standard lattice based key encapsulation on embedded
play

Standard Lattice-Based Key Encapsulation on Embedded Devices James - PowerPoint PPT Presentation

Oct 07, 2023 •20 likes •890 views

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

  1. 11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe † , Tobias Oder ‡ , Markus Krausz ‡ , and Tim uneysu ‡∗ . G¨ † University of Bristol, UK; ‡ Ruhr-Universit¨ at Bochum, Germany; and ∗ DFKI, Germany.

  2. 11 September 2018 Outline Introduction ◮ Post-quantum cryptography ◮ Lattice-based cryptography ◮ Previous implementations Motivation ◮ NIST PQC standardisation ◮ Taking off the ring! Introduction to Frodo Microcontroller design Hardware design Results and performance analysis

  3. 11 September 2018 Section 1 Introductions

  4. 11 September 2018 Motivation What happens when quantum computers become a reality 10-15 years from now? Commonly used public-key cryptographic algorithms (based on integer factorization and discrete log problem) such as: RSA, DSA, Diffie-Hellman Key Exchange, ECC, ECDSA will be vulnerable to Shor’s algorithm and will no longer be secure. ◮ “Worse than Y2K: quantum computing and the end of privacy” – Forbes, 2018. ◮ “The quantum clock is ticking on encryption - and your data is under threat” – Wired, 2016. ◮ “Unbreakable: The race to protect our secrets from quantum hacks” – New Scientist, 2018.

  5. 11 September 2018 Motivation The industry is starting to take this threat seriously. Microsoft Research and IBM Research. Infineon and NXP Semiconductors. PQShield and ISARA. National Cyber Security Centre (NCSC) and probably more...

  6. 11 September 2018 Post-quantum cryptography Quantum computers exploit the power of parallelism. ◮ Some classically hard computational problems are now trivial. Shor’s Algorithm (1994) ◮ Can quickly factorise large numbers (exponential speed-up). ◮ Significant implications for current public-key cryptography. Grover’s Algorithm (1996) ◮ Can search an unsorted database faster than a conventional computer, effects symmetric-key cryptography, so AES-128 now 64-bit secure.

  7. 11 September 2018 Post-Quantum Cryptography NIST have started a post-quantum standardisation “competition”. ◮ Similar to previous AES and SHA-3 standardisations. Submissions breakdown: 42% lattice-based, 25% code-based, 18% multivariate, 9% other, 3% hash-based, 2% SIDH. ETSI researching requirements for quantum-safe real-world deployments.

  8. 11 September 2018 Related work (Microcontroller) Code-based relatively low memory consumption, slow performance. Lattices have good performance, isogenies significantly slower. Crypto. Scheme PQ Type Device Memory Cycles QC-MDPC Encrypt [HVMG13] Code ATxmega256 3705 Bytes 37,440,137 QC-MDPC Decrypt [HVMG13] Code ATxmega256 5496 Bytes 26,767,463 SIKE (Total) [SLLH18] Isogenies Cortex-A53 ≤ 35k Bytes 133,300,000 Saber Encaps [KMRV18] Lattice Cortex-M4 7k Bytes 1,530,000 Saber Decaps [KMRV18] Lattice Cortex-M4 8k Bytes 1,635,000 Kyber768 Encaps [pqm] Lattice Cortex-M4 13.5k Bytes 1,497,789 Kyber768 Decaps [pqm] Lattice Cortex-M4 14.5k Bytes 1,526,564 FrodoKEM-640-cSHAKE Encaps [pqm] Lattice Cortex-M4 58k Bytes 111,688,861 FrodoKEM-640-cSHAKE Decaps [pqm] Lattice Cortex-M4 68k Bytes 112,156,317 NewHope KEX [AJS16] Lattice Cortex-M4 23k Bytes 2,561,438 ECDH scalar multiplication [DHH + 15] ECC Cortex-M0 8k Bytes 3,589,850

  9. 11 September 2018 Related work (FPGA) Code-based systems have huge KeyGen / decryption, but fast encryption. Isogenies have fairly small designs but can be a lot slower. Table: FPGA consumption and performance of related post-quantum schemes. Crypto. Scheme PQ Type Device LUT/FF Slice DSP BRAM MHz Ops/sec Niederreiter KeyGen [WSN18] Code Stratix-V -/- 39122 - 827 230 75 Niederreiter Encrypt [WSN18] Code Stratix-V -/6977 4276 - 0 448 83k Niederreiter Decrypt [WSN18] Code Stratix-V -/48050 20815 - 88 290 12k SIDH (Total) [KAKJ17] Isogenies Virtex-7 13k/15k 5k 64 33 191 22 NewHope KEX Server [KLC + 17] Lattice Artix-7 20826/9975 7153 8 14 131 19k NewHope KEX Client [KLC + 17] Lattice Artix-7 18756/9412 6680 8 14 133 12.7k NewHope KEX Server [OG17] Lattice Artix-7 5142/4452 1708 2 4 125 731 NewHope KEX Client [OG17] Lattice Artix-7 4498/4635 1483 2 4 117 653 LWE Encryption [HMO + 16] Lattice Spartan-6 6078/4676 1811 1 73 125 1272 ECDH [SG14] Curve25519 Zynq 7020 2783/3592 1029 20 2 200 2519

