Secure Number Theoretic Transform and Speed Record for Ring-LWE Encryption on Embedded Processors

Seo, Hwajeong; Liu, Zhe; Park, Tae Hwan; Kwon, Hyeokchan; Lee, Sokjoon; Kim, Howon

doi:10.1007/978-3-319-78556-1_10

Cited by 2 publications

(12 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we optimized the modular reduction for the high-speed implementation of NTT computation. We chose q = 7681 and q = 12, 289 primes (i.e., 0x1E01 and 0x3001 in hexadecimal representation) for the target parameters, which are widely used in previous works [28][29][30].…”

Section: Number Theoretic Transformmentioning

confidence: 99%

“…The modular reduction can be implemented using the bit-shift and add technique (i.e., SAMS2) or Montgomery reduction covered in previous works [28,29]. These methods can be accelerated further by using the optimized Look-Up Table (LUT) access-based fast reduction technique for performing mod 7681 and mod 12, 289 operations in ICISC'17 [30]. The main idea of the LUT-based approach is to first reduce the result by using 8-bit wise pre-computed reduced results.…”

Section: Number Theoretic Transformmentioning

confidence: 99%

“…However, the AES accelerator of the ATxmega128A1 can only support 128-bit key, which is not sufficient for long-term security, such as 192-bit and 256-bit security levels. However, previous works utilized the 128-bit AES hardware accelerator for 256-bit scheme in order to achieve high performance by sacrificing the security [27,29,30]. In [28], they only used the software AES from the AVR Crypto Lib for the long-term security level (i.e., 256-bit security level).…”

Section: Aes-based Pseudo Random Number Generatormentioning

confidence: 99%

“…The sampling ensures constant timing or random shuffling. In ICISC'17, Seo et al proposed secure and efficient Ring-LWE implementations by using LUT-based modular reduction technique and random shuffling [30]. This is the first approach to utilize the LUT for reduction.…”

Section: Introductionmentioning

confidence: 99%

“…Recently, in WISA '19,Seo et al presented novel LUT-based modular reduction method [31]. Unlike the previous work in [30], this approach only requires two times of LUT access to perform the modular reduction by modifying the input value.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Fast Number Theoretic Transform for Ring-LWE on 8-bit AVR Embedded Processor

Seo

Kwon

et al. 2020

Sensors

Self Cite

View full text Add to dashboard Cite

In this paper, we optimized Number Theoretic Transform (NTT) and random sampling operations on low-end 8-bit AVR microcontrollers. We focused on the optimized modular multiplication with secure countermeasure (i.e., constant timing), which ensures high performance and prevents timing attack and simple power analysis. In particular, we presented combined Look-Up Table (LUT)-based fast reduction techniques in a regular fashion. This novel approach only requires two times of LUT access to perform the whole modular reduction routine. The implementation is carefully written in assembly language, which reduces the number of memory access and function call routines. With LUT-based optimization techniques, proposed NTT implementations outperform the previous best results by 9.0% and 14.6% for 128-bit security level and 256-bit security level, respectively. Furthermore, we adopted the most optimized AES software implementation to improve the performance of pseudo random number generation for random sampling operation. The encryption of AES-256 counter (CTR) mode used for random number generator requires only 3184 clock cycles for 128-bit data input, which is 9.5% faster than previous state-of-art results. Finally, proposed methods are applied to the whole process of Ring-LWE key scheduling and encryption operations, which require only 524,211 and 659,603 clock cycles for 128-bit security level, respectively. For the key generation of 256-bit security level, 1,325,171 and 1,775,475 clock cycles are required for H/W and S/W AES-based implementations, respectively. For the encryption of 256-bit security level, 1,430,601 and 2,042,474 clock cycles are required for H/W and S/W AES-based implementations, respectively.

show abstract

Section: Number Theoretic Transformmentioning

confidence: 99%