parameterized hardware accelerators for lattice based
play

Parameterized Hardware Accelerators for Lattice-Based Cryptography - PowerPoint PPT Presentation

Dec 31, 2023 •21 likes •711 views

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

  1. Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 – September 14, 2020

  2. Outline • Yet another hardware design for a lattice-based scheme? • qTESLA • Hardware blocks • Binary-search CDT sampler • NTT-based polynomial multiplier • Software-hardware co-design on RISC-V • Evaluation 1

  3. Yet another hardware design for a lattice-based scheme? 2

  4. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 3

  5. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 4

  6. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 5

  7. Existing lattice-based hardware designs Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Flexible N/A co-design 6

  8. Our new lattice-based hardware design Security architecture Lattice-based scheme Standard Hardware Existing designs Accelerated parameters IO Building blocks Partly Fixed Fixed Specific scheme N/A Specific scheme Full hardware design Fully Fixed Fixed N/A Software-hardware Specific scheme Partly Fixed Fixed N/A co-design Our new design Fully Flexible Tunable Universal applicability Portable 7

  9. Our new lattice-based hardware design ü Full acceleration Accelerator config. ü Flexible security parameters 32/64-bit Accelerator AMBA Bus ü Tunable hardware architecture config. ü Universal applicability to lattice- Accelerator based schemes config. ü Portable among different platforms 8

  10. qTESLA 9

  11. qTESLA Round 2 Reference C submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 10

  12. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 11

  13. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ standardization liboqs library BouncyCastle library See qtesla.org 12

  14. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ ü Simple arithmetic operations standardization liboqs library BouncyCastle library See qtesla.org 13

  15. qTESLA ü Secure against classical and quantum adversaries Round 2 Reference C ü Implementation security submission in implementation PQ ü Simple arithmetic operations standardization ü Provable-secure parameters liboqs library BouncyCastle Parameter set Public key size (in B) Signature size (in B) library qTESLA-p-I 14, 880 2, 592 qTESLA-p-III 38, 432 5, 664 See qtesla.org 14

  16. qTESLA‘s sign and verify Signature generation Input: sk, m Output: signature z, c 15

  17. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Output: signature z, c 16

  18. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Output: signature z, c 17

  19. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify Output: signature z, c 18

  20. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify ü û Compute potential signature z = y + sc Output: signature z, c 19

  21. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify ü û Compute potential signature z = y + sc Check to ensure security Output: signature z, c 20

  22. qTESLA‘s sign and verify Signature generation Input: sk, m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c 21

  23. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 22

  24. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c - (pk, z, c, m) Hash c(sk, y, m) Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 23

  25. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü Compute potential signature z = y + sc Check to ensure security û ü Output: signature z, c Output: or û ü 24

  26. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü ü Compute potential signature z = y + sc Check to ensure security Check security property û ü Output: signature z, c Output: or û ü 25

  27. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü ü Compute potential signature z = y + sc Check to ensure security Check security property û ü ü Output: signature z, c Output: or û ü 26

  28. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Check c , = c ? Check to ensure acceptance during verify û ü û ü Compute potential signature z = y + sc Check to ensure security Check security property û û ü ü Output: signature z, c Output: or û ü 27

  29. qTESLA‘s sign and verify Signature verification Signature generation Input: sk, m Input: pk, z, c , m Sample random y polynomial Hash c , (pk, z, c, m) Hash c(sk, y, m) Simple operations: • Sampling Check c , = c ? Check to ensure acceptance during verify • Hashing û ü • Comparison û ü Compute potential signature z = y + sc • Multiplication and addition Check to ensure security Check security property û û ü ü Output: signature z, c Output: or û ü 28

  30. Hardware blocks for lattice-based schemes 29

  31. Lattice-based hardware blocks qTESLA Key Signing Verification generation Gauss Hash Poly. Sparse poly. sampler function Multiplication multiplication (4.5%) (39.4%) (27.9%) (6.3%) Respective subroutines (% of runtime) 30

