On Constrained Implementation of Lattice-Based Cryptographic Primitives and Schemes on Smart Cards

Boorghany, Ahmad; Sarmadi, Siavash Bayat; Jalili, Rasool

doi:10.1145/2700078

Cited by 39 publications

(57 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In Chapter 5 we discuss decryption errors and two hardware designs optimized for performance and area, respectively. Implementations of RLWEenc on the 8-bit ATxmega and ATmega family of microcontrollers have been proposed in [BSJ14,BJ14] and an implementation on a Cortex-M4F device is given in [dCRVV15] …”

Section: Related Workmentioning

confidence: 99%

“…However, a straightforward implementation using the C %-operator with a constant modulus is quite expensive and requires around 600 cycles in our own experiments due to the generic libc modular reduction (call __udivmodsi4). As a consequence, the software of the authors of [BSJ14] still consumes approx. Another approach is a subtract-and-shift algorithm which loads the shifted modulus as constant and the input into a temporary register.…”

Section: Combination Of Optimization Techniquesmentioning

confidence: 99%

“…11. A comparison between our implementation of BLISS-I and the implementations of [BSJ14] and [BJ14] is difficult since the authors implemented the signature as authentication protocol. Therefore, they only provide the runtime of a complete protocol run that corresponds to one signing operation and one verification in our results, but without the expensive hashing as the sparse polynomial c is not obtained from a random oracle but randomly generated by the other protocol party.…”

Section: Comparisonmentioning

confidence: 99%

“…However, our implementations of BLISS sign and BLISS verify still require less cycles than their implementation. The biggest improvement stems from the usage of the CDT using convolutions and Kullback-Leibler divergence (see Section 2.5.4) which is superior (1,140,600 cycles per poly-nomial) compared to the Bernoulli approach (13,151,929 cycles per polynomial [BSJ14]) and the straight-forward CDT approach used in [BJ14]. As our implementation of BLISS-I needs 18,802 bytes of flash memory, it is also smaller than the implementation of [BJ14] that requires 66.5 kB of flash memory and the implementation of [BSJ14] that needs 25.1 kB of flash memory.…”

Section: Comparisonmentioning

confidence: 99%

“…Many operations on small coefficients of size less than 16 bits can presumably be easier processed on an 8-bit architecture than the multiprecision arithmetic required for RSA and ECC. However, so far only few works like [BSJ14,BJ14] cover the implementation of lattice-based cryptography on constrained 8-bit architectures. It is also worth mentioning that current works dealing with high performance implementation of ideal lattice-based cryptography usually rely on the straightforward Cooley-Tukey (CT) radix-2 decimation-in-time (DIT) NTT algorithm (e.g., [PDG14a, BSJ14, RVM + 14, dCRVV15]).…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Efficient implementation of ideal lattice-based cryptography

Pöppelmann¹

2017

It - Information Technology

View full text Add to dashboard Cite

Digital signatures and public-key encryption are used to protect almost any secure communication channel on the Internet or between embedded devices. Currently, protocol designers and engineers usually rely on schemes that are either based on the factoring assumption (RSA) or on the hardness of the discrete logarithm problem (DSA/ECDSA). But in case of advances in classical cryptanalysis or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. In order to prepare for such an event, research on alternatives is required to provide long-term security.In this thesis, we focus on the efficient implementation of such alternative public-key cryptosystems whose security is based on the intractability of certain computational problems on ideal lattices. While an extensive theoretical background exists for lattice-based and ideal latticebased cryptography, not much is known about the efficiency of practical instantiations, especially on constrained and cost-sensitive platforms. We thus investigate novel algorithms and implementation techniques for fast and flexible polynomial multiplication and Gaussian sampling and then use these building blocks to implement public-key encryption and signature schemes. The results provided in this thesis show that lattice-based schemes can be optimized for high performance or resource efficiency on embedded microcontrollers and reconfigurable hardware. Our implementations of a public-key encryption scheme based on the ring learning with errors problems (RLWE) or of the bimodal lattice signature scheme (BLISS) can even outperform classical ECC-and RSA-based implementations.Lattice-based cryptography can also be used to realize homomorphic cryptography that allows computation on encrypted data. However, due to the large parameter sets and complex operations required, even for simple homomorphic evaluation operations, the performance of these schemes is a major issue preventing practical usage. In this thesis we investigate options for acceleration of homomorphic cryptography in a cloud environment using reconfigurable hardware. We implement all evaluation operations of the YASHE homomorphic encryption scheme and propose methods to deal with large ciphertext and key sizes as well as limited memory bandwidth. KeywordsPost-quantum cryptography, public-key cryptosystem, embedded system, microcontroller, FPGA KurzfassungDigitale Signaturen und Public-Key-Verschlüsselung werden für den Schutz nahezu jeder sicheren Kommunikation über das Internet oder zwischen eingebetteten Systemen genutzt. Die Sicherheit basiert dabei entweder auf der Faktorisierungsannahme (RSA) oder der Annahme, dass es schwer ist, das diskrete Logarithmus-Problem (DSA/ECDSA) zu lösen. Durch Fortschritte in der klassischen Kryptoanalyse oder bei der Entwicklung von Quantencomputern könnten diese Probleme allerdings in Zukunft ernsthaft geschwächt oder gelöst werden. Daher ist Forschung zu alternativen Public-Key-Kryptosystemen erforderlich, die in ...

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Combination Of Optimization Techniquesmentioning

confidence: 99%

Section: Comparisonmentioning

confidence: 99%

Section: Comparisonmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Efficient implementation of ideal lattice-based cryptography

Pöppelmann¹

2017

It - Information Technology

View full text Add to dashboard Cite

show abstract

A Survey of Software Implementations for the Number Theoretic Transform

Mert,

Yaman,

Karabulut

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Additively Homomorphic Ring-LWE Masking

Reparaz

Clercq

Roy

et al. 2016

Post-Quantum Cryptography

View full text Add to dashboard Cite

In this paper, we present a new masking scheme for ring-LWE decryption. Our scheme exploits the additively-homomorphic property of the existing ring-LWE encryption schemes and computes an additivemask as an encryption of a random message. Our solution differs in several aspects from the recent masked ring-LWE implementation by Reparaz et al. presented at CHES 2015; most notably we do not require a masked decoder but work with a conventional, unmasked decoder. As such, we can secure a ring-LWE implementation using additive masking with minimal changes. Our masking scheme is also very generic in the sense that it can be applied to other additively-homomorphic encryption schemes.

show abstract

On Constrained Implementation of Lattice-Based Cryptographic Primitives and Schemes on Smart Cards

Cited by 39 publications

References 29 publications

Efficient implementation of ideal lattice-based cryptography

Efficient implementation of ideal lattice-based cryptography

A Survey of Software Implementations for the Number Theoretic Transform

Additively Homomorphic Ring-LWE Masking

Contact Info

Product

Resources

About