high speed instruction set coprocessor for lattice based
play

High-speed Instruction-set Coprocessor for Lattice-based Key - PowerPoint PPT Presentation

Aug 20, 2022 •104 likes •482 views

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

  1. High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020

  2. Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA + 20] reported that “SABER is one of the most promising KEM schemes to be considered for stan- dardization at the end of the third round.” Saber’s unique design choices • Different implementation approaches from other lattice-based protocols • Non-NTT based polynomial multipliers 1/15

  3. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () seed A , b A T · s ⌊︂ p ⌉︂ b = b b q A A 2/15

  4. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m ⌊︂ T b T s ′ + T ⌉︂ c m = b p b 2 m 2/15

  5. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m Decryption v = b ′ b ′ T s b ′ ⌊︂ T b T s ′ + T ⌉︂ c m = b ⌊︂ 2 p b 2 m ⌉︂ m = q ( v − p T c m ) 2/15

  6. The Saber protocol [DKSRV18] seed A ← random () Key Generation A = gen ( seed A ) A A s ← small _ vec () A = gen ( seed A ) A A seed A , b A T · s ⌊︂ p ⌉︂ b = s ′ ← small _ vec () Encryption b b q A A ⌊︂ p A · s ′ ⌉︂ b ′ b ′ b ′ = q A A b ′ , c m Decryption v = b ′ b ′ T s b ′ ⌊︂ T b T s ′ + T ⌉︂ c m = b ⌊︂ 2 p b 2 m ⌉︂ m = q ( v − p T c m ) Key Encapsulation Mechanism Saber.KEM is obtained via the Fujisaki-Okamoto (FO) transform. Implementation-wise, the FO consists mainly of SHA/SHAKE calls. 2/15

  7. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE 2. Computing polynomial multiplication 3/15

  8. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication 3/15

  9. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication 3/15

  10. Performance bottlenecks The majority of computations involve 1. SHA/SHAKE – 70/80% of computations in software – Keccak is very fast in hardware – High-speed implementation by the Keccak team – Serialized SHA(KE) in Saber −→ one core 2. Computing polynomial multiplication – The main focus of this work 3/15

  11. Polynomial multiplication in Saber The main characteristics • Module-LWR – Different module ranks for different security levels – All polynomials have degree 255 • Small secrets – Secret polynomial coefficients in [ − 3 , 3 ] , [ − 4 , 4 ] or [ − 5 , 5 ] • Power-of-2 moduli – Multiplication modulo 2 13 or 2 10 – Free modular reduction – No NTT 4/15

  12. Our polynomial multiplication approach The alternatives to NTT The Number Theoretic Transform (NTT) requires the modulus to be prime In software: improved Toom-Cook ([BMKV20], also at CHES 2020) In hardware: • Toom-Cook/Karatsuba not convenient because recursive • High parallelism • Ad-hoc solutions 5/15

  13. Our polynomial multiplication approach The alternatives to NTT The Number Theoretic Transform (NTT) requires the modulus to be prime In software: improved Toom-Cook ([BMKV20], also at CHES 2020) In hardware: • Toom-Cook/Karatsuba not convenient because recursive ⇒ Schoolbook algorithm • High parallelism • Ad-hoc solutions 5/15

  14. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 for i = 0 ; i < 256 ; i++ do for j = 0 ; j < 256 ; j++ do acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 return acc 6/15

  15. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 for i = 0 ; i < 256 ; i++ do for j = 0 ; j < 256 ; j++ do acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 return acc negacyclic shift 6/15

  16. The schoolbook algorithm The alternatives to NTT Algorithm: Schoolbook algorithm acc ( x ) ← 0 Advantages for i = 0 ; i < 256 ; i++ do • Simple implementation for j = 0 ; j < 256 ; j++ do • High flexibility acc [ j ] = acc [ j ] + b [ j ] · a [ i ] b = b · x mod 〈 x 256 + 1 〉 • Great performance return acc negacyclic shift 6/15

  17. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction 1 acc[i] 7/15

  18. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction ⇓ 1 A MAC unit requires little area (50 LUTs) acc[i] 7/15

  19. Multiply and ACcumulate (MAC) units How to compute coefficient-wise operations s[i] a[j] MAC • Small secrets −→ bitshift & add multiplication • Power-of-two moduli −→ no modular reduction ⇓ 1 A MAC unit requires little area (50 LUTs) We use 256 MACs in parallel acc[i] 7/15

  20. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  21. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  22. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  23. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  24. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier 8/15

  25. The polynomial multiplier BRAM small polynomial buffer coeffcient secret polynomial selector 4 ... MAC MAC MAC polynomial accumulator multiplier Performance A full polynomial multiplication can be computed in 256 cycles! 8/15

