14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany


Agenda

• Introduction
• Ring-LWE Encryption
• Lattice Processor
• Results
• Conclusion


Motivation

• Advantages of lattices:
  – Post-quantum security
  – Security proofs
  – Versatility
• Goal of this work:
  – Provide a simple and reusable hardware building block
    • Starting point to solve more advanced implementation problems
    • Make source code available
  – Deal with aspects important in practice
    • Ciphertext expansion
    • Error rate


Recap: Ideal Lattices

• Ideal lattices correspond to ideals in the ring with being a power of two and being a prime such that (*)
  – Introduces algebraic structure into previously random lattices – no serious advantage for attackers so far
  – Most standard lattice problems have an ideal lattice counterpart
• Polynomial multiplication is the basic operation
  – Runtime ) when using the number theoretic transform (NTT)
  – with
• Ring-LWE problem requires to distinguish whether samples are with or uniformly random
  – Decisional problem as hard as search
  – is a small discrete Gaussian distribution


(*) Other choices are also possible but this one has emerged as standard for security and efficiency.


LWE-Encryption

Gen: Choose , . Compute

Enc(): Ciphertext:

Dec(): Output

[Figure: block diagram of key generation, encryption and decryption. Surviving labels: a, p, D_σ, m, encode, c1, c2, r1, decode.]

[LP11] Richard Lindner, Chris Peikert: Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA 2011


LWE-Encryption

• Parameters: 128-bit CPA security (=256,=7681,=11.32)
  – Approx. 1600 bit secret key
  – 3328 bit public key
  – Message expansion factor 26
• Encoding/Decoding: Small noise still present after decryption
  – One message bit is encoded into one coefficient of the polynomial ( q/2)
  – May fail with low probability
• Optimization
  – Use different encoding
  – Remove some LSBs of ciphertext coefficients
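Added example (not from the slides or the authors' VHDL): a Python model of the ring variant of the [LP11] scheme at n=256, q=7681, with the threshold encoding (a 1 bit maps to ⌊q/2⌋) and a bounded inverse-transform Gaussian sampler, so the small residual decoding error can be measured. The slide's formulas did not survive extraction, so the equations are the scheme as published; reading 11.32 as the Gaussian parameter s (σ = s/√(2π)), the tail bound of 48 and the use of Python's non-cryptographic `random` are assumptions of this example.

```python
import bisect, math, random

N, Q = 256, 7681                          # parameters from the slides
SIGMA = 11.32 / math.sqrt(2 * math.pi)    # assumption: 11.32 is s, sigma = s/sqrt(2*pi)
TAIL = 48                                 # assumption: sampler bounded at +-TAIL
CDF, acc = [], 0.0                        # cumulative table for inverse transform sampling
for x in range(-TAIL, TAIL + 1):
    acc += math.exp(-x * x / (2 * SIGMA ** 2))
    CDF.append(acc)

def sample_poly(rng):
    """N bounded discrete Gaussian coefficients mod Q (rng is NOT a CSPRNG here)."""
    return [(bisect.bisect_right(CDF, rng.random() * CDF[-1]) - TAIL) % Q
            for _ in range(N)]

def mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1); hardware would use the NTT."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] += ai * bj
            else:
                c[i + j - N] -= ai * bj      # x^N = -1
    return [v % Q for v in c]

def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def encode(bits): return [b * (Q // 2) for b in bits]
def decode(poly): return [int(Q // 4 < c < 3 * Q // 4) for c in poly]

def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]
    r1, r2 = sample_poly(rng), sample_poly(rng)
    return (a, sub(r1, mul(a, r2))), r2      # public (a, p = r1 - a*r2), secret r2

def encrypt(pk, bits, rng):
    a, p = pk
    e1, e2, e3 = (sample_poly(rng) for _ in range(3))
    return add(mul(a, e1), e2), add(add(mul(p, e1), e3), encode(bits))

def decrypt(r2, ct):
    return decode(add(mul(ct[0], r2), ct[1]))  # c1*r2 + c2 = encode(m) + small noise

def roundtrip_errors(seed):
    """Bit errors after one encrypt/decrypt of a random N-bit message."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    msg = [rng.randrange(2) for _ in range(N)]
    return sum(x != y for x, y in zip(msg, decrypt(sk, encrypt(pk, msg, rng))))
```

A coefficient decodes wrongly once the accumulated noise exceeds q/4, which is why `roundtrip_errors` is usually 0 but is not guaranteed to be.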


Reconfigurable Hardware (FPGA)

• Field Programmable Gate Array (FPGA)
  – A chip containing programmable logic blocks
  – Logic blocks are connected by a configurable interconnect
  – Limited number of dedicated "hard-cores" like block memory or embedded multipliers (DSPs) are available
• Hardware is inherently parallel
  – Time vs. area


The Challenge

• Ring-LWE encryption and also other schemes (e.g., signature schemes) basically just require polynomial arithmetic
  – So far results are only available for polynomial multiplication
  – Temporary values have to be stored
  – Operations for addition and subtraction are necessary
  – An easy interface is required

Solution: Build a lattice processor/micro-code engine


Lattice Processor

• Supports any power of two and prime satisfying
• Configurable amount of registers (register = polynomial)
• Discrete Gaussian sampler using the inverse transform method
• Instruction set (simplified):
  – NTT: Perform NTT on register ( cycles)
  – PW_MUL: Point-wise multiplication of two polynomials ( cycles)
  – INTT: Perform inverse NTT on register ( cycles)
  – ADD: Add two polynomials ( cycles)
  – SUB: Subtract two polynomials ( cycles)
  – MOV: Transfer polynomial or obtain polynomial from the sampler
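Added example, not taken from the authors' VHDL: a Python model of the NTT, PW_MUL, INTT, ADD and SUB instructions for n=256, q=7681, showing that the sequence NTT, NTT, PW_MUL, INTT yields a product in Z_q[x]/(x^n+1). The root search, the recursive transform and the helper name `ring_mul` are choices of this example; cycle counts and the register file are not modelled.

```python
N, Q = 256, 7681          # Q = 1 (mod 2N), so a primitive 2N-th root of unity exists

def find_psi():
    """Return psi with psi^N = -1 mod Q, i.e. a primitive 2N-th root of unity."""
    for g in range(2, Q):
        psi = pow(g, (Q - 1) // (2 * N), Q)
        if pow(psi, N, Q) == Q - 1:
            return psi

PSI = find_psi()
OMEGA = PSI * PSI % Q                      # primitive N-th root of unity
PSI_INV, OMEGA_INV, N_INV = (pow(v, Q - 2, Q) for v in (PSI, OMEGA, N))

def transform(a, w):
    """Radix-2 Cooley-Tukey: out[k] = sum_j a[j] * w^(j*k) mod Q."""
    n = len(a)
    if n == 1:
        return list(a)
    even, odd = transform(a[0::2], w * w % Q), transform(a[1::2], w * w % Q)
    out, t = [0] * n, 1
    for k in range(n // 2):
        out[k] = (even[k] + t * odd[k]) % Q
        out[k + n // 2] = (even[k] - t * odd[k]) % Q
        t = t * w % Q
    return out

def NTT(a):
    """Forward NTT with psi^i pre-scaling, which makes products wrap mod x^N + 1."""
    return transform([x * pow(PSI, i, Q) % Q for i, x in enumerate(a)], OMEGA)

def INTT(a):
    """Inverse NTT, then undo the scaling with N^-1 * psi^-i."""
    out = transform(a, OMEGA_INV)
    return [x * N_INV * pow(PSI_INV, i, Q) % Q for i, x in enumerate(out)]

def PW_MUL(a, b): return [x * y % Q for x, y in zip(a, b)]
def ADD(a, b):    return [(x + y) % Q for x, y in zip(a, b)]
def SUB(a, b):    return [(x - y) % Q for x, y in zip(a, b)]

def ring_mul(a, b):
    """a*b in Z_Q[x]/(x^N + 1) as the instruction sequence NTT, NTT, PW_MUL, INTT."""
    return INTT(PW_MUL(NTT(a), NTT(b)))
```

Operands that are reused, such as key material, only need their forward NTT computed once; each further product then costs one PW_MUL in the transformed domain.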


Optimizing Encryption

Encryption: 1. 2. NTT () 3. 4. 5. 6.

Key Generation: 1. , . Compute 2. = NTT (), = NTT (),

Note: Straightforward version would require at least two multiplications: 3+6n


Results

• Implemented encryption scheme on Spartan-6 and Virtex-6 for medium security (n=256,q=7681) and high security (n=512, q=12289)

• Core supports encryption, decryption and key generation

• Gaussian sampler is bounded with relatively low precision


Performance and Resources

Post-place-and-route performance on a Virtex-6 LX75T FPGA.


Comparison with Previous Work

• Compared to previous implementation by Göttert et al. from CHES 2012
  – Three times slower
  – Up to 60 times lower area
• While speed is important, the design has to fit onto a reasonably sized FPGA
  – Hardware allows parallel placement to make up for lower speed
• Higher flexibility with one general purpose core (Gen/Enc/Dec)


[Göttert et al.] Norman Göttert, Thomas Feller, Michael Schneider, Johannes Buchmann, Sorin A. Huss: On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes. CHES 2012


Comparison with Other Schemes


Future Work and Conclusion

Conclusion
• Flexible building block for a large number of applications in ideal lattice-based cryptography
• Source code (VHDL) of the encryption scheme/lattice processor available for evaluation at http://www.sha.rub.de/research/projects/lattice/

Future Work
• Side-channel evaluation
• Bimodal Lattice Signature Scheme (BLISS), Crypto 2013
• Performance and resource optimization
• Implementation and acceleration of high-level constructions like homomorphic encryption or IBE


Thank You for Your Attention! Any Questions?