Putting wings on SPHINCS (PQCRYPTO Conference, Stefan Kölbl)

  1. Putting wings on SPHINCS. PQCRYPTO Conference. Stefan Kölbl, April 10th, 2018. Technical University of Denmark, Cybercrypt

  2. SPHINCS • Hash-based signature scheme • Stateless • 128-bit post-quantum security • Sizes: Public Key 1KB, Secret Key 1KB, Signature 41KB • https://sphincs.cr.yp.to/

  3. How to instantiate SPHINCS?

  4. SPHINCS: Main components • One-time Signature (WOTS) • Few-time Signature (HORST) • Merkle-Tree

  5. SPHINCS [Figure: SPHINCS structure; labels: Level 1, Level 2, ..., Level 12, 32x, HORST, Message]

  6. SPHINCS [Figure: tree of nodes labelled pk, connected by "OTS sign"]

  7. SPHINCS: What is computed? • Many calls to a hash function... • ...but using short input only. [Figure: repeated applications of f]

  8. SPHINCS: For one signature • ≈ 450.000 times F • ≈ 90.000 times H, where $H: \{0,1\}^{512} \to \{0,1\}^{256}$ and $F: \{0,1\}^{256} \to \{0,1\}^{256}$

  9. Cryptographic Hash Functions: Which hash function could we use? • Standards: SHA256, SHA-3 • ChaCha12 permutation • Keccak • Haraka • Simpira

  10. Cryptographic Hash Functions: SHA-2 (FIPS PUB 180-4) • 512-bit Message Blocks • Padding... [Figure: f iterated over message blocks $M_1, M_2, \dots, M_n$, starting from IV, with chaining values $h_1, \dots, h_{n+1}$]

  11. Cryptographic Hash Functions: SHA3-256 (FIPS PUB 202) • 1600-bit Permutation • 1088-bit Message Blocks [Figure: sponge construction; labels: $M_0, M_1, M_2$, π, r, c, $h_0, h_1$]

  12. Cryptographic Hash Functions: Other Keccak variants • Use 800-bit permutation? • Use fewer rounds (Kangaroo12 [1]). • Best preimage attack on 4 rounds [2]. [1] see https://eprint.iacr.org/2016/770 [2] Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak, Asiacrypt 2016

  13. Cryptographic Hash Functions: ChaCha12 • Suggested in SPHINCS paper. • Use ChaCha12 permutation in sponge. • Great software performance with vectorization.

  14. Cryptographic Hash Functions: Haraka: A short-input hash function [3] • Permutation based on AES rounds. • SPN construction. • 256- and 512-bit permutation. [Figure: labels x, π, trunc, H(x)] [3] https://eprint.iacr.org/2016/098

  15. Cryptographic Hash Functions: Simpira [4] • Permutation based on AES rounds. • Feistel construction. • 256- and 512-bit permutation. [Figure: labels x, π, trunc, H(x)] [4] https://eprint.iacr.org/2016/122

  16. Microarchitectures: SPHINCS not well suited for small devices [5] • Signature size larger than RAM for some devices. • Computational costs for signing high... • ... but verification is cheap. Focus on high-end platforms: • Intel Haswell/Skylake, AMD Ryzen • ARM Cortex A57/A72 [5] see https://eprint.iacr.org/2015/1042

  17. Microarchitectures: How to get a fast implementation? • Vectorization (AVX2, NEON, AVX-512) • Hardware Support (AES, SHA-2, SHA-3) • Utilize pipeline

  18. Microarchitectures: Vector Instructions: $Z_i = X_i \oplus Y_i$ for $i = 0, \dots, 7$ • Apply same operation on all elements of the vector. • Use independent inputs.

  19. Microarchitectures: Pipelining • Latency • Inverse Throughput [Figure: aesenc instructions over cycles, with the latency L of one aesenc marked]

  20. Microarchitectures: Pipelining • Latency • Inverse Throughput [Figure: several aesenc instructions over cycles, with the inverse throughput $T^{-1}$ marked]

  22. Platforms: Performance varies a lot depending on the platform. Columns: Platform, Instruction, Latency, inv. Throughput. Skylake, vectorized XOR, 1, 0.33; Ryzen, vectorized XOR, 1, 0.5; Cortex A57, vectorized XOR, 3, 2

  23. Implementations: How to implement those functions efficiently? • SHA-2 • Keccak[b = 800] • ChaCha12 • Haraka • Simpira

  24. Implementations: How to implement those functions efficiently? • SHA-2: 32-bit word oriented, Vectorize, Hardware Support • Keccak[b = 800] • ChaCha12 • Haraka • Simpira

  25. Implementations: How to implement those functions efficiently? • SHA-2 • Keccak[b = 800]: 32-bit word oriented, Vectorize • ChaCha12 • Haraka • Simpira

  26. Implementations: How to implement those functions efficiently? • SHA-2 • Keccak[b = 800] • ChaCha12: 32-bit word oriented, Vectorize • Haraka • Simpira

  27. Implementations: How to implement those functions efficiently? • SHA-2 • Keccak[b = 800] • ChaCha12 • Haraka: AES + permute • Simpira

  28. Implementations: How to implement those functions efficiently? • SHA-2 • Keccak[b = 800] • ChaCha12 • Haraka • Simpira: AES

  29. Tour de SPHINCS

  30. Tour de SPHINCS: Intel Skylake • AVX2 (256-bit vector) • AES-NI

  36. Tour de SPHINCS: Intel Skylake • AVX2 (256-bit vector) • AES-NI. Signing (million cycles) on Skylake: ChaCha12 43.49; Haraka 20.78; Keccak 108.62; SHA-256 142.06; Simpira 28.40

  37. Tour de SPHINCS: AMD Ryzen • AVX2 (256-bit vector) • AES-NI (2 ports) • SHA256 instructions

  43. Tour de SPHINCS: AMD Ryzen • AVX2 (256-bit vector) • AES-NI (2 ports) • SHA256 instructions. Signing (million cycles) on Ryzen: ChaCha12 63.42; Haraka 15.54; Keccak 189.98; SHA-256 53.33; Simpira 20.43

  44. Tour de SPHINCS: ARM Cortex A57 • NEON (128-bit vector) • AES • SHA256 support

  50. Tour de SPHINCS: ARM Cortex A57 • NEON (128-bit vector) • AES • SHA256 support. Signing (million cycles) on Cortex A57: ChaCha12 193.51; Haraka 47.10; Keccak 376.90; SHA-256 92.08; Simpira 63.48

  51. Formula SPHINCS: Hash Performance for F [Figure: bar chart, cycles per byte for ChaCha, Haraka, Keccak, SHA256 and Simpira on Skylake, Ryzen and Cortex-A57; bar labels, mapping to bars not recoverable: 16.71, 6.94, 7.3, 5.52, 4.11, 3.91, 2.73, 2.44, 1.85, 1.71, 1.08, 0.94, 0.63, 0.39, 0.49]

  52. Formula SPHINCS: Hash Performance for H [Figure: bar chart, cycles per byte for ChaCha, Haraka, Keccak, SHA256 and Simpira on Skylake, Ryzen and Cortex-A57; bar labels, mapping to bars not recoverable: 8.68, 7.15, 3.55, 2.73, 2.58, 2.20, 1.82, 1.71, 1.44, 1.51, 1.13, 0.94, 0.72, 0.48, 0.49]

  53. NIST PQ Competition: Two variants of SPHINCS in NIST PQ competition • Gravity-SPHINCS: Results directly apply. Already uses Haraka. • SPHINCS+: Tweakable Hash. Needs to process slightly larger inputs.
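
The following added example (not part of the original slides) shows how a one-time signature built from hash chains turns into many calls to F on 256-bit inputs, as slides 7 and 8 describe. It is a simplified Winternitz scheme without the bitmasks of WOTS+; SHA-256 as F, w = 16, 256-bit values and all function names are assumptions of this sketch.

```python
import hashlib

N, W = 32, 16            # assumed parameters: 256-bit values, Winternitz w = 16
LEN = 64 + 3             # 64 base-16 message digits plus 3 checksum digits
calls = {"F": 0}         # counter for invocations of F

def F(x: bytes) -> bytes:
    """F: {0,1}^256 -> {0,1}^256; SHA-256 on a 32-byte input as a stand-in."""
    assert len(x) == N
    calls["F"] += 1
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = F(x)
    return x

def digits(msg_hash: bytes) -> list:
    """Base-16 digits of a 256-bit digest, followed by the checksum digits."""
    d = [v for b in msg_hash for v in (b >> 4, b & 15)]
    csum = sum(W - 1 - v for v in d)        # at most 64 * 15 = 960 < 16**3
    return d + [(csum >> s) & 15 for s in (8, 4, 0)]

def keygen(seed: bytes):
    # Secret chain starts derived from a seed (constructed PRF, not counted as F).
    sk = [hashlib.sha256(seed + bytes([i])).digest() for i in range(LEN)]
    return sk, [chain(s, W - 1) for s in sk]

def sign(sk, msg_hash):
    return [chain(s, d) for s, d in zip(sk, digits(msg_hash))]

def pk_from_sig(sig, msg_hash):
    # The verifier finishes each chain; the result must equal the public key.
    return [chain(s, W - 1 - d) for s, d in zip(sig, digits(msg_hash))]

def demo():
    """Return F-call counts per operation, plus valid/forged verification results."""
    counts, h = {}, hashlib.sha256(b"constructed sample message").digest()
    calls["F"] = 0
    sk, pk = keygen(b"constructed demo seed")
    counts["keygen"], calls["F"] = calls["F"], 0
    sig = sign(sk, h)
    counts["sign"], calls["F"] = calls["F"], 0
    ok = pk_from_sig(sig, h) == pk
    counts["verify"] = calls["F"]
    forged = pk_from_sig(sig, hashlib.sha256(b"other message").digest()) == pk
    return counts, ok, forged
```

With these parameters one key generation costs 67 × 15 = 1005 calls to F, and signing plus verification together cost the same again, all on 32-byte inputs.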
