Cryptography for Embedded Devices, Tobias Oder, Ruhr-University (PowerPoint presentation)



SLIDE 1

Efficient Implementation of Lattice-based Cryptography for Embedded Devices

Tobias Oder, Ruhr-University Bochum

Workshop on Cryptography for the Internet of Things and Cloud 2017, 09.11.2017

SLIDE 2

2 Implementation of Lattice Crypto| Tobias Oder | Ruhr-University Bochum | 09.11.2017

Lattice-based Cryptography

  • Set of vectors in n-dimensional space define a basis

SLIDE 3

Lattice-based Cryptography

  • Efficiency
  • Scalability
  • Versatility
    – Encryption
    – Digital signatures
    – Key exchange
    – Advanced constructions (IBE, FHE, …)

SLIDE 5

Learning with Errors

Given A and b = As
Task: Find s
➢ Easy to solve

Given A and b = As + e
Task: Find s
➢ Hard problem
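The contrast on this slide, as an added example that is not part of the original deck: Gaussian elimination mod q recovers s from b = As, and the same procedure returns a wrong vector once a small e is added. The modulus, matrix, secret and error below are constructed toy values; at this size s could still be found by exhaustive search, so the code only shows that the linear-algebra shortcut stops working.

```c
#define N 3
#define Q 97 /* toy prime modulus; constructed, far below real parameter sizes */

/* Constructed sample data: A is invertible mod Q (det = 13 mod 97), e is small. */
static const int A_DEMO[N][N] = {{12, 45, 7}, {33, 8, 61}, {70, 29, 5}};
static const int S_DEMO[N] = {3, 90, 41};
static const int E_ZERO[N] = {0, 0, 0}, E_SMALL[N] = {1, -2, 1};

static int inv_mod(int a) { /* a^(Q-2) mod Q by Fermat's little theorem */
    int r = 1;
    for (int e = Q - 2; e; e >>= 1, a = a * a % Q) if (e & 1) r = r * a % Q;
    return r;
}
/* b = A*s + e (mod Q) */
void lwe_sample(const int A[N][N], const int s[N], const int e[N], int b[N]) {
    for (int i = 0; i < N; i++) {
        int acc = e[i];
        for (int j = 0; j < N; j++) acc += A[i][j] * s[j];
        b[i] = (acc % Q + Q) % Q;
    }
}
/* Gauss-Jordan elimination mod Q on [A | b]; returns -1 if A is singular. */
int solve_mod_q(const int A[N][N], const int b[N], int x[N]) {
    int M[N][N + 1];
    for (int i = 0; i < N; i++) {
        for (int j = 0; j < N; j++) M[i][j] = A[i][j] % Q;
        M[i][N] = b[i];
    }
    for (int c = 0; c < N; c++) {
        int p = c;
        while (p < N && M[p][c] == 0) p++; /* find a pivot row */
        if (p == N) return -1;
        for (int j = 0; j <= N; j++) { int t = M[c][j]; M[c][j] = M[p][j]; M[p][j] = t; }
        int inv = inv_mod(M[c][c]);
        for (int j = 0; j <= N; j++) M[c][j] = M[c][j] * inv % Q;
        for (int r = 0; r < N; r++) {
            int f = (r == c) ? 0 : M[r][c];
            for (int j = 0; j <= N; j++) M[r][j] = ((M[r][j] - f * M[c][j]) % Q + Q) % Q;
        }
    }
    for (int i = 0; i < N; i++) x[i] = M[i][N];
    return 0;
}
/* Number of coordinates where elimination on (A, A*s+e) disagrees with s. */
int wrong_coords(const int e[N]) {
    int b[N], x[N], wrong = 0;
    lwe_sample(A_DEMO, S_DEMO, e, b);
    if (solve_mod_q(A_DEMO, b, x) != 0) return -1;
    for (int i = 0; i < N; i++) wrong += (x[i] != S_DEMO[i]);
    return wrong;
}
```

With `E_ZERO` the solver returns s exactly; with `E_SMALL` it returns s + A⁻¹e, which differs from s in at least one coordinate.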

SLIDE 7

Lattice Classes

Standard or random lattices

  • Unstructured matrices
  • Main operation: matrix-vector multiplication

Ring or ideal lattices

  • Smaller parameters
  • Faster implementations
  • Smaller implementations
  • Main operation: polynomial multiplication

But less trust in security due to structure!

SLIDE 8

Module Lattices

Idea: Find a trade-off between the advantages of both classes

Main operation: Matrix-vector multiplication

  • But matrix elements are polynomials!

[Figure labels: Efficiency, Security]

SLIDE 9

Schemes

Non-exhaustive list

  • Standard Lattices
    – Encryption: LWE Encrypt
    – Signature: TESLA, Bai-Galbraith, GPV
    – Key Exchange: Frodo
  • Ideal Lattices
    – Encryption: Ring-LWE Encrypt, NTRU Encrypt
    – Signature: BLISS, GLP, Ring-TESLA
    – Key Exchange: "A new hope"
  • Module Lattices
    – Encryption: Kyber
    – Signature: Dilithium, Dilithium-G
    – Key Exchange: CCA2-secure Kyber

SLIDE 14

Implementation on Embedded Devices

  • What are the goals?
    – Throughput/latency
    – Code size/area
    – Power/energy
  • Cross-disciplinary work and interaction between engineers and cryptographers required
    – Parameter selection and design decisions can make schemes more efficient but also weaker
  • Cover side-channels
    – Timing, Cache, Simple Power Analysis
    – Differential Power Analysis, EM

SLIDE 17

NTT

  • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography
  • NTT is a fast Fourier transform in integer rings
    – Polynomial multiplication in O(n log n) instead of O(n²)
  • Powers of primitive root of unity ω ("twiddle factors") required
    – Stored in tables
    – Computed on-the-fly
  • Core operation is a so-called "butterfly"
    – Gentleman-Sande
    – Cooley-Tukey
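An added example, not code from the talk or from any scheme named in it: NTT-based multiplication in Z_q[x]/(x^n + 1) with Gentleman-Sande butterflies for the forward transform, Cooley-Tukey butterflies for the inverse, and twiddle factors computed on the fly, checked against the O(n²) schoolbook product. The parameters n = 256 and q = 7681 and all function names are assumptions chosen for the example.

```c
#include <stdint.h>
#define N 256   /* assumed ring dimension (power of two); not from the slides */
#define Q 7681u /* assumed prime with 2N | Q-1, so a 2N-th root of unity exists */
static uint32_t mulq(uint32_t a, uint32_t b) { return a * b % Q; }
static uint32_t powq(uint32_t b, uint32_t e) {
    uint32_t r = 1;
    for (; e; e >>= 1, b = mulq(b, b)) if (e & 1) r = mulq(r, b);
    return r;
}
uint32_t find_psi(void) { /* psi has order exactly 2N iff psi^N = -1 (mod Q) */
    for (uint32_t g = 2;; g++)
        if (powq(powq(g, (Q - 1) / (2 * N)), N) == Q - 1) return powq(g, (Q - 1) / (2 * N));
}
/* gs=1: Gentleman-Sande, natural in, bit-reversed out; gs=0: Cooley-Tukey, the reverse. */
static void ntt(uint32_t *a, uint32_t w, int gs) {
    for (uint32_t len = gs ? N / 2 : 1; len >= 1 && len < N; len = gs ? len / 2 : len * 2) {
        uint32_t wlen = powq(w, N / (2 * len)); /* twiddle base, computed on the fly */
        for (uint32_t s = 0; s < N; s += 2 * len)
            for (uint32_t j = s, wj = 1; j < s + len; j++, wj = mulq(wj, wlen)) {
                uint32_t u = a[j], v = gs ? a[j + len] : mulq(a[j + len], wj);
                a[j] = (u + v) % Q;
                a[j + len] = gs ? mulq(u + Q - v, wj) : (u + Q - v) % Q;
            }
    }
}
/* c = a*b in Z_Q[x]/(x^N + 1); coefficients of a and b must already be in [0, Q). */
void polymul_ntt(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    uint32_t psi = find_psi(), w = mulq(psi, psi), p = 1, fa[N], fb[N];
    uint32_t s = powq(N, Q - 2), pinv = powq(psi, Q - 2); /* s walks N^-1 * psi^-i */
    for (int i = 0; i < N; i++, p = mulq(p, psi)) { fa[i] = mulq(a[i], p); fb[i] = mulq(b[i], p); }
    ntt(fa, w, 1); ntt(fb, w, 1);
    for (int i = 0; i < N; i++) fa[i] = mulq(fa[i], fb[i]); /* pointwise product */
    ntt(fa, powq(w, Q - 2), 0);
    for (int i = 0; i < N; i++, s = mulq(s, pinv)) c[i] = mulq(fa[i], s);
}
void polymul_schoolbook(const uint32_t *a, const uint32_t *b, uint32_t *c) { /* O(n^2) */
    for (int i = 0; i < N; i++) c[i] = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++) { /* x^N = -1: wrapped terms are subtracted */
            uint32_t t = mulq(a[i], b[j]), k = (uint32_t)(i + j) % N;
            c[k] = (c[k] + (i + j < N ? t : Q - t)) % Q;
        }
}
int ntt_matches_schoolbook(void) { /* constructed inputs; returns 1 if products agree */
    uint32_t a[N], b[N], c1[N], c2[N], bad = 0;
    for (uint32_t i = 0; i < N; i++) { a[i] = (31 * i * i + 7) % Q; b[i] = (5 * i + 3) % Q; }
    polymul_ntt(a, b, c1); polymul_schoolbook(a, b, c2);
    for (int i = 0; i < N; i++) bad |= c1[i] ^ c2[i];
    return bad == 0;
}
```

Pairing the two butterfly types this way avoids an explicit bit-reversal pass. The `%` reductions are for readability; embedded implementations usually replace them with Montgomery or Barrett reduction.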

SLIDE 18

NTT

SLIDE 19

NTT

SLIDE 20

Gaussian Sampling

  • Rejection Sampling
  • Bernoulli Sampling
  • Knuth-Yao Sampling
  • Cumulative Distribution Table (CDT) Sampling

SLIDE 21

CCA2-Security

  • Plain Ring-LWE encryption is only secure against chosen-plaintext attackers (CPA)
  • Many use cases require security against chosen-ciphertext attackers (CCA)
    – Attacker has access to a decryption oracle
  • Generic Fujisaki-Okamoto transform
    – Tweak by Targhi and Unruh for post-quantum security
    – Expensive re-encryption in decryption

SLIDE 22

Masking Ring-LWE

Components to be masked in CCA2-secure Ring-LWE

  • PRNG/Hash
  • NTT
  • Sampler
  • Encoding/Decoding

See our implementation: ia.cr/2016/1109 together with Tobias Schneider, Thomas Pöppelmann, and Tim Güneysu

SLIDE 23

Identity-based Encryption (IBE)

  • Demand for advanced security services (e.g., smart environments)
  • Concept: Extend asymmetric encryption scheme based on public identifier IDX (e.g., given name, MAC, e-mail address, etc.)

[Figure: Master Authority / Trusted Third Party (TTP) with PKM, SKM; Alice (IDA) with PKM, SKA; Bob (IDB) with PKM, SKB; Enc(PKM, IDB, msg)]

SLIDE 25

IBE Implementation

  • Implementation of encryption and decryption of [DPL14] feasible on embedded devices
  • Key generation memory-wise and computationally expensive
  • Cortex-M4 microcontroller
    – Enc/Dec: 6/2 ms
  • Spartan6 FPGA
    – Enc/Dec: 80/54 µs

[DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, and Vadim Lyubashevsky, ASIACRYPT 2014

SLIDE 26

Conclusion

Lattice-based cryptography is practical on embedded devices!

Future Work

  • Side-channel security
  • Efficient IBE key generation
  • More cryptanalysis

SLIDE 27

Thank You For Your Attention!