
SLIDE 1

10.09.2018

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder1, Tobias Schneider2, Thomas Pöppelmann3, Tim Güneysu1,4

1Ruhr-University Bochum, 2Université Catholique de Louvain, 3Infineon Technologies AG, 4DFKI

CHES 2018

SLIDE 2

2 CCA2-Secure and Masked Ring-LWE | Tobias Oder | Ruhr-University Bochum | 10.09.2018

Motivation

SLIDE 4

  • NIST post-quantum standardization project
  • Various NIST submissions are based on Ring-LWE including
    – NewHope
    – LIMA
    – (Kyber)
    – …
  • Previous work
    – A masked ring-LWE implementation. O. Reparaz, S. Sinha Roy, F. Vercauteren, I. Verbauwhede. CHES 2015
    – Additively homomorphic ring-LWE masking. O. Reparaz, S. Sinha Roy, R. de Clercq, F. Vercauteren, I. Verbauwhede. PQCrypto 2016

Ring-LWE

SLIDE 5

  • Plain Ring-LWE encryption is only secure against chosen-plaintext attackers (CPA)
  • Many use cases require security against chosen-ciphertext attackers (CCA)
  • Generic Fujisaki-Okamoto transform
    – Assumes negligible decryption error
    – Tweak by Targhi and Unruh for post-quantum security [TU16]
    – Expensive re-encryption in decryption

[TU16] E. E. Targhi and D. Unruh. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. TCC 2016

CCA2-Security

SLIDE 6

CCA2-secure Decryption

CCA2-Security

SLIDE 10

Contribution

SLIDE 13

  • Our contribution: CCA2-secure first-order masked Ring-LWE implementation
  • Target platform ARM Cortex-M4
    – Constrained computing capabilities/memory
  • Secret-independent execution time as countermeasure against timing attacks
  • Masking as countermeasure against Differential Power Analysis
    – Boolean vs. arithmetic

Embedded Implementation

SLIDE 16

Components to be masked in CCA2-secure Ring-LWE

  • PRNG/Hash: [BDPVA10]
  • NTT: straight-forward
    – Polynomial multiplication
  • Binomial Sampler (BS)
  • Encoding/Decoding

[BDPVA10] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference, 2010

Masking Ring-LWE

[Figure: block diagram of Ring-LWE CPA encryption (inputs a, p and message m; three binomial samplers BS feeding the multiplications and additions; encode(m); outputs c1, c2) and Ring-LWE CPA decryption (inputs c1, c2 and the secret r; multiplication and addition; decode; output m)]

SLIDE 17

Encoding

SLIDE 20

  • Encoding transforms a bit string into a polynomial
    – Without masking: $\mathit{coeff} = \mathit{bit} \cdot \lfloor q/2 \rfloor$
    – With $\mathit{bit}' \oplus \mathit{bit}'' = \mathit{bit}$: $\mathit{coeff}' = \mathit{bit}' \cdot \lfloor q/2 \rfloor$, $\mathit{coeff}'' = \mathit{bit}'' \cdot \lfloor q/2 \rfloor$
  • q is odd, so $\lfloor q/2 \rfloor + \lfloor q/2 \rfloor \neq q$

Problem: Result is off by one if $\mathit{bit}' = 1$ and $\mathit{bit}'' = 1$

Masked encoding

SLIDE 21

Solution: Add $\mathit{bit}' \cdot \mathit{bit}''$ to the result

  • Compute $\mathit{bit}' \cdot \mathit{bit}''$ by splitting into subshares:
    $\left({\mathit{bit}'}^{(1)} + {\mathit{bit}'}^{(2)}\right) \cdot \left({\mathit{bit}''}^{(1)} + {\mathit{bit}''}^{(2)}\right) = {\mathit{bit}'}^{(1)} \cdot {\mathit{bit}''}^{(1)} + {\mathit{bit}'}^{(1)} \cdot {\mathit{bit}''}^{(2)} + {\mathit{bit}'}^{(2)} \cdot {\mathit{bit}''}^{(1)} + {\mathit{bit}'}^{(2)} \cdot {\mathit{bit}''}^{(2)}$
  • Use fresh randomness to securely sum the cross-products

Masked encoding

SLIDE 22

Decoding

SLIDE 23

Input: Coefficient $\in [0, q-1]$; Output: Decoded bit

Idea:
  • Shift distribution of coefficients
  • Apply arithmetic-to-Boolean conversion
  • Extract sign bit

Masked decoding


SLIDE 27

Binomial Sampler

SLIDE 28

  • Input: Boolean shares; Output: Arithmetic shares
  • Count Hamming weight as
    $\sum_{j=0}^{7} \left(\mathit{bit}'_j \oplus \mathit{bit}''_j\right) = \sum_{j=0}^{7} \left(\mathit{bit}'_j + \mathit{bit}''_j - 2\,\mathit{bit}'_j \mathit{bit}''_j\right)$
  • Compute $\mathit{bit}'_j \cdot \mathit{bit}''_j$ by splitting into subshares

Masked sampler
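The masked encoder (slides 18-21) and the masked sampler on this slide both rest on the same primitive: the product of two single-bit shares is computed by splitting each share into subshares and summing the four cross products under fresh randomness. The C block below is an added illustration written for this page, not the authors' Cortex-M4 code; the xorshift PRNG, the function names and the share layout are assumptions, the parameters q = 12289 and σ = 2 are taken from the slides, and the sampler assumes the ψ₈ form HW(x) − HW(y) over two 8-bit words.

```c
#include <stdint.h>
#define Q 12289   /* modulus from the slides (n = 1024, q = 12289) */
/* Constructed xorshift PRNG standing in for the implementation's source of
 * fresh randomness; a stand-in for this example, not the page's PRNG. */
static uint32_t st = 0x9e3779b9u;
static uint32_t rnd(void) { st ^= st << 13; st ^= st >> 17; st ^= st << 5; return st % Q; }

/* Product of two single-bit shares a, b as arithmetic shares p0 + p1 = a*b mod Q.
 * Each input is split into subshares with fresh randomness and the four cross
 * products are summed under a fresh mask r, so no intermediate depends on both. */
static void shared_and(uint32_t a, uint32_t b, uint32_t *p0, uint32_t *p1) {
    uint32_t a1 = rnd(), a2 = (a + Q - a1) % Q;   /* a = a1 + a2 mod Q */
    uint32_t b1 = rnd(), b2 = (b + Q - b1) % Q;   /* b = b1 + b2 mod Q */
    uint32_t r = rnd();
    uint32_t t = ((uint64_t)a1 * b2 + Q - r) % Q; /* (a1*b2 - r) before any a2 term */
    t = (t + (uint64_t)a2 * b1) % Q;
    *p0 = ((uint64_t)a1 * b1 + r) % Q;
    *p1 = (t + (uint64_t)a2 * b2) % Q;
}
/* Masked encoder: Boolean shares b0 ^ b1 = bit -> arithmetic shares c0 + c1 =
 * bit * floor(Q/2) mod Q. Adding b0*b1 repairs the off-by-one for b0 = b1 = 1,
 * since floor(Q/2) + floor(Q/2) = Q - 1 for odd Q. */
void masked_encode(uint32_t b0, uint32_t b1, uint32_t *c0, uint32_t *c1) {
    uint32_t p0, p1;
    shared_and(b0, b1, &p0, &p1);
    *c0 = (b0 * (Q / 2) + p0) % Q;
    *c1 = (b1 * (Q / 2) + p1) % Q;
}
/* Masked Hamming weight of an 8-bit value given as Boolean shares x0 ^ x1:
 * h0 + h1 = HW(x0 ^ x1) mod Q via x0_j ^ x1_j = x0_j + x1_j - 2*x0_j*x1_j. */
static void masked_hw8(uint32_t x0, uint32_t x1, uint32_t *h0, uint32_t *h1) {
    *h0 = 0; *h1 = 0;
    for (int j = 0; j < 8; j++) {
        uint32_t a = (x0 >> j) & 1, b = (x1 >> j) & 1, p0, p1;
        shared_and(a, b, &p0, &p1);
        *h0 = (*h0 + a + 2 * (Q - p0)) % Q;       /* += a - 2*p0 */
        *h1 = (*h1 + b + 2 * (Q - p1)) % Q;       /* += b - 2*p1 */
    }
}
/* Masked binomial sampler psi_8 (sigma = 2): sample = HW(x) - HW(y), where x and
 * y arrive as Boolean shares and the sample leaves as arithmetic shares mod Q. */
void masked_binomial(uint32_t x0, uint32_t x1, uint32_t y0, uint32_t y1,
                     uint32_t *s0, uint32_t *s1) {
    uint32_t hx0, hx1, hy0, hy1;
    masked_hw8(x0, x1, &hx0, &hx1);
    masked_hw8(y0, y1, &hy0, &hy1);
    *s0 = (hx0 + Q - hy0) % Q;                    /* share-wise subtraction */
    *s1 = (hx1 + Q - hy1) % Q;
}
```

Recombining the output shares (adding them mod Q) is done here only to check correctness; a deployed implementation never recombines.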

SLIDE 29

Results

SLIDE 30

T-test evaluation of the decoding (example)

  • Blue: first-order evaluation
  • Dashed red: second-order evaluation

Side-Channel Evaluation

SLIDE 31

  • Dimension n = 1024
  • Modulus q = 12289
  • Standard deviation σ = 2

Cortex-M4 Performance


SLIDE 35

Conclusion

  • First masking of a Ring-LWE-based scheme that covers CCA2-security with first-order proof

  • New masked encoder & decoder
  • New masked sampler
  • Future work: Higher-order masking

SLIDE 36

Thank You For Your Attention!