implementing post quantum cryptography
play

Implementing post-quantum cryptography Peter Schwabe Radboud - PowerPoint PPT Presentation

Apr 27, 2023 •269 likes •1.44k views

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

  1. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” ◮ Reasons: ◮ Cache-bank conflicts ◮ Failed store-to-load forwarding ◮ . . . Implementing post-quantum cryptography 10

  2. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” ◮ Reasons: ◮ Cache-bank conflicts ◮ Failed store-to-load forwarding ◮ . . . ◮ OpenSSL is using it in BN_mod_exp_mont_consttime Implementing post-quantum cryptography 10

  3. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” ◮ Reasons: ◮ Cache-bank conflicts ◮ Failed store-to-load forwarding ◮ . . . ◮ OpenSSL is using it in BN_mod_exp_mont_consttime ◮ Brickell (Intel), 2011: yeah, it’s fine as a countermeasure Implementing post-quantum cryptography 10

  4. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” ◮ Reasons: ◮ Cache-bank conflicts ◮ Failed store-to-load forwarding ◮ . . . ◮ OpenSSL is using it in BN_mod_exp_mont_consttime ◮ Brickell (Intel), 2011: yeah, it’s fine as a countermeasure ◮ Bernstein, Schwabe, 2013: Demonstrate timing variability for access within one cache line Implementing post-quantum cryptography 10

  5. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” ◮ Reasons: ◮ Cache-bank conflicts ◮ Failed store-to-load forwarding ◮ . . . ◮ OpenSSL is using it in BN_mod_exp_mont_consttime ◮ Brickell (Intel), 2011: yeah, it’s fine as a countermeasure ◮ Bernstein, Schwabe, 2013: Demonstrate timing variability for access within one cache line ◮ Yarom, Genkin, Heninger: CacheBleed attack “is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures).” Implementing post-quantum cryptography 10

  6. Countermeasure uint32_t table[TABLE_LENGTH]; uint32_t lookup(size_t pos) { size_t i; int b; uint32_t r = table[0]; for(i=1;i<TABLE_LENGTH;i++) { b = (i == pos); cmov(&r, &table[i], b); // See "eliminating branches" } return r; } Implementing post-quantum cryptography 11

  7. Countermeasure uint32_t table[TABLE_LENGTH]; uint32_t lookup(size_t pos) { size_t i; int b; uint32_t r = table[0]; for(i=1;i<TABLE_LENGTH;i++) { b = (i == pos); /* DON’T! Compiler may do funny things! */ cmov(&r, &table[i], b); } return r; } Implementing post-quantum cryptography 11

  8. Countermeasure uint32_t table[TABLE_LENGTH]; uint32_t lookup(size_t pos) { size_t i; int b; uint32_t r = table[0]; for(i=1;i<TABLE_LENGTH;i++) { b = isequal(i, pos); cmov(&r, &table[i], b); } return r; } Implementing post-quantum cryptography 11

  9. Countermeasure, part 2 int isequal(uint32_t a, uint32_t b) { size_t i; uint32_t r = 0; unsigned char *ta = (unsigned char *)&a; unsigned char *tb = (unsigned char *)&b; for(i=0;i<sizeof(uint32_t);i++) { r |= (ta[i] ^ tb[i]); } r = (-r) >> 31; return (int)(1-r); } Implementing post-quantum cryptography 11

  10. Part II: How to make software fast Implementing post-quantum cryptography 12

  11. Vector computations Scalar computation Vectorized computation ◮ Load 32 -bit integer a ◮ Load 4 consecutive 32 -bit integers ( a 0 , a 1 , a 2 , a 3 ) ◮ Load 32 -bit integer b ◮ Load 4 consecutive 32 -bit integers ◮ Perform addition ( b 0 , b 1 , b 2 , b 3 ) c ← a + b ◮ Perform addition ( c 0 , c 1 , c 2 , c 3 ) ← ◮ Store 32 -bit integer c ( a 0 + b 0 , a 1 + b 1 , a 2 + b 2 , a 3 + b 3 ) ◮ Store 128 -bit vector ( c 0 , c 1 , c 2 , c 3 ) Implementing post-quantum cryptography 13

  12. Vector computations Scalar computation Vectorized computation ◮ Load 32 -bit integer a ◮ Load 4 consecutive 32 -bit integers ( a 0 , a 1 , a 2 , a 3 ) ◮ Load 32 -bit integer b ◮ Load 4 consecutive 32 -bit integers ◮ Perform addition ( b 0 , b 1 , b 2 , b 3 ) c ← a + b ◮ Perform addition ( c 0 , c 1 , c 2 , c 3 ) ← ◮ Store 32 -bit integer c ( a 0 + b 0 , a 1 + b 1 , a 2 + b 2 , a 3 + b 3 ) ◮ Store 128 -bit vector ( c 0 , c 1 , c 2 , c 3 ) ◮ Perform the same operations on independent data streams (SIMD) ◮ Vector instructions available on most “large” processors ◮ Instructions for vectors of bytes, integers, floats . . . Implementing post-quantum cryptography 13

