efficient ring lwe encryption on 8 bit avr processors
play

Efficient Ring-LWE Encryption on 8-bit AVR Processors . Zhe Liu 1 - PowerPoint PPT Presentation

Mar 03, 2023 •369 likes •1.4k views

Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Efficient Ring-LWE Encryption on 8-bit AVR Processors . Zhe Liu 1 Hwajeong Seo 2 Sujoy Sinha Roy 3 adl 1 Howon Kim 2 Ingrid Verbauwhede 3

  1. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Ring-LWE Encryption Scheme . Number Theoretic Transform i =0 a i x i ∈ Z q in the n -th Polynomial multiplication a ( x ) = ∑ n − 1 roots of unity ω i n Algorithm 1: Iterative Number Theoretic Transform Require: Polynomial a ( x ), n -th root of unity ω Ensure: Polynomial a ( x ) = NTT ( a ) 1: a ← BitReverse ( a ) 2: for i from 2 by 2 i to n do ω i ← ω n / i 3: , ω ← 1 n 4: for j from 0 by 1 to i / 2 − 1 do 5: for k from 0 by i to n − 1 do 1 2 ⃝ U ← a [ k + j ], ⃝ V ← ω · a [ k + j + i / 2] 6: 3 4 ⃝ a [ k + j ] ← U + V , ⃝ a [ k + j + i / 2] ← U − V 7: 8: end for 9: ω ← ω · ω i 10: end for 11: end for . . . . . . . . . . . . . . . . . . . . 12: return a .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 11 / 60

  2. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Ring-LWE Encryption Scheme . Gaussian Sampler Random walk by Discrete Distribution Generating tree Algorithm 2: Low-level implementation of Knuth-Yao sampling Require: Probability matrix P mat , random number r , modulus q Ensure: Sample value s 1: d ← 0 2: for col from 0 by 1 to MAXCOL do 3: d ← 2 d + ( r &1); r ← r ≫ 1 4: for row from MAXROW by − 1 to 0 do d ← d − P mat [ row ][ col ] 5: 6: if d = − 1 then 7: if ( r &1) = 1 then 8: return q − row 9: else 10: return row 11: end if 12: end if 13: end for 14: end for 15: return 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 12 / 60

  3. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 13 / 60

  4. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 14 / 60

  5. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Parameter Selection ( n , q , σ ) for Ring-LWE √ 128-bit security level: (256 , 7681 , 11 . 31 / 2 π ) √ 256-bit security level: (512 , 12289 , 12 . 18 / 2 π ) Discrete Gaussian sampler: 12 σ . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 15 / 60

  6. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Parameter Selection ( n , q , σ ) for Ring-LWE √ 128-bit security level: (256 , 7681 , 11 . 31 / 2 π ) √ 256-bit security level: (512 , 12289 , 12 . 18 / 2 π ) Discrete Gaussian sampler: 12 σ LUT based Twiddle Factor: ω n and ω · ω i [LATINCRYPT’12] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 15 / 60

  7. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Parameter Selection ( n , q , σ ) for Ring-LWE √ 128-bit security level: (256 , 7681 , 11 . 31 / 2 π ) √ 256-bit security level: (512 , 12289 , 12 . 18 / 2 π ) Discrete Gaussian sampler: 12 σ LUT based Twiddle Factor: ω n and ω · ω i [LATINCRYPT’12] Negative wrapped convolution: Reduce coefficient [CHES’14] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 15 / 60

  8. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Parameter Selection ( n , q , σ ) for Ring-LWE √ 128-bit security level: (256 , 7681 , 11 . 31 / 2 π ) √ 256-bit security level: (512 , 12289 , 12 . 18 / 2 π ) Discrete Gaussian sampler: 12 σ LUT based Twiddle Factor: ω n and ω · ω i [LATINCRYPT’12] Negative wrapped convolution: Reduce coefficient [CHES’14] Changing of the j and k -loops in the NTT [HOST’13] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 15 / 60

