compact and simple rlwe based key encapsulation mechanism
play

Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkm - PowerPoint PPT Presentation

Jan 10, 2024 •23 likes •413 views

Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkm 1 Yusuf Alper Bilgin 2,3 Murat Cenk 3 1 Department of Computer Engineering, Ondokuz Mays University, Turkey 2 Aselsan Inc., Turkey 3 Institude of Applied Mathematics, Middle

  1. Compact and Simple RLWE Based Key Encapsulation Mechanism Erdem Alkım 1 Yusuf Alper Bilgin 2,3 Murat Cenk 3 1 Department of Computer Engineering, Ondokuz Mayıs University, Turkey 2 Aselsan Inc., Turkey 3 Institude of Applied Mathematics, Middle East Technical University, Turkey � y.alperbilgin@gmail.com October 3, 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 1 / 20

  2. Overview Introduction 1 Implementation Details 2 Results 3 Future Works 4 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 2 / 20

  3. NIST PQC Standardization Project Moody, PQC Workshop, 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 3 / 20

  4. RLWE based KEM - Newhope Alkim et al., ePrint 2016/1157 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 4 / 20

  5. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  6. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  7. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance • Memory efficient Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  8. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: • High performance • Memory efficient • Randoms directly sampled in NTT domain Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  9. Multiplication Algorithms Fast multiplication algorithms: NTT, Karatsuba and Tom-Cook Advantages of NTT: Disadvantages: • High performance • Limited parametrization • Memory efficient • Randoms directly sampled in NTT domain Yusuf Alper Bilgin NewHope-Compact October 3, 2019 5 / 20

  10. NewHope-Compact • A smaller and faster instantiation of NewHope Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  11. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  12. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  13. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) • Hybrid polynomial multiplication (NTT + Karatsuba) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  14. NewHope-Compact • A smaller and faster instantiation of NewHope • Utilizing recent advances on NTT • Reduce parameter q (12289 → 3329) • Hybrid polynomial multiplication (NTT + Karatsuba) • Achieving a security level equivalent to Kyber768 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 6 / 20

  15. Number Theoretic Transform a ∈ Z q [ X ] / ( X n + 1) n − 1 n − 1 � a i X i , where ˆ � a j ω ij NTT( a ) = ˆ a = ˆ a i = mod q i =0 j =0 n − 1 n − 1 NTT − 1 (ˆ � a i X i , where a i = n − 1 � a j ω − ij � � a ) = a = ˆ mod q i =0 j =0 where ω n = 1 mod q Yusuf Alper Bilgin NewHope-Compact October 3, 2019 7 / 20

  16. Number Theoretic Transform a ∈ Z q [ X ] / ( X n + 1) n − 1 n − 1 � a i X i , where ˆ � a j ω ij NTT( a ) = ˆ a = ˆ a i = mod q i =0 j =0 n − 1 n − 1 NTT − 1 (ˆ � a i X i , where a i = n − 1 � a j ω − ij � � a ) = a = ˆ mod q i =0 j =0 where ω n = 1 mod q Polynomial Multiplication c = NTT − 1 (NTT ( a ) ◦ NTT ( b )) where a , b , c ∈ R q Yusuf Alper Bilgin NewHope-Compact October 3, 2019 7 / 20

  17. Butterflies x (0) ˆ x (0) x (0) x (0) ˆ γ i γ i -1 -1 x (1) × ˆ x (1) x (1) × x (1) ˆ Figure: Cooley-Tukey Butterfly Figure: Gentleman-Sande Butterfly Yusuf Alper Bilgin NewHope-Compact October 3, 2019 8 / 20

  18. CRT Map of NewHope512 Let γ 512 = − 1 mod 12289. Z 12289 / ( x 512 + 1) ∼ = Z 12289 / ( x − γ ) × · · · × Z 12289 / ( x − γ 511 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  19. CRT Map of NewHope512 Let γ 512 = − 1 mod 12289. Z 12289 / ( x 512 + 1) ∼ = Z 12289 / ( x − γ ) × · · · × Z 12289 / ( x − γ 511 ) Z 12289 / ( x 512 + 1) = Z q / ( x 512 − γ 512 ) Z 12289 / ( x 256 − γ 256 ) Z 12289 / ( x 256 + γ 256 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  20. CRT Map of NewHope512 Z 12289 / ( x 512 − γ 512 ) x 256 − γ 256 x 256 + γ 256 = x 256 − γ 768 x 128 − γ 128 x 128 + γ 128 x 128 − γ 768 x 128 + γ 768 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  21. CRT Map of NewHope512 Z 12289 / ( x 512 − γ 512 ) x 256 − γ 256 x 256 + γ 256 x 128 − γ 128 x 128 + γ 128 x 128 − γ 768 x 128 + γ 768 . . . . . . . . . . . . x 2 − γ 2 x 2 + γ 510 · · · x − γ x + γ · · · x − γ 511 x + γ 511 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 9 / 20

  22. CRT Map of NewHope-Compact512 Let γ 128 = − 1 mod 3329. Z 3329 / ( x 512 + 1) ∼ = Z 3329 / ( x 4 − γ ) × · · · × Z 3329 / ( x 4 − γ 127 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  23. CRT Map of NewHope-Compact512 Let γ 128 = − 1 mod 3329. Z 3329 / ( x 512 + 1) ∼ = Z 3329 / ( x 4 − γ ) × · · · × Z 3329 / ( x 4 − γ 127 ) Z 3329 / ( x 512 + 1) = Z 3329 / ( x 512 − γ 128 ) Z 3329 / ( x 256 − γ 64 ) Z 3329 / ( x 256 + γ 64 ) Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  24. CRT Map of NewHope-Compact512 Z 3329 / ( x 512 − γ 128 ) x 256 − γ 64 x 256 + γ 64 = x 256 − γ 192 x 128 − γ 32 x 128 + γ 32 x 128 − γ 96 x 128 + γ 96 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  25. CRT Map of NewHope-Compact512 Z 3329 / ( x 512 − γ 128 ) x 256 − γ 64 x 256 + γ 64 x 128 − γ 32 x 128 + γ 32 x 128 − γ 96 x 128 + γ 96 . . . . . . . . . . . . x 8 − γ 2 x 8 + γ 126 · · · x 4 − γ x 4 + γ x 4 − γ 127 x 4 + γ 127 · · · Yusuf Alper Bilgin NewHope-Compact October 3, 2019 10 / 20

  26. CRT Map of NewHope-Compact1024 Z 3329 / ( x 1024 − γ 128 ) x 512 − γ 64 x 512 + γ 64 x 256 − γ 32 x 256 + γ 32 x 256 − γ 96 x 256 + γ 96 . . . . . . . . . . . . x 16 − γ 2 x 16 + γ 126 · · · x 8 − γ x 8 + γ x 8 − γ 127 x 8 + γ 127 · · · Yusuf Alper Bilgin NewHope-Compact October 3, 2019 11 / 20

  27. Karatsuba Multiplication with Reduction Let a , b and c ∈ Z q / ( X 4 − r ) where r = γ i . 1: function basemul( a , b ) d ← Apply One-Iteration Karatsuba 1 to get d = a · b where d is a 2: degree 6 polynomial c [0] ← d [0] + d [4] · r ⊲ + and · for modular reduction 3: c [1] ← d [1] + d [5] · r 4: c [2] ← d [2] + d [6] · r 5: c [3] ← d [3] 6: return c 7: 8: end function 1 Weimerskirch and Paar, ePrint 2006/224 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 12 / 20

  28. Computation Costs of Polynomial Multiplications Z 3329 / ( x 512 + 1) ❛❛❛❛❛❛❛❛❛❛❛❛ Operations # of Multiplications # of Additions Multiplication Methods Hybrid NTT-Schoolbook 7808 12288 Multiplication Hybrid NTT-Karatsuba 7040 14592 Multiplication Yusuf Alper Bilgin NewHope-Compact October 3, 2019 13 / 20

