parameterized hardware accelerators for lattice based
play

Parameterized Hardware Accelerators for Lattice-Based Cryptography - PowerPoint PPT Presentation

Dec 31, 2023 •21 likes •711 views

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

  1. Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 – September 14, 2020

  2. Outline • Yet another hardware design for a lattice-based scheme? • qTESLA • Hardware blocks • Binary-search CDT sampler • NTT-based polynomial multiplier • Software-hardware co-design on RISC-V • Evaluation 1

  3. Yet another hardware design for a lattice-based scheme? 2

  4. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 3

  5. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 4

  6. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 5

  7. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 6

  8. Our new lattice-based hardware design Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Fixed N/A co-design Our new design Fully Flexible Tunable Universal applicability Portable 7

  9. Our new lattice-based hardware design ü Full acceleration Accelerator config. ü Flexible security parameters 32/64-bit Accelerator AMBA Bus ü Tunable hardware architecture config. ü Universal applicability to lattice- Accelerator based schemes config. ü Portable among different platforms 8

  10. qTESLA 9

  11. qTESLA Round 2 Reference C submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 10

  12. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 11

  13. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 12

  14. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ ü Simple arithmetic operations standardization liboqs library BouncyCastle library See qtesla.org 13

  15. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ ü Simple arithmetic operations standardization ü Provable-secure parameters liboqs library BouncyCastle Parameter set Public key size (in B) Signature size (in B) library qTESLA-p-I 14, 880 2, 592 qTESLA-p-III 38, 432 5, 664 See qtesla.org 14

  16. qTESLA‘s sign and verify Signature generation Input: sk, m Output: signature z, c 15

  17. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Output: signature z, c 16

  18. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Output: signature z, c 17

  19. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify Output: signature z, c 18

  20. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify ü û Compute potential signature z = y + sc Output: signature z, c 19

  21. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify ü û Compute potential signature z = y + sc Check to ensure security Output: signature z, c 20

  22. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c 21

  23. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 22

  24. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c - (pk, z, c, m) Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 23

  25. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 24

  26. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü ü Compute potential signature z = y + sc Check to ensure security Check security property û ü Output: signature z, c Output: or û ü 25

  27. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü ü Compute potential signature z = y + sc Check to ensure security Check security property û ü ü Output: signature z, c Output: or û ü 26

  28. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü û ü Compute potential signature z = y + sc Check to ensure security Check security property û û ü ü Output: signature z, c Output: or û ü 27

  29. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Simple operations: • Sampling Check c , = c ? Check to ensure acceptance during verify • Hashing û ü • Comparison û ü Compute potential signature z = y + sc • Multiplication and addition Check to ensure security Check security property û û ü ü Output: signature z, c Output: or û ü 28

  30. Hardware blocks for lattice-based schemes 29

  31. Lattice-based hardware blocks qTESLA Key Signing Verification generation Gauss Hash Poly. Sparse poly. sampler function Multiplication multiplication (4.5%) (39.4%) (27.9%) (6.3%) Respective subroutines (% of runtime) 30

  32. Lattice-based hardware blocks • A unified hardware core for both SHAKE-128/256 and cSHAKE-128/256 • A novel, parameterized binary-search CDT sampler in hardware • A novel, fully pipelined NTT-based polynomial multiplier • A parameterized sparse polynomial multiplier qTESLA • A lightweight Hmax-Sum module Key Signing Verification generation Gauss Hash Poly. Sparse poly. sampler function Multiplication multiplication (4.5%) (39.4%) (27.9%) (6.3%) Respective subroutines (% of runtime) 31

  33. Lattice-based hardware blocks • A unified hardware core for both SHAKE-128/256 and cSHAKE-128/256 • A novel, parameterized binary-search CDT sampler in hardware • A novel, fully pipelined NTT-based polynomial multiplier • A parameterized sparse polynomial multiplier • A lightweight Hmax-Sum module 32

Recommend

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for machine learning Robert Mullins This lecture Computer architecture trends Hardware accelerators Design choices and trade-offs Hardware

384 views • 22 slides
The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 ,

The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 ,

The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 , Luigi Raffo 3 1 University of Sassari, PolComIng Information Engineering Group 2 University

