Towards Efficient Arithmetic for Lattice-Based Cryptography on Reconfigurable Hardware

  • Thomas Pöppelmann
  • Tim Güneysu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7533)

Abstract

In recent years lattice-based cryptography has emerged as a quantum-secure and theoretically elegant alternative to classical cryptographic schemes such as ECC or RSA. In addition, lattices are a versatile tool and play an important role in the development of efficient fully or somewhat homomorphic encryption (FHE/SHE) schemes. In practice, ideal lattices defined in the polynomial ring ℤ_p[x]/⟨x^n + 1⟩ allow the generally very large key sizes of lattice constructions to be reduced. Another advantage of ideal lattices is that polynomial multiplication, a basic operation in ℤ_p[x]/⟨x^n + 1⟩, has in theory only quasi-linear time complexity of \({\mathcal O}(n \log{n})\). However, little is known about the practical performance of the FFT in this specific application domain and whether it is really an alternative in practice. In this work we make a first step towards efficient FFT-based arithmetic for lattice-based cryptography and show that the FFT can be implemented efficiently on reconfigurable hardware. We give instantiations of recently proposed parameter sets for homomorphic and public-key encryption. In a generic setting we are able to multiply polynomials with up to 4096 coefficients and a 17-bit prime in less than 0.5 milliseconds. For a parameter set of an SHE scheme (n = 1024, p = 1061093377) our implementation performs 9063 polynomial multiplications per second on a mid-range Spartan-6 FPGA.
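To make the ring arithmetic in the abstract concrete, here is an added Python example (not code from the paper, whose implementation targets an FPGA) that multiplies two polynomials in ℤ_p[x]/⟨x^n + 1⟩ with the SHE parameter set n = 1024, p = 1061093377 using the number-theoretic transform (NTT), the finite-field analogue of the FFT, and checks the result against quadratic schoolbook multiplication. The root-of-unity search and the constructed sample polynomials are assumptions of this example; only the parameters come from the abstract.

```python
# Abstract's SHE parameter set; p ≡ 1 (mod 2n) gives a 2n-th root of unity psi (psi^n = -1).
N, P = 1024, 1061093377

def find_primitive_2n_root(p, n):
    """Return psi with psi^n ≡ -1 (mod p); for power-of-two n its order is exactly 2n."""
    assert (p - 1) % (2 * n) == 0, "need p ≡ 1 mod 2n"
    for g in range(2, p):
        psi = pow(g, (p - 1) // (2 * n), p)
        if pow(psi, n, p) == p - 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity")

def ntt(a, omega, p):
    """Recursive radix-2 Cooley-Tukey NTT over Z_p (len(a) a power of two)."""
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], omega * omega % p, p)
    odd = ntt(a[1::2], omega * omega % p, p)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % p
        out[k], out[k + n // 2] = (even[k] + t) % p, (even[k] - t) % p
        w = w * omega % p
    return out

def negacyclic_mul(a, b, p, psi):
    """a*b in Z_p[x]/<x^n + 1> in O(n log n): weight by psi^i, cyclic NTT with omega =
    psi^2, pointwise product, inverse NTT, then unweight by psi^-i."""
    n, omega = len(a), psi * psi % p
    wa = [x * pow(psi, i, p) % p for i, x in enumerate(a)]
    wb = [x * pow(psi, i, p) % p for i, x in enumerate(b)]
    prod = [x * y % p for x, y in zip(ntt(wa, omega, p), ntt(wb, omega, p))]
    c = ntt(prod, pow(omega, p - 2, p), p)  # inverse NTT, still scaled by n
    n_inv, psi_inv = pow(n, p - 2, p), pow(psi, p - 2, p)
    return [x * n_inv % p * pow(psi_inv, i, p) % p for i, x in enumerate(c)]

def schoolbook_negacyclic(a, b, p):
    n, c = len(a), [0] * len(a)
    for i in range(n):
        for j in range(n):
            k, s = (i + j) % n, 1 if i + j < n else -1  # x^n wraps around to -1
            c[k] = (c[k] + s * a[i] * b[j]) % p
    return c

def ntt_matches_schoolbook():
    a = [pow(3, i, P) for i in range(N)]          # constructed sample inputs
    b = [(7919 * i + 1) % P for i in range(N)]
    psi = find_primitive_2n_root(P, N)
    return negacyclic_mul(a, b, P, psi) == schoolbook_negacyclic(a, b, P)
```

The same weighting trick works for any power-of-two n as long as p ≡ 1 (mod 2n), which is why the paper's parameter sets are chosen with that congruence in mind.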

Keywords

Lattice-Based Cryptography, Ideal Lattices, FFT, NTT, FPGA Implementation

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Thomas Pöppelmann (1)
  • Tim Güneysu (1)
  1. Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany