Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/itnec.2016.7560353

2016-01-01

Abstract:Lattice-based cryptography is an important candidate for post-quantum cryptography. Many lattice-based cryptosystems need to sample vectors from discrete Gaussian distributions. This paper shows a high-performance and high-precision software implementation of discrete Gaussian sampler, which is based on the inverse cumulative distribution function. We exploit multi-level fast lookup tables to speed up the sampler and reduce the required random-bits. The multithreading technique is also applied to speed up the sampler. Experimental results on an Intel Core i7-4771 processor shows that our sampler costs on average 6.48 random-bits to get a Gaussian sample and the throughput of our implementation is as high as 265.322 Mega samples per second.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/fpl.2015.7293949

2015-01-01

Abstract:Modern lattice-based public key cryptosystems usually require sampling from discrete Gaussian distributions. In this paper, we propose a novel implementation of cumulative distribution function (CDF) inversion sampler with high precision and large tail bound. It has maximum statistical distance of 2−90 to a theoretical discrete Gaussian distribution. Our CDF inversion sampler exploits piecewise comparison to save more than 90% random bits and reduce the required large comparators to two small comparators. We speed up the sampler by using a small lookup table, and the hit rate of the lookup table is as high as 94%. With these optimizations, our sampler takes on average 9.44 random bits and 2.28 clock cycles to generate a sample. It consumes 1 block RAM and 17 slices on a Spartan-6 FPGA. With additional 13 slices, our sampler is able to generate n samples within around 1.14n clock cycles.

Liang Kong,Shuguo Li,Ruirui Liu

DOI: https://doi.org/10.1109/tc.2020.3001170

2021-01-01

Abstract:Discrete Gaussian distribution plays an essential role in lattice cryptography whereas naive implementations suffer from timing attacks. Unfortunately, conversion to secure constant-time variant incurs severe deterioration in performance. In Knuth-Yao sampling, we demonstrate several properties of the discrete distribution generation tree involving structural features and finite node height. Accordingly we propose a generic method independent of standard deviations, which focuses on minimizing the Boolean expressions for the mapping from input bit strings to output sample values, along with an in-depth efficiency analysis. Two optimization techniques are devised to further propel the minimization by replacing and adjusting nodes. To strike the balance of computational overhead and closeness to optimum, heuristic strategies are introduced. Finally, performance evaluation is conducted both in software and hardware. Running on a 3.4GHz Intel Core i7-6700 processor, our method improves sampling rate by up to 29.5 percent compared to the latest technique. Targeting hardware FPGA devices, our approach can be 2.7 times faster and achieves 57.3 percent resource reduction than the original constant-time Knuth-Yao sampling. Compared to the Cumulative Distribution Table algorithm with fixed step binary search, our sampler can be at least 12.6 times faster and gains 79/61 percent better area-time product than its counterpart without/with BRAM.

Paresh Baidya,Rourab Paul,Swagata Mandal,Sumit Kumar Debnath

DOI: https://doi.org/10.1109/lca.2024.3454490

IF: 2.3

2024-10-22

IEEE Computer Architecture Letters

Abstract:Lattice-based cryptography offers a promising alternative to traditional cryptographic schemes due to its resistance against quantum attacks. Discrete Gaussian sampling plays a crucial role in lattice-based cryptographic algorithms such as Ring Learning with error (R-LWE) for generating the coefficient of the polynomials. The Knuth Yao Sampler is a widely used discrete Gaussian sampling technique in Lattice-based cryptography. On the other hand, Lattice based cryptography involves resource intensive complex computation. Due to the presence of inherent parallelism, on field programmability Field Programmable Gate Array (FPGA) based reconfigurable hardware can be a good platform for the implementation of Lattice-based cryptographic algorithms. In this work, an efficient implementation of Knuth Yao Sampler on reconfigurable hardware is proposed that not only reduces the resource utilization but also enhances the speed of the sampling operation. The proposed method reduces look up table (LUT) requirement by almost 29% and enhances the speed by almost 17 times compared to the method proposed by the authors in (Sinha Roy et al., 2014).

computer science, hardware & architecture

Antian Wang,Weihang Tan,Keshab K. Parhi,Yingjie Lao

DOI: https://doi.org/10.48550/arXiv.2208.14270

2022-08-30

Cryptography and Security

Abstract:With the surge of the powerful quantum computer, lattice-based cryptography proliferated the latest cryptography hardware implementation due to its resistance against quantum computers. Among the computational blocks of lattice-based cryptography, the random errors produced by the sampler play a key role in ensuring the security of these schemes. This paper proposes an integral architecture for the sampler, which can reduce the overall resource consumption by reusing the multipliers and adders within the modular polynomial computation. For instance, our experimental results show that the proposed design can effectively reduce the discrete Ziggurat sampling method in DSP usage.

