SAFEcrypto: Secure Architectures of Future Emerging cryptography · 2016. 9. 30. · SAFEcrypto:...


SAFEcrypto: Secure Architectures of Future Emerging cryptography

Ciara Rafferty

Queen’s University Belfast

20 September 2016

This project has received funding from the European Union H2020 research and innovation programme under grant agreement No 644729 www.SAFEcrypto.eu @SAFEcrypto


www.safecrypto.eu | @safecrypto

Outline of Talk

• Project goal and main objectives

• SAFEcrypto Case Studies

- Satellite Communications

- Public Safety Communication

- Municipal Data Analytics

• Research output: LWE v ring-LWE

• Challenges for LBC Hardware/Software Implementations

• Summary of outcomes to date

• Conclusion & Future Work Plans


SAFEcrypto Project

• 4-year project - commenced in January 2015

• Academic partners

– Institut National de Recherche en Informatique et en Automatique (France)

– Queen’s University Belfast (UK)

– Ruhr-Universitaet Bochum (Germany)

– Universita Della Svizzera Italiana (Switzerland)

• Industry partners

– EMC/RSA

– HWCommunications Ltd

– Thales


Overall Goal

SAFEcrypto will provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications.


Quantum-Safe Cryptography

Lattice-based Cryptography (LBC) is emerging as a very promising PQ candidate

• LBC encryption and digital signatures are already practical & efficient

- NTRUEncrypt has existed since 1996 with no significant attacks to date

- Recent LBC signature schemes have been shown to outperform RSA signature schemes

• Underlying operations can be implemented efficiently

• Allows for other constructions/applications beyond encryption/signatures

- Identity-based encryption (IBE)

- Attribute-based encryption (ABE)

- Fully homomorphic encryption (FHE)


Summary of Objectives

1. Investigate practicality of LBC primitives (digital signatures, authentication, IBE and ABE) to determine their fit-for-purpose in real-world applications

2. Design and implement hardware & software architectures of LBC primitives that will fulfill the needs of a wide range of applications

3. Investigate the physical security of the LBC implementations to protect against leakage of sensitive information via side channel and fault attacks

4. Evaluate LBC in current secure comms. protocols, such as TLS, IPSec

5. Deliver proof-of-concept demonstrators of LBC primitives applied to 3 case-studies:

• Satellite Communications

• Public Safety Communication

• Municipal Data Analytics



Case Studies

1. Satellite Communications

Security and key management are vital within satellite systems.

• Currently:

- systems owned and operated by one organisation

- symmetric key crypto exclusively used

• In future:

- repurposing of satellites and sharing of infrastructure

- number of space-based entities, missions & number/variety of end users will increase

- public key cryptography will be used

• Given the longevity of satellite systems, public key solutions need to withstand attacks for 10-40 years

=> ideal case study for post-quantum cryptography


2. Public Safety Communications

• Traditionally public safety comms relied on the security of bespoke systems and closed networks.

• Future systems are seeking to use COTS technology.

- LTE identified as a potential network layer solution

- The browser application WebRTC may be used (uses the DTLS protocol)

• Public safety comms technology may not be refreshed for up to 30 years…

=> need to provide long-term security assurances, e.g. via post-quantum cryptography



3. Municipal data analytics

• Significant benefits possible through collaborative analytics of large government-owned data sets;

• Needs appropriate management of accessibility & privacy of the info

• Group key management a key requirement

Need for long-term protection of personal & sensitive info within data sets

SAFEcrypto will provide:

- LBC key management approaches to manage access to data through group keys, broadcast keys, etc.

- A practical lattice-based ABE scheme



Lattice-based Cryptography: Building Blocks

• Matrix-vector multiplication for standard lattices

• Polynomial multiplication for ideal lattices

• Discrete Gaussian sampling:

- Bernoulli sampling

- Cumulative Distribution Table (CDT) sampling

- Knuth-Yao sampling

- Ziggurat sampling

Recent work in SAFEcrypto proposes that the precision of Gaussian samplers (2^-λ for λ-bit security) can be reduced from λ = 128 to λ = 64 with negligible effect on security (Saarinen, Cryptology ePrint Archive, report 2015/953, 2015).
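As an added example (my code, not SAFEcrypto's and not from Saarinen's paper), a cumulative distribution table sampler for the discrete Gaussian with the slide's σ = 3.39, built at a precision of P = 64 or 128 bits; the tail cut |x| ≤ 40 and the full-table scan with no data-dependent early exit (the timing leak a naive CDT search has) are my assumptions. It shows what the precision parameter controls in an implementation, table storage and per-point rounding error, rather than the paper's security argument.

```python
# Added example, not SAFEcrypto project code: a CDT discrete Gaussian sampler at
# a chosen precision (2^-P entries, P = 64 or 128) with the slide's sigma = 3.39.
# The tail cut (|x| <= 40) and the full-table scan are my choices for the demo.
from decimal import Decimal, getcontext
from fractions import Fraction
import secrets

getcontext().prec = 80                      # ~265 bits: exact enough for P = 128

def gaussian_weights(sigma, tail):
    """rho(x) = exp(-x^2 / (2 sigma^2)) for x = -tail..tail, as Decimals."""
    s2 = 2 * Decimal(str(sigma)) ** 2
    return [(-Decimal(x * x) / s2).exp() for x in range(-tail, tail + 1)]

def build_cdt(sigma=3.39, tail=40, precision=64):
    """Cumulative table: entry i = round(2^P * Pr[X <= i - tail])."""
    w = gaussian_weights(sigma, tail)
    total, scale, acc, table = sum(w), Decimal(2 ** precision), Decimal(0), []
    for v in w:
        acc += v
        table.append(int((acc / total * scale).to_integral_value()))
    return table

def sample(table, tail, precision, randbits=secrets.randbits):
    """Return x with T[x-1] <= r < T[x] for a uniform P-bit r.  The scan always
    visits every entry, so its length does not depend on r or on the result."""
    r = randbits(precision)
    idx = 0
    for t in table:
        idx += (t <= r)                      # count entries below r; no early exit
    return idx - tail

def max_table_error(sigma=3.39, tail=40, precision=64):
    """Largest |Pr_table(x) - Pr_exact(x)|: rounding each CDF entry to the nearest
    multiple of 2^-P keeps every point probability within about 2^-P of ideal."""
    w = gaussian_weights(sigma, tail)
    table, total = build_cdt(sigma, tail, precision), sum(w)
    worst, prev = Fraction(0), 0
    for t, v in zip(table, w):
        p_table = Fraction(t - prev, 2 ** precision)
        worst = max(worst, abs(p_table - Fraction(v) / Fraction(total)))
        prev = t
    return worst

def precision_comparison():
    """The slide's precision point, numerically: table bytes and worst per-point
    error at P = 64 vs P = 128 (error ~2^-P, storage proportional to P)."""
    return {p: (p * len(build_cdt(precision=p)) // 8,
                float(max_table_error(precision=p))) for p in (64, 128)}
```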


Lattice-based Cryptography: LWE vs Ring-LWE

• Currently two popular lattice-based problems for cryptography are the Learning With Errors (LWE) problem and the Ring-LWE problem

Standard-LWE | Ring-LWE
Large key sizes required (size N^2) | Reduced key sizes can be used due to the ideal lattice assumption (size N)
Matrix-vector multiplications required | Reduces computations to polynomial multiplication, allowing use of fast NTT multiplication
Security is based on the LWE problem | Security is based on the LWE problem with an additional security assumption to use an ideal lattice structure
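The two arithmetic cores this comparison turns on, as an added example that is not SAFEcrypto project code: a standard-LWE matrix-vector product beside a Ring-LWE product in Z_q[x]/(x^n + 1), the latter computed both by schoolbook multiplication and via an NTT, with the results checked against each other. The parameters n = 256 and q = 7681 are my assumption for the demo (the NTT needs a prime q ≡ 1 mod 2n, which the slide's q values do not satisfy), as is the recursive NTT layout.

```python
# Added example, not SAFEcrypto project code: the arithmetic behind the
# Standard-LWE vs Ring-LWE comparison. Assumed demo parameters n = 256, q = 7681
# (q = 1 mod 2n, so a negacyclic NTT exists; the slide's q = 4096/4093 would not).
import random
N, Q = 256, 7681

def find_psi(n, q):
    """Return psi with psi^n = -1 (mod q), a primitive 2n-th root of unity."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi

def lwe_matvec(A, s, q):
    """Standard LWE: A*s mod q; A stores n*n elements and costs n*n multiplies."""
    return [sum(x * y for x, y in zip(row, s)) % q for row in A]

def schoolbook_negacyclic(a, b, q):
    """Ring-LWE: a*b in Z_q[x]/(x^n + 1), O(n^2) reference (x^n = -1 flips sign)."""
    n, c = len(a), [0] * len(a)
    for i in range(n):
        for j in range(n):
            c[(i + j) % n] += a[i] * b[j] if i + j < n else -a[i] * b[j]
    return [v % q for v in c]

def ntt(a, w, q):
    """Recursive radix-2 NTT: evaluate a(x) at w^0..w^(n-1), where w^n = 1."""
    n = len(a)
    if n == 1:
        return a[:]
    even, odd = ntt(a[0::2], w * w % q, q), ntt(a[1::2], w * w % q, q)
    out = [0] * n
    for k in range(n // 2):                       # butterfly: E[k] +/- w^k O[k]
        t = pow(w, k, q) * odd[k] % q
        out[k], out[k + n // 2] = (even[k] + t) % q, (even[k] - t) % q
    return out

def ntt_negacyclic(a, b, q, psi):
    """a*b mod (x^n + 1) in O(n log n): weight by psi^i, NTT, pointwise, invert."""
    n, omega = len(a), psi * psi % q
    a_hat = ntt([x * pow(psi, i, q) % q for i, x in enumerate(a)], omega, q)
    b_hat = ntt([x * pow(psi, i, q) % q for i, x in enumerate(b)], omega, q)
    c = ntt([x * y % q for x, y in zip(a_hat, b_hat)], pow(omega, -1, q), q)
    return [x * pow(n, -1, q) * pow(psi, -i, q) % q for i, x in enumerate(c)]

def compare(seed=1):
    rng, psi = random.Random(seed), find_psi(N, Q)
    rand_vec = lambda: [rng.randrange(Q) for _ in range(N)]
    a, s, A = rand_vec(), rand_vec(), [rand_vec() for _ in range(N)]
    ntt_ok = ntt_negacyclic(a, s, Q, psi) == schoolbook_negacyclic(a, s, Q)
    return ntt_ok, len(lwe_matvec(A, s, Q)), N * N, N   # key elements: n*n vs n
```

compare() returns whether the NTT and schoolbook products agree, the length of A*s, and the public-key element counts n*n (standard LWE) versus n (Ring-LWE) that the table's key-size row refers to.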


Hardware LBC Implementations: LWE vs Ring-LWE Encryption

Note: LWE has a higher number of multiplications and a x128 increase in key size

Operation and Algorithm | Device | LUT/FF/SLICE | BRAM/DSP | MHz | Cycles | Ops/s
LWE Encrypt (λ = 128) | S6LX45 | 6152/4804/1866 | 73/1 | 125 | 98304 | 1272
LWE Encrypt (λ = 64) | S6LX45 | 6078/4676/1811 | 73/1 | 125 | 98304 | 1272
LWE Decrypt | S6LX45 | 63/58/32 | 13/1 | 144 | 32768 | 4395
RLWE Encrypt (Pöppelmann & Güneysu (PG), 2014)* | S6LX16 | 4121/3513/- | 14/1 | 160 | 6861 | 23321
RLWE Decrypt (PG 2014)* | S6LX16 | 4121/3513/- | 14/1 | 160 | 4404 | 36331
RLWE Encrypt (PG 2014)* | V6LX75T | 4549/3624/1506 | 12/1 | 262 | 6861 | 38187
RLWE Decrypt (PG 2014)* | V6LX75T | 4549/3624/1506 | 12/1 | 262 | 4404 | 59492
RLWE Encrypt (PG 2014) | S6LX9 | 282/238/95 | 2/1 | 144 | 136212 | 1057
RLWE Decrypt (PG 2014) | S6LX9 | 94/87/32 | 1/1 | 189 | 66338 | 2849
RLWE Encrypt (Roy et al, 2014)* | V6LX75T | 1349/860/- | 2/1 | 313 | 6300 | 49751
RLWE Decrypt (Roy et al, 2014)* | V6LX75T | 1349/860/- | 2/1 | 313 | 2800 | 109890

Post place & route results of standard & ring LWE encryption and decryption, with parameter set (dim = 256, q = 4096, σ = 3.39), except *, where q = 4093. (Howe et al., DAC 2016)


Challenges for Practical LBC Implementations

• Need to be as efficient and versatile as classical Public Key systems, such as RSA and ECC

• Embedded devices are constrained

- No large memories

- Limited computational power

• Choice of parameters is crucial - long-term/QC-security

- Parameters tend to be larger than classic PK schemes

- Directly affects performance

- Scalability

• Choice of Gaussian Sampler

- Different choice for signatures Vs encryption

- Different choice for high speed Vs compact design


Challenges for Practical LBC Implementations (continued)

• Resistance to physical attacks, such as side channel and fault attacks

- Timing analysis (exploits the dependency between the execution time of an algorithm and its secret internal state)

- Power/EM analysis (exploits the dependency between the power/EM consumed by a device and the data it processes)

- Profiling (involves constructing an offline model by characterising a device similar to the target)

- Fault attacks (deliberate injection of a fault into a device to exploit the difference between correct and faulty output)

• Physical attacks demonstrated on AES, ECC, RSA

• Little research into the vulnerabilities of LBC implementations to physical attacks


Outcomes 2015-2016

• Deliverable 2.4: Overview of Related research projects

• Deliverable 3.1: Risk and Vulnerability assessment of LBC architectures

• Deliverable 4.1: Evaluation report of lattice-based digital signatures

• Deliverable 5.1: Evaluation report of efficiency of lattice-based constructions

• Deliverable 6.1: Software requirements specification

• Deliverable 7.1: State-of-the-Art in Physical side-channel attacks and resistant technologies

• Deliverable 8.1: Post-Quantum Cryptographic Key Management Assessment

• Deliverable 9.1: Case Study Specifications and Requirements

For more information and further documentation, see the website: www.safecrypto.eu/more-information/outcomes/


Conclusion

• Lattice-based cryptosystems are a promising Post-Quantum cryptography solution for long-term security applications

• LBC offers versatility in the range of cryptosystems it can support

• LBC Encryption & signatures now more practical than RSA-based schemes

• However, to be considered as a replacement for traditional PK cryptography, LBC must be verified to demonstrate it can meet the requirements of real world scenarios.


Future Plans

Summary of SAFEcrypto future work

• Investigate parameter trade-offs to illustrate integration of lattice-based encryption/signature primitives into actual systems

• Develop practical IBE/ABE constructions

• Design and implementation of physically secure HW/SW LBC schemes

• Develop proof of concept demonstrators for 3 case studies in Satellite Communications, Public Safety Communication & Municipal Data Analytics

• Assist with current global initiatives:

– ETSI QSC Industry Specification Group

– US NIST competition for Quantum-safe public-key candidates


Thank you for listening!

For more information: http://www.safecrypto.eu/


Publications

2015:

• J. Howe, T. Pöppelmann, M. O'Neill, E. O'Sullivan, T. Güneysu, "Practical Lattice-Based Digital Signature Schemes", ACM Transactions on Embedded Computing Systems, 2015

• T. Güneysu, V. Lyubashevsky, T. Pöppelmann, "Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware", IEEE Transactions on Computers, 2015

• V. Lyubashevsky, T. Prest, "Quadratic time, linear space algorithms for Gram-Schmidt orthogonalization and Gaussian sampling in structured lattices", EUROCRYPT 2015

• V. Lyubashevsky, D. Wichs, "Simple lattice trapdoor sampling from a broad class of distributions", Public Key Cryptography (PKC) 2015

• T. Pöppelmann, T. Oder, T. Güneysu, "High-Performance Ideal Lattice-Based Cryptography on ATxmega 8-Bit Microcontrollers", Latincrypt 2015

• M.-J. O. Saarinen, "Gaussian Sampling Precision in Lattice Cryptography", IACR ePrint 2015/953

2016:

• J. Buchmann, F. Göpfert, T. Güneysu, T. Oder, T. Pöppelmann, "High-Performance and Lightweight Lattice-Based Public-Key Encryption", 2nd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS '16)

• R. Del Pino, V. Lyubashevsky, D. Pointcheval, "The Whole is Less Than the Sum of its Parts: Constructing More Efficient Lattice-based AKEs", Security and Cryptography for Networks (SCN) 2016

• J. Howe, C. Moore, M. O'Neill, F. Regazzoni, T. Güneysu, K. Beeden, "Standard Lattices in Hardware", Proceedings of the 53rd Annual Design Automation Conference (DAC '16)

• M. O'Neill, F. Regazzoni, F. Valencia, T. Güneysu, T. Oder, A. Waller, G. Jones, A. Barnett, R. Griffin, A. Byrne, B. Ammar, E. O'Sullivan, D. Lund, G. McWilliams, M.-J. Saarinen, C. Moore, A. Khalid, J. Howe, R. del Pino, M. Abdalla, "Secure architectures of future emerging cryptography", Computing Frontiers (CF '16), invited paper

For more information and further documentation, see the website: www.safecrypto.eu/more-information/outcomes/