Hardware accelerators for post-quantum cryptography and fully homomorphic encryption

Agrawal, Rashmi

16 January 2023

With the monetization of user data, data breaches have become very common these days. In the past five years, there were more than 7000 data breaches involving theft of personal information of billions of people. In the year 2020 alone, the global average cost per data breach was $3.86 million, and this number rose to $4.24 million in 2021. Therefore, the need for maintaining data security and privacy is becoming increasingly critical. Over the years, various data encryption schemes including RSA, ECC, and AES are being used to enable data security and privacy. However, these schemes are deemed vulnerable to quantum computers with their enormous processing power. As quantum computers are expected to become main stream in the near future, post-quantum secure encryption schemes are required. To this end, through NIST’s standardization efforts, code-based and lattice-based encryption schemes have emerged as one of the plausible way forward. Both code-based and lattice-based encryption schemes enable public key cryptosystems, key exchange mechanisms, and digital signatures. In addition, lattice-based encryption schemes support fully homomorphic encryption (FHE) that enables computation on encrypted data. Over the years, there have been several efforts to design efficient FPGA-based and ASIC-based solutions for accelerating the code-based and lattice-based encryption schemes. The conventional code-based McEliece cryptosystem uses binary Goppa code, which has good code rate and error correction capability, but suffers from high encoding and decoding complexity. Moreover, the size of the generated public key is in several MBs, leading to cryptosystem designs that cannot be accommodated on low-end FPGAs. In lattice-based encryption schemes, large polynomial ring operations form the core compute kernel and remain a key challenge for many hardware designers. To extend support for large modular arithmetic operations on an FPGA, while incurring low latency and hardware resource utilization requires substantial design efforts. Moreover, prior FPGA solutions for lattice-based FHE include hardware acceleration of basic FHE primitives for impractical parameter sets without the support for bootstrapping operation that is critical to building real-time privacy-preserving applications. Similarly, prior ASIC proposals of FHE that include bootstrapping are heavily memory bound, leading to large execution times, underutilized compute resources, and cost millions of dollars. To respond to these challenges, in this dissertation, we focus on the design of efficient hardware accelerators for code-based and lattice-based public key cryptosystems (PKC). For code-based PKC, we propose the design of a fully-parameterized en/decryption co-processor based on a new variant of McEliece cryptosystem. This co-processor takes advantage of the non-binary Orthogonal Latin Square Code (OLSC) to achieve a lower computational complexity along with smaller key size than that of the binary Goppa code. Our FPGA-based implementation of the co-processor is ∼3.5× faster than an existing classic McEliece cryptosystem implementation. For lattice-based PKC, we propose the design of a co-processor that implements large polynomial ring operations. It uses a fully-pipelined NTT polynomial multiplier to perform fast polynomial multiplications. We also propose the design of a highly-optimized Gaussian noise sampler, capable of sampling millions of high-precision samples per second. Through an FPGA-based implementation of this lattice-based PKC co-processor, we achieve a speedup of 6.5× while utilizing 5× less hardware resources as compared to state-of-the-art implementations. Leveraging our work on lattice-based PKC implementation, we explore the design of hardware accelerators that perform FHE operations using Cheon-Kim-Kim-Song (CKKS) scheme. Here, we first perform an in-depth architectural analysis of various FHE operations in the CKKS scheme so as to explore ways to accelerate an end-to-end FHE application. For this analysis, we develop a custom architecture modeling tool, SimFHE, to measure the compute and memory bandwidth requirements of hardware-accelerated CKKS. Our analysis using SimFHE reveals that, without a prohibitively large cache, all FHE operations exhibit low arithmetic intensity (<1 Op/byte). To address the memory bottleneck resulting from the low arithmetic intensity, we propose several memory-aware design (MAD) techniques, including caching and algorithmic optimizations, to reduce the memory requirements of CKKS-based application execution. We show that the use of our MAD techniques can yield an ASIC design that is at least 5-10× cheaper than the large-cache proposals, but only ∼2-3× slower. We also design FAB, an FPGA-based accelerator for bootstrappable FHE. FAB, for the first time ever, accelerates bootstrapping (along with basic FHE primitives) on an FPGA for a secure and practical parameter set. FAB tackles the memory-bounded nature of bootstrappable FHE through judicious datapath modification, smart operation scheduling, and on-chip memory management techniques to maximize the overall FHE-based compute throughput. FAB outperforms all prior CPU/GPU works by 9.5× to 456× and provides a practical performance for our target application: secure training of logistic regression models. / 2025-01-16T00:00:00Z

