saber on arm
play

Saber on ARM CCA-secure module lattice-based key encapsulation on - PowerPoint PPT Presentation

Nov 21, 2022 •297 likes •613 views

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

  1. Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede

  2. Saber: CCA secure post-quantum KEM* ● Module-LWR : Trade off between Standard and Ideal lattice ● , ● Inherent noise→ Less randomness ● Efficient ● Flexible : ● Increase/decrease matrix dimension to increase/decrease security ● Basic operations stay same→ High code reusability ● All moduli are power of two ○ Easy rounding ○ Easy modular reduction in HW/SW ○ Precludes use of NTT ● Combination of Toom-Cook, Karatsuba and Schoolbook. J.-P. D’Anvers, A. Karmakar, S. Sinha Roy, and F. Vercauteren. Saber: Module-lwr based key exchange, cpa-secure encryption and cca-secure kem. In A. Joux, A. Nitaj, and T. Rachidi, editors, Progress in Cryptology – AFRICACRYPT 2018, 1 https://eprint.iacr.org/2018/230.pdf

  3. Polynomial Multiplication

  4. Polynomial multiplication C=A X B Toom-Cook+Karatsuba+School-book ● A and B are polynomials of size 256. 256 256 . . . . . . . B . . . . . . . A . . . . Toom-Cook . . . . 1 7 Toom-Cook 7 1 4-way 4-way 2 ` 2 ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 64 64 64 2

  5. Polynomial multiplication C=A X B Toom-Cook+Karatsuba+School-book 256 256 . . . . . . . . . . . . . . B A 1 . . . . Toom-Cook . . . . Toom-Cook 7 1 4-way 7 4-way 2 2 ` ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . Karatsuba 1 64 . . . . . . 9 Karatsuba 1 64 . . . . . . 9 2-level 2-level . . . . . . . . . . . . . . . . 16 16 16 16 2

  6. Polynomial multiplication C=A X B Toom-Cook+Karatsuba+School-book 256 256 . . . . . . . . . . . . . . B A 1 . . . . Toom-Cook 1 . . . . Toom-Cook 7 4-way 7 4-way 2 ` 2 ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . Karatsuba 1 64 . . . . . . 9 Karatsuba 1 64 . . . . . . 9 2-level 2-level . . . . . . . . . . . . . . . . 16 16 X School-book X 2

  7. This work

  8. Goal • Saber is very efficient on high-end processors • We show that, Saber is also efficient on low end processors like Cortex-M0 and Cortex-M4 Cortex-M0: XMC2Go by Infineon Cortex-M4: STM32F4-discovery by STMicroelectronics - Reduced instruction set - Only 8 registers for data processing - DSP instructions instructions - 14 registers fully available - 16 KB of RAM - 192 KB of RAM 3

  9. This work • A high speed implementation on Cortex-M4 • Efficient use of DSP instructions on M4 • Fewer instructions to perform a School-Book multiplication • An `in-register` implementation of Toom-Cook multiplication • Fewer access to memory • A memory-efficient implementation on Cortex-M0 • A `Just-In-Time` approach to generate the elements of public matrix • Memory efficient in-place Karatsuba multiplication 4

  10. Schoolbook multiplication ● Each coefficient is 13 bits long → fits in half word of a register ● Multiplications between half words can be done by SMLA( B / T )( B / T ) instruction SMLA( B / T )( B / T )(r a , r b , r c , r d ) := r a ← r b 0/1 * r c 0/1 + r d • 16 32 5

  11. Schoolbook multiplication ● Each coefficient fits in half word of a register ● Multiplications between half words can be done by SMLA( B / T )( B / T ) instruction SMLA( B / T )( B / T )(r a , r b , r c , r d ) := r a ← r b 0/1 * r c 0/1 + r d • 16 32 16 instructions ! 5

  12. Schoolbook multiplication • DSP instruction SMLADX : Cross multiplies register half words SMLADX(r a , r b , r c , r d ) := r a ← r b 0 * r c 1 + r b 1 * r c 0 + r d • 16 32 5

  13. Schoolbook multiplication Replace r a → c 1 , r b → a, r c → b, r d → 0, • • SMLADX(c 1 , a, b, 0) := c 1 ← a 0 * b 1 + a 1 * b 0 16 SMLADX 32 Instruction count reduces 2 → 1 5

  14. Schoolbook multiplication Replace r a → c 1 , r b → a, r c → b, r d → 0, • • SMLADX(c 1 , a, b, 0) := c 1 ← a 0 * b 1 + a 1 * b 0 16 SMLADX 32 Similarly Total Instruction count 12 25% reduction 5

