Efficient isochronous fixed-weight sampling with applications to NTRU

IACR Cryptol. ePrint Arch. Pub Date : 2024-07-08 DOI:10.62056/a6n59qgxq

Décio Luiz Gazzoni Filho, Tomás Recio, Julio López Hernandez

{"title":"Efficient isochronous fixed-weight sampling with applications to NTRU","authors":"Décio Luiz Gazzoni Filho, Tomás Recio, Julio López Hernandez","doi":"10.62056/a6n59qgxq","DOIUrl":null,"url":null,"abstract":"We present a solution to the open problem of designing a linear-time, unbiased and timing attack-resistant shuffling algorithm for fixed-weight sampling. Although it can be implemented without timing leakages of secret data in any architecture, we illustrate with ARMv7-M and ARMv8-A implementations; for the latter, we take advantage of architectural features such as NEON and conditional instructions, which are representative of features available on architectures targeting similar systems, such as Intel. Our proposed algorithm improves asymptotically upon the current approach based on constant-time sorting networks (\n \n O\n (\n n\n )\n \n versus \n \n O\n (\n n\n \n log\n 2\n \n n\n )\n \n ), and an implementation of the new algorithm applied to NTRU is also faster in practice, by a factor of up to \n \n 6.91\n \n (\n 591\n %\n )\n \n on ARMv8-A cores and \n \n 12.89\n \n (\n 1189\n %\n )\n \n on the Cortex-M4; it also requires fewer uniform random bits. This translates into performance improvements for NTRU encapsulation, compared to state-of-the-art implementations, of up to 50% on ARMv8-A cores and 72% on the Cortex-M4, and small improvements to key generation (up to 2.7% on ARMv8-A cores and 6.1% on the Cortex-M4), with negligible impact on code size and a slight improvement in RAM usage for the Cortex-M4.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"119 17","pages":"548"},"PeriodicalIF":0.0000,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.62056/a6n59qgxq","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

We present a solution to the open problem of designing a linear-time, unbiased and timing attack-resistant shuffling algorithm for fixed-weight sampling. Although it can be implemented without timing leakages of secret data in any architecture, we illustrate with ARMv7-M and ARMv8-A implementations; for the latter, we take advantage of architectural features such as NEON and conditional instructions, which are representative of features available on architectures targeting similar systems, such as Intel. Our proposed algorithm improves asymptotically upon the current approach based on constant-time sorting networks ( O ( n ) versus O ( n log 2 n ) ), and an implementation of the new algorithm applied to NTRU is also faster in practice, by a factor of up to 6.91 ( 591 % ) on ARMv8-A cores and 12.89 ( 1189 % ) on the Cortex-M4; it also requires fewer uniform random bits. This translates into performance improvements for NTRU encapsulation, compared to state-of-the-art implementations, of up to 50% on ARMv8-A cores and 72% on the Cortex-M4, and small improvements to key generation (up to 2.7% on ARMv8-A cores and 6.1% on the Cortex-M4), with negligible impact on code size and a slight improvement in RAM usage for the Cortex-M4.

查看原文本刊更多论文

高效等时定量采样与 NTRU 的应用

我们针对设计线性时间、无偏、抗时序攻击的固定权重采样洗牌算法这一未决问题提出了一种解决方案。虽然该算法可以在任何体系结构中实现而不会泄露秘密数据，但我们以 ARMv7-M 和 ARMv8-A 实现为例进行了说明；对于后者，我们利用了 NEON 和条件指令等体系结构特性，这些特性在英特尔等针对类似系统的体系结构中具有代表性。我们提出的算法渐进地改进了当前基于恒定时间排序网络的方法（O ( n ) 与 O ( n log 2 n ) 之比），应用于 NTRU 的新算法的实现在实践中也更快，在 ARMv8-A 内核上快达 6.91 ( 591 % ) 倍，在 Cortex-M4 上快达 12.89 ( 1189 % ) 倍；它所需的均匀随机位也更少。与最先进的实现相比，NTRU 封装的性能在 ARMv8-A 内核上提高了 50%，在 Cortex-M4 上提高了 72%，密钥生成的性能也略有提高（在 ARMv8-A 内核上提高了 2.7%，在 Cortex-M4 上提高了 6.1%），对代码大小的影响可以忽略不计，Cortex-M4 的 RAM 使用率略有提高。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Cryptol. ePrint Arch.

自引率

0.00%

发文量