cryptography for embedded devices
play

Cryptography for Embedded Devices Tobias Oder Ruhr-University - PowerPoint PPT Presentation

Mar 11, 2024 •318 likes •601 views

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

  1. Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017

  2. Lattice-based Cryptography • Set of vectors in n -dimensional space define a basis Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 2

  3. Lattice-based Cryptography • Efficiency • Scalability • Versatility – Encryption – Digital signatures – Key exchange – Advanced constructions (IBE, FHE,…) Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 3

  4. Learning with Errors Given A and b = As Task: Find s ➢ Easy to solve Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 4

  5. Learning with Errors Given A and b = As Task: Find s ➢ Easy to solve Given A and b = As + e Task: Find s ➢ Hard problem Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 5

  6. Lattice Classes Standard or random lattices • Unstructured matrices • Main Operation: matrix-vector multiplication Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 6

  7. Lattice Classes Standard or random lattices • Unstructured matrices • Main Operation: matrix-vector multiplication Ring or ideal lattices • Smaller parameters • Faster implementations • Smaller implementations • Main Operation: polynomial multiplication But less trust in security due to structure! Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 7

  8. Module Lattices Idea: Find a trade-off between the advantages of both classes Efficiency Security Main operation: Matrix-vector multiplication • But matrix elements are polynomials! Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 8

  9. Schemes Non-exhaustive list Encryption Signature Key Exchange Standard LWE Encrypt TESLA Frodo Lattices Bai-Galbraith GPV Ideal Ring-LWE Encrypt BLISS „A new hope “ Lattices NTRU Encrypt GLP Ring-TESLA Module Kyber Dilithium CCA2-secure Lattices Dilithium-G Kyber Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 9

  10. Schemes Non-exhaustive list Encryption Signature Key Exchange Standard LWE Encrypt TESLA Frodo Lattices Bai-Galbraith GPV Ideal Ring-LWE Encrypt BLISS „A new hope “ Lattices NTRU Encrypt GLP Ring-TESLA Module Kyber Dilithium CCA2-secure Lattices Dilithium-G Kyber Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 10

  11. Schemes Non-exhaustive list Encryption Signature Key Exchange Standard LWE Encrypt TESLA Frodo Lattices Bai-Galbraith GPV Ideal Ring-LWE Encrypt BLISS „A new hope “ Lattices NTRU Encrypt GLP Ring-TESLA Module Kyber Dilithium CCA2-secure Lattices Dilithium-G Kyber Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 11

  12. Implementation on Embedded Devices • What are the goals? – Throughput/latency – Code size/area – Power/energy Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 12

  13. Implementation on Embedded Devices • What are the goals? – Throughput/latency – Code size/area – Power/energy • Cross-disciplinary work and interaction between engineers and cryptographers required – Parameter selection and design decisions can make schemes more efficient but also weaker Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 13

  14. Implementation on Embedded Devices • What are the goals? – Throughput/latency – Code size/area – Power/energy • Cross-disciplinary work and interaction between engineers and cryptographers required – Parameter selection and design decisions can make schemes more efficient but also weaker • Cover side-channels – Timing, Cache, Simple Power Analysis – Differential Power Analysis, EM Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 14

  15. NTT • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography • NTT is a fast Fourier transform in integer rings – Polynomial multiplication in O(n log n) instead of O(n²) Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 15

  16. NTT • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography • NTT is a fast Fourier transform in integer rings – Polynomial multiplication in O(n log n) instead of O(n²) • Powers of primitive root of unitiy ω („ twiddle factors “) required – Stored in tables – Computed on-the-fly Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 16

  17. NTT • Polynomial multiplication is a major building block for ideal and module lattice-based cryptography • NTT is a fast Fourier transform in integer rings – Polynomial multiplication in O(n log n) instead of O(n²) • Powers of primitive root of unitiy ω („ twiddle factors “) required – Stored in tables – Computed on-the-fly • Core operation is a so-called „ butterfly “ – Gentleman-Sande – Cooley-Tukey Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 17

  18. NTT Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 18

  19. NTT Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 19

  20. Gaussian Sampling Cumulative Distribution Table (CDT) Rejection Sampling Sampling Bernoulli Sampling Knuth-Yao Sampling Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 20

  21. CCA2-Security • Plain Ring-LWE encryption is only secure against chosen- plaintext attackers (CPA) • Many use cases require security against chosen-ciphertext attackers (CCA) – Attacker has access to a decryption oracle • Generic Fujisaki-Okamoto transform – Tweak by Targhi and Unruh for post-quantum security – Expensive re-encryption in decryption Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 21

  22. Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE • PRNG/Hash • NTT • Sampler • Encoding/Decoding See our implementation: ia.cr/2016/1109 together with Tobias Schneider, Thomas Pöppelmann, and Tim Güneysu Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 22

  23. Identity-based Encryption (IBE) • Demand for advanced security services (e.g., smart environments) • Concept : Extend asymmetric encryption scheme based on public identifier ID X (e.g., given name, MAC, e-mail address, etc.) PK M , SK M Trusted Third Master Authority Party (TTP) PK M , SK A PK M , SK B ID A ID B Alice Bob Enc(PK M , ID B , msg) Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 23

  24. IBE Implementation • Implementation of encryption and decryption of [DPL14] feasible on embedded devices • Key generation memory-wise and computationally expensive [DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, Vadim Lyubashevsky, ASIACRYPT 2014 Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 24

