RNS Arithmetic Approach in Lattice-based Cryptography Accelerating - - PowerPoint PPT Presentation



SLIDE 1

22nd IEEE Symposium on Computer Arithmetic

RNS Arithmetic Approach in Lattice-based Cryptography

Accelerating the "Rounding-off" Core Procedure

Jean-Claude Bajard†, Julien Eynard†, Nabil Merkiche†✿, Thomas Plantard❀

†Sorbonne Universités, UPMC Univ Paris 06, CNRS, LIP6 UMR 7606, France
✿DGA/MI, Rennes, France
❀University of Wollongong, CCISR, Wollongong, Australia

June 23rd, 2015

Bajard, Eynard, Merkiche, Plantard RNS Arithmetic Approach in Lattice-based Cryptography 1 / 20

SLIDE 2

Context & Motivation

Lattice-based cryptography (LBC)

- post-quantum security
- homomorphic encryption properties
- average-case to worst-case reductions
- scalar products and vector-matrix products, with huge dimensions

Why Residue Number Systems (RNS)?

- natural and easy concurrency for basic operations
- easy scalability
- natural matching with GPU, multi-core CPU and FPGA features
- → optimization of LBC primitives at the arithmetical level? Here, focus on Babai's round-off algorithm


SLIDE 3

Outline

- Essentials about RNS & lattices
- Closest vector problem & Round-off algorithm
- Round-off and RNS arithmetic
- Considerations about FPGA implementation
- Conclusion


SLIDE 4

Essentials

Residue Number Systems (RNS)


SLIDE 5

Essentials

Lattices

- (full-rank) lattice $L$: discrete additive subgroup of $\mathbb{R}^\ell$ ⇒ "regular grid"
- $L = r_1\mathbb{Z} \oplus \dots \oplus r_\ell\mathbb{Z}$, with $r_1, \dots, r_\ell$ independent vectors of $\mathbb{R}^\ell$
- matrix $R = (r_1, \dots, r_\ell)^{\top}$: a basis of $L$ (for $\ell \geq 2$, infinitely many bases)
- Closest Vector Problem (CVP): given $c \in \mathbb{Z}^\ell$, compute $v \in L$ such that $\|c - v\| \leq \|c - z\|$ for all $z \in L$


SLIDE 6

Solving the CVP

with Babai's Round-off algorithm, given a basis $R$ of $L$:

change of basis → rounding of the components → return to the canonical basis

$c \times R^{-1}$ (coordinates of $c$ in the basis $R$) → $\lfloor cR^{-1}\rceil \in \mathbb{Z}^\ell$ → $\lfloor cR^{-1}\rceil \times R \in L$


SLIDE 7

Solving the CVP

Cryptographic interest of CVP

- hard to find a close vector via a "bad" basis $B$ of $L$
- hard to compute a "good" basis from a bad one

GGH-like cryptosystem (1997)

- public key: bad basis; private key: good basis
- plaintext + lattice vector = ciphertext (GGH, 1997)
- deciphering: solving CVP (through the round-off algorithm)


SLIDE 8

Adapting the round-off to RNS arithmetic

Common simplification step

- $c = \lfloor cR^{-1}\rceil R + p$ with $p \in \mathbb{Z}^\ell \cap \left( (-\tfrac{1}{2}, \tfrac{1}{2})^\ell \times R \right)$
- → Babai's condition: $\sigma\rho_R < \tfrac{1}{2}$, with $\|p\|_\infty \leq \sigma$ and $\rho_R = \max_{1 \leq j \leq \ell} \sum_{i=1}^{\ell} |(R^{-1})_{i,j}|$
- $\lfloor cR^{-1}\rceil \bmod m_\sigma$ with $m_\sigma \geq 2\sigma + 1$ ⇒ $p = (c - \lfloor cR^{-1}\rceil R) \bmod_c m_\sigma$ (centered remainder)
- → just need to compute $\lfloor cR^{-1}\rceil \bmod m_\sigma$


SLIDE 9

Adapting the round-off to RNS arithmetic

Problems

- $\lfloor cR^{-1}\rceil$: rational expression and round-off function

Solutions

- $R^{-1} = \dfrac{R'}{d}$, with $d = \det R \in \mathbb{Z}$ and $R' = \mathrm{Comat}(R)^{\top} \in \mathbb{Z}^{\ell \times \ell}$
- $\left\lfloor \dfrac{a}{b} \right\rceil = \left\lfloor \dfrac{a}{b} + \dfrac{1}{2} \right\rfloor = \dfrac{2a + b - |2a + b|_{2b}}{2b}$
- exact division: doable in RNS
- $\lfloor cR^{-1}\rceil = \dfrac{2cR' + \mathbf{d} - |2cR' + \mathbf{d}|_{2d}}{2d}$, with $\mathbf{d} = (d, \dots, d)$

New problem

- complete modular reduction $|2cR' + \mathbf{d}|_{2d}$ in RNS?


SLIDE 10

Adapting the round-off to RNS arithmetic

Efficient RNS Montgomery modular reduction

- precomputations: $\tilde{R} \in [0, 2d)^{\ell^2}$, $\tilde{\mathbf{d}} \in [0, 2d)^{\ell}$
- RNS base $\mathcal{B}$ with size $M = \prod_{m \in \mathcal{B}} m > \|c\tilde{R} + \tilde{\mathbf{d}}\|_\infty / (2d) \approx \|c\|_1$


SLIDE 11

Adapting the round-off to RNS arithmetic

What we obtain

- RNS reduction gives: $|2cR' + \mathbf{d}|_{2d} + 2d \times e$
- finally we compute $\dfrac{2cR' + \mathbf{d} - |2cR' + \mathbf{d}|_{2d} - 2d \times e}{2d} = \lfloor cR^{-1}\rceil - e$
- how to correct $e$?


SLIDE 12

Adapting the round-off to RNS arithmetic

Hybrid representation RNS-Mixed Radix System (previous work)

- burdensome RNS-to-MRS conversion (intrinsically sequential)
- large RNS base $\mathcal{B}'$: $M' > (n+1) \times 2d \geq |2cR' + \mathbf{d}|_{2d} + 2d\,e$
- → how to do better? (i.e. a pure RNS approach)


SLIDE 13

Adapting the round-off to RNS arithmetic

New strategy to correct the error vector $e \in \{0, \dots, n\}^\ell$

- do not focus on $|2cR' + \mathbf{d}|_{2d} + 2d \times e$ but on the whole formula: $\dfrac{2cR' + \mathbf{d} - |2cR' + \mathbf{d}|_{2d} - 2d \times e}{2d} = \lfloor cR^{-1}\rceil - e$
- idea: $\gamma \in \mathbb{Z}$ such that $(\lfloor cR^{-1}\rceil - e) \bmod \gamma = (-e) \bmod \gamma \Rightarrow e$? ($\gamma$ enabling to extract the error)
- to recover $e$ from $(-e) \bmod \gamma$: easy, take $\gamma > n \geq \|e\|_\infty$
- to guarantee $\lfloor cR^{-1}\rceil = 0 \bmod \gamma$ whatever $c$ is... no reason to happen!


SLIDE 14

Adapting the round-off to RNS arithmetic

Keep going...

→ compute $\lfloor \gamma cR^{-1}\rceil = \dfrac{2\gamma cR' + \mathbf{d} - |2\gamma cR' + \mathbf{d}|_{2d}}{2d}$ and see what happens:

1. incomplete reduction $|2\gamma cR' + \mathbf{d}|_{2d} + 2d \times e$ gives $\lfloor \gamma cR^{-1}\rceil - e$
2. we can write $\lfloor \gamma cR^{-1}\rceil = \gamma\lfloor cR^{-1}\rceil + \lfloor \gamma pR^{-1}\rceil$

then we obtain: $\lfloor \gamma cR^{-1}\rceil - e = \gamma\lfloor cR^{-1}\rceil + \lfloor \gamma pR^{-1}\rceil - e$

New strategy: correcting the global error

- $(\lfloor \gamma cR^{-1}\rceil - e) \bmod \gamma \Rightarrow (\lfloor \gamma pR^{-1}\rceil - e) \bmod \gamma$
- $\gamma$ large enough gives: $(\lfloor \gamma pR^{-1}\rceil - e) \bmod \gamma \Rightarrow \lfloor \gamma pR^{-1}\rceil - e$
- recall: $\sigma\rho_R < 1/2 \Leftrightarrow \sigma\rho_R \leq \tfrac{1}{2} - \epsilon$ for correct rounding
- → the size of $\gamma$ depends on $\epsilon$: $\gamma \approx n\epsilon^{-1}$ ($n = \mathrm{Card}(\mathcal{B})$)
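The exact-integer rounding formula of slide 9 and the γ-based correction of slide 14, worked through on a small constructed lattice. This is an added Python example, not code from the talk: the basis R, the offset p, the modulus m_σ = 7, γ = 255 and the simulated error vector e are chosen here for illustration, and the incomplete RNS reduction itself is not implemented, only its effect (a vector e subtracted from the rounded result) is injected.

```python
def det(M):
    # Laplace expansion: exact over Z, adequate for the tiny dimension of this demo
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def adjugate(M):
    # R' = Comat(R)^T, so that R^-1 = R'/det(R) holds exactly over the integers
    n = len(M)
    minor = lambda i, j: [r[:j] + r[j + 1:] for k, r in enumerate(M) if k != i]
    return [[(-1) ** (i + j) * det(minor(j, i)) for j in range(n)] for i in range(n)]

def vecmat(v, M):
    return [sum(v[i] * M[i][j] for i in range(len(v))) for j in range(len(M[0]))]

def round_off(c, R):
    # round(c R^-1) with integers only: round(a/b) = (2a + b - |2a+b|_{2b}) / (2b),
    # coordinate-wise with a = (c R')_j and b = d = det R (sign-normalised so that b > 0)
    d, Rp = det(R), adjugate(R)
    if d < 0:
        d, Rp = -d, [[-x for x in row] for row in Rp]
    return [(t - t % (2 * d)) // (2 * d) for t in (2 * a + d for a in vecmat(c, Rp))]

def centered_mod(x, m):
    # representative of x mod m in [-m/2, m/2)
    return (x + m // 2) % m - m // 2

def corrected_round_off(c, R, gamma, e):
    # An incomplete RNS reduction yields round(gamma c R^-1) - e with e in {0..n}^l (simulated
    # here by subtracting e). Since round(gamma c R^-1) = gamma*round(c R^-1) + round(gamma p R^-1),
    # the faulty value mod gamma isolates the small term round(gamma p R^-1) - e; removing it
    # and dividing by gamma returns round(c R^-1). Needs gamma > n and gamma*eps large enough.
    faulty = [x - ei for x, ei in zip(round_off([gamma * ci for ci in c], R), e)]
    small = [centered_mod(x, gamma) for x in faulty]
    return [(x - s) // gamma for x, s in zip(faulty, small)]

def babai_cvp(c, R, m_sigma):
    # Only round(c R^-1) mod m_sigma is needed (m_sigma >= 2*sigma + 1):
    # p = (c - (round(c R^-1) mod m_sigma) R) mod_c m_sigma, then v = c - p is the lattice point.
    q = [k % m_sigma for k in round_off(c, R)]
    p = [centered_mod(ci - vi, m_sigma) for ci, vi in zip(c, vecmat(q, R))]
    return [ci - pi for ci, pi in zip(c, p)], p

# Constructed example: a "good" basis, the lattice point x R plus a small offset p (||p||_inf <= 3)
R = [[7, 1, 0], [-1, 8, 1], [0, 1, 9]]
x, p = [2, -3, 5], [3, -2, 1]
c = [xi + pi for xi, pi in zip(vecmat(x, R), p)]
print(round_off(c, R), corrected_round_off(c, R, 255, [1, 3, 0]), babai_cvp(c, R, 7))
```

For this R, ρ_R = 81/506 and σ = 3 give σρ_R ≈ 0.48, so ε ≈ 0.02 and γ = 255 comfortably satisfies γ ≈ nε⁻¹ for n = 3; shrinking γ towards n makes the centered remainder no longer capture ⌊γpR⁻¹⌉ - e and the correction fails.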


SLIDE 15

Adapting the round-off to RNS arithmetic

Final full RNS algorithm


SLIDE 16

Adapting the round-off to RNS arithmetic

Completely in RNS if $\gamma$ is a 1-modulus RNS base

→ in practice, the size of the modulus is determined by the hardware (e.g. 18 bits for some FPGA multipliers, 32/64 bits on CPU, etc.)

Examples of binary size of acceptable $\gamma$'s

for 200 bases $R \leftarrow 4\lceil\sqrt{\ell}\rceil I + \mathrm{rand}([-4, 4]^{\ell^2})$ and $\|p\|_\infty \leq 3$ (GGH challenges), with moduli of $\mathcal{B}$ having binary size $\omega$ (entries: number of bases, out of 200, per binary size of $\gamma$):

ℓ    ω   | 11  12  13  14  15  16  17  18  19  20
200  18  | 12  46  44  46  32  10   6   2   2
200  32  |  6  48  45  47  33  11   6   2   2

For ℓ = 300 and ℓ = 400 the blank cells of the original table were lost, so the columns of these rows cannot be aligned with the header; the counts, in increasing order of the size of γ, are:

300  18  | 29  51  68  28  13   4   7
300  32  | 20  55  63  37  12   5   7   1
400  18  | 15 141  33   7   3   1
400  32  |  4 134  50   8   3   1


SLIDE 17

Conclusions about the new acceleration technique

vs RNS-MRS approach

- $\gamma$ depends on the basis $R$; worst case: $\gamma \approx \det R$ ⇒ the RNS-MRS case
- $\mathcal{B}'$ replaced by $\gamma$: -50% precomputations, -55/60% elementary modular multiplications (no more RNS-to-MRS conversion)
- fast RNS base conversion: straightforward parallelization and scaling
- → $\lfloor cR^{-1}\rceil \bmod m_\sigma$ in $\ell^2 + 2n\ell$ concurrent steps in RNS channels ($n = \mathrm{Card}(\mathcal{B}) \approx \log \|c\|_1$)

vs multi-precision arithmetic (theoretical analysis)

- precomputations (vs $R^{-1}$ with sufficient precision): $\approx 2\%$ ($\ell = 256$), $\approx 0.5\%$ ($\ell = 1024$) memory overhead
- number of word-based multiplications: RNS $\approx$ Karatsuba, Toom-Cook complexities
- straightforward concurrency + single-precision arithmetic


SLIDE 18

Towards an FPGA implementation?

Why FPGA

- cheap, flexible, natural fit with the concurrency properties of RNS
- previously successfully used for RNS finite field arithmetic

Principle of RNS architecture on FPGA

"Rower" unit: computes $\sum_{i=1}^{k} a_i b_i \bmod m_j$ (core computation in fast RNS base conversion, and in vector-matrix products)


SLIDE 19

Towards an FPGA implementation?

Specific features

- 1 unit for $\gamma$: computation of the centered remainder mod $\gamma$ ($\gamma = 2^{\theta+1} - 1$ ⇒ comparing to $\lfloor \gamma/2 \rfloor$ = checking the $\theta$-th bit)
- 1 unit for $m_\sigma$: $m_\sigma \ll$ other moduli

Results of analysis for $\ell \in \{64, 128\}$

- analysis for the worst case: $\det R \in O(2^{\ell \log \ell})$ (Hadamard's bound)
- full RNS round-off CVP: $2\ell^2 + 2n\ell + 13\ell + 6$ cycles ⇒ e.g. $\approx 20\,\mu\text{s}$ for $\ell = 64$ on a 468 MHz Kintex-7
- memory bottleneck: for $\ell = 64$, $\approx 1.7$ Mbit (ok); for $\ell = 128$, $\approx 15.5$ Mbit (not enough BRAM)


SLIDE 20

Conclusion & Future work

Conclusion

- optimized CVP algorithm: $c - \lfloor cR^{-1}\rceil R$ in $2\ell^2 + O(\ell \log \|c\|_1)$ concurrent steps in small rings $\mathbb{Z}/m_i\mathbb{Z}$
- implementation on FPGA: memory bottleneck, even for non-cryptographic lattice dimensions

Future work

Beyond this first step...
- implementation on several architectures (GPU, multi-core CPU, clusters of FPGA, etc.)
- identify other bottlenecks in LBC which could be accelerated through tools from computer arithmetic


SLIDE 21

Thank You! Questions?

jean-claude.bajard@lip6.fr
julien.eynard@lip6.fr
nabil.merkiche@intradef.gouv.fr
thomaspl@uow.edu.au

SLIDE 22

Appendix

GGH-like cryptosystem


SLIDE 23

Appendix

GGH-like cryptosystem


SLIDE 24

Appendix

GGH-like cryptosystem


SLIDE 25

Adapting the round-off to RNS arithmetic

Efficient RNS Montgomery modular reduction

- requires an RNS base $\mathcal{B}$
- Montgomery representations: $\tilde{R} = |2M \times R'|_{2d}$, $\tilde{\mathbf{d}} = |M \times \mathbf{d}|_{2d}$
- RNS base $\mathcal{B}$ with size $M = \prod_{m \in \mathcal{B}} m > \|c\tilde{R} + \tilde{\mathbf{d}}\|_\infty / (2d) \approx \|c\|_1$
