Results 1 - 10 of 17
Post-quantum key exchange for the TLS protocol from
, 2014
"... the ring learning with errors problem ..."
High Precision Discrete Gaussian Sampling on
Cited by 7 (3 self)
Abstract. Lattice-based public key cryptography often requires sampling from discrete Gaussian distributions. In this paper we present an efficient hardware implementation of a discrete Gaussian sampler with high precision and large tail-bound based on the Knuth-Yao algorithm. The Knuth-Yao algorithm is chosen since it requires a minimal number of random bits and is well suited for high precision sampling. We propose a novel implementation of this algorithm based on an efficient traversal of the discrete distribution generating (DDG) tree. Furthermore, we propose optimization techniques to store the probabilities of the sample points in near-optimal space. Our implementation targets the Gaussian distribution parameters typically used in LWE encryption schemes and has maximum statistical distance of 2^-90 to a true discrete Gaussian distribution. For these parameters, our implementation on the Xilinx Virtex V platform results in a sampler architecture that only consumes 47 slices and has a delay of 3 ns.
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Cited by 6 (0 self)
Several lattice-based cryptosystems require sampling from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.
Efficient Software Implementation of Ring-LWE Encryption
Cited by 6 (2 self)
Abstract. Present-day public-key cryptosystems such as RSA and Elliptic Curve Cryptography (ECC) will become insecure when quantum computers become a reality. This paper presents the new state of the art in efficient software implementations of a post-quantum secure public-key encryption scheme based on the ring-LWE problem. We use a 32-bit ARM Cortex-M4F microcontroller as the target platform. Our contribution includes optimization techniques for fast discrete Gaussian sampling and efficient polynomial multiplication. This implementation beats all known software implementations, on any architecture, by at least one order of magnitude. We further show that our scheme beats all ECC-based public-key encryption schemes by at least one order of magnitude. At 128-bit security we require 121166 cycles per encryption and 43324 cycles per decryption, while at 256-bit security we require 261939 cycles per encryption and 96520 cycles per decryption. Gaussian sampling is done at an average of 28.5 cycles per sample.
Beyond ECDSA and RSA: Lattice-based digital signatures on constrained devices
In DAC '14: Proceedings of the 51st Annual Design Automation Conference
Cited by 5 (1 self)
All currently deployed asymmetric cryptography is broken with the advent of powerful quantum computers. We thus have to consider alternative solutions for systems with long-term security requirements (e.g., for long-lasting vehicular and avionic communication infrastructures). In this work we present an efficient implementation of BLISS, a recently proposed, post-quantum secure, and formally analyzed novel lattice-based signature scheme. We show that we can achieve a significant performance of 35.3 and 6 ms for signing and verification, respectively, at a 128-bit security level on an ARM Cortex-M4F microcontroller. This shows that lattice-based cryptography can be efficiently deployed on today's hardware and provides security solutions for many use cases that can even withstand future threats.
High-speed signatures from standard lattices
Cited by 2 (1 self)
Abstract. At CT-RSA 2014 Bai and Galbraith proposed a lattice-based signature scheme optimized for short signatures and with a security reduction to hard standard lattice problems. In this work we first refine the security analysis of the original work and propose a new 128-bit secure parameter set chosen for software efficiency. Moreover, we increase the acceptance probability of the signing algorithm through an improved rejection condition on the secret keys. Our software implementation targeting Intel CPUs with AVX/AVX2 and ARM CPUs with NEON vector instructions shows that even though we do not rely on ideal lattices, we are able to achieve high performance. For this we optimize the matrix-vector operations and several other aspects of the scheme and finally compare our work with the state of the art.
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions
Cited by 2 (0 self)
Abstract. At the center of many lattice-based constructions is an algorithm that samples a short vector s satisfying [A | AR − HG]s = t mod q, where A, AR, H, G are public matrices and R is a trapdoor. Although the algorithm crucially relies on the knowledge of the trapdoor R to perform this sampling efficiently, the distribution it outputs should be independent of R given the public values. We present a new, simple algorithm for performing this task. The main novelty of our sampler is that the distribution of s does not need to be Gaussian, whereas all previous works crucially used the properties of the Gaussian distribution to produce such an s. The advantage of using a non-Gaussian distribution is that we are able to avoid the high-precision arithmetic that is inherent in Gaussian sampling over arbitrary lattices. So while the norm of our output vector s is on the order of n to n times larger (the representation length, though, is only a constant factor larger) than in the samplers of Gentry, Peikert, Vaikuntanathan (STOC 2008) and Micciancio, Peikert (EUROCRYPT 2012), the sampling itself can be done very efficiently. This provides a useful time/output trade-off for devices with constrained computing power. In addition, we believe that the conceptual simplicity and generality of our algorithm may lead to it finding other applications.
Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware
, 2015
Cited by 1 (0 self)
Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today's schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative – an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex-6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes.
Practical Lattice-based Digital Signature Schemes
Digital signatures are an important primitive for building secure systems and are used in most real-world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers, the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattice problems which are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, lattice-based schemes have now become practical and appear to be a very viable alternative to number-theoretic cryptography. In this paper we focus on recent developments and the current state of the art in lattice-based digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of lattice-based cryptography.
Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware
Abstract—Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today's schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative – an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex-6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes. Index Terms—Public key cryptosystems, reconfigurable hardware, signature scheme, ideal lattices, FPGA.