  25. IBE Implementation • Implementation of encryption and decryption of [DPL14] feasible on embedded devices • Key generation memory-wise and computationally expensive • Cortex-M4 microcontroller – Enc/Dec: 6/2 ms • Spartan6 FPGA – Enc/Dec: 80/54 µs [DPL14] Efficient Identity-Based Encryption over NTRU Lattices, Léo Ducas, Thomas Prest, and Vadim Lyubashevsky, ASIACRYPT 2014 Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 25

  26. Conclusion Lattice-based cryptography is practical on embedded devices! Future Work • Side-channel security • Efficient IBE key generation • More cryptanalysis Implementation of Lattice Crypto | Tobias Oder | Ruhr-University Bochum | 09.11.2017 26

  27. Thank You For Your Attention!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

ELC 2010 Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2 Creating an Embedded Product Time to market Linux kernel Quality uClibc Features Busybox Cost Other open source

494 views • 35 slides
Cryptography basics for embedded developers Embedded Linux Conference, San Diego, 2016 "If

Cryptography basics for embedded developers Embedded Linux Conference, San Diego, 2016 "If

Cryptography basics for embedded developers Embedded Linux Conference, San Diego, 2016 "If you think cryptography is the solution to your problem, then you don't understand your problem " - Roger Needham Cryptography basics are

417 views • 25 slides
Embedded Device Cryptography in the Field Introduction Motivation State of Affairs Coping

Embedded Device Cryptography in the Field Introduction Motivation State of Affairs Coping

Embedded Device Cryptography in the Field Embedded Device Cryptography in the Field Introduction Motivation State of Affairs Coping Mechanisms Indefensible Alex Kropivny Local Attacks Trust Relationships Use Cases Factory Testing

699 views • 49 slides
Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org>

Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org>

Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org> 2018-11-27 Embedded Devices 10kB 1MB ROM 1kB 100kB RAM Typical hardware: ARM Cortex-M3, eg. STM32 Embedded Devices

416 views • 28 slides
EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque Prsentation: Stphanie Delaune (CNRS) EMSEC team Embedded Security & Cryptography 7 permanent researchers, 12 PhD students, and 2 post-docs

308 views • 11 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This talk Introduction Economic aspects Why make secure products? Trust in embedded devices Verifying trust Conclusion Aurlien

649 views • 37 slides
Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded

Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded

Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded software engineer Filesystem considerations ABSTRACT The goal of this presentation is to answer a question asked by several customers: which

1.36k views • 110 slides
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

474 views • 29 slides
Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin

Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin

Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin Tim Finin University of Maryland University of Maryland Baltimore County Baltimore County Presentation given at the Workshop on Cooperative tell

812 views • 67 slides
Continuing to secure the Internet of Things Connected embedded devices Everything in our

Continuing to secure the Internet of Things Connected embedded devices Everything in our

Safety & Security for the Connected World Continuing to secure the Internet of Things Connected embedded devices Everything in our embedded world is becoming connected to The Internet Other connected devices Personal devices

248 views • 11 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier

Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier

Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier Transform What, who, why? Mathematics and and its inherent properties Discrete Fourier Transform Fast Fourier Transform, or FFT

542 views • 42 slides
TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston

TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston

TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston University, Birmingham, UK CCC 2017, Nancy, Loria INTRODUCTION Why Haskell/ML/...? Conveniently supports new abstractions Can express a lot of

469 views • 28 slides
Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA

Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA

Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA February 24, 2014 Who we are DMPOnline DMPTool Sarah Jones Sherry Lake Patrick McCann Sarah Shreeves Marta Ribeiro Who are you?

516 views • 17 slides
Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and

Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and

Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and NLP Group Stanford University with help from Chris Manning, Chris Potts, Richard Socher, Jeffrey Pennington, J.T. Chipman Recent progress on deep

664 views • 39 slides
HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a wide variety of approaches of mapping DFGs to software Software Mapping of SDF Sequential Parallel single-processor multi-processor *Processor

351 views • 18 slides
Multi-Dimensional Indexing: FFT Use a transform to generate an index pattern that still

Multi-Dimensional Indexing: FFT Use a transform to generate an index pattern that still

Multi-Dimensional Indexing: FFT Use a transform to generate an index pattern that still contains all values in the range (0 to N-1). Size N n takes on values of n: 0, 1, 2, 3, ... N-2, N-1 or N, 1+N, 2+N, 3+N, ... 2N-2, 2N-1

1.04k views • 56 slides
EDUARDO GUENDELMAN, PHYSICS DEPARTMENT, BEN GURION UNIVERSITY, BEER SHEVA, ISRAEL. WITH EMIL

EDUARDO GUENDELMAN, PHYSICS DEPARTMENT, BEN GURION UNIVERSITY, BEER SHEVA, ISRAEL. WITH EMIL

EDUARDO GUENDELMAN, PHYSICS DEPARTMENT, BEN GURION UNIVERSITY, BEER SHEVA, ISRAEL. WITH EMIL NISSIMOV, SVETLANA PACHEVA AND ALEXANDER KAGANOVICH PRESENTED AT THE 8th Mathematical Physics Meeting : Summer School and Conference on Modern

298 views • 29 slides
Charm++ for Productivity and Performance A Submission to the 2011 HPC Class II Challenge

Charm++ for Productivity and Performance A Submission to the 2011 HPC Class II Challenge

Charm++ for Productivity and Performance A Submission to the 2011 HPC Class II Challenge Laxmikant V. Kale Anshu Arya Abhinav Bhatele Abhishek Gupta Nikhil Jain Pritish Jetley Jonathan Lifflander Phil Miller Yanhua Sun Ramprasad

437 views • 28 slides

More recommend