Sirui Shen,Wenqing Song,Xinyu Wang,Xinyu Shao,Yuxiang Fu,Zhonghai Lu,Li

DOI: https://doi.org/10.1109/iscas48785.2022.9937989

2022-01-01

Abstract:Discrete Gaussian sampling is one of the important components in lattice-based cryptosystems which are promising candidates for post-quantum cryptographic algorithms. For sufficient security and satisfactory performance, the Knuth-Yao algorithm is an efficient way to implement discrete Gaussian samplers. Nevertheless, most polynomials in lattice-based cryptography have 256 coefficients or more, which suffers from long latency to complete the sample generation. In this paper, the first parallel discrete Gaussian sampler with hierarchical structure is proposed, while keeping statistical distance to the actual distribution. Based on the imbalanced visiting frequency of the probability matrix, a three-stage generation strategy is adopted with hierarchical bit search units (BSUs) that can greatly reduce area consumption of the repeated costly lookup tables. Besides the architecture improvement, a lowest-set-bit scanning scheme is introduced to BSUs. Moreover, the parallelism of our design provides obfuscation ability against side-channel attacks (SCAs). A practical hardware implementation of discrete Gaussian distributions with $\sigma$=3.33 on the Xilinx Virtex-5 XC5VLX30 FPGA device spends 26.12 ns on average to generate 256 samples, consuming 994 slices. Results have verified its advantages of area efficiency over the state-of-the-arts (SOAs).

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/fpl.2015.7293949

2015-01-01

Abstract:Modern lattice-based public key cryptosystems usually require sampling from discrete Gaussian distributions. In this paper, we propose a novel implementation of cumulative distribution function (CDF) inversion sampler with high precision and large tail bound. It has maximum statistical distance of 2−90 to a theoretical discrete Gaussian distribution. Our CDF inversion sampler exploits piecewise comparison to save more than 90% random bits and reduce the required large comparators to two small comparators. We speed up the sampler by using a small lookup table, and the hit rate of the lookup table is as high as 94%. With these optimizations, our sampler takes on average 9.44 random bits and 2.28 clock cycles to generate a sample. It consumes 1 block RAM and 17 slices on a Spartan-6 FPGA. With additional 13 slices, our sampler is able to generate n samples within around 1.14n clock cycles.

Liang Kong,Shuguo Li,Ruirui Liu

DOI: https://doi.org/10.1109/tc.2020.3001170

2021-01-01

Abstract:Discrete Gaussian distribution plays an essential role in lattice cryptography whereas naive implementations suffer from timing attacks. Unfortunately, conversion to secure constant-time variant incurs severe deterioration in performance. In Knuth-Yao sampling, we demonstrate several properties of the discrete distribution generation tree involving structural features and finite node height. Accordingly we propose a generic method independent of standard deviations, which focuses on minimizing the Boolean expressions for the mapping from input bit strings to output sample values, along with an in-depth efficiency analysis. Two optimization techniques are devised to further propel the minimization by replacing and adjusting nodes. To strike the balance of computational overhead and closeness to optimum, heuristic strategies are introduced. Finally, performance evaluation is conducted both in software and hardware. Running on a 3.4GHz Intel Core i7-6700 processor, our method improves sampling rate by up to 29.5 percent compared to the latest technique. Targeting hardware FPGA devices, our approach can be 2.7 times faster and achieves 57.3 percent resource reduction than the original constant-time Knuth-Yao sampling. Compared to the Cumulative Distribution Table algorithm with fixed step binary search, our sampler can be at least 12.6 times faster and gains 79/61 percent better area-time product than its counterpart without/with BRAM.

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Xinwei Gao,Lin Li,Jintai Ding,Jiqiang Liu,R. Saraswathy,Zhe Liu

DOI: https://doi.org/10.1007/978-3-319-72359-4_33

2017-01-01

Abstract:LWE/RLWE-based cryptosystems require sampling error term from discrete Gaussian distribution. However, some existing samplers are somehow slow under certain circumstances therefore efficiency of such schemes is restricted. In this paper, we introduce a more efficient discretized Gaussian sampler based on ziggurat sampling algorithm. We also analyze statistical quality of our sampler to prove that it can be adopted in LWE/RLWE-based cryptosystems. Compared with ziggurat-based sampler by Buchmann et al. related samplers by Peikert, Ducas et al. and Knuth-Yao, our sampler achieves more than 2x speedup when standard deviation is large. This can benefit constructions rely on noise flooding (e.g., homomorphic encryption). We also present two applications: First, we use our sampler to optimize the RLWE-based authenticated key exchange (AKE) protocol by Zhang et al. We achieve 1.14x speedup on total runtime of this protocol over major parameter choices. Second, we give practical post-quantum Transport Layer Security (TLS) ciphersuite. Our ciphersuite inherits advantages from TLS and the optimized AKE protocol. Performance of our proof-of-concept implementation is close to TLS v1.2 ciphersuites and one post-quantum TLS construction.

