Fast Polynomial Inversion for Post Quantum QC-MDPC Cryptography

“…The second approach builds on the observation made in [10]: given an element a(x) ∈ Z 2 [x]/(x p − 1), considering the set of exponents of its non-zero coefficient monomials S allows to rewrite a(x) as j ∈S x j . It is known that, on characteristic 2 polynomial rings…”

“…This observation allows to compute the 2 i -th power of an element in Z 2 [x]/(x p − 1), again, at a linear cost (indeed, the one of permuting the coefficients); moreover the permutation which must be computed is fixed, and depends only on the values p and 2 i , which are both public and fixed, thus avoiding any meaningful information leakage via the timing side channel. The authors of [10] observe that, since the required permutations, Output: c(x ) = (a(x ) e ) 2 , and e=2 p−2 −1=(11 . .…”

“…Finally, the authors of [10] also note that, on x86_64 platforms, it is faster to precompute the inverse permutation with respect to the one corresponding to raising a(x) to 2 i , as it allows the collection of binary coefficients of the result a(x) 2 i that are contiguous in their memory representation. This is done determining, for each coefficient of a(x) 2 i , which was its corresponding one in a(x) through the inverse permutation.…”

“…The said inverse permutation maps the coefficient of the l-th degree term in a(x) 2 i , 0≤l ≤p−1, back to the coefficient of the (l • (2 −i mod p) mod p)-th term in a(x). We note that, also in this case, it is possible to either tabulate the entire set of inverse permutations, as suggested by [10], or simply tabulate the values of (2 −i mod p) and determine each position of the permutation at hand partially online. 0 20,000 40,000 60,000 80,000…”

“…Concerning the exponentiations to 2 i , as required by the optimized Fermat's little based inverse, we investigated the effects of the tradeoff reported in [10], where it is noted that, for small values of i, it can be faster to compute the exponentiation to 2 i by repeated squaring, instead of resorting to a bitwise permutation. Indeed, it is possible to obtain a fast squaring exploiting the pclmulqdq instruction which performs a binary polynomial multiplication of two, 64 terms, polynomials in a 128 terms one.…”

A comprehensive analysis of constant-time polynomial inversion for post-quantum cryptosystems

“…The second approach builds on the observation made in [10]: given an element a(x) ∈ Z 2 [x]/(x p − 1), considering the set of exponents of its non-zero coefficient monomials S allows to rewrite a(x) as j ∈S x j . It is known that, on characteristic 2 polynomial rings…”

“…This observation allows to compute the 2 i -th power of an element in Z 2 [x]/(x p − 1), again, at a linear cost (indeed, the one of permuting the coefficients); moreover the permutation which must be computed is fixed, and depends only on the values p and 2 i , which are both public and fixed, thus avoiding any meaningful information leakage via the timing side channel. The authors of [10] observe that, since the required permutations, Output: c(x ) = (a(x ) e ) 2 , and e=2 p−2 −1=(11 . .…”

“…Finally, the authors of [10] also note that, on x86_64 platforms, it is faster to precompute the inverse permutation with respect to the one corresponding to raising a(x) to 2 i , as it allows the collection of binary coefficients of the result a(x) 2 i that are contiguous in their memory representation. This is done determining, for each coefficient of a(x) 2 i , which was its corresponding one in a(x) through the inverse permutation.…”

“…The said inverse permutation maps the coefficient of the l-th degree term in a(x) 2 i , 0≤l ≤p−1, back to the coefficient of the (l • (2 −i mod p) mod p)-th term in a(x). We note that, also in this case, it is possible to either tabulate the entire set of inverse permutations, as suggested by [10], or simply tabulate the values of (2 −i mod p) and determine each position of the permutation at hand partially online. 0 20,000 40,000 60,000 80,000…”

“…Concerning the exponentiations to 2 i , as required by the optimized Fermat's little based inverse, we investigated the effects of the tradeoff reported in [10], where it is noted that, for small values of i, it can be faster to compute the exponentiation to 2 i by repeated squaring, instead of resorting to a bitwise permutation. Indeed, it is possible to obtain a fast squaring exploiting the pclmulqdq instruction which performs a binary polynomial multiplication of two, 64 terms, polynomials in a 128 terms one.…”

A comprehensive analysis of constant-time polynomial inversion for post-quantum cryptosystems

DU-QS22: A Dataset for Analyzing QC-MDPC-Based Quantum-Safe Cryptosystems

Efficiently Masking Polynomial Inversion at Arbitrary Order