saber module lwr based kem
play

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. - PowerPoint PPT Presentation

Jun 02, 2023 •552 likes •969 views

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. S. Roy F. Vercauteren KU Leuven August 22, 2019 0 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 1 SABER 1 Outline 1 Introduction 2 Round 2

  1. SABER: Module-LWR based KEM Round 2 J. P. D’Anvers A. Karmakar S. S. Roy F. Vercauteren KU Leuven August 22, 2019

  2. 0 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 1 SABER

  3. 1 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 2 SABER

  4. 1 General LWE based scheme Alice Bob A ← U ( Z l × l A A ) q s e ← small ( Z l × 1 e s,e s ) q b A e ′′ ← small ( Z 1 × l b b,A A b A s e s e e b b = A A · s s + e e s s ′ ,e e ′ ,e ) q ✲ b ′ T = A A T · s s ′ + e b b A s e ′ e b ′ · s v ′ T = b b T · s s ′ + e e ′′ + q b b b ′ , v ′ v = b b s s b s e 2 m ✛ m ′ = ⌊ 2 q ( v ′ − v ) ⌉ 3 SABER

  5. 1 SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication 4 SABER

  6. 1 SABER Alice Bob A ← U ( R l × l A A ) q s e ← small ( R l × 1 e s s,e ) q b A e ′′ ← small ( R 1 × l b b,A A b A s e s e e b b = A A · s s + e e s s ′ ,e e ′ ,e ) q ✲ b ′ T = A A T · s s ′ + e b b A s e ′ e b ′ · s v ′ T = b b T · s s ′ + e e ′′ + q b b b ′ , v ′ v = b b s s b s e 2 m ✛ m ′ = ⌊ 2 q ( v ′ − v ) ⌉ 5 SABER

  7. 1 Module-LWR: SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication ◮ Learning with Rounding e e e ⊕ No generation of e e,e e ′ ,e e ′′ ⊕ Efficient bandwidth usage 6 SABER

  8. 1 SABER Alice Bob A ← U ( R l × l A A ) q s s ← small ( R l × 1 s ) q b A s ′ ← small ( R 1 × l b b,A A b = ⌊ p b A s s b q A A · s s ⌉ s ) q ✲ b ′ T = ⌊ p A T · s b A s b q A s ′ ⌉ b ′ · s v ′ T = ⌊ T b T · s s ′ + T b b b ′ , v ′ v = b b s s p b b s 2 m ⌉ ✛ m ′ = ⌊ 2 q ( v ′ − p T v ) ⌉ 7 SABER

  9. 1 Module-LWR: SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication ◮ Learning with Rounding e e e ⊕ no generation of e e,e e ′ ,e e ′′ ⊕ efficient bandwidth usage ◮ power-of-two ⊕ easy sampling ⊕ no modular arithmetic ⊕ easy rounding = add constant and chop ⊖ no NTT for fast multiplication ⊕ Toom-Cook ⊕ easier masking 8 SABER

  10. 1 SABER Alice Bob A ← U ( R l × l ) A A q s ← small ( R l × 1 s s ) q s ′ ← small ( R 1 × l b b b,A A A h ) ≫ log 2 ( q b b = ( A A A · s s + h s h p ) s ) b s q ✲ b ′ T = ( A A T · s s ′ + h h ) ≫ log 2 ( q b A s h p ) b b ′ · s b ′ , v ′ v ′ T = ( b b T · s s ′ + h 1 + p b b 2 m ) ≫ log 2 ( p v = b b s s b s T ) m ′ = ⌊ 2 p ( v ′ − p ✛ T v ) ⌉ 9 SABER

  11. 1 SABER ◮ binomial secret distribution ⊕ easy sampling 10 SABER

  12. 1 SABER ◮ binomial secret distribution ⊕ easy sampling ◮ No error correcting code ⊕ simpler implementation ⊕ easier masking 10 SABER

  13. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) 11 SABER

  14. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) ◮ IND-CCA secure KEM version using FO-transformation 11 SABER

  15. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) ◮ IND-CCA secure KEM version using FO-transformation ◮ Public Key: 992 Bytes ◮ Ciphertext: 1088 Bytes ◮ Failure probability: 2 − 136 ◮ Security: 185 bits 11 SABER

  16. 1 SABER Sec Cat fail prob Classical Quantum pk (B) sk (B) ciphertext (B) LightSaber-KEM: k = 2 , n = 256 , q = 2 13 , p = 2 10 , T = 2 3 , µ = 10 2 − 120 1 126 115 672 1568 736 Saber-KEM: k = 3 , n = 256 , q = 2 13 , p = 2 10 , T = 2 4 , µ = 8 2 − 136 3 199 181 992 2304 1088 FireSaber-KEM: k = 4 , n = 256 , q = 2 13 , p = 2 10 , T = 2 6 , µ = 6 2 − 165 5 270 246 1312 3040 1472 Table: Security and correctness of Saber.KEM. 12 SABER