  9. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Parameter Selection ( n , q , σ ) for Ring-LWE √ 128-bit security level: (256 , 7681 , 11 . 31 / 2 π ) √ 256-bit security level: (512 , 12289 , 12 . 18 / 2 π ) Discrete Gaussian sampler: 12 σ LUT based Twiddle Factor: ω n and ω · ω i [LATINCRYPT’12] Negative wrapped convolution: Reduce coefficient [CHES’14] Changing of the j and k -loops in the NTT [HOST’13] Merging of the scaling operation by n − 1 in INTT [CHES’14] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 15 / 60

  10. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . MOV-and-ADD Coefficient Multiplication (Step1): 1 mul, 1 movw a H a L b H b L a L × b L r 1 r 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 16 / 60

  11. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . MOV-and-ADD Coefficient Multiplication (Step2): 1 mul, 1 movw a H a L b H b L a L × b L a H × b H r 3 r 2 r 1 r 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 17 / 60

  12. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . MOV-and-ADD Coefficient Multiplication (Step3): 1 mul, 3 add a H a L b H b L a L × b L a H × b H a H × b L r 3 r 2 r 1 r 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 18 / 60

  13. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . MOV-and-ADD Coefficient Multiplication (Step4): 1 mul, 3 add a H a L b H b L a L × b L a H × b H a H × b L a L × b H r 3 r 2 r 1 r 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 19 / 60

  14. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . MOV-and-ADD Coefficient Multiplication (Total): 4 mul, 2 movw, 6 add instructions (16 cycles) a H a L b H b L a L × b L a H × b H a H × b L a L × b H r 3 r 2 r 1 r 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 20 / 60

  15. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Approximation based reduction [ACM TEC’15] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 21 / 60

  16. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Approximation based reduction [ACM TEC’15] Position of 1’s in (2 w × 1 / q ) → p 1 , ..., p l . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 21 / 60

  17. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Approximation based reduction [ACM TEC’15] Position of 1’s in (2 w × 1 / q ) → p 1 , ..., p l ⌊ z / q ⌋ ∼ = ∑ l i =1 ( z ≫ ( w − p i )) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 21 / 60

  18. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Approximation based reduction [ACM TEC’15] Position of 1’s in (2 w × 1 / q ) → p 1 , ..., p l ⌊ z / q ⌋ ∼ = ∑ l i =1 ( z ≫ ( w − p i )) z mod q ∼ = z − q × ⌊ z / q ⌋ . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 21 / 60

  19. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Approximation based reduction [ACM TEC’15] Position of 1’s in (2 w × 1 / q ) → p 1 , ..., p l ⌊ z / q ⌋ ∼ = ∑ l i =1 ( z ≫ ( w − p i )) z mod q ∼ = z − q × ⌊ z / q ⌋ ⌊ z / 7681 ⌋ ∼ = ( z ≫ 13) + ( z ≫ 17) + ( z ≫ 21) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 21 / 60

  20. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 (Step1-1): shifting ( z ≫ 17) r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 22 / 60

  21. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 (Step1-2): shifting ( z ≫ 13) r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) ( s 1, s 0, sx ) » 4 ( t 1, t 0) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 23 / 60

  22. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 (Step1-3): shifting ( z ≫ 21) r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) ( s 1, s 0, sx ) » 4 ( t 1, t 0) u 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 24 / 60

  23. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 (Step2): addition ( z ≫ 13) + ( z ≫ 17) + ( z ≫ 21) r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) ( t 1, t 0) ( s 1, s 0, sx ) » 4 u 0 ( s 1, s 0) + ( t 1, t 0) + u 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 25 / 60

  24. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 (Step3): multiplication r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) ( s 1, s 0, sx ) » 4 ( t 1, t 0) u 0 ( s 1, s 0) + ( t 1, t 0) + u 0 0x1e 0x1e × [( s 1, s 0) + ( t 1, t 0) + u 0] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 26 / 60

