SABER: Module-LWR based KEM - csrc.nist.gov · James Howe, Tobias Oder, Markus Krausz, and Tim...
Round 2
SABER: Module-LWR based KEM
J. P. D'Anvers, A. Karmakar, S. S. Roy, F. Vercauteren
KU Leuven
August 22, 2019
Outline
1 Introduction
2 Round 2 changes
3 Implementations
4 Conclusion
1 SABER
1 Introduction
General LWE based scheme

Alice:
  $\mathbf{A} \leftarrow U(\mathbb{Z}_q^{l \times l})$
  $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(\mathbb{Z}_q^{l \times 1})$
  $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $\mathbf{s}', \mathbf{e}', e'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{1 \times l})$
  $\mathbf{b}'^T = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$
  $v'^T = \mathbf{b}^T \cdot \mathbf{s}' + e'' + \frac{q}{2} m$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}' \cdot \mathbf{s}$
  $m' = \left\lfloor \frac{2}{q}(v' - v) \right\rceil$
SABER
- Module:
  • Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
  • Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication
SABER (Module-LWE form)

Alice:
  $\mathbf{A} \leftarrow U(R_q^{l \times l})$
  $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(R_q^{l \times 1})$
  $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $\mathbf{s}', \mathbf{e}', e'' \leftarrow \mathrm{small}(R_q^{1 \times l})$
  $\mathbf{b}'^T = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$
  $v'^T = \mathbf{b}^T \cdot \mathbf{s}' + e'' + \frac{q}{2} m$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}' \cdot \mathbf{s}$
  $m' = \left\lfloor \frac{2}{q}(v' - v) \right\rceil$
Module-LWR: SABER
- Module:
  • Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
  • Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication
- Learning with Rounding
  ⊕ No generation of $\mathbf{e}, \mathbf{e}', e''$
  ⊕ Efficient bandwidth usage
SABER (Module-LWR form)

Alice:
  $\mathbf{A} \leftarrow U(R_q^{l \times l})$
  $\mathbf{s} \leftarrow \mathrm{small}(R_q^{l \times 1})$
  $\mathbf{b} = \left\lfloor \frac{p}{q} \mathbf{A} \cdot \mathbf{s} \right\rceil$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $\mathbf{s}' \leftarrow \mathrm{small}(R_q^{1 \times l})$
  $\mathbf{b}'^T = \left\lfloor \frac{p}{q} \mathbf{A}^T \cdot \mathbf{s}' \right\rceil$
  $v'^T = \left\lfloor \frac{T}{p} \mathbf{b}^T \cdot \mathbf{s}' + \frac{T}{2} m \right\rceil$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}' \cdot \mathbf{s}$
  $m' = \left\lfloor \frac{2}{p}\left(v' - \frac{p}{T} v\right) \right\rceil$
Module-LWR: SABER
- Module:
  • Polynomial ring $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
  • Rank of module 2, 3, 4 depending on security level
  ⊕ Flexibility: only one polynomial multiplication
- Learning with Rounding
  ⊕ no generation of $\mathbf{e}, \mathbf{e}', e''$
  ⊕ efficient bandwidth usage
- Power-of-two moduli
  ⊕ easy sampling
  ⊕ no modular arithmetic
  ⊕ easy rounding = add constant and chop
  ⊖ no NTT for fast multiplication
  ⊕ Toom-Cook
  ⊕ easier masking
SABER (Round 2: rounding as add constant and chop)

Alice:
  $\mathbf{A} \leftarrow U(R_q^{l \times l})$
  $\mathbf{s} \leftarrow \mathrm{small}(R_q^{l \times 1})$
  $\mathbf{b} = (\mathbf{A} \cdot \mathbf{s} + \mathbf{h}) \gg \log_2(q/p)$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $\mathbf{s}' \leftarrow \mathrm{small}(R_q^{1 \times l})$
  $\mathbf{b}'^T = (\mathbf{A}^T \cdot \mathbf{s}' + \mathbf{h}) \gg \log_2(q/p)$
  $v'^T = (\mathbf{b}^T \cdot \mathbf{s}' + h_1 + \frac{p}{2} m) \gg \log_2(p/T)$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}' \cdot \mathbf{s}$
  $m' = \left\lfloor \frac{2}{p}\left(v' - \frac{p}{T} v\right) \right\rceil$
SABER
- Binomial secret distribution
  ⊕ easy sampling
- No error correcting code
  ⊕ simpler implementation
  ⊕ easier masking
SABER - parameters
- $R_q = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{13}$
- Public key / ciphertext in $R_p$ and $R_T$ with $p = 2^{10}$ and $T = 2^4$
- Centered binomial distribution with 8 coins ($[-4, 4]$)
- IND-CCA secure KEM version using the FO transformation
- Public key: 992 bytes
- Ciphertext: 1088 bytes
- Failure probability: $2^{-136}$
- Security: 185 bits
SABER

Table: Security and correctness of Saber.KEM.

Parameter set                                                              Sec Cat  Fail prob  Classical  Quantum  pk (B)  sk (B)  Ciphertext (B)
LightSaber-KEM: k = 2, n = 256, q = 2^13, p = 2^10, T = 2^3, mu = 10       1        2^-120     126        115      672     1568    736
Saber-KEM:      k = 3, n = 256, q = 2^13, p = 2^10, T = 2^4, mu = 8        3        2^-136     199        181      992     2304    1088
FireSaber-KEM:  k = 4, n = 256, q = 2^13, p = 2^10, T = 2^6, mu = 6        5        2^-165     270        246      1312    3040    1472
2 Round 2 changes
Changes for Round 2
- Generation of matrix A
  • multiplication with A and A^T
  • just-in-time generation possible for A
  • speed-up preferred in encryption
Serial vs parallel generation of A
- Software
  • Keccak-Absorb() is more expensive than Keccak-Extract()
  • Hence, serial SHAKE is faster on non-vectorized microcontrollers
  • But slower on Intel AVX
- Hardware
  • Keccak core consumes 33% of overall area [BPC19] (including memory)
  • Keccak-Extract produces RND every 28 cycles
  • Polynomial multiplier consumes RND much slower than Keccak can produce
  • Serial Keccak makes the implementation simpler
Changes for Round 2
- Generation of matrix A
- Rounding = add constant + chopping
  • one of the constants changed for the security proof
- (Debated) smaller secret variance
  • e.g. trinary binomial distribution
  • would reduce public key and ciphertext size by ±10%
  • too aggressive
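Worked example for the Module-LWR scheme slides and the "add constant + chopping" rounding above. This is an added toy implementation, not the slides' own code or the Saber reference implementation: a Module-LWR PKE in Python with the Saber-KEM parameters from the table (n = 256, rank 3, q = 2^13, p = 2^10, T = 2^4, 8-coin centered binomial) in which every rounding is an add-constant-and-shift. Two assumptions: the constants are plain round-to-nearest offsets (half of the dropped range), not necessarily the specification's exact h, h_1 values, and the matrix A is drawn straight from the RNG rather than expanded from a seed with SHAKE.

```python
import random

N, L, EQ, EP, ET, MU = 256, 3, 13, 10, 4, 8  # Saber-KEM: n, rank, log2 q, log2 p, log2 T, coins
Q, P, T = 1 << EQ, 1 << EP, 1 << ET
def poly_mul(a, b, mod):
    """Schoolbook product in Z_mod[X]/(X^N + 1); X^N wraps around as -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            out[k % N] += ai * bj if k < N else -ai * bj
    return [c % mod for c in out]
def vec_dot(u, v, mod):
    """Inner product of two length-L vectors of polynomials."""
    acc = [0] * N
    for ui, vi in zip(u, v):
        acc = [(x + y) % mod for x, y in zip(acc, poly_mul(ui, vi, mod))]
    return acc
def round_shift(poly, from_bits, to_bits):
    """LWR rounding as on the slides: add a constant (half the dropped range), then chop."""
    sh = from_bits - to_bits
    return [((c + (1 << (sh - 1))) % (1 << from_bits)) >> sh for c in poly]
def small_poly(rng):
    """Centered binomial secret with MU coins: coefficients in [-MU/2, MU/2]."""
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(MU // 2)) for _ in range(N)]
def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(L)]  # assumed: A drawn directly, not from a seed
    s = [small_poly(rng) for _ in range(L)]
    b = [round_shift(vec_dot(row, s, Q), EQ, EP) for row in A]  # b = (A*s + h) >> log2(q/p)
    return (A, b), s
def encrypt(pk, m_bits, rng):
    A, b = pk
    s2 = [small_poly(rng) for _ in range(L)]
    AT = [[A[i][j] for i in range(L)] for j in range(L)]
    b2 = [round_shift(vec_dot(row, s2, Q), EQ, EP) for row in AT]  # b' = (A^T*s' + h) >> log2(q/p)
    v2 = vec_dot(b, s2, P)                                           # v' = b^T*s' in R_p
    return b2, round_shift([(x + (P // 2) * mb) % P for x, mb in zip(v2, m_bits)], EP, ET)
def decrypt(sk, ct):
    b2, c = ct
    v = vec_dot(b2, sk, P)                                           # v = b'*s in R_p
    # m' = round((2/p)(v - (p/T)*c)): add p/4, reduce mod p, chop the low log2(p/2) bits
    return [((vi - (P // T) * ci + P // 4) % P) >> (EP - 1) for vi, ci in zip(v, c)]

def demo(seed=2019):
    """Keygen, encrypt and decrypt a random 256-bit message; returns (m, m') for comparison."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = [rng.getrandbits(1) for _ in range(N)]
    return m, decrypt(sk, encrypt(pk, m, rng))
```

The rounding noise of both sides lands far below the p/4 decoding margin with these parameters, which is why the slides can quote a 2^-136 failure probability; with schoolbook multiplication the whole round trip takes about a second in CPython.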
3 Implementations
Software Implementations
- Haswell AVX2 (KU Leuven, Belgium [DKRV18])
  • IND-CCA encapsulation/decapsulation: 122K / 120K cycles
- ARM Cortex-M (KU Leuven, Belgium [KMRV18])
  • Cortex-M4 (Speed)
    - encapsulation/decapsulation: 1444 / 1543 K cycles
  • Cortex-M4 (Speed / Memory)
    - encapsulation/decapsulation: 1530 / 1635 K cycles
    - encapsulation/decapsulation: 7019 / 8115 bytes memory
  • Cortex-M0 (Memory)
    - encapsulation/decapsulation: 6328 / 7509 K cycles
    - encapsulation/decapsulation: 5119 / 6215 bytes memory
Hardware Implementations I
- High-speed HW (University of Birmingham, UK)
  • Instruction-set coprocessor architecture with all SABER components in HW
  • Generic HDL code: suitable for ASIC and FPGA implementation
  • IND-CPA encryption/decryption: 6 / 1.6 K cycles
  • IND-CCA encapsulation/decapsulation: ≈ 7 / 8.5 K cycles
- Lightweight HW/SW codesign (KU Leuven, Belgium)
  • Encapsulation/decapsulation require ≈ 4.2 ms
- High-speed HW/SW codesign (George Mason University, USA / Military University of Technology, Poland [HOKG18])
  • Encapsulation/decapsulation require ≈ 0.069 ms
Hardware Implementations II
- ASIC implementation (Tsinghua University, China)
  • Still in development
  • Polynomial multiplication
  • Area: 220626 µm² (307193 GE)
  • Max frequency: 400 MHz
  • Power: 4.34 mW
Masking
- First-order masking can be achieved by arithmetic masking in the polynomial multiplication and Boolean masking for decoding.
- Saber uses a power-of-two modulus
- Thus the masking methods can be combined by Debraize's arithmetic-to-Boolean conversion [Deb12]
- Time with masking roughly doubles.
4 Conclusion
Conclusion
SABER is:
- Flexible
- Simple
- Efficient
- More work in the pipeline
References I
[BPC19] Utsav Banerjee, Abhishek Pathak, and Anantha P. Chandrakasan. An Energy-Efficient Configurable Lattice Cryptography Processor for the Quantum-Secure Internet of Things. In IEEE International Solid-State Circuits Conference, pages 46–48, 2019.
[Deb12] Blandine Debraize. Efficient and provably secure methods for switching from arithmetic to boolean masking. In Cryptographic Hardware and Embedded Systems – CHES 2012, volume 7428 of LNCS, 2012.
[DKRV18] Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren. Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM. In AFRICACRYPT 2018, pages 282–305, 2018.
References II
[HOKG18] James Howe, Tobias Oder, Markus Krausz, and Tim Güneysu. Standard Lattice-Based Key Encapsulation on Embedded Devices. IACR Transactions on Cryptographic Hardware and Embedded Systems, volume 2018, August 2018.
[KMRV18] Angshuman Karmakar, Jose Maria Bermudo Mera, Sujoy Sinha Roy, and Ingrid Verbauwhede. Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM. IACR Transactions on Cryptographic Hardware and Embedded Systems, volume 2018, August 2018.
Questions?