saber module lwr based kem
play

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. - PowerPoint PPT Presentation

Jun 02, 2023 •552 likes •969 views

SABER: Module-LWR based KEM Round 2 J. P. DAnvers A. Karmakar S. S. Roy F. Vercauteren KU Leuven August 22, 2019 0 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 1 SABER 1 Outline 1 Introduction 2 Round 2

  1. SABER: Module-LWR based KEM Round 2 J. P. D’Anvers A. Karmakar S. S. Roy F. Vercauteren KU Leuven August 22, 2019

  2. 0 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 1 SABER

  3. 1 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 2 SABER

  4. 1 General LWE based scheme Alice Bob A ← U ( Z l × l A A ) q s e ← small ( Z l × 1 e s,e s ) q b A e ′′ ← small ( Z 1 × l b b,A A b A s e s e e b b = A A · s s + e e s s ′ ,e e ′ ,e ) q ✲ b ′ T = A A T · s s ′ + e b b A s e ′ e b ′ · s v ′ T = b b T · s s ′ + e e ′′ + q b b b ′ , v ′ v = b b s s b s e 2 m ✛ m ′ = ⌊ 2 q ( v ′ − v ) ⌉ 3 SABER

  5. 1 SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication 4 SABER

  6. 1 SABER Alice Bob A ← U ( R l × l A A ) q s e ← small ( R l × 1 e s s,e ) q b A e ′′ ← small ( R 1 × l b b,A A b A s e s e e b b = A A · s s + e e s s ′ ,e e ′ ,e ) q ✲ b ′ T = A A T · s s ′ + e b b A s e ′ e b ′ · s v ′ T = b b T · s s ′ + e e ′′ + q b b b ′ , v ′ v = b b s s b s e 2 m ✛ m ′ = ⌊ 2 q ( v ′ − v ) ⌉ 5 SABER

  7. 1 Module-LWR: SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication ◮ Learning with Rounding e e e ⊕ No generation of e e,e e ′ ,e e ′′ ⊕ Efficient bandwidth usage 6 SABER

  8. 1 SABER Alice Bob A ← U ( R l × l A A ) q s s ← small ( R l × 1 s ) q b A s ′ ← small ( R 1 × l b b,A A b = ⌊ p b A s s b q A A · s s ⌉ s ) q ✲ b ′ T = ⌊ p A T · s b A s b q A s ′ ⌉ b ′ · s v ′ T = ⌊ T b T · s s ′ + T b b b ′ , v ′ v = b b s s p b b s 2 m ⌉ ✛ m ′ = ⌊ 2 q ( v ′ − p T v ) ⌉ 7 SABER

  9. 1 Module-LWR: SABER ◮ Module: • Polynomial ring R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 • Rank of module 2 , 3 , 4 depending on security level ⊕ Flexibility: only one polynomial multiplication ◮ Learning with Rounding e e e ⊕ no generation of e e,e e ′ ,e e ′′ ⊕ efficient bandwidth usage ◮ power-of-two ⊕ easy sampling ⊕ no modular arithmetic ⊕ easy rounding = add constant and chop ⊖ no NTT for fast multiplication ⊕ Toom-Cook ⊕ easier masking 8 SABER

  10. 1 SABER Alice Bob A ← U ( R l × l ) A A q s ← small ( R l × 1 s s ) q s ′ ← small ( R 1 × l b b b,A A A h ) ≫ log 2 ( q b b = ( A A A · s s + h s h p ) s ) b s q ✲ b ′ T = ( A A T · s s ′ + h h ) ≫ log 2 ( q b A s h p ) b b ′ · s b ′ , v ′ v ′ T = ( b b T · s s ′ + h 1 + p b b 2 m ) ≫ log 2 ( p v = b b s s b s T ) m ′ = ⌊ 2 p ( v ′ − p ✛ T v ) ⌉ 9 SABER

  11. 1 SABER ◮ binomial secret distribution ⊕ easy sampling 10 SABER

  12. 1 SABER ◮ binomial secret distribution ⊕ easy sampling ◮ No error correcting code ⊕ simpler implementation ⊕ easier masking 10 SABER

