High-Performance Ideal Lattice-Based Cryptography on 8-Bit ATxmega Microcontrollers

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)

Abstract

Over the last years lattice-based cryptography has received much attention due to versatile average-case problems like Ring-LWE or Ring-SIS that appear to be intractable by quantum computers. But despite of promising constructions, only few results have been published on implementation issues on very constrained platforms. In this work we therefore study and compare implementations of Ring-LWE encryption and the Bimodal Lattice Signature Scheme (BLISS) on an 8-bit Atmel ATxmega128 microcontroller. Since the number theoretic transform (NTT) is one of the core components in implementations of lattice-based cryptosystems, we review the application of the NTT in previous implementations and present an improved approach that significantly lowers the runtime for polynomial multiplication. Our implementation of Ring-LWE encryption takes 27 ms for encryption and 6.7 ms for decryption. To compute a BLISS signature, our software takes 329 ms and 88 ms for verification. These results outperform implementations on similar platforms and underline the feasibility of lattice-based cryptography on constrained devices.

Keywords

Ideal lattices NTT RLWE BLISS ATxmega 

References

  1. 1.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  2. 2.
    Balasch, J., Ege, B., Eisenbarth, T., Gérard, B., Gong, Z., Güneysu, T., Heyse, S., Kerckhof, S., Koeune, F., Plos, T., Pöppelmann, T., Regazzoni, F., Standaert, F.-X., Van Assche, G., Van Keer, R., van Oldeneel tot Oldenzeel, L., von Maurich, I.: Compact implementation and performance evaluation of hash functions in ATtiny devices. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 158–172. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  3. 3.
    Batina, L., Robshaw, M. (eds.): CHES 2014. LNCS, vol. 8731. Springer, Heidelberg (2014) Google Scholar
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: Keccak implementation overview, version 3.2 (2012). http://keccak.noekeon.org/Keccak-implementation-3.2.pdf
  5. 5.
    Blahut, R.E.: Fast Algorithms for Signal Processing. Cambridge University Press, Cambridge (2010). http://amazon.com/o/ASIN/0521190495/ CrossRefMATHGoogle Scholar
  6. 6.
    Boorghany, A., Jalili, R.: Implementation and comparison of lattice-based identification protocols on smart cards and microcontrollers. Eprint 2014, 78 (2014). http://eprint.iacr.org/2014/078, preliminary version of [7]
  7. 7.
    Boorghany, A., Sarmadi, S.B., Jalili, R.: On constrained implementation of lattice-based cryptographic primitives and schemes on smart cards. Eprint 2014, 514 (2014). http://eprint.iacr.org/2014/514, successive version of [6]
  8. 8.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. Eprint 2014, 599 (2014). http://eprint.iacr.org/2014/599
  9. 9.
    Cabarcas, D., Weiden, P., Buchmann, J.: On the efficiency of provably secure NTRU. In: Mosca [40], pp. 22–39Google Scholar
  10. 10.
    Chen, D.D., Mentens, N., Vercauteren, F., Roy, S.S., Cheung, R.C.C., Pao, D., Verbauwhede, I.: High-speed polynomial multiplication architecture for ring-LWE and SHE cryptosystems. IEEE Trans. Circuits Syst. 62–I(1), 157–166 (2015)CrossRefGoogle Scholar
  11. 11.
    Chu, E., George, A.: Inside the FFT Black Box Serial and Parallel Fast Fourier Transform Algorithms. CRC Press, Boca Raton (2000) MATHGoogle Scholar
  12. 12.
    de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Efficient software implementation of Ring-LWE encryption. Eprint 2014, 725 (2014). http://eprint.iacr.org/2014/725
  13. 13.
    Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19, 297–301 (1965)MathSciNetCrossRefMATHGoogle Scholar
  14. 14.
    Crandall, R., Fagin, B.: Discrete weighted transforms and large-integer arithmetic. Math. Comput. 62(205), 305–324 (1994)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Devroye, L.: Non-uniform Random Variate Generation. Springer, New York (1986). http://luc.devroye.org/rnbookindex.html CrossRefMATHGoogle Scholar
  17. 17.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  18. 18.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. Eprint 2013, 383 (2013). http://eprint.iacr.org/2013/383, full version of [18]
  19. 19.
    Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014) Google Scholar
  20. 20.
    Düll, M., Haase, B., Hinterwälder, G., Hutter, M., Paar, C., Sánchez, A.H., Schwabe, P.: High-speed Curve25519 on 8-bit, 16-bit and 32-bit microcontrollers. Des. Codes Crypt. (to appear)Google Scholar