Computer engineering

FPGA

Fully homomorphic encryption

Hardware accelerator

Post-quantum cryptography

Privacy-preserving computing

Post-quantum algorithms for digital signing in Public Key Infrastructures / Post-quantum-algoritmer för digitala signaturer i Public Key Infrastructures

Sjöberg, Mikael

January 2017

One emerging threat to Public Key Infrastructures is the possible development of large-scale quantum computers, which would be able to break the public-key cryptosystems used today. Several possibly post-quantum secure cryptographic algorithms have been proposed but so far they have not been used in many practical settings. The purpose of this thesis was to find post-quantum digital signature algorithms that might be suitable for use in Public Key Infrastructures today. To answer the research question, an extensive literature study was conducted where relevant algorithms were surveyed. Algorithms with high-grade implementations in different cryptographic libraries were benchmarked for performance. Hash-based XMSS and SPHINCS, multivariate-based Rainbow and lattice-based BLISS-B were benchmarked and the results showed that BLISS-B offered the best performance, on par with RSA and ECDSA. All the algorithms did however have relatively large signature sizes and/or key sizes. Support for post-quantum digital signature algorithms in Public Key Infrastructure products could easily be achieved since many algorithms are implemented in cryptographic libraries. The algorithms that could be recommended for use today were SPHINCS for high-security applications and possibly BLISS-B for lower security applications requiring higher efficiency. The biggest obstacles to widespread deployment of post-quantum algorithms was deemed to be lack of standardisation and either inefficient operations compared to classical algorithms, uncertain security levels, or both. / Ett nytt hot mot Public Key Infrastructures är den möjliga utvecklingen av storskaliga kvantdatorer som kan knäcka de asymmetriska kryptosystem som används idag. Ett flertal eventuellt kvantsäkra algoritmer har presenterats men de har än så länge inte sett mycket praktisk användning. Målet med detta examensarbete var att försöka identifiera eventuellt kvantsäkra signaturalgoritmer som skulle kunna lämpa sig för användning i Public Key Infrastructures idag. För att besvara forskningsfrågan gjordes en utredande litteraturstudie där relevanta signaturalgoritmer identifierades. Därefter prestandatestades de algoritmer som var implementerade i kryptografiska bibliotek. De algoritmer som prestandatestades var de hash-baserade algoritmerna XMSS och SPHINCS, flervariabel-baserade Rainbow och gitter-baserade BLISS-B. Resultaten visade att BLISS-B hade bäst prestanda och att prestandan var i nivå med RSA och ECDSA. Samtliga algoritmer hade emellertid relativt stora signatur- och/eller nyckelstorlekar. Eventuellt kvantsäkra algoritmer skulle redan idag kunna stödjas i Public Key Infrastructures eftersom många algoritmer finns implementerade i kryptografiska bibliotek. SPHINCS kunde rekommenderas när hög säkerhet krävs medan BLISS-B möjligtvis skulle kunna användas när lägre säkerhet kan tolereras i utbyte mot bättre prestanda. Största hindren för utbredd användning ansågs vara en brist på standardisering samt ineffektiva operationer jämfört med klassiska algoritmer och/eller tveksamma säkerhetsnivåer.

Post-quantum algorithms

Digital signature algorithms

Public Key Infrastructures

Computer Sciences

Datavetenskap (datalogi)

A Cryptanalysis of Lifted Underdetermined Multivariate Cryptosystems

Deaton, Joshua

23 August 2022

No description available.

Mathematics

Cryptanalysis

Multivariate

Cryptography

Post-Quantum

Solving System of Polynomial Equations

Mathematics

Post-quantum self-tallying voting protocol

Wong, Vonn Kee

22 August 2022

No description available.

Mathematics

voting protocol

post-quantum

ring learning with errors

zero knowledge proofs

Zero-Knowledge Proof for Knowledge of RLWE (Ring-Learning with Errors) Secret Keys

R V, Saraswathy

07 June 2018

No description available.

Mathematics

key exchange

RLWE

post-quantum

key reuse

active attacks

zero knowledge

New Password Authenticated Key Exchange Based on the Ring Learning with Errors

Alsayigh, Saed A.

24 October 2016

No description available.