  15. Schoolbook multiplication • Pack non-adjacent coefficients in spare register using PKHBT • Apply SMLADX again 16 PKHBT 32 SMLADX Total Instruction count 11 ! 5

  16. Schoolbook multiplication • ≅ 37.5% reduction in instruction count for one Schoolbook multiplication • A basic unrolled 16 X 16 multiplication requires only 168 SMLA instructions • A single Schoolbook multiplication takes only 587 clock cycles 6

  17. Toom-Cook multiplication • During evaluation phase of Toom-Cook multiplication polynomial A (& B) is divided in 4 smaller polynomials A 3 -A 0 each with 64 coefficients • Further, we need to create weighted sums of these polynomials • In a simple method, for each aw i it needs to access all 64 coefficients of A 0 -A 3 i.e 256 memory accesses 7

  18. Normal method . . . . . . . . Registers a i A 0 0 a i 0 a 1 . . . . . . . . a i a i 1 2 A 1 . . . . . . . . aw 2 a i aw i 3 2 i +a i 1 +a i 2 +a i a 0 3 . . . . . . . . a i 2 . A 2 . . . . . . . a i . . . . . 3 A 3 . 7

  19. Memory access efficient method Registers . . . . . . . . a i A 0 0 . . . . . . . . aw 1 aw i a i 1 0 a i 1 . . . . . . . . a i a i 1 2 A 1 . . . . . . . . aw 2 aw i a i 2 3 . . . . . . . . . . . a i . . 2 A 2 . i +8a i 3a 0 1 . 4a i 2 +a i . 3 . . . . . . . . . a i . . . . . . . . . aw 5 3 aw i A 3 5 . ● Vertical coefficient scanning approach ● Use spare registers ● Perform more `in-register` operations to generate weighted coefficients 8

  20. Memory access efficient method Registers . . . . . . . . a i A 0 0 . . . . . . . . aw 1 aw i a i 1 0 a i 1 . . . . . . . . a i a i 1 2 A 1 . . . . . . . . aw 2 aw i a i 2 3 . . . . . . . . . . . a i . . 2 A 2 . i +8a i 3a 0 1 . 4a i 2 +a i . 3 . . . . . . . . . a i . . . . . . . . . aw 5 3 aw i A 3 5 . ● Number of memory accesses decrease from 5*256 to 256 only ● Memory requirement increases. 8

  21. Memory Optimization

  22. Generation of the Public matrix. • The public matrix , requires a huge memory to generate. 3744 bytes . . . . . . . . . . . Random seed SHAKE-128() a 00 a 01 a 02 a 10 a 11 a 12 a 20 a 21 a 22 9

  23. Generation of the Public matrix. • We use a `Just-in-Time` strategy to reuse a smaller space for each element polynomial. Random seed 280 bytes . . . . . . . . . . . S Keccak-squeeze() Keccak-absorb() a 00 a 01 a 02 a 10 a 11 a 12 a 20 a 21 a 22 10

  24. Generation of the Public matrix. • We use a `Just-in-Time` strategy to reuse a smaller space for each element polynomial. Random seed 280 bytes . . . . . . . . . . . S Keccak-squeeze() Keccak-absorb() a 00 a 01 a 02 a 10 a 11 a 12 a 20 a 21 a 22 10

  25. Generation of the Public matrix. • We use a `Just-in-Time` strategy to reuse a smaller space for each element polynomial. Random seed 280 bytes . . . . . . . . . . . S Keccak-squeeze() Keccak-absorb() a 00 a 01 a 02 a 10 a 11 a 12 a 20 a 21 a 22 10

  26. Generation of the Public matrix. • We use a `Just-in-Time` strategy to reuse a smaller space for each element polynomial. Random seed 280 bytes . . . . . . . . . . . S Keccak-squeeze() Keccak-absorb() a 00 a 01 a 02 a 10 a 11 a 12 a 20 a 21 a 22 • Requires some bookkeeping. Memory requirement is ≅ 1/9 th of the initial requirement • 10

  27. Results & Conclusion

  28. Comparison to other NIST-PQC candidates Cryptosystem Platform Key generation Encapsulation Decapsulation Multiplication • [Kcycles]/[bytes] [Kcycles]/[bytes] [Kcycles]/[bytes] [type] NewHope-CCA Cortex-M4 1,246 / 11,160 1,966 / 17,456 1,977 / 19,656 NTT * Kyber* Cortex-M4 1,200 / 10,304 1,497 / 13,464 1,526 / 14,624 NTT Saber-speed Cortex-M4 1,147 / 13,883 1,444 / 16,667 1,543 / 17,763 TC+Kara+SB Saber-memory Cortex-M4 1,165 / 6,931 1,530 / 7,019 1,635 / 8,115 TC+Kara+SB Saber-mem-M0 Cortex-M0 4,786 / 5,031 6,328 / 5,119 7,509 / 6,215 TC+Kara+SB *pqm4 post-quantum crypto library for the arm cortex-m4. https://github.com/ mupq/pqm4, 2018. [ accessed 15-April-2018] 11