  25. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . SAMS2 method, 1 ⃝ : shifting; 2 ⃝ : addition; 3 ⃝ : multiplication r 3 r 2 r 1 r 0 ( r 3, r 2, r 1) » 1 ( s 1, s 0) ( s 1, s 0, sx ) » 4 ( t 1, t 0) 2 1 u 0 ( s 1, s 0) + ( t 1, t 0) + u 0 3 0x1e 0x1e × [( s 1, s 0) + ( t 1, t 0) + u 0] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 27 / 60

  26. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  27. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  28. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  29. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  30. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example Perform a normal coefficient addition . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  31. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example Perform a normal coefficient addition Compare the results with 2 13 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  32. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example Perform a normal coefficient addition Compare the results with 2 13 Conduct a subtraction of q where r > 2 13 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  33. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example Perform a normal coefficient addition Compare the results with 2 13 Conduct a subtraction of q where r > 2 13 The operands are kept in [0 , 2 13 − 1] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  34. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Incomplete modular arithmetic Complete: s = a + b mod q Incomplete: s = a + b mod 2 m where m = ⌈ log 2 q ⌉ Taking q = 7681 as an example Perform a normal coefficient addition Compare the results with 2 13 Conduct a subtraction of q where r > 2 13 The operands are kept in [0 , 2 13 − 1] In the last iteration, the result back into the range [0 , q − 1] . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 28 / 60

  35. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Reducing the RAM for coefficients (Step 1): Initialized registers . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 29 / 60

  36. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 2): 13-bit coefficient ( a 0 ) is stored a 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 30 / 60

  37. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 3): Other coefficients ( a 1 ∼ 12 ) are stored a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 31 / 60

  38. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 4): Coefficient ( a 13 ) is stored a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 32 / 60

  39. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 5): Remaining coefficients ( a 14 ∼ 15 ) are stored a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 33 / 60

  40. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Updating coefficient ( a 12 ) a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 34 / 60

  41. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 1): Clear the lower 13-bit a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 35 / 60

  42. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 2): Add with target register a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 36 / 60

  43. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Updating coefficient ( a 13 ) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 37 / 60

  44. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 1): Divide the coefficient into 5 limbs . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 38 / 60

  45. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 2): Shift the coefficient » 1 » 4 » 7 » 10 » 13 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 39 / 60

  46. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 3): Select the memory a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 40 / 60

  47. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 4): Clear the 14th bit a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 41 / 60

  48. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 5): Add with target register a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 42 / 60

  49. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 6): Select the memory a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 43 / 60

  50. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 7): Clear the higher 3-bit a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 44 / 60

  51. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . (Step 8): Add with target register a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 45 / 60

  52. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization Techniques for NTT Computation . Optimized Storages: 16 13-bit elements in 26 bytes a 12 a 11 a 10 a 9 a 8 a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 a 13 a 14 a 15 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 46 / 60

  53. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 47 / 60

  54. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Algorithm 3: Bit Scanning 1: for row from MAXROW by − 1 to 0 do d ← d − P mat [ row ][ col ] { Bit wise computations } 2: 3: . . . omit . . . 4: end for Algorithm 4: Byte Scanning 1: for row from MAXROW by − 8 to 0 do if ( P mat [ row ][ col ] ∥ . . . ∥ P mat [ row − 7][ col ]) > 0 then 2: sum = ∑ row − 7 i = row ( P mat [ i ][ col ]) 3: d ← d − sum { Byte wise computations } 4: 5: . . . omit . . . end if 6: 7: end for Byte scanning saves 7 branch operations at the expense of 1 sub . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 48 / 60

  55. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Comparison between BitScanning and ByteScanning Bit Scanning Byte Scanning . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 49 / 60

  56. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . (Step 1):BitScanning (1-bit), ByteScanning (1-byte) Bit Scanning Byte Scanning . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 50 / 60

  57. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . (Step 2):BitScanning (2-bit), ByteScanning (2-byte) Bit Scanning Byte Scanning . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 51 / 60

