Results 1 
9 of
9
Sampling from discrete Gaussians for latticebased cryptography on a constrained device
 Appl. Algebra Eng. Commun. Comput
"... ABSTRACT. Modern latticebased publickey cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small onboard storage and without access to larg ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
(Show Context)
ABSTRACT. Modern latticebased publickey cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small onboard storage and without access to large numbers of external random bits. We review latticebased encryption schemes and signature schemes and their requirements for sampling from discrete Gaussians. Finally, we make some remarks on challenges and potential solutions for practical latticebased cryptography.
Efficient Software Implementation of RingLWE Encryption
"... Abstract. Presentday publickey cryptosystems such as RSA and Elliptic Curve Cryptography (ECC) will become insecure when quantum computers become a reality. This paper presents the new state of the art in efficient software implementations of a postquantum secure publickey encryption scheme bas ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Presentday publickey cryptosystems such as RSA and Elliptic Curve Cryptography (ECC) will become insecure when quantum computers become a reality. This paper presents the new state of the art in efficient software implementations of a postquantum secure publickey encryption scheme based on the ringLWE problem. We use a 32bit ARM CortexM4F microcontroller as the target platform. Our contribution includes optimization techniques for fast discrete Gaussian sampling and efficient polynomial multiplication. This implementation beats all known software implementations, on any architecture, by at least one order of magnitude. We further show that our scheme beats all ECCbased publickey encryption schemes by at least one order of magnitude. At 128bit security we require 121166 cycles per encryption and 43324 cycles per decryption, while at a 256bit security we require 261939 cycles per encryption and 96520 cycles per decryption. Gaussian sampling is done at an average of 28.5 cycles per sample. 1
Compact RingLWE Cryptoprocessor
"... Abstract. In this paper we propose an efficient and compact processor for a ringLWE based encryption scheme. We present three optimizations for the Number Theoretic Transform (NTT) used for polynomial multiplication: we avoid preprocessing in the negative wrapped convolution by merging it with th ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we propose an efficient and compact processor for a ringLWE based encryption scheme. We present three optimizations for the Number Theoretic Transform (NTT) used for polynomial multiplication: we avoid preprocessing in the negative wrapped convolution by merging it with the main algorithm, we reduce the fixed computation cost of the twiddle factors and propose an advanced memory access scheme. These optimization techniques reduce both the cycle and memory requirements. Finally, we also propose an optimization of the ringLWE encryption system that reduces the number of NTT operations from five to four resulting in a 20 % speedup. We use these computational optimizations along with several architectural optimizations to design an instructionset ringLWE cryptoprocessor. For dimension 256, our processor performs encryption/decryption operations in 20/9 µs on a Virtex 6 FPGA and only requires 1349 LUTs, 860 FFs, 1 DSPMULT and 2 BRAMs. Similarly for dimension 512, the processor takes 48/21 µs for performing encryption/decryption operations and only requires 1536 LUTs, 953 FFs, 1 DSPMULT and 3 BRAMs. Our processors are therefore more than three times smaller than the current state of the art hardware implementations, whilst running somewhat faster.
LatticeBased Signatures: Optimization and Implementation on Reconfigurable Hardware
, 2015
"... Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpl ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today’s schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative – an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in latticebased cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes.
APractical Latticebased Digital Signature Schemes
"... Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case o ..."
Abstract
 Add to MetaCart
Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattices problems which are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, latticebased schemes have now become practical and appear to be a very viable alternative to numbertheoretic cryptography. In this paper we focus on recent developments and the current stateoftheart in latticebased digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of latticebased cryptography.
1LatticeBased Signatures: Optimization and Implementation on Reconfigurable Hardware
"... Abstract—Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to ..."
Abstract
 Add to MetaCart
Abstract—Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today’s schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative – an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in latticebased cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes. Index Terms—Public key cryptosystems, reconfigurable hardware, signature scheme, ideal lattices, FPGA. F 1
Compact and Side Channel Secure Discrete Gaussian Sampling
, 2014
"... Discrete Gaussian sampling is an integral part of many lattice based cryptosystems such as publickey encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast KnuthYao sampler for sampling from a narrow discrete Gaussian distribution wit ..."
Abstract
 Add to MetaCart
Discrete Gaussian sampling is an integral part of many lattice based cryptosystems such as publickey encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast KnuthYao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of 2−90 to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most areaoptimal implementation of the bitscan operation based KnuthYao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to generate a polynomial of 256 coefficients.
Gaussian Sampling Precision in Lattice Cryptography
, 2015
"... Security parameters and attack countermeasures for Latticebased cryptosystems have not yet matured to the level that we now expect from RSA and Elliptic Curve implementations. Many modern RingLWE and other latticebased public key algorithms require high precision random sampling from the Discrete ..."
Abstract
 Add to MetaCart
(Show Context)
Security parameters and attack countermeasures for Latticebased cryptosystems have not yet matured to the level that we now expect from RSA and Elliptic Curve implementations. Many modern RingLWE and other latticebased public key algorithms require high precision random sampling from the Discrete Gaussian distribution. The sampling procedure often represents the biggest implementation bottleneck due to its memory and computational requirements. We examine the stated requirements of precision for Gaussian samplers, where statistical distance to the theoretical distribution is typically expected to be below 290 or 2128 for 90 or 128 “bit ” security level. We argue that such precision is excessive and give precise theoretical arguments why half of the precision of the security parameter is almost always sufficient. This leads to faster and more compact implementations; almost halving implementation size in both hardware and software. We further propose new experimental parameters for practical Gaussian samplers for use in Lattice Cryptography.
Practical Latticebased Digital Signature Schemes
"... Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of ..."
Abstract
 Add to MetaCart
(Show Context)
Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattices problems which are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, latticebased schemes have now become practical and appear to be a very viable alternative to numbertheoretic cryptography. In this paper we focus on recent developments and the current stateoftheart in latticebased digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of latticebased cryptography.