Paresh Baidya,Rourab Paul,Swagata Mandal,Sumit Kumar Debnath

DOI: https://doi.org/10.1109/lca.2024.3454490

IF: 2.3

2024-10-22

IEEE Computer Architecture Letters

Abstract:Lattice-based cryptography offers a promising alternative to traditional cryptographic schemes due to its resistance against quantum attacks. Discrete Gaussian sampling plays a crucial role in lattice-based cryptographic algorithms such as Ring Learning with error (R-LWE) for generating the coefficient of the polynomials. The Knuth Yao Sampler is a widely used discrete Gaussian sampling technique in Lattice-based cryptography. On the other hand, Lattice based cryptography involves resource intensive complex computation. Due to the presence of inherent parallelism, on field programmability Field Programmable Gate Array (FPGA) based reconfigurable hardware can be a good platform for the implementation of Lattice-based cryptographic algorithms. In this work, an efficient implementation of Knuth Yao Sampler on reconfigurable hardware is proposed that not only reduces the resource utilization but also enhances the speed of the sampling operation. The proposed method reduces look up table (LUT) requirement by almost 29% and enhances the speed by almost 17 times compared to the method proposed by the authors in (Sinha Roy et al., 2014).

computer science, hardware & architecture

Antian Wang,Weihang Tan,Keshab K. Parhi,Yingjie Lao

DOI: https://doi.org/10.48550/arXiv.2208.14270

2022-08-30

Cryptography and Security

Abstract:With the surge of the powerful quantum computer, lattice-based cryptography proliferated the latest cryptography hardware implementation due to its resistance against quantum computers. Among the computational blocks of lattice-based cryptography, the random errors produced by the sampler play a key role in ensuring the security of these schemes. This paper proposes an integral architecture for the sampler, which can reduce the overall resource consumption by reusing the multipliers and adders within the modular polynomial computation. For instance, our experimental results show that the proposed design can effectively reduce the discrete Ziggurat sampling method in DSP usage.

Oded Regev

DOI: https://doi.org/10.48550/arXiv.cs/0309051

2003-09-29

Abstract:We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic constructions which are based on the worst-case hardness of the unique shortest vector problem. The main result is a new public key cryptosystem whose security guarantee is considerably stronger than previous results ($O(n^{1.5})$ instead of $O(n^7)$). This provides the first alternative to Ajtai and Dwork's original 1996 cryptosystem. Our second result is a family of collision resistant hash functions which, apart from improving the security in terms of the unique shortest vector problem, is also the first example of an analysis which is not based on Ajtai's iterative step. Surprisingly, both results are derived from one theorem which presents two indistinguishable distributions on the segment $[0,1)$. It seems that this theorem can have further applications and as an example we mention how it can be used to solve an open problem related to quantum computation.

Cryptography and Security

Hai Lu,Yan Zhu,Cecilia E Chen,Di Ma

DOI: https://doi.org/10.1109/tifs.2024.3376206

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In the light of the advantages of ring, more and more Lattice-Based Cryptography (LBC) schemes are designed over it to provide small storage cost and high performance. Gaussian Sampler for Lattice Trapdoor (GSLT) plays an important role for these schemes, especially for key extraction. In this paper, we present an efficient GSLT scheme with On-line and Off-line stages. In the On-line stage, we extend the fast non-spherical Gadget-lattice sampling into the ring setting for high performance, and analyze the covariance matrix of output vectors. Subsequently, two optimized perturbation sampling constructions are designed for non-spherical Gadget-lattice sampler to avoid inefficient Cholesky decomposition during Off-line stage. The first construction aims to the spherical Gaussian distribution of preimage vectors, which is beneficial for theoretical analysis. In contrast, the second one is designed on the non-spherical distribution to improve the efficiency of perturbation sampling without leakage of trapdoor in statistic, and we further provide the method how to choose the Gaussian parameters. The complexity analysis and experimental results show that the On-line stage of our scheme has a better performance in comparison with the other works. In the Off-line stage, both of two perturbation sampling constructions can avoid low efficiency of Cholesky decomposition, and are more suitable for the non-spherical G-lattice sampling. In short, our work provides two candidates on either Gaussian parameter or sampling efficiency, thereby offering more options for key generation in LBC schemes.

computer science, theory & methods,engineering, electrical & electronic

André Chailloux,Johanna Loyer

DOI: https://doi.org/10.48550/arXiv.2105.05608

2021-05-12

Quantum Physics

Abstract:Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and present an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$ where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm used in [Laa16 PhD] in a key part of the sieving algorithm by a quantum random walk in which we add a layer of local sensitive filtering.

