sidh on arm
play

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum - PowerPoint PPT Presentation

Dec 20, 2023 •217 likes •593 views

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

  1. SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi Hu (Central South University)

  2. Outline • Short Overview • Post-quantum supersingular isogeny Diffie-Hellman (SIDH) key exchange • Supersingular isogeny key encapsulation (SIKE) protocol • Our implementation • Optimized implementations for 32-bit ARMv7 • Optimized implementations for 64-bit ARMv8 • Implementation results • Conclusion 1

  3. Post-Quantum Cryptography (Isogeny) • RSA and ECC: integer factorization and ECDLP • Hard problems can be solved by Shor’s algorithm in a quantum computer. • Quantum-Resistant Cryptography • NIST launches the post-quantum cryptography standardization project. “The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.” • Code, Lattice, Hash, Multivariate, Isogeny … • Isogeny-based cryptography: (conjectured to be) hard for quantum computers • Supersingular isogeny Diffie-Hellman (SIDH) key exchange was proposed by Jao and De Feo in 2011 . • Among all the submitted post-quantum candidates, SIDH uses the smallest keys 2

  4. Mobile Platform (32-bit/64-bit ARM) Platform ARM Cortex-A15 ARM Cortex-A53 ARM Cortex-A72 Architecture 32-bit ARMv7 64-bit ARMv8 64-bit ARMv8 Frequency 2.0 GHz 1.512 GHz 1.992 GHz No. registers 15 31 31 No. registers (NEON) 16 32 32 Application Wearable devices Smartphones 3

  5. Previous Works • Hardware Implementation • FPGA: • Koziel et al. [INDOCRYPT’16, TCAS’17] • Software Implementation • 64-bit Intel processor: • Costello et al. [CRYPTO’16, EUROCRYPT’17], Faz- Hernández et al. [ToC’17], Zanon et al. [PQCrypto’18] • 64-bit ARM processor: • Jalali et al. [SAC’17]  this work [CHES’18] • 32-bit ARM processor: • Koziel et al. [CANS’16]  this work [CHES’18] 4

  6. Motivation Type Algorithm Advantage Disadvantage Code McEliece  Fast computation  Long key size Hash XMSS, SPHINCS  Security proof  Long signature size  Difficulty of Lattice (ring)-LWE  Fast computation parameter selection  Short signature size Multivariate UOV, Rainbow  Long key size  Fast computation Isogeny SIDH, SIKE  Short key size  Slow computation • All PQC candidates have their own pros and cons . • Disadvantage of SIDH/SIKE is slow computation. • In this talk, we address this problem on 32-bit and 64-bit ARM processors. 5

  7. Contribution • Unified ARM/NEON multiplication: instruction level parallelism • New Montgomery reduction: “ UMAAL ” + “ hybrid-scanning ” • Efficient Implementation of SIDH: • p503 ( 88 msec ) / p751 ( 292 msec ) on 32-bit ARMv7-A @2.0GHz • p503 ( 45 msec ) on 64-bit ARMv8-A @1.992GHz 6

  8. Outline • Short Overview • Post-quantum supersingular isogeny Diffie-Hellman (SIDH) key exchange • Supersingular isogeny key encapsulation (SIKE) protocol • Our implementation • Optimized implementations for 32-bit ARMv7 • Optimized implementations for 64-bit ARMv8 • Implementation results • Conclusion 7

  9. Post-quantum key exchange algorithm • Supersingular Isogeny Diffie-Hellman (SIDH) • Shared key generation between two parties over an insecure communication channel. • SIDH works with the set of supersingular elliptic curves over 𝔾 𝑞 2 and their isogenies. 𝐹 𝐵𝐶 = Φ ′ 𝐵 + 𝑡 𝐵 𝑅 𝐵 , 𝑄 𝐶 + 𝑡 𝐶 𝑅 𝐶 ≅ 𝐹 𝐶𝐵 = Φ ′ 𝐶 Φ 𝐵 𝐹 0 ≅ 𝐹 0 / 𝑄 𝐵 Φ 𝐶 𝐹 0 8