  13. Vector computations Scalar computation Vectorized computation ◮ Load 32 -bit integer a ◮ Load 4 consecutive 32 -bit integers ( a 0 , a 1 , a 2 , a 3 ) ◮ Load 32 -bit integer b ◮ Load 4 consecutive 32 -bit integers ◮ Perform addition ( b 0 , b 1 , b 2 , b 3 ) c ← a + b ◮ Perform addition ( c 0 , c 1 , c 2 , c 3 ) ← ◮ Store 32 -bit integer c ( a 0 + b 0 , a 1 + b 1 , a 2 + b 2 , a 3 + b 3 ) ◮ Store 128 -bit vector ( c 0 , c 1 , c 2 , c 3 ) ◮ Perform the same operations on independent data streams (SIMD) ◮ Vector instructions available on most “large” processors ◮ Instructions for vectors of bytes, integers, floats . . . ◮ Need to interleave data items (e.g., 32 -bit integers) in memory ◮ Compilers will not help with vectorization Implementing post-quantum cryptography 13

  14. Vector computations Scalar computation Vectorized computation ◮ Load 32 -bit integer a ◮ Load 4 consecutive 32 -bit integers ( a 0 , a 1 , a 2 , a 3 ) ◮ Load 32 -bit integer b ◮ Load 4 consecutive 32 -bit integers ◮ Perform addition ( b 0 , b 1 , b 2 , b 3 ) c ← a + b ◮ Perform addition ( c 0 , c 1 , c 2 , c 3 ) ← ◮ Store 32 -bit integer c ( a 0 + b 0 , a 1 + b 1 , a 2 + b 2 , a 3 + b 3 ) ◮ Store 128 -bit vector ( c 0 , c 1 , c 2 , c 3 ) ◮ Perform the same operations on independent data streams (SIMD) ◮ Vector instructions available on most “large” processors ◮ Instructions for vectors of bytes, integers, floats . . . ◮ Need to interleave data items (e.g., 32 -bit integers) in memory ◮ Compilers will not really help with vectorization Implementing post-quantum cryptography 13

  15. Why is this so great? ◮ Consider the Intel Skylake processor Implementing post-quantum cryptography 14

  16. Why is this so great? ◮ Consider the Intel Skylake processor ◮ 32-bit load throughput: 2 per cycle ◮ 32-bit add throughput: 4 per cycle ◮ 32-bit store throughput: 1 per cycle Implementing post-quantum cryptography 14

  17. Why is this so great? ◮ Consider the Intel Skylake processor ◮ 32-bit load throughput: 2 per cycle ◮ 32-bit add throughput: 4 per cycle ◮ 32-bit store throughput: 1 per cycle ◮ 256-bit load throughput: 2 per cycle ◮ 8 × 32-bit add throughput: 3 per cycle ◮ 256-bit store throughput: 1 per cycle Implementing post-quantum cryptography 14

  18. Why is this so great? ◮ Consider the Intel Skylake processor ◮ 32-bit load throughput: 2 per cycle ◮ 32-bit add throughput: 4 per cycle ◮ 32-bit store throughput: 1 per cycle ◮ 256-bit load throughput: 2 per cycle ◮ 8 × 32-bit add throughput: 3 per cycle ◮ 256-bit store throughput: 1 per cycle ◮ Vector instructions are almost as fast as scalar instructions but do 8 × the work Implementing post-quantum cryptography 14

  19. Why is this so great? ◮ Consider the Intel Skylake processor ◮ 32-bit load throughput: 2 per cycle ◮ 32-bit add throughput: 4 per cycle ◮ 32-bit store throughput: 1 per cycle ◮ 256-bit load throughput: 2 per cycle ◮ 8 × 32-bit add throughput: 3 per cycle ◮ 256-bit store throughput: 1 per cycle ◮ Vector instructions are almost as fast as scalar instructions but do 8 × the work ◮ Situation on other architectures/microarchitectures is similar ◮ Reason: cheap way to increase arithmetic throughput (less decoding, address computation, etc.) Implementing post-quantum cryptography 14

  20. Take-home message “Big multipliers are pre-quantum, vectorization is post-quantum” Implementing post-quantum cryptography 15

  21. Standard-lattice-based schemes ◮ Standard-lattices operate on matrices over Z q , for “small” q ◮ These are trivially vectorizable ◮ So trivial that even compilers may do it! Implementing post-quantum cryptography 16

  22. Standard-lattice-based schemes ◮ Standard-lattices operate on matrices over Z q , for “small” q ◮ These are trivially vectorizable ◮ So trivial that even compilers may do it! ◮ Standard-lattice-based signatures (e.g., Bai-Galbraith): ◮ Multiple attempts for signing (rejection sampling) ◮ Each attempt: compute Av for fixed A Implementing post-quantum cryptography 16

  23. Standard-lattice-based schemes ◮ Standard-lattices operate on matrices over Z q , for “small” q ◮ These are trivially vectorizable ◮ So trivial that even compilers may do it! ◮ Standard-lattice-based signatures (e.g., Bai-Galbraith): ◮ Multiple attempts for signing (rejection sampling) ◮ Each attempt: compute Av for fixed A ◮ More efficient: ◮ Compute multiple products Av i ◮ Typically ignore some results Implementing post-quantum cryptography 16