  10. 11 September 2018 Why focus on lattice-based cryptography? In many cases, lattice-based cryptography outperforms RSA and ECC with competitive key / signature / ciphertext sizes [HPO + 15]. More versatile than code-based, isogeny-based, multivariate, and hash-based cryptography. Can be used for encryption, signatures, FHE, IBE, ABE, etc... Theoretical foundations are well-studied, no serious breaks (yet!).

  11. 11 September 2018 Lattice-based cryptography in practice Lattice-based cryptography is important in its own right. ◮ Benefits from simple mathematical operations such as integer multiplication, addition, and modular reduction. Lattice-based cryptography is flourishing: ◮ 40% lattice-based NIST PQC submissions. ◮ NewHope key exchange created. ◮ Ring-LWE encryption and BLISS signatures outperform RSA and ECC in s/w and h/w. Lattice-based cryptography is already being considered: ◮ VPN strongSwan supports post-quantum mode. ◮ NewHope awarded Internet Defense Prize Winner 2016. ◮ Google experimenting with NewHope key exchange.

  12. 11 September 2018 The Learning With Errors Problem There is a secret vector s ← Z n q . An oracle (who knows s ) generates a uniform matrix A and noise vector e distributed normally with standard deviation αq . The oracle outputs: ( A , b = As + e mod q ) . The distribution of A is uniformly random, b is pseudo-random.

  13. 11 September 2018 The Learning With Errors Problem There is a secret vector s ← Z n q . An oracle (who knows s ) generates a uniform matrix A and noise vector e distributed normally with standard deviation αq . The oracle outputs: ( A , b = As + e mod q ) . The distribution of A is uniformly random, b is pseudo-random. Can you find s , given access to ( A , b ) ?

  14. 11 September 2018 The Learning With Errors Problem There is a secret vector s ← Z n q . An oracle (who knows s ) generates a uniform matrix A and noise vector e distributed normally with standard deviation αq . The oracle outputs: ( A , b = As + e mod q ) . The distribution of A is uniformly random, b is pseudo-random. Can you find s , given access to ( A , b ) ? Can you distinguish ( A , b ) from a uniformly random ( A , b ′ ) ?

  15. 11 September 2018 Classes of lattices (simplified) Lattice-based cryptographic schemes generally fall under three classes. LWE ← → Module-LWE ← → Ring-LWE

  16. 11 September 2018 Classes of lattices (simplified) Lattice-based cryptographic schemes generally fall under three classes. LWE ← → Module-LWE ← → Ring-LWE Added structures hinder security. LWE ≥ sec. Module-LWE ≥ sec. Ring-LWE

  17. 11 September 2018 Classes of lattices (simplified) Lattice-based cryptographic schemes generally fall under three classes. LWE ← → Module-LWE ← → Ring-LWE Added structures hinder security. LWE ≥ sec. Module-LWE ≥ sec. Ring-LWE However, it can also gain performance. LWE ≤ per. Module-LWE / Ring-LWE

  18. 11 September 2018 Classes of lattices (simplified) Lattice-based cryptographic schemes generally fall under three classes. LWE ← → Module-LWE ← → Ring-LWE Added structures hinder security. LWE ≥ sec. Module-LWE ≥ sec. Ring-LWE However, it can also gain performance. LWE ≤ per. Module-LWE / Ring-LWE How does Ring-LWE compare with Module-LWE? What about NTRU?