  29. Conclusion • Module-Lattice based cryptography can be practical on resource constrained devices • Cortex-M0 → max memory ≅ 6.2 KB, run time < 250 ms Memory requirement 1/3 rd of the reference implementation • • Cortex-M4 → max memory ≅ 17 KB, run time < 9 ms • Run time 5-8 times less than the reference • The optimizations can be applied on top of each other. • Choice of parameters is very crucial • For small dimensions, asymptotically slower Toom-Cook, Karatsuba multiplication can be very competitive • Irregular memory access of NTT • Utilization of special instructions 12

  30. Thank you !

Recommend

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber Interactive at a glance GLOBAL BUSINESS TRACK RECORD OF OWN/LICENSED IPs US-based game developer Founded by Matthew Karch (CEO) and Andrey Iones

314 views • 18 slides
Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Overview of the SABER Mission and Launch Vehicle Design S uborbital 4/5/2018 A tmospheric B alloon E levated R ocket SABER: INSERT Presentation Name SABER: Suborbital Atmospheric Balloon Elevated Rocket 4/5/2018 Mission Introduction Launch

495 views • 26 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
Saber Platform Presentation Agenda Overview portal Explanation &amp; Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation &amp; Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation &amp; Requirements Support portal Review Open Discussion Overview Introduction Saber is an integrated e-service that allows traders to register their enterprise and the

408 views • 23 slides
SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. S. Roy F. Vercauteren KU

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. S. Roy F. Vercauteren KU

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. S. Roy F. Vercauteren KU Leuven August 22, 2019 0 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 1 SABER 1 Outline 1 Introduction 2 Round 2

969 views • 40 slides
Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe de logique Universit e de Chamb ery 73376 Le Bourget du Lac e-mail: { knour, ksabe } @univ-savoie.fr 1 Plan 1. The -calculus

464 views • 14 slides
Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview - Top down, 2.5D strategy game mixed with third person action combat. - Select 4 units from the roster and move them strategically to get the

255 views • 14 slides
Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

The 8th Hatyai National and International Conference Thursday, June 2 2, 202 7 at Hatyai University Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi 2* , Ali Zahabi 3 , Etienne Vorster 4 1 Faculty of

462 views • 10 slides
Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are

Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are

Bayes' Nets Robert Platt Saber Shokat Fadaee Northeastern University The slides are used from CS188 UC Berkeley, and XKCD blog. CS 188: Artificial Intelligence Bayes Nets Instructors: Dan Klein and Pieter Abbeel --- University of

531 views • 34 slides
SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD,

SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD,

SOLID WASTE DISPOSAL PROCESSES FOR ISOLATED PATIENTS WITH INFECTIOUS DISEASE Deborah Saber, PhD, RN, CCRN-K Broad Brush Background Solid waste is defined as unwanted solid material at the time of generation and it is one of the most

522 views • 18 slides
Test Beam Capabilities at SLAC Carsten Hast Stanford Linear Accelerator Center SABER, a new

Test Beam Capabilities at SLAC Carsten Hast Stanford Linear Accelerator Center SABER, a new

Test Beam Capabilities at SLAC Carsten Hast Stanford Linear Accelerator Center SABER, a new facility in the South Arc (South Arc Beam Experimental Region) End Station A (ESA) Test Beams beyond 2008 in the LCLS Area FermiLab Test

250 views • 21 slides
Th The e Ch ChEMU ev evaluation campaign: Na Named d entity y recogni gnition n and nd

Th The e Ch ChEMU ev evaluation campaign: Na Named d entity y recogni gnition n and nd

Th The e Ch ChEMU ev evaluation campaign: Na Named d entity y recogni gnition n and nd event ex extraction of chemical reactions from patents Karin Verspoor, Tim Baldwin, Trevor Cohn, Saber Akhondi, Dat Quoc Nguyen, Christian

176 views • 5 slides
St Strategie ies from Bio iolo logy to Tr Transform Undergraduate ST STEM Teachin ing and

St Strategie ies from Bio iolo logy to Tr Transform Undergraduate ST STEM Teachin ing and