  24. Standard-lattice-based schemes ◮ Standard-lattices operate on matrices over Z q , for “small” q ◮ These are trivially vectorizable ◮ So trivial that even compilers may do it! ◮ Standard-lattice-based signatures (e.g., Bai-Galbraith): ◮ Multiple attempts for signing (rejection sampling) ◮ Each attempt: compute Av for fixed A ◮ More efficient: ◮ Compute multiple products Av i ◮ Typically ignore some results ◮ Reason: reuse coefficients of A in cache Implementing post-quantum cryptography 16

  25. Structured lattices ◮ Structured lattices (NTRU, RLWE, MLWE) work with polynomials ◮ Most important operation: multiply polynomials ◮ Obvious question: How do we vectorize polynomial multiplication? Implementing post-quantum cryptography 17

  26. Structured lattices ◮ Structured lattices (NTRU, RLWE, MLWE) work with polynomials ◮ Most important operation: multiply polynomials ◮ Obvious question: How do we vectorize polynomial multiplication? ◮ Let’s take an example: r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Implementing post-quantum cryptography 17

  27. Structured lattices ◮ Structured lattices (NTRU, RLWE, MLWE) work with polynomials ◮ Most important operation: multiply polynomials ◮ Obvious question: How do we vectorize polynomial multiplication? ◮ Let’s take an example: r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 ◮ Can easily load ( f 0 , f 1 , f 2 , f 3 ) and ( g 0 , g 1 , g 2 , g 3 ) ◮ Multiply, obtain ( f 0 g 0 , f 1 g 1 , f 2 g 2 , f 3 g 3 ) Implementing post-quantum cryptography 17

  28. Structured lattices ◮ Structured lattices (NTRU, RLWE, MLWE) work with polynomials ◮ Most important operation: multiply polynomials ◮ Obvious question: How do we vectorize polynomial multiplication? ◮ Let’s take an example: r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 ◮ Can easily load ( f 0 , f 1 , f 2 , f 3 ) and ( g 0 , g 1 , g 2 , g 3 ) ◮ Multiply, obtain ( f 0 g 0 , f 1 g 1 , f 2 g 2 , f 3 g 3 ) ◮ And now what? Implementing post-quantum cryptography 17

  29. Structured lattices ◮ Structured lattices (NTRU, RLWE, MLWE) work with polynomials ◮ Most important operation: multiply polynomials ◮ Obvious question: How do we vectorize polynomial multiplication? ◮ Let’s take an example: r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 ◮ Can easily load ( f 0 , f 1 , f 2 , f 3 ) and ( g 0 , g 1 , g 2 , g 3 ) ◮ Multiply, obtain ( f 0 g 0 , f 1 g 1 , f 2 g 2 , f 3 g 3 ) ◮ And now what? ◮ Looks like we need to shuffle a lot! Implementing post-quantum cryptography 17

  30. Karatsuba and Toom ◮ Our polynomials have many more coefficients (say, 256 – 1024) ◮ Idea: use Karatsuba’s trick: ◮ consider n = 2 k -coefficient polynomials f and g ◮ Split multiplication f · g into 3 half-size multiplications ( f ℓ + X k f h ) · ( g ℓ + X k g h ) = f ℓ g ℓ + X k ( f ℓ g h + f h g ℓ ) + X n f h g h = f ℓ g ℓ + X k (( f ℓ + f h )( g ℓ + g h ) − f ℓ g ℓ − f h g h ) + X n f h g h Implementing post-quantum cryptography 18

  31. Karatsuba and Toom ◮ Our polynomials have many more coefficients (say, 256 – 1024) ◮ Idea: use Karatsuba’s trick: ◮ consider n = 2 k -coefficient polynomials f and g ◮ Split multiplication f · g into 3 half-size multiplications ( f ℓ + X k f h ) · ( g ℓ + X k g h ) = f ℓ g ℓ + X k ( f ℓ g h + f h g ℓ ) + X n f h g h = f ℓ g ℓ + X k (( f ℓ + f h )( g ℓ + g h ) − f ℓ g ℓ − f h g h ) + X n f h g h ◮ Apply recursively to obtain 9 quarter-size multiplications, 27 eighth-size multiplications etc. Implementing post-quantum cryptography 18

  32. Karatsuba and Toom ◮ Our polynomials have many more coefficients (say, 256 – 1024) ◮ Idea: use Karatsuba’s trick: ◮ consider n = 2 k -coefficient polynomials f and g ◮ Split multiplication f · g into 3 half-size multiplications ( f ℓ + X k f h ) · ( g ℓ + X k g h ) = f ℓ g ℓ + X k ( f ℓ g h + f h g ℓ ) + X n f h g h = f ℓ g ℓ + X k (( f ℓ + f h )( g ℓ + g h ) − f ℓ g ℓ − f h g h ) + X n f h g h ◮ Apply recursively to obtain 9 quarter-size multiplications, 27 eighth-size multiplications etc. ◮ Generalization: Toom-Cook. Obtain, e.g., 5 third-size multiplications ◮ Split into sufficiently many “small” multiplications, vectorize across those Implementing post-quantum cryptography 18