  13. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) 11 SABER

  14. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) ◮ IND-CCA secure KEM version using FO-transformation 11 SABER

  15. 1 SABER - parameters ◮ R q = Z q [ X ] / ( X 256 + 1) with q = 2 13 ◮ public key / ciphertext in R p and R T with p = 2 10 and T = 2 4 ◮ Centered binomial distribution with 8 coins ( [ − 4 , 4] ) ◮ IND-CCA secure KEM version using FO-transformation ◮ Public Key: 992 Bytes ◮ Ciphertext: 1088 Bytes ◮ Failure probability: 2 − 136 ◮ Security: 185 bits 11 SABER

  16. 1 SABER Sec Cat fail prob Classical Quantum pk (B) sk (B) ciphertext (B) LightSaber-KEM: k = 2 , n = 256 , q = 2 13 , p = 2 10 , T = 2 3 , µ = 10 2 − 120 1 126 115 672 1568 736 Saber-KEM: k = 3 , n = 256 , q = 2 13 , p = 2 10 , T = 2 4 , µ = 8 2 − 136 3 199 181 992 2304 1088 FireSaber-KEM: k = 4 , n = 256 , q = 2 13 , p = 2 10 , T = 2 6 , µ = 6 2 − 165 5 270 246 1312 3040 1472 Table: Security and correctness of Saber.KEM. 12 SABER

  17. 2 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 13 SABER

  18. 2 Changes for Round 2 ◮ Generation of matrix A A A 14 SABER

  19. 2 Changes for Round 2 ◮ Generation of matrix A A A A T • multiplication with A A A and A A • just-in-time possible for A A A • speed-up preferred in encryption 14 SABER

  20. 2 Serial vs parallel generation of A ◮ software • Keccak-Absorb() is more expensive than Keccak-Extract() • Hence, serial SHAKE is faster on non-vectorized microcontrollers • But, slower on Intel AVX 15 SABER

  21. 2 Serial vs parallel generation of A ◮ software • Keccak-Absorb() is more expensive than Keccak-Extract() • Hence, serial SHAKE is faster on non-vectorized microcontrollers • But, slower on Intel AVX ◮ hardware • Keccak core consumes 33% of overall area [BPC19] (including memory) • Keccak-Extract produces RND every 28 cycles • Polynomial multiplier consumes RND much slower than Keccak can produce • Serial Keccak makes implementation simpler 15 SABER

  22. 2 Changes for Round 2 ◮ Generation of matrix A A A 16 SABER

  23. 2 Changes for Round 2 ◮ Generation of matrix A A A ◮ Rounding = add constant + chopping ◮ one of the constants changed for security proof 16 SABER

  24. 2 Changes for Round 2 ◮ Generation of matrix A A A ◮ Rounding = add constant + chopping ◮ one of the constants changed for security proof ◮ (Debated) smaller secret variance ◮ e.g. trinary binomial distribution ◮ would reduce public key and ciphertext size with ± 10% ◮ too aggressive 16 SABER

  25. 3 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 17 SABER

  26. 3 Software Implementations ◮ Haswell AVX2 (KU Leuven, Belgium [DKRV18]) • IND-CCA encapsulation/decapsulation 122K, 120K cycles 18 SABER

  27. 3 Software Implementations ◮ Haswell AVX2 (KU Leuven, Belgium [DKRV18]) • IND-CCA encapsulation/decapsulation 122K, 120K cycles ◮ ARM Cortex-M (KU Leuven, Belgium [KMRV18]) • Cortex-M4 (Speed) - encapsulation/decapsulation 1444 / 1543 K cycles • Cortex-M4 (Speed / Memory) - encapsulation/decapsulation 1530 / 1635 K cycles - encapsulation/decapsulation 7019 / 8115 bytes memory • Cortex-M0 (Memory) - encapsulation/decapsulation 6328 / 7509 K cycles - encapsulation/decapsulation 5119 / 6215 bytes memory 18 SABER