  26. The full architecture An instruction-set coprocessor architecture Polynomial Vector-Vector Advantages Multiplier Data input and output • Modularity SHA3-256/ SHA3-512/ ⇓ SHAKE128 Communication • Generic framework Controller Bus Manager Binomial … ⇓ Sampler Data Memory • Other protocols (Block RAM) AddPack • Programmability AddRound Program Memory Verify Disadvantages CMOV • No parallelism CopyWords 9/15

  27. s[i] a[j] s[i] a[j] s[i-1] a[j+1] MAC MAC 1 1 acc[i] acc[i] Design extendability Unified architecture • LightSaber • Saber • FireSaber 10/15

  28. Design extendability Unified architecture s[i] a[j] s[i] a[j] s[i-1] a[j+1] • LightSaber MAC MAC • Saber • FireSaber ⇒ 1 1 Performance/area trade-offs • 512 multipliers acc[i] acc[i] • ∼ 20 % improvement in speed 10/15

  29. Performance Results Running on a Ultrascale+ XCZU9EG-2FFVB1156 FPGA Key Generation Encapsulation Decapsulation Polynomial multiplication Keccak computations Other operations Total cycles 5,453 6,618 8,034 21.8 μ μ s μ 26.5 μ μ μ s 32.1 μ μ μ s Total time Throughput 45,872 op/s 37,776 op/s 31,118 op/s 11/15

  30. Area Results Running on a Ultrascale+ XCZU9EG-2FFVB1156 FPGA LUTs Flip flops DSPs BRAM Tiles Total 23,686 0 2 9,805 % 8.6 % 0 % 0.2 % 1.8 % It is possible to fit 11 coprocessors, achieving a throughput of 504k / 416k / 342k op/s 12/15

  31. Comparisons to other work Time in μ s Implementation Platform Frequency Area Key Encps Decps (MHz) LUT FF DSP BRAM Kyber [DFA + 20] Virtex-7 - 17.1 23.3 245 14k 11k 8 14 NewHope [ZYC + 20] Artix-7 40 62.5 24 200 6.8k 4.4k 2 8 FrodoKEM [HOKG18] Artix-7 45K 45K 47K 167 7.7K 3.5K 1 24 Virtex-7 ∗ SIKE [MLRB20] 8K 14K 15K 142 21K 14K 162 38 Saber [BMTK + 20] Artix-7 ∗ 3K 4K 3K 125 7.4K 7.3K 28 2 UltraScale+ ∗ Saber [DFAG19] - 60 65 322 13K 12K 256 4 Saber [this work] UltraScale+ 21.8 26.5 32.1 250 24K 10K 0 2 13/15 ∗ : HW/SW codesign

  32. Future work Other protocols • Kyber and other lattice-based schemes • Signature schemes? Lightweight implementation • Fewer multipliers Side-channel resistance • Masked implementation • Handle small coefficients 14/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power

RTD-based High Speed and Low RTD-based High Speed and Low Power Integrated Circuits Power Integrated Circuits 2009. 04. 27 Kwangseok Seo Seoul National University Outline Outline Introduction RTD/HEMT Integration Technology

369 views • 22 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design &amp; Programming CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcenden- tal functions and logarithms. Data types

361 views • 12 slides
Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder

Sean Graves PhD Visi-Trak Sensors Charlottesville VA High Speed/High Resolution Encoder Interface for Overview New linear position/velocity sensor Non-contact High resolution High speed Based on proven

320 views • 27 slides
A Standard f A S tandard for or High Quality High Quality Instruction Instruction

A Standard f A S tandard for or High Quality High Quality Instruction Instruction

Charles Smith, Ph.D. Executive Director, David P. Weikart Center for Youth Program Quality #readyby21 A Standard f A S tandard for or High Quality High Quality Instruction Instruction Higherorderengagement

386 views • 36 slides
1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

Performance Introduction Many factors impact performance: Technology: basic circuit speed (clock speed, usually in MHz, now in GHz - billions of cycles per second) process technology (# of transistors per chip) Organization:

138 views • 3 slides
Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine

Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine

Using Machine Learning for Intent-based Provisioning in High-Speed Science Network Hocine Mahtout, Mariam Kiran, Anu Mercian, Bashir Mohammad Lawrence Berkeley National Lab HPE SNTA 2020 1 Problem Statement Intent-based networking research

1.27k views • 26 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

Systems Design &amp; Programming Coprocessor CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcendental functions and logarithms. Data types include 16-, 32- and 64-bit signed

441 views • 12 slides
Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on

Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on

Easy Tank Speed Log 2017-05-18 2 Consilium STW Speed Log with Easy Installation Based on proven Acoustic Correlation principle Easy calibration Well proven technology 2017-05-18 3 Consilium High Performance Speed Log

