fpga implementation and comparison of protections against
play

FPGA Implementation and Comparison of Protections Against SCAs for - PowerPoint PPT Presentation

Dec 18, 2022 •13 likes •546 views

FPGA Implementation and Comparison of Protections Against SCAs for RLWE Timo Zijlstra 1 Karim Bigou 2 Arnaud Tisserand 1 1 CNRS Lab-STICC UMR 6285, UBS 2 Universit e de Bretagne Occidentale - Lab-STICC UMR CNRS 6285 December 17, 2019 Timo

  1. FPGA Implementation and Comparison of Protections Against SCAs for RLWE Timo Zijlstra 1 Karim Bigou 2 Arnaud Tisserand 1 1 CNRS Lab-STICC UMR 6285, UBS 2 Universit´ e de Bretagne Occidentale - Lab-STICC UMR CNRS 6285 December 17, 2019 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 1 / 26

  2. Overview RLWE-based Cryptography 1 Side channel vulnerabilities 2 Countermeasures against SCA 3 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 2 / 26

  3. RLWE Encryption scheme [LPR10] LWE cryptography introduced by Regev [Reg05] Ring-LWE (RLWE) first appeared in [LPR10] Keys, ciphertexts are polynomials in Z q [ x ] / ( x n + 1) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 3 / 26

  4. RLWE Encryption scheme [LPR10] LWE cryptography introduced by Regev [Reg05] Ring-LWE (RLWE) first appeared in [LPR10] Keys, ciphertexts are polynomials in Z q [ x ] / ( x n + 1) Alice ( KeyGen , Decrypt ) : Bob ( Encrypt ) : $ ← − random polynomial a $ ← − poly w/ small coefficients s , e a , b $ b ← a · s + e − − → e 1 , e 2 , e 3 ← − small c 1 ← a · e 1 + e 2 µ ′ ← D ( c 2 − c 1 · s ) c 1 , c 2 ← − − − c 2 ← b · e 1 + e 3 + E ( µ ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 3 / 26

  5. Encryption scheme in pictures 1. Encode E : 0 �→ 0 and 1 �→ q 2 . q/4 q/2 0 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  6. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  7. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 3. Decryption : result is close to E ( µ ). q/4 q/2 0 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  8. Encryption scheme in pictures 2. Encryption : ciphertext coefficient 1. Encode E : 0 �→ 0 and 1 �→ q 2 . distribution is uniformly random over Z q . q/4 q/4 q/2 0 q/2 0 3q/4 3q/4 3. Decryption : result is close to E ( µ ). 4. Decode D : left �→ 1, right �→ 0 q/4 q/4 q/2 1 0 q/2 0 0 3q/4 3q/4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 4 / 26

  9. Decryption function Input: ciphertext c 1 , c 2 Compute d = c 2 − c 1 · s Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 5 / 26

  10. Decryption function Input: ciphertext c 1 , c 2 Compute d = c 2 − c 1 · s → use NTT: d ← c 2 − NTT − 1 ( ˆ c 1 · ˆ s ) Multiplication in NTT domain is point-wise: � � c 1 · ˆ s = c 1 , 1 · ˆ mod q , . . . , ˆ c 1 , n · ˆ mod q ˆ ˆ s 1 s n 1 polynomial multipication takes n multiplications in Z q Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 5 / 26

  11. Side Channel Analysis model Attack each modular multiplication separately during decryption Hypothesis: for each c · s mod q , the power trace allows to guess: HW( c · s mod q ) + N (0 , σ ) HW modular memory mul. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 6 / 26

  12. Side Channel Analysis model Attack each modular multiplication separately during decryption Hypothesis: for each c · s mod q , the power trace allows to guess: HW( c · s mod q ) + N (0 , σ ) HW modular memory mul. CPA Attack: 1 Generate random ciphertexts 2 Predict power traces 3 Measure power traces during decryption 4 Compute correlation between traces and predictions 5 Maximum correlation is obtained for the correct guess Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 6 / 26

  13. Side Channel Attack simulation Simulate CPA in SageMath: Machine executing one instruction per cycle Correlations from CPA: Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 7 / 26

  14. Countermeasures Randomize computations How to obtain correct results from randomized computations? Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  15. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  16. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  17. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Permutation (randomize the order of computations) 3 We propose 2 methods Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  18. Countermeasures Randomize computations How to obtain correct results from randomized computations? Masking [RRVV15] 1 [RRVV15] reports FPGA implementation Masked decryption 3 times slower than unmasked We optimize and re-implement it on FPGA Blinding and Shifting [Saa18] 2 We implement on FPGA Permutation (randomize the order of computations) 3 We propose 2 methods Redundant secret key representation 4 Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 8 / 26