Xinwei Gao,Lin Li,Jintai Ding,Jiqiang Liu,R. Saraswathy,Zhe Liu

DOI: https://doi.org/10.1007/978-3-319-72359-4_33

2017-01-01

Abstract:LWE/RLWE-based cryptosystems require sampling error term from discrete Gaussian distribution. However, some existing samplers are somehow slow under certain circumstances therefore efficiency of such schemes is restricted. In this paper, we introduce a more efficient discretized Gaussian sampler based on ziggurat sampling algorithm. We also analyze statistical quality of our sampler to prove that it can be adopted in LWE/RLWE-based cryptosystems. Compared with ziggurat-based sampler by Buchmann et al. related samplers by Peikert, Ducas et al. and Knuth-Yao, our sampler achieves more than 2x speedup when standard deviation is large. This can benefit constructions rely on noise flooding (e.g., homomorphic encryption). We also present two applications: First, we use our sampler to optimize the RLWE-based authenticated key exchange (AKE) protocol by Zhang et al. We achieve 1.14x speedup on total runtime of this protocol over major parameter choices. Second, we give practical post-quantum Transport Layer Security (TLS) ciphersuite. Our ciphersuite inherits advantages from TLS and the optimized AKE protocol. Performance of our proof-of-concept implementation is close to TLS v1.2 ciphersuites and one post-quantum TLS construction.

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Guangyan Li,Zewen Ye,Donglong Chen,Wangchen Dai,Gaoyu Mao,Kejie Huang,Ray C. C. Cheung

DOI: https://doi.org/10.1145/3689437

IF: 2.837

2024-08-27

ACM Transactions on Reconfigurable Technology and Systems

Abstract:Lattice-based cryptography (LBC) has been established as a prominent research field, with particular attention on post-quantum cryptography (PQC) and fully homomorphic encryption (FHE). As the implementing bottleneck of PQC and FHE, number theoretic transform (NTT) has been extensively studied. However, current works struggled with scalability, hindering their adaptation to various parameters, such as bit-width and polynomial length. In this paper, we proposed a novel Discrete Galois Transformation (DGT) algorithm utilizing the radix-4 variant to achieve a higher level of parallelism to the existing NTT. Furthermore, to implement the efficient radix-4 DGT adapting more LBCs, we proposed a set of scalable building blocks, including a modified Barrett modular multiplier accepting arbitrary modulus with only one integer multiplier, a radix-4 DGT butterfly unit, and a stream permutation network. The proposed modules are implemented on the Xilinx Virtex-7 and U250 FPGA to evaluate resource utilization and performance. Lastly, a design space exploration framework is proposed to generate optimized radix-4 DGT hardware constrained by polynomial and platform parameters. The sensitivity analysis showcases the generated hardware's performance and scalability. The implementation results on the Xilinx Virtex-7 and U250 FPGA show significant performance improvements over the state-of-the-art works, which reached at least 35%, 192%, and 68% area-time product improvements in terms of LUTs, BRAMs, and DSPs, respectively.

computer science, hardware & architecture

Yuan Li,Paul Chow,Jiang Jiang,Minxuan Zhang,Shaojun Wei

DOI: https://doi.org/10.1109/FPT.2012.6412133

2012-01-01

Abstract:We present a hardware architecture for efficient implementation of a Gaussian random number generator (GRNG), using the Monty Python method. To maximize the performance/complexity efficiency, an efficient word-length optimization model is proposed to find out both the optimal integer and fractional word-lengths for signals. Experimental results show that our optimized Fixed-Point design achieves a throughput of almost 1 sample-per-cycle and runs as fast as 375.9 MHz on a Xilinx XC6VLX240T FPGA device. This performance is 23.4-fold faster than a dedicated software version running on a 2.67-GHz Intel core i5 processor. It takes 1976 LUTs, 1785 Flip-Flops, 12 BRAMs and 35 DSPs, which is only about 1% of the device as well as a great reduction compared to its corresponding Floating-Point implementations. Furthermore, we develop a framework that is capable of partitioning the Gaussian distribution stream into an arbitrary number of parallel sub-streams. With support from software, this framework can obtain speedup roughly linearly with the number of parallel cores. The quality of the variables produced by our design are verified via the standard Gaussian statistical test suit, the chi-square (X2) test.

