Skip to main content

Enhanced Lattice-Based Signatures on Reconfigurable Hardware

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8731)

Abstract

The recent Bimodal Lattice Signature Scheme (Bliss) showed that lattice-based constructions have evolved to practical alternatives to RSA or ECC. Besides reasonably small signatures with 5600 bits for a 128-bit level of security, Bliss enables extremely fast signing and signature verification in software. However, due to the complex sampling of Gaussian noise with high precision, it is not clear whether this scheme can be mapped efficiently to embedded devices. Even though the authors of Bliss also proposed a new sampling algorithm using Bernoulli variables this approach is more complex than previous methods using large precomputed tables. The clear disadvantage of using large tables for high performance is that they cannot be used on constrained computing environments, such as FPGAs, with limited memory. In this work we thus present techniques for an efficient Cumulative Distribution Table (CDT) based Gaussian sampler on reconfigurable hardware involving Peikert’s convolution lemma and the Kullback-Leibler divergence. Based on our enhanced sampler design, we provide a first Bliss architecture for Xilinx Spartan-6 FPGAs that integrates fast FFT/NTT-based polynomial multiplication, sparse multiplication, and a Keccak hash function. Additionally, we compare the CDT with the Bernoulli approach and show that for the particular Bliss-I parameter set the improved CDT approach is faster with lower area consumption. Our core uses 2,431 slices, 7.5 BRAMs, and 6 DSPs and performs a signing operation in 126 μs on average. Verification takes even less with 70 μs.

Keywords

  • Ideal Lattices
  • Gaussian Sampling
  • Digital Signatures
  • FPGA

References

  1. Aysu, A., Patterson, C., Schaumont, P.: Low-cost and area-efficient FPGA implementations of lattice-based cryptography. In: HOST, pp. 81–86. IEEE (2013)

    Google Scholar 

  2. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014)

    CrossRef  Google Scholar 

  3. Bansarkhani, R.E., Buchmann, J.: Improvement and efficient implementation of a lattice-based signature scheme. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 48–67. Springer, Heidelberg (2014)

    Google Scholar 

  4. Barbulescu, R.: Selecting polynomials for the function field sieve. Cryptology ePrint Archive, Report 2013/200 (2013), http://eprint.iacr.org/2013/200

  5. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014), http://arxiv.org/abs/1306.4244

    CrossRef  Google Scholar 

  6. Blondeau, C., Gérard, B.: On the data complexity of statistical attacks against block ciphers (full version). Cryptology ePrint Archive, Report 2009/064 (2009), http://eprint.iacr.org/2009/064

  7. Boorghany, A., Jalili, R.: Implementation and comparison of lattice-based identification protocols on smart cards and microcontrollers. Cryptology ePrint Archive, Report 2014/078 (2014), http://eprint.iacr.org/2014/078

  8. Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete ziggurat: A time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013, vol. 8282, pp. 402–417. Springer, Heidelberg (2014)

    Google Scholar 

  9. Chen, H.-C., Asau, Y.: On generating random variates from an empirical distribution. AIIE Transactions 6(2), 163–166 (1974)

    CrossRef  Google Scholar 

  10. Cover, T.M., Thomas, J.: Elements of Information Theory. Wiley (1991)

    Google Scholar 

  11. Devroye, L.: Non-Uniform Random Variate Generation. Springer-Verlag (1986), http://luc.devroye.org/rnbookindex.html

  12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  13. Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. In: Applicable Algebra in Engineering, Communication and Computing, pp. 1–22 (2014)

    Google Scholar 

  14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, Victoria, British Columbia, Canada, May 17-20, pp. 197–206. ACM Press (2008)

    Google Scholar 

  15. Glas, B., Sander, O., Stuckert, V., Müller-Glaser, K.D., Becker, J.: Prime field ECDSA signature processing for reconfigurable embedded systems. Int. J. Reconfig. Comp. (2011)