  19. 11 September 2018 Structured lattices in practice Table: Microcontroller cycle counts of related lattice-based schemes. Crypto. Scheme Lattice Type Device Memory Cycles *Saber Encaps [KMRV18] Module-LWE Cortex-M4 7k Bytes 1,530,000 *Saber Decaps [KMRV18] Module-LWE Cortex-M4 8k Bytes 1,635,000 *Kyber768 Encaps [pqm] Module-LWE Cortex-M4 13.5k Bytes 1,497,789 *Kyber768 Decaps [pqm] Module-LWE Cortex-M4 14.5k Bytes 1,526,564 *NewHope KEM Encaps [pqm] Ring-LWE Cortex-M4 17.5k Bytes 1,966,358 *NewHope KEM Decaps [pqm] Ring-LWE Cortex-M4 19.5k Bytes 1,977,753 *FrodoKEM-640-cSHAKE Encaps [pqm] LWE Cortex-M4 58k Bytes 111,688,861 *FrodoKEM-640-cSHAKE Decaps [pqm] LWE Cortex-M4 68k Bytes 112,156,317 NTRU-HRSS-KEM KeyGen [pqm] NTRU Cortex-M4 10k Bytes 197,262,297 NTRU-HRSS-KEM Encaps [pqm] NTRU Cortex-M4 9k Bytes 5,166,153 NTRU-HRSS-KEM Decaps [pqm] NTRU Cortex-M4 10k Bytes 15,069,480 Str-NTRU-prime KEM KeyGen [pqm] NTRU Cortex-M4 14.5k Bytes 147,543,618 Str-NTRU-prime KEM Encaps [pqm] NTRU Cortex-M4 11k Bytes 10,631,675 Str-NTRU-prime KEM Decaps [pqm] NTRU Cortex-M4 16k Bytes 30,641,200

  20. 11 September 2018 Frodo: Why should we take off the ring! The design philosophy of FrodoKEM [ABD + ] combines: Conservative yet practical post-quantum constructions. Security derived from cautious parameterizations of the well-studied learning with errors problem. Thus, close connections to conjectured-hard problems on generic, “algebraically unstructured” lattices. Parameter selection is far less constrained than vs ideal lattice schemes.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

245 views • 21 slides
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged OS kernel Windows Embedded 8.1 Windows Embedded 8 Converged app model Windows 10 Windows Embedded 8.1 Windows Embedded 8 Handheld Handheld

792 views • 29 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
The standard mode of DSQSS/DLA Standard mode files Input files of dla Simple mode file

The standard mode of DSQSS/DLA Standard mode files Input files of dla Simple mode file

The standard mode of DSQSS/DLA Standard mode files Input files of dla Simple mode file std.toml dla_latgen lattice.dat dla_alg lattice.xml dla result.dat lattice.toml algorithm.xml hamiltonian.toml wv.xml dla_hamgen dla_wvgen

616 views • 16 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for

A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for

A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for Standard-Missile Control Kelly L. Spicer Raytheon Missile Systems Missile Software Engineering Center Tucson, Arizona 520-663-7020

755 views • 38 slides
Page 1 Brief ARM History ARM=RISC, ColdFire=CISC? 1978 Acorn started Make

Page 1 Brief ARM History ARM=RISC, ColdFire=CISC? 1978 Acorn started Make

Ripped From The Headlines Last Time OpenBTS: A software-based GSM access point, allowing Embedded systems introduction standard GSM-compatible mobile phones to Definition of embedded system make telephone calls without

303 views • 7 slides
Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

slide 1 gaius Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a network packet or frame encapsulation refers to how the network interface uses packet switching hardware two machines

499 views • 27 slides
hadronic interaction and beyond standard model from lattice gauge theory Takeshi Yamazaki

hadronic interaction and beyond standard model from lattice gauge theory Takeshi Yamazaki

hadronic interaction and beyond standard model from lattice gauge theory Takeshi Yamazaki University of Tsukuba 2014 @ , July 28August 1, 2014 hadron interaction from lattice

969 views • 58 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

546 views • 9 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

751 views • 7 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

240 views • 7 slides
Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical University of Denmark, Cybercrypt SPHINCS SPHINCS Hash-based signature scheme Stateless 128-bit post-quantum security Sizes: Public

692 views • 55 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope operable, ble, plug-and plug and-play play, , distributed r distributed robotic obotic sys systems tems-of of-sys systems tems Robert Skilton

382 views • 19 slides
Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David Houngninou Southern Methodist University Table of content 1. Target device: MCBSTM32C 2. References 3. GPIO ports: registers and pins 4. Interfacing

585 views • 31 slides
Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial line (PAL) Quantitative assessment Neural canal width (NCW) Basion-axial interval (BAI) Basion Defined for our purposes as the most

334 views • 11 slides
Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural Networks Fully-connected layers im2col+GEMM algorithm for convolution 1x1 convolutional layers Android CPU Landscape Overview of CPU

449 views • 17 slides
uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1 , Byoungyoung Lee 1,2 , Yeongpil Cho 3 , Yunheung Paek 1 1 Seoul National University, 2 Purdue University, 3 Soongsil University, 4 Electronics and

875 views • 24 slides
Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image

Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image

Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image Representations Bin Yu Departments of Statistics and EECS University of California at Berkeley Rutgers University, May 2, 2014 Modeling Visual Cortex V4 in

861 views • 56 slides

More recommend