Hai Lu,Yan Zhu,Cecilia E Chen,Di Ma

DOI: https://doi.org/10.1109/tifs.2024.3376206

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In the light of the advantages of ring, more and more Lattice-Based Cryptography (LBC) schemes are designed over it to provide small storage cost and high performance. Gaussian Sampler for Lattice Trapdoor (GSLT) plays an important role for these schemes, especially for key extraction. In this paper, we present an efficient GSLT scheme with On-line and Off-line stages. In the On-line stage, we extend the fast non-spherical Gadget-lattice sampling into the ring setting for high performance, and analyze the covariance matrix of output vectors. Subsequently, two optimized perturbation sampling constructions are designed for non-spherical Gadget-lattice sampler to avoid inefficient Cholesky decomposition during Off-line stage. The first construction aims to the spherical Gaussian distribution of preimage vectors, which is beneficial for theoretical analysis. In contrast, the second one is designed on the non-spherical distribution to improve the efficiency of perturbation sampling without leakage of trapdoor in statistic, and we further provide the method how to choose the Gaussian parameters. The complexity analysis and experimental results show that the On-line stage of our scheme has a better performance in comparison with the other works. In the Off-line stage, both of two perturbation sampling constructions can avoid low efficiency of Cholesky decomposition, and are more suitable for the non-spherical G-lattice sampling. In short, our work provides two candidates on either Gaussian parameter or sampling efficiency, thereby offering more options for key generation in LBC schemes.

computer science, theory & methods,engineering, electrical & electronic

Maximilian Schöffel,Johannes Feldmann,Norbert Wehn

2024-11-27

Abstract:HQC is one of the code-based finalists in the last round of the NIST post quantum cryptography standardization process. In this process, security and implementation efficiency are key metrics for the selection of the candidates. A critical compute kernel with respect to efficient hardware implementations and security in HQC is the sampling method used to derive random numbers. Due to its security criticality, recently an updated sampling algorithm was presented to increase its robustness against side-channel attacks. In this paper, we pursue a cross layer approach to optimize this new sampling algorithm to enable an efficient hardware implementation without comprising the original algorithmic security and side-channel attack robustness. We compare our cross layer based implementation to a direct hardware implementation of the original algorithm and to optimized implementations of the previous sampler version. All implementations are evaluated using the Xilinx Artix 7 FPGA. Our results show that our approach reduces the latency by a factor of 24 compared to the original algorithm and by a factor of 28 compared to the previously used sampler with significantly less resources.

Cryptography and Security

Oded Regev

DOI: https://doi.org/10.48550/arXiv.cs/0309051

2003-09-29

Abstract:We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic constructions which are based on the worst-case hardness of the unique shortest vector problem. The main result is a new public key cryptosystem whose security guarantee is considerably stronger than previous results ($O(n^{1.5})$ instead of $O(n^7)$). This provides the first alternative to Ajtai and Dwork's original 1996 cryptosystem. Our second result is a family of collision resistant hash functions which, apart from improving the security in terms of the unique shortest vector problem, is also the first example of an analysis which is not based on Ajtai's iterative step. Surprisingly, both results are derived from one theorem which presents two indistinguishable distributions on the segment $[0,1)$. It seems that this theorem can have further applications and as an example we mention how it can be used to solve an open problem related to quantum computation.

Cryptography and Security

Zheng Wang,Yang Huang,Shanxiang Lyu

DOI: https://doi.org/10.48550/arXiv.1812.00127

2018-12-01

Abstract:Sampling from the lattice Gaussian distribution has emerged as an important problem in coding, decoding and cryptography. In this paper, lattice reduction technique is adopted to Gibbs sampler for lattice Gaussian sampling. Firstly, with respect to lattice Gaussian distribution, the convergence rate of systematic scan Gibbs sampling is derived and we show it is characterized by the Hirschfeld-Gebelein-Rényi (HGR) maximal correlation among the multivariate of being sampled. Therefore, lattice reduction is applied to formulate an equivalent lattice Gaussian distribution but with less correlated multivariate, which leads to a better Markov mixing due to the enhanced convergence rate. Then, we extend the proposed lattice-reduction-aided Gibbs sampling to lattice decoding, where the choice of the standard deviation for the sampling is fully investigated. A customized solution that suits for each specific decoding case by Euclidean distance is given, thus resulting in a better trade-off between Markov mixing and sampler decoding. Moreover, based on it, a startup mechanism is also proposed for Gibbs sampler decoding, where decoding complexity can be reduced without performance loss. Simulation results based on large-scale MIMO detection are presented to confirm the performance gain and complexity reduction.