  32. Lattice-based hardware blocks • A unified hardware core for both SHAKE-128/256 and cSHAKE-128/256 • A novel, parameterized binary-search CDT sampler in hardware • A novel, fully pipelined NTT-based polynomial multiplier • A parameterized sparse polynomial multiplier qTESLA • A lightweight Hmax-Sum module Key Signing Verification generation Gauss Hash Poly. Sparse poly. sampler function Multiplication multiplication (4.5%) (39.4%) (27.9%) (6.3%) Respective subroutines (% of runtime) 31

  33. Lattice-based hardware blocks • A unified hardware core for both SHAKE-128/256 and cSHAKE-128/256 • A novel, parameterized binary-search CDT sampler in hardware • A novel, fully pipelined NTT-based polynomial multiplier • A parameterized sparse polynomial multiplier • A lightweight Hmax-Sum module 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for

R265: Advanced Topics in Computer Architecture Seminar 7: HW accelerators and accelerators for machine learning Robert Mullins This lecture Computer architecture trends Hardware accelerators Design choices and trade-offs Hardware

384 views • 22 slides
The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 ,

The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 ,

The Future Directions of Dataflow-Based Reconfigurable Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 , Luigi Raffo 3 1 University of Sassari, PolComIng Information Engineering Group 2 University

981 views • 95 slides
Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational Redundancies Duvindu Piyasena, Rukshan Wickramasinghe, Debdeep Paul, Siew-Kei Lam and Meiqing Wu School of Computer Science and Engineering (SCSE)

334 views • 10 slides
Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander

Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander

1/35 Modeling and Predicting Application Performance on Hardware Accelerators Presented by: Alexander Breslow Authors: Mitesh Meswani*, Laura Carrington*, Didem Unat, Allan Snavely, Scott Baden, and Steve Poole *San Diego Supercomputer

634 views • 37 slides
CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020

CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020

CS5412/LECTURE 23 Ken Birman HARDWARE ACCELERATORS CS5412 Spring 2020 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 IN THE EARLY DAYS, DIVIDE AND CONQUER SUFFICED People broke web page computations into a first -tier, and then a bank of

678 views • 44 slides
Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and

Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and

Execution Time Prediction for Energy- Efficient Hardware Accelerators Tao Chen, Alex Rucker, and G. Edward Suh Computer Systems Laboratory Cornell University Accelerators in Interactive Computing Systems Interactive systems have response

448 views • 17 slides
An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for Supercomputers Workshop June 12 2018 Rob Gardner Jared Smolens Kishore Pusukuri Oracle Inc Arm Inc NetApp Inc Multicore Systems &

692 views • 24 slides
CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS

CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS

CS5412 / LECTURE 25 Ken Birman PROGRAMMING HARDWARE Spring, 2020 ACCELERATORS HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2020SP 1 SUPPOSE THAT YOU PURCHASE A GPU. HOW WOULD YOU PROGRAM IT? GPUs come with a collection of existing software

272 views • 11 slides
Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners

Building Blocks: Hardware Processors, Cores, Memory and Accelerators Funding Partners bioexcel.eu 1 Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

477 views • 30 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

ACM/IEEE CODES+ISSS 2017, Seoul, South Korea COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators Luca Piccolboni, Paolo Mantovani, Giuseppe Di Guglielmo, Luca Carloni Columbia University, New York,

624 views • 61 slides
Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 ,

Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 ,

Exploiting Dataflows for Reconfigurable Hardware Accelerators Francesca Palumbo 1 , Claudio Rubattu 1,2 , Carlo Sau 3 , Tiziana Fanni 3 , Luigi Raffo 3 1 University of Sassari, PolComIng Information Engineering Group 2 University of Rennes,

