Thomas Pöppelmann
Hardware Security Group, Horst Görtz Institute for IT Security
05.06.2015
Implementing Lattice-Based Cryptography on Embedded Devices
Summer school on real-world crypto and privacy
Slide 2
Outline
- Motivation
- Ring-learning with errors (RLWE)
- Public-key encryption based on RLWE
- Area-optimized implementation
- High-performance implementation
Slide 4
Why Implementation of Lattices?
- Why focus on lattice-based cryptography?
  - We can get signatures and public key encryption out of lattices and also more (IBE, FHE)
  - A lot of development on theory side; schemes are getting better and better
  - Implementation of lattices is a young field; only done for 3-4 years now (except for NTRU)
Slide 5
Implementation
- Conditions that have to be met for implementation
  - Parameters, parameters, parameters
  - Security level should be known
- What are the goals?
  - Throughput, latency, and power/energy
  - Code size/area (drives costs)
  - Small key, ciphertext, and signature size
- Cross-disciplinary work and interaction between engineers and cryptographers required
- Parameter selection and design decisions can make schemes more efficient but also weaker
Slide 6
To be Ideal or not Ideal?
[Figure: two panels, "Random Lattices" and "Ideal Lattices"]
- Two important lines of research: random lattices and ideal lattices
- Big impact on implementation (theory not that much)
- Security for random lattices is better understood (ideal lattices are more structured)
- Implementation of random lattice signatures: High-speed signatures from standard lattices, Özgür Dagdelen, Rachid El Bansarkhani, Florian Göpfert, Tim Güneysu, Tobias Oder, Thomas Pöppelmann, Ana Helena Sánchez, Peter Schwabe, Latincrypt '14
Slide 8
Learning with Errors
- Solving of a system of linear equations
[Figure: linear system in matrix form, with the secret vector labelled]
- Blue is given; find (learn) red => solve linear system
- Use Gaussian elimination
(slides stolen from talk by Douglas Stebila at RWC15)
Slide 9
Learning with Errors
- Solving of a system of linear equations
[Figure: the same linear system with a noise vector added; labels: random, secret, small noise, looks random]
- Blue is given; find red => learning with errors
(slides stolen from talk by Douglas Stebila at RWC15)
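Added example (not from the slides or the cited talk): the two Learning with Errors slides above as runnable Python. Without noise, Gaussian elimination modulo a prime recovers the secret; with small noise the same elimination returns a wrong vector, while the true secret still leaves only small residuals. The modulus, matrix, secret and noise values are constructed for illustration, and all function names are hypothetical.

```python
Q = 13  # toy prime modulus (constructed; real parameters are far larger)

def mat_vec(A, x, q=Q):
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]

def lwe_samples(A, s, e, q=Q):
    """b = A*s + e mod q; an all-zero e gives the plain linear system."""
    return [(v + ei) % q for v, ei in zip(mat_vec(A, s, q), e)]

def solve_mod_q(A, b, q=Q):
    """Gauss-Jordan elimination over Z_q (q prime); the answer is read from the pivot rows."""
    n = len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((i for i in range(c, len(M)) if M[i][c] % q), None)
        if piv is None:
            raise ValueError("A does not have full column rank mod q")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)  # modular inverse, needs Python 3.8+
        M[c] = [(v * inv) % q for v in M[c]]
        for i in range(len(M)):
            if i != c and M[i][c] % q:
                f = M[i][c]
                M[i] = [(v - f * w) % q for v, w in zip(M[i], M[c])]
    return [M[i][n] for i in range(n)]

def centered_residual(A, b, x, q=Q):
    """b - A*x mod q, with each entry mapped to its representative closest to zero."""
    r = [(bi - v) % q for bi, v in zip(b, mat_vec(A, x, q))]
    return [v - q if v > q // 2 else v for v in r]

# Constructed sample data (not the values shown on the slides).
A = [[4, 1, 11], [5, 5, 9], [3, 9, 0], [1, 3, 3], [12, 7, 3], [6, 5, 11]]
SECRET = [6, 9, 11]
NOISE = [1, -1, 0, 1, 1, -1]  # small error on five of the six equations

def demo():
    clean = lwe_samples(A, SECRET, [0] * len(A))
    noisy = lwe_samples(A, SECRET, NOISE)
    return solve_mod_q(A, clean), solve_mod_q(A, noisy)

if __name__ == "__main__":
    exact, wrong = demo()
    noisy = lwe_samples(A, SECRET, NOISE)
    print("no noise  :", exact)
    print("with noise:", wrong, "residual:", centered_residual(A, noisy, wrong))
    print("true secret residual:", centered_residual(A, noisy, SECRET))
```

Because fewer than three equations are noise-free, every choice of three pivot rows contains at least one noisy equation, so elimination cannot land on the secret by luck.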
Slide 10
(Ring) Learning with Errors
- From learning with errors to ring-learning with errors
[Figure: structured matrix whose rows are derived from a single row]
- Only one line has to be stored
Slide 11
Ring Learning with Errors
[Figure: ring-LWE sample with labels: random, small secret (Gaussian), small error (Gaussian), random]
Slide 15
Discrete Gaussian Distribution
[Figure: example coefficient vectors labelled "Uniform" and "Gaussian"]
- Uniform * Gaussian = Uniform
- Gaussian * Gaussian = larger Gaussian
Slide 16
Gaussian Sampling: Options
- Rejection Sampling
- Bernoulli Sampling
- Knuth-Yao Sampling
- Cumulative Distribution Table (CDT) Sampling
[DG14] Efficient sampling from discrete Gaussians for lattice-based cryptography on a constrained device, Dwarakanath and Galbraith, Applicable Algebra in Engineering, Communication and Computing, 2014
[DDLL14] Lattice Signatures and Bimodal Gaussians, Léo Ducas and Alain Durmus and Tancrède Lepoint and Vadim Lyubashevsky, CRYPTO '13
Slide 18
Ring-LWE Encryption: Scheme [LP11/LPR10]
14. Aug. 2013
[Figure: block diagram of the scheme built from multiplications (x) and additions (+); operands labelled "large" and "small"]