  17. 2 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 13 SABER

  18. 2 Changes for Round 2 ◮ Generation of matrix A A A 14 SABER

  19. 2 Changes for Round 2 ◮ Generation of matrix A A A A T • multiplication with A A A and A A • just-in-time possible for A A A • speed-up preferred in encryption 14 SABER

  20. 2 Serial vs parallel generation of A ◮ software • Keccak-Absorb() is more expensive than Keccak-Extract() • Hence, serial SHAKE is faster on non-vectorized microcontrollers • But, slower on Intel AVX 15 SABER

  21. 2 Serial vs parallel generation of A ◮ software • Keccak-Absorb() is more expensive than Keccak-Extract() • Hence, serial SHAKE is faster on non-vectorized microcontrollers • But, slower on Intel AVX ◮ hardware • Keccak core consumes 33% of overall area [BPC19] (including memory) • Keccak-Extract produces RND every 28 cycles • Polynomial multiplier consumes RND much slower than Keccak can produce • Serial Keccak makes implementation simpler 15 SABER

  22. 2 Changes for Round 2 ◮ Generation of matrix A A A 16 SABER

  23. 2 Changes for Round 2 ◮ Generation of matrix A A A ◮ Rounding = add constant + chopping ◮ one of the constants changed for security proof 16 SABER

  24. 2 Changes for Round 2 ◮ Generation of matrix A A A ◮ Rounding = add constant + chopping ◮ one of the constants changed for security proof ◮ (Debated) smaller secret variance ◮ e.g. trinary binomial distribution ◮ would reduce public key and ciphertext size with ± 10% ◮ too aggressive 16 SABER

  25. 3 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 17 SABER

  26. 3 Software Implementations ◮ Haswell AVX2 (KU Leuven, Belgium [DKRV18]) • IND-CCA encapsulation/decapsulation 122K, 120K cycles 18 SABER

  27. 3 Software Implementations ◮ Haswell AVX2 (KU Leuven, Belgium [DKRV18]) • IND-CCA encapsulation/decapsulation 122K, 120K cycles ◮ ARM Cortex-M (KU Leuven, Belgium [KMRV18]) • Cortex-M4 (Speed) - encapsulation/decapsulation 1444 / 1543 K cycles • Cortex-M4 (Speed / Memory) - encapsulation/decapsulation 1530 / 1635 K cycles - encapsulation/decapsulation 7019 / 8115 bytes memory • Cortex-M0 (Memory) - encapsulation/decapsulation 6328 / 7509 K cycles - encapsulation/decapsulation 5119 / 6215 bytes memory 18 SABER

  28. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles 19 SABER

  29. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles ◮ Lightweight HW/SW codesign (KU Leuven, Belgium) • Encapsulation/decapsulation require ≈ 4 . 2 ms 19 SABER

  30. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles ◮ Lightweight HW/SW codesign (KU Leuven, Belgium) • Encapsulation/decapsulation require ≈ 4 . 2 ms ◮ High-speed HW/SW codesign (George Mason University, USA / Military University of Technology, Poland [HOKG18]) • Encapsulation/decapsulation require ≈ 0 . 069 ms 19 SABER

  31. 3 Hardware Implementations II ◮ ASIC implementation (Tsinghua University, China) • Still in development • Polynomial multiplication • Area: 220626 um 2 (307193GE) • Max Freq: 400 MHz • Power: 4 . 34 mW 20 SABER

  32. 3 Masking ◮ First order masking can be achieved by arithmetic masking in polynomial multiplication and Boolean masking for decoding. ◮ Saber uses power-of-two modulus ◮ Thus masking methods can be combined by Debraize’s arithmetic to boolean conversion [Deb12] ◮ Time with masking roughly doubles. 21 SABER

  33. 4 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 22 SABER

  34. 4 Conclusion SABER is: ◮ Flexible 23 SABER

  35. 4 Conclusion SABER is: ◮ Flexible ◮ Simple 23 SABER

  36. 4 Conclusion SABER is: ◮ Flexible ◮ Simple ◮ Efficient 23 SABER

  37. 4 Conclusion SABER is: ◮ Flexible ◮ Simple ◮ Efficient ◮ More work in the pipeline 23 SABER

Recommend

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber Interactive at a glance GLOBAL BUSINESS TRACK RECORD OF OWN/LICENSED IPs US-based game developer Founded by Matthew Karch (CEO) and Andrey Iones

314 views • 18 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Overview of the SABER Mission and Launch Vehicle Design S uborbital 4/5/2018 A tmospheric B alloon E levated R ocket SABER: INSERT Presentation Name SABER: Suborbital Atmospheric Balloon Elevated Rocket 4/5/2018 Mission Introduction Launch

495 views • 26 slides
Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support portal Review Open Discussion Overview Introduction Saber is an integrated e-service that allows traders to register their enterprise and the

408 views • 23 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D.

IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D.

IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D. S. Loubach, E. G. O. Nbrega, I. Sander, I. S derquist 1 ABSTRACT The present work proposes an IMA module design approach based on partial

344 views • 12 slides
WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3 Status Boards Position Log Request for Assistance Mission/Task Significant Events Module 4 Forms Module 5 Links Module 6

847 views • 72 slides
Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio informatics .ca Module 7 Data Visualization Anamaria Crisan Learning Objectives of Module Understand the process of encoding and decoding

1.31k views • 79 slides
Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 2 was an overview about leadership. But, how do we or did we gain an opportunity to lead? Module 3 gives us insight into transitioning from an employee into a supervisor and/or manager. 0 Module 3 Supervisory Transition Module 3:

1.03k views • 18 slides
Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

As you learned to take your leadership vision and create a progressive strategy in Module 11, it should be apparent that our stakeholders are a priority. Module 12 identifies how to effectively communicate with our stakeholders. 0 Module 12

473 views • 15 slides
Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 - Identifying the Building Blocks Module 4 - Reviewing a portfolio This Module Active vs Passive investing Off the shelf solutions Trackers and ETFs and

648 views • 32 slides
Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe de logique Universit e de Chamb ery 73376 Le Bourget du Lac e-mail: { knour, ksabe } @univ-savoie.fr 1 Plan 1. The -calculus

464 views • 14 slides
Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview - Top down, 2.5D strategy game mixed with third person action combat. - Select 4 units from the roster and move them strategically to get the

255 views • 14 slides
Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

The 8th Hatyai National and International Conference Thursday, June 2 2, 202 7 at Hatyai University Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi 2* , Ali Zahabi 3 , Etienne Vorster 4 1 Faculty of

462 views • 10 slides
1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

Welcome to our e-module series on How to Work with USAID. This e- module is the first part on Registering for Federal Award Systems and focuses on DUNS registration. This e-module is geared towards non- governmental organizations

498 views • 22 slides
6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ Level (only if an NFQ level can be 7 demonstrated) Module number/Reference BAAMT206 Parent Programme BA (Hons) in Audio and Music Technology Stage

340 views • 6 slides
Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE

Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE

Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE 2 MODULE 3 LAWS MODULE 4 UTILIZING MODULE 5 BLUE MODULE 6 FUNDING EMERGENCY COURTHOUSE AND AUTHORITIES THE UNIFIED

654 views • 40 slides
Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are

Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are

Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are used from CS188 UC Berkeley, and XKCD blog. CS 188: Artificial Intelligence Bayes Nets Instructors: Dan Klein and Pieter Abbeel --- University of

531 views • 34 slides
SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD,

SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD,

SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD, RN, CCRN-K Broad Brush Background Solid waste is defined as unwanted solid material at the time of generation and it is one of the most

522 views • 18 slides
FUNCTIONAL ASSESSMENT FOR EARLY INTERVENTION Module 4 1 INTRODUCTIONS Who am I? Who

FUNCTIONAL ASSESSMENT FOR EARLY INTERVENTION Module 4 1 INTRODUCTIONS Who am I? Who

FUNCTIONAL ASSESSMENT FOR EARLY INTERVENTION Module 4 1 INTRODUCTIONS Who am I? Who are you? Expectations Syllabus Change- Module 4 quiz due 2/10/13 2 CLASS FORMAT Best Practices in Instruction Data Based Decision

541 views • 30 slides
os Module Today File I/O from last time Behind the scenes, this module loads a module

os Module Today File I/O from last time Behind the scenes, this module loads a module

os Module Today File I/O from last time Behind the scenes, this module loads a module for your particular operating system Slides 38-48 The os and sys modules Regardless of your actual OS, Python imports os The exec()

346 views • 11 slides
the eProcurement module 1 Creating a PSA over $20,000 2 Certain Fields Default based on User

the eProcurement module 1 Creating a PSA over $20,000 2 Certain Fields Default based on User

PSA/POS Pre-Authorization in the eProcurement module 1 Creating a PSA over $20,000 2 Certain Fields Default based on User Profile 3 Use the Requisition Name to find Req when searching after it is saved 4 85000000 = Health Care Services

1.03k views • 55 slides
Evil Module 1 Module 3 OS OS Module 2 Module 4 Safe? Safe? Yes! Yes! 5 6 1 5/23/10

Evil Module 1 Module 3 OS OS Module 2 Module 4 Safe? Safe? Yes! Yes! 5 6 1 5/23/10

5/23/10 A Travel Story Bryan Parno, Jonathan McCune, Adrian Perrig Carnegie Mellon University 1 2 Does program P compute F? Trust is CriAcal Is F what the programmer intended? Will I regret having done this? X Other Y Other F X Alice Y

429 views • 5 slides

More recommend