Lattice-based encryption over standard lattices in hardware

Lattice-based cryptography has gained credence recently as a replacement for current public-key cryptosystems, due to its quantum-resilience, versatility, and relatively low key sizes. To date, encryption based on the learning with errors (LWE) problem has only been investigated from an ideal lattice standpoint, due to its computation and size efficiencies. However, a thorough investigation of standard lattices in practice has yet to be considered. Standard lattices may be preferred to ideal lattices due to their stronger security assumptions and less restrictive parameter selection process. In this paper, an area-optimised hardware architecture of a standard lattice-based cryptographic scheme is proposed. The design is implemented on a FPGA and it is found that both encryption and decryption fit comfortably on a Spartan-6 FPGA. This is the first hardware architecture for standard lattice-based cryptography reported in the literature to date, and thus is a benchmark for future implementations. Additionally, a revised discrete Gaussian sampler is proposed which is the fastest of its type to date, and also is the first to investigate the cost savings of implementing with A/2-bits of precision. Performance results are promising compared to the hardware designs of the equivalent ring-LWE scheme, which in addition to providing stronger security proofs; generate 1272 encryptions per second and 4395 decryptions per second.

[1]  Chris Peikert,et al.  An Efficient and Parallel Gaussian Sampler for Lattices , 2010, CRYPTO.

[2]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[3]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[4]  Kristin E. Lauter,et al.  Provably Weak Instances of Ring-LWE , 2015, CRYPTO.

[5]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[6]  Frederik Vercauteren,et al.  High Precision Discrete Gaussian Sampling on FPGAs , 2013, Selected Areas in Cryptography.

[7]  Johannes A. Buchmann,et al.  Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers , 2013, IACR Cryptol. ePrint Arch..

[8]  Sorin A. Huss,et al.  On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes , 2012, CHES.

[9]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[10]  Andrew Chi-Chih Yao,et al.  The complexity of nonuniform random number generation , 1976 .

[11]  Hao Chen,et al.  Attacks on Search RLWE , 2015, IACR Cryptol. ePrint Arch..

[12]  Tim Güneysu,et al.  Enhanced Lattice-Based Signatures on Reconfigurable Hardware , 2014, CHES.

[13]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[14]  Raphael Overbeck,et al.  Code-based cryptography , 2009 .

[15]  O. Regev The Learning with Errors problem , 2010 .

[16]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[17]  Kristin E. Lauter,et al.  Weak Instances of PLWE , 2014, Selected Areas in Cryptography.

[18]  Frederik Vercauteren,et al.  Compact Ring-LWE Cryptoprocessor , 2014, CHES.

[19]  Frederik Vercauteren,et al.  Compact and Side Channel Secure Discrete Gaussian Sampling , 2014, IACR Cryptol. ePrint Arch..

[20]  Michael Schneider,et al.  Sieving for Shortest Vectors in Ideal Lattices , 2013, AFRICACRYPT.

[21]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[22]  Ronald Cramer,et al.  Recovering Short Generators of Principal Ideals in Cyclotomic Rings , 2016, EUROCRYPT.

[23]  Anja Becker,et al.  Efficient (Ideal) Lattice Sieving Using Cross-Polytope LSH , 2015, AFRICACRYPT.

[24]  Oded Regev,et al.  The Learning with Errors Problem (Invited Survey) , 2010, 2010 IEEE 25th Annual Conference on Computational Complexity.

[25]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[26]  Daniele Micciancio,et al.  Generalized Compact Knapsacks Are Collision Resistant , 2006, ICALP.

[27]  Hideki Imai,et al.  Public Quadratic Polynominal-Tuples for Efficient Signature-Verification and Message-Encryption , 1988, EUROCRYPT.

[28]  Markku-Juhani O. Saarinen Gaussian Sampling Precision and Information Leakage in Lattice Cryptography , 2015, IACR Cryptol. ePrint Arch..

[29]  Thomas Poppelmann,et al.  Area optimization of lightweight lattice-based encryption on reconfigurable hardware , 2014, 2014 IEEE International Symposium on Circuits and Systems (ISCAS).

[30]  Michael Naehrig,et al.  Sieving for shortest vectors in ideal lattices: a practical perspective , 2017, Int. J. Appl. Cryptogr..

[31]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[32]  Tsuyoshi Takagi,et al.  Parallel Gauss Sieve Algorithm: Solving the SVP Challenge over a 128-Dimensional Ideal Lattice , 2014, Public Key Cryptography.

[33]  Tim Güneysu,et al.  Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware , 2013, Selected Areas in Cryptography.

[34]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..