Post-quantum key exchange for the TLS protocol from
, 2014
"... the ring learning with errors problem ..."
High Precision Discrete Gaussian Sampling on
Cited by 8 (3 self)
Abstract. Lattice-based public key cryptography often requires sampling from discrete Gaussian distributions. In this paper we present an efficient hardware implementation of a discrete Gaussian sampler with high precision and large tail bound based on the Knuth-Yao algorithm. The Knuth-Yao algorithm is chosen since it requires a minimal number of random bits and is well suited for high precision sampling. We propose a novel implementation of this algorithm based on an efficient traversal of the discrete distribution generating (DDG) tree. Furthermore, we propose optimization techniques to store the probabilities of the sample points in near-optimal space. Our implementation targets the Gaussian distribution parameters typically used in LWE encryption schemes and has maximum statistical distance of 2^(-90) to a true discrete Gaussian distribution. For these parameters, our implementation on the Xilinx Virtex V platform results in a sampler architecture that only consumes 47 slices and has a delay of 3 ns.
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Cited by 6 (0 self)
Abstract. Several lattice-based cryptosystems require to sample from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.
Efficient Software Implementation of Ring-LWE Encryption
Cited by 6 (2 self)
Abstract. Present-day public-key cryptosystems such as RSA and Elliptic Curve Cryptography (ECC) will become insecure when quantum computers become a reality. This paper presents the new state of the art in efficient software implementations of a post-quantum secure public-key encryption scheme based on the ring-LWE problem. We use a 32-bit ARM Cortex-M4F microcontroller as the target platform. Our contribution includes optimization techniques for fast discrete Gaussian sampling and efficient polynomial multiplication. This implementation beats all known software implementations, on any architecture, by at least one order of magnitude. We further show that our scheme beats all ECC-based public-key encryption schemes by at least one order of magnitude. At 128-bit security we require 121166 cycles per encryption and 43324 cycles per decryption, while at a 256-bit security we require 261939 cycles per encryption and 96520 cycles per decryption. Gaussian sampling is done at an average of 28.5 cycles per sample.
Beyond ECDSA and RSA: Lattice-based digital signatures on constrained devices
In DAC '14: Proceedings of the 51st Annual Design Automation Conference
Cited by 5 (2 self)
All currently deployed asymmetric cryptography is broken with the advent of powerful quantum computers. We thus have to consider alternative solutions for systems with long-term security requirements (e.g., for long-lasting vehicular and avionic communication infrastructures). In this work we present an efficient implementation of BLISS, a recently proposed, post-quantum secure, and formally analyzed novel lattice-based signature scheme. We show that we can achieve a significant performance of 35.3 and 6 ms for signing and verification, respectively, at a 128-bit security level on an ARM Cortex-M4F microcontroller. This shows that lattice-based cryptography can be efficiently deployed on today's hardware and provides security solutions for many use cases that can even withstand future threats.
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions
Cited by 2 (0 self)
Abstract. At the center of many lattice-based constructions is an algorithm that samples a short vector s, satisfying [AAR − HG]s = t mod q where A, AR, H, G are public matrices and R is a trapdoor. Although the algorithm crucially relies on the knowledge of the trapdoor R to perform this sampling efficiently, the distribution it outputs should be independent of R given the public values. We present a new, simple algorithm for performing this task. The main novelty of our sampler is that the distribution of s does not need to be Gaussian, whereas all previous works crucially used the properties of the Gaussian distribution to produce such an s. The advantage of using a non-Gaussian distribution is that we are able to avoid the high-precision arithmetic that is inherent in Gaussian sampling over arbitrary lattices. So while the norm of our output vector s is on the order of n to n times larger (the representation length, though, is only a constant factor larger) than in the samplers of Gentry, Peikert, Vaikuntanathan (STOC 2008) and Micciancio, Peikert (EUROCRYPT 2012), the sampling itself can be done very efficiently. This provides a useful time/output trade-off for devices with constrained computing power. In addition, we believe that the conceptual simplicity and generality of our algorithm may lead to it finding other applications.
High-speed signatures from standard lattices
Cited by 1 (1 self)
Abstract. At CT-RSA 2014 Bai and Galbraith proposed a lattice-based signature scheme optimized for short signatures and with a security reduction to hard standard lattice problems. In this work we first refine the security analysis of the original work and propose a new 128-bit secure parameter set chosen for software efficiency. Moreover, we increase the acceptance probability of the signing algorithm through an improved rejection condition on the secret keys. Our software implementation targeting Intel CPUs with AVX/AVX2 and ARM CPUs with NEON vector instructions shows that even though we do not rely on ideal lattices, we are able to achieve high performance. For this we optimize the matrix-vector operations and several other aspects of the scheme and finally compare our work with the state of the art.
Compact and Side Channel Secure Discrete Gaussian Sampling
Cited by 1 (1 self)
Abstract—Discrete Gaussian sampling is an integral part of many lattice-based cryptosystems such as public-key encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast Knuth-Yao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of 2^(-90) to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most area-optimal implementation of the bit-scan operation based Knuth-Yao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However, the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to generate a polynomial of 256 coefficients.
Practical Lattice-based Digital Signature Schemes
Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattice problems which are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, lattice-based schemes have now become practical and appear to be a very viable alternative to number-theoretic cryptography. In this paper we focus on recent developments and the current state-of-the-art in lattice-based digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of lattice-based cryptography.
Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware
Abstract—Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today's schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative: an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex-6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes. Index Terms—Public key cryptosystems, reconfigurable hardware, signature scheme, ideal lattices, FPGA.