  58. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  59. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  60. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode ATxmega128A1 supports AES engine (375 cycles) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  61. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode ATxmega128A1 supports AES engine (375 cycles) SW requires 1.9K cycles and 2KB ROM . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  62. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode ATxmega128A1 supports AES engine (375 cycles) SW requires 1.9K cycles and 2KB ROM Parallel Computations . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  63. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode ATxmega128A1 supports AES engine (375 cycles) SW requires 1.9K cycles and 2KB ROM Parallel Computations AES engine and processor are executed simultaneously . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  64. Short Overview Ring-LWE Encryption Scheme Optimization Techniques for NTT Computation Our Implementation Optimization of the Knuth-Yao Sampler Implementation Results Conclusion . Optimization of the Knuth-Yao Sampler . Pseudo Random Number Generation AES block cipher with counter mode ATxmega128A1 supports AES engine (375 cycles) SW requires 1.9K cycles and 2KB ROM Parallel Computations AES engine and processor are executed simultaneously PRNG and KY sampling in same time . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 52 / 60

  65. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 53 / 60

  66. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Performance Evaluation . Ex Execution tim time (in (in clo lock cycles) 4500000 4000000 3500000 3000000 2500000 2000000 1500000 1000000 500000 0 Key_Gen Enc Dec HS-256 ME-256 HS-512 ME-512 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 54 / 60

  67. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Performance Evaluation . Ex Execution tim time (in (in clo lock cycles) 4500000 4000000 3500000 3000000 2500000 2000000 1500000 1000000 500000 0 Key_Gen Enc Dec HS-256 ME-256 HS-512 ME-512 High speed (HS) is 2.3x faster than memory efficient (ME) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 54 / 60

  68. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Performance Evaluation . Execution tim Ex time (in (in clo lock cycles) 4500000 4000000 3500000 3000000 2500000 2000000 1500000 1000000 500000 0 Key_Gen Enc Dec HS-256 ME-256 HS-512 ME-512 High speed (HS) is 2.3x faster than memory efficient (ME) ME version requires sophisticated memory alignments . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 54 / 60

  69. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Memory Evaluation . RAM AM requirements (in (in bytes) 7000 6000 5000 4000 3000 2000 1000 0 Key_Gen Enc Dec Total HS-256 ME-256 HS-512 ME-512 . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 55 / 60

  70. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Memory Evaluation . RAM AM requirements (in (in bytes) 7000 6000 5000 4000 3000 2000 1000 0 Key_Gen Enc Dec Total HS-256 ME-256 HS-512 ME-512 Compared to HS, ME version reduces the RAM by 21 % . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 55 / 60

  71. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Memory Evaluation . RAM AM requirements (in (in bytes) 7000 6000 5000 4000 3000 2000 1000 0 Key_Gen Enc Dec Total HS-256 ME-256 HS-512 ME-512 Compared to HS, ME version reduces the RAM by 21 % HS and ME consume the 8K RAM by 77 % and 56 % . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 55 / 60

  72. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 56 / 60

  73. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Key-Gen Enc Dec Boorghany (256) 2,770K 3,042K 1,368K P¨ oppelmann (256) n/a 1,314K 381K This work (HS-256) 589K 671K 275K P¨ oppelmann (512) n/a 3,279K 1,019K This work (HS-512) 2,165K 2,617K 686K . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 57 / 60

  74. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Key-Gen Enc Dec Boorghany (256) 2,770K 3,042K 1,368K P¨ oppelmann (256) n/a 1,314K 381K This work (HS-256) 589K 671K 275K P¨ oppelmann (512) n/a 3,279K 1,019K This work (HS-512) 2,165K 2,617K 686K Boorghany et al.: 4.5x faster (ENC, 256) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 57 / 60

  75. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Key-Gen Enc Dec Boorghany (256) 2,770K 3,042K 1,368K P¨ oppelmann (256) n/a 1,314K 381K This work (HS-256) 589K 671K 275K P¨ oppelmann (512) n/a 3,279K 1,019K This work (HS-512) 2,165K 2,617K 686K Boorghany et al.: 4.5x faster (ENC, 256) P¨ oppelmann et al.: 2x and 1.25x faster (ENC, 256/512) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 57 / 60