Mathematics

Key Exchange

PAKE

Ring Learning with Errors

authentication

post-quantum

lattice reduction

A deep learning based side-channel analysis of an FPGA implementation of Saber / En djupinlärningsbaserad sidokanalanalys av en FPGA-implementering av Saber

Ji, Yanning

January 2022

In 2016, NIST started a post quantum cryptography (PQC) standardization project in response to the rapid development of quantum algorithms which break many public-key cryptographic schemes. As the project nears its end, it is necessary to assess the resistance of its finalists to side-channel attacks. Although several side-channel attacks on software implementations PQCfinalists have been presented in recent papers, hardware implementations have been investigated much less. In this thesis, we present the first side-channel attack on an FPGA implementation of one of the NIST PQC finalists, Saber. Our experiments are performed on a publicly availible implementation of Saber compiled with Xilinx Vivado for an Artix-7 XC7A100T FPGA. We trained several deep learning models in an attempt to recover the Hamming weight and value of messages using their corresponding power traces. We also proposed a method to determine the Hamming weight of messages through binary search based on these models. We found out that, due to the difference in software and hardware implementations, the previously presented message recovery method that breaks a masked software implementation of Saber cannot be directly applied to the hardware implementation. The main reason for this is that, in the hardware implementation used in our experiments, all 256 bits of a message are processed in parallel, while in the software implementation used in the previous work, the bits are processed one-by-one. Future works includes finding new methods for analyzing hardware implementations. / Under 2016 startade NIST ett standardiseringsprojekt efter kvantkryptering (PQC) som svar på den snabba utvecklingen av kvantalgoritmer som bryter många kryptografiska system med offentliga nyckel. När projektet närmar sig sitt slut är det nödvändigt att bedöma finalisternas motstånd mot sidokanalsattacker. Även om flera sidokanalsattacker på programvaruimplementationer PQC-finalister har presenterats i de senaste tidningarna, har hårdvaruimplementationer undersökts mycket mindre. I denna avhandling presenterar vi den första sidokanalsattacken på en FPGA-implementering av en av NIST PQC-finalisterna, Sabre. Våra experiment utförs på en allmänt tillgänglig implementering av Sabre kompilerad med Xilinx Vivado för en Artix-7 XC7A100T FPGA. Vi tränade f lera modeller för djupinlärning i ett försök att återställa Hamming-vikten och värdet av meddelanden med hjälp av deras motsvarande kraftspår. Vi föreslog också en metod för att bestämma Hamming-vikten för meddelanden genom binär sökning baserat på dessa modeller. Vi fick reda på att, på grund av skillnaden i mjukvaru- och hårdvaruimplementationer, kan den tidigare presenterade meddelandeåterställningsmetoden som bryter en maskerad mjukvaruimplementering av Sabre inte direkt appliceras på hårdvaruimplementeringen. Den främsta anledningen till detta är att i hårdvaruimplementeringen som används i våra experiment bearbetas alla 256 bitar i ett meddelande parallellt, medan i mjukvaruimplementeringen som användes i det tidigare arbetet bearbetas bitarna en i taget. Framtida arbete inkluderar att hitta nya metoder för att analysera hårdvaruimplementationer.

Side-Channel Attack

Deep Learning

Post-quantum Cryptography

Sidokanalsattack

djupinlärning

postkvantkryptering

Computer and Information Sciences

Data- och informationsvetenskap

Advances Towards Practical Implementations of Isogeny Based Signatures

Gorrie, Robert W.V.

January 2019

Progress in the field of quantum computing has shown that, should construction of a sufficiently powerful quantum computer become feasible, much of the cryptography used on the Internet today will be rendered insecure. In lieu of this, several approaches to “quantum-safe” cryptography have been proposed, each one becoming a serious field of study. The youngest of these approaches, isogeny based cryptography, is oriented around problems in algebraic geometry involving a particular variety of elliptic curves. Supersingular isogeny Diffie-Hellman (SIDH) is this subfields main contender for quantum-safe key-exchange. Yoo et al. have provided an isogeny-based signature scheme built on top of SIDH. Currently, cryptographic algorithms in this class are hindered by poor performance metrics and, in the case of the Yoo et al. signature scheme, large communication overhead. In this dissertation we explore two different modifications to the implementation of this signature scheme; one with the intent of improving temporal performance, and another with the intent of reducing signature sizes. We show that our first modification, a mechanism for batching together expensive operations, can offer roughly 8% faster signature signing and verification. Our second modification, an adaptation of the SIDH public key compression technique outlined in [CJL + 17], can reduce Yoo et al. signature sizes from roughly 688λ bytes to 544λ bytes at the 128-bit security level on a 64-bit operating system. We also explore the combination of these techniques, and the potential of employing these techniques in different application settings. Our experiments reveal that isogeny based cryptosystems still have much potential for improved performance metrics. While some practitioners may believe isogeny-based cryptosystems impractical, we show that these systems still have room for improvement, and with continued research can be made more efficient - and eventually practical. Achieving more efficient implementations for quantum-safe algorithms will allow us to make them more accessible. With faster and lower-overhead implementations these primitives can be run on low bandwidth, low spec devices; ensuring that more and more machines can be made resistant to quantum cryptanalysis. / Thesis / Master of Science (MSc)

