Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware
SAC 2013, Burnaby, Canada
14. Aug
Thomas Pöppelmann and Tim Güneysu
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
Agenda
– Introduction
– Ring-LWE Encryption
– Lattice Processor
– Results
– Conclusion
Motivation
Advantages of lattices:
– Post-quantum security
– Security proofs
– Versatility
Goal of this work:
– Provide a simple and reusable hardware building block
  – Starting point to solve more advanced implementation problems
  – Make source code available
– Deal with aspects important in practice
  – Ciphertext expansion
  – Error rate
Recap: Ideal Lattices
(*) Other choices are also possible but this one has emerged as standard for security and efficiency.
LWE-Encryption
[LP11] Richard Lindner, Chris Peikert: Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA
Reconfigurable Hardware (FPGA)
Field Programmable Gate Array (FPGA)
– A chip containing programmable logic blocks
– Logic blocks are connected by a configurable interconnect
– Limited number of dedicated "hard-cores" like block memory or embedded multipliers (DSPs) are available
Hardware is inherently parallel
– Time vs. area
The Challenge
Ring-LWE encryption and also other schemes (e.g., signature schemes) basically just require polynomial arithmetic
– So far results are only available for polynomial multiplication
– Temporary values have to be stored
– Operations for addition and subtraction are necessary
– An easy interface is required
Solution: Build a lattice processor/micro-code engine
Lattice Processor
Optimizing Encryption
Results
Implemented encryption scheme on Spartan-6 and Virtex-6 for medium security (n=256, q=7681) and high security (n=512, q=12289)
Core supports encryption, decryption and key generation
Gaussian sampler is bounded with relatively low precision
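A software reference model of the polynomial arithmetic (multiply, add, subtract) that Ring-LWE key generation, encryption and decryption need, using the medium-security n and q above. This is an added example, not the authors' VHDL: the ring Z_q[x]/(x^n+1), the [LP11]-style layout of the three operations, the value of SIGMA and the rounded-Gaussian sampler are assumptions made for illustration.

```python
import random

N, Q = 256, 7681   # medium-security parameters from the slides
SIGMA = 4.5        # assumed error width, not a value stated on the slides

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1): x^N wraps around as -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % Q for c in res]

def sample_error(rng):
    # Rounded continuous Gaussian: a software stand-in for a hardware sampler.
    return [round(rng.gauss(0, SIGMA)) % Q for _ in range(N)]

def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]
    r1, r2 = sample_error(rng), sample_error(rng)
    return (a, poly_sub(r1, poly_mul(a, r2))), r2   # pk = (a, p), sk = r2

def encrypt(pk, bits, rng):
    a, p = pk
    e1, e2, e3 = (sample_error(rng) for _ in range(3))
    encoded = [b * (Q // 2) for b in bits]          # bit 1 -> Q/2, bit 0 -> 0
    c1 = poly_add(poly_mul(a, e1), e2)
    c2 = poly_add(poly_add(poly_mul(p, e1), e3), encoded)
    return c1, c2

def decrypt(sk, ct):
    c1, c2 = ct
    noisy = poly_add(poly_mul(c1, sk), c2)          # = encoded + e2*r2 + r1*e1 + e3
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in noisy]

def bit_errors(seed=2013):
    rng = random.Random(seed)   # reproducible demo RNG, not a CSPRNG
    pk, sk = keygen(rng)
    msg = [rng.getrandbits(1) for _ in range(N)]    # constructed sample message
    out = decrypt(sk, encrypt(pk, msg, rng))
    return sum(m != o for m, o in zip(msg, out))
```

Decryption is only correct while the accumulated noise term stays below Q/4 in every coefficient, so `bit_errors` can occasionally be non-zero; this is the error rate the Motivation slide lists as a practical concern.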
Performance and Resources
Post-place-and-route performance on a Virtex-6 LX75T FPGA.
Comparison with Previous Work
Compared to previous implementation by Göttert et al. from CHES 2012
– Three times slower
– Up to 60 times lower area
While speed is important, the design has to fit onto a reasonably sized FPGA
– Hardware allows parallel placement to make up for lower speed
Higher flexibility with one general purpose core (Gen/Enc/Dec)
[Göttert et al.] Norman Göttert, Thomas Feller, Michael Schneider, Johannes Buchmann, Sorin A. Huss: On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes. CHES
Comparison with Other Schemes
Future Work and Conclusion
Conclusion
– Flexible building block for a large number of applications in ideal lattice-based cryptography
– Source code (VHDL) of the encryption scheme/lattice processor available for evaluation at
Future Work
– Side-channel evaluation
– Bimodal Lattice Signature Scheme (BLISS), Crypto 2013
– Performance and resource optimization
– Implementation and acceleration of high-level constructions like homomorphic encryption or IBE