  33. Transposing/Interleaving ◮ Small example: compute a · b , c · d , e · f , g · h ◮ Each factor with 3 coefficients, e.g., a = a 0 + a 1 X + a 2 X 2 Implementing post-quantum cryptography 19

  34. Transposing/Interleaving ◮ Small example: compute a · b , c · d , e · f , g · h ◮ Each factor with 3 coefficients, e.g., a = a 0 + a 1 X + a 2 X 2 ◮ Coefficients in memory: a0, a1, a2, b0, b1, b2, c0,..., h1, h2 Implementing post-quantum cryptography 19

  35. Transposing/Interleaving ◮ Small example: compute a · b , c · d , e · f , g · h ◮ Each factor with 3 coefficients, e.g., a = a 0 + a 1 X + a 2 X 2 ◮ Coefficients in memory: a0, a1, a2, b0, b1, b2, c0,..., h1, h2 ◮ Problem: ◮ Vector loads will yield v 0 = ( a 0 , a 1 , a 2 , b 0 ) . . . v 6 = ( g 2 , h 0 , h 1 , h 2 ) ◮ However, we need v 0 = ( a 0 , c 0 , e 0 , h 0 ) . . . v 6 = ( b 2 , d 2 , f 2 , g 2 ) Implementing post-quantum cryptography 19

  36. Transposing/Interleaving ◮ Small example: compute a · b , c · d , e · f , g · h ◮ Each factor with 3 coefficients, e.g., a = a 0 + a 1 X + a 2 X 2 ◮ Coefficients in memory: a0, a1, a2, b0, b1, b2, c0,..., h1, h2 ◮ Problem: ◮ Vector loads will yield v 0 = ( a 0 , a 1 , a 2 , b 0 ) . . . v 6 = ( g 2 , h 0 , h 1 , h 2 ) ◮ However, we need v 0 = ( a 0 , c 0 , e 0 , h 0 ) . . . v 6 = ( b 2 , d 2 , f 2 , g 2 ) ◮ Solution: transpose data matrix (or interleave words): a0, c0, e0, h0, a1, c1, e1,..., f2, g2 Implementing post-quantum cryptography 19

  37. Two applications of Karatsuba/Toom Streamlined NTRU Prime 4591 761 ◮ Multiply in the ring R = Z 4591 [ X ] / ( X 761 − X − 1) ◮ Pad input polynomial to 768 coefficients ◮ 5 levels of Karatsuba: 243 multiplications of 24 -coefficient polynomials ◮ Massively lazy reduction using double-precision floats ◮ 28 682 Haswell cycles for multiplication in R Implementing post-quantum cryptography 20

  38. Two applications of Karatsuba/Toom Streamlined NTRU Prime 4591 761 ◮ Multiply in the ring R = Z 4591 [ X ] / ( X 761 − X − 1) ◮ Pad input polynomial to 768 coefficients ◮ 5 levels of Karatsuba: 243 multiplications of 24 -coefficient polynomials ◮ Massively lazy reduction using double-precision floats ◮ 28 682 Haswell cycles for multiplication in R NTRU-HRSS-KEM ◮ Multiply in the ring R = Z 8192 [ X ] / ( X 701 − 1) ◮ Use Toom-Cook to split into 7 quarter-size, then 2 levels of Karatsuba ◮ Obtain 63 multiplications of 44 -coefficient polynomials ◮ 11 722 Haswell cycles for multiplication in R Implementing post-quantum cryptography 20

  39. We can do better: NTTs ◮ Many LWE/MLWE systems use very specific parameters: ◮ Work in polynomial ring R = Z q [ X ] / ( X n + 1) ◮ Choose n a power of 2 ◮ Choose q prime, s.t. 2 n divides ( q − 1) Implementing post-quantum cryptography 21

  40. We can do better: NTTs ◮ Many LWE/MLWE systems use very specific parameters: ◮ Work in polynomial ring R = Z q [ X ] / ( X n + 1) ◮ Choose n a power of 2 ◮ Choose q prime, s.t. 2 n divides ( q − 1) ◮ Examples: NewHope ( n = 1024 , q = 12289 ), Kyber ( n = 256 , q = 7681 ) Implementing post-quantum cryptography 21

  41. We can do better: NTTs ◮ Many LWE/MLWE systems use very specific parameters: ◮ Work in polynomial ring R = Z q [ X ] / ( X n + 1) ◮ Choose n a power of 2 ◮ Choose q prime, s.t. 2 n divides ( q − 1) ◮ Examples: NewHope ( n = 1024 , q = 12289 ), Kyber ( n = 256 , q = 7681 ) ◮ Big advantage: fast negacyclic number-theoretic transform ◮ Given g ∈ R , n -th primitive root of unity ω and ψ = √ ω , compute n − 1 � g i X i , with NTT ( g ) = ˆ g = ˆ i =0 n − 1 � ψ j g j ω ij , ˆ g i = j =0 Implementing post-quantum cryptography 21