981 views • 95 slides
Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational Redundancies Duvindu Piyasena, Rukshan Wickramasinghe, Debdeep Paul, Siew-Kei Lam and Meiqing Wu School of Computer Science and Engineering (SCSE)

334 views • 10 slides
Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander

Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander

1/35 Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander Breslow Authors: Mitesh Meswani*, Laura Carrington*, Didem Unat, Allan Snavely, Scott Baden, and Steve Poole *San Diego Supercomputer

634 views • 37 slides
CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020

CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020

CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 IN THE EARLY DAYS, DIVIDE AND CONQUER SUFFICED People broke web page computations into a first -tier, and then a bank of

678 views • 44 slides
Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and

Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and

Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and G. Edward Suh Computer Systems Laboratory Cornell University Accelerators in Interactive Computing Systems Interactive systems have response

448 views • 17 slides
An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for Supercomputers Workshop June 12 2018 Rob Gardner Jared Smolens Kishore Pusukuri Oracle Inc Arm Inc NetApp Inc Multicore Systems &

692 views • 24 slides
CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS

CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS

CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 SUPPOSE THAT YOU PURCHASE A GPU. HOW WOULD YOU PROGRAM IT? GPUs come with a collection of existing software

272 views • 11 slides
Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners bioexcel.eu 1 Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

477 views • 30 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

ACM/IEEE CODES+ISSS 2017, Seoul, South Korea COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators Luca Piccolboni, Paolo Mantovani, Giuseppe Di Guglielmo, Luca Carloni Columbia University, New York,

624 views • 61 slides
Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 ,

Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 ,

Exploiting Dataflows for Reconfigurable Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 , Luigi Raffo 3 1 University of Sassari, PolComIng Information Engineering Group 2 University of Rennes,

914 views • 88 slides
Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN

Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN

Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN - Geneva Rende Steerenberg BND Graduate School 2 6 September 2017 CERN - Geneva Topics A Brief Recap and Transverse Optics Longitudinal

1.2k views • 76 slides
Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant

Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant

Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant Professor Department of Computer Science University of California, Irvine 2018-10-05 About Me Sang-Woo Jun Ph.D. (2018) @ MIT Research

399 views • 21 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
API-Compilation for Image Hardware Accelerators Fabien Coelho & Franc ois Irigoin ANR

API-Compilation for Image Hardware Accelerators Fabien Coelho & Franc ois Irigoin ANR

Coelho & Irigoin MINES ParisTech API-Compilation for Image Hardware Accelerators Fabien Coelho & Franc ois Irigoin ANR project: FREIA software environment for image application development on modern architectures API-Compilation for

607 views • 19 slides
Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a

Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a

Accelerators For Everything Bolaji Bankole, Jens Ertman QsCores (Quasi-Specific Cores) What is a QsCore A hardware accelerator core connected to a CPU Composed to accelerate several specific segments of code Synthesized hardware

422 views • 18 slides
The Glass Half Full Using Programmable Hardware Accelerators in Analytical Databases Zsolt

The Glass Half Full Using Programmable Hardware Accelerators in Analytical Databases Zsolt

The Glass Half Full Using Programmable Hardware Accelerators in Analytical Databases Zsolt Istvn IMDEA Software Institute 1 IM IMDEA Soft ftware In Institute 16 Faculty in the areas of: Program Analysis and Verification

508 views • 32 slides
LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

Everything should be made as simple as possible, but not simplerAlbert Einstein LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David A. Wood University of Wisconsin-Madison * Now at AMD Research,

329 views • 19 slides
Chronos: Efficient Speculative Parallelism for Accelerators MALEEN ABEYDEERA, DANIEL SANCHEZ

Chronos: Efficient Speculative Parallelism for Accelerators MALEEN ABEYDEERA, DANIEL SANCHEZ

Chronos: Efficient Speculative Parallelism for Accelerators MALEEN ABEYDEERA, DANIEL SANCHEZ ASPLOS 2020 Current hardware accelerators are limited to easy parallelism Current Accelerators Chronos Target easy parallelism Targets hard

434 views • 22 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling

Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling

Cornell University Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling Tao Chen and G. Edward Suh Computer Systems Laboratory Cornell University Accelerator-Rich Computing Systems Computing

357 views • 23 slides

More recommend