  29. Computation Costs of Polynomial Multiplications Z 3329 / ( x 512 + 1) ❛❛❛❛❛❛❛❛❛❛❛❛ Operations # of Multiplications # of Additions Multiplication Methods Hybrid NTT-Schoolbook 7808 12288 Multiplication Hybrid NTT-Karatsuba 7040 14592 Multiplication Cycle counts ( × 10 3 ) Method Schoolbook 21,7 Karatsuba 14,2 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 13 / 20

  30. Parameter Sets Table: Parameters of n=512 Parameter Set Newhope512 NH-Compact512 Dimension n 512 512 Modulus q 12289 3329 Noise Parameter k 8 2 Table: Parameters of n=1024 Parameter Set Newhope1024 NH-Compact1024 Dimension n 1024 1024 Modulus q 12289 3329 Noise Parameter k 8 2 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 14 / 20

  31. Sizes in bytes 512-CCA-KEM Parameter Set NewHope NewHope-Compact | pk | 928 800 | sk | 1888 1632 | ciphertext | 1120 992 1024-CCA-KEM Parameter Set NewHope NewHope-Compact | pk | 1824 1568 | sk | 3680 3168 | ciphertext | 2208 2080 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 15 / 20

  32. Cycle counts ( × 10 3 ) of C reference (non-optimized) implementations CCA-KEM-512 Operations Kyber NewHope NewHope-Compact 121 . 6 119 . 2 89 . 3 Gen Encaps 164 180 . 2 147 197 . 5 203 . 4 176 . 1 Decaps Total 483 . 1 502 . 8 412 . 4 CCA-KEM-1024 Operations Kyber NewHope NewHope-Compact 324 . 6 237 . 8 186 . 4 Gen 381 . 4 365 . 2 321 . 8 Encaps Decaps 431 . 4 417 . 5 395 Total 1137 . 4 1020 . 5 902 . 2 Performed on Intel Skylake Core i7-6500U Yusuf Alper Bilgin NewHope-Compact October 3, 2019 16 / 20

  33. NewHope-Compact768 Inspired by NTTRU 1 Z 3457 / ( X 768 − X 384 + 1) and let ζ 1 and ζ 2 are two primitive sixth root of unity. Z 3457 / ( X 768 − X 384 + 1) Z 3457 / ( x 384 − ζ 1 ) Z 3457 / ( x 384 − ζ 2 ) 1 Lyubashevsky and Seiler, CHES 2019 Yusuf Alper Bilgin NewHope-Compact October 3, 2019 17 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 , Alessandro Barenghi 2 , Franco Chiaraluce 1 , Gerardo Pelosi 2 , Paolo Santini 1 1 Universit` a Politecnica delle Marche (m.baldi@univpm.it,

674 views • 52 slides
WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven

WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven

WHAT IS AN INTERSTATE COMPACT? 2 WHAT IS AN INTERSTATE COMPACT? Simple, versatile and proven tool Effective means of cooperatively addressing common problems Allows states to respond to national priorities with one voice Retains

448 views • 32 slides
IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong Jiang , Zhenfeng Zhang , Long Chen , Hong Wang Zhi Ma Chinese State Key Laboratory of Mathematical Engineering and

577 views • 46 slides
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser 2 , Andrea Hoeller 2 , oppelmann 3 , Fernando Virdia 1 , Andreas Wallner 2 Thomas P 1 Information Security Group, Royal Holloway, University of

1.17k views • 33 slides
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser 2 , Andrea Hoeller 2 , oppelmann 3 , Fernando Virdia 1 , Andreas Wallner 2 Thomas P 1 Information Security Group, Royal Holloway, University of

726 views • 53 slides
Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan University, China June 28, 2017 Boru Gong, Yunlei Zhao (Fudan) Cryptanalysis of RLWE-Based One-Pass AKE June 28, 2017 1 / 39 Outline 1 Introduction