  42. We can do better: NTTs ◮ Many LWE/MLWE systems use very specific parameters: ◮ Work in polynomial ring R = Z q [ X ] / ( X n + 1) ◮ Choose n a power of 2 ◮ Choose q prime, s.t. 2 n divides ( q − 1) ◮ Examples: NewHope ( n = 1024 , q = 12289 ), Kyber ( n = 256 , q = 7681 ) ◮ Big advantage: fast negacyclic number-theoretic transform ◮ Given g ∈ R , n -th primitive root of unity ω and ψ = √ ω , compute n − 1 � g i X i , with NTT ( g ) = ˆ g = ˆ i =0 n − 1 � ψ j g j ω ij , ˆ g i = j =0 ◮ Compute f · g as NTT − 1 ( NTT ( f ) ◦ NTT ( g )) Implementing post-quantum cryptography 21

  43. We can do better: NTTs ◮ Many LWE/MLWE systems use very specific parameters: ◮ Work in polynomial ring R = Z q [ X ] / ( X n + 1) ◮ Choose n a power of 2 ◮ Choose q prime, s.t. 2 n divides ( q − 1) ◮ Examples: NewHope ( n = 1024 , q = 12289 ), Kyber ( n = 256 , q = 7681 ) ◮ Big advantage: fast negacyclic number-theoretic transform ◮ Given g ∈ R , n -th primitive root of unity ω and ψ = √ ω , compute n − 1 � g i X i , with NTT ( g ) = ˆ g = ˆ i =0 n − 1 � ψ j g j ω ij , ˆ g i = j =0 ◮ Compute f · g as NTT − 1 ( NTT ( f ) ◦ NTT ( g )) ◮ NTT − 1 is essentially the same computation as NTT Implementing post-quantum cryptography 21

  44. Zooming into the NTT ◮ FFT in a finite field ◮ Evaluate polynomial f = f 0 + f 1 X + · · · + f n − 1 X n − 1 at all n -th roots of unity ◮ Divide-and-conquer approach ◮ Write polynomial f as f 0 ( X 2 ) + Xf 1 ( X 2 ) Implementing post-quantum cryptography 22

  45. Zooming into the NTT ◮ FFT in a finite field ◮ Evaluate polynomial f = f 0 + f 1 X + · · · + f n − 1 X n − 1 at all n -th roots of unity ◮ Divide-and-conquer approach ◮ Write polynomial f as f 0 ( X 2 ) + Xf 1 ( X 2 ) ◮ Huge overlap between evaluating f ( β ) = f 0 ( β 2 ) + βf 1 ( β 2 ) and f ( − β ) = f 0 ( β 2 ) − βf 1 ( β 2 ) Implementing post-quantum cryptography 22

  46. Zooming into the NTT ◮ FFT in a finite field ◮ Evaluate polynomial f = f 0 + f 1 X + · · · + f n − 1 X n − 1 at all n -th roots of unity ◮ Divide-and-conquer approach ◮ Write polynomial f as f 0 ( X 2 ) + Xf 1 ( X 2 ) ◮ Huge overlap between evaluating f ( β ) = f 0 ( β 2 ) + βf 1 ( β 2 ) and f ( − β ) = f 0 ( β 2 ) − βf 1 ( β 2 ) ◮ f 0 has n/ 2 coefficients ◮ Evaluate f 0 at all ( n/ 2) -th roots of unity by recursive application ◮ Same for f 1 Implementing post-quantum cryptography 22

  47. Zooming into the NTT ◮ FFT in a finite field ◮ Evaluate polynomial f = f 0 + f 1 X + · · · + f n − 1 X n − 1 at all n -th roots of unity ◮ Divide-and-conquer approach ◮ Write polynomial f as f 0 ( X 2 ) + Xf 1 ( X 2 ) ◮ Huge overlap between evaluating f ( β ) = f 0 ( β 2 ) + βf 1 ( β 2 ) and f ( − β ) = f 0 ( β 2 ) − βf 1 ( β 2 ) ◮ f 0 has n/ 2 coefficients ◮ Evaluate f 0 at all ( n/ 2) -th roots of unity by recursive application ◮ Same for f 1 ◮ Apply recursively through log n levels Implementing post-quantum cryptography 22

  48. Vectorizing the NTT ◮ First thing to do: replace recursion by iteration ◮ Loop over log n levels with n/ 2 “butterflies” each ◮ Butterfly on level k : ◮ Pick up f i and f i +2 k ◮ Multiply f i +2 k by a power of ω to obtain t ◮ Compute f i +2 k ← a i − t ◮ Compute f i ← a i + t ◮ All n/ 2 butterflies on one level are independent ◮ Vectorize across those butterflies Implementing post-quantum cryptography 23

  49. Vectorized NTT results ◮ Güneysu, Oder, Pöppelmann, Schwabe, 2013: ◮ 4480 Sandy Bridge cycles ( n = 512 , 23 -bit q ) ◮ Use double-precision floats to represent coefficients Implementing post-quantum cryptography 24

