Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware

Nearly all of the currently used signature schemes, such as RSA or DSA, are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. As a consequence, the appearance of quantum computers or algorithmic advances on these problems may lead to the unpleasant situation that a large number of today's schemes will most likely need to be replaced with more secure alternatives. In this work we present such an alternative-an efficient signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 1.5 kB and 0.3 kB long, while the signature size is approximately 1.1 kB for a security level of around 80 bits. We provide implementation results on reconfigurable hardware (Spartan/Virtex-6) and demonstrate that the scheme is scalable, has low area consumption, and even outperforms classical schemes.

[1]  J.D. Golic,et al.  New Methods for Digital Generation and Postprocessing of Random Data , 2006, IEEE Transactions on Computers.

[2]  Daniele Micciancio,et al.  Asymptotically Efficient Lattice-Based Digital Signatures , 2018, Journal of Cryptology.

[3]  Andrey Bogdanov,et al.  Fast multivariate signature generation in hardware: The case of rainbow , 2008, 2008 International Conference on Application-Specific Systems, Architectures and Processors.

[4]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[5]  Stanislav Bulygin,et al.  Small Public Keys and Fast Verification for $\mathcal{M}$ ultivariate $\mathcal{Q}$ uadratic Public Key Systems , 2011, CHES.

[6]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[7]  Chris Peikert,et al.  SWIFFT: A Modest Proposal for FFT Hashing , 2008, FSE.

[8]  Christophe De Cannière,et al.  Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles , 2006, ISC.

[9]  M. Anwar Hasan,et al.  High-Performance Architecture of Elliptic Curve Scalar Multiplication , 2008, IEEE Transactions on Computers.

[10]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[11]  Anatolij A. Karatsuba,et al.  Multiplication of Multidigit Numbers on Automata , 1963 .

[12]  Matthieu Finiasz Parallel-CFS - Strengthening the CFS McEliece-Based Signature Scheme , 2010, Selected Areas in Cryptography.

[13]  Oded Regev,et al.  Lattice-Based Cryptography , 2006, CRYPTO.

[14]  Vadim Lyubashevsky,et al.  Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures , 2009, ASIACRYPT.

[15]  Jovan Dj. Golic,et al.  High-Speed True Random Number Generation with Logic Gates Only , 2007, CHES.

[16]  Daniele Micciancio Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2007, computational complexity.

[17]  Joseph H. Silverman,et al.  NSS: An NTRU Lattice-Based Signature Scheme , 2001, EUROCRYPT.

[18]  Phong Q. Nguyen,et al.  Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures , 2009, Journal of Cryptology.

[19]  Nicolas Gama,et al.  Predicting Lattice Reduction , 2008, EUROCRYPT.

[20]  Thomas Eisenbarth,et al.  Faster Hash-Based Signatures with Bounded Leakage , 2013, Selected Areas in Cryptography.

[21]  Antoine Joux,et al.  A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic , 2013, IACR Cryptol. ePrint Arch..

[22]  Phong Q. Nguyen,et al.  BKZ 2.0: Better Lattice Security Estimates , 2011, ASIACRYPT.

[23]  Daisuke Suzuki,et al.  How to Maximize the Potential of FPGA Resources for Modular Exponentiation , 2007, CHES.

[24]  Stanislav Bulygin,et al.  Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems , 2011, IACR Cryptol. ePrint Arch..

[25]  PointchevalDavid,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2000 .

[26]  Tim Güneysu,et al.  Towards Efficient Arithmetic for Lattice-Based Cryptography on Reconfigurable Hardware , 2012, LATINCRYPT.

[27]  Tim Güneysu,et al.  Ultra High Performance ECC over NIST Primes on Commercial FPGAs , 2008, CHES.

[28]  Johannes A. Buchmann,et al.  Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers , 2013, IACR Cryptol. ePrint Arch..

[29]  Steven D. Galbraith,et al.  Sampling from discrete Gaussians for lattice-based cryptography on a constrained device , 2014, Applicable Algebra in Engineering, Communication and Computing.

[30]  Patrick Schaumont,et al.  Low-cost and area-efficient FPGA implementations of lattice-based cryptography , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[31]  Tim Güneysu,et al.  Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware , 2013, Selected Areas in Cryptography.

[32]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[33]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[34]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[35]  Abdulhadi Shoufan,et al.  A Novel Cryptoprocessor Architecture for the McEliece Public-Key Cryptosystem , 2010, IEEE Transactions on Computers.

[36]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[37]  Tim Güneysu,et al.  Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems , 2012, CHES.

[38]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[39]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[40]  Daniele Micciancio,et al.  Generalized Compact Knapsacks Are Collision Resistant , 2006, ICALP.

[41]  Sorin A. Huss,et al.  On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes , 2012, CHES.

[42]  William Whyte,et al.  NTRUSIGN: Digital Signatures Using the NTRU Lattice , 2003, CT-RSA.

[43]  Chris Peikert,et al.  Hardness of SIS and LWE with Small Parameters , 2013, CRYPTO.

[44]  J. Solinas CORR 99-39 Generalized Mersenne Numbers , 1999 .

[45]  Tim Güneysu,et al.  MicroEliece: McEliece for Embedded Devices , 2009, CHES.

[46]  Frederik Vercauteren,et al.  High Precision Discrete Gaussian Sampling on FPGAs , 2013, Selected Areas in Cryptography.

[47]  Rachid El Bansarkhani,et al.  Improvement and Effi cient Implementation of a Lattice-based Signature Scheme , 2013, IACR Cryptol. ePrint Arch..

[48]  Antoine Joux,et al.  A New Index Calculus Algorithm with Complexity $$L(1/4+o(1))$$ in Small Characteristic , 2013, Selected Areas in Cryptography.

[49]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[50]  Matthieu Finiasz,et al.  How to Achieve a McEliece-Based Digital Signature Scheme , 2001, ASIACRYPT.

[51]  Ron Steinfeld,et al.  Efficient Public Key Encryption Based on Ideal Lattices , 2009, ASIACRYPT.

[52]  Jacques Stern,et al.  An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding , 1996, EUROCRYPT.

[53]  Léo Ducas,et al.  Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures , 2012, ASIACRYPT.

[54]  Sanjeev Arora,et al.  New Algorithms for Learning in Presence of Errors , 2011, ICALP.

[55]  Franz Winkler,et al.  Polynomial Algorithms in Computer Algebra , 1996, Texts and Monographs in Symbolic Computation.

[56]  Arnaud Tisserand,et al.  FPGA Implementation of a Recently Published Signature Scheme , 2004 .

[57]  Chen-Mou Cheng,et al.  SSE Implementation of Multivariate PKCs on Modern x86 CPUs , 2009, CHES.

[58]  Johannes A. Buchmann,et al.  XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions , 2011, IACR Cryptol. ePrint Arch..

[59]  Willi Meier,et al.  Quark: A Lightweight Hash , 2010, Journal of Cryptology.

[60]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[61]  Andreas Hülsing,et al.  Forward Secure Signatures on Smart Cards , 2012, Selected Areas in Cryptography.

[62]  Peter Schwabe,et al.  McBits: Fast Constant-Time Code-Based Cryptography , 2013, CHES.

[63]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[64]  Andrey Bogdanov,et al.  Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? , 2008, IACR Cryptol. ePrint Arch..

[65]  Peter Schwabe,et al.  Software Speed Records for Lattice-Based Signatures , 2013, PQCrypto.