
Speeding up R-LWE Post-quantum Key Exchange

Conference paper, Secure IT Systems (NordSec 2016).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10014).

Abstract

Post-quantum cryptography has attracted increased attention in the last couple of years, due to the threat of quantum computers breaking current cryptosystems. In particular, the key size and performance of post-quantum algorithms have become a significant target for optimization. In this spirit, Alkim et al. have recently proposed a significant optimization for a key exchange scheme that is based on the R-LWE problem. In this paper, we build on the implementation of Alkim et al. and focus on improving the algorithm for generating a uniformly random polynomial. We optimize in three independent directions: efficient pseudorandom byte generation, decreasing the rejection rate during sampling, and vectorizing the sampling step. When measured on the latest Intel processor architecture (codename Skylake), our new optimizations improve over Alkim et al. by up to \(1.59\times \) on the server side, and by up to \(1.54\times \) on the client side.


Notes

  1. A comprehensible overview can also be found in a blog post by A. Langley: https://www.imperialviolet.org/2015/12/24/rlwe.html.

  2. Intel Software Development Emulator (SDE): https://software.intel.com/en-us/articles/intel-software-development-emulator.

References

  1. IBM’s stunning breakthrough: quantum computing finally ‘within reach’, February 2012. http://www.foxnews.com/tech/2012/02/28/ibm-quantum-computing-as-little-as-10-years-off.html

  2. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange – a new hope. IACR Cryptology ePrint Archive 2015/1092 (2015). http://eprint.iacr.org/2015/1092

  3. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society, May 2015

  4. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive 2012/688 (2012). http://eprint.iacr.org/2012/688

  5. Galbraith, S.D.: Space-efficient variants of cryptosystems based on learning with errors (2013). https://www.math.auckland.ac.nz/~sgal018/compact-LWE.pdf

  6. Gueron, S.: Intel® Advanced Encryption Standard (AES) new instructions set, September 2012. https://software.intel.com/sites/default/files/article/165683/aes-wp-2012-09-22-v01.pdf

  7. Gueron, S.: Intel’s new AES instructions for enhanced performance and security. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 51–66. Springer, Heidelberg (2009)

  8. Gueron, S., Krasnov, V.: Simultaneous hashing of multiple messages. J. Inf. Secur. 3(4), 319–325 (2012)

  9. Gueron, S., Krasnov, V.: Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptograph. Eng. 5(2), 141–151 (2015)

  10. Gueron, S., Krasnov, V.: Improved P256 ECC performance by means of a dedicated function for modular inversion modulo the P256 group order, April 2015. https://mta.openssl.org/pipermail/openssl-dev/2015-April/001197.html

  11. Intel Corporation: Intel® 64 and IA-32 architectures software developer’s manual, September 2015. http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf

  12. Intel Corporation: Intel® architecture instruction set extensions programming reference, August 2015. https://software.intel.com/sites/default/files/managed/07/b7/319433-023.pdf

  13. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Heidelberg (2014)

  14. National Institute of Standards and Technology: FIPS PUB 202 – SHA-3 standard: permutation-based hash and extendable-output functions (2015). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf


Acknowledgments

This research was supported by the PQCRYPTO project, which was partially funded by the European Commission Horizon 2020 research Programme, grant #645622, and by the ISRAEL SCIENCE FOUNDATION (grant No. 1018/16).

Author information

Corresponding author: Shay Gueron.

A Vectorized Rejection Sampling - Code Snippets

The relevant part of our AVX2 optimizations in the source code is shown in Listing 2. Listing 3 shows the relevant part of our AVX512 optimizations. Note that the AVX512 sampling becomes considerably simpler thanks to the new mask registers, which give finer-grained data control in almost all instructions. In particular, the VPCOMPRESSD instruction allows us to write back only the selected values instead of a whole vector.

In both of these approaches, we incorporate our proposal for reducing the rejection rate, as explained in Sect. 4.1. Since we are working on vectors of integers, and the AVX integer instructions provide no division (as used in Listing 1), we implement the reduction by repeatedly comparing and subtracting.
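The two ideas described above (and the "decreasing the rejection rate during sampling" direction named in the abstract) can be shown in scalar C without the AVX2/AVX512 listings, which are not reproduced on this page. The following is an added example, not the paper's code: it assumes the New Hope parameters q = 12289, n = 1024 and 16-bit candidates, which this page does not state, and it replaces the paper's pseudorandom byte generator with a constructed, non-cryptographic xorshift32 stream so that the rejection rates of both acceptance rules can be measured offline. The reduction is written as a branch-free mask-and-subtract sequence, which is the scalar shape of the vector compare-and-subtract that stands in for the missing integer division.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed parameters (not stated on this page): the New Hope modulus q = 12289
 * and n = 1024 coefficients, each sampled from a 16-bit candidate. */
#define Q 12289u
#define N 1024u
#define K_MULT 5u                 /* largest k with k*Q <= 2^16: 5*12289 = 61445 */
#define WIDE_BOUND (K_MULT * Q)   /* accept candidates below 5q instead of below q */

/* Branch-free reduction of v in [0, 5q) to [0, q). This is the scalar shape of
 * the vector compare-and-subtract sequence: one compare builds an all-ones or
 * all-zeros mask, one AND selects q or 0, one subtract applies it; four rounds
 * are enough because a candidate below 5q exceeds q at most four times over. */
static uint16_t reduce_by_subtraction(uint16_t v) {
    uint32_t x = v;
    for (unsigned i = 0; i < K_MULT - 1; i++) {
        uint32_t mask = 0u - (uint32_t)(x >= Q);  /* 0xFFFFFFFF when x >= q, else 0 */
        x -= Q & mask;
    }
    return (uint16_t)x;
}

/* Rejection-sample n uniform coefficients mod q from a byte stream.
 * widen == 0: classic rule, accept only candidates below q (about 81% rejected).
 * widen != 0: accept candidates below 5q and fold them into [0, q) (about 6%).
 * Both rules yield exactly uniform values mod q, because every residue class
 * has the same number of representatives below the bound.
 * Returns the number of 16-bit candidates consumed, or 0 if the stream ran dry. */
static size_t sample_uniform(uint16_t *coeffs, size_t n,
                             const uint8_t *buf, size_t buflen, int widen) {
    uint32_t bound = widen ? WIDE_BOUND : Q;
    size_t filled = 0, pos = 0;
    while (filled < n && pos + 2 <= buflen) {
        uint16_t cand = (uint16_t)(buf[pos] | ((uint16_t)buf[pos + 1] << 8));
        pos += 2;
        if (cand < bound)
            coeffs[filled++] = widen ? reduce_by_subtraction(cand) : cand;
    }
    return filled == n ? pos / 2 : 0;
}

/* Constructed stand-in for the pseudorandom byte generator. The paper's
 * generator is cryptographic; a fixed-seed xorshift32 is used here only so the
 * example runs offline and the rejection rates can be measured deterministically. */
static void fill_xorshift(uint8_t *out, size_t len, uint32_t seed) {
    uint32_t s = seed;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        out[i] = (uint8_t)s;
    }
}

/* Measure the rejection rate of one acceptance rule on the constructed stream.
 * Returns 1 - n/consumed, or -1.0 if sampling failed or produced a value >= q. */
double demo_rejection_rate(int widen) {
    static uint8_t stream[32768];
    static uint16_t poly[N];
    fill_xorshift(stream, sizeof stream, 0x2545F491u);  /* constructed seed */
    size_t consumed = sample_uniform(poly, N, stream, sizeof stream, widen);
    if (consumed == 0) return -1.0;
    for (size_t i = 0; i < N; i++)
        if (poly[i] >= Q) return -1.0;
    return 1.0 - (double)N / (double)consumed;
}

int main(void) {
    printf("accept below q only  : %.3f rejected (theory 1 - q/2^16  = %.3f)\n",
           demo_rejection_rate(0), 1.0 - (double)Q / 65536.0);
    printf("accept below 5q, fold: %.3f rejected (theory 1 - 5q/2^16 = %.3f)\n",
           demo_rejection_rate(1), 1.0 - (double)WIDE_BOUND / 65536.0);
    return 0;
}
```

The mask-and-subtract loop maps one-to-one onto a vector lane: a compare that produces a lane mask, an AND against a broadcast q, and a subtract, repeated four times for every lane at once. The measured rates follow the theoretical \(1 - q/2^{16}\) and \(1 - 5q/2^{16}\) closely, which is the whole gain of the wider acceptance bound: the same generator output fills the polynomial with far fewer discarded candidates.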

Listing 2: AVX2 vectorized rejection sampling (code not reproduced on this page).

Listing 3: AVX512 vectorized rejection sampling (code not reproduced on this page).


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Gueron, S., Schlieker, F. (2016). Speeding up R-LWE Post-quantum Key Exchange. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science, vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_12

  • DOI: https://doi.org/10.1007/978-3-319-47560-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47559-2

  • Online ISBN: 978-3-319-47560-8

  • eBook Packages: Computer Science (R0)
