
HYDRA: A Flexible PQC Processor



  1. HYDRA: A Flexible PQC Processor Chen-Mou Cheng National Taiwan University November 16, 2012

  2. Acknowledgment • Joint work with Bo-Yin Yang (Academia Sinica) and Andy Wu

  3. Post-quantum cryptography
  • Hash-based cryptography
  • Code-based cryptography
  • Lattice-based cryptography
  • Multivariate cryptography

  4. Multivariate cryptography
  • Composition of maps
  • Public quadratic polynomials
  • F1 and Fk are affine (y = Ax + b)
  • Step 1. Generation: p → F1 → F2 … → Fk → c (each Fi is easy; composing them into E is easy)
  • Step 2. Encryption: p → E → c (evaluating E is easy; decomposing E back into the Fi is hard)
  • Step 3. Decryption: p ← D1 ← D2 … ← Dk ← c (each Di, the inverse of Fi, is easy)

  5. Classification of multivariates
  • Big-field multivariates
    • Matsumoto-Imai derivatives
    • SFLASH, HFE
  • Small-field (or true) multivariates
    • Unbalanced Oil-and-Vinegar derivatives
    • Rainbow, TTS

  6. Security of UOV
  • MQ: Multivariate quadratics, direct attacks
    • Gröbner bases: XL, F4/F5 families
  • EIP: Extended Isomorphism of Polynomials, a.k.a. rank or linear algebra attacks
    • Low rank attack
    • High rank attack
    • Reconciliation attack
    • …

  7. The HYDRA processor
  • A scalable, programmable crypto coprocessor
  • Accompanying toolchains and software libraries
  • API to raise abstraction level for developing security applications
  • Allowing aggressive experimentation with PKC, especially PQC

  8. Slogans
  • Cheap PKC
    • Hardware acceleration of core computation
    • Customizable for multiple vertical markets, allowing cost sharing
  • Future-proof PKC
    • Algorithm agility, allowing “BIOS upgrades”
    • PQC to resist emerging quantum-computers’ attacks
  • Management-free PKC
    • Lower total cost of ownership via PKC
    • Identity-based crypto ⇒ No more PKI!
  • “If we build them [cheaply], they will come”

  9. Target cryptosystems

  10. ASIC prototyping of NTRU

  11. ASIC prototyping of TTS

  12. ASIC prototyping of Fp multiplications

  13. The Hydra microarchitecture
  • Block diagram components: D$, Axpy engine, Decoder, I$, μC, DMA, Memory bus

  14. Design ingredients
  • Axpy-style ISA for regular data movement between cache & datapath, i.e., Y ← a•X + Y, where |a| = w, |X| = lw, |Y| = lw or (l + 1)w
  • Wide & flexible vector datapath
  • DMA engine to (pre-)fetch and store data to fill up vector datapath as much as possible
  • General-purpose μC for complex I/O

  15. Review: NTRU cryptosystem
  • Core operation: Multiplication in Z[x]/(x^n − 1)
  • Key generation
    • Randomly choose f and g with small coefficients
    • Find f_p, f_q such that f_p·f = 1 mod p and f_q·f = 1 mod q
    • Public key: h = p·f_q·g
    • Private key: f, f_p
  • Encryption
    • Randomly generate r with coefficients in [−1, 1]
    • c = r·h + m
  • Decryption
    • a = f·c, with coefficients in [−q/2, q/2]
    • m = a·f_p, with coefficients in [−p/2, p/2]
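
The key generation, encryption and decryption steps of slide 15, carried through in code as an added example (this is not code from the talk or from the HYDRA project). It uses textbook NTRU in Z[x]/(x^n − 1) with prime p and prime q, so one extended-Euclid routine over GF(m)[x] yields both f_p and f_q. The value q = 307 is the slide's; p = 3, n = 11, d = 4 and the plaintext are constructed so the toy stays readable, and are far too small for real use.

```python
import random

# Added example (not from the slides): toy NTRU over Z[x]/(x^n - 1) with prime p, q.
# Polynomials are coefficient lists, a[i] = coefficient of x^i.

def trim(a):
    """Drop leading zero coefficients in place; [0] represents the zero polynomial."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, m):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % m
    return trim(out)

def poly_sub(a, b, m):
    out = [0] * max(len(a), len(b))
    for i, c in enumerate(a):
        out[i] = c % m
    for i, c in enumerate(b):
        out[i] = (out[i] - c) % m
    return trim(out)

def poly_divmod(a, b, m):
    """Long division in GF(m)[x], m prime, b != 0; returns (quotient, remainder)."""
    a, b = trim([c % m for c in a]), trim([c % m for c in b])
    inv_lead = pow(b[-1], -1, m)
    quot = [0] * max(1, len(a) - len(b) + 1)
    while len(a) >= len(b) and a != [0]:
        shift, coef = len(a) - len(b), a[-1] * inv_lead % m
        quot[shift] = coef
        for i, bc in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bc) % m
        trim(a)
    return trim(quot), a

def ring_mul(a, b, n, m):
    """Multiply in Z_m[x]/(x^n - 1): convolve, then fold x^(i+j) onto x^((i+j) mod n)."""
    out = [0] * n
    for i, c in enumerate(poly_mul(a, b, m)):
        out[i % n] = (out[i % n] + c) % m
    return out

def poly_inverse(f, n, m):
    """Inverse of f in Z_m[x]/(x^n - 1) for prime m, or None if f is not a unit."""
    r0 = [m - 1] + [0] * (n - 1) + [1]          # x^n - 1
    r1 = trim([c % m for c in f])
    s0, s1 = [0], [1]                            # invariant: s_i * f = r_i (mod x^n - 1)
    while r1 != [0]:
        quot, rem = poly_divmod(r0, r1, m)
        r0, r1 = r1, rem
        s0, s1 = s1, poly_sub(s0, poly_mul(quot, s1, m), m)
    if len(r0) != 1:                             # gcd has positive degree: no inverse
        return None
    return ring_mul(s0, [pow(r0[0], -1, m)], n, m)

def center(a, m):
    """Lift coefficients to the symmetric range [-m/2, m/2] (the slide's a and m steps)."""
    return [c - m if c > m // 2 else c for c in (x % m for x in a)]

def small_poly(n, ones, neg_ones, rng):
    """Ternary polynomial with the given numbers of +1 and -1 coefficients."""
    out = [0] * n
    for k, pos in enumerate(rng.sample(range(n), ones + neg_ones)):
        out[pos] = 1 if k < ones else -1
    return out

def keygen(n, p, q, d, rng):
    while True:                                  # retry until f is a unit mod p and mod q
        f = small_poly(n, d, d - 1, rng)         # d ones, d-1 minus ones, so f(1) != 0
        fp, fq = poly_inverse(f, n, p), poly_inverse(f, n, q)
        if fp is not None and fq is not None:
            break
    g = small_poly(n, d, d, rng)
    h = ring_mul([p], ring_mul(fq, g, n, q), n, q)   # public key h = p f_q g mod q
    return h, (f, fp)

def encrypt(msg, h, n, q, d, rng):
    r = small_poly(n, d, d, rng)                 # random r with coefficients in [-1, 1]
    return [(c + mi) % q for c, mi in zip(ring_mul(r, h, n, q), msg)]   # c = r h + m

def decrypt(c, f, fp, n, p, q):
    a = center(ring_mul(f, c, n, q), q)          # a = f c, coefficients in [-q/2, q/2]
    return center(ring_mul(fp, a, n, p), p)      # m = a f_p, coefficients in [-p/2, p/2]

# Constructed demo parameters: q = 307 from the slide, the rest chosen for a tiny toy.
N, P, Q, D = 11, 3, 307, 4
MESSAGE = [1, 0, -1, 1, 1, 0, 0, -1, 0, 1, -1]   # constructed plaintext, coefficients in [-1, 1]

def roundtrip(seed=1):
    rng = random.Random(seed)
    h, (f, fp) = keygen(N, P, Q, D, rng)
    c = encrypt(MESSAGE, h, N, Q, D, rng)
    return decrypt(c, f, fp, N, P, Q) == MESSAGE

if __name__ == "__main__":
    print("NTRU round trip ok:", roundtrip())
```

Decryption works because f·c = p·r·g·(f_q·f) + f·m ≡ p·r·g + f·m (mod q), and with these sparse ternary polynomials every coefficient of that sum has magnitude at most 3·8 + 7 = 31, far inside (−q/2, q/2), so the centered lift recovers it exactly before the reduction mod p.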

  16. Multiplications in NTRU

  17. NTRU ees397ep1
  • p = 2, q = 307, n = 397
  • Message m: 397 bits
  • Signature c: (Z_307)^397, ~397×9 bits
  • Public key h: Z_307[x]/(x^397 − 1), ~397×9 bits
  • Private key
    • f: Z_307[x]/(x^397 − 1), ~397×9 bits; contains 74 nonzero elements
    • f_p: Z_2[x]/(x^397 − 1), = 397×1 bits

  18. Review: TTS cryptosystem
  • Message z: GF(31)^40, ~200 bits
  • Signature w: GF(31)^64, ~320 bits
  • Public key P: GF(31)^(40×2080), ~416 Kbits
    • Bottleneck: Quadratic polynomial evaluation
  • Private key: ~44244 bits
    • Bottleneck: Linear maps and system solving

  19. Review: Elliptic curve pairing
  • Core operations are finite-field arithmetic
  • Bottleneck for prime fields: Modular multiplication
  • Euclid’s division: y = qn + r, 0 ≤ r < n
  • Hensel’s division: y + qn = p^k r, 0 ≤ r < 2n, p prime
  • Montgomery method
    • x ↦ p^k x mod n: ring homomorphism if (p, n) = 1
    • Precompute p′, n′ such that p^k p′ − n n′ = 1
    • q ← (y mod p^k) n′
    • q′ ← (q mod p^k) n
    • r ← (y + q′)/p^k

  20. Montgomery method: More details
  • Problem: Given A, B, M, compute AB mod M
  • Idea: Work in an isomorphic ring
    • A ↦ AR mod M and B ↦ BR mod M
    • Need a way to compute ABR mod M
  • Solution: (x, y) ↦_M (xy)/R mod M
    • T ← (AR mod M)(BR mod M)
    • Can add multiples of M since mod M
    • T + xM = 0 mod R, therefore x = −M^(−1) T mod R
    • (AR, BR) ↦_M (T + (−M^(−1) T mod R) M)/R = ABR mod M

  21. Multi-precision Montgomery
  • X = (x_(n−1) x_(n−2) … x_0), x_i in {0, …, 2^w − 1}
  • S ← 0
  • for i in 0 .. n − 1
    • q_i ← (s_0 + a_i b_0)(−M^(−1)) mod 2^w
    • S ← (S + a_i B + q_i M)/2^w
    • [loop invariant: S in {0, …, M + B − 1}]
  • [post condition: 2^(nw) S = AB + QM]
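
The Hensel division with precomputed p′, n′ from slide 19, the R-domain mapping of slide 20 and the word-serial loop of slide 21, written out as one added example (not code from the talk or the HYDRA project). The loop checks the slide's invariant S ≤ M + B − 1 and post-condition 2^(nw) S = AB + QM at run time, and the final function shows that Montgomery reduction is Hensel division with p = 2 and k = nw. Word size, word count, modulus and operands at the bottom are constructed for the demo.

```python
# Added example (not from the slides): Hensel division (slide 19) and
# word-serial Montgomery multiplication (slides 20-21) with the stated
# invariant and post-condition asserted on every call.

def hensel_precompute(n, p, k):
    """Return (p', n') with p^k * p' - n * n' = 1; requires gcd(p, n) = 1."""
    pk = p ** k
    n_prime = (-pow(n, -1, pk)) % pk           # n * n' = -1 (mod p^k)
    p_prime = (1 + n * n_prime) // pk          # exact by construction
    assert pk * p_prime - n * n_prime == 1
    return p_prime, n_prime

def hensel_divide(y, n, p, k):
    """r with y + q n = p^k r, i.e. r = y p^(-k) mod n; 0 <= r < 2n whenever y < n p^k."""
    pk = p ** k
    _, n_prime = hensel_precompute(n, p, k)
    q = (y % pk) * n_prime                     # q  <- (y mod p^k) n'
    q_prime = (q % pk) * n                     # q' <- (q mod p^k) n
    assert (y + q_prime) % pk == 0             # the division is exact
    return (y + q_prime) // pk                 # r  <- (y + q') / p^k

def mont_words(A, B, M, w, n):
    """Word-serial Montgomery loop: returns (S, Q) with 2^(n w) S = A B + Q M."""
    mask = (1 << w) - 1
    neg_m_inv = (-pow(M, -1, 1 << w)) & mask   # -M^(-1) mod 2^w (M odd)
    b0 = B & mask
    S, Q = 0, 0
    for i in range(n):
        a_i = (A >> (w * i)) & mask
        q_i = (((S & mask) + a_i * b0) * neg_m_inv) & mask  # (s_0 + a_i b_0)(-M^-1) mod 2^w
        S = (S + a_i * B + q_i * M) >> w                   # low word is zero, shift is exact
        Q |= q_i << (w * i)
        assert 0 <= S <= M + B - 1                         # slide's loop invariant
    assert (S << (n * w)) == A * B + Q * M                 # slide's post-condition
    return S, Q

def mont_mul(A, B, M, w, n):
    """A B R^(-1) mod M with R = 2^(n w); needs 0 <= A, B < M < R and M odd."""
    S, _ = mont_words(A, B, M, w, n)
    return S - M if S >= M else S                          # S < 2M, one subtraction suffices

def mont_product(A, B, M, w, n):
    """Slide 20 end to end: map into the R-domain, multiply there, map back."""
    R = 1 << (n * w)
    a_bar, b_bar = A * R % M, B * R % M                    # A -> AR mod M, B -> BR mod M
    c_bar = mont_mul(a_bar, b_bar, M, w, n)                # = ABR mod M
    return mont_mul(c_bar, 1, M, w, n)                     # strip the remaining R: AB mod M

def montgomery_is_hensel(A, B, M, w, n):
    """Montgomery reduction equals Hensel division with p = 2, k = n w (mod M)."""
    return hensel_divide(A * B, M, 2, n * w) % M == mont_mul(A, B, M, w, n)

# Constructed demo values: 8-bit words, 3 words (R = 2^24), an odd modulus below R.
W, NW = 8, 3
M = 0xABCDEF

def check(A=0x123456, B=0x9ABCDE):
    R = 1 << (W * NW)
    return (mont_mul(A, B, M, W, NW) == A * B * pow(R, -1, M) % M
            and mont_product(A, B, M, W, NW) == A * B % M
            and montgomery_is_hensel(A, B, M, W, NW))

if __name__ == "__main__":
    print("Montgomery/Hensel checks pass:", check())
```

Each iteration is exactly the two Axpy operations the slide's ISA is built around (S + a_i·B, then + q_i·M), which is why the word-serial form maps onto the Hydra datapath; the final conditional subtraction is needed because the invariant only bounds S below M + B, not below M.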

  22. The main Hydra ISA
  • Recall: Y ← a•X + Y
    • |a| = w, |X| = lw, |Y| = lw or (l + 1)w
  • Type i (for pairing)
    • a in {0, …, 2^w − 1}, X in {0, …, 2^(lw) − 1}, Y in {0, …, 2^((l + 1)w) − 1}
    • •, +: the usual integer multiplication and addition
  • Type q (for TTS)
    • a in F_q, X in F_q^l, Y in F_q^l, and q ≤ 2^w
    • •, +: scalar multiplication and vector addition in l-dimensional vector spaces over F_q
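
The type-q instruction applied to the TTS bottleneck named on slide 18 (quadratic polynomial evaluation over GF(31)), as an added example that is not code from the talk or the HYDRA project. Storing the public key one column per monomial lets each monomial value w_i·w_j drive a single Axpy Y ← a•X + Y over F_31 with l equal to the number of polynomials; 64 variables give 64·65/2 = 2080 quadratic monomials, matching the 40×2080 coefficient count on slide 18. The column layout, the helper names and the toy sizes are constructed for this example.

```python
import random

# Added example (not from the slides): evaluating m quadratic polynomials in
# n variables over GF(31) as a sequence of type-q Axpy instructions.

Q = 31

def axpy_q(a, X, Y, q=Q):
    """Type-q Axpy: Y <- a*X + Y in the l-dimensional vector space over F_q, l = len(X)."""
    return [(a * x + y) % q for x, y in zip(X, Y)]

def quadratic_monomials(n_vars):
    """Index pairs (i, j), i <= j, of the degree-2 monomials w_i w_j."""
    return [(i, j) for i in range(n_vars) for j in range(i, n_vars)]

def n_axpy(n_vars):
    """Axpy instructions per public-map evaluation: one per quadratic monomial."""
    return n_vars * (n_vars + 1) // 2

def eval_public_map(columns, w, q=Q):
    """columns[t] = coefficient of monomial t in each of the m polynomials, so one
    Axpy consumes one length-m column: Y <- (w_i w_j) * columns[t] + Y."""
    m = len(columns[0])
    Y = [0] * m
    for t, (i, j) in enumerate(quadratic_monomials(len(w))):
        Y = axpy_q(w[i] * w[j] % q, columns[t], Y, q)
    return Y

def eval_reference(columns, w, q=Q):
    """Scalar cross-check: P_k(w) = sum over t of c_{k,t} w_i w_j, one polynomial at a time."""
    mons = quadratic_monomials(len(w))
    return [sum(columns[t][k] * w[i] * w[j] for t, (i, j) in enumerate(mons)) % q
            for k in range(len(columns[0]))]

def random_instance(n_vars, m, seed=0, q=Q):
    """Constructed public key (column layout) and signature vector for the demo."""
    rng = random.Random(seed)
    columns = [[rng.randrange(q) for _ in range(m)] for _ in range(n_axpy(n_vars))]
    w = [rng.randrange(q) for _ in range(n_vars)]
    return columns, w

def check(n_vars=6, m=4, seed=3):
    columns, w = random_instance(n_vars, m, seed)
    return eval_public_map(columns, w) == eval_reference(columns, w)

if __name__ == "__main__":
    print("vectorised evaluation matches scalar reference:", check())
    print("Axpy count for 64 variables:", n_axpy(64))
```

The vector length l is the number of public polynomials (40 for the slide's TTS parameters), so the datapath width, not the variable count, decides how many Axpy issues one verification costs.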

  23. Type r Axpy instructions
  • X in Z_q^l, Y in Z_q^l such that q ≤ 2^w
  • a in Z_p^h such that h[lg p] ≤ 2w

  24. Next steps
  • Prototype implementation
    • Bulk of the work goes here
  • SystemC-based ISA simulator
  • Compiler construction
    • Maybe to base on LLVM

  25. Thank you! • Questions or comments?