    Google Scholar 

  16. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: A signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  17. Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  18. Güneysu, T., Paar, C.: Ultra high performance ECC over NIST primes on commercial fPGAs. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 62–78. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  19. Gutierrez, R., Torres-Carot, V., Valls, J.: Hardware architecture of a Gaussian noise generator based on the inversion method. IEEE Trans. on Circuits and Systems 59-II(8), 501–505 (2012)

    Google Scholar 

  20. Joux, A.: A new index calculus algorithm with complexity l(1/4 + o(1)) in very small characteristic. Cryptology ePrint Archive, Report 2013/095 (2013), http://eprint.iacr.org/2013/095

  21. Järvinen, T.M.K., Skyttä, J.: Final project report: Cryptoprocessor for elliptic curve digital signature algorithm, ECDSA (2007), http://www.altera.com/literature/dc/2007/in_2007_dig_signature.pdf

  22. Jungk, B., Apfelbeck, J.: Area-efficient FPGA implementations of the SHA-3 finalists. In: Athanas, P.M., Becker, J., Cumplido, R. (eds.) ReConFig, pp. 235–241. IEEE Computer Society (2011)

    Google Scholar 

  23. Kullback, S., Leibler, R.A.: On information and sufficiency. Ann. Math. Statist. 22(1), 79–86 (1951)

    MathSciNet  CrossRef  MATH  Google Scholar 

  24. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  25. Lyubashevsky, V.: Fiat-shamir with aborts: Applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  26. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  27. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  28. Micciancio, D., Peikert, C.: Trapdoors for lattices: Simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  29. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  30. Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  31. Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. IACR Cryptology ePrint Archive, 2014:254 (2014)

    Google Scholar 

  32. Pöppelmann, T., Güneysu, T.: Towards efficient arithmetic for lattice-based cryptography on reconfigurable hardware. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 139–158. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  33. T. Pöppelmann and T. Güneysu. Towards practical lattice-based public-key encryption on reconfigurable hardware. T. Lange, K. Lauter, and P. Lison?ek

    Google Scholar 

  34. Pöppelmann, T., Güneysu, T.: Area optimization of lightweight lattice-based encryption on reconfigurable hardware. In: ISCAS (to appear, 2014), http://www.sha.rub.de/media/sh/veroeffentlichungen/2014/03/23/iscas_web_version.pdf

  35. Rich, S., Gellman, B.: NSA seeks quantum computer that could crack most codes. The Washington Post (2013), http://wapo.st/19DycJT

  36. Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact hardware implementation of Ring-LWE cryptosystems. IACR Cryptology ePrint Archive, 2013:866 (2013)

    Google Scholar 

  37. Roy, S.S., Vercauteren, F., Verbauwhede, I.: High precision discrete Gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014)

    Google Scholar 

  38. Shahid, R., Sharif, M.U., Rogawski, M., Gaj, K.: Use of embedded FPGA resources in implementations of 14 round 2 SHA-3 candidates. In: Tessier, R. (ed.) FPT, pp. 1–9. IEEE (2011)

    Google Scholar 

  39. Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th FOCS, Santa Fe, New Mexico, November 20-22, pp. 124–134. IEEE Computer Society Press (1994)

    Google Scholar 

  40. Suzuki, D., Matsumoto, T.: How to maximize the potential of FPGA-based DSPs for modular exponentiation. IEICE Transactions 94-A(1), 211–222 (2011)

    Google Scholar 

  41. Thomas, D.B., Luk, W., Leong, P.H.W., Villasenor, J.D.: Gaussian random number generators. ACM Comput. Surv. 39(4) (2007)

    Google Scholar 

  42. Vaudenay, S.: Decorrelation: A theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)

    MathSciNet  CrossRef  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pöppelmann, T., Ducas, L., Güneysu, T. (2014). Enhanced Lattice-Based Signatures on Reconfigurable Hardware. In: Batina, L., Robshaw, M. (eds) Cryptographic Hardware and Embedded Systems – CHES 2014. CHES 2014. Lecture Notes in Computer Science, vol 8731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44709-3_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-44709-3_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44708-6

  • Online ISBN: 978-3-662-44709-3

  • eBook Packages: Computer ScienceComputer Science (R0)