  28. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles 19 SABER

  29. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles ◮ Lightweight HW/SW codesign (KU Leuven, Belgium) • Encapsulation/decapsulation require ≈ 4 . 2 ms 19 SABER

  30. 3 Hardware Implementations I ◮ High-speed HW (University of Birmingham, UK) • Instruction-set coprocessor architecture with all SABER components on HW • Generic HDL code: suitable for ASIC and FPGA implementation • IND-CPA encryption/decryption = 6/1.6 K cycles • IND-CCA encapsulation/decapsulation = ≈ 7 / 8 . 5 K cycles ◮ Lightweight HW/SW codesign (KU Leuven, Belgium) • Encapsulation/decapsulation require ≈ 4 . 2 ms ◮ High-speed HW/SW codesign (George Mason University, USA / Military University of Technology, Poland [HOKG18]) • Encapsulation/decapsulation require ≈ 0 . 069 ms 19 SABER

  31. 3 Hardware Implementations II ◮ ASIC implementation (Tsinghua University, China) • Still in development • Polynomial multiplication • Area: 220626 um 2 (307193GE) • Max Freq: 400 MHz • Power: 4 . 34 mW 20 SABER

  32. 3 Masking ◮ First order masking can be achieved by arithmetic masking in polynomial multiplication and Boolean masking for decoding. ◮ Saber uses power-of-two modulus ◮ Thus masking methods can be combined by Debraize’s arithmetic to boolean conversion [Deb12] ◮ Time with masking roughly doubles. 21 SABER

  33. 4 Outline 1 Introduction 2 Round 2 changes 3 Implementations 4 Conclusion 22 SABER

  34. 4 Conclusion SABER is: ◮ Flexible 23 SABER

  35. 4 Conclusion SABER is: ◮ Flexible ◮ Simple 23 SABER

  36. 4 Conclusion SABER is: ◮ Flexible ◮ Simple ◮ Efficient 23 SABER

  37. 4 Conclusion SABER is: ◮ Flexible ◮ Simple ◮ Efficient ◮ More work in the pipeline 23 SABER

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber

Embracer Group acquires Saber Interactive Investor presentation 19 February 2020 Saber Interactive at a glance GLOBAL BUSINESS TRACK RECORD OF OWN/LICENSED IPs US-based game developer Founded by Matthew Karch (CEO) and Andrey Iones

314 views • 18 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Mission Introduction Launch a 1-2 kg payload on a suborbital flight to an altitude of ~100 km

Overview of the SABER Mission and Launch Vehicle Design S uborbital 4/5/2018 A tmospheric B alloon E levated R ocket SABER: INSERT Presentation Name SABER: Suborbital Atmospheric Balloon Elevated Rocket 4/5/2018 Mission Introduction Launch

495 views • 26 slides
Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support

Saber Platform Presentation Agenda Overview portal Explanation & Requirements Support portal Review Open Discussion Overview Introduction Saber is an integrated e-service that allows traders to register their enterprise and the

408 views • 23 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D.

IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D.

IMA Platform Computing Module based on Partial Reconfigurable FPGA R. F. Romero, O. Saotome, D. S. Loubach, E. G. O. Nbrega, I. Sander, I. S derquist 1 ABSTRACT The present work proposes an IMA module design approach based on partial

344 views • 12 slides
WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3 Status Boards Position Log Request for Assistance Mission/Task Significant Events Module 4 Forms Module 5 Links Module 6

847 views • 72 slides
Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio informatics .ca Module 7 Data Visualization Anamaria Crisan Learning Objectives of Module Understand the process of encoding and decoding

1.31k views • 79 slides
Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 2 was an overview about leadership. But, how do we or did we gain an opportunity to lead? Module 3 gives us insight into transitioning from an employee into a supervisor and/or manager. 0 Module 3 Supervisory Transition Module 3:

1.03k views • 18 slides
Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

As you learned to take your leadership vision and create a progressive strategy in Module 11, it should be apparent that our stakeholders are a priority. Module 12 identifies how to effectively communicate with our stakeholders. 0 Module 12

473 views • 15 slides
Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 - Identifying the Building Blocks Module 4 - Reviewing a portfolio This Module Active vs Passive investing Off the shelf solutions Trackers and ETFs and