St Strategie ies from Bio iolo logy to Tr Transform Undergraduate ST STEM Teachin ing and Le Learning Krystle Cobian, Sylvia Hurtado, Kevin Eagan, Liz Roth-Johnson University of California, Los Angeles SABER West January 2018 HIGHER

437 views • 33 slides
Algorithms for Auto-tuning OpenACC Accelerated Kernels Fatemah

Algorithms for Auto-tuning OpenACC Accelerated Kernels Fatemah

Outline Algorithms for Auto-tuning OpenACC Accelerated Kernels Fatemah Al-Zayer 1 , Ameerah Al-Mu2ry 1 , Mona Al-Shahrani 1, Saber Feki 2 , and David Keyes 1

306 views • 27 slides
www.oneproject.eu 1 INTERREG IVC ONE is a project funded under INTERREG IV C Programme INTERREG

www.oneproject.eu 1 INTERREG IVC ONE is a project funded under INTERREG IV C Programme INTERREG

ONE Project introduction SABER 27 June 2013 workshop Dsire Bua CSI Piemonte desiree.bua@csi.it www.oneproject.eu 1 INTERREG IVC ONE is a project funded under INTERREG IV C Programme INTERREG IV C promotes interregional cooperation

166 views • 12 slides
An Unusual Presentation of Leptospirosis in an urban setting as an overlooked cause of multiorgan

An Unusual Presentation of Leptospirosis in an urban setting as an overlooked cause of multiorgan

Bangladesh Crit Care J March 2019; 7 (1): 51-54 Case Report An Unusual Presentation of Leptospirosis in an urban setting as an overlooked cause of multiorgan failure Md. Tarek Alam 1* , Sadia Saber 2 , Rafa Faaria Alam 3 , Mohammad Monower

516 views • 4 slides
Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation &amp;

Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation &amp;

Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation &amp; Protection in NY: Linking Science &amp; Policy Sept. 25, 2005 Diane Saber, Ph.D. Gas Technology Institute Des Plaines, IL Technology Development vs.

159 views • 13 slides
Alexandros Koliousis a.koliousis@imperial.ac.uk Joint work with Matthias Weidlich, Raul Castro

Alexandros Koliousis a.koliousis@imperial.ac.uk Joint work with Matthias Weidlich, Raul Castro

Window-Based Hybrid Stream Processing for Heterogeneous Architectures github.com/lsds/saber Alexandros Koliousis a.koliousis@imperial.ac.uk Joint work with Matthias Weidlich, Raul Castro Fernandez, Alexander L. Wolf, Paolo Costa &amp; Peter

280 views • 17 slides
CSEE 4840 Embedded systems Design Anusha Dachepally (ad2657) Raghu Binnamangalam (rsb2145)

CSEE 4840 Embedded systems Design Anusha Dachepally (ad2657) Raghu Binnamangalam (rsb2145)

CSEE 4840 Embedded systems Design Anusha Dachepally (ad2657) Raghu Binnamangalam (rsb2145) Devesh Dedhia (ddd2121) Roopa Kakarlapudi (rk2489) Overview Motivation Goals Real Time Video Display Color detection Light saber

411 views • 21 slides
Team iGEM Paris-Saclay GEMOTE Project (Gene Expression Modulated by Temperature) Students :

Team iGEM Paris-Saclay GEMOTE Project (Gene Expression Modulated by Temperature) Students :

Team iGEM Paris-Saclay GEMOTE Project (Gene Expression Modulated by Temperature) Students : Audrey, Benjamin, Jrmie, Julien, Lucille, Pierre, Saber, Thibault, Yohann Advisors : Solenne, Nguyen Instructors : Jean-Luc, Philippe, Sylvie Outline

381 views • 36 slides
Infrared Radiation in the Thermosphere from 2002 1947 to 2019 Linda Hunt, SSAI, Hampton, VA

Infrared Radiation in the Thermosphere from 2002 1947 to 2019 Linda Hunt, SSAI, Hampton, VA

Infrared Radiation in the Thermosphere from 2002 1947 to 2019 Linda Hunt, SSAI, Hampton, VA Marty Mlynczak, NASA Langley, Hampton, VA James M. Russell, Hampton Univ., Hampton, VA B. Thomas Marshall, GATS, Inc., Newport News, VA The SABER

911 views • 54 slides
Final exam effects Textures I Final exam effects Final exam effects Lighting Grads

Final exam effects Textures I Final exam effects Final exam effects Lighting Grads

Final exam effects Textures I Final exam effects Final exam effects Lighting Grads Light saber Research and implementation plan Stage lighting Textures Teams Coffee froth Implementation Donuts Coke Can

224 views • 10 slides

More recommend