  10. Supersingular Isogeny Key Encapsulation (SIKE) • SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016) • SIKE: (Costello – De Feo – Jao – Longa – Naehrig – Renes 2017) • IND-CCA secure key encapsulation based on SIDH. • Uses a variant of Hofheinz – Hövelmanns – Kiltz (HHK) transform: IND-CPA PKE → IND-CCA KEM • For a starting curve 𝐹 0 / 𝔾 𝑞 2 : 𝑧 2 = 𝑦 3 + 𝑦 , where 𝑞 = 2 𝑓𝐵 3 𝑓𝐶 − 1 Scheme classicalsec. quantumsec. Securitylevel 𝑓 𝐵 , 𝑓 𝐶 (SIKEp + log 2 𝑞 ) SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1) SIKEp751 (372,239) 188 bits 125 bits AES-192 (NIST level 3) 9 SIKEp964 (486,301) 241 bits 161 bits AES-256 (NIST level 5)

  11. Outline • Short Overview • Post-quantum supersingular isogeny Diffie-Hellman (SIDH) key exchange • Supersingular isogeny key encapsulation (SIKE) protocol • Our implementation • Optimized implementations for 32-bit ARMv7 • Optimized implementations for 64-bit ARMv8 • Implementation results • Conclusion 10

  12. Multiplication Instruction (32-bit ARMv7) 32 bits 32 bits ARM NEON R0 V0 a0 a3 a2 a1 a0 × × × R1 V1 b0 b3 b2 b1 b0 + V2 R2 a1b0 a0b0 c0 64 bits + R3 d0 UMULL R3, R2 a0b0 + c0 + d0 64 bits 11 UMAAL

  13. Previous Multiprecision Multiplication (32-bit ARMv7) C[14] C[7] C[14] C[7] C[0] C[0] A[7]B[0] A[7]B[0] 1 4 A[0]B[0] A[7]B[7] A[7]B[7] A[0]B[0] 3 2 A[0]B[7] A[0]B[7] Consecutive Operand Caching ( COC ) for ARM Cascade Operand Scanning ( COS ) for NEON Bitlength Method Instruction Timings [ 𝒅𝒅 ] COC ARM (UMAAL) 158 BEST 256-bit COS NEON (UMULL) 188 COC ARM (UMAAL) 596 BEST 512-bit COS NEON (UMULL) 632 12 Target processor: 32-bit ARM Cortex-A15

  14. Proposed Multiprecision Multiplication (32-bit ARMv7) • Instruction level parallelism • ARM and NEON instructions are issued together • Karatsuba multiplication: m -bit multiplication ( 𝐵 𝐼 ∙ 𝐶 𝐼 ∙ 2 𝑛 + 𝐵 𝐼 ∙ 𝐶 𝐼 + 𝐵 𝑀 ∙ 𝐶 𝑀 − 𝐵 𝐼 − 𝐵 𝑀 ∙ 𝐶 𝐼 − 𝐶 𝑀 ∙ 2 𝑛/2 + 𝐵 𝑀 ∙ 𝐶 𝑀 ) • Two 𝒏/𝟑 -bit multiplication in ARM • One 𝒏/𝟑 -bit multiplication in NEON 13

  15. ARM Operand Operand subtraction 1 passing NEON 15

  16. ARM C[0] C[14] C[7] Operand Operand subtraction 1 passing NEON 3 3 C[6] 2 C[10] C[4] C[0] C[14] 4 4 2 A[7]B[7] A[0]B[0] C[8] 16

  17. ARM C[0] C[14] C[7] Operand Operand subtraction 1 passing NEON 3 3 C[6] Result 2 C[10] C[4] passing C[0] C[14] 4 4 2 A[7]B[7] A[0]B[0] C[8] Result accumulation 5 17

  18. Proposed Multiprecision Multiplication (32-bit ARMv7) Bitlength Method Instruction Timings [ 𝒅𝒅 ] COC ARM 596 GMP-6.1.2 ARM 1,138 512-bit 1.26x COS NEON 632 This work ARM/NEON 470 GMP-6.1.2 ARM 2,408 2.64x 768-bit This work ARM/NEON 912 Target processor: 32-bit ARM Cortex-A15 18

  19. Proposed Modular Reduction (32-bit ARMv7) • m -bit modular reduction using Montgomery reduction • Two 𝒏/𝟑 -bit multiplication in ARM • Two 𝒏/𝟑 -bit multiplication in NEON 19

  20. Operand ARM passing NEON 20

  21. T[14] T[7] T[0] Operand Q[7]M[0] ARM passing NEON 3 T[6] 2 1 T[0] 1 4 T[10] T[4] T[10] Operand Q[7]M[7] Q[0]M[0] 4 3 passing 2 T[4] T[14] T[8] 21 Q[0]M[7]