Information Theory

Jianhua Yan,Licheng Wang,Jing Li,Muzi Li,Yixan Yang,Wenbin Yao

DOI: https://doi.org/10.1002/cpe.3925

2016-01-01

Abstract:Lattice has become an attractive cryptographic tool due to its potential resistance to quantum attacks, worst-case hardness, simple computation kind, and flexibility. The pre-image sample algorithm is the most fundamental algorithm in lattice-based cryptography for its comprehensive applications in various primitives. Currently, SampleDO due to Micciancio and Peikert (MP) sample algorithm is the most efficient pre-image sample algorithm. However, this algorithm also needs massive computations. On the one hand, it expenses the cube of the lattice dimension multiplications over reals to set matrices as Gaussian parameters. On the other hand, it needs complex discrete convolution computations. First, this paper proposes an efficient pre-image sample algorithm with outputs obeying irregular Gaussian distribution. Two measures are adopted to prevent the leakage of the geometrical property of trapdoor caused by irregular Gaussian outputs. A variant of MP trapdoor is proposed, and a new trapdoor is randomly assembled from a big enough space in each sample. Although still using a matrix as the Guassian parameter, in the proposed algorithm, the computational cost to set Gaussian parameters is zero. Meanwhile, the computational overhead for every sample is far less than that of MP sample algorithm. Second, to demonstrate the security and efficiency of the proposed sample algorithm, a hierarchical identity-based signature scheme is put forward. This scheme is proved existentially unforgeable against selective identity adaptively chosen-message attacks. Furthermore, the theoretical analysis shows that the proposed identity-based signature is more efficient than the existing schemes. Copyright (C) 2016 John Wiley & Sons, Ltd.

Cong Zhang,Zilong Liu,Yuyang Chen,Jiahao Lu,Dongsheng Liu

DOI: https://doi.org/10.1109/jiot.2020.2981133

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:Post-quantum cryptography (PQC) great potential in providing reliable communication security for Internet-of-Things (IoT) devices against the quantum computer in the future. The Gaussian sampler is a crucial part in lattice-based post-quantum cryptosystems, thus being the most vulnerable module to side-channel attack as well. However, research on the countermeasures for the Gaussian sampler against power side-channel attacks is almost blank. In this article, a flexible and generic cumulative distribution table (CDT)-based Gaussian sampler using the hardware–software approach is proposed. The proposed CDT sampler has an AHB interface and can be reconfigured to support various parameter sets, while utilizing just 77 Slices on a Xilinx Spartan-6 FPGA with constant response time. Additionally, the first simple power analysis (SPA) attack on the CDT sampler is presented. The presented attack mainly takes advantage of the chosen input and the SPA vulnerability associated with the binary search method, hence the attacker is able to recover every sampled value by comparing a few pairs of power consumption traces. To further protect against chosen input SPA attack, this article identifies the vulnerability associated with three main operations in every binary search state and construct an effective countermeasure based on randomization at the cost of only extra 58.4% Slices. Compared to other related works, the merits of the proposed CDT sampler are the high hardware flexibility, side-channel security, and suitability for resource-constrained IoT nodes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2015.399

2015-01-01

Abstract:Lattice based cryptography is considered as an important candidate for post-quantum cryptosystems. Various lattice based cryptosystems are based on the Ring learning with errors (Ring-LWE) problem. As a basic operation of Ring-LWE problem, polynomial multiplication over rings is the most critical and computationally intensive operation of these cryptosystems. In this paper, we exploit the number theoretic transform (NTT) to build a family of scalable polynomial multiplier architectures, which provide designers with a trade-off choice of speed vs. area. Our multiplier architectures reduce the required clock cycles from 8n+1.5n lg n) to (2n+1.5n lg n)/B, where n is the dimension of the polynomials and B is number of butterfly operators. The experimental results on a Spartan-6 FPGA show that our proposed polynomial multiplier (B = 2) achieves a speedup of 2.5 times on average and consumes less slices and block RAMs when compared with the state of art of compact design. On a Stratix FPGA, our polynomial multiplier (B = 4) is able to achieve a speedup of 1.2 times on average and save around 90% Memory ALUTs, 75% block memory bits, and 63% DSPs when compared with the state of art of high speed design. On a Spartan-6 FPGA, our polynomial multiplier (B = 8) is capable to calculate the product of two polynomials of degree 256/512/1024/2048 in 2.88/5.71/11.46/24.89 µs.

