SABER: Module-LWR based KEM. NIST PQC Round 2 presentation by J. P. D’Anvers, A. Karmakar, S. S. Roy and F. Vercauteren (KU Leuven), August 22, 2019.

SABER: Module-LWR based KEM - csrc.nist.gov · James Howe, Tobias Oder, Markus Krausz, and Tim G¨uneysu. Standard Lattice-Based Key Encapsulation on Embedded Devices. IACR Transactions

Page 1:

Round 2

SABER: Module-LWR based KEM

J. P. D’Anvers, A. Karmakar, S. S. Roy, F. Vercauteren, KU Leuven, August 22, 2019

Page 2:

Outline

1 Introduction

2 Round 2 changes

3 Implementations

4 Conclusion

1 SABER


Page 4:

1 General LWE based scheme

Alice: $\mathbf{A} \leftarrow U(\mathbb{Z}_q^{l \times l})$; $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(\mathbb{Z}_q^{l \times 1})$; $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$. Alice sends $\mathbf{b}, \mathbf{A}$ to Bob.

Bob: $\mathbf{s}', \mathbf{e}', \mathbf{e}'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{1 \times l})$; $\mathbf{b}'^T = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$; $v'^T = \mathbf{b}^T \cdot \mathbf{s}' + \mathbf{e}'' + \frac{q}{2} m$. Bob sends $\mathbf{b}', v'$ to Alice.

Alice: $v = \mathbf{b}' \cdot \mathbf{s}$; $m' = \left\lfloor \frac{2}{q} (v' - v) \right\rceil$.

Page 5:

1 SABER

Module:
• Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
• Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication

Page 6:

1 SABER

Alice: $\mathbf{A} \leftarrow U(R_q^{l \times l})$; $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(R_q^{l \times 1})$; $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$. Alice sends $\mathbf{b}, \mathbf{A}$ to Bob.

Bob: $\mathbf{s}', \mathbf{e}', \mathbf{e}'' \leftarrow \mathrm{small}(R_q^{1 \times l})$; $\mathbf{b}'^T = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$; $v'^T = \mathbf{b}^T \cdot \mathbf{s}' + \mathbf{e}'' + \frac{q}{2} m$. Bob sends $\mathbf{b}', v'$ to Alice.

Alice: $v = \mathbf{b}' \cdot \mathbf{s}$; $m' = \left\lfloor \frac{2}{q} (v' - v) \right\rceil$.

Page 7:

1 Module-LWR: SABER

Module:
• Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
• Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication

Learning with Rounding:
  ⊕ No generation of $\mathbf{e}, \mathbf{e}', \mathbf{e}''$
  ⊕ Efficient bandwidth usage

Page 8:

1 SABER

Alice: $\mathbf{A} \leftarrow U(R_q^{l \times l})$; $\mathbf{s} \leftarrow \mathrm{small}(R_q^{l \times 1})$; $\mathbf{b} = \left\lfloor \frac{p}{q} \mathbf{A} \cdot \mathbf{s} \right\rceil$. Alice sends $\mathbf{b}, \mathbf{A}$ to Bob.

Bob: $\mathbf{s}' \leftarrow \mathrm{small}(R_q^{1 \times l})$; $\mathbf{b}'^T = \left\lfloor \frac{p}{q} \mathbf{A}^T \cdot \mathbf{s}' \right\rceil$; $v'^T = \left\lfloor \frac{T}{p} \mathbf{b}^T \cdot \mathbf{s}' + \frac{T}{2} m \right\rceil$. Bob sends $\mathbf{b}', v'$ to Alice.

Alice: $v = \mathbf{b}' \cdot \mathbf{s}$; $m' = \left\lfloor \frac{2}{p} \left( \frac{p}{T} v' - v \right) \right\rceil$.

(The rounding to $R_p$ and $R_T$ replaces the explicit error terms $\mathbf{e}, \mathbf{e}', \mathbf{e}''$ of page 6; $v'$ lives in $R_T$ and is rescaled by $p/T$ before it is compared with $v \in R_p$.)

Page 9:

1 Module-LWR: SABER

Module:
• Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
• Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication

Learning with Rounding:
  ⊕ no generation of $\mathbf{e}, \mathbf{e}', \mathbf{e}''$
  ⊕ efficient bandwidth usage

Power-of-two moduli:
  ⊕ easy sampling
  ⊕ no modular arithmetic
  ⊕ easy rounding = add constant and chop
  ⊖ no NTT for fast multiplication
  ⊕ Toom-Cook
  ⊕ easier masking
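The multiplication trade-off of the last bullet group, as an added example written for this page (it is not code from the Saber submission): a power-of-two $q$ rules out the NTT, so the product in $R_q = \mathbb{Z}_q[X]/(X^{256}+1)$ is computed with a Karatsuba split, the 2-way member of the Toom-Cook family, over the integers, and reduced modulo $X^{256}+1$ and $2^{13}$ only at the end. A Kronecker-substitution multiply serves as an independent reference; the schoolbook cut-off of 16 coefficients is an arbitrary tuning choice.

```python
# Added example, not code from the Saber submission: negacyclic polynomial
# multiplication in Z_q[X]/(X^N + 1) with q = 2^13 and no NTT.
N = 256
Q = 1 << 13
BASE = 16          # schoolbook below this length (arbitrary tuning choice)


def karatsuba(a, b):
    """Integer coefficient product of two equal-length lists, length 2n-1.

    No modular reduction happens here: Toom-Cook style splitting works over
    the integers, which is why a power-of-two q is no obstacle.
    """
    n = len(a)
    if n <= BASE:
        res = [0] * (2 * n - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                res[i + j] += ai * bj
        return res
    h = n // 2
    a0, a1, b0, b1 = a[:h], a[h:], b[:h], b[h:]
    z0 = karatsuba(a0, b0)                                   # low half
    z2 = karatsuba(a1, b1)                                   # high half
    z1 = karatsuba([x + y for x, y in zip(a0, a1)],          # (a0+a1)(b0+b1)
                   [x + y for x, y in zip(b0, b1)])
    res = [0] * (2 * n - 1)
    for i in range(2 * h - 1):
        res[i] += z0[i]
        res[i + h] += z1[i] - z0[i] - z2[i]                  # middle term
        res[i + 2 * h] += z2[i]
    return res


def reduce_negacyclic(prod, n=N, mod=Q):
    """Fold a length 2n-1 integer product into Z_mod[X]/(X^n + 1) using X^n = -1."""
    res = [0] * n
    for k, c in enumerate(prod):
        if k < n:
            res[k] += c
        else:
            res[k - n] -= c
    return [c % mod for c in res]


def poly_mul_karatsuba(a, b):
    """a * b in R_q for two length-N lists with coefficients in [0, q)."""
    return reduce_negacyclic(karatsuba(a, b))


def poly_mul_kronecker(a, b):
    """Reference multiply: pack the coefficients into one big integer.

    A product coefficient is at most N * (q-1)^2 < 2^34, so 40-bit slots never carry.
    """
    w = 40
    big_a = sum(c << (w * i) for i, c in enumerate(a))
    big_b = sum(c << (w * i) for i, c in enumerate(b))
    big_c = big_a * big_b
    mask = (1 << w) - 1
    prod = [(big_c >> (w * k)) & mask for k in range(2 * N - 1)]
    return reduce_negacyclic(prod)


def cross_check(seed=1, trials=5):
    """Compare both multipliers on constructed random operands; True if they agree."""
    import random
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(N)]
        b = [rng.randrange(Q) for _ in range(N)]
        if poly_mul_karatsuba(a, b) != poly_mul_kronecker(a, b):
            return False
    return True


if __name__ == "__main__":
    print("karatsuba == kronecker:", cross_check())
```

Higher-order Toom-Cook splits (3-way, 4-way) add exact divisions by small constants in the interpolation step; they stay exact only because the interpolation is done over the integers before the final reduction modulo $2^{13}$, the same ordering as in the 2-way case above.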

Page 10:

1 SABER

Alice: $\mathbf{A} \leftarrow U(R_q^{l \times l})$; $\mathbf{s} \leftarrow \mathrm{small}(R_q^{l \times 1})$; $\mathbf{b} = (\mathbf{A} \cdot \mathbf{s} + \mathbf{h}) \gg \log_2(q/p)$. Alice sends $\mathbf{b}, \mathbf{A}$ to Bob.

Bob: $\mathbf{s}' \leftarrow \mathrm{small}(R_q^{1 \times l})$; $\mathbf{b}'^T = (\mathbf{A}^T \cdot \mathbf{s}' + \mathbf{h}) \gg \log_2(q/p)$; $v'^T = (\mathbf{b}^T \cdot \mathbf{s}' + h_1 + \frac{p}{2} m) \gg \log_2(p/T)$. Bob sends $\mathbf{b}', v'$ to Alice.

Alice: $v = \mathbf{b}' \cdot \mathbf{s}$; $m' = \left\lfloor \frac{2}{p} \left( \frac{p}{T} v' - v \right) \right\rceil$.

(With $q$, $p$ and $T$ powers of two, rounding to the nearest multiple is the addition of a constant $\mathbf{h}$ or $h_1$ equal to half the chopped range, followed by a right shift. This is the form the implementations use.)
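The scheme of pages 4 to 10 carried through as a runnable round trip, added here for this corpus page (it is not the Saber reference code): Saber-KEM parameters from page 13 ($l = 3$, $q = 2^{13}$, $p = 2^{10}$, $T = 2^4$, 8-coin centered binomial secrets), $\mathbf{A}$ expanded from a 32-byte seed, rounding done as "add constant and chop", and no error terms sampled anywhere. The choice of SHAKE-128 as the XOF, the byte encodings, and the plain decoding constant $h_2 = p/4$ are assumptions of this example; the byte sizes it reports (992 for the public key, 1088 for the ciphertext) are the ones page 13 lists.

```python
# Added example, not the Saber reference implementation: Module-LWR public-key
# encryption as on pages 4-10 with the Saber parameters of page 13. Assumptions
# the slides do not fix: SHAKE-128 as XOF, 16-bit words masked to 13 bits for A,
# one byte of 8 coins per secret coefficient, decoding constant h2 = p/4.
import hashlib

N = 256
EQ, EP, ET = 13, 10, 4                 # q = 2^13, p = 2^10, T = 2^4
Q, P, T = 1 << EQ, 1 << EP, 1 << ET
L = 3                                  # module rank (Saber-KEM)
SEED_BYTES = 32
H = 1 << (EQ - EP - 1)                 # rounding constant q -> p (add constant, chop)
H1 = 1 << (EP - ET - 1)                # rounding constant p -> T
H2 = 1 << (EP - 2)                     # decoding constant: round (2/p)*x to one bit


def xof(seed, nbytes):
    return hashlib.shake_128(seed).digest(nbytes)


def poly_mul(a, b, mod):
    """Schoolbook product in Z_mod[X]/(X^N + 1); X^N wraps to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % mod for c in res]


def gen_matrix(seed):
    """A <- U(R_q^{L x L}). q is a power of two, so masking a 16-bit word to
    13 bits is already uniform: no rejection sampling needed."""
    buf = xof(seed, L * L * N * 2)
    coeffs = [int.from_bytes(buf[2 * i:2 * i + 2], "little") & (Q - 1)
              for i in range(L * L * N)]
    return [[coeffs[(r * L + c) * N:(r * L + c + 1) * N] for c in range(L)]
            for r in range(L)]


def sample_small(seed):
    """s <- small(R_q^{L x 1}): centered binomial, 8 coins -> [-4, 4]."""
    buf = xof(seed, L * N)
    def cbd(byte):
        return bin(byte & 0x0F).count("1") - bin(byte >> 4).count("1")
    return [[cbd(buf[v * N + i]) for i in range(N)] for v in range(L)]


def inner(u, v, mod):
    """Inner product of two length-L vectors of polynomials, result in R_mod."""
    acc = [0] * N
    for c in range(L):
        acc = [(x + y) % mod for x, y in zip(acc, poly_mul(u[c], v[c], mod))]
    return acc


def mat_vec(A, s, transpose=False):
    """A . s (or A^T . s) in R_q^{L x 1}."""
    rows = [[A[c][r] if transpose else A[r][c] for c in range(L)] for r in range(L)]
    return [inner(row, s, Q) for row in rows]


def round_shift(poly, const, shift, mod):
    """Rounding = add constant, chop low bits: (x + const) >> shift, reduced mod `mod`."""
    return [((x + const) >> shift) % mod for x in poly]


def keygen(seed_a, seed_s):
    A = gen_matrix(seed_a)
    s = sample_small(seed_s)
    b = [round_shift(row, H, EQ - EP, P) for row in mat_vec(A, s)]   # (A.s + h) >> log2(q/p)
    return (seed_a, b), s


def encrypt(pk, msg, seed_r):
    """msg is 32 bytes (256 bits, one per coefficient). Returns (b', v')."""
    seed_a, b = pk
    A = gen_matrix(seed_a)
    sp = sample_small(seed_r)
    bp = [round_shift(row, H, EQ - EP, P) for row in mat_vec(A, sp, transpose=True)]
    bits = [(msg[i // 8] >> (i % 8)) & 1 for i in range(N)]
    v = inner(b, sp, P)                                              # b^T . s' in R_p
    vp = round_shift([x + (P // 2) * m for x, m in zip(v, bits)], H1, EP - ET, T)
    return bp, vp


def decrypt(ct, s):
    bp, vp = ct
    v = inner(bp, s, P)                                              # b'^T . s in R_p
    # m' = round((2/p) ((p/T) v' - v)): rescale v' to R_p, add h2, keep the top bit
    bits = [((((P // T) * y - x + H2) % P) >> (EP - 1)) for x, y in zip(v, vp)]
    out = bytearray(N // 8)
    for i, bit in enumerate(bits):
        out[i // 8] |= bit << (i % 8)
    return bytes(out)


def sizes():
    """Public key (seed + b in R_p^L) and ciphertext (b' in R_p^L, v' in R_T), in bytes."""
    return SEED_BYTES + L * N * EP // 8, L * N * EP // 8 + N * ET // 8
```

Decryption recovers the bit because $\frac{p}{T} v' - v = \frac{p}{2} m + (\mathbf{b}\cdot\mathbf{s}' - \mathbf{b}'\cdot\mathbf{s}) + (h_1 - r)$ with $r$ the chopped remainder in $[0, p/T)$; the middle term is a sum of products of rounding errors of size at most $1/2$ with binomial secrets, which stays far below $p/4$ for these parameters, so adding $h_2 = p/4$ and keeping the top bit decodes correctly.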

Page 11:

1 SABER

Binomial secret distribution:
  ⊕ easy sampling

No error correcting code:
  ⊕ simpler implementation
  ⊕ easier masking


Page 13:

1 SABER - parameters

• $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
• Public key / ciphertext in $R_p$ and $R_T$ with $p = 2^{10}$ and $T = 2^4$
• Centered binomial distribution with 8 coins (coefficients in $[-4, 4]$)
• IND-CCA secure KEM version using the FO transformation
• Public key: 992 bytes
• Ciphertext: 1088 bytes
• Failure probability: $2^{-136}$
• Security: 185 bits


Page 16:

1 SABER

All three parameter sets use n = 256, q = 2^13 and p = 2^10.

Scheme          k  T    µ   Sec Cat  fail prob  Classical  Quantum  pk (B)  sk (B)  ciphertext (B)
LightSaber-KEM  2  2^3  10  1        2^-120     126        115      672     1568    736
Saber-KEM       3  2^4  8   3        2^-136     199        181      992     2304    1088
FireSaber-KEM   4  2^6  6   5        2^-165     270        246      1312    3040    1472

Table: Security and correctness of Saber.KEM. "Classical" and "Quantum" are estimated security levels in bits; "Sec Cat" is the NIST security category.


Page 18:

2 Changes for Round 2

• Generation of matrix $\mathbf{A}$
  • multiplication with $\mathbf{A}$ and $\mathbf{A}^T$
  • just-in-time generation possible for $\mathbf{A}$
  • speed-up preferred in encryption


Page 20:

2 Serial vs parallel generation of A

Software:
  • Keccak-Absorb() is more expensive than Keccak-Extract()
  • Hence, serial SHAKE is faster on non-vectorized microcontrollers
  • But slower on Intel AVX

Hardware:
  • Keccak core consumes 33% of overall area [BPC19] (including memory)
  • Keccak-Extract produces randomness (RND) every 28 cycles
  • The polynomial multiplier consumes RND much more slowly than Keccak can produce it
  • Serial Keccak makes the implementation simpler


Page 22:

2 Changes for Round 2

• Generation of matrix $\mathbf{A}$
• Rounding = add constant + chopping; one of the constants changed for the security proof
• (Debated) smaller secret variance, e.g. a ternary binomial distribution: would reduce public key and ciphertext size by roughly 10%, but judged too aggressive


Page 26:

3 Software Implementations

• Haswell AVX2 (KU Leuven, Belgium [DKRV18])
  • IND-CCA encapsulation/decapsulation: 122K / 120K cycles
• ARM Cortex-M (KU Leuven, Belgium [KMRV18])
  • Cortex-M4 (speed): encapsulation/decapsulation 1444 / 1543 K cycles
  • Cortex-M4 (speed/memory): encapsulation/decapsulation 1530 / 1635 K cycles, 7019 / 8115 bytes memory
  • Cortex-M0 (memory): encapsulation/decapsulation 6328 / 7509 K cycles, 5119 / 6215 bytes memory


Page 28:

3 Hardware Implementations I

• High-speed HW (University of Birmingham, UK)
  • Instruction-set coprocessor architecture with all SABER components in HW
  • Generic HDL code: suitable for ASIC and FPGA implementation
  • IND-CPA encryption/decryption = 6 / 1.6 K cycles
  • IND-CCA encapsulation/decapsulation ≈ 7 / 8.5 K cycles
• Lightweight HW/SW codesign (KU Leuven, Belgium)
  • Encapsulation/decapsulation require ≈ 4.2 ms
• High-speed HW/SW codesign (George Mason University, USA / Military University of Technology, Poland [HOKG18])
  • Encapsulation/decapsulation require ≈ 0.069 ms


Page 31:

3 Hardware Implementations II

• ASIC implementation (Tsinghua University, China)
  • Still in development
  • Polynomial multiplication
  • Area: 220626 µm² (307193 GE)
  • Max frequency: 400 MHz
  • Power: 4.34 mW

Page 32:

3 Masking

• First-order masking can be achieved by arithmetic masking in the polynomial multiplication and Boolean masking for decoding.
• Saber uses a power-of-two modulus, so the two masking methods can be combined with Debraize's arithmetic-to-Boolean conversion [Deb12].
• Time with masking roughly doubles.
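The combination described on this slide, as an added example written for this page rather than code from the Saber team: first-order masked decoding of one ciphertext coefficient with $p = 2^{10}$ and $T = 2^4$. The value $v = \mathbf{b}'\cdot\mathbf{s}$ arrives as two arithmetic shares, because multiplication by the public $\mathbf{b}'$ is linear in the shares of $\mathbf{s}$ (the shares are constructed directly here instead of by a masked multiplication). The affine part of the decoder is applied to one share, both shares are converted to Boolean masking, and the message bit is then a shift of each share. The arithmetic-to-Boolean step uses Goubin's algorithm, assumed here in place of the table-based Debraize conversion [Deb12] the slide cites; both serve the same role, and both rely on the power-of-two modulus.

```python
# Added example, not from the Saber team: first-order masked decoding of one
# coefficient, p = 2^10, T = 2^4. Arithmetic-to-Boolean conversion is Goubin's
# method (an assumption; the slide cites Debraize's table-based conversion).
import random

EP, ET = 10, 4
P, T = 1 << EP, 1 << ET
MASK = P - 1
H1 = 1 << (EP - ET - 1)       # encryption rounding constant
H2 = 1 << (EP - 2)            # decoding constant


def a2b_goubin(a, r, k=EP):
    """Given x = a + r mod 2^k, return x' such that x = x' ^ r.

    Goubin's conversion (CHES 2001): the carry chain of a + r is built from
    masked AND/XOR steps with a fresh random g, so x never appears in the clear.
    """
    mask = (1 << k) - 1
    g = random.SystemRandom().randrange(1 << k)
    t = (g << 1) & mask
    x = g ^ r
    omega = g & x
    x = t ^ a
    g = g ^ x
    g = g & r
    omega ^= g
    g = t & a
    omega ^= g
    for _ in range(k - 1):
        g = t & r
        g ^= omega
        t = t & a
        g ^= t
        t = (g << 1) & mask
    return x ^ t


def encode_bit(v, m):
    """Encryption side, unmasked: v' = (v + h1 + (p/2) m) >> log2(p/T), with v = b^T.s'."""
    return ((v + H1 + (P // 2) * m) >> (EP - ET)) & (T - 1)


def decode_plain(vp, v):
    """Reference decoding: top bit of (p/T) v' - v + h2 mod p."""
    return (((P // T) * vp - v + H2) & MASK) >> (EP - 1)


def decode_masked(vp, v1, v2):
    """Boolean shares (m1, m2) of the message bit from arithmetic shares v1 + v2 = v mod p."""
    x1 = ((P // T) * vp - v1 + H2) & MASK     # affine part goes to one share only
    x2 = (-v2) & MASK                         # x1 + x2 = (p/T) v' - v + h2 mod p
    y1 = a2b_goubin(x1, x2)                   # now x1 + x2 = y1 ^ x2
    return y1 >> (EP - 1), x2 >> (EP - 1)     # bit-select commutes with XOR


def check(trials=2000, seed=7):
    """Cross-check masked against plain decoding on constructed random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, r = rng.randrange(P), rng.randrange(P)
        if (a2b_goubin(a, r) ^ r) != ((a + r) & MASK):
            return False
        v, m = rng.randrange(P), rng.randrange(2)
        vp = encode_bit(v, m)
        v1 = rng.randrange(P)
        m1, m2 = decode_masked(vp, v1, (v - v1) & MASK)
        if (m1 ^ m2) != m or decode_plain(vp, v) != m:
            return False
    return True


if __name__ == "__main__":
    print("masked decode matches plain decode:", check())
```

Nothing in the decoder depends on a prime modulus: the subtraction, the constant and the shift all act modulo $2^{10}$, which is exactly what lets an arithmetic-to-Boolean conversion designed for $2^k$ be used without any extra reduction step.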


Page 34:

4 Conclusion

SABER is:
• Flexible
• Simple
• Efficient
• More work in the pipeline


Page 38:

4 References I

[BPC19] Utsav Banerjee, Abhishek Pathak, and Anantha P. Chandrakasan. An Energy-Efficient Configurable Lattice Cryptography Processor for the Quantum-Secure Internet of Things. In IEEE International Solid-State Circuits Conference, pages 46–48, 2019.

[Deb12] Blandine Debraize. Efficient and provably secure methods for switching from arithmetic to boolean masking. In Cryptographic Hardware and Embedded Systems – CHES 2012, volume 7428 of LNCS, 2012.

[DKRV18] Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren. Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM. In AFRICACRYPT 2018, pages 282–305, 2018.

Page 39:

4 References II

[HOKG18] James Howe, Tobias Oder, Markus Krausz, and Tim Güneysu. Standard Lattice-Based Key Encapsulation on Embedded Devices. IACR Transactions on Cryptographic Hardware and Embedded Systems, volume 2018, August 2018.

[KMRV18] Angshuman Karmakar, Jose Maria Bermudo Mera, Sujoy Sinha Roy, and Ingrid Verbauwhede. Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM. IACR Transactions on Cryptographic Hardware and Embedded Systems, volume 2018, August 2018.

Page 40:

4 Questions?