Low-cost and area-efficient FPGA implementations of lattice-based cryptography

Aysu, Aydın; Patterson, Cameron; Schaumont, Patrick

doi:10.1109/hst.2013.6581570

Cited by 72 publications

(52 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, this approach leads to so called "bubbles" during the inverse transformation as not enough memory ports are available to feed the two inputs and to write back the two outputs of the butterfly and thus every second cycle the PE is unused. As a consequence, the implementation proposed in [APS13] requires 2n(log 2 (n)) + 7n cycles 7 which is more than the ≈ 3 2 (n log n) + 5.5n of our implementation for common choices of n. As an example, for n = 512 the implementation of Aysu et al needs 11,264 cycles while our work requires ≈ 9,728 cycles.…”

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 84%

“…The design consists of an NTT multiplier with access to a register file and offers instructions for storing, loading, adding, and sampling of polynomials from a Gaussian distribution. The proposed multiplier design builds on top of the work by Aysu et al [APS13]. The most important improvement is a technique to remove the bottleneck when accessing the BRAM holding polynomial coefficients where two coefficients are stored pairwise in one memory address.…”

Section: Polynomial Multiplier By Chen Et Al [Cmvmentioning

confidence: 99%

“…Polynomial Multiplier by Aysu et al [APS13]. A polynomial multiplier supporting a variable n but fixed q = 2 16 + 1 = 65537 for simple modular reduction (see Section 4.3.1) was proposed by Aysu et al in [APS13].…”

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 99%

“…A polynomial multiplier supporting a variable n but fixed q = 2 16 + 1 = 65537 for simple modular reduction (see Section 4.3.1) was proposed by Aysu et al in [APS13]. Their implementation is a pure polynomial multiplier designed to compute c = ab ∈ Z q [x]/ x n + 1 and does not target a specific scheme or parameter set.…”

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 99%

See 3 more Smart Citations

Efficient implementation of ideal lattice-based cryptography

Pöppelmann¹

2017

It - Information Technology

View full text Add to dashboard Cite

Digital signatures and public-key encryption are used to protect almost any secure communication channel on the Internet or between embedded devices. Currently, protocol designers and engineers usually rely on schemes that are either based on the factoring assumption (RSA) or on the hardness of the discrete logarithm problem (DSA/ECDSA). But in case of advances in classical cryptanalysis or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. In order to prepare for such an event, research on alternatives is required to provide long-term security.In this thesis, we focus on the efficient implementation of such alternative public-key cryptosystems whose security is based on the intractability of certain computational problems on ideal lattices. While an extensive theoretical background exists for lattice-based and ideal latticebased cryptography, not much is known about the efficiency of practical instantiations, especially on constrained and cost-sensitive platforms. We thus investigate novel algorithms and implementation techniques for fast and flexible polynomial multiplication and Gaussian sampling and then use these building blocks to implement public-key encryption and signature schemes. The results provided in this thesis show that lattice-based schemes can be optimized for high performance or resource efficiency on embedded microcontrollers and reconfigurable hardware. Our implementations of a public-key encryption scheme based on the ring learning with errors problems (RLWE) or of the bimodal lattice signature scheme (BLISS) can even outperform classical ECC-and RSA-based implementations.Lattice-based cryptography can also be used to realize homomorphic cryptography that allows computation on encrypted data. However, due to the large parameter sets and complex operations required, even for simple homomorphic evaluation operations, the performance of these schemes is a major issue preventing practical usage. In this thesis we investigate options for acceleration of homomorphic cryptography in a cloud environment using reconfigurable hardware. We implement all evaluation operations of the YASHE homomorphic encryption scheme and propose methods to deal with large ciphertext and key sizes as well as limited memory bandwidth. KeywordsPost-quantum cryptography, public-key cryptosystem, embedded system, microcontroller, FPGA KurzfassungDigitale Signaturen und Public-Key-Verschlüsselung werden für den Schutz nahezu jeder sicheren Kommunikation über das Internet oder zwischen eingebetteten Systemen genutzt. Die Sicherheit basiert dabei entweder auf der Faktorisierungsannahme (RSA) oder der Annahme, dass es schwer ist, das diskrete Logarithmus-Problem (DSA/ECDSA) zu lösen. Durch Fortschritte in der klassischen Kryptoanalyse oder bei der Entwicklung von Quantencomputern könnten diese Probleme allerdings in Zukunft ernsthaft geschwächt oder gelöst werden. Daher ist Forschung zu alternativen Public-Key-Kryptosystemen erforderlich, die in ...

show abstract

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 84%

Section: Polynomial Multiplier By Chen Et Al [Cmvmentioning

confidence: 99%

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 99%

Section: Review Of Follow-up Work On Polynomial Multiplicationmentioning

confidence: 99%

See 2 more Smart Citations

Efficient implementation of ideal lattice-based cryptography

Pöppelmann¹

2017

It - Information Technology

View full text Add to dashboard Cite

show abstract

“…The evaluation representation, also referred to as polynomial Chinese Remainder Transform (CRT) representation [57], computes the values of polynomial a(x) at all primitivem-th roots of unity modulo q, i.e., b i = a(ζ i ) mod q for i ∈ (Z/mZ) * . These cyclotomic rings support fast polynomial multiplication by transforming the polynomials from coefficient to evaluation representation in O(n log n) time using Fermat Theoretic Transform (FTT) [58] and component-wise multiplication. Lattice sampling works with n-dimensional discrete Gaussian distributions over lattice Λ ⊂ R n denoted as D Λ,c,σ , where c ∈ R n is the center and σ is the distribution parameter.…”

Section: B Cyclotomic Ringsmentioning

confidence: 99%

Implementing Conjunction Obfuscation Under Entropic Ring LWE

Cousins

Crescenzo

Gür

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Abstract-We address the practicality challenges of secure program obfuscation by implementing, optimizing, and experimentally assessing an approach to securely obfuscate conjunction programs proposed in [1]. Conjunction programs evaluate functions f (x1, . . . , xL) = i∈I yi, where yi is either xi or ¬xi and I ⊆ [L], and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable.Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment. Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 53 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors.

show abstract

Elliptic‐curve cryptography for wireless sensor network nodes without hardware multiplier support

Gulen

Baktır

2016

Security Comm Networks

View full text Add to dashboard Cite

With its relatively small key size, elliptic‐curve cryptography (ECC) is considered as the public‐key cryptographic algorithm of choice for wireless sensor networks (WSNs). In this work, we implemented ECC in the frequency domain, that is, by using the number theoretic transform, and without using hardware multiplier support, on the constrained MSP430 microcontroller widely used in WSNs. Our 169‐bit ECC implementation uses Edwards curves and performs scalar point multiplication in only 1.97 and 0.98 s for multiplication of random and fixed points, respectively. Unlike many implementations in literature, our implementation does not use hardware multiplier support, which makes it desirable for low‐power applications on constrained WSN platforms. To our knowledge, this study presents the first ever software implementation of ECC in the frequency domain on a constrained low‐power microcontroller without hardware multiplier support. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Low-cost and area-efficient FPGA implementations of lattice-based cryptography

Cited by 72 publications

References 4 publications

Efficient implementation of ideal lattice-based cryptography

Efficient implementation of ideal lattice-based cryptography

Implementing Conjunction Obfuscation Under Entropic Ring LWE

Elliptic‐curve cryptography for wireless sensor network nodes without hardware multiplier support

Contact Info

Product

Resources

About