  76. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Scheme Enc Dec Liu et al. RSA-1024 n/a 75,680K D¨ ull et al. (HS) ECC-255 27,800K 13,900K D¨ ull et al. (ME) ECC-255 28,293K 14,146K Aranha et al. ECC-233 11,796K 5,898K This work (HS) LWE-256 671K 275K This work (ME) LWE-256 1,532K 673K . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 58 / 60

  77. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Scheme Enc Dec Liu et al. RSA-1024 n/a 75,680K D¨ ull et al. (HS) ECC-255 27,800K 13,900K D¨ ull et al. (ME) ECC-255 28,293K 14,146K Aranha et al. ECC-233 11,796K 5,898K This work (HS) LWE-256 671K 275K This work (ME) LWE-256 1,532K 673K RSA: 278x faster (DEC, 1024) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 58 / 60

  78. Short Overview Ring-LWE Encryption Scheme Our Implementation Comparison with Related Work Implementation Results Conclusion . Comparison with Related Work . Implementation Scheme Enc Dec Liu et al. RSA-1024 n/a 75,680K D¨ ull et al. (HS) ECC-255 27,800K 13,900K D¨ ull et al. (ME) ECC-255 28,293K 14,146K Aranha et al. ECC-233 11,796K 5,898K This work (HS) LWE-256 671K 275K This work (ME) LWE-256 1,532K 673K RSA: 278x faster (DEC, 1024) ECC: 41x faster (ENC, 255) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 58 / 60

  79. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Outline . . 1 Short Overview . . 2 Ring-LWE Encryption Scheme . . 3 Our Implementation Optimization Techniques for NTT Computation Optimization of the Knuth-Yao Sampler . . 4 Implementation Results Comparison with Related Work . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . . .. . .. . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 59 / 60

  80. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

  81. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform Fast NTT computation: “MOV-and-ADD” + “SAMS2” . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

  82. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform Fast NTT computation: “MOV-and-ADD” + “SAMS2” Reducing the RAM consumption for coefficient . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

  83. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform Fast NTT computation: “MOV-and-ADD” + “SAMS2” Reducing the RAM consumption for coefficient Efficient techniques for Knuth-Yao sampler: “Byte-Scanning” . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

  84. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform Fast NTT computation: “MOV-and-ADD” + “SAMS2” Reducing the RAM consumption for coefficient Efficient techniques for Knuth-Yao sampler: “Byte-Scanning” Faster than RSA (278x) and ECC (41x) . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

  85. Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Conclusion . Compact Ring-LWE encryption for 8-bit platform Fast NTT computation: “MOV-and-ADD” + “SAMS2” Reducing the RAM consumption for coefficient Efficient techniques for Knuth-Yao sampler: “Byte-Scanning” Faster than RSA (278x) and ECC (41x) More information: . . . . . . . . . . . . . . . . . . . . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . . .. .. . .. . .. . .. . .. . .. . .. . .. . .. . 60 / 60

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski Vinod Vaikuntanathan (Weizmann) (University of Toronto) CRYPTO 2011 Outsourcing Computation x Function x f f ( x ) medical records

520 views • 15 slides
CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30 Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . .

497 views • 48 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers

Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers

Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers Google LLC March 28, 2019 Overview The problem The solution Section 1 The problem The problem Hardware (eg ARM CE) makes AES fast

801 views • 24 slides
Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Motivation Security Correctness Performance Bibliography Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R.

