1. Introduction
Post-quantum cryptography refers to cryptographic algorithms that maintain security against attacks based on quantum computers. In 2017, NIST recruited candidates for standardization of post-quantum cryptography methods, and 69 candidates were proposed. In 2022, the selection of standard methods will be completed [1]. In this study, we aim to improve the implementation performance of the proposed Lizard [2] method among these candidates. The Lizard method is based on the Learning With Errors (LWE) problem [3] and the Learning With Rounding (LWR) problem [4]. Many security services can be implemented using Lizard, but we focus on improving the implementation of the simplest service, KEM (Key Encapsulation Mechanism). A KEM is a method by which two communicating parties can securely generate a shared key for secure communication. Normally, if A and B use a KEM to generate a shared key, A sends its public key and public parameters to B, and B generates the ciphertext c using the KEM's key encapsulation algorithm and passes it to A. At the same time, B obtains K, the key information to be shared. Finally, A uses the key decapsulation algorithm to obtain the shared key K using c and its own private key.
We have improved the performance of this KEM implementation. Specifically, we reduced the number of calls to the random number generation function used in key generation. This is achieved by using the generated random bits efficiently. The key encapsulation and decapsulation algorithms also gain execution speed by using registers for iterative operations and by replacing the multiplication in pointer arithmetic with addition. As a result of these improvements, we achieved speedups of about 25% in key generation, 7% in key encapsulation, and 10% in key decapsulation, compared to the KEM version originally submitted to NIST.
The rest of this paper is organized as follows. Section 2 deals with prior knowledge, and Section 3 deals with related research. In Section 4, we propose an improvement method. In Section 5, we perform performance evaluation. Conclusions are made in Section 6.
2. Preliminaries
2.1. Notation
Here is the list of notations which will be used throughout this paper:
(Table 1) Notations
The Lizard implementation in this paper uses the parameter set KEM_CATEGORY1_N536 [1], which provides the same level of security as 128-bit AES. In this case, the values of some of the symbols defined above are set as shown in Table 2.
(Table 2) KEM_CATEGORY1_N536 parameter setup
2.2 Introduction to Lizard KEM
Recently, Hofheinz et al. proposed a method of converting a public key encryption algorithm with arbitrary IND-CPA security into a KEM that provides IND-CCA2 security by using the FO (Fujisaki-Okamoto) transformation [5]. The Lizard KEM is the result of modifying the Lizard encryption algorithm according to the above method, and can be described as in Tables 3 to 5 below.
Lizard is composed of the key generation algorithm (Lizard.KeyGen), the key encapsulation algorithm (Lizard.Encap) and the key decapsulation algorithm (Lizard.Decap). The parameters used for Lizard.KeyGen(params) are m, n, l1, l2, l, d, p, q (2 | p | q), h_r ( < ρ, α < 1, and the hash functions G: {0,1}* → {0,1}^d, H: {0,1}* → l2m, h, and H': {0,1}* → {0,1}^l. Tables 3 to 5 describe the details of the algorithms.
(Table 3) Lizard.KeyGen
(Table 4) Lizard.Encap
(Table 5) Lizard.Decap
The algorithms described in Tables 3-5 take a lot of time unless carefully implemented [1]. We take the Lizard reference implementation submitted to NIST [1] as the implementation to be improved.
3. Related Work
This paper is an improvement of the Lizard proposed to NIST. In this section, we introduce the competing PQC algorithms proposed to NIST, and finally introduce Lizard. Bos et al. proposed a KEM (Frodo) that is based on the LWE problem [6]. They showed that they could implement their method in OpenSSL to share keys between participants in a network. They argued that their method provides quantum security and could therefore replace ECDHE. This method is a KEM competing with Lizard. The problem with this method is that it takes a lot of randomness to generate the matrix A, and generating A consumes 40% of the running time [6]. They have attempted to use their method in a variety of environments through further improvements in the pattern of memory accesses.
Cheon et al. proposed a public key encryption algorithm based on spLWE (LWE with sparse secret), which is a variant of the LWE problem [7]. They implemented it based on Peikert's IND-CPA-secure public key cryptosystem [8] with the FO transform [9]. This method has the disadvantage that larger parameters are required in comparison with the LWE-based method. This method requires about 313 microseconds on a MacBook Pro with a 2.6 GHz Intel Core i5 CPU to share a message of 256 bits.
Alkim et al. proposed a method to improve efficiency and security compared to [6] by improving the method proposed by Peikert [8] [10]. In their method, the large modulus q could be reduced to q = 12289 < 2^14, compared to the previous method [6] where q = 2^32. It also provides 128-bit post-quantum security.
Bernstein et al. [10] mentioned the possibility of side-channel attacks and proposed a method based on Streamlined NTRU Prime [11]. The proposed method improves performance compared to the previous method, and it is known to have a small attack surface because it uses a ring with no structure.
Kyber [12] is a well-known KEM based on the module-LWE problem and is known to exhibit very efficient performance. It is known to perform very well in terms of the required ciphertext size and computational efficiency by applying a compression method for small numbers. In [13], unlike the previous method, a cost-free method is proposed that achieves QROM security without an additional hash.
Finally, Lizard is a method based on LWE and Learning with Rounding (LWR) [2]. This method is very efficient because it does not perform Gaussian sampling in encryption. Lizard also ensures quantum security under the QROM model.
4. Proposed approach
In this section, we discuss the various performance enhancement methods proposed in this study. The target implementation to enhance in this paper is the reference implementation of Lizard submitted to the NIST PQC Standardization process [1].
4.1 Improvement of key generation algorithm
We first reduced the number of random bits needed to generate the matrix A. In the existing implementation, random bits are generated in byte units. Since the length of each element in the matrix A is 11 bits, 5 bits are discarded when a 2-byte random number is used to generate one element of A. This requires a larger number of random number generator function calls, which wastes a lot of performance. We used these 5 bits to reduce the number of random number generations.
According to the original implementation submitted to NIST [1], 1097728 random bits are required to generate the matrix A in the 128-bit quantum security setting. However, as a result of the improvement, only 823296 bits are required in the proposed implementation.
The second improvement is a reduction in the number of random bits required to generate the sparse secret key vector S. In the implementation submitted to NIST, a one-byte random number was used to generate each element of S, which takes one of the values 1, 0, -1. We improved this to use only 2 bits, and as a result we could reduce the length of the required random bits to 1/4. Whereas 8576 random bits are required in the original implementation, the proposed implementation requires only 2144 random bits to generate the secret key matrix S.
The third improvement is the reduction of the number of random bits needed to generate the matrix E. The elements of this matrix are drawn from the discrete Gaussian distribution, which requires random bits. Unfortunately, in the existing implementation, a 32-bit random number was generated and used even though only 10 random bits are needed in total. We improved it so that exactly 10 random bits are used. Fig. 1 explains the improvement. As a result of this improvement, the number of random bits generated for the matrix E is reduced from 65536 bits to 32768 bits.
(Fig. 1) Improvement to generate the matrix E: only one random word is generated and 10 bits are extracted from the word.
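As an added illustration (not code from the Lizard submission), the following C bit reader shows the idea shared by the three improvements above: random bytes are consumed bit by bit, so an 11-bit element of A or a 10-bit input to the E sampler uses exactly that many bits and nothing is discarded between elements. The helper names and the sample byte buffer are constructed for this example; in the reference code the bytes would come from the NIST randombytes() call.

```c
#include <stdint.h>
#include <stddef.h>

/* Bit-granular reader over a buffer of random bytes (constructed sample;
 * the real implementation would pull bytes from randombytes()). */
typedef struct {
    const uint8_t *buf;
    size_t len, pos;   /* bytes available / bytes already pulled into acc */
    uint64_t acc;      /* bit accumulator; its low `nbits` bits are unread */
    int nbits;
} bitreader;

static void br_init(bitreader *br, const uint8_t *buf, size_t len) {
    br->buf = buf; br->len = len; br->pos = 0; br->acc = 0; br->nbits = 0;
}

/* Return the next k bits (1 <= k <= 32) as an unsigned value, or -1 when the
 * buffer is exhausted. A new byte is loaded only when the accumulator runs
 * dry, so leftover bits are carried over to the next element. */
static int64_t br_take(bitreader *br, int k) {
    while (br->nbits < k) {
        if (br->pos >= br->len) return -1;
        br->acc = (br->acc << 8) | br->buf[br->pos++];
        br->nbits += 8;
    }
    br->nbits -= k;
    return (int64_t)((br->acc >> br->nbits) & ((1ULL << k) - 1));
}

/* Fill `n` elements of `width` bits each (11 for A, 10 for the E sampler
 * input). Returns the number of random bytes consumed, or -1 on shortage. */
static long fill_elements(uint16_t *out, size_t n, int width,
                          const uint8_t *rnd, size_t rnd_len) {
    bitreader br;
    br_init(&br, rnd, rnd_len);
    for (size_t i = 0; i < n; i++) {
        int64_t v = br_take(&br, width);
        if (v < 0) return -1;
        out[i] = (uint16_t)v;
    }
    return (long)br.pos;
}

/* Random bits needed by the byte-granular approach (ceil(width/8) whole bytes
 * per element) versus the packed approach (exactly `width` bits per element). */
static size_t bits_bytewise(size_t n, int width) { return n * ((width + 7) / 8) * 8; }
static size_t bits_packed(size_t n, int width)   { return n * width; }
```

With 68608 elements of 11 bits, bits_bytewise reproduces the 1097728 bits quoted above for the original matrix A, and with 1072 ternary elements bits_bytewise and bits_packed give the 8576 and 2144 bits quoted for S.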
(Fig. 2) The initial implementation of the r_idx generation step in Key Encapsulation.
4.2 Improvement of key encapsulation and decapsulation algorithms
We propose an efficient method to generate r_idx by repeating the {-1, 0, 1} extraction operation of the existing implementation. The concrete contents are shown in Figures 2 and 3.
In the existing implementation, a multiplication operation is required when calculating the two pointers r_t and r_idxt in the process of creating r_idx, as shown in Fig. We replaced the multiplication operations required for r_t with addition operations. This process exists in both the encapsulation and decapsulation implementations, so we modified it in both and improved their performance.
(Fig. 3) Improved r_idx generation step in Key Encapsulation.
5. Performance evaluation
We performed 100,000 iterations of each improved algorithm implementation and measured the performance as the mean value. Performance evaluation was performed with the parameters for 128-bit quantum security. The execution environment is an Intel Core i5-4557 CPU at 3.20 GHz, 4 GB RAM, and Ubuntu 14.04 LTS. As a result, we found that key generation is improved by 25%, and Key Encapsulation and Decapsulation by 7% and 10%, respectively, compared with the existing implementation.
Figures 3 and 4 below show the execution time of each algorithm, including the variation of the execution time. As shown in the figures, the key generation time does not change between executions, whereas for the Key Encapsulation/Decapsulation methods we can confirm that the execution time differs according to the generated random number value. The difference in execution times varies in each iteration, around 0.4~0.55 ms. In order to improve the security of Lizard, it is necessary to reduce this variation to make the scheme resilient against side-channel attacks.
6. Conclusion
In this paper, we analyzed the implementation of Lizard proposed to NIST PQC and proposed a method to improve its performance. By simply reducing the number of wasted random bits and improving register usage, we achieved a performance improvement of 7% ~ 25%. We hope that the results of this paper will be applied to Lizard implementations so that Lizard can be adopted as an international standard algorithm. Also, as future work, we will try to improve the performance of Ring Lizard, which, unlike Lizard, is based on the Ring-LWE problem. This study is also expected to be applied as a key method in various security fields [14-16].
(Fig. 4) Comparison of key generation time with its time variation
(Fig. 5) Comparison of Key Encapsulation / Key Decapsulation times with their time variation
References
[1] NIST PQC Standardization. Available at: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
[2] J. Cheon, D. Kim, J. Lee, and Y. Song, "Lizard: Cut Off the Tail! A Practical Post-quantum Public-Key Encryption from LWE and LWR", In Proc. International Conference on Security and Cryptography for Networks (SCN) 2018, LNCS vol. 11035, pp. 160-177, 2018. https://doi.org/10.1007/978-3-319-98113-0_9
[3] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography", In Proc. Thirty-seventh Annual ACM Symposium on Theory of Computing (STOC '05), pp. 84-93, New York, NY, USA, 2005. ACM. https://doi.org/10.1145/1568318.1568324
[4] J. Alwen, S. Krenn, K. Pietrzak, and D. Wichs, "Learning with Rounding, Revisited", In Proc. CRYPTO, LNCS vol. 8042, pp. 57-74, 2013. https://doi.org/10.1007/978-3-642-40041-4_4
[5] D. Hofheinz, K. Hövelmanns, and E. Kiltz, "A modular analysis of the Fujisaki-Okamoto transformation", In Proc. Theory of Cryptography Conference (TCC), pp. 341-371, Nov. 2017. Springer. https://doi.org/10.1007/978-3-319-70500-2_12
[6] J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, et al., "Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE", In Proc. 23rd ACM Conference on Computer and Communications Security (CCS), 2016. https://doi.org/10.1145/2976749.2978425
[7] J. Cheon et al., "A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE", In Proc. International Conference on Information Security and Cryptology (ICISC 2016), LNCS vol. 10157, pp. 51-74, 2016. https://doi.org/10.1007/978-3-319-53177-9_3
[8] C. Peikert, "Lattice Cryptography for the Internet", In Proc. Post-Quantum Cryptography (PQCrypto 2014), LNCS vol. 8772, pp. 197-219, 2014. https://doi.org/10.1007/978-3-319-11659-4_12
[9] E. Targhi and D. Unruh, "Quantum Security of the Fujisaki-Okamoto Transform", In Proc. Theory of Cryptography: 14th International Conference (TCC 2016), pp. 192-216, Berlin: Springer, 2016. https://doi.org/10.1007/978-3-662-53644-5_8
[10] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, "Post-quantum Key Exchange - A New Hope", In Proc. 25th USENIX Security Symposium (USENIX Security 16), Austin, TX: USENIX Association, 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim
[11] D. Bernstein, C. Chuengsatiansup, T. Lange, and C. van Vredendaal, "NTRU Prime: Reducing Attack Surface at Low Cost", In Proc. Selected Areas in Cryptography (SAC 2017), pp. 235-260, 2017. https://doi.org/10.1007/978-3-319-72565-9_12
[12] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck, and D. Stehlé, "CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM", In Proc. 3rd IEEE European Symposium on Security and Privacy (EuroS&P), London, United Kingdom, Apr. 2018. https://doi.org/10.1109/eurosp.2018.00032
[13] H. Jiang, Z. Zhang, L. Chen, H. Wang, and Z. Ma, "Post-quantum IND-CCA-secure KEM without additional hash", Cryptology ePrint Archive, Report 2017/1096. https://eprint.iacr.org/2017/1096
[14] Seul-Ki Choi, Chung-Huang Yang, and Jin Kwak, "System Hardening and Security Monitoring for IoT Devices to Mitigate IoT Security Vulnerabilities and Threats", KSII Transactions on Internet and Information Systems, vol. 12, no. 2, Feb. 2018. https://doi.org/10.3837/tiis.2018.02.022
[15] Mrutyunjanya Sahani, Subhashree Subudhi, and Mihir Narayan Mohanty, "Design of Face Recognition based Embedded Home Security System", KSII Transactions on Internet and Information Systems, vol. 10, no. 4, Apr. 2016. https://doi.org/10.3837/tiis.2016.04.016
[16] Admir Midzic, Zikrija Avdagic, and Samir Omanovic, "Intrusion Detection System Modeling Based on Learning from Network Traffic Data", KSII Transactions on Internet and Information Systems, vol. 12, no. 11, Nov. 2018. https://doi.org/10.3837/tiis.2018.11.022