  50. Vectorized NTT results ◮ Güneysu, Oder, Pöppelmann, Schwabe, 2013: ◮ 4480 Sandy Bridge cycles ( n = 512 , 23 -bit q ) ◮ Use double-precision floats to represent coefficients ◮ Alkim, Ducas, Pöppelmann, Schwabe, 2016: ◮ 8448 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ Still use doubles Implementing post-quantum cryptography 24

  51. Vectorized NTT results ◮ Güneysu, Oder, Pöppelmann, Schwabe, 2013: ◮ 4480 Sandy Bridge cycles ( n = 512 , 23 -bit q ) ◮ Use double-precision floats to represent coefficients ◮ Alkim, Ducas, Pöppelmann, Schwabe, 2016: ◮ 8448 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ Still use doubles ◮ Longa, Naehrig, 2016: ◮ 9100 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ Uses vectorized integer arithmetic Implementing post-quantum cryptography 24

  52. Vectorized NTT results ◮ Güneysu, Oder, Pöppelmann, Schwabe, 2013: ◮ 4480 Sandy Bridge cycles ( n = 512 , 23 -bit q ) ◮ Use double-precision floats to represent coefficients ◮ Alkim, Ducas, Pöppelmann, Schwabe, 2016: ◮ 8448 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ Still use doubles ◮ Longa, Naehrig, 2016: ◮ 9100 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ Uses vectorized integer arithmetic ◮ Seiler, 2018: ◮ 2784 Haswell cycles ( n = 1024 , 14 -bit q ) ◮ 460 Haswell cycles ( n = 256 , 13 -bit q ) ◮ Uses vectorized integer arithmetic Implementing post-quantum cryptography 24

  53. How about hashing? ◮ NTT-based multiplication is fast ◮ Consequence: “symmetric” parts in lattice-based crypto becomes significant overhead! ◮ Most important: hashes and XOFs Implementing post-quantum cryptography 25

  54. How about hashing? ◮ NTT-based multiplication is fast ◮ Consequence: “symmetric” parts in lattice-based crypto becomes significant overhead! ◮ Most important: hashes and XOFs ◮ Typical hash construction: ◮ Process message in blocks ◮ Each block modifies an internal state ◮ Cannot vectorize across blocks Implementing post-quantum cryptography 25

  55. How about hashing? ◮ NTT-based multiplication is fast ◮ Consequence: “symmetric” parts in lattice-based crypto becomes significant overhead! ◮ Most important: hashes and XOFs ◮ Typical hash construction: ◮ Process message in blocks ◮ Each block modifies an internal state ◮ Cannot vectorize across blocks ◮ Idea: Vectorize internal processing (permutation or compression function) ◮ Two problems: ◮ Often strong dependencies between instructions ◮ Need limited instruction-level parallelism for pipelining Implementing post-quantum cryptography 25

  56. How about hashing? ◮ NTT-based multiplication is fast ◮ Consequence: “symmetric” parts in lattice-based crypto becomes significant overhead! ◮ Most important: hashes and XOFs ◮ Typical hash construction: ◮ Process message in blocks ◮ Each block modifies an internal state ◮ Cannot vectorize across blocks ◮ Idea: Vectorize internal processing (permutation or compression function) ◮ Two problems: ◮ Often strong dependencies between instructions ◮ Need limited instruction-level parallelism for pipelining ◮ Consequence: consider designing with parallel hash/XOF calls! Implementing post-quantum cryptography 25

  57. PQCRYPTO � = Lattices ◮ So far we’ve looked at lattices, how about other PQCRYPTO? ◮ Code-based crypto (and some MQ -based crypto) need binary-field arithmetic ◮ Typical: operations in F 2 k for k ∈ 1 , . . . , 20 Implementing post-quantum cryptography 26

  58. PQCRYPTO � = Lattices ◮ So far we’ve looked at lattices, how about other PQCRYPTO? ◮ Code-based crypto (and some MQ -based crypto) need binary-field arithmetic ◮ Typical: operations in F 2 k for k ∈ 1 , . . . , 20 ◮ Most architectures don’t support this efficiently ◮ Traditional approach: use lookups (log tables) Implementing post-quantum cryptography 26

  59. PQCRYPTO � = Lattices ◮ So far we’ve looked at lattices, how about other PQCRYPTO? ◮ Code-based crypto (and some MQ -based crypto) need binary-field arithmetic ◮ Typical: operations in F 2 k for k ∈ 1 , . . . , 20 ◮ Most architectures don’t support this efficiently ◮ Traditional approach: use lookups (log tables) ◮ Obvious question: can vector operations help? Implementing post-quantum cryptography 26

  60. Bitslicing ◮ So far: vectors of bytes, 32-bit words, floats, . . . ◮ Consider now vectors of bits Implementing post-quantum cryptography 27

  61. Bitslicing ◮ So far: vectors of bytes, 32-bit words, floats, . . . ◮ Consider now vectors of bits ◮ Perform arithmetic on those vectors using XOR , AND , OR ◮ “Simulate hardware implemenations in software” Implementing post-quantum cryptography 27

