Verification of an Optimized NTT Algorithm

The Number Theoretic Transform (NTT) is an efficient algorithm for computing products of polynomials with coefficients in finite fields. It is a common building block of lattice-based key-exchange and signature schemes. These cryptographic algorithms are becoming increasingly important because they are believed to be quantum resistant: no quantum algorithm is known to break them, unlike older schemes such as RSA or elliptic-curve cryptosystems. Many implementations and optimizations of the NTT have been proposed in the literature. A particularly efficient variant is due to Longa and Naehrig. We have implemented several of these variants, including an improved version of the Longa and Naehrig algorithm. An important concern is to show that arithmetic overflows cannot occur in such code: optimized variants delay modular reductions to save work, so intermediate values grow beyond the modulus and must be shown to stay within the machine word. We report on several attempts at automatically verifying the absence of overflows using static analysis tools. Off-the-shelf tools do not work on the NTT code. We present a specialized abstract-interpretation method that solves the problem.
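As an added illustration of the overflow question (example code written for this page, not the implementation the abstract describes), the following C program runs a radix-2 NTT over Z_q with a simple lazy-reduction schedule, in which only twiddle products are reduced and sums and differences are left unreduced, and checks at every butterfly that the intermediate values stay inside the intervals an interval analysis would predict for that schedule. The modulus q = 12289, the sizes n = 16 and n = 1024, the constructed input polynomial and the schedule itself are assumptions chosen for the example; the Longa and Naehrig variant uses a different reduction, and the bounds here hold only for the schedule shown.

```c
#include <stdint.h>
#include <string.h>

#define Q    12289   /* 12*1024 + 1; 2n divides Q-1 for every power of two n <= MAXN */
#define MAXN 1024

int g_bound_ok = 1;   /* cleared if any intermediate leaves its predicted interval */

/* Bounds an interval analysis derives for the lazy schedule in ntt_core: values
   entering stage s are < (s+1)*Q, so twiddle products there are < (s+1)*Q*(Q-1)
   and both butterfly outputs are < (s+2)*Q. */
int64_t bound_in(int s)   { return (int64_t)(s + 1) * Q; }
int64_t bound_prod(int s) { return bound_in(s) * (Q - 1); }

/* Largest t such that every product of stages 0..t-1 fits in prod_max and every
   coefficient they write fits in coef_max: the arithmetic behind "no overflow". */
int lazy_stages_fitting(int64_t coef_max, int64_t prod_max) {
    int t = 0;
    while (bound_prod(t) - 1 <= prod_max && bound_in(t + 1) - 1 <= coef_max) t++;
    return t;
}

int64_t modpow(int64_t b, int64_t e, int64_t m) {
    int64_t r = 1;
    for (b %= m; e > 0; e >>= 1, b = b * b % m) if (e & 1) r = r * b % m;
    return r;
}

/* psi with psi^n = -1: for n a power of two this is a primitive 2n-th root of unity. */
int32_t find_psi(int n) {
    for (int64_t g = 2; g < Q; g++) {
        int64_t r = modpow(g, (Q - 1) / (2 * n), Q);
        if (modpow(r, n, Q) == Q - 1) return (int32_t)r;
    }
    return -1;
}

unsigned bitrev(unsigned x, int bits) {
    unsigned r = 0;
    while (bits--) { r = (r << 1) | (x & 1); x >>= 1; }
    return r;
}

/* Iterative Cooley-Tukey NTT with lazy reduction: only products are reduced, sums
   and differences grow by at most Q per stage. Input in [0, Q), output reduced.
   For n <= 1024 every product is below 2^31, so production code can multiply in
   int32_t; the int64_t product here only lets the check observe it safely. */
void ntt_core(int32_t *a, int n, int32_t omega) {
    int logn = 0, s = 0;
    while ((1 << logn) < n) logn++;
    for (unsigned i = 0; i < (unsigned)n; i++) {
        unsigned j = bitrev(i, logn);
        if (i < j) { int32_t t = a[i]; a[i] = a[j]; a[j] = t; }
    }
    for (int len = 1; len < n; len <<= 1, s++) {
        int32_t wlen = (int32_t)modpow(omega, n / (2 * len), Q);
        for (int start = 0; start < n; start += 2 * len) {
            int32_t w = 1;
            for (int j = 0; j < len; j++) {
                int32_t *lo = &a[start + j], *hi = &a[start + j + len];
                int64_t prod = (int64_t)*hi * w;
                int32_t u = *lo, v = (int32_t)(prod % Q);
                *lo = u + v;        /* unreduced, < (s+2)*Q */
                *hi = u - v + Q;    /* unreduced, in [1, (s+2)*Q) */
                if (prod >= bound_prod(s) || *lo >= bound_in(s + 1) ||
                    *hi >= bound_in(s + 1) || *hi < 1) g_bound_ok = 0;
                w = (int32_t)((int64_t)w * wlen % Q);
            }
        }
    }
    for (int i = 0; i < n; i++) a[i] %= Q;
}

/* Negacyclic forward transform: scale by psi^i, then an NTT with omega = psi^2.
   The inverse is the same core run with omega^-1 followed by n^-1 * psi^-i. */
void ntt_forward(int32_t *a, int n, int32_t psi) {
    int32_t p = 1;
    for (int i = 0; i < n; i++) { a[i] = a[i] * p % Q; p = p * psi % Q; }
    ntt_core(a, n, (int32_t)((int64_t)psi * psi % Q));
}

/* Reference: evaluate a at the roots psi^(2k+1) of x^n + 1 directly, O(n^2). */
void ntt_direct(const int32_t *a, int32_t *out, int n, int32_t psi) {
    for (int k = 0; k < n; k++) {
        int64_t acc = 0, root = modpow(psi, 2 * k + 1, Q), pw = 1;
        for (int i = 0; i < n; i++) { acc = (acc + a[i] * pw) % Q; pw = pw * root % Q; }
        out[k] = (int32_t)acc;
    }
}

/* Transform a constructed polynomial both ways; returns 1 iff the fast NTT
   matches direct evaluation and no intermediate left its predicted interval. */
int demo(int n) {
    int32_t a[MAXN], fast[MAXN], ref[MAXN], psi = find_psi(n);
    for (int i = 0; i < n; i++) a[i] = (17 * i * i + 3) % Q;   /* constructed input */
    memcpy(fast, a, n * sizeof *a);
    g_bound_ok = 1;
    ntt_forward(fast, n, psi);
    ntt_direct(a, ref, n, psi);
    return g_bound_ok && memcmp(fast, ref, n * sizeof *a) == 0;
}
```

demo(16) and demo(1024) both return 1: the lazy transform agrees with direct evaluation and every intermediate stays inside its interval. The interesting output is lazy_stages_fitting: with 16-bit coefficient storage and 32-bit products it returns 4, so after four stages a reduction is forced, while with 32-bit storage for both it returns 14, enough for n = 16384 under this schedule. An interval analysis has to carry exactly this kind of per-stage bound through the loop nest, which is why a generic widening that collapses the loop counter to "unknown" loses the proof.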