Jiabo Wang,Cong Ling

DOI: https://doi.org/10.1007/s10623-022-01164-7

2023-01-15

Abstract:Cryptographic constructions based on hard lattice problems have emerged as a front runner for the standardization of post-quantum public-key cryptography. As the standardization process takes place, optimizing specific parts of proposed schemes, e.g., Bernoulli sampling and integer Gaussian sampling, becomes a worthwhile endeavor. In this work, we propose a novel Bernoulli sampler based on polar codes, dubbed "polar sampler". The polar sampler is information theoretically optimum in the sense that the number of uniformly random bits it consumes approaches the entropy bound asymptotically. It also features quasi-linear complexity and constant-time implementation. An integer Gaussian sampler is developed using multilevel polar samplers. Our algorithm becomes effective when sufficiently many samples are required at each query to the sampler. Security analysis is given based on Kullback–Leibler divergence and Rényi divergence. Experimental and asymptotic comparisons between our integer Gaussian sampler and state-of-the-art samplers verify its efficiency in terms of entropy consumption, running time and memory cost. We envisage that the proposed Bernoulli sampler can find other applications in cryptography in addition to Gaussian sampling.

mathematics, applied,computer science, theory & methods

Utsav Banerjee,Tenzin S. Ukyab,Anantha P. Chandrakasan

DOI: https://doi.org/10.13154/tches.v2019.i4.17-61

2019-10-26

Abstract:Public key cryptography protocols, such as RSA and elliptic curve cryptography, will be rendered insecure by Shor's algorithm when large-scale quantum computers are built. Cryptographers are working on quantum-resistant algorithms, and lattice-based cryptography has emerged as a prime candidate. However, high computational complexity of these algorithms makes it challenging to implement lattice-based protocols on low-power embedded devices. To address this challenge, we present Sapphire - a lattice cryptography processor with configurable parameters. Efficient sampling, with a SHA-3-based PRNG, provides two orders of magnitude energy savings; a single-port RAM-based number theoretic transform memory architecture is proposed, which provides 124k-gate area savings; while a low-power modular arithmetic unit accelerates polynomial computations. Our test chip was fabricated in TSMC 40nm low-power CMOS process, with the Sapphire cryptographic core occupying 0.28 mm2 area consisting of 106k logic gates and 40.25 KB SRAM. Sapphire can be programmed with custom instructions for polynomial arithmetic and sampling, and it is coupled with a low-power RISC-V micro-processor to demonstrate NIST Round 2 lattice-based CCA-secure key encapsulation and signature protocols Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations. All key building blocks of Sapphire are constant-time and secure against timing and simple power analysis side-channel attacks. We also discuss how masking-based DPA countermeasures can be implemented on the Sapphire core without any changes to the hardware.

Cryptography and Security,Hardware Architecture

André Chailloux,Johanna Loyer

DOI: https://doi.org/10.48550/arXiv.2105.05608

2021-05-12

Quantum Physics

Abstract:Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and present an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$ where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm used in [Laa16 PhD] in a key part of the sieving algorithm by a quantum random walk in which we add a layer of local sensitive filtering.

Weihang Tan,Antian Wang,Yingjie Lao,Xinmiao Zhang,Keshab K. Parhi

DOI: https://doi.org/10.1109/TC.2023.3251847

2023-02-24

Abstract:This paper presents a low-latency hardware accelerator for modular polynomial multiplication for lattice-based post-quantum cryptography and homomorphic encryption applications. The proposed novel modular polynomial multiplier exploits the fast finite impulse response (FIR) filter architecture to reduce the computational complexity of the schoolbook modular polynomial multiplication. We also extend this structure to fast $M$-parallel architectures while achieving low-latency, high-speed, and full hardware utilization. We comprehensively evaluate the performance of the proposed architectures under various polynomial settings as well as in the Saber scheme for post-quantum cryptography as a case study. The experimental results show that our proposed modular polynomial multiplier reduces the computation time and area-time product, respectively, compared to the state-of-the-art designs.

Cryptography and Security,Hardware Architecture