Post-Quantum Cryptography on FPGAs: The Niederreiter Cryptosystem: Extended Abstract

Wen Wang, Jakub Szefer, R. Niederhagen
Proceedings of the 2018 Great Lakes Symposium on VLSI (GLSVLSI '18), May 23-25, 2018, Chicago, IL, USA. Published 2018-05-30. DOI: https://doi.org/10.1145/3194554.3194617. Citation count: 0.

Abstract

Our invited presentation will give an introduction to the major hardware building blocks needed to implement code-based cryptographic systems. We will present details of a modern, FPGA-based, constant-time implementation of the Niederreiter cryptosystem using binary Goppa codes, including modules for encryption, decryption, and key generation. The presentation will also include a brief summary of other existing implementations of code-based cryptographic systems, and it will present research challenges for implementing such systems efficiently. Currently, there are five promising classes of post-quantum cryptographic algorithms: hash-based, code-based, lattice-based, multivariate, and isogeny-based cryptography. Our work focuses on code-based cryptography, specifically the Niederreiter cryptosystem using binary Goppa codes. The main design challenge within code-based cryptosystems is the tension between the cryptographic parameters (i.e., the security level) and the practical aspects that result from the chosen parameters, e.g., the size of keys and computation speed. The core of the presentation will focus on the FPGA implementation of our binary Goppa code-based Niederreiter cryptosystem, including modules for encryption, decryption, and key generation [2, 3]. We will show how to make the design constant-time in order to protect against timing side-channel analysis, and how to make the design fully parameterized in order to support a wide range of parameter choices for security, including the binary field size, the degree of the Goppa polynomial, and the code length. The parameterized design also allows users to choose design parameters for time-area trade-offs in order to support a large variety of applications ranging from smart cards to server accelerators.

For parameters that are considered to provide "128-bit post-quantum security" (i.e., the cost of an attack on a quantum computer is assumed to be at least 2^128 quantum operations), our time-optimized implementation requires 966,400 cycles for the generation of both the public and private portions of a key and 14,291 cycles to decrypt a ciphertext. The time-optimized design uses only 121,806 ALMs (52% of the available logic) and 961 RAM blocks (38% of the available memory), and results in a design that runs at about 250 MHz on a medium-size Stratix V FPGA (5SGXEA7N). To achieve this efficient design, a number of building blocks were needed: Gaussian systemizers for matrix systemization [1], a Gao-Mateer additive FFT for polynomial evaluation, a merge-sort module for generating uniformly distributed permutations, and a constant-time Berlekamp-Massey module for decoding [2, 3]. The reasons for these design choices will be covered in the presentation as well. Given the increasing interest in code-based cryptography, a number of projects have been focusing on the hardware implementation of the Niederreiter cryptosystem.

We will present the performance of our entire Niederreiter cryptosystem with "128-bit post-quantum security" and compare our design with other existing FPGA-based implementations. Prior works have not reached the security level of our design, and this presentation will highlight the design choices that achieve a high-security design while maintaining efficiency. Our current work is the fastest design to date, beating prior FPGA work and optimized CPU-based implementations on recent processors. Based on insights from our work, the presentation will show how to design flexible hardware cores that can be easily configured for different security levels and performance targets.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. GLSVLSI '18, May 23-25, 2018, Chicago, IL, USA. © 2018 Copyright held by the owner/author(s). Publication rights licensed to the Association for Computing Machinery. ACM ISBN 978-1-4503-5724-1/18/05... $15.00. https://doi.org/10.1145/3194554.3194617
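As an added example, not code from the paper or its FPGA design, the systemization step at the heart of Niederreiter key generation in Python: a Gaussian systemizer over GF(2) whose swaps and eliminations are all mask-driven rather than branch-driven, extraction of the public key T from the systematic form [I | T], and a retry over candidate column permutations when the left block turns out singular (the retry policy, the toy matrix H and the permutations IDENTITY and SWAP_1_4 are assumptions, not taken from the abstract).

```python
# Added illustration (not the authors' FPGA design): the key-generation step the
# abstract names, bringing a Niederreiter parity-check matrix H into systematic
# form [I | T] with a branch-free Gaussian systemizer over GF(2). Rows are ints,
# bit c of a row is column c of H. H, IDENTITY and SWAP_1_4 are constructed.

def apply_permutation(rows, perm):
    """Reorder columns of H: new column c takes old column perm[c] (stands in
    for the support permutation the merge-sort module supplies in hardware)."""
    return [sum(((row >> old) & 1) << new for new, old in enumerate(perm))
            for row in rows]

def systemize(rows):
    """Return (ok, rows) with the first len(rows) columns reduced to I.
    Every swap and elimination runs unconditionally under a 0/1 mask, so the
    sequence of operations does not depend on secret entries (no early exit)."""
    r, k, ok = list(rows), len(rows), 1
    for i in range(k):
        for j in range(i + 1, k):                   # masked conditional swap
            need = 1 - ((r[i] >> i) & 1)            # 1 while row i lacks pivot i
            mask = -(need & ((r[j] >> i) & 1))      # -1 (all ones) or 0
            t = (r[i] ^ r[j]) & mask
            r[i] ^= t
            r[j] ^= t
        ok &= (r[i] >> i) & 1                       # no pivot: left block singular
        for j in range(k):                          # masked elimination of column i
            m = -((r[j] >> i) & 1) if j != i else 0 # branch on loop index only
            r[j] ^= r[i] & m
    return ok, r

def syndrome(rows, e):
    """s = H * e over GF(2): bit i of s is the parity of (row i AND e)."""
    return sum((bin(row & e).count("1") & 1) << i for i, row in enumerate(rows))

def keygen_public(h_rows, perms):
    """Try candidate permutations in order until H systemizes; returns
    (attempts, T rows) or (0, None). Assumption not stated in the abstract:
    a failed systemization is handled by drawing a fresh permutation."""
    k = len(h_rows)
    for n, perm in enumerate(perms, 1):
        ok, r = systemize(apply_permutation(h_rows, perm))
        if ok:                                      # success is public information
            return n, [row >> k for row in r]       # public key T = right block
    return 0, None

# Constructed toy H (3 x 6, full rank): columns 0..2 are singular because rows 0
# and 1 agree there, so the identity permutation fails and the retry succeeds.
H = [0b001011, 0b010011, 0b100100]
IDENTITY = [0, 1, 2, 3, 4, 5]
SWAP_1_4 = [0, 4, 2, 3, 1, 5]
```

Python cannot show cycle-exact constant time, but the property carried over from the hardware design is structural: the number and order of row operations are fixed by the matrix dimensions, not by its entries.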