22nd IEEE Symposium on Computer Arithmetic
RNS Arithmetic Approach in Lattice-based Cryptography: Accelerating the "Rounding-off" Core Procedure
Jean-Claude Bajard (1), Julien Eynard (1), Nabil Merkiche (1, 2), Thomas Plantard (3)
(1) Sorbonne Universités, UPMC Univ Paris 06, CNRS, LIP6 UMR 7606, France
(2) DGA/MI, Rennes, France
(3) University of Wollongong, CCISR, Wollongong, Australia
June 23rd, 2015
Bajard, Eynard, Merkiche, Plantard, RNS Arithmetic Approach in Lattice-based Cryptography, 1 / 20
Context & Motivation
Lattice-based cryptography (LBC):
- post-quantum security
- homomorphic encryption properties
- average-case to worst-case reductions
- scalar products and vector-matrix products in huge dimensions
Why Residue Number Systems (RNS)?
- natural and easy concurrency for basic operations
- easy scalability
- natural match with GPU, multi-core CPU and FPGA features
→ optimization of LBC primitives at the arithmetical level? Here, focus on Babai's round-off algorithm.
Outline
- Essentials about RNS & lattices
- Closest vector problem & round-off algorithm
- Round-off and RNS arithmetic
- Considerations about FPGA implementation
- Conclusion
Essentials: Residue Number Systems (RNS)
Essentials: Lattices
- A (full-rank) lattice $L$ is a discrete additive subgroup of $\mathbb{R}^\ell$ (a "regular grid"): $L = r_1\mathbb{Z} \oplus \dots \oplus r_\ell\mathbb{Z}$, with $r_1, \dots, r_\ell$ independent vectors of $\mathbb{R}^\ell$.
- The matrix $R = (r_1, \dots, r_\ell)^{\top}$ is a basis of $L$ (for $\ell \ge 2$, there are infinitely many bases).
- Closest Vector Problem (CVP): given $c \in \mathbb{Z}^\ell$, compute $v \in L$ such that $\|c - v\| \le \|c - z\|$ for all $z \in L$.
Solving the CVP with Babai's round-off algorithm, given a basis $R$ of $L$ ($\lfloor \cdot \rceil$ denotes component-wise rounding to the nearest integer):
1. change of basis: $c \in \mathbb{Z}^\ell \mapsto c \times R^{-1}$
2. rounding components: $\lfloor c \times R^{-1} \rceil \in \mathbb{Z}^\ell$
3. return to canonical basis: $\lfloor c \times R^{-1} \rceil \times R \in L$
Solving the CVP: Cryptographic interest of CVP
- hard to find a close vector via a "bad" basis $B$ of $L$
- hard to compute a "good" basis from a bad one
GGH-like cryptosystem (1997):
- public key: bad basis; private key: good basis
- plaintext + lattice vector = ciphertext (GGH, 1997)
- deciphering: solving CVP (through the round-off algorithm)
Adapting the round-off to RNS arithmetic: Common simplification step
- $c = \lfloor cR^{-1} \rceil R + p$ with $p \in \mathbb{Z}^\ell \cap \left(-\tfrac{1}{2}, \tfrac{1}{2}\right]^\ell \times R$
- Babai's condition: $\sigma \rho_R < \tfrac{1}{2}$, with $\|p\|_\infty \le \sigma$ and $\rho_R = \max_{1 \le j \le \ell} \sum_{i=1}^{\ell} |(R^{-1})_{i,j}|$
- $\lfloor cR^{-1} \rceil \bmod m_\sigma$ with $m_\sigma \ge 2\sigma + 1 \Rightarrow p = (c - \lfloor cR^{-1} \rceil R) \bmod_c m_\sigma$
→ just need to compute $\lfloor cR^{-1} \rceil \bmod m_\sigma$
Adapting the round-off to RNS arithmetic: Problems and solutions
Problems: $\lfloor cR^{-1} \rceil$ involves a rational expression and the round-off function.
Solutions (with $|x|_m$ the remainder of $x$ modulo $m$ in $[0, m)$):
- $R^{-1} = \dfrac{R'}{d}$, with $d = \det R \in \mathbb{Z}$ and $R' = \mathrm{Comat}(R)^{\top} \in \mathbb{Z}^{\ell \times \ell}$
- $\left\lfloor \dfrac{a}{b} \right\rceil = \left\lfloor \dfrac{a}{b} + \dfrac{1}{2} \right\rfloor = \dfrac{2a + b - |2a + b|_{2b}}{2b}$: an exact division, doable in RNS
- hence $\lfloor cR^{-1} \rceil = \dfrac{2cR' + d - |2cR' + d|_{2d}}{2d}$, with $d = (d, \dots, d)$
New problem: complete modular reduction $|2cR' + d|_{2d}$ in RNS?
Adapting the round-off to RNS arithmetic: Efficient RNS Montgomery modular reduction
- precomputations: $\tilde{R} \in [0, 2d)^{\ell^2}$, $\tilde{d} \in [0, 2d)^{\ell}$
- RNS base $\mathcal{B}$ with size $M = \prod_{m \in \mathcal{B}} m > \|c\tilde{R} + \tilde{d}\|_\infty / (2d) \approx \|c\|_1$
Adapting the round-off to RNS arithmetic: What we obtain
- RNS reduction gives $|2cR' + d|_{2d} + 2d \times e$
- finally we compute $\dfrac{2cR' + d - |2cR' + d|_{2d} - 2d \times e}{2d} = \lfloor cR^{-1} \rceil - e$
- how to correct $e$?
Adapting the round-off to RNS arithmetic: Hybrid representation RNS-Mixed Radix System (previous work)
- burdensome RNS-to-MRS conversion (intrinsically sequential)
- large RNS base $\mathcal{B}'$: $M' > (n + 1) \times 2d \ge |2cR' + d|_{2d} + 2d\,e$
→ how to do better? (i.e. a pure RNS approach)
Adapting the round-off to RNS arithmetic: New strategy to correct the error vector $e \in \{0, \dots, n\}^\ell$
- do not focus on $|2cR' + d|_{2d} + 2d \times e$ but on the whole formula: $\dfrac{2cR' + d - |2cR' + d|_{2d} - 2d \times e}{2d} = \lfloor cR^{-1} \rceil - e$
- idea: $\gamma \in \mathbb{Z}$ such that $(\lfloor cR^{-1} \rceil - e) \bmod \gamma = (-e) \bmod \gamma \Rightarrow e$? ($\gamma$ enabling to extract the error)
- to recover $e$ from $(-e) \bmod \gamma$: easy, take $\gamma > n \ge \|e\|_\infty$
- to guarantee $\lfloor cR^{-1} \rceil = 0 \bmod \gamma$ whatever $c$ is... no reason for this to happen!
Adapting the round-off to RNS arithmetic: Keep going...
→ compute $\lfloor \gamma cR^{-1} \rceil = \dfrac{2\gamma cR' + d - |2\gamma cR' + d|_{2d}}{2d}$ and see what happens:
1. the incomplete reduction $|2\gamma cR' + d|_{2d} + 2d \times e$ gives $\lfloor \gamma cR^{-1} \rceil - e$
2. we can write $\lfloor \gamma cR^{-1} \rceil = \gamma \lfloor cR^{-1} \rceil + \lfloor \gamma pR^{-1} \rceil$, then we obtain: $\lfloor \gamma cR^{-1} \rceil - e = \gamma \lfloor cR^{-1} \rceil + \lfloor \gamma pR^{-1} \rceil - e$
New strategy: correcting the global error
- $(\lfloor \gamma cR^{-1} \rceil - e) \bmod \gamma \Rightarrow (\lfloor \gamma pR^{-1} \rceil - e) \bmod \gamma$
- $\gamma$ large enough gives: $(\lfloor \gamma pR^{-1} \rceil - e) \bmod \gamma \Rightarrow \lfloor \gamma pR^{-1} \rceil - e$
- recall: $\sigma \rho_R < 1/2 \Leftrightarrow \sigma \rho_R \le 1/2 - \epsilon$ for correct rounding → the size of $\gamma$ depends on $\epsilon$: $\gamma \approx n\,\epsilon^{-1}$ ($n = \mathrm{Card}(\mathcal{B})$)
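As an added worked example (not code from the slides or from the authors), the three ingredients above in plain integer Python: the exact-division form of Babai's round-off and the recovery of $p$ modulo $m_\sigma$ (slides 8 and 9), and the $\gamma$ strategy for the global error (slides 13 and 14), with the incomplete RNS reduction simulated by an explicit error vector $e \in \{0, \dots, n\}^\ell$. The GGH-style instance $R$, $m$, $p$ and the choices $n = 4$, $\gamma = 31 = 2^{5} - 1$ are constructed here and are assumptions, not values from the slides.

```python
from fractions import Fraction

def det_and_adjugate(R):
    """Exact Gauss-Jordan on [R | I] over Fractions: d = |det R| and R' = d*R^-1, both integral."""
    l = len(R)
    A = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(l)]
         for i, row in enumerate(R)]
    d = Fraction(1)
    for c in range(l):
        piv = next(r for r in range(c, l) if A[r][c] != 0)   # first non-zero pivot
        if piv != c:
            A[c], A[piv], d = A[piv], A[c], -d
        d *= A[c][c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(l):
            if r != c and A[r][c] != 0:
                A[r] = [a - A[r][c] * b for a, b in zip(A[r], A[c])]
    d = abs(int(d))                    # R^-1 = R'/d holds for either sign, so take d > 0
    return d, [[int(A[i][l + j] * d) for j in range(l)] for i in range(l)]

def vec_mat(v, M):                     # row vector times matrix
    return [sum(vi * row[j] for vi, row in zip(v, M)) for j in range(len(M[0]))]

def cmod(x, m):                        # centred remainder mod_c m, in (-m/2, m/2]
    r = x % m
    return r - m if r > m // 2 else r

def round_off(c, R):
    """Babai's ⌊cR^-1⌉ with integers only: (2cR' + d - |2cR' + d|_{2d}) / (2d)."""
    d, Rp = det_and_adjugate(R)
    return [(x - x % (2 * d)) // (2 * d) for x in (2 * y + d for y in vec_mat(c, Rp))]

def recover_p(c, R, m_sigma):
    """p = (c - ⌊cR^-1⌉R) mod_c m_sigma, needing only ⌊cR^-1⌉ mod m_sigma."""
    m_red = [x % m_sigma for x in round_off(c, R)]
    return [cmod(ci - vi, m_sigma) for ci, vi in zip(c, vec_mat(m_red, R))]

def round_off_gamma(c, R, gamma, e):
    """Reduction mod 2d is incomplete, |.|_{2d} + 2d*e (e simulates the RNS error, e_i in {0..n});
    on γc the centred remainder mod γ of ⌊γcR^-1⌉ - e is the global error ⌊γpR^-1⌉ - e."""
    d, Rp = det_and_adjugate(R)
    t = [2 * gamma * x + d for x in vec_mat(c, Rp)]
    noisy = [(x - (x % (2 * d) + 2 * d * ei)) // (2 * d) for x, ei in zip(t, e)]
    err = [cmod(x, gamma) for x in noisy]                   # = ⌊γpR^-1⌉ - e
    return [(x - g) // gamma for x, g in zip(noisy, err)]   # = ⌊cR^-1⌉

# Constructed instance (not from the slides): R = 20*I + E, |E_ij| <= 4, so ||pR^-1||_inf <= 3*(1/20)/(1-8/20) = 1/4 < 1/2
R = [[20, 3, -2, 1], [-1, 20, 4, -3], [2, -4, 20, 2], [-3, 1, -2, 20]]
M_VEC, P_VEC = [5, -7, 2, 11], [3, -2, 0, 1]   # lattice coordinates m and error p (||p||_inf <= 3)
C_VEC = [x + y for x, y in zip(vec_mat(M_VEC, R), P_VEC)]   # ciphertext-like vector c = mR + p
```

With $\|pR^{-1}\|_\infty \le 1/4$ we have $\epsilon \ge 1/4$, so $\gamma = 31 > (n + 1/2)/\epsilon = 18$ is large enough for any $e \in \{0, \dots, 4\}^4$.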
Adapting the round-off to RNS arithmetic: Final full RNS algorithm
Adapting the round-off to RNS arithmetic: Completely in RNS if $\gamma$ is a 1-modulus RNS base
→ in practice, the size of a modulus is determined by the hardware (e.g. 18 bits for some FPGA multipliers, 32/64 bits on CPU, etc.)
Examples of binary sizes of acceptable $\gamma$'s, for 200 bases $R \leftarrow 4\lceil\sqrt{\ell}\rceil I + \mathrm{rand}([-4, +4]^{\ell^2})$ with $\|p\|_\infty \le 3$ (GGH challenges), and moduli of $\mathcal{B}$ having binary size $\omega$ (each cell counts the bases, out of 200, for which the acceptable $\gamma$ has the given binary size):

   ℓ    ω  |  11   12   13   14   15   16   17   18   19   20
  200   18 |   0   12   46   44   46   32   10    6    2    2
  200   32 |   6   48   45   47   33   11    6    2    2    0
  300   18 |   0    0   29   51   68   28   13    4    7    0
  300   32 |   0   20   55   63   37   12    5    7    1    0
  400   18 |   0   15  141   33    7    3    0    1    0    0
  400   32 |   4  134   50    8    3    0    1    0    0    0
Conclusions about the new acceleration technique
vs RNS-MRS approach:
- $\gamma$ depends on the basis $R$; worst case: $\gamma \approx \det R$ ⇒ case RNS-MRS $\mathcal{B}'$ replaced by $\gamma$: -50% precomputations, -55/60% elementary modular multiplications (no more RNS-to-MRS conversion)
- fast RNS base conversion: straightforward parallelization and scaling → $\lfloor cR^{-1} \rceil \bmod m_\sigma$ in $\ell^2 + 2n\ell$ concurrent steps in RNS channels ($n = \mathrm{Card}(\mathcal{B}) \approx \log \|c\|_1$)
vs multi-precision arithmetic (theoretical analysis):
- precomputations (vs $R^{-1}$ with sufficient precision): $\approx +2\%$ ($\ell = 256$), $\approx +0.5\%$ ($\ell = 1024$) memory overhead
- number of word-based multiplications: RNS $\approx$ Karatsuba, Toom-Cook complexities
- straightforward concurrency + single-precision arithmetic
Towards an FPGA implementation? Why FPGA
- cheap, flexible, natural fit with the concurrency properties of RNS
- previously successfully used for RNS finite field arithmetic
Principle of RNS architecture on FPGA:
- "Rower" unit: computes $\sum_{i=1}^{k} a_i b_i \bmod m_j$ (core computation in fast RNS base conversion and in vector-matrix products)
Towards an FPGA implementation? Specific features
- 1 unit for $\gamma$: computation of the centered remainder mod $\gamma$ ($\gamma = 2^{\theta + 1} - 1$ ⇒ comparing to $\lfloor \gamma/2 \rfloor$ = checking the $\theta$-th bit)
- 1 unit for $m_\sigma$: $m_\sigma \ll$ other moduli
Results of analysis for $\ell \in \{64, 128\}$:
- analysis for the worst case: $\det R \in O(2^{\ell \log \ell})$ (Hadamard's bound)
- full RNS round-off CVP: $2\ell^2 + 2n\ell + 13\ell + 6$ cycles ⇒ e.g. $\approx 20\,\mu s$ for $\ell = 64$ on a 468 MHz Kintex-7
- memory bottleneck: for $\ell = 64$, $\approx 1.7$ Mbit (ok); for $\ell = 128$, $\approx 15.5$ Mbit (not enough BRAM)