
Verification of an Optimized NTT Algorithm

  • Conference paper
  • Software Verification (NSV 2020, VSTTE 2020)

Abstract

The Number Theoretic Transform (NTT) is an efficient algorithm for computing products of polynomials with coefficients in finite fields. It is a common procedure in lattice-based key-exchange and signature schemes. These new cryptographic algorithms are becoming increasingly important because they are quantum resistant. No quantum algorithm is known to break these lattice-based algorithms, unlike older schemes such as RSA or elliptic curve cryptosystems.

Many implementations and optimizations of the NTT have been proposed in the literature. A particularly efficient variant is due to Longa and Naehrig. We have implemented several of these variants, including an improved version of the Longa and Naehrig algorithm. An important concern is to show that numerical overflows do not happen in such algorithms. We report on several attempts at automatically verifying the absence of overflows using static analysis tools. Off-the-shelf tools fail on the NTT code. We present a specialized abstract-interpretation method to solve the problem.
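The following added example (written for this page; it is not code from the paper or from the SRI-CSL/NTT repository) puts the two ideas of the abstract side by side: a toy cyclic NTT used to multiply polynomials modulo x^n - 1, and the overflow question that deferred reduction raises. It uses q = 12289 (the NewHope/BLISS modulus) with a constructed size n = 8 rather than the 512 or 1024 of the real schemes. The "lazy" variant is a simplified stand-in for the Longa-Naehrig style of skipping reductions, not their algorithm, and the interval bound it computes is the kind of invariant a static analysis has to establish before the 32-bit product in the lazy butterfly can be declared safe.

```c
/* Added example, not code from the paper or the SRI-CSL/NTT repository: a toy
 * cyclic NTT over Z_q with q = 12289 (the NewHope/BLISS modulus) and n = 8
 * (a constructed size; the schemes use 512 or 1024), a "lazy" variant that
 * leaves sums unreduced, and an interval-style bound of the kind a static
 * analysis must establish to rule out 32-bit overflow in the lazy variant. */
#include <stdint.h>
#include <stdio.h>

#define Q 12289u
#define LOGN 3u
#define N (1u << LOGN)

static uint32_t mulmod64(uint32_t a, uint32_t b) {   /* safe for any 32-bit inputs */
    return (uint32_t)(((uint64_t)a * b) % Q);
}
static uint32_t powmod(uint32_t b, uint32_t e) {
    uint32_t r = 1;
    for (; e; e >>= 1, b = mulmod64(b, b)) if (e & 1) r = mulmod64(r, b);
    return r;
}
/* Primitive N-th root of unity: w^N = 1 and w^(N/2) != 1 (N divides q-1 = 2^12 * 3). */
uint32_t find_root(void) {
    for (uint32_t w = 2; w < Q; w++)
        if (powmod(w, N) == 1 && powmod(w, N / 2) != 1) return w;
    return 0;
}
static void bitrev(uint32_t a[N]) {
    for (uint32_t i = 0, j = 0; i < N; i++) {
        if (i < j) { uint32_t t = a[i]; a[i] = a[j]; a[j] = t; }
        uint32_t bit = N >> 1;
        for (; j & bit; bit >>= 1) j ^= bit;
        j ^= bit;
    }
}
/* Iterative Cooley-Tukey NTT. lazy == 0: every butterfly output is reduced.
 * lazy != 0: only the twiddle product is reduced, sums accumulate unreduced,
 * and that product is a plain 32-bit multiply whose safety needs a bound. */
void ntt(uint32_t a[N], uint32_t root, int lazy) {
    bitrev(a);
    for (uint32_t len = 2; len <= N; len <<= 1) {
        uint32_t wlen = powmod(root, N / len);
        for (uint32_t i = 0; i < N; i += len) {
            uint32_t w = 1;
            for (uint32_t j = 0; j < len / 2; j++) {
                uint32_t u = a[i + j], b = a[i + j + len / 2];
                uint32_t v = lazy ? (b * w) % Q : mulmod64(b, w);
                a[i + j]           = lazy ? u + v     : (u + v) % Q;
                a[i + j + len / 2] = lazy ? u + Q - v : (u + Q - v) % Q;
                w = mulmod64(w, wlen);
            }
        }
    }
}
/* Interval abstraction of one lazy layer: inputs in [0, hi] give v in [0, Q-1],
 * so u+v <= hi+Q-1 and u+Q-v <= hi+Q. From reduced inputs, hi = Q-1 + layers*Q. */
uint64_t lazy_interval_hi(unsigned layers) { return (uint64_t)(Q - 1) + (uint64_t)layers * Q; }
/* The only 32-bit multiply is b*w at layer l (l >= 1), with b <= lazy_interval_hi(l-1)
 * and w <= Q-1; the last layer is the worst case. 1 if no layer can overflow uint32. */
int lazy_product_fits_u32(unsigned logn) {
    return lazy_interval_hi(logn - 1) * (Q - 1) <= UINT32_MAX;
}
unsigned max_safe_logn(void) {          /* largest transform size the bound admits */
    unsigned l = 1;
    while (lazy_product_fits_u32(l + 1)) l++;
    return l;
}
/* Cyclic product a*b mod (x^N - 1), checked against schoolbook convolution for
 * both variants; lazy outputs are also checked against the interval bound. */
int ntt_selftest(void) {
    static const uint32_t a0[N] = {1, 2, 3, 4, 5, 6, 7, 8};            /* constructed */
    static const uint32_t b0[N] = {12288, 0, 1, 0, 12288, 0, 1, 0};
    uint32_t ref[N] = {0}, a[N], b[N], c[N];
    uint32_t root = find_root(), rinv = powmod(root, Q - 2), ninv = powmod(N, Q - 2);
    for (uint32_t i = 0; i < N; i++)
        for (uint32_t j = 0; j < N; j++)
            ref[(i + j) % N] = (ref[(i + j) % N] + mulmod64(a0[i], b0[j])) % Q;
    if (!root || !lazy_product_fits_u32(LOGN)) return 0;   /* static bound first */
    for (int lazy = 0; lazy <= 1; lazy++) {
        for (uint32_t i = 0; i < N; i++) { a[i] = a0[i]; b[i] = b0[i]; }
        ntt(a, root, lazy); ntt(b, root, lazy);
        for (uint32_t i = 0; i < N; i++) {
            if (a[i] > lazy_interval_hi(LOGN) || b[i] > lazy_interval_hi(LOGN)) return 0;
            c[i] = mulmod64(a[i] % Q, b[i] % Q);               /* pointwise, reduced */
        }
        ntt(c, rinv, lazy);
        for (uint32_t i = 0; i < N; i++)
            if (mulmod64(c[i] % Q, ninv) != ref[i]) return 0;
    }
    return 1;
}
int main(void) {
    printf("self-test %s; lazy 32-bit products safe up to logn = %u (hi after %u layers = %llu)\n",
           ntt_selftest() ? "ok" : "FAILED", max_safe_logn(), LOGN,
           (unsigned long long)lazy_interval_hi(LOGN));
    return 0;
}
```

Compile with `cc -std=c11 -Wall` and run. The interval bound is the whole safety argument for this toy: the worst-case 32-bit product is (Q-1 + (logn-1)·Q)·(Q-1), which stays below 2^32 up to logn = 28, far beyond what the schemes need. A real optimized implementation works with signed values, Montgomery-style reductions and narrower margins, and its loops index arrays in ways a generic numeric domain tracks imprecisely; that is the setting in which the abstract reports off-the-shelf tools failing and a specialized abstract interpretation succeeding.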


Notes

  1. We have modified the original slightly.
  2. http://fmv.jku.at/cadical/.
  3. By default, CBMC relies on MiniSAT 2.2.1.
  4. Translation from LLVM bitcode to Crab CFG is implemented by a SeaHorn component called Clam [5].

References

  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium, pp. 327–343 (2016)
  2. Amato, G., Scozzari, F.: Localizing widening and narrowing. In: Logozzo, F., Fähndrich, M. (eds.) SAS 2013. LNCS, vol. 7935, pp. 25–42. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38856-9_4
  3. Beyer, D., Keremoglu, M.E.: CPAchecker: a tool for configurable software verification. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 184–190. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_16
  4. Blanchet, B., et al.: Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. In: Mogensen, T., Schmidt, D., Sudborough, I.H. (eds.) The Essence of Computation: Complexity, Analysis, Transformation (2002)
  5. Clam: Crab for LLVM Abstraction Manager. https://github.com/seahorn/crab-llvm
  6. Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24730-2_15
  7. Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)
  8. Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: ISOP 1976, pp. 106–130 (1976)
  9. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL, pp. 269–282 (1979)
  10. Cousot, P., Cousot, R., Logozzo, F.: A parametric segmentation functor for fully automatic and scalable array content analysis. In: POPL, pp. 105–118. ACM (2011)
  11. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Aho, A.V., Zilles, S.N., Szymanski, T.G. (eds.) POPL 1978, pp. 84–96. ACM Press (1978)
  12. CoRnucopia of ABstractions: A language-agnostic library for abstract interpretation. https://github.com/seahorn/crab
  13. Cuoq, P., Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C: a software analysis perspective. In: Eleftherakis, G., Hinchey, M., Holcombe, M. (eds.) SEFM 2012. LNCS, vol. 7504, pp. 233–247. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33826-7_16
  14. BLISS Implementation: Bimodal Lattice Signature Schemes. https://github.com/SRI-CSL/Bliss
  15. An Implementation of the Number Theoretic Transform. https://github.com/SRI-CSL/NTT
  16. Dillig, I., Dillig, T., Aiken, A.: Fluid updates: beyond strong vs. weak updates. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 246–266. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11957-6_14
  17. Dockins, R., Foltzer, A., Hendrix, J., Huffman, B., McNamee, D., Tomb, A.: Constructing semantic models of programs with the software analysis workbench. In: Blazy, S., Chechik, M. (eds.) VSTTE 2016. LNCS, vol. 9971, pp. 56–72. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48869-1_5
  18. Ducas, L.: Accelerating Bliss: the geometry of ternary polynomials. Cryptology ePrint Archive, Report 2014/874 (2014). http://eprint.iacr.org/2014/874
  19. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
  20. Fog, A.: Instruction tables: instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2020). www.agner.org/optimize
  21. Gentleman, W.M., Sande, G.: Fast Fourier transforms–for fun and profit. In: AFIPS 1966, pp. 563–578 (1966). https://doi.org/10.1145/1464291.1464352
  22. Gopan, D., Reps, T., Sagiv, M.: A framework for numeric analysis of array operations. In: POPL, pp. 338–350. ACM (2005)
  23. Granger, P.: Static analysis of arithmetical congruences. Int. J. Comput. Math. 30, 165–190 (1989)
  24. Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The SeaHorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 343–361. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_20
  25. Halbwachs, N., Péron, M.: Discovering properties about arrays in simple programs. In: PLDI, pp. 339–348. ACM (2008)
  26. Harvey, D.: Faster arithmetic for number-theoretic transforms. J. Symb. Comput. 60, 113–119 (2014). https://doi.org/10.1016/j.jsc.2013.09.002
  27. Komuravelli, A., Gurfinkel, A., Chaki, S.: SMT-based model checking for recursive programs. Formal Methods Syst. Des. 48(3), 175–205 (2016). https://doi.org/10.1007/s10703-016-0249-4
  28. Lakhdar-Chaouch, L., Jeannet, B., Girault, A.: Widening with thresholds for programs with complex control graphs. In: Bultan, T., Hsiung, P.-A. (eds.) ATVA 2011. LNCS, vol. 6996, pp. 492–502. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24372-1_38
  29. Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124–139. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_8
  30. Miné, A.: A new numerical abstract domain based on difference-bound matrices. In: Danvy, O., Filinski, A. (eds.) PADO 2001. LNCS, vol. 2053, pp. 155–172. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44978-7_10
  31. Miné, A.: The octagon abstract domain. High.-Order Symb. Comput. 19(1), 31–100 (2006)
  32. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
  33. Pöppelmann, T., Güneysu, T.: Towards efficient arithmetic for lattice-based cryptography on reconfigurable hardware. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 139–158. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_8
  34. Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on 8-bit ATxmega microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 346–365. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_19
  35. Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 371–391. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_21
  36. SeaHorn verification framework. https://github.com/seahorn/seahorn
  37. Warren, H.S.: Hacker's Delight, 2nd edn. Addison-Wesley, Boston (2013)
  38. Winkler, F.: Polynomial Algorithms in Computer Algebra. Texts and Monographs in Symbolic Computation. Springer, Heidelberg (1996). https://doi.org/10.1007/978-3-7091-6571-3


Acknowledgements

This work benefited from many discussions with Tancrède Lepoint. The work was partially supported by NSF Grants CCF-1816936 and CCF-1817204.

Author information

Correspondence to Bruno Dutertre.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Navas, J.A., Dutertre, B., Mason, I.A. (2020). Verification of an Optimized NTT Algorithm. In: Christakis, M., Polikarpova, N., Duggirala, P.S., Schrammel, P. (eds) Software Verification. NSV 2020, VSTTE 2020. Lecture Notes in Computer Science, vol. 12549. Springer, Cham. https://doi.org/10.1007/978-3-030-63618-0_9


  • DOI: https://doi.org/10.1007/978-3-030-63618-0_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63617-3

  • Online ISBN: 978-3-030-63618-0
