learning with errors on rsa co- processors...thomas pöppelmann – etsi / iqc quantum safe workshop...
TRANSCRIPT
![Page 1: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/1.jpg)
Learning with Errors on RSA Co-Processors
Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018
![Page 2: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/2.jpg)
Introduction
Outline
Post-quantum cryptography› Is getting standardized as quantum technology matures› Has to be implemented efficiently on small devices like smart cards or in IoT
context› Transition strategy from RSA/ECC to PQC required -> reuse of existing hardware
22018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
Content of the talk: How to use an RSA co-processor to accelerate
lattice-based PQC (i.e., a Kyber variant)
![Page 3: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/3.jpg)
Kyber
› CRYSTALS-Kyber– State-of-the-art lattice-based CCA-secured key encapsulation
mechanism (KEM)– Submitted to NIST by Roberto Avanzi, Joppe Bos, Léo Ducas,
Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé
– Main selling point: Modular LWE– Base ring is R / 1– Modular LWE parameter to configure security level– Pitched as “middle ground” between LWE (no structure) and RLWE
(structured)
Parameterset
K Bit-sec
|pk| |sk| |ctxt|
Kyber512 2 102 736 1632 800
Kyber768 3 161 1088 2400 1152
Kyber1024 4 218 1440 3168 1504
32018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 4: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/4.jpg)
Motivation
› Main arithmetic operation in ideal lattice-based crypto is polynomial multiplication in and polynomial addition (e.g., )
› For 256 a schoolbook polynomial multiplication algorithm would require 65536 multiplications in vs. one NTT with only 1024 (=> 3 ⋅ 1024 256 3328)
Problem: Multiplication in may still be slow on your target platform
Possible solution: Use RSA co-processor [AHHPVW18]
[AHHPVW18] Martin R. Albrecht, Christian Hanser, Andrea Höller, Thomas Pöppelmann, Fernando Virdia, Andreas Wallner: Implementing RLWE-based Schemes Using an RSA Co-Processor. IACR Cryptology ePrint Archive 2018: 425 (2018), to appear in TCHES’19
42018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 5: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/5.jpg)
Kronecker substitution
Polynomial multiplication
› 2 3
› 1
› ⋅ 2 3 ⋅ 12 3 2 3 2 5 3
Kronecker substitution
› 10 2 ⋅ 10 3 203
› 10 1 ⋅ 10 1 101
› 203 ⋅ 101 20503
› 020503~2 5 3
Use Kronecker to realize a MulAdd gadget with RSA co-processor
, , , ⋅
Note: Different variants of Kronecker exist (KS1-4) and one has to take care to allow signed arithmetic
52018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 6: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/6.jpg)
Target device: Infineon SLE 78 CLUFX5000
The SLE78CLUFX5000 chip card
› 16-bit Dual Security-CPU running at 50 MHz
› 16 Kbyte RAM and 500 Kbyte NVM
› RSA/ECC co-processor (long integer multiplier)
› AES-128/256 co-processor
› SHA1 and SHA256 co-processor
When used to accelerate RSA, the co-processor of the SLE 78 CLUFX5000 is designed to compute
, , ↦ , , , ↦ ·
For , , being integers of size 2200 bits.
The software can send commands to co-processor which also has 5 internal registers of size approx. 2200 bits.
RSA
62018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
Chip card hardware
NVMDual-CPU
RAM
RSA/ECC
AES
SHA
Analog frontend (often contactless)
![Page 7: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/7.jpg)
Kyber implementation on SLE 78
› Kyber works in R / 1
– Use 32 bits per coefficient– Integers of 64 · 32 = 2048 bits– Perform polynomial arithmetic modulo 1
(Karatsuba or Schoolbook)
› Implementation on SLE 78
– Karatsuba to reduce multiplications (one 2048 multiplications costs 9,300 cycles on co-processor)
– Perform additions on CPU while co-processor is multiplying (reduce transfer costs CPU <-> co-processor
– Use SHA-256 and AES-256 co-processor for PRF and XOF as well as random oracles (CCA)
Smaller integers vs. more effort to
pack
Trade multiplications for
additions
Co-processor is running in parallel
72018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 8: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/8.jpg)
Results
› CCA-secured Kyber768 @ 50 MHz
– Gen in 79.6 ms, Enc in 102.4 ms, Dec in 132.7 ms
Packing is expensive
One NTT costs more than MulAdd
PRF/XOF using AES co-pro
PRF/XOF using AES co-pro + SHA-256-
co-pro
Random oracles with SHA3 in SW
82018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 9: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/9.jpg)
More results
Kyber768 decryption similar speed as RSA-2048 with CRT(but no attack countermeasures)
92018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 10: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/10.jpg)
Summary
› Might allow smoother migration towards PQC
› Note that we implemented a Kyber variant
– Inclusion of NTT into specification hurts us – We use hardware-based co-processors
(availability only good for AES and SHA2)– But MLWE fits well as only one MulAdd
required and dimension ( 256) small
Fast PQC is feasible on current smart card platforms
102018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 11: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/11.jpg)
Thank you!
Thank you for your attention!Any questions?
https://futuretpm.eu/
http://www.infineon.com/[email protected]
112018-11-08 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
![Page 12: Learning with Errors on RSA Co- Processors...Thomas Pöppelmann – ETSI / IQC Quantum Safe Workshop 2018 – 11/08/2018 Introduction Outline Post-quantum cryptography › Is getting](https://reader035.vdocuments.site/reader035/viewer/2022062605/5fd39339c5630c039b38c109/html5/thumbnails/12.jpg)