Jianhua Yan,Licheng Wang,Jing Li,Muzi Li,Yixan Yang,Wenbin Yao

DOI: https://doi.org/10.1002/cpe.3925

2016-01-01

Abstract:Lattice has become an attractive cryptographic tool due to its potential resistance to quantum attacks, worst-case hardness, simple computation kind, and flexibility. The pre-image sample algorithm is the most fundamental algorithm in lattice-based cryptography for its comprehensive applications in various primitives. Currently, SampleDO due to Micciancio and Peikert (MP) sample algorithm is the most efficient pre-image sample algorithm. However, this algorithm also needs massive computations. On the one hand, it expenses the cube of the lattice dimension multiplications over reals to set matrices as Gaussian parameters. On the other hand, it needs complex discrete convolution computations. First, this paper proposes an efficient pre-image sample algorithm with outputs obeying irregular Gaussian distribution. Two measures are adopted to prevent the leakage of the geometrical property of trapdoor caused by irregular Gaussian outputs. A variant of MP trapdoor is proposed, and a new trapdoor is randomly assembled from a big enough space in each sample. Although still using a matrix as the Guassian parameter, in the proposed algorithm, the computational cost to set Gaussian parameters is zero. Meanwhile, the computational overhead for every sample is far less than that of MP sample algorithm. Second, to demonstrate the security and efficiency of the proposed sample algorithm, a hierarchical identity-based signature scheme is put forward. This scheme is proved existentially unforgeable against selective identity adaptively chosen-message attacks. Furthermore, the theoretical analysis shows that the proposed identity-based signature is more efficient than the existing schemes. Copyright (C) 2016 John Wiley & Sons, Ltd.

Maximilian Schöffel,Johannes Feldmann,Norbert Wehn

2024-11-27

Abstract:HQC is one of the code-based finalists in the last round of the NIST post quantum cryptography standardization process. In this process, security and implementation efficiency are key metrics for the selection of the candidates. A critical compute kernel with respect to efficient hardware implementations and security in HQC is the sampling method used to derive random numbers. Due to its security criticality, recently an updated sampling algorithm was presented to increase its robustness against side-channel attacks. In this paper, we pursue a cross layer approach to optimize this new sampling algorithm to enable an efficient hardware implementation without comprising the original algorithmic security and side-channel attack robustness. We compare our cross layer based implementation to a direct hardware implementation of the original algorithm and to optimized implementations of the previous sampler version. All implementations are evaluated using the Xilinx Artix 7 FPGA. Our results show that our approach reduces the latency by a factor of 24 compared to the original algorithm and by a factor of 28 compared to the previously used sampler with significantly less resources.

Cryptography and Security

Guangyan Li,Zewen Ye,Donglong Chen,Wangchen Dai,Gaoyu Mao,Kejie Huang,Ray C. C. Cheung

DOI: https://doi.org/10.1145/3689437

IF: 2.837

2024-08-27

ACM Transactions on Reconfigurable Technology and Systems

Abstract:Lattice-based cryptography (LBC) has been established as a prominent research field, with particular attention on post-quantum cryptography (PQC) and fully homomorphic encryption (FHE). As the implementing bottleneck of PQC and FHE, number theoretic transform (NTT) has been extensively studied. However, current works struggled with scalability, hindering their adaptation to various parameters, such as bit-width and polynomial length. In this paper, we proposed a novel Discrete Galois Transformation (DGT) algorithm utilizing the radix-4 variant to achieve a higher level of parallelism to the existing NTT. Furthermore, to implement the efficient radix-4 DGT adapting more LBCs, we proposed a set of scalable building blocks, including a modified Barrett modular multiplier accepting arbitrary modulus with only one integer multiplier, a radix-4 DGT butterfly unit, and a stream permutation network. The proposed modules are implemented on the Xilinx Virtex-7 and U250 FPGA to evaluate resource utilization and performance. Lastly, a design space exploration framework is proposed to generate optimized radix-4 DGT hardware constrained by polynomial and platform parameters. The sensitivity analysis showcases the generated hardware's performance and scalability. The implementation results on the Xilinx Virtex-7 and U250 FPGA show significant performance improvements over the state-of-the-art works, which reached at least 35%, 192%, and 68% area-time product improvements in terms of LUTs, BRAMs, and DSPs, respectively.

