SLIDE 1

20.09.2017

Implementing the NewHope-Simple Key Exchange on Low-Cost FPGAs

Tobias Oder and Tim Güneysu Ruhr-University Bochum

Latincrypt 2017

SLIDE 2

2 NewHope on FPGA | Tobias Oder and Tim Güneysu | Ruhr-University Bochum | 20.09.2017

Public-Key Crypto and Long-Term Security

SLIDE 3

Lattice-Based Cryptography

  • Five main branches of post-quantum crypto:

    – Code-based
    – Lattice-based
    – Hash-based
    – Multivariate-quadratic
    – Supersingular elliptic curve isogenies

SLIDE 4

Standard Lattices vs Ideal Lattices

Ring or ideal lattices

  • smaller parameters
  • faster implementations
  • smaller implementations

But less trust in security due to structure!

Ideal: polynomial multiplication
Standard: matrix-vector multiplication
Module lattices somewhere in between

SLIDE 5

Learning with Errors

Given A and b = As
Task: Find s
➢ Easy to solve

SLIDE 6

Learning with Errors

Given A and b = As
Task: Find s
➢ Easy to solve

Given A and b = As + e
Task: Find s
➢ Hard problem

SLIDE 7

A New Hope - Simple

Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without reconciliation (2016), http://cryptojedi.org/papers/#newhopesimple

SLIDE 8

A New Hope

SLIDE 9

Challenges for HW Implementation

Implementation for Xilinx Artix-7 FPGA

  • NTT for polynomial multiplication in O(n log n)
  • Binomial sampler to generate error polynomials
  • SHAKE-128 for Parse
  • Optimize for low area footprint, but maintain a decent performance
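
Two of the building blocks listed above, as an added Python example (not the authors' VHDL): NTT-based multiplication in Z_q[x]/(x^n + 1), which can be checked against the O(n^2) schoolbook product, and a centered binomial sampler. It assumes NewHope's published parameters q = 12289 and k = 16, which the slides do not state; all function names are hypothetical.

```python
Q = 12289  # NewHope modulus (published parameter set, not stated on the slides)

def find_psi(n, q=Q):
    """Return a primitive 2n-th root of unity mod q, i.e. psi^n = -1 (n a power of two)."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("no 2n-th root of unity for this n and q")

def ntt(a, omega, q=Q):
    """Recursive radix-2 NTT: evaluate a at the powers of omega in O(n log n)."""
    n = len(a)
    if n == 1:
        return a[:]
    w2 = omega * omega % q
    even, odd = ntt(a[0::2], w2, q), ntt(a[1::2], w2, q)
    out, w = [0] * n, 1
    for i in range(n // 2):
        t = w * odd[i] % q
        out[i], out[i + n // 2] = (even[i] + t) % q, (even[i] - t) % q
        w = w * omega % q
    return out

def poly_mul_ntt(a, b, q=Q):
    """Multiply in Z_q[x]/(x^n + 1) via the negative-wrapped convolution."""
    n = len(a)
    psi = find_psi(n, q)
    omega, psi_inv, n_inv = psi * psi % q, pow(psi, -1, q), pow(n, -1, q)
    # Scaling coefficient i by psi^i makes the cyclic NTT product reduce mod x^n + 1.
    fa = ntt([x * pow(psi, i, q) % q for i, x in enumerate(a)], omega, q)
    fb = ntt([x * pow(psi, i, q) % q for i, x in enumerate(b)], omega, q)
    c = ntt([x * y % q for x, y in zip(fa, fb)], pow(omega, -1, q), q)
    return [x * n_inv * pow(psi_inv, i, q) % q for i, x in enumerate(c)]

def poly_mul_schoolbook(a, b, q=Q):
    """O(n^2) reference: x^n wraps around to -1."""
    n = len(a)
    c = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j, 1) if i + j < n else (i + j - n, -1)
            c[k] = (c[k] + sign * x * y) % q
    return c

def sample_binomial(n, rng, k=16, q=Q):
    """Centered binomial noise: difference of two k-bit Hamming weights, mod q."""
    hw = lambda: bin(rng.getrandbits(k)).count("1")
    return [(hw() - hw()) % q for _ in range(n)]
```

Pass a `random.Random` instance as `rng` for experiments only; a real sampler draws its bits from a cryptographic source.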

SLIDE 10

Our Design - Server

SLIDE 11

Our Design - Client

SLIDE 12

Server-side Operations I

SLIDE 13

Client-side Operations

SLIDE 14

Server-side Operations II

SLIDE 15

Comparison

We compare our results with

  • Thomas Pöppelmann and Tim Güneysu: Towards practical lattice-based public-key encryption, SAC 2013
  • Sujoy Sinha Roy and Frederik Vercauteren and Nele Mentens and Donald Donglong Chen and Ingrid Verbauwhede: Compact Ring-LWE based cryptoprocessor, CHES 2014
  • Po-Chun Kuo and Wen-Ding Li and Yu-Wei Chen and Yuan-Che Hsu and Bo-Yuan Peng and Chen-Mou Cheng and Bo-Yin Yang: Post-Quantum Key Exchange on FPGAs, ePrint, 2017

SLIDE 16

Resource consumption

| Implementation | Scheme | LUTs | FFs | BRAMs | DSPs |
|---|---|---|---|---|---|
| Roy et al. | R-LWE Encrypt | 1,536 | 953 | 3 | 1 |
| Pöppelmann et al. | R-LWE Encrypt | 5,595 | 4,760 | 14 | 1 |
| Kuo et al. | NewHope | 12,340 | 6,098 | 14 | 29 |
| Our (server) | NewHope Simple | 5,142 | 4,452 | 4 | 2 |
| Our (client) | NewHope Simple | 4,498 | 4,635 | 4 | 2 |

SLIDE 20

Performance results

| Implementation | Scheme | Frequency | Cycles | µs/Operation |
|---|---|---|---|---|
| Roy et al. (Enc) | R-LWE Encrypt | 278 MHz | 13,300 | 47 |
| Roy et al. (Dec) | R-LWE Encrypt | 278 MHz | 5,800 | 21 |
| Pöppelmann et al. (Enc) | R-LWE Encrypt | 251 MHz | 13,769 | 55 |
| Pöppelmann et al. (Dec) | R-LWE Encrypt | 251 MHz | 8,883 | 35 |
| Kuo et al. (server) | NewHope | 114 MHz | 11,400 | 100 |
| Kuo et al. (client) | NewHope | 114 MHz | 11,300 | 99 |
| Our (server) | NewHope Simple | 125 MHz | 171,124 | 1,369 |
| Our (client) | NewHope Simple | 117 MHz | 179,292 | 1,532 |

SLIDE 22

Comparison

What makes our numbers worse than those of R-LWE implementations?

  • Parameter sizes
  • More components
  • Key generation
  • On-the-fly generation of a
  • Security level

SLIDE 23

Conclusions

  • NewHope-Simple is well suited for implementations on constrained devices

    – Low area footprint
    – Practical performance

  • VHDL source code will be made available for verification soon:

    – http://www.seceng.rub.de/

  • Our implementation is constant time

    – DPA-resistant implementation is future work

SLIDE 24

Thank You For Your Attention! Any Questions?