isogeny

cryptography

elliptic curve

SIDH

signature

optimization

efficient

post-quantum

quantum-safe

Algebraic Construction for Multi-Party Protocols with Focus on Threshold Signatures

Battagliola, Michele

29 April 2024

Secure multi-party computation (MPC) is a field of cryptography that aims to provide methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike of traditional cryptography where adversary is outside the system of participants, the main task (and challenge) of MPC is to protect participants from internal adversaries, who participate in protocol and can therefore send corrupted. The results presented in this thesis are three-fold. First, we study MPC from a theoretical standpoint, designing a new heuristic and a new proof system useful for proving the security of threshold signatures, a particular kind of MPC protocol. Next, we present new MPC primitives: a novel secret sharing scheme, a threshold version of Schnorr signature, a post quantum secure group action based threshold signature and finally a post quantum oblivious transfer. Lastly, we designed a coercion resistant e-voting protocol, that allows voters to freely votes without being afraid of external adversaries trying to pressure them to vote in a particular way.

Settore MAT/02 - Algebra

Theoretical and Practical Aspects of the Migration to Post Quantum Cryptography

Schröck, Florian

23 April 2024

Partial Post Quantum Cryptography migration of GitLab Community Edition source code with 3 main contributions 1. Devloped RubyCrypt - a simple scanner to assist the Cryptographic Inventory Compilation of Ruby apps 2. Configured git to use PQC signature (CRYSTALS-Dilithium) for commit signing 3. Included CRYSTALS-Dilithium to ssh_data, a common cryptographic Ruby gem used by GitLab (& GitHub):1. Introduction 2. Theoretical Background - Post Quantum Cryptography 2.1. Code-based Cryptography 2.1.1. McEliece Cryptosystem 2.2. Lattice-based Cryptography 2.2.1. CRYSTALS-Dilithium 3. Post Quantum Cryptography Migration of GitLab - a Case Study 3.1. Problem Statement 3.2. Related Work 3.2.1. Software Tools for Static Program Analysis 3.3. Chosen Approach 4. Implementation 4.1. Cryptographic Inventory Compilation 4.1.1. Results 4.2. Migration Planning 4.3. Migration Execution 4.3.1. PQC Commit Signatures in git 4.3.2. Including Dilithium to ssh_data 5. Conclusion and Outlook 6. References List of Tables List of Figures List of Source Code Acronyms Notation / Partielle Migration des GitLab Community Edition Source Codes auf Verfahren der Post-Quanten-Kryptographie mit 3 Hauptergebnissen 1. Entwicklung von RubyCrypt - einem simplen Scanner zur Unterstützung der Inventarisierung verwendeter Kryptographie in Ruby-Anwendungen 2. Konfiguration von git zur Verwendung des quantensicheren Signaturalgorithmus CRYSTALS-Dilithium zur Signatur von Commits 3. Integration von CRYSTALS-Dilithium in ssh_data, ein populäres kryptographisches Ruby gem welches in GitLab (und GitHub) verwendet wird:1. Introduction 2. Theoretical Background - Post Quantum Cryptography 2.1. Code-based Cryptography 2.1.1. McEliece Cryptosystem 2.2. Lattice-based Cryptography 2.2.1. CRYSTALS-Dilithium 3. Post Quantum Cryptography Migration of GitLab - a Case Study 3.1. Problem Statement 3.2. Related Work 3.2.1. Software Tools for Static Program Analysis 3.3. Chosen Approach 4. Implementation 4.1. Cryptographic Inventory Compilation 4.1.1. Results 4.2. Migration Planning 4.3. Migration Execution 4.3.1. PQC Commit Signatures in git 4.3.2. Including Dilithium to ssh_data 5. Conclusion and Outlook 6. References List of Tables List of Figures List of Source Code Acronyms Notation