High-Performance Ideal Lattice-Based Cryptography on 8-Bit ATxmega Microcontrollers

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9230)

Abstract

Over the last few years lattice-based cryptography has received much attention due to versatile average-case problems like Ring-LWE or Ring-SIS that appear to be intractable for quantum computers. But despite promising constructions, only a few results have been published on implementation issues on very constrained platforms. In this work we therefore study and compare implementations of Ring-LWE encryption and the Bimodal Lattice Signature Scheme (BLISS) on an 8-bit Atmel ATxmega128 microcontroller. Since the number theoretic transform (NTT) is one of the core components in implementations of lattice-based cryptosystems, we review the application of the NTT in previous implementations and present an improved approach that significantly lowers the runtime for polynomial multiplication. Our implementation of Ring-LWE encryption takes 27 ms for encryption and 6.7 ms for decryption. To compute a BLISS signature, our software takes 329 ms, and 88 ms for verification. These results outperform implementations on similar platforms and underline the feasibility of lattice-based cryptography on constrained devices.

Keywords

  • Ideal lattices
  • NTT
  • RLWE
  • BLISS
  • ATxmega

This work was partially funded by the European Union H2020 SAFEcrypto project (grant no. 644729), European Union H2020 PQCRYPTO project (grant no. 645622), German Research Foundation (DFG), and DFG Research Training Group GRK 1817/1.

Notes

  1. The NTT can be regarded as a Fast Fourier Transform over \(\mathbb {Z}_{q}\).

  2. See http://www.sha.rub.de/research/projects/lattice/.

  3. Actually, this is overly restrictive and the NTT is also defined for certain composite moduli (n has to divide \(p-1\) for every prime factor p of \(q\)). However, for the target parameter sets common in lattice-based cryptography we can restrict ourselves to prime moduli and refer to [41] for further information on NTTs with composite moduli.

  4. Similar to exponentiation being the main operation of RSA or point multiplication being the main operation of ECC.

  5. To our knowledge, all security evaluations of RLWEenc (and also BLISS) only consider the best known attacks executed on a classical computer. The security levels are thus denoted as pre-quantum. A security assessment that considers quantum computers is certainly necessary but is not within the scope of this paper.

  6. Most of the techniques discussed in this section have already been proposed in the context of the fast Fourier transform (FFT). However, they have not yet been considered for speeding up ideal lattice-based cryptography (at least not in works like [7, 12, 43, 48]). Moreover, some optimizations and techniques are mutually exclusive, so a careful selection and balancing has to be made.

  7. It is debatable which precision is really necessary in RLWEenc and what impact lower precision, e.g., \(\lambda =40\), would have on the security of the scheme. But as the implementation of the CDT for small standard deviations \(\sigma \) is rather efficient, and for better comparison with related work like [6, 7, 12], we chose to implement high-precision sampling and set \(\lambda =128\).

  8. While the ATxmega128 and ATxmega64 differ from the ATmega64 in operating frequency and in some architectural details, cycle counts are mostly comparable.

  9. One exception is a Master's thesis by Monteverde [39], but the implemented NTRU251:3 variant is not secure anymore according to the recent recommendations in [28].
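As an added illustration of notes 1 and 3 and of the NTT-based polynomial multiplication named in the abstract (example code written for this page, not the paper's implementation): multiplication in \(\mathbb {Z}_{q}[x]/(x^n+1)\) via a negacyclic NTT, with the root-of-unity existence check from note 3 and a schoolbook cross-check. The parameters used in the test (q = 17 with n = 8, and q = 7681 with n = 256) are assumptions chosen to satisfy 2n | q - 1; they are not taken from the page.

```python
# Added example, not the paper's code: NTT-based multiplication in Z_q[x]/(x^n + 1).
# Assumes q prime and n a power of two with 2n | q - 1 (so a 2n-th root psi, psi^n = -1, exists).

def is_prime(q):
    return q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))

def primitive_root_of_unity(order, q):     # element of exact order `order` (a power of two) in Z_q^*
    if not is_prime(q) or (q - 1) % order:
        return None                         # note 3: the order must divide q - 1 for prime q
    for g in range(2, q):
        w = pow(g, (q - 1) // order, q)     # w^order = 1 by Fermat's little theorem
        if pow(w, order // 2, q) == q - 1:  # order is exact iff w^(order/2) = -1
            return w
    return None

def ntt(a, w, q):                           # recursive Cooley-Tukey NTT, w a primitive len(a)-th root
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], w * w % q, q)
    odd = ntt(a[1::2], w * w % q, q)
    out, t = [0] * n, 1
    for k in range(n // 2):                 # butterfly: E[k] +/- w^k * O[k]
        out[k] = (even[k] + t * odd[k]) % q
        out[k + n // 2] = (even[k] - t * odd[k]) % q
        t = t * w % q
    return out

def poly_mul_negacyclic(a, b, q):          # a * b mod (x^n + 1, q) in O(n log n)
    n = len(a)
    psi = primitive_root_of_unity(2 * n, q)
    if psi is None:
        raise ValueError("need prime q with 2n | q - 1 (see note 3)")
    w = psi * psi % q                       # primitive n-th root of unity for the NTT itself
    weight = lambda p, r: [x * pow(r, i, q) % q for i, x in enumerate(p)]
    c = [x * y % q for x, y in zip(ntt(weight(a, psi), w, q), ntt(weight(b, psi), w, q))]
    c = ntt(c, pow(w, q - 2, q), q)         # inverse NTT: forward transform with w^-1, then scale by n^-1
    n_inv, psi_inv = pow(n, q - 2, q), pow(psi, q - 2, q)
    return [x * n_inv % q for x in weight(c, psi_inv)]

def poly_mul_schoolbook(a, b, q):          # reference O(n^2) multiplication in Z_q[x]/(x^n + 1)
    n, c = len(a), [0] * len(a)
    for i in range(n):
        for j in range(n):
            k = i + j                       # x^(i+j) wraps around to -x^(i+j-n)
            if k < n:
                c[k] = (c[k] + a[i] * b[j]) % q
            else:
                c[k - n] = (c[k - n] - a[i] * b[j]) % q
    return c
```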

References

  1. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014)

  2. Balasch, J., Ege, B., Eisenbarth, T., Gérard, B., Gong, Z., Güneysu, T., Heyse, S., Kerckhof, S., Koeune, F., Plos, T., Pöppelmann, T., Regazzoni, F., Standaert, F.-X., Van Assche, G., Van Keer, R., van Oldeneel tot Oldenzeel, L., von Maurich, I.: Compact implementation and performance evaluation of hash functions in ATtiny devices. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 158–172. Springer, Heidelberg (2013)

  3. Batina, L., Robshaw, M. (eds.): CHES 2014. LNCS, vol. 8731. Springer, Heidelberg (2014)

  4. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: Keccak implementation overview, version 3.2 (2012). http://keccak.noekeon.org/Keccak-implementation-3.2.pdf

  5. Blahut, R.E.: Fast Algorithms for Signal Processing. Cambridge University Press, Cambridge (2010). http://amazon.com/o/ASIN/0521190495/

  6. Boorghany, A., Jalili, R.: Implementation and comparison of lattice-based identification protocols on smart cards and microcontrollers. Eprint 2014, 78 (2014). http://eprint.iacr.org/2014/078, preliminary version of [7]

  7. Boorghany, A., Sarmadi, S.B., Jalili, R.: On constrained implementation of lattice-based cryptographic primitives and schemes on smart cards. Eprint 2014, 514 (2014). http://eprint.iacr.org/2014/514, successive version of [6]

  8. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. Eprint 2014, 599 (2014). http://eprint.iacr.org/2014/599

  9. Cabarcas, D., Weiden, P., Buchmann, J.: On the efficiency of provably secure NTRU. In: Mosca [40], pp. 22–39

  10. Chen, D.D., Mentens, N., Vercauteren, F., Roy, S.S., Cheung, R.C.C., Pao, D., Verbauwhede, I.: High-speed polynomial multiplication architecture for ring-LWE and SHE cryptosystems. IEEE Trans. Circuits Syst. 62–I(1), 157–166 (2015)

  11. Chu, E., George, A.: Inside the FFT Black Box Serial and Parallel Fast Fourier Transform Algorithms. CRC Press, Boca Raton (2000)

  12. de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Efficient software implementation of Ring-LWE encryption. Eprint 2014, 725 (2014). http://eprint.iacr.org/2014/725

  13. Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19, 297–301 (1965)

  14. Crandall, R., Fagin, B.: Discrete weighted transforms and large-integer arithmetic. Math. Comput. 62(205), 305–324 (1994)

  15. Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective. Springer, Heidelberg (2001)

  16. Devroye, L.: Non-uniform Random Variate Generation. Springer, New York (1986). http://luc.devroye.org/rnbookindex.html

  17. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013)

  18. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. Eprint 2013, 383 (2013). http://eprint.iacr.org/2013/383, full version of [18]

  19. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014)

  20. Düll, M., Haase, B., Hinterwälder, G., Hutter, M., Paar, C., Sánchez, A.H., Schwabe, P.: High-speed Curve25519 on 8-bit, 16-bit and 32-bit microcontrollers. Des. Codes Crypt. (to appear)

  21. Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)

  22. Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: AFIPS Conference Proceedings, AFIPS 1966, vol. 29, pp. 563–578. AFIPS/ACM/Spartan Books, Washington D.C. (1966)

  23. Göttert, N., Feller, T., Schneider, M., Buchmann, J., Huss, S.A.: On the design of hardware building blocks for modern lattice-based encryption schemes. In: Prouff and Schaumont [46], pp. 512–529

  24. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff and Schaumont [46], pp. 530–547

  25. Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013)

  26. Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C.: Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 119–132. Springer, Heidelberg (2004)

  27. Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013)

  28. Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)

  29. Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Practical signatures from the partial Fourier recovery problem. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 476–493. Springer, Heidelberg (2014)

  30. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)

  31. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013)

  32. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)

  33. Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)

  34. Liu, Z., Großschädl, J., Kizhvatov, I.: Efficient and side-channel resistant RSA implementation for 8-bit AVR microcontrollers. In: SECIOT 2010. IEEE Computer Society Press (2010)

  35. Liu, Z., Seo, H., Roy, S.S., Großschädl, J., Kim, H., Verbauwhede, I.: Efficient Ring-LWE encryption on 8-bit AVR processors. Eprint 2015, 410 (2015). http://eprint.iacr.org/2015/410, to appear in CHES 2015

  36. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)

  37. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings (2010), presentation of [36] given by Chris Peikert at Eurocrypt 2010. http://www.cc.gatech.edu/~cpeikert/pubs/slides-ideal-lwe.pdf

  38. Melchor, C.A., Boyen, X., Deneuville, J., Gaborit, P.: Sealing the leak on classical NTRU signatures. In: Mosca [40], pp. 1–21

  39. Monteverde, M.: NTRU software implementation for constrained devices. Master’s thesis, Katholieke Universiteit Leuven (2008)

  40. Mosca, M. (ed.): PQCrypto 2014. LNCS, vol. 8772. Springer, Heidelberg (2014)

  41. Nussbaumer, H.J.: Fast Fourier Transform and Convolution Algorithms, Springer Series in Information Sciences, vol. 2. Springer, Heidelberg (1982)

  42. Oder, T., Pöppelmann, T., Güneysu, T.: Beyond ECDSA and RSA: lattice-based digital signatures on constrained devices. In: DAC 2014, pp. 1–6. ACM (2014)

  43. Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina and Robshaw [3], pp. 353–370

  44. Pöppelmann, T., Güneysu, T.: Towards practical lattice-based public-key encryption on reconfigurable hardware. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 68–86. Springer, Heidelberg (2014)

  45. Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on ATXmega 8-bit microcontrollers. Eprint 2015, 382 (2015). http://eprint.iacr.org/2015/382

  46. Prouff, E., Schaumont, P. (eds.): CHES 2012. LNCS, vol. 7428. Springer, Heidelberg (2012)

  47. Rich, S., Gellman, B.: NSA seeks quantum computer that could crack most codes. The Washington Post (2013). http://wapo.st/19DycJT

  48. Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina and Robshaw [3], pp. 371–391

  49. Schönhage, A., Strassen, V.: Schnelle multiplikation grosser zahlen. Computing 7(3), 281–292 (1971)

  50. Shor, P.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994, pp. 124–134. IEEE (1994)

  51. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer (2011)

  52. Winkler, F.: Polynomial Algorithms in Computer Algebra. Texts and Monographs in Symbolic Computation, 1st edn. Springer, Heidelberg (1996)

Corresponding author

Correspondence to Thomas Pöppelmann .

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Pöppelmann, T., Oder, T., Güneysu, T. (2015). High-Performance Ideal Lattice-Based Cryptography on 8-Bit ATxmega Microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology - LATINCRYPT 2015. Lecture Notes in Computer Science, vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_19

  • DOI: https://doi.org/10.1007/978-3-319-22174-8_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8
