SHA3-512/ ⇓ SHAKE128 Communication • Generic framework Controller Bus Manager Binomial … ⇓ Sampler Data Memory • Other protocols (Block RAM) AddPack • Programmability AddRound Program Memory Verify Disadvantages CMOV • No parallelism CopyWords 9/15

  27. s[i] a[j] s[i] a[j] s[i-1] a[j+1] MAC MAC 1 1 acc[i] acc[i] Design extendability Unified architecture • LightSaber • Saber • FireSaber 10/15

  28. Design extendability Unified architecture s[i] a[j] s[i] a[j] s[i-1] a[j+1] • LightSaber MAC MAC • Saber • FireSaber ⇒ 1 1 Performance/area trade-offs • 512 multipliers acc[i] acc[i] • ∼ 20 % improvement in speed 10/15

  29. Performance Results Running on a Ultrascale+ XCZU9EG-2FFVB1156 FPGA Key Generation Encapsulation Decapsulation Polynomial multiplication Keccak computations Other operations Total cycles 5,453 6,618 8,034 21.8 μ μ s μ 26.5 μ μ μ s 32.1 μ μ μ s Total time Throughput 45,872 op/s 37,776 op/s 31,118 op/s 11/15

  30. Area Results Running on a Ultrascale+ XCZU9EG-2FFVB1156 FPGA LUTs Flip flops DSPs BRAM Tiles Total 23,686 0 2 9,805 % 8.6 % 0 % 0.2 % 1.8 % It is possible to fit 11 coprocessors, achieving a throughput of 504k / 416k / 342k op/s 12/15

  31. Comparisons to other work Time in μ s Implementation Platform Frequency Area Key Encps Decps (MHz) LUT FF DSP BRAM Kyber [DFA + 20] Virtex-7 - 17.1 23.3 245 14k 11k 8 14 NewHope [ZYC + 20] Artix-7 40 62.5 24 200 6.8k 4.4k 2 8 FrodoKEM [HOKG18] Artix-7 45K 45K 47K 167 7.7K 3.5K 1 24 Virtex-7 ∗ SIKE [MLRB20] 8K 14K 15K 142 21K 14K 162 38 Saber [BMTK + 20] Artix-7 ∗ 3K 4K 3K 125 7.4K 7.3K 28 2 UltraScale+ ∗ Saber [DFAG19] - 60 65 322 13K 12K 256 4 Saber [this work] UltraScale+ 21.8 26.5 32.1 250 24K 10K 0 2 13/15 ∗ : HW/SW codesign

  32. Future work Other protocols • Kyber and other lattice-based schemes • Signature schemes? Lightweight implementation • Fewer multipliers Side-channel resistance • Masked implementation • Handle small coefficients 14/15

Recommend

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power Integrated Circuits 2009. 04. 27 Kwangseok Seo Seoul National University Outline Outline Introduction RTD/HEMT Integration Technology

369 views • 22 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcenden- tal functions and logarithms. Data types

361 views • 12 slides
Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder Interface for Overview New linear position/velocity sensor Non-contact High resolution High speed Based on proven

320 views • 27 slides
A Standard f A S tandard for or High Quality High Quality Instruction Instruction

A Standard f A S tandard for or High Quality High Quality Instruction Instruction

Charles Smith, Ph.D. Executive Director, David P. Weikart Center for Youth Program Quality #readyby21 A Standard f A S tandard for or High Quality High Quality Instruction Instruction Higherorderengagement

386 views • 36 slides
1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

Performance Introduction Many factors impact performance: Technology: basic circuit speed (clock speed, usually in MHz, now in GHz - billions of cycles per second) process technology (# of transistors per chip) Organization:

138 views • 3 slides
Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine

Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine

Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine Mahtout, Mariam Kiran, Anu Mercian, Bashir Mohammad Lawrence Berkeley National Lab HPE SNTA 2020 1 Problem Statement Intent-based networking research

1.27k views • 26 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

Systems Design &amp; Programming Coprocessor CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcendental functions and logarithms. Data types include 16-, 32- and 64-bit signed

441 views • 12 slides
Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on

Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on

Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on proven Acoustic Correlation principle Easy calibration Well proven technology 2017-05-18 3 Consilium High Performance Speed Log

367 views • 13 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &amp; Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

956 views • 57 slides
Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for Transportation Co., Ltd. (JIC) Index Trend of the HSR Project HSR Project in The World Superiority of Introducing HSR Transport Needs

1.02k views • 25 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor Corporation Belgium Vision 2006 P E R F O R M Outline Introduction Architecture Analog high speed CIS Digital high speed CIS

593 views • 32 slides
Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Birmingham High Energy Physics Group - Particle Physics Seminar, University of Birmingham, 08.06.2016 Andreas Jttner Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on the lattice 4. Pushing

713 views • 52 slides
1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High

1 High Speed UK Connecting the Nation, Connecting the North: The Only Way is Woodhead High Speed UK Connecting the Nation Who are we? Colin Elliff BSc CEng MICE Civil Engineering Principal, HSUK Quentin Macdonald

899 views • 85 slides
lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) - coprocessor 0 (kernel use, exception handing) February 17, 2016 lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

344 views • 5 slides
FPGA based High speed and low area cost pattern matching Jian Huang, Zongkai Yang, Xu Du, and Wei

FPGA based High speed and low area cost pattern matching Jian Huang, Zongkai Yang, Xu Du, and Wei

227886165 I FPGA based High speed and low area cost pattern matching Jian Huang, Zongkai Yang, Xu Du, and Wei Liu Department of Electronic and Information Engineering, Huazhong University of Science and Technology Abstract-Intrusion detection and

417 views • 5 slides
High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber

High Speed Rail for Australia: Opportunities and Issues by Dale Budd Hunter Business Chamber Newcastle, 7 December 2012 What is high speed rail? High speed rail refers to passenger trains travelling at 250 km/h or more, on purpose-built tracks.

354 views • 11 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp; Approaches Security: Challenges &amp; Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
based on the High Speed Rail transportation in Middle East VAHID, ALIGHARDASHI Director General,

based on the High Speed Rail transportation in Middle East VAHID, ALIGHARDASHI Director General,

Sustainable Development based on the High Speed Rail transportation in Middle East VAHID, ALIGHARDASHI Director General, Infrastructure Engineering &amp; Supervision Bureau, The railways of Islamic Republic of Iran(RAI), Iran Wednesday, 8 th

385 views • 12 slides
High-speed dispersing between two deinking loops: are there optimisation possibilities?

High-speed dispersing between two deinking loops: are there optimisation possibilities?

High-speed dispersing between two deinking loops: are there optimisation possibilities? Benjamin FABRY and Bruno CARRE Niagara Falls, September 2007 Guideline Introduction Theoretical aspects High-speed dispersing between two

464 views • 44 slides

More recommend