367 views • 13 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &amp; Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

953 views • 57 slides
Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for Transportation Co., Ltd. (JIC) Index Trend of the HSR Project HSR Project in The World Superiority of Introducing HSR Transport Needs

1.02k views • 25 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor

High speed CMOS image sensors Wim Wuyts Sr. Staff Applications Engineer Cypress Semiconductor Corporation Belgium Vision 2006 P E R F O R M Outline Introduction Architecture Analog high speed CIS Digital high speed CIS

593 views • 32 slides
Simple Optimal Hitting Sets for Small-Success RL William M. Hoza 1 David Zuckerman 2 The

Simple Optimal Hitting Sets for Small-Success RL William M. Hoza 1 David Zuckerman 2 The

Simple Optimal Hitting Sets for Small-Success RL William M. Hoza 1 David Zuckerman 2 The University of Texas at Austin October 7 FOCS 2018 1Supported by the NSF GRFP under Grant DGE-1610403 and by a Harrington Fellowship from UT Austin

984 views • 84 slides
Heap Recycling for Lazy Languages Stefan Holdermans (Joint work with Jurriaan Hage) Dept. of

Heap Recycling for Lazy Languages Stefan Holdermans (Joint work with Jurriaan Hage) Dept. of

[ Faculty of Science Information and Computing Sciences] Heap Recycling for Lazy Languages Stefan Holdermans (Joint work with Jurriaan Hage) Dept. of Information and Computing Sciences, Utrecht University P.O. Box 80.089, 3508 TB Utrecht, The

369 views • 17 slides
Colorados Accountable Care Collaborative Phase II An Overview Kathryn M. Jantz ACC

Colorados Accountable Care Collaborative Phase II An Overview Kathryn M. Jantz ACC

Colorados Accountable Care Collaborative Phase II An Overview Kathryn M. Jantz ACC Strategy Lead What do we want the Medicaid healthcare delivery system to look like? 2 3 Medicaid Caseload Medicaid Caseload 1997-2015 Actuals and

566 views • 28 slides
3. Monte Carlo Simulations Understanding Molecular Simulation Molecular Simulations Molecular

3. Monte Carlo Simulations Understanding Molecular Simulation Molecular Simulations Molecular

3. Monte Carlo Simulations Understanding Molecular Simulation Molecular Simulations Molecular dynamics : solve equations of motion r 1 r 2 r n Monte Carlo : importance sampling r 1 r 2 r n Understanding Molecular Simulation Monte Carlo

1.02k views • 50 slides
Transactional Forest Strong Consistency for File Stores Jonathan DiLorenzo (Cornell)

Transactional Forest Strong Consistency for File Stores Jonathan DiLorenzo (Cornell)

Transactional Forest Strong Consistency for File Stores Jonathan DiLorenzo (Cornell) Kathleen Fisher (Tufts) Nate Foster (Cornell) Hugo Pacheco (Cornell) Richard Zhang (Cornell) WG 2.8 Kefalonia High-level languages o fg er a rich set

215 views • 19 slides
MDS/MPN MPN MDS Clonal hematopoietic stem cell disorders Overexuberant production of

MDS/MPN MPN MDS Clonal hematopoietic stem cell disorders Overexuberant production of

Discolosures Consulting income from Promedior, Inc. Advances in the Diagnosis of Myeloproliferative Neoplasms Robert P Hasserjian, MD Associate Professor Massachusetts General Hospital and Harvard Medical School Ineffective hematopoiesis

317 views • 20 slides
12/7/2012 1 12/7/2012 Chronic Myeloid Leukemia Chronic Myeloid Leukemia Diagnosis and

12/7/2012 1 12/7/2012 Chronic Myeloid Leukemia Chronic Myeloid Leukemia Diagnosis and

12/7/2012 1 12/7/2012 Chronic Myeloid Leukemia Chronic Myeloid Leukemia Diagnosis and Treatment Update Diagnosis and Treatment Update Neil Shah, MD PhD Division of Hematology/Oncology UCSF School of Medicine San Francisco, California CML

392 views • 15 slides
HSCT in childhood leukemia 29 th June, 2019 Kleebsabai Sanpakit, MD Division of

HSCT in childhood leukemia 29 th June, 2019 Kleebsabai Sanpakit, MD Division of

Wisdom of the Land HSCT in childhood leukemia 29 th June, 2019 Kleebsabai Sanpakit, MD Division of Hematology/Oncology Department of Pediatrics Faculty of Medicine, Siriraj Hospital Mahidol University Topics outline Overview principles of

506 views • 35 slides

More recommend