A Survey on Homomorphic Encryption Schemes: Theory and Implementation

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

FPGA Implementation of Post-Quantum Cryptography Recommended by NIST

In the next 10 to 50 years, the quantum computer is expected to be available and quantum computing has the potential to defeat RSA (Rivest-Shamir-Adleman Cryptosystem) and ECC (Elliptic Curve Cryptosystem). Therefore there is an urgentneed to do research on post-quantum cryptography and its implementation. In this thesis, four new Truncated Polynomial Multipliers (TPM), namely, TPM-I, TPM-II, TPM-III, and TPM-IV for NTRU Prime system are proposed. To the best of our knowledge, this is the first time to focus on time-efficient hardware architectures and implementation of NTRU Prime with FPGA. TPM-I uses a modified linear feedback shift register (LFSR) based architecture for NTRU prime system. TPM-II makes use of x^2-net structure for NTRU Prime system, which scans two consecutive coefficients in the control input polynomial r(x) in one clock cycle. In TPM-III and TPM-IV, three consecutive zeros and consecutive zeros in the control input polynomial r(x) are scanned during one clock cycle, respectively. FPGA implementation results are obtained for the four proposed polynomial multiplication architectures and a comparison between the proposed multiplier FPGA results for NTRU Prime system and the existing work on NTRUEncrypt is shown. Regarding space complexity, TPM-I can reduce the area consumption with the least logical elements, although it takes more latency time among the four proposed multipliers and NTRUEncrypt work [12]. TPM-II has the best performance of latency with parameter sets ees401ep1, ees449ep1, ees677ep1 in security levels: 112-bit, 128-bit, and 192-bit, respectively. TPM-IV uses the smallest latency time with the parameter set ees1087ep2 in security level 256, compared to the other three latency time of proposed multipliers. Both TPM-II and TPM-IV have a lower latency time compared to NTRUEncrypt work [12] in different security levels. Note that NTRU Prime has enhanced security in comparison with NTRUEncrypt due to the fact, the former uses a new truncated polynomial ring, which has a more secure structure

Post-Quantum Cryptography for Internet of Things: A Survey on Performance and Optimization

Due to recent development in quantum computing, the invention of a large quantum computer is no longer a distant future. Quantum computing severely threatens modern cryptography, as the hard mathematical problems beneath classic public-key cryptosystems can be solved easily by a sufficiently large quantum computer. As such, researchers have proposed PQC based on problems that even quantum computers cannot efficiently solve. Generally, post-quantum encryption and signatures can be hard to compute. This could potentially be a problem for IoT, which usually consist lightweight devices with limited computational power. In this paper, we survey existing literature on the performance for PQC in resource-constrained devices to understand the severeness of this problem. We also review recent proposals to optimize PQC algorithms for resource-constrained devices. Overall, we find that whilst PQC may be feasible for reasonably lightweight IoT, proposals for their optimization seem to lack standardization. As such, we suggest future research to seek coordination, in order to ensure an efficient and safe migration toward IoT for the post-quantum era.Comment: 13 pages, 3 figures and 7 tables. Formatted version submitted to ACM Computer Survey

SoK: Fully Homomorphic Encryption Accelerators

Fully Homomorphic Encryption~(FHE) is a key technology enabling privacy-preserving computing. However, the fundamental challenge of FHE is its inefficiency, due primarily to the underlying polynomial computations with high computation complexity and extremely time-consuming ciphertext maintenance operations. To tackle this challenge, various FHE accelerators have recently been proposed by both research and industrial communities. This paper takes the first initiative to conduct a systematic study on the 14 FHE accelerators -- cuHE/cuFHE, nuFHE, HEAT, HEAX, HEXL, HEXL-FPGA, 100$\times$, F1, CraterLake, BTS, ARK, Poseidon, FAB and TensorFHE. We first make our observations on the evolution trajectory of these existing FHE accelerators to establish a qualitative connection between them. Then, we perform testbed evaluations of representative open-source FHE accelerators to provide a quantitative comparison on them. Finally, with the insights learned from both qualitative and quantitative studies, we discuss potential directions to inform the future design and implementation for FHE accelerators

Multi-Unit Serial Polynomial Multiplier to Accelerate NTRU-Based Cryptographic Schemes in IoT Embedded Systems