computer science, hardware & architecture

Zheng Wang,Yang Huang,Shanxiang Lyu

DOI: https://doi.org/10.48550/arXiv.1812.00127

2018-12-01

Abstract:Sampling from the lattice Gaussian distribution has emerged as an important problem in coding, decoding and cryptography. In this paper, lattice reduction technique is adopted to Gibbs sampler for lattice Gaussian sampling. Firstly, with respect to lattice Gaussian distribution, the convergence rate of systematic scan Gibbs sampling is derived and we show it is characterized by the Hirschfeld-Gebelein-Rényi (HGR) maximal correlation among the multivariate of being sampled. Therefore, lattice reduction is applied to formulate an equivalent lattice Gaussian distribution but with less correlated multivariate, which leads to a better Markov mixing due to the enhanced convergence rate. Then, we extend the proposed lattice-reduction-aided Gibbs sampling to lattice decoding, where the choice of the standard deviation for the sampling is fully investigated. A customized solution that suits for each specific decoding case by Euclidean distance is given, thus resulting in a better trade-off between Markov mixing and sampler decoding. Moreover, based on it, a startup mechanism is also proposed for Gibbs sampler decoding, where decoding complexity can be reduced without performance loss. Simulation results based on large-scale MIMO detection are presented to confirm the performance gain and complexity reduction.

Information Theory

Yuan Li,Paul Chow,Jiang Jiang,Minxuan Zhang,Shaojun Wei

DOI: https://doi.org/10.1109/FPT.2012.6412133

2012-01-01

Abstract:We present a hardware architecture for efficient implementation of a Gaussian random number generator (GRNG), using the Monty Python method. To maximize the performance/complexity efficiency, an efficient word-length optimization model is proposed to find out both the optimal integer and fractional word-lengths for signals. Experimental results show that our optimized Fixed-Point design achieves a throughput of almost 1 sample-per-cycle and runs as fast as 375.9 MHz on a Xilinx XC6VLX240T FPGA device. This performance is 23.4-fold faster than a dedicated software version running on a 2.67-GHz Intel core i5 processor. It takes 1976 LUTs, 1785 Flip-Flops, 12 BRAMs and 35 DSPs, which is only about 1% of the device as well as a great reduction compared to its corresponding Floating-Point implementations. Furthermore, we develop a framework that is capable of partitioning the Gaussian distribution stream into an arbitrary number of parallel sub-streams. With support from software, this framework can obtain speedup roughly linearly with the number of parallel cores. The quality of the variables produced by our design are verified via the standard Gaussian statistical test suit, the chi-square (X2) test.

Cong Zhang,Zilong Liu,Yuyang Chen,Jiahao Lu,Dongsheng Liu

DOI: https://doi.org/10.1109/jiot.2020.2981133

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:Post-quantum cryptography (PQC) great potential in providing reliable communication security for Internet-of-Things (IoT) devices against the quantum computer in the future. The Gaussian sampler is a crucial part in lattice-based post-quantum cryptosystems, thus being the most vulnerable module to side-channel attack as well. However, research on the countermeasures for the Gaussian sampler against power side-channel attacks is almost blank. In this article, a flexible and generic cumulative distribution table (CDT)-based Gaussian sampler using the hardware–software approach is proposed. The proposed CDT sampler has an AHB interface and can be reconfigured to support various parameter sets, while utilizing just 77 Slices on a Xilinx Spartan-6 FPGA with constant response time. Additionally, the first simple power analysis (SPA) attack on the CDT sampler is presented. The presented attack mainly takes advantage of the chosen input and the SPA vulnerability associated with the binary search method, hence the attacker is able to recover every sampled value by comparing a few pairs of power consumption traces. To further protect against chosen input SPA attack, this article identifies the vulnerability associated with three main operations in every binary search state and construct an effective countermeasure based on randomization at the cost of only extra 58.4% Slices. Compared to other related works, the merits of the proposed CDT sampler are the high hardware flexibility, side-channel security, and suitability for resource-constrained IoT nodes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zheng Wang

