14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
Feb 24, 2016
Agenda
• Introduction
• Ring-LWE Encryption
• Lattice Processor
• Results
• Conclusion
Motivation
• Advantages of lattices:
  – Post-quantum security
  – Security proofs
  – Versatility
• Goal of this work:
  – Provide a simple and reusable hardware building block
    • Starting point to solve more advanced implementation problems
    • Make source code available
  – Deal with aspects important in practice
    • Ciphertext expansion
    • Error rate
Recap: Ideal Lattices
• Ideal lattices correspond to ideals in the ring with being a power of two and being a prime such that (*)
  – Introduces algebraic structure into previously random lattices – no serious advantage for attackers so far
  – Most standard lattice problems have an ideal lattice counterpart
• Polynomial multiplication is the basic operation
  – Runtime ) when using the number theoretic transform (NTT)
  – with
• Ring-LWE problem requires to distinguish whether samples are with or uniformly random
  – Decisional problem as hard as search
  – is a small discrete Gaussian distribution
(*) Other choices are also possible but this one has emerged as standard for security and efficiency.
LWE-Encryption
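Gen: Choose , . Compute
Enc(): Ciphertext:
Dec(): Output
[Figure: data flow of Gen, Enc and Dec, showing a, p, noise terms drawn from D_σ, multiplications and additions, encode(m), the ciphertext c1, c2, and decryption from c1, c2 and r1 through decode to m]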
[LP11] Richard Lindner, Chris Peikert: Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA 2011
LWE-Encryption
• Parameters: 128-bit CPA security (=256,=7681,=11.32)
  – Approx. 1600 bit secret key
  – 3328 bit public key
  – Message expansion factor 26
• Encoding/Decoding: Small noise still present after decryption
  – One message bit is encoded into one coefficient of the polynomial ( q/2)
  – May fail with low probability
• Optimization
  – Use different encoding
  – Remove some LSBs of ciphertext coefficients
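Added example, not taken from the slides or the authors' VHDL: a Python sketch of Ring-LWE encryption in the style of [LP11] over Z_q[x]/(x^n + 1), built from the same operations the lattice processor in this deck exposes (NTT, PW_MUL, INTT, ADD, SUB). The formulas on the slides did not survive extraction, so the key relation p = e - a*s, all function and variable names, the value of SIGMA and the seeded non-cryptographic RNG are assumptions of this sketch.

```python
import random
N, Q = 256, 7681   # medium-security parameter set named on the slides
SIGMA = 3.0        # assumed noise width for this sketch, not the slides' value
# primitive 2N-th root of unity mod Q (PSI^N == -1), needed to reduce mod x^N + 1
PSI = next(p for p in (pow(x, (Q - 1) // (2 * N), Q) for x in range(2, Q))
           if pow(p, N, Q) == Q - 1)

def ntt(a, w):
    """Recursive radix-2 NTT of a, with w a root of unity of order len(a)."""
    n = len(a)
    if n == 1:
        return a[:]
    even, odd = ntt(a[0::2], w * w % Q), ntt(a[1::2], w * w % Q)
    out, t = [0] * n, 1
    for i in range(n // 2):
        out[i] = (even[i] + t * odd[i]) % Q
        out[i + n // 2] = (even[i] - t * odd[i]) % Q
        t = t * w % Q
    return out

def mul(a, b):
    """Product in Z_Q[x]/(x^N + 1): twist by PSI^i, NTT, PW_MUL, INTT, untwist."""
    w, twist = PSI * PSI % Q, [pow(PSI, i, Q) for i in range(N)]
    fa, fb = (ntt([x * t % Q for x, t in zip(v, twist)], w) for v in (a, b))
    c = ntt([x * y % Q for x, y in zip(fa, fb)], pow(w, -1, Q))
    return [x * pow(N * t, -1, Q) % Q for x, t in zip(c, twist)]

def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def noise(rng): return [round(rng.gauss(0, SIGMA)) for _ in range(N)]

def keygen(rng):
    a, e, s = [rng.randrange(Q) for _ in range(N)], noise(rng), noise(rng)
    return (a, sub(e, mul(a, s))), s      # public (a, p = e - a*s), secret s

def encrypt(pk, bits, rng):
    (a, p), e1, e2, e3 = pk, noise(rng), noise(rng), noise(rng)
    m = [b * (Q // 2) for b in bits]      # encode: one bit per coefficient
    return add(mul(a, e1), e2), add(add(mul(p, e1), e3), m)

def decrypt(s, ct):
    v = add(mul(ct[0], s), ct[1])         # = encode(m) + e*e1 + e2*s + e3
    return [1 if Q // 4 <= x < 3 * Q // 4 else 0 for x in v]

def bit_errors(seed=1):
    rng = random.Random(seed)             # seeded, non-cryptographic: demo only
    pk, s = keygen(rng)
    bits = [rng.randrange(2) for _ in range(N)]
    return sum(x != y for x, y in zip(bits, decrypt(s, encrypt(pk, bits, rng))))
```

A ciphertext here is two polynomials of N coefficients, 13 bits each for Q = 7681, carrying N message bits, which accounts for the expansion factor of 26 quoted above. Decryption succeeds only while every coefficient of the residual noise stays below q/4 in magnitude, which is the source of the low failure probability the slide mentions.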
Reconfigurable Hardware (FPGA)
• Field Programmable Gate Array (FPGA)
  – A chip containing programmable logic blocks
  – Logic blocks are connected by a configurable interconnect
  – Limited number of dedicated "hard-cores" like block memory or embedded multipliers (DSPs) are available
• Hardware is inherently parallel
  – Time vs. area
The Challenge
• Ring-LWE encryption and also other schemes (e.g., signature schemes) basically just require polynomial arithmetic
  – So far results are only available for polynomial multiplication
  – Temporary values have to be stored
  – Operations for addition and subtraction are necessary
  – An easy interface is required
Solution: Build a lattice processor/micro-code engine
Lattice Processor
• Supports any power of two and prime satisfying
• Configurable amount of registers (register = polynomial)
• Discrete Gaussian sampler using the inverse transform method
• Instruction set (simplified):
  – NTT: Perform NTT on register ( cycles)
  – PW_MUL: Point-wise multiplication of two polynomials ( cycles)
  – INTT: Perform inverse NTT on register ( cycles)
  – ADD: Add two polynomials ( cycles)
  – SUB: Subtract two polynomials ( cycles)
  – MOV: Transfer polynomial or obtain polynomial from the sampler
Optimizing Encryption
Key Generation: 1. , . Compute 2. = NTT (), = NTT (),
Encryption: 1. 2. NTT () 3. 4. 5. 6.
Note: Straightforward version would require at least two multiplications: 3+6n
Results
• Implemented encryption scheme on Spartan-6 and Virtex-6 for medium security (n=256,q=7681) and high security (n=512, q=12289)
• Core supports encryption, decryption and key generation
• Gaussian sampler is bounded with relatively low precision
Performance and Resources
Post-place-and-route performance on a Virtex-6 LX75T FPGA.
Comparison with Previous Work
• Compared to previous implementation by Göttert et al. from CHES 2012
  – Three times slower
  – Up to 60 times lower area
• While speed is important, the design has to fit onto a reasonably sized FPGA
  – Hardware allows parallel placement to make up for lower speed
• Higher flexibility with one general purpose core (Gen/Enc/Dec)
[Göttert et al.] Norman Göttert, Thomas Feller, Michael Schneider, Johannes Buchmann, Sorin A. Huss: On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes. CHES 2012
Comparison with Other Schemes
Future Work and Conclusion
Conclusion
• Flexible building block for a large number of applications in ideal lattice-based cryptography
• Source code (VHDL) of the encryption scheme/lattice processor available for evaluation at http://www.sha.rub.de/research/projects/lattice/

Future Work
• Side-channel evaluation
• Bimodal Lattice Signature Scheme (BLISS), Crypto 2013
• Performance and resource optimization
• Implementation and acceleration of high-level constructions like homomorphic encryption or IBE
Thank You for Your Attention! Any Questions?