  19. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  20. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) 1 Pick some random a , b ∈ Z / q Z and compute ( ab ) − 1 2 Compute a c 1 · b s Reminder 3 Multiply by ( ab ) − 1 and subtract c 2 Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) to obtain correct d 4 Decode → [Saa18]: use pre-computed roots of unity ω i , ω j , ω n − i − j Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  21. Countermeasure: Blinding [Saa18] For all integers a , b : a c 1 · b s = ( ab )( c 1 · s ) 1 Pick some random a , b ∈ Z / q Z and compute ( ab ) − 1 2 Compute a c 1 · b s Reminder 3 Multiply by ( ab ) − 1 and subtract c 2 Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) to obtain correct d 4 Decode → [Saa18]: use pre-computed roots of unity ω i , ω j , ω n − i − j Computation of c 1 · s randomized at each run. d is not randomized = ⇒ decoding algorithm is not protected → use the blinding method in combination with another countermeasure. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 9 / 26

  22. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  23. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) In Z q [ x ] / ( x n + 1) : multiply by x i ⇐ ⇒ shift i positions to the right → easy to compute NTT domain: pointwise multiplication by NTT ( x i ) = (1 , ω i , ω 2 i , . . . ) → still easy to compute (since ω i is pre-computed for all i < n ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  24. Countermeasure: Shifting [Saa18] 1 Multiply s and c 1 by x i and x j respectively, for random i , j < n 2 Obtain c 1 s x i + j 3 Multiply by x − ( i + j ) In Z q [ x ] / ( x n + 1) : multiply by x i ⇐ ⇒ shift i positions to the right → easy to compute NTT domain: pointwise multiplication by NTT ( x i ) = (1 , ω i , ω 2 i , . . . ) → still easy to compute (since ω i is pre-computed for all i < n ) Shifted decryption: 1 Get random indices i , j < n 2 Compute NTT ( x i ) ⊙ s , NTT ( x j ) ⊙ c 1 and NTT ( x i + j ) ⊙ c 2 3 Decrypt and shift i + j positions to the left. Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 10 / 26

  25. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

  26. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . 1 Generate a uniform random s ′ and let s ′′ ← s − s ′ . → then s = s ′ + s ′′ . Reminder Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

  27. Countermeasure: Masked Decryption [RRVV15] Use linearity: a ( b + c ) = ab + ac . 1 Generate a uniform random s ′ and let s ′′ ← s − s ′ . → then s = s ′ + s ′′ . Reminder 2 Compute (part of) the decryption function for both shares: Decrypt ( c 1 , c 2 ) = D ( c 2 − c 1 s ) d ′ ← c 2 − c 1 s ′ d ′′ ← − c 1 s ′′ Then D ( d ′ + d ′′ ) = µ . Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 11 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the performance of them, we Abstract choose different models for each platform to get fairer FIR filters find place in digital signal processing

569 views • 7 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F.

Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F.

Efficient FPGA implementation of a Digital Transparent Satellite Processor G. Marini, V. Sulli, F. Santucci, M. Faccio University of LAquila, LAquila, Italy Outline Introduction Problem Definition Resolution Method FPGA

1.27k views • 22 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

FPGA implementation of Quantized (Deep) Neural Network (QNN) Accelerators Biruk Seyoum Phd Student, Scoula Superiore SantAnna, Pisa Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing FPGA DNN

587 views • 23 slides
FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing

FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing

FPGA Implementation of an Asynchronous Processor with Both Online and Offline Testing Capabilities Nikolaos Minas Matthew Marshall Gordon Russell Alex Yakovlev Outline Introduction. Error Detection/Correction overview. Information

730 views • 27 slides
FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

2/21/2012 Content FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers Distributed RAM History FPGA vs ASIC FPGA and Microprocessors Alternatives to FPGAs ETI135, Advanced Digital IC Design

123 views • 10 slides
Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand

Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand

BRAM DSP URAM Scaling the Cascades Interconnect-aware FPGA implementation of Machine Learning problems Anand Samajdar, Tushar Garg, Tushar Krishna, Nachiket Kapre nachiket@uwaterloo.ca Claim Hard FPGA interconnect (cascades) e ffi ciently

993 views • 82 slides
A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2

A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2

A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1 , 2 Thomas Peyrin 2 Axel Poschmann 2 , 3 1 Society for Electronic Transactions and Security (SETS), India 2 Nanyang Technological University (NTU), Singapore 3 NXP

523 views • 34 slides
WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs Generic logic cells + Programmable switches Why do we use it? High performance &amp; Flexible Shorter time to market Joachim Rodrigues

308 views • 8 slides
An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr.

An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr.