  62. Bitslicing ◮ So far: vectors of bytes, 32-bit words, floats, . . . ◮ Consider now vectors of bits ◮ Perform arithmetic on those vectors using XOR , AND , OR ◮ “Simulate hardware implemenations in software” ◮ Technique was introduced by Biham in 1997 for DES ◮ Bitslicing works for every algorithm ◮ Efficient bitslicing needs a huge amount of data-level parallelism Implementing post-quantum cryptography 27

  63. Bitslicing binary polynomials 4-coefficient binary polynomials ( a 3 x 3 + a 2 x 2 + a 1 x + a 0 ) , with a i ∈ { 0 , 1 } 4-coefficient bitsliced binary polynomials typedef unsigned char poly4; /* 4 coefficients in the low 4 bits */ typedef unsigned long long poly4x64[4]; void poly4_bitslice(poly4x64 r, const poly4 f[64]) { int i,j; for(i=0;i<4;i++) { r[i] = 0; for(j=0;j<64;j++) r[i] |= (unsigned long long)(1 & (f[j] >> i))<<j; } } Implementing post-quantum cryptography 28

  64. Bitsliced binary-polynomial multiplication typedef unsigned long long poly4x64[4]; typedef unsigned long long poly7x64[7]; void poly4x64_mul(poly7x64 r, const poly4x64 f, const poly4x64 g) { r[0] = f[0] & g[0]; r[1] = (f[0] & g[1]) ^ (f[1] & g[0]); r[2] = (f[0] & g[2]) ^ (f[1] & g[1]) ^ (f[2] & g[0]); r[3] = (f[0] & g[3]) ^ (f[1] & g[2]) ^ (f[2] & g[1]) ^ (f[3] & g[0]); r[4] = (f[1] & g[3]) ^ (f[2] & g[2]) ^ (f[3] & g[1]); r[5] = (f[2] & g[3]) ^ (f[3] & g[2]); r[6] = (f[3] & g[3]); } Implementing post-quantum cryptography 29

  65. McBits (revisited) ◮ Bernstein, Chou, Schwabe, 2013: High-speed code-based crypto ◮ Low-level: bitsliced arithmetic in F 2 k , k ∈ { 11 , . . . , 16 } Implementing post-quantum cryptography 30

  66. McBits (revisited) ◮ Bernstein, Chou, Schwabe, 2013: High-speed code-based crypto ◮ Low-level: bitsliced arithmetic in F 2 k , k ∈ { 11 , . . . , 16 } ◮ Higher level: ◮ Additive FFT for efficient root finding ◮ Transposed FFT for syndrome computation ◮ Batcher sort for random permutations Implementing post-quantum cryptography 30

  67. McBits (revisited) ◮ Bernstein, Chou, Schwabe, 2013: High-speed code-based crypto ◮ Low-level: bitsliced arithmetic in F 2 k , k ∈ { 11 , . . . , 16 } ◮ Higher level: ◮ Additive FFT for efficient root finding ◮ Transposed FFT for syndrome computation ◮ Batcher sort for random permutations ◮ Results: ◮ 75 935 744 Ivy Bridge cycles for 256 decodings at ≈ 256 -bit pre-quantum security ◮ Not 75 935 744 / 256 = 296 624 cycles for one decoding ◮ Reason: Need 256 independent decodings for parallelism Implementing post-quantum cryptography 30

  68. McBits (revisited) ◮ Bernstein, Chou, Schwabe, 2013: High-speed code-based crypto ◮ Low-level: bitsliced arithmetic in F 2 k , k ∈ { 11 , . . . , 16 } ◮ Higher level: ◮ Additive FFT for efficient root finding ◮ Transposed FFT for syndrome computation ◮ Batcher sort for random permutations ◮ Results: ◮ 75 935 744 Ivy Bridge cycles for 256 decodings at ≈ 256 -bit pre-quantum security ◮ Not 75 935 744 / 256 = 296 624 cycles for one decoding ◮ Reason: Need 256 independent decodings for parallelism ◮ Chou, CHES 2017: use internal parallelism ◮ Target even higher security ( 297 bits pre-quantum) ◮ Does not require independent decryptions ◮ Even faster, even when considering throughput Implementing post-quantum cryptography 30

  69. How about MQ ? ◮ Most important operation: evaluate system of quadratic equations ◮ Massively parallel, efficiently vectorizable Implementing post-quantum cryptography 31

  70. How about MQ ? ◮ Most important operation: evaluate system of quadratic equations ◮ Massively parallel, efficiently vectorizable ◮ Distinguish 3 (or 4) different cases, depending on the field ◮ F 31 : 16-bit-word vector elements, use integer arithmetic Implementing post-quantum cryptography 31

  71. How about MQ ? ◮ Most important operation: evaluate system of quadratic equations ◮ Massively parallel, efficiently vectorizable ◮ Distinguish 3 (or 4) different cases, depending on the field ◮ F 31 : 16-bit-word vector elements, use integer arithmetic ◮ F 2 / F 4 : Use bitslicing Implementing post-quantum cryptography 31

