A MASKED RING-LWE IMPLEMENTATION
Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid Verbauwhede
COSIC/KU Leuven
CHES 2015, Saint-Malo, FR
unprotected ring-LWE decryption
m = th[INTT(c1 * r2 + c2)]
[Diagram: r2 and c1 multiplied coefficient-wise (x), c2 added (+), INTT, then th applied to each coefficient to give m]
th operation
masking ring-LWE
• Core idea: split the secret: r=r’+r’’
m = th[INTT(c1 * r2 + c2)]
on the masked decoder
what happened?
• could decode th(a) from quad(a’) and quad(a’’)
– quad() returns only 2 bits, so it will be easy to perform masked computation.
• Idea: decode th(a) only from quad(a’) and quad(a’’)
– large compression
decoding rules
• There are 7 more cases (“rules”)
• There are 8 cases that don’t allow inferring th(a)!
Cases where it fails
solution: refresh
• Refresh the sharing:
a’ := a’ + D
a’’ := a’’ – D
And try again
• Do not draw D from random, compute nice ones.
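A functional model of the decoding rules and the refresh step above, as an added example that is not from the slides or the authors' implementation. It assumes th(a) is 1 for q/4 < a < 3q/4 and quad(x) is the quarter of [0, q) containing x; the DELTAS values are constructed placeholders, and the model works on plain integers, so it shows which share pairs decode rather than providing side-channel protection.

```python
# Added example: functional model only, not a side-channel-protected decoder.
Q = 7681  # modulus from the page's parameter set (n, q, s) = (256, 7681, 11.32)

def quad(x):
    """2-bit quadrant index of x in [0, q) (assumed meaning of quad())."""
    return (4 * x) // Q

def th(a):
    """Assumed threshold decoder: 1 if q/4 < a < 3q/4, else 0."""
    return 1 if quad(a) in (1, 2) else 0

def build_rules():
    """Map (quad(a'), quad(a'')) -> th(a) for the pairs that determine it.

    Shares in quadrants i and j put a = a' + a'' mod q in quadrant (i+j) or
    (i+j+1) mod 4; th(a) is known only when both candidates give the same bit.
    """
    rules = {}
    for i in range(4):
        for j in range(4):
            bits = {1 if (i + j + k) % 4 in (1, 2) else 0 for k in (0, 1)}
            if len(bits) == 1:
                rules[(i, j)] = bits.pop()
    return rules

RULES = build_rules()  # 8 decidable pairs; the other 8 need a refresh

# Constructed refresh constants (assumption): the slides only say D is
# computed rather than drawn at random, and do not list the values.
DELTAS = [Q // 8, Q // 16, Q // 32, Q // 64]

def masked_decode(a1, a2, deltas=DELTAS):
    """Decode th(a1 + a2 mod q) from quadrants only, refreshing on failure.

    Returns (bit, refreshes_used); bit is None if every refresh failed.
    """
    for used in range(len(deltas) + 1):
        bit = RULES.get((quad(a1), quad(a2)))
        if bit is not None:
            return bit, used
        if used < len(deltas):
            d = deltas[used]
            a1, a2 = (a1 + d) % Q, (a2 - d) % Q  # a' := a' + D, a'' := a'' - D
    return None, len(deltas)
```

The refresh leaves a' + a'' mod q unchanged, so any bit the model returns equals th(a); a None result corresponds to a residual decoding failure.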
implementation costs
unprotected (CHES2014*)
• 1713 LUTs / 830 FFs / 1 DSP
• Fmax = 120 MHz
• 2.8 k cycles (23.5 us)
protected (this work)
• 2014 LUTs / 959 FFs / 1 DSP
• 100 MHz
• 7.5 k cycles (75.2 us)
Parameter set: (n,q,s)=(256,7681,11.32)
Xilinx Virtex-II xc2vp7 FPGA
ECC: Rebeiro et al. (CHES2012): 289 kcycles * LUT
This work: 151 k cycles * LUTs
* Synthesized on Virtex-II
error rates
evaluation
PRNG off
PRNG on
second order
Conclusion
• Fully masked ring-LWE decryption
– outputs Boolean shares
• Manageable overhead: x2.6 cycles w.r.t. unprotected
• Small!
• Bespoke decoder
– Error rate controlled
• Practical evaluation