601 views • 39 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 & VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

slide 1 gaius Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a network packet or frame encapsulation refers to how the network interface uses packet switching hardware two machines

499 views • 27 slides
What is an Interstate Compact? Simple, versatile and proven tool Effective means of

What is an Interstate Compact? Simple, versatile and proven tool Effective means of

What is an Interstate Compact? Simple, versatile and proven tool Effective means of cooperatively addressing common problems Contract between states Creates economies of scale Responds to national priorities with one voice

397 views • 21 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

546 views • 9 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

240 views • 7 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

751 views • 7 slides
High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1

High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1

High Performance Insulation based on Nanostructure encapsulation of air Theme: EeB.NMP.2010 1 http://www.hipin.eu The HIPIN project received funding from the European Union's Seventh Framework Programme for research, technological development

383 views • 17 slides
FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto

FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto

FlexFerno The foldable grill on the go FlexF FlexFerno erno is y is your foldable camping sto our foldable camping stove ve Lightweight, compactable Accor ccordion mechanism accommodates compact, dion mechanism accommodates compact,

342 views • 8 slides
Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate Information hiding abstract data types type definition is hidden from the user variables of the type can be declared variables of the type

1.02k views • 15 slides
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
Concepts in Object-Oriented Programming Languages Object-oriented design Primary

Concepts in Object-Oriented Programming Languages Object-oriented design Primary

CS 242 Outline of lecture Concepts in Object-Oriented Programming Languages Object-oriented design Primary object-oriented language concepts dynamic lookup encapsulation John Mitchell inheritance subtyping Program

479 views • 8 slides
Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

325 views • 11 slides
The Object Factory Object-Oriented Programming in R: S3 & R6 pour refill Object-Oriented

The Object Factory Object-Oriented Programming in R: S3 & R6 pour refill Object-Oriented

OBJECT-ORIENTED PROGRAMMING IN R: S3 & R6 The Object Factory Object-Oriented Programming in R: S3 & R6 pour refill Object-Oriented Programming in R: S3 & R6 class generators are templates for objects a.k.a. factories

604 views • 25 slides
Accessible Near-Storage Computing with FPGAs Robert Schmid, Max Plauth, Lukas Wenzel, Felix

Accessible Near-Storage Computing with FPGAs Robert Schmid, Max Plauth, Lukas Wenzel, Felix

Accessible Near-Storage Computing with FPGAs Robert Schmid, Max Plauth, Lukas Wenzel, Felix Eberhardt, Andreas Polze Professorship for Operating Systems and Middleware, Hasso-Plattner-Institute Fifteenth European Conference on Computer Systems

136 views • 13 slides
Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum

1.74k views • 115 slides
Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity (EuroS&P 2016, Saarbrcken) Dominique Devriese 1 , Frank Piessens 1 , Lars Birkedal 2 1 iMinds-DistriNet, KU Leuven, 2 Aarhus University December 2015

387 views • 21 slides
SUAVE: Painless Extension for an Object-Oriented VHDL Peter J. Ashenden University of Adelaide

SUAVE: Painless Extension for an Object-Oriented VHDL Peter J. Ashenden University of Adelaide

SUAVE: Painless Extension for an Object-Oriented VHDL Peter J. Ashenden University of Adelaide Philip A. Wilsey, Dale E. Martin University of Cincinnati This work was partially supported by Wright Laboratory under USAF contract

195 views • 8 slides
Modularity and Object- oriented Abstractions Encapsulation, Dynamic binding, Subtyping and

Modularity and Object- oriented Abstractions Encapsulation, Dynamic binding, Subtyping and

Modularity and Object- oriented Abstractions Encapsulation, Dynamic binding, Subtyping and Inheritance 1 Modularity When we program, we try to solve a problem by Step1: decompose the problem into smaller sub- problems Step2: try to

279 views • 23 slides

More recommend