  72. How about MQ ? ◮ Most important operation: evaluate system of quadratic equations ◮ Massively parallel, efficiently vectorizable ◮ Distinguish 3 (or 4) different cases, depending on the field ◮ F 31 : 16-bit-word vector elements, use integer arithmetic ◮ F 2 / F 4 : Use bitslicing ◮ F 16 / F 256 : Use vector-permute instructions for table lookups ◮ For F 256 use tower-field arithmetic on top of F 16 Implementing post-quantum cryptography 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven Executive School on Post-Quantum Cryptography 01 July 2019 Cryptography Motivation #1: Communication channels are spying on our data. Motivation

728 views • 42 slides
The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum

The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum

The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit Eindhoven 17 January 2016 8th Winter School on Quantum Cybersecurity Cryptography Motivation #1: Communication channels are spying on our

894 views • 68 slides
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu Ruhr-Universitt Bochum &amp; DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography (PQC)

1.18k views • 113 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information (and generate

455 views • 19 slides
Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n &gt; k noisy channel noisy

783 views • 52 slides
Using the lasso in Stata for inference in high-dimensional models David M. Drukker Executive

Using the lasso in Stata for inference in high-dimensional models David M. Drukker Executive

Using the lasso in Stata for inference in high-dimensional models David M. Drukker Executive Director of Econometrics Stata London Stata Conference 5-6 September 2019 Outline What are high-dimensional models? 1 What is the lasso? 2 Using

895 views • 41 slides
Top Down Design More Compute-in-a- Loop Patterns The BlackJack game, e.g., Nested Loops

Top Down Design More Compute-in-a- Loop Patterns The BlackJack game, e.g., Nested Loops

As you arrive: 1. Start up your computer and plug it in Plus in-class time 2. Log into Angel and go to CSSE 120 working on and 3. Do the Attendance Widget the PIN is on the board practicing these AND 4. Go to the course Schedule Page

538 views • 19 slides
The Case for (and Drawbacks of) Nominal GDP Targets Jeffrey Frankel Harpel Professor of Capital

The Case for (and Drawbacks of) Nominal GDP Targets Jeffrey Frankel Harpel Professor of Capital

The Case for (and Drawbacks of) Nominal GDP Targets Jeffrey Frankel Harpel Professor of Capital Formation and Growth, Harvard Kennedy School, Harvard University Prepared for Brookings Institution conference, Should the Fed stick with the 2

481 views • 10 slides
Outline Layered course overview Final exam and other logistics Post midterm 2 topics: caches

Outline Layered course overview Final exam and other logistics Post midterm 2 topics: caches

Outline Layered course overview Final exam and other logistics Post midterm 2 topics: caches CSci 2021: Final Exam Review Lecture Post midterm 2 topics: memory Stephen McCamant University of Minnesota, Computer Science &amp; Engineering Post

319 views • 6 slides
DUNE DAQ Testing Jon Sensenig, Pierre Lasorak, Lukas Arnold June 24, 2019 Jon Sensenig, Pierre

DUNE DAQ Testing Jon Sensenig, Pierre Lasorak, Lukas Arnold June 24, 2019 Jon Sensenig, Pierre

DUNE DAQ Testing Jon Sensenig, Pierre Lasorak, Lukas Arnold June 24, 2019 Jon Sensenig, Pierre Lasorak, Lukas Arnold DUNE DAQ Testing June 24, 2019 1 / 7 Parts of testing Hit sender Is working Memory throughput measurements Latency

166 views • 14 slides
The The Ov Overwhelm lm Loo oop: Running Your Business So It Doesnt Run un YOU or or...

The The Ov Overwhelm lm Loo oop: Running Your Business So It Doesnt Run un YOU or or...

8/20/2020 The The Ov Overwhelm lm Loo oop: Running Your Business So It Doesnt Run un YOU or or... ... How ow to o Eliminate e Over erwhel elm in n 4 4 Easy Steps Kris Murray President &amp; Founder August 20, 2020

470 views • 13 slides
RTOS &amp; LwIP on Zynq and Zedboard Dr. Heinz Rongen Forschungszentrum Jlich GmbH

RTOS &amp; LwIP on Zynq and Zedboard Dr. Heinz Rongen Forschungszentrum Jlich GmbH

RTOS &amp; LwIP on Zynq and Zedboard Dr. Heinz Rongen Forschungszentrum Jlich GmbH Zentralinstitut Systeme der Elektronik (ZEA-2) H.Rongen@fz-juelich.de Controller (The small ones ) - Single Chip Solutions / Applications - Internal

730 views • 18 slides
Probabilities Sven Koenig, USC Russell and Norvig, 3 rd Edition, Chapter 13 These slides are new

Probabilities Sven Koenig, USC Russell and Norvig, 3 rd Edition, Chapter 13 These slides are new

12/18/2019 Probabilities Sven Koenig, USC Russell and Norvig, 3 rd Edition, Chapter 13 These slides are new and can contain mistakes and typos. Please report them to Sven (skoenig@usc.edu). 1 Probabilities Robots face lots of uncertainty.

319 views • 10 slides

More recommend