
    FPGA Implementation of Post-Quantum Cryptography Recommended by NIST

    In the next 10 to 50 years, the quantum computer is expected to be available, and quantum computing has the potential to defeat RSA (Rivest-Shamir-Adleman Cryptosystem) and ECC (Elliptic Curve Cryptosystem). Therefore there is an urgent need to do research on post-quantum cryptography and its implementation. In this thesis, four new Truncated Polynomial Multipliers (TPM), namely TPM-I, TPM-II, TPM-III, and TPM-IV, for the NTRU Prime system are proposed. To the best of our knowledge, this is the first work to focus on time-efficient hardware architectures and implementation of NTRU Prime on FPGA. TPM-I uses a modified linear feedback shift register (LFSR) based architecture for the NTRU Prime system. TPM-II makes use of an x^2-net structure for the NTRU Prime system, which scans two consecutive coefficients of the control input polynomial r(x) in one clock cycle. In TPM-III and TPM-IV, three consecutive zeros and consecutive zeros in the control input polynomial r(x), respectively, are scanned during one clock cycle. FPGA implementation results are obtained for the four proposed polynomial multiplication architectures, and a comparison between the proposed multipliers' FPGA results for the NTRU Prime system and the existing work on NTRUEncrypt is shown. Regarding space complexity, TPM-I reduces area consumption with the fewest logic elements, although it has the highest latency among the four proposed multipliers and the NTRUEncrypt work [12]. TPM-II has the best latency with parameter sets ees401ep1, ees449ep1, and ees677ep1 at the 112-bit, 128-bit, and 192-bit security levels, respectively. TPM-IV has the smallest latency with the parameter set ees1087ep2 at security level 256, compared to the other three proposed multipliers. Both TPM-II and TPM-IV have lower latency than the NTRUEncrypt work [12] at the different security levels. Note that NTRU Prime has enhanced security in comparison with NTRUEncrypt because the former uses a new truncated polynomial ring, which has a more secure structure.

    A Lightweight Implementation of NTRU Prime for the Post-Quantum Internet of Things

    The dawning era of quantum computing has initiated various initiatives for the standardization of post-quantum cryptosystems with the goal of (eventually) replacing RSA and ECC. NTRU Prime is a variant of the classical NTRU cryptosystem that comes with a couple of tweaks to minimize the attack surface; most notably, it avoids rings with "worrisome" structure. This paper presents, to our knowledge, the first assembler-optimized implementation of Streamlined NTRU Prime for an 8-bit AVR microcontroller and shows that high-security lattice-based cryptography is feasible for small IoT devices. An encapsulation operation using parameters for 128-bit post-quantum security requires 8.2 million clock cycles when executed on an 8-bit ATmega1284 microcontroller. The decapsulation is approximately twice as costly and has an execution time of 15.6 million cycles. We achieved this performance through (i) new low-level software optimization techniques to accelerate Karatsuba-based polynomial multiplication on the 8-bit AVR platform and (ii) an efficient implementation of the coefficient modular reduction written in assembly language. The execution time of encapsulation and decapsulation is independent of secret data, which makes our software resistant against timing attacks. Finally, we assess the performance one could theoretically gain by using a so-called product-form polynomial as part of the secret key and discuss potential security implications.

    Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates

    We investigate all NIST PQC Round 3 KEM candidates from the viewpoint of fault-injection attacks: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE. All KEM schemes use variants of the Fujisaki-Okamoto transformation, so the equality test with re-encryption in decapsulation is critical. We survey effective key-recovery attacks when we can skip the equality test. We found the existing key-recovery attacks against Kyber, NTRU, Saber, FrodoKEM, HQC, one of the two KEM schemes in NTRU Prime, and SIKE. We propose a new key-recovery attack against the other KEM scheme in NTRU Prime. We also report an attack against BIKE that leads to leakage of information about secret keys. The open-source pqm4 library contains all KEM schemes except Classic McEliece and HQC. We show that giving a single instruction-skipping fault in the decapsulation process leads to skipping the equality test, virtually, for Kyber, NTRU, Saber, BIKE, and SIKE. We also report the experimental attacks against them. We also report that the implementation of NTRU Prime allows chosen-ciphertext attacks freely and that the timing side-channel of FrodoKEM reported in Guo, Johansson, and Nilsson (CRYPTO 2020) remains, while there are no such bugs in their NIST PQC Round 3 submissions.
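The reason the re-encryption equality test is "critical", as the abstract puts it, is that with implicit rejection the decapsulation output on a malformed ciphertext is independent of the decrypted message; once the test is skipped, the output depends on m' and the attacker gains a plaintext-checking oracle. The following Python is an added illustration, not code from the paper or from pqm4: a toy LWE-style public-key scheme (single small integer secret s, 16-bit message, modulus 3329 and bound 8 are assumptions chosen for the demo, not a standardized parameter set) wrapped in an FO-style KEM, a `skip_equality_test` flag that models the instruction-skipping fault, and a key-recovery routine that scans crafted ciphertexts (u, v) = (1, t) until the oracle confirms an all-ones decryption.

```python
import hashlib
import secrets

# Toy parameters, assumed for this example only: secret, noise and randomness lie in [-B, B].
Q, N_BITS, B = 3329, 16, 8
HALF_Q, QUARTER_Q = Q // 2, Q // 4


def _h(*parts):
    """Length-prefixed SHA3-256 so distinct inputs cannot collide by concatenation."""
    h = hashlib.sha3_256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def _small_ints(seed, count):
    """Deterministically expand `seed` into `count` integers in [-B, B]."""
    return [(b % (2 * B + 1)) - B for b in hashlib.shake_256(seed).digest(count)]


def _serialize(c):
    return b"".join(u.to_bytes(2, "big") + v.to_bytes(2, "big") for u, v in c)


def keygen():
    """sk = (s, z): small secret and implicit-rejection seed.  pk = (A, T = A*s + e0 mod Q)."""
    s = secrets.randbelow(2 * B + 1) - B
    e0 = secrets.randbelow(2 * B + 1) - B
    A = secrets.randbelow(Q)
    return (s, secrets.token_bytes(32)), (A, (A * s + e0) % Q)


def pke_encrypt(pk, m, coins):
    """Bit-wise encryption, deterministic in (m, coins) as the FO transform requires:
    (u_i, v_i) = (A*r_i, T*r_i + e_i + m_i*Q/2) mod Q."""
    A, T = pk
    bits = int.from_bytes(m, "big")
    rs = _small_ints(b"r" + coins, N_BITS)
    es = _small_ints(b"e" + coins, N_BITS)
    return tuple(((A * rs[i]) % Q, (T * rs[i] + es[i] + ((bits >> i) & 1) * HALF_Q) % Q)
                 for i in range(N_BITS))


def pke_decrypt(sk, c):
    """v_i - u_i*s = e0*r_i + e_i + m_i*Q/2 for honest ciphertexts; |noise| < Q/4 decodes."""
    s, _ = sk
    bits = 0
    for i, (u, v) in enumerate(c):
        if QUARTER_Q <= (v - u * s) % Q < 3 * QUARTER_Q:
            bits |= 1 << i
    return bits.to_bytes(N_BITS // 8, "big")


def encaps(pk):
    m = secrets.token_bytes(N_BITS // 8)
    c = pke_encrypt(pk, m, _h(b"coins", m))
    return c, _h(b"K", m, _serialize(c))


def decaps(sk, pk, c, skip_equality_test=False):
    """FO decapsulation with implicit rejection.  skip_equality_test=True models the
    instruction-skipping fault: the re-encryption check is bypassed and K depends on m'."""
    _, z = sk
    m_prime = pke_decrypt(sk, c)
    c_prime = pke_encrypt(pk, m_prime, _h(b"coins", m_prime))
    if skip_equality_test or c_prime == c:
        return _h(b"K", m_prime, _serialize(c))
    return _h(b"reject", z, _serialize(c))   # independent of m': no plaintext-checking oracle


def recover_secret(decaps_oracle):
    """Key recovery through a plaintext-checking oracle.  The crafted ciphertext
    (u_i, v_i) = (1, t) decrypts every bit to t - s (mod Q), so all bits flip to 1 exactly
    when t reaches Q/4 + s.  Returns None if no guess is ever confirmed, which is what
    happens while the equality test is in place."""
    all_ones = bytes([0xFF] * (N_BITS // 8))
    for t in range(QUARTER_Q - B, QUARTER_Q + B + 1):
        c = tuple((1, t) for _ in range(N_BITS))
        if decaps_oracle(c) == _h(b"K", all_ones, _serialize(c)):
            return t - QUARTER_Q
    return None
```

With the check intact, `recover_secret` never gets a confirmation because every crafted ciphertext fails re-encryption and yields the rejection key; with the fault modelled, it recovers s in at most 2B + 1 queries. Real schemes need more elaborate ciphertext shaping, but the oracle structure is the same.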

    Performance and Efficiency Exploration of Hardware Polynomial Multipliers for Post-Quantum Lattice-Based Cryptosystems

    The significant effort in the research and design of large-scale quantum computers has spurred a transition to post-quantum cryptographic primitives worldwide. The post-quantum cryptographic primitive standardization effort led by the US NIST has recently selected the asymmetric encryption primitive Kyber as its candidate for standardization and indicated NTRU as a valid alternative if intellectual property issues are not solved. Finally, a more conservative alternative to NTRU, NTRU Prime, was also considered as an alternate candidate, due to its design choices that remove the possibility for a large set of attacks preemptively. All the aforementioned asymmetric primitives provide good performance and are prime choices to provide IoT devices with post-quantum confidentiality services. In this work, we present a comprehensive exploration of hardware designs for the computation of polynomial multiplications, the workhorse operation in all the aforementioned cryptosystems, with a thorough analysis of performance, compactness and efficiency. The presented designs cope with the differences in the arithmetic of the polynomial rings employed by distinct cryptosystems, benefiting from configurations and optimizations that are applicable at synthesis time and/or run time. In this context, we target a use case scenario where long-term key pairs are used, such as the ones for VPNs (e.g., over IPSec), secure shell protocols and instant messaging applications. Our high-performance design variants exhibit latency figures comparable to the ones needed for the execution of the symmetric cryptographic primitives also included in the post-quantum schemes. Notably, the performance figures of the designs proposed for NTRU and NTRU Prime surpass the ones described in the related literature.

    Integrating post-quantum cryptography (NTRU) in the TLS protocol

    Master's dissertation in Computer Science. We aim to integrate new "suites", using post-quantum authentication and encryption techniques, in the TLS protocol. Namely, this project is dedicated to integrating algorithms belonging to the NTRU family of cryptosystems in the OpenSSL library and in the Python package "Cryptography". Even though all the algorithms included in this project have already been implemented as part of their submissions to the NIST Post-Quantum Standardization project, currently there doesn't seem to exist a way to perform prototyping and testing of these cryptosystems in real-life use cases, and it would be interesting to create such tools. We also aim to test if these algorithms could be further optimized for speed and efficiency by comparing the reference implementations (submitted to NIST and publicly available) with our own implementations, which perform some required mathematical operations in a very efficient manner (by using specialized number theory libraries).

    Message Recovery Attack in NTRU through VFK Lattices

    In the present paper, we implement a message recovery attack against all variants of the NTRU cryptosystem. Our approach involves a reduction from the NTRU lattice to a Voronoi First Kind lattice, enabling the application of a polynomial CVP exact algorithm crucial for executing the message recovery. The efficacy of our attack relies on a specific oracle that permits us to approximate an unknown quantity. Furthermore, we outline the mathematical conditions under which the attack is successful. Finally, we delve into a well-established polynomial algorithm for CVP on VFK lattices and its implementation, shedding light on its efficacy in our attack. Subsequently, we present comprehensive experimental results on the NTRU-HPS and NTRU Prime variants of the NIST submissions and propose a method that could indicate the resistance of the NTRU cryptosystem to our attack.

    Algorithmic Views of Vectorized Polynomial Multipliers for NTRU and NTRU Prime (Long Paper)

    This paper explores the design space of vector-optimized polynomial multiplications in the lattice-based key-encapsulation mechanisms NTRU and NTRU Prime. Since NTRU and NTRU Prime do not support straightforward applications of number-theoretic transforms, the state-of-the-art vector code either resorted to Toom-Cook or introduced various techniques for coefficient ring extensions. All these techniques lead to a large number of small-degree polynomial multiplications, which is the bottleneck in our experiments. For NTRU Prime, we show how to reduce the number of small-degree polynomial multiplications to nearly 1/4 compared to the previous vectorized code with the same functionality. Our transformations are based on careful choices of FFTs, including Good-Thomas, Rader's, Schönhage's, and Bruun's FFTs. For NTRU, we show how to deploy Toom-5 with 3-bit losses. Furthermore, we show that the Toeplitz matrix-vector product naturally translates into efficient implementations with vector-by-scalar multiplication instructions, which do not appear in all prior vector-optimized implementations. We choose the ARM Cortex-A72 CPU, which implements the Armv8-A architecture, for experiments because of its wide use in smartphones, and also because the Neon vector instruction set implements vector-by-scalar multiplications that do not appear in most other vector instruction sets, like Intel's AVX2. Even for platforms without vector-by-scalar multiplications, we expect significant improvements compared to the state of the art, since our transformations reduce the number of multiplication instructions by a large margin. Compared to the state-of-the-art optimized implementations, we achieve 2.18× and 6.7× faster polynomial multiplications for NTRU and NTRU Prime, respectively. For full schemes, we additionally vectorize the polynomial inversions, sorting network, and encoding/decoding subroutines in NTRU and NTRU Prime. For ntruhps2048677, we achieve 7.67×, 2.48×, and 1.77× faster key generation, encapsulation, and decapsulation, respectively. For ntrulpr761, we achieve 3×, 2.87×, and 3.25× faster key generation, encapsulation, and decapsulation, respectively. For sntrup761, there are no previously optimized implementations and we significantly outperform the reference implementation.

    Single-Trace Side-Channel Attacks on ω-Small Polynomial Sampling: With Applications to NTRU, NTRU Prime, and CRYSTALS-DILITHIUM

    This paper proposes a new single-trace side-channel attack on lattice-based post-quantum protocols. We target the ω-small polynomial sampling of NTRU, NTRU Prime, and CRYSTALS-DILITHIUM algorithm implementations (which are NIST Round-3 finalists and alternative candidates), and we demonstrate the vulnerabilities of their sub-routines to a power-based side-channel attack. Specifically, we reveal that the sorting implementation in NTRU/NTRU Prime and the shuffling in CRYSTALS-DILITHIUM's ω-small polynomial sampling process leak information about the '-1', '0', or '+1' assignments made to the coefficients. We further demonstrate that these assignments can be found within a single power measurement and that revealing them allows secret and session key recovery for NTRU/NTRU Prime, while reducing the challenge polynomial's entropy for CRYSTALS-DILITHIUM. We execute our proposed attacks on an ARM Cortex-M4 microcontroller running the reference software submissions from the NIST Round-3 software packages. The results show that our attacks can extract coefficients with a success rate of 99.78% for NTRU and NTRU Prime, reducing the search space to 2^41 or below. For CRYSTALS-DILITHIUM, our attack recovers the coefficients' signs with over 99.99% success, reducing rejected challenge polynomials' entropy by between 39 and 60 bits. Our work informs the proposers about the single-trace vulnerabilities of their software and urges them to develop single-trace resilient software for low-cost microcontrollers.
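Why a sort leaks the -1/0/+1 assignments: the weight-w sampler tags w random words so that their low bits decode to ±1 and the remaining p - w so that they decode to 0, then a data-oblivious sort of the random high bits moves the tagged words into secret positions. The sort's compare-exchange schedule is fixed, so an attacker who can tell from one power trace which compare-exchanges actually swapped can replay those decisions on a label array and learn where the nonzero coefficients ended up. The Python below is an added illustration for this page, not code from the paper or from the NTRU Prime reference implementation; it assumes the tagging structure of NTRU Prime's Short_random, substitutes an odd-even transposition network for the reference sorting network, uses a non-cryptographic seeded RNG for reproducibility, and models the leakage as a swap/no-swap bit per compare-exchange (signs of the ±1 entries are not recovered in this simplified model).

```python
import random

P, W = 761, 286  # sntrup761: p coefficients, exactly w of them are +-1 (assumed parameters)


def oblivious_sort(L, trace=None):
    """Odd-even transposition sort: data-oblivious, fixed compare-exchange schedule
    (a stand-in for the constant-time sorting network of the reference code).  When
    `trace` is given, one boolean per compare-exchange records whether it swapped,
    the leakage a power trace of a conditional swap is assumed to expose."""
    n = len(L)
    for rnd in range(n):
        for i in range(rnd & 1, n - 1, 2):
            swap = L[i] > L[i + 1]
            if swap:
                L[i], L[i + 1] = L[i + 1], L[i]
            if trace is not None:
                trace.append(swap)


def short_random(p, w, rng, trace=None):
    """Weight-w ternary sampler in the style of NTRU Prime's Short_random: tag the first w
    random 32-bit words so (L & 3) - 1 is +-1, the rest so it is 0, then sort on the random
    high bits to permute the tags into secret positions."""
    L = [rng.getrandbits(32) for _ in range(p)]
    for i in range(w):
        L[i] &= ~1               # low bit 0: decodes to -1 or +1
    for i in range(w, p):
        L[i] = (L[i] & ~2) | 1   # low bits 01: decodes to 0
    oblivious_sort(L, trace)
    return [(v & 3) - 1 for v in L]


def recover_support(p, w, trace):
    """Attacker side: replay the observed swap decisions on a label array.  Before the
    sort, slots 0..w-1 hold the nonzero entries by construction, so the replay yields the
    secret's support (positions of the +-1 coefficients)."""
    labels = [1] * w + [0] * (p - w)
    decisions = iter(trace)
    for rnd in range(p):
        for i in range(rnd & 1, p - 1, 2):
            if next(decisions):
                labels[i], labels[i + 1] = labels[i + 1], labels[i]
    return labels


def demo_sampler(seed=7):
    rng = random.Random(seed)   # reproducible demo only; a real sampler uses a CSPRNG
    trace = []
    r = short_random(P, W, rng, trace)
    recovered = recover_support(P, W, trace)
    return {"weight": sum(abs(c) for c in r),
            "support_recovered": recovered == [1 if c else 0 for c in r],
            "compare_exchanges": len(trace)}
```

The countermeasure direction the abstract urges follows directly: the sort must not only be constant-time in control flow but must also not let the swap/no-swap decision (or the values moved) show up in power or EM measurements, for example by masking or by arithmetic (branch-free, data-independent) swaps whose leakage does not correlate with the comparison outcome.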