851 views • 64 slides
Efficient Join Processing across Heterogeneous Processors Henning Funke, Sebastian Bre, Stefan

Efficient Join Processing across Heterogeneous Processors Henning Funke, Sebastian Bre, Stefan

Efficient Join Processing across Heterogeneous Processors Henning Funke, Sebastian Bre, Stefan Noll, Jens Teubner December 15, 2015 1 / 14 GPUs IN DATABASES ARE LIKE A MUSCLE CAR IN A TRAFFIC JAM 3 / 14 Bottleneck 3 / 14 really? 3 / 14

216 views • 19 slides
Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu, and Lin Lyu 1. Shanghai Jiao Tong University 2. State Key Laboratory of Cryptology 3. Westone Cryptologic Research Center Asiacrypt 2016, Hanoi,

950 views • 73 slides
Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi

Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi

Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi Ma Huiyang Zhou Computer Science Department University of Central Florida Introduction Introduction Modern microprocessors are increasingly

243 views • 21 slides
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo, and Javier Lopez Network, Information and

929 views • 38 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides
Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009 Outline Background New Approach

789 views • 36 slides
Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee Chonbuk National University, Republic of Korea June 14, 2019@ Workshop on Modern Trends in Cryptography Table of contents 1. Introduction 2.

537 views • 25 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David Derler , Tibor Jager , Daniel Slamanig , Christoph Striecks May 3, 2018E urocrypt 2018, Tel Aviv, Israel Key Establishment

1k views • 46 slides
Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza,

Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza,

Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza, Matthieu Moy Univ. Grenoble Alpes Verimag RTSOPS 2016, July 5, 2016 Context PE PE PE PE High Level Language PE PE PE PE i 1 o 1 2 3

248 views • 22 slides
Fresh Breeze A Radical Approach to Massively Parallel Architecture and Programming Jack Dennis

Fresh Breeze A Radical Approach to Massively Parallel Architecture and Programming Jack Dennis

Fresh Breeze A Radical Approach to Massively Parallel Architecture and Programming Jack Dennis MIT-CSAIL Computer Science and Ar:ficial Intelligence Laboratory The Multi Core Challenge Many processing cores provides for high potential

918 views • 42 slides
Autotuning (2.5/2): TCE & Empirical compilers Prof. Richard Vuduc Georgia Institute of

Autotuning (2.5/2): TCE & Empirical compilers Prof. Richard Vuduc Georgia Institute of

Autotuning (2.5/2): TCE & Empirical compilers Prof. Richard Vuduc Georgia Institute of Technology CSE/CS 8803 PNA: Parallel Numerical Algorithms [L.19] Tuesday, March 11, 2008 1 Todays sources CS 267 at UCB (Demmel & Yelick)

840 views • 50 slides
Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06 Class 2 Submission November 14, 2006 Brad Chamberlain, Steve Deitz, Mary Beth Hribar, Wayne Wong Chapel Team, Cray Inc. Overview Chapel:

927 views • 16 slides
Advanced Digital Signal Processing Part 4: DFT and FFT Gerhard Schmidt

Advanced Digital Signal Processing Part 4: DFT and FFT Gerhard Schmidt

Advanced Digital Signal Processing Part 4: DFT and FFT Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel Faculty of Engineering Institute of Electrical and Information Engineering Digital Signal Processing and System Theory DFT and FFT

986 views • 73 slides
Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and

Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and

Recursive neural networks for semantic interpretation Sam Bowman Department of Linguistics and NLP Group Stanford University with help from Chris Manning, Chris Potts, Richard Socher, Jeffrey Pennington, J.T. Chipman Recent progress on deep

664 views • 39 slides
Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA

Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA

Data Management Planning: Get up to date with DMPTool and DMPonline IDCC14 San Francisco, CA February 24, 2014 Who we are DMPOnline DMPTool Sarah Jones Sherry Lake Patrick McCann Sarah Shreeves Marta Ribeiro Who are you?

516 views • 17 slides
TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston

TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston

TYPES FOR EXACT REAL COMPUTATION (USING AERN2/HASKELL) Michal Kone n, Eike Neumann Aston University, Birmingham, UK CCC 2017, Nancy, Loria INTRODUCTION Why Haskell/ML/...? Conveniently supports new abstractions Can express a lot of

469 views • 28 slides
Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier

Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier

Parallel Fast Fourier Transforms Gavin J. Pringle Joahcim Hein Introduction The Fourier Transform What, who, why? Mathematics and and its inherent properties Discrete Fourier Transform Fast Fourier Transform, or FFT

542 views • 42 slides

More recommend