A MASKED RING-LWE IMPLEMENTATION Oscar Reparaz, Sujoy Sinha Roy, - - PowerPoint PPT Presentation

▶

Aug 27, 2023 100 likes •481 views

A MASKED RING-LWE IMPLEMENTATION Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid Verbauwhede COSIC/KU Leuven CHES 2015, Saint-Malo, FR 1 un protected ring-LWE decryption r2 m=th[INTT(c 1 *r 2 + c 2 )] 2 un protected ring-LWE

SLIDE 1

Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid Verbauwhede COSIC/KU Leuven CHES 2015, Saint-Malo, FR

A MASKED RING-LWE IMPLEMENTATION

1

SLIDE 2

unprotected ring-LWE decryption

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 3

unprotected ring-LWE decryption

r2 c1 c2

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 4

unprotected ring-LWE decryption

x x x x x x x x x x r2 c1 c2

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 5

unprotected ring-LWE decryption

x x x x x x x x x x + + + + + + + + + + r2 c1 c2

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 6

unprotected ring-LWE decryption

INTT x x x x x x x x x x + + + + + + + + + + r2 c1 c2

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 7

unprotected ring-LWE decryption

INTT x x x x x x x x x x + + + + + + + + + + th th th th th th th th th th r2 c1 c2 m

m=th[INTT(c1*r 2+ c 2)]

2

SLIDE 8

th operation

3

SLIDE 9

masking ring-LWE

Core idea: split the secret: r=r’+r’’

m=th[INTT(c1*r 2+ c 2)]

4

SLIDE 10

masking ring-LWE

Core idea: split the secret: r=r’+r’’

m=th[INTT(c1*r 2+ c 2)]

4

2 2 1

SLIDE 11

n the masked decoder

6

2 2 1

SLIDE 12

n the masked decoder

2 2 1

6

SLIDE 13

7

SLIDE 14

7

SLIDE 15

7

SLIDE 16

7

SLIDE 17

what happened?

could decode th(a) from quad(a’) and

quad(a’’)

– quad() return only 2 bits, so it will be easy to perform masked computation.

Idea: decode th(a) only from quad(a’) and

quad(a’’)

– large compression

8

SLIDE 18

decoding rules

There are 7 other more cases (“rules”)
There are 8 cases that don’t allow inferring

th(a)!

9

SLIDE 19

Cases where it fails

10

SLIDE 20

solution: refresh

Refresh the sharing:

a’ := a’ + D a’’ := a’’ – D And try again

Do not draw D from random, compute nice ones.

11

SLIDE 21

12

SLIDE 22

implementation costs

unprotected (CHES2014*)

1713 LUTs / 830 FFs / 1 DSP
Fmax = 120 MHz

protected (this work)

2014 LUTs / 959 FFs / 1 DSP
100 MHz

Parameter set: (n,q,s)=(256,7681,11.32) Xilinx Virtex-II xc2vp7 FPGA

* Synthetized on Virtex-II

13

SLIDE 23

implementation costs

unprotected (CHES2014*)

1713 LUTs / 830 FFs / 1 DSP
Fmax = 120 MHz
2.8 k cycles (23.5 us)

protected (this work)

2014 LUTs / 959 FFs / 1 DSP
100 MHz
7.5 k cycles (75.2 us)

Parameter set: (n,q,s)=(256,7681,11.32) Xilinx Virtex-II xc2vp7 FPGA

* Synthetized on Virtex-II

13

SLIDE 24

implementation costs

unprotected (CHES2014*)

1713 LUTs / 830 FFs / 1 DSP
Fmax = 120 MHz
2.8 k cycles (23.5 us)

protected (this work)

2014 LUTs / 959 FFs / 1 DSP
100 MHz
7.5 k cycles (75.2 us)

Parameter set: (n,q,s)=(256,7681,11.32) Xilinx Virtex-II xc2vp7 FPGA ECC: Rebeiro et.al. (CHES2012): 289 kcycles * LUT This work: 151 k cycles*LUTs

* Synthetized on Virtex-II

13

SLIDE 25

error rates

14

SLIDE 26

error rates

14

SLIDE 27

15

SLIDE 28

16

SLIDE 29

evaluation

17

SLIDE 30

PRNG off

18

SLIDE 31

PRNG on

19

SLIDE 32

second order

20

SLIDE 33

second order

21

SLIDE 34

Conclusion

Fully masked ring-LWE decryption

– outputs Boolean shares

Manageable overhead: x2.6 cycles wrt

unprotected

Small!
Bespoke decoder

– Error rate controlled

Practical evaluation

22

SLIDE 35

23

SLIDE 36

Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid Verbauwhede COSIC/KU Leuven CHES 2015, Saint-Malo, FR