914 views • 88 slides
Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN

Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN

Accelerators Part 2 of 3: Lattice, Longitudinal Motion, Limitations Rende Steerenberg BE-OP CERN - Geneva Rende Steerenberg BND Graduate School 2 6 September 2017 CERN - Geneva Topics A Brief Recap and Transverse Optics Longitudinal

1.2k views • 76 slides
Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant

Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant

Cheaper, Faster Computing with hardware accelerators and NVM storage Sang-Woo Jun Assistant Professor Department of Computer Science University of California, Irvine 2018-10-05 About Me Sang-Woo Jun Ph.D. (2018) @ MIT Research

399 views • 21 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
ADJOINT APPROACH TO ACCELERATOR LATTICE DESIGN* T.M.

ADJOINT APPROACH TO ACCELERATOR LATTICE DESIGN* T.M.

ADJOINT APPROACH TO ACCELERATOR LATTICE DESIGN* T.M. Antonsen, I. Haber, B. L. Beaudoin Ins6tute for Research in Electronics and Applied Physics

656 views • 13 slides
The UK - a natural home for global engineering and technology champions? Warren East January

The UK - a natural home for global engineering and technology champions? Warren East January

The UK - a natural home for global engineering and technology champions? Warren East January 2019 Certain material courtesy of ARM and Rolls-Royce Making an Engineer Certain material courtesy of ARM and Rolls-Royce Rolls-Royce: A Leading

988 views • 39 slides
Lecture 4: Smoothing Julia Hockenmaier juliahmr@illinois.edu 3324 Siebel Center Last

Lecture 4: Smoothing Julia Hockenmaier juliahmr@illinois.edu 3324 Siebel Center Last

CS447: Natural Language Processing http://courses.engr.illinois.edu/cs447 Lecture 4: Smoothing Julia Hockenmaier juliahmr@illinois.edu 3324 Siebel Center Last lectures key concepts Basic probability review: joint probability, conditional

412 views • 38 slides
Accuracy of Admissible Heuristic Functions in Selected Planning Domains Malte Helmert Robert

Accuracy of Admissible Heuristic Functions in Selected Planning Domains Malte Helmert Robert

Accuracy of Admissible Heuristic Functions in Selected Planning Domains Malte Helmert Robert Mattm uller Albert-Ludwigs-Universit at Freiburg, Germany AAAI 2008 Introduction Analyses Summary and Conclusion Outline Introduction 1

289 views • 26 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
Datacentre Acceleration Ted Zhang (z5019142) Meisi Li (z5119623) Han Zhao(z5099931) Nattamon

Datacentre Acceleration Ted Zhang (z5019142) Meisi Li (z5119623) Han Zhao(z5099931) Nattamon

Datacentre Acceleration Ted Zhang (z5019142) Meisi Li (z5119623) Han Zhao(z5099931) Nattamon Paiboon (z5176930) Background Data Centres Centralised computing and network infrastructure Cloud applications for storage and computation

640 views • 46 slides
STORK Worshop 26-27 November 2002 Bruges Aniyan Varghese aniyan.varghese@cec.eu.int European

STORK Worshop 26-27 November 2002 Bruges Aniyan Varghese aniyan.varghese@cec.eu.int European

Cryptography Research in FP6 Cryptography Research in FP6-I ST I ST STORK Worshop 26-27 November 2002 Bruges Aniyan Varghese aniyan.varghese@cec.eu.int European Commission DG I nformation Society European Commission DG I nformation

316 views • 12 slides
IDPAs Intra-Group Data Processing Agreements 21.10.2020 IAPP Switzerland KnowledgeNet Dr

IDPAs Intra-Group Data Processing Agreements 21.10.2020 IAPP Switzerland KnowledgeNet Dr

IDPAs Intra-Group Data Processing Agreements 21.10.2020 IAPP Switzerland KnowledgeNet Dr David Vasella, CIPP/E 1 Challenges and options for international groups 2 The challenge The reality : The law : International groups of

483 views • 14 slides

More recommend