  22. T[14] T[7] T[0] Operand Q[7]M[0] ARM passing NEON 3 T[6] 2 1 T[0] 1 4 T[10] T[4] T[10] Q[7]M[7] Operand Q[0]M[0] 4 3 passing 2 T[4] T[14] T[8] Result Result 22 5 passing Accumulation Q[0]M[7]

  23. Modular Reduction for SIDH • Efficient Montgomery reduction: Montgomery-friendly modulus • The lower word of the modulus is 𝟑 𝒙 − 𝟐  Montgomery constant is equal to 1. • Multiplications with an all-ones word ( 𝑈 × 0𝑦𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺  𝑈 × 2 32 − 𝑈 ): shifts and subtractions • (e.g., 𝑞503 = 2 250 3 159 − 1 ) 0x4066F541811E1E6045C6BDDA77A4D01B9BF6C87B7E7DAF13085BDA2211E7A0AB FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (in hexadecimal) • A modulus M+1 turns the lower part of the modulus into all-zero words • (e.g., 𝑞503 + 1 = 2 250 3 159 ) 0x4066F541811E1E6045C6BDDA77A4D01B9BF6C87B7E7DAF13085BDA2211E7A0AC 00000000000000000000000000000000000000000000000000000000000000 (in hexadecimal) 23

  24. Proposed Modular Reduction for SIDH (32-bit ARMv7) • m -bit modular reduction using Montgomery reduction • One 𝒏/𝟑 -bit multiplication in ARM • One 𝒏/𝟑 -bit multiplication in NEON 24

  25. Operand ARM passing NEON 25

  26. T[10] T[3] T[14] Operand ARM passing Q[7]M[3] NEON T[10] 2 1 2 T[3] Q[7]M[7] T[14] T[7] 1 Q[0]M[3] 26 Q[0]M[7]

  27. T[10] T[3] T[14] Operand ARM passing Q[7]M[3] NEON T[10] 2 1 2 T[3] Q[7]M[7] T[14] T[7] 1 Result Q[0]M[3] 3 Accumulation 27 Q[0]M[7]

  28. Outline • Short Overview • Post-quantum supersingular isogeny Diffie-Hellman (SIDH) key exchange • Supersingular isogeny key encapsulation (SIKE) protocol • Our implementation • Optimized implementations for 32-bit ARMv7 • Optimized implementations for 64-bit ARMv8 • Implementation results • Conclusion 28

  29. Multiplication Instruction (64-bit ARMv8) X0 X0 a0 a0 × × X1 X1 b0 b0 a1b0 a0b0 a0b0 a0b0 64 bits 64 bits X3 X2 X3 X2 MUL UMULH 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The

835 views • 44 slides
Magical parallel variant of SIDH Daniel Cervantes-V azquez Eduardo

Magical parallel variant of SIDH Daniel Cervantes-V azquez Eduardo

A Magical parallel variant of SIDH Daniel Cervantes-V azquez Eduardo Ochoa-Jim enez Francisco Rodr guez-Henr quez September 10, 2018 A Cervantes-Ochoa-Rodr guez Magical

411 views • 18 slides
Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

1.82k views • 154 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not

Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not

Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not the Opposite of Threaded Programming Atul Adya, Jon Howell, Marvin Theimer, William J. Bolosky, John R. Douceur Microsoft Research Presented by Li

249 views • 22 slides
DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN CHAPTER 149 FROM A DIV 26000 ELECTRICAL CONTRACTOR PROSPECTIVE Dos: Donts: Give us a heat trace spec in DIV26 Double spec it with

492 views • 4 slides
Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by

Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by

Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by Assemblymember Levine Regional Conservation Investment Strategy (RCIS) SB 1 (2017) by Senator Beall Proposition 68 (2018) Wildlife

432 views • 6 slides
CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt

CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt

CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt SDSM&T Finite State Machine Review Any Finite state machine with two inputs, two Mealy outputs, two Moore outputs, and up to four states can be

515 views • 28 slides
Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will

Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will

Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will show you how to solve this. 1 2 of 8 = 1 Denominator 2 Split the number (that we are trying to find a fraction of) into two equal groups because

359 views • 15 slides
Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our

Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our

Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our Task Our Approach Results! Background Entity: The thing being described Aspect: A part of the thing being described The screen