Concern for the security of embedded systems that implement IoT devices has become a crucial issue, as these devices today support an increasing number of applications and services that store and exchange information whose integrity, privacy, and authenticity must be adequately guaranteed. Modern lattice-based cryptographic schemes have proven to be a good alternative, both to face the security threats that arise as a consequence of the development of quantum computing and to allow efficient implementations of cryptographic primitives in resource-limited embedded systems, such as those used in consumer and industrial applications of the IoT. This article describes the hardware implementation of parameterized multi-unit serial polynomial multipliers to speed up time-consuming operations in NTRU-based cryptographic schemes. The flexibility in selecting the design parameters and the interconnection protocol with a general-purpose processor allow them to be applied both to the standardized variants of NTRU and to the new proposals that are being considered in the post-quantum contest currently held by the National Institute of Standards and Technology, as well as to obtain an adequate cost/performance/security-level trade-off for a target application. The designs are provided as AXI4 bus-compliant intellectual property modules that can be easily incorporated into embedded systems developed with the Vivado design tools. The work provides an extensive set of implementation and characterization results in devices of the Xilinx Zynq-7000 and Zynq UltraScale+ families for the different sets of parameters defined in the NTRUEncrypt standard. It also includes details of their plug and play inclusion as hardware accelerators in the C implementation of this public-key encryption scheme codified in the LibNTRU library, showing that acceleration factors of up to 3.1 are achieved when compared to pure software implementations running on the processing systems included in the programmable devices.European Union 952622Ministerio de Ciencia e Innovación PID2020-116664RB100, 10.13039/50110001103

Performance and Efficiency Exploration of Hardware Polynomial Multipliers for Post-Quantum Lattice-Based Cryptosystems

The significant effort in the research and design of large-scale quantum computers has spurred a transition to post-quantum cryptographic primitives worldwide. The post-quantum cryptographic primitive standardization effort led by the US NIST has recently selected the asymmetric encryption primitive Kyber as its candidate for standardization and indicated NTRU, as a valid alternative if intellectual property issues are not solved. Finally, a more conservative alternative to NTRU, NTRUPrime was also considered as an alternate candidate, due to its design choices that remove the possibility for a large set of attacks preemptively. All the aforementioned asymmetric primitives provide good performances, and are prime choices to provide IoT devices with post-quantum confidentiality services. In this work, we present a comprehensive exploration of hardware designs for the computation of polynomial multiplications, the workhorse operation in all the aforementioned cryptosystems, with a thorough analysis of performance, compactness and efficiency. The presented designs cope with the differences in the arithmetics of polynomial rings employed by distinct cryptosystems, benefiting from configurations and optimizations that are applicable at synthesis time and/or run time. In this context, we target a use case scenario where long-term key pairs are used, such as the ones for VPNs (e.g., over IPSec), secure shell protocols and instant messaging applications. Our high-performance design variants exhibit figures of latency comparable to the ones needed for the execution of the symmetric cryptographic primitives also included in the Post-Quantum schemes. Notably, the performance figures of the designs proposed for NTRU and NTRU Prime surpass the ones described in the related literature

Efficient Multiplication Architectures for Truncated Polynomial Ring

In this thesis, four efficient multiplication architectures, named as Multipliers I, II, III, and IV, respectively, for truncated polynomial ring are proposed. Their FPGA implementation results are presented. All of the four proposed multipliers can be used for implementation of NTRUEncrypt public key system. All new multiplication architectures are based on certain extensions to Linear Feedback Shift Register (LFSR). Multiplier I uses x^2-net structure for LFSR, which scans two consecutive coefficients in the control input polynomial r(x) during one clock cycle. In Multiplier II, three consecutive zeros in the control input polynomial r(x) can be processed during one clock cycle. Multiplier III takes advantage of consecutive zeros in the control input polynomial r(x). Multiplier IV is resistant to certain side-channel attacks through controlling the operations for each clock cycle. An FPGA complexity comparison among the proposed multipliers and the existing similar works is made, including number of adaptive logic modules (ALMs), number of registers, number of cycles, maximum operating frequency (FMax) and latency. The FPGA comparison results are given as follows. Multiplier I has smaller latency than any existing works when the first set of parameters from every security level is used (ees401ep1, ees449ep1, ees677ep1, ees1087ep2). Multiplier II is the second best in speed compared to existing works, but has better area-latency product compared to the fastest existing work for the first set of parameters at security level 112-bit, 128-bit and 192-bit. As an enhanced version of Multiplier II, Multiplier III is faster than any existing works in comparison for all IEEE recommended parameter sets. Multiplier IV, designed to be resistant to side channel attacks, also has high speed property that it outperforms all the existing works in terms of latency for all three parameter sets to which it is applicable

Application of NTRU Cryptographic Algorithm for securing SCADA communication

Supervisory Control and Data Acquisition (SCADA) system is a control system which is widely used in Critical Infrastructure System to monitor and control industrial processes autonomously. Most of the SCADA communication protocols are vulnerable to various types of cyber-related attacks. The currently used security standards for SCADA communication specify the use of asymmetric cryptographic algorithms like RSA or ECC for securing SCADA communications. There are certain performance issues with cryptographic solutions of these specifications when applied to SCADA system with real-time constraints and hardware limitations. To overcome this issue, in this thesis we propose the use of a faster and light-weighted NTRU cryptographic algorithm for authentication and data integrity in securing SCADA communication. Experimental research conducted on ARMv6 based Raspberry Pi and Intel Core machine shows that cryptographic operations of NTRU is two to thirty five times faster than the corresponding RSA or ECC. Usage of NTRU algorithm reduces computation and memory overhead significantly making it suitable for SCADA systems with real-time constraints and hardware limitations