DOI: https://doi.org/10.48550/arXiv.1811.12719

2018-11-30

Information Theory

Abstract:Sampling from lattice Gaussian distribution has emerged as an important problem in coding, decoding and cryptography. In this paper, the classic Gibbs algorithm from Markov chain Monte Carlo (MCMC) methods is demonstrated to be geometrically ergodic for lattice Gaussian sampling, which means the Markov chain arising from it converges exponentially fast to the stationary distribution. Meanwhile, the exponential convergence rate of Markov chain is also derived through the spectral radius of forward operator. Then, a comprehensive analysis regarding to the convergence rate is carried out and two sampling schemes are proposed to further enhance the convergence performance. The first one, referred to as Metropolis-within-Gibbs (MWG) algorithm, improves the convergence by refining the state space of the univariate sampling. On the other hand, the blocked strategy of Gibbs algorithm, which performs the sampling over multivariate at each Markov move, is also shown to yield a better convergence rate than the traditional univariate sampling. In order to perform blocked sampling efficiently, Gibbs-Klein (GK) algorithm is proposed, which samples block by block using Klein's algorithm. Furthermore, the validity of GK algorithm is demonstrated by showing its ergodicity. Simulation results based on MIMO detections are presented to confirm the convergence gain brought by the proposed Gibbs sampling schemes.

Jiabo Wang,Cong Ling

DOI: https://doi.org/10.1007/s10623-022-01164-7

2023-01-15

Abstract:Cryptographic constructions based on hard lattice problems have emerged as a front runner for the standardization of post-quantum public-key cryptography. As the standardization process takes place, optimizing specific parts of proposed schemes, e.g., Bernoulli sampling and integer Gaussian sampling, becomes a worthwhile endeavor. In this work, we propose a novel Bernoulli sampler based on polar codes, dubbed "polar sampler". The polar sampler is information theoretically optimum in the sense that the number of uniformly random bits it consumes approaches the entropy bound asymptotically. It also features quasi-linear complexity and constant-time implementation. An integer Gaussian sampler is developed using multilevel polar samplers. Our algorithm becomes effective when sufficiently many samples are required at each query to the sampler. Security analysis is given based on Kullback–Leibler divergence and Rényi divergence. Experimental and asymptotic comparisons between our integer Gaussian sampler and state-of-the-art samplers verify its efficiency in terms of entropy consumption, running time and memory cost. We envisage that the proposed Bernoulli sampler can find other applications in cryptography in addition to Gaussian sampling.

mathematics, applied,computer science, theory & methods

Nishant Rodrigues,Brad Lackey

DOI: https://doi.org/10.48550/arXiv.2110.13352

2021-10-26

Quantum Physics

Abstract:Lattices are very important objects in the effort to construct cryptographic primitives that are secure against quantum attacks. A central problem in the study of lattices is that of finding the shortest non-zero vector in the lattice. Asymptotically, sieving is the best known technique for solving the shortest vector problem, however, sieving requires memory exponential in the dimension of the lattice. As a consequence, enumeration algorithms are often used in place of sieving due to their linear memory complexity, despite their super-exponential runtime. In this work, we present a heuristic quantum sieving algorithm that has memory complexity polynomial in the size of the length of the sampled vectors at the initial step of the sieve. In other words, unlike most sieving algorithms, the memory complexity of our algorithm does not depend on the number of sampled vectors at the initial step of the sieve.

Lior Eldar,Peter Shor

DOI: https://doi.org/10.48550/arXiv.1703.02515

2017-03-07

Quantum Physics

Abstract:In this work, we introduce a definition of the Discrete Fourier Transform (DFT) on Euclidean lattices in $\R^n$, that generalizes the $n$-th fold DFT of the integer lattice $\Z^n$ to arbitrary lattices. This definition is not applicable for every lattice, but can be defined on lattices known as Systematic Normal Form (SysNF) introduced in \cite{ES16}. Systematic Normal Form lattices are sets of integer vectors that satisfy a single homogeneous modular equation, which itself satisfies a certain number-theoretic property. Such lattices form a dense set in the space of $n$-dimensional lattices, and can be used to approximate efficiently any lattice. This implies that for every lattice $L$ a DFT can be computed efficiently on a lattice near $L$. Our proof of the statement above uses arguments from quantum computing, and as an application of our definition we show a quantum algorithm for sampling from discrete distributions on lattices, that extends our ability to sample efficiently from the discrete Gaussian distribution \cite{GPV08} to any distribution that is sufficiently "smooth". We conjecture that studying the eigenvectors of the newly-defined lattice DFT may provide new insights into the structure of lattices, especially regarding hard computational problems, like the shortest vector problem.