  21. 21.
    Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)MathSciNetCrossRefMATHGoogle Scholar
  22. 22.
    Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: AFIPS Conference Proceedings, AFIPS 1966, vol. 29, pp. 563–578. AFIPS/ACM/Spartan Books, Washington D.C. (1966)Google Scholar
  23. 23.
    Göttert, N., Feller, T., Schneider, M., Buchmann, J., Huss, S.A.: On the design of hardware building blocks for modern lattice-based encryption schemes. In: Prouff and Schaumont [46], pp. 512–529Google Scholar
  24. 24.
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff and Schaumont [46], pp. 530–547Google Scholar
  25. 25.
    Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  26. 26.
    Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C.: Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 119–132. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  27. 27.
    Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  28. 28.
    Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  29. 29.
    Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Practical signatures from the partial Fourier recovery problem. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 476–493. Springer, Heidelberg (2014) Google Scholar
  30. 30.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  31. 31.
    Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  32. 32.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  33. 33.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  34. 34.
    Liu, Z., Großschädl, J., Kizhvatov, I.: Efficient and side-channel resistant RSA implementation for 8-bit AVR microcontrollers. In: SECIOT 2010. IEEE Computer Society Press (2010)Google Scholar
  35. 35.
    Liu, Z., Seo, H., Roy, S.S., Großschädl, J., Kim, H., Verbauwhede, I.: Efficient Ring-LWE encryption on 8-bit AVR processors. Eprint 2015, 410 (2015). http://eprint.iacr.org/2015/410, to appear in CHES 2015
  36. 36.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  37. 37.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices andlearning with errors over rings (2010), presentation of [36] givenby Chris Peikert at Eurocrypt 2010. http://www.cc.gatech.edu/~cpeikert/pubs/slides-ideal-lwe.pdf
  38. 38.
    Melchor, C.A., Boyen, X., Deneuville, J., Gaborit, P.: Sealing the leak on classical NTRU signatures. In: Mosca [40], pp. 1–21Google Scholar
  39. 39.
    Monteverde, M.: NTRU software implementation for constrained devices. Master’s thesis, Katholieke Universiteit Leuven (2008)Google Scholar
  40. 40.
    Mosca, M. (ed.): PQCrypto 2014. LNCS, vol. 8772. Springer, Heidelberg (2014) MATHGoogle Scholar
  41. 41.
    Nussbaumer, H.J.: Fast Fourier Transform and Convolution Algorithms, Springer Series in Information Sciences, vol. 2. Springer, Heidelberg (1982) Google Scholar
  42. 42.
    Oder, T., Pöppelmann, T., Güneysu, T.: Beyond ECDSA and RSA: lattice-based digital signatures on constrained devices. In: DAC 2014, pp. 1–6. ACM (2014)Google Scholar
  43. 43.
    Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina and Robshaw [3], pp. 353–370Google Scholar
  44. 44.
    Pöppelmann, T., Güneysu, T.: Towards practical lattice-based public-key encryption on reconfigurable hardware. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 68–86. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  45. 45.
    Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on ATXmega 8-bit microcontrollers. Eprint 2015, 382 (2015). http://eprint.iacr.org/2015/382
  46. 46.
    Prouff, E., Schaumont, P. (eds.): CHES 2012. LNCS, vol. 7428. Springer, Heidelberg (2012) Google Scholar
  47. 47.
    Rich, S., Gellman, B.: NSA seeks quantum computer that could crack most codes. The Washington Post (2013). http://wapo.st/19DycJT
  48. 48.
    Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina and Robshaw [3], pp. 371–391Google Scholar
  49. 49.
    Schönhage, A., Strassen, V.: Schnelle multiplikation grosser zahlen. Computing 7(3), 281–292 (1971)CrossRefMATHGoogle Scholar
  50. 50.
    Shor, P.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994, pp. 124–134. IEEE (1994)Google Scholar
  51. 51.
    Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer (2011)Google Scholar
  52. 52.
    Winkler, F.: Polynomial Algorithms in Computer Algebra. Texts and Monographs in Symbolic Computation, 1st edn. Springer, Heidelberg (1996) CrossRefMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Horst Görtz Institute for IT-SecurityRuhr-University BochumBochumGermany

Personalised recommendations