482 views • 15 slides
Origin and future draft-kristensen-avt-rtp-h264-extension-00 split in two based on last IETF

Origin and future draft-kristensen-avt-rtp-h264-extension-00 split in two based on last IETF

Parameters for Static Macroblocks and Aspect Ratio in the RTP Payload Format for H.264 Video draft-ietf-avt-rtp-h264-params-00.txt Tom Kristensen, TANDBERG Roni Even, Polycom Origin and future draft-kristensen-avt-rtp-h264-extension-00

175 views • 5 slides
A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint

A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint

A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint work with XXXX and XXXX Event, location, date, etc. Introduction 1/5 How to use this template? pdflatex slides.tex pdflatex

309 views • 8 slides
Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor

Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor

Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor The University of Arizona with contributions from Fan Wang, Roger Wood, and Yan Li March 25, 2004 Outline Background Channel Model

522 views • 26 slides
Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web

Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web

Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web Design The control which designers know in the print medium, and A Dao of Web Design often desire in the web medium, is simply a function of the

297 views • 7 slides
Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru)

Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru)

Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru) Bercea (a) , Andrew TT McRae (b) , Lawrence Mitchell (c) , David A Ham, Paul HJ Kelly (a) gheorghe-teodor.bercea08@imperial.ac.uk (b)

638 views • 30 slides
Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep

Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep

Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep Joaquim Martins Thickness distribution t Chord distribution c Twist distribution Definitions Aspect ratio Mean aerodynamic chord

95 views • 9 slides
CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu https://stevens.netmeister.org/615/

1.21k views • 73 slides
SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo

SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo

SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo Cho, Sung-Kwan Heo Mobile Solution Group Software Center Samsung Electronics salee@samsung.com Softw are Center 1 SAMSUNG Agenda Introduction

499 views • 11 slides
Graph-theoretic methods in combinatorial (algebraic) topology Micha l Adamaszek Universit

Graph-theoretic methods in combinatorial (algebraic) topology Micha l Adamaszek Universit

Graph-theoretic methods in combinatorial (algebraic) topology Micha l Adamaszek Universit at Bremen Joint work with Jan Hladk y and Juraj Stacho Micha l Adamaszek Graph-theoretic methods 1 / Combinatorial (algebraic)

272 views • 16 slides
Formal Verification of Real Time Systems Timed Automata Radek Pel anek Basic Concepts

Formal Verification of Real Time Systems Timed Automata Radek Pel anek Basic Concepts

Basic Concepts Theoretical Results Practical Verification Summary Formal Verification of Real Time Systems Timed Automata Radek Pel anek Basic Concepts Theoretical Results Practical Verification Summary Aim of the Lecture knowledge of

849 views • 67 slides
Data types and printf Eric McCreath Learning c It is difficult to order how this material on c

Data types and printf Eric McCreath Learning c It is difficult to order how this material on c

Data types and printf Eric McCreath Learning c It is difficult to order how this material on c programming is presented such that content purely builds on previous content. Thus we just 'jump into' the c programming language and then focus on

366 views • 10 slides
Assemblers and Linkers CS 2253 Owen Kaser, UNBSJ Contents Review of assembler tasks A

Assemblers and Linkers CS 2253 Owen Kaser, UNBSJ Contents Review of assembler tasks A

Assemblers and Linkers CS 2253 Owen Kaser, UNBSJ Contents Review of assembler tasks A look at linker tasks Assembler implementation The location counter and symbol table Two-pass assembler Macros and conditional

598 views • 21 slides
Assembler Simon Cook 2013 European LLVM Conference, Paris This presentation Inspired by

Assembler Simon Cook 2013 European LLVM Conference, Paris This presentation Inspired by

Mini-Tutorial: How to implement an LLVM Assembler Simon Cook 2013 European LLVM Conference, Paris This presentation Inspired by previous tutorials. Covering some of the details easily tripped up on. Using the OpenRISC 1000 backend

202 views • 18 slides
Lab 5 CSE141L Announcements New lab due date policy Assigned Friday Due the next

Lab 5 CSE141L Announcements New lab due date policy Assigned Friday Due the next

Lab 5 CSE141L Announcements New lab due date policy Assigned Friday Due the next Friday or Due Sunday night for 10% off. Applies to current Lab 4, and the Lab 5. ClarificaHon About Memories Fetch unit Back end Fifo

187 views • 14 slides

More recommend