An FPGA Implementation of Reciprocal Sums for SPME Sam Lee and Paul Chow Edward S. Rogers Sr. Department of Electrical and Computer Engineering University of Toronto Objectives Accelerate part of Molecular Dynamics Simulation Smooth

666 views • 34 slides
Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp Koppermann, Fabrizio De Santis, Johann Heyszl and Georg Sigl History of High-Speed Curve Cryptography over Prime Fields 1 Point Addition on a

319 views • 16 slides
CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle

CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle

CSEE 4840 Embedded Systems LABYRINTH Dijkstras implementation on FPGA Ariel Faria Michelle Valente Utkarsh Gupta Veton Saliu Under the guidance of Prof. Stephen Edwards Overview and objectives Single source shortest path

641 views • 12 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive &amp; Secure Computing Systems Lab Department of Electrical &amp; Computer Engineering Boston

964 views • 48 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA? Field-programmable gate array (FPGA) are integrated circuits designed to be con fi gured after manufacturing for implementing arbitrary logic

429 views • 15 slides
BBR Congestion Control: IETF 100 Update: BBR in shallow buffers Neal Cardwell, Yuchung Cheng, C.

BBR Congestion Control: IETF 100 Update: BBR in shallow buffers Neal Cardwell, Yuchung Cheng, C.

BBR Congestion Control: IETF 100 Update: BBR in shallow buffers Neal Cardwell, Yuchung Cheng, C. Stephen Gunn, Soheil Hassas Yeganeh Ian Swett, Jana Iyengar, Victor Vasiliev Van Jacobson https://groups.google.com/d/forum/bbr-dev IETF 100:

477 views • 36 slides
Moment Matrices, Trace Matrices and the Radical of Ideals Agnes Szanto North Carolina State

Moment Matrices, Trace Matrices and the Radical of Ideals Agnes Szanto North Carolina State

Moment Matrices, Trace Matrices and the Radical of Ideals Agnes Szanto North Carolina State University In collaboration with Itnuit Janovitz-Freireich (North Carolina State University) Bernard Mourrain (GALAAD, INRIA), Lajos R onyai

857 views • 57 slides
Borel-de Siebenthal theory for real affine root systems R. Venkatesh Department of Mathematics,

Borel-de Siebenthal theory for real affine root systems R. Venkatesh Department of Mathematics,

Borel-de Siebenthal theory for real affine root systems R. Venkatesh Department of Mathematics, Indian Institute of Science, Bangalore, India June 04, 2018 R. Venkatesh Borel-de Siebenthal theory for real affine root systems Definitions Our

1.08k views • 74 slides
Roy L. Crole University of Leicester, UK Midlands Graduate School, University

Roy L. Crole University of Leicester, UK Midlands Graduate School, University

Midlands Graduate School, University of Birmingham, April 2008 1 Operational Semantics Abstract Machines and Correctness Roy L. Crole University of Leicester, UK Midlands Graduate School, University of

1.4k views • 110 slides
Classification Department Biosysteme Karsten Borgwardt Data Mining Course Basel Fall Semester

Classification Department Biosysteme Karsten Borgwardt Data Mining Course Basel Fall Semester

Classification Department Biosysteme Karsten Borgwardt Data Mining Course Basel Fall Semester 2016 66 / 164 What is Classification? Problem Given an object, which class of objects does it belong to? Given object x , predict its class label y

1.01k views • 99 slides
Securing Materialized Views: a Rewriting-Based Approach Sarah Nait Bahloul, Emmanuel Coquery and

Securing Materialized Views: a Rewriting-Based Approach Sarah Nait Bahloul, Emmanuel Coquery and

Securing Materialized Views: a Rewriting-Based Approach Sarah Nait Bahloul, Emmanuel Coquery and Mohand-Sad Hacid Universit de Lyon, France First Franco-American Workshop Security Outline Context Problem statement Related work

421 views • 31 slides
Non Convex Minimization using Convex Relaxation Some Hints to Formulate Equivalent Convex Energies

Non Convex Minimization using Convex Relaxation Some Hints to Formulate Equivalent Convex Energies

Non Convex Minimization using Convex Relaxation Some Hints to Formulate Equivalent Convex Energies Mila Nikolova ( CMLA, ENS Cachan, CNRS, France ) SIAM Imaging Conference (IS14) Hong Kong Minitutorial: May 13, 2014 Outline 1. Energy

455 views • 26 slides
Introduction to Seaborn DATA VIS UALIZ ATION W ITH S EABORN Chris Moftt Instructor Python

Introduction to Seaborn DATA VIS UALIZ ATION W ITH S EABORN Chris Moftt Instructor Python

Introduction to Seaborn DATA VIS UALIZ ATION W ITH S EABORN Chris Moftt Instructor Python Visualization Landscape The python visualization landscape is complex and can be overwhelming DATA VISUALIZATION WITH SEABORN Matplotlib

438 views • 18 slides

More recommend