648 views • 32 slides
Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe

Confluence of the Call-By-Value -calculus Karim NOUR and Khelifa SABER LAMA - Equipe de logique Universit e de Chamb ery 73376 Le Bourget du Lac e-mail: { knour, ksabe } @univ-savoie.fr 1 Plan 1. The -calculus

464 views • 14 slides
Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview -

Planetary Control Team Saber Programmers: Ishpreet, Alex Designers: Ivan, Brandon Overview - Top down, 2.5D strategy game mixed with third person action combat. - Select 4 units from the roster and move them strategically to get the

255 views • 14 slides
Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi

The 8th Hatyai National and International Conference Thursday, June 2 2, 202 7 at Hatyai University Patterns of corrective feedback in EFL Dyadic Classroom Interaction Mansour Amini 1 , Saber Alavi 2* , Ali Zahabi 3 , Etienne Vorster 4 1 Faculty of

462 views • 10 slides
1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

Welcome to our e-module series on How to Work with USAID. This e- module is the first part on Registering for Federal Award Systems and focuses on DUNS registration. This e-module is geared towards non- governmental organizations

498 views • 22 slides
Getting the Measure of Child Wellbeing with Rumbles Quest A Tool for Schools and Their

Getting the Measure of Child Wellbeing with Rumbles Quest A Tool for Schools and Their

Getting the Measure of Child Wellbeing with Rumbles Quest A Tool for Schools and Their Communities Dr Kate Freiberg and Professor Ross Homel Griffith Criminology Institute DATE PRESENTATION TOPIC June 17 th The power of a critical friend

265 views • 23 slides
RPAS Swarms in Disaster Management Missions Efficient Deployment through Optimized Mission

RPAS Swarms in Disaster Management Missions Efficient Deployment through Optimized Mission

DLR.de Chart 1 > ICRAT 2014 > Julia Zillies Doctorial Symposium > 30 May 2014 RPAS Swarms in Disaster Management Missions Efficient Deployment through Optimized Mission Planning Julia Zillies, Dagi Geister DLR.de Chart

170 views • 14 slides
Case study on open access journals in Economics and Business Studies and their engagement on the

Case study on open access journals in Economics and Business Studies and their engagement on the

Case study on open access journals in Economics and Business Studies and their engagement on the Web Kaltrina Nuredini, Atif Latif & Isabella Peters Altmetrics 17, Toronto, Canada 26.09.2017 ZBW is part of the Leibniz Association Die ZBW

389 views • 15 slides
1 2 3

1 2 3

1 2 3

217 views • 11 slides
Degree Progress Reports Whats been happening? DPR and Transfer Credit project started in July

Degree Progress Reports Whats been happening? DPR and Transfer Credit project started in July

Degree Progress Reports Whats been happening? DPR and Transfer Credit project started in July 20 14 9 9 4 active plans have been encoded: 215 graduate majors 330 undergraduate majors 54 graduate certificates 172 second

556 views • 34 slides
Explaining rankings Maartje ter Hoeve University of Amsterdam & Blendle Maartje ter Hoeve

Explaining rankings Maartje ter Hoeve University of Amsterdam & Blendle Maartje ter Hoeve

Explaining rankings Maartje ter Hoeve University of Amsterdam & Blendle Maartje ter Hoeve maartje.terhoeve@student.uva.nl C o n t e n t Answering Research Discussion and What and why? Rankings Blendle Related work research

875 views • 61 slides
Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman, Northern Illinois University, azimmerman5@niu.edu Al Nagy, John Carroll University, alnagy@jcu.edu 2016 Deloitte/KU Audit Symposium, May 20 8/16/2016 1

553 views • 17 slides
Zero-query information retrieval system no explicit query from user IR triggered by

Zero-query information retrieval system no explicit query from user IR triggered by

Zero-query information retrieval system no explicit query from user IR triggered by context cheap information for user 7 Zero-query information retrieval system 8 Context: Activity 9 Context: Activity Watching football

256 views • 22 slides

More recommend