
Accelerating pre- and post-quantum cryptography

Citation for published version (APA): Chou, T. (2016). Accelerating pre- and post-quantum cryptography. Technische Universiteit Eindhoven.
Document status and date: Published: 27/06/2016
Document Version: Publisher's PDF, also known as Version of Record (includes final page, issue and volume numbers)
Accelerating Pre- and Post-Quantum Cryptography
Tung Chou

Copyright © 2016 by Tung Chou. Printed by Printservice Technische Universiteit Eindhoven.
The cover illustrates the data flow in a size-8 Gao–Mateer additive FFT: the back cover for the radix conversions and twistings and the front cover for the FFT butterflies.
A catalogue record is available from the Eindhoven University of Technology Library.
ISBN 978-90-386-4105-8
NUR 919

Accelerating Pre- and Post-Quantum Cryptography

THESIS
for obtaining the degree of doctor at the Technische Universiteit Eindhoven, on the authority of the rector magnificus, prof.dr.ir. F.T.P. Baaijens, for a committee appointed by the College voor Promoties, to be defended in public on Monday 27 June 2016 at 16:00 by Tung Chou, born in Taipei, Taiwan.

This thesis has been approved by the supervisors, and the composition of the doctoral committee is as follows:
chair: prof.dr. J. de Vlieg
first supervisor: prof.dr. D.J. Bernstein
second supervisor: prof.dr. T. Lange
members: prof.dr.ir. J. Draisma
prof.dr. M. Scott (Dublin City University)
dr.habil. N. Sendrier (INRIA Rocquencourt)
prof.dr. V. Shoup (New York University)
prof.dr. B.-Y. Yang (Academia Sinica)

The research or design described in this thesis has been carried out in accordance with the TU/e Code of Scientific Conduct (Gedragscode Wetenschapsbeoefening).

Acknowledgement
First, I would like to thank my supervisors Daniel J. Bernstein and Tanja Lange for giving me the chance to work with them. Dan offered me the freedom to work on what I found interesting, and I really appreciate all the suggestions and comments he gave me during our discussions. Tanja always tries to give me reasons to feel more confident in myself and has always been helpful and supportive in many different ways. Most of my papers are joint work with others, and therefore I would like to thank my coauthors Daniel J. Bernstein, Chen-Mou Cheng, Chitchanok Chuengsatiansup, Andreas Hülsing, Eran Lambooij, Tanja Lange, Ruben Niederhagen, Claudio Orlandi, Peter Schwabe, Christine van Vredendaal, and Bo-Yin Yang for the fruitful collaborations. I thank Jan Draisma, Michael Scott, Nicolas Sendrier, Victor Shoup, and Bo-Yin Yang for joining my committee and giving valuable feedback for my thesis. I thank Tsuyoshi Takagi, Chen-Mou Cheng, Claudio Orlandi, Tim Güneysu and Christof Paar for inviting (or helping) me to have research visits in their current or previous groups. I would like to thank Peter Schwabe for the discussions we had in Nijmegen and for proofreading part of my thesis. I would like to thank Ruben Niederhagen for giving me lots of useful comments and tips on how to improve my thesis. Special thanks go to my previous supervisor Chen-Mou Cheng and my previous boss Bo-Yin Yang. It felt difficult to find motivation, until they brought me into the area of cryptography. Finally, I would like to thank my parents for all the support.

Contents
1 Introduction  1
I Preliminaries  5
2 Cryptographic implementations  7
  2.1 Vectorization  7
  2.2 Timing attacks and constant-time implementations  8
  2.3 Bitslicing  9
  2.4 qhasm  9
3 The Gao–Mateer additive FFT  11
  3.1 Additive FFT: overview  12
  3.2 Additive FFT: detail  12
  3.3 Radix conversion: an example  13
  3.4 The radix-conversion subroutine  14
II Binary-field Cryptography  17
4 McBits: fast constant-time code-based cryptography  19
  4.1 Field arithmetic  24
    4.1.1 Addition  24
    4.1.2 Multiplication  24
    4.1.3 Squaring  24
    4.1.4 Inversion  25
  4.2 Finding roots: the Gao–Mateer additive FFT  25
    4.2.1 Application to decoding  25
    4.2.2 Multipoint evaluation  25
    4.2.3 FFT improvement: 1-coefficient polynomials  26
    4.2.4 FFT improvement: 2-coefficient and 3-coefficient polynomials  26
    4.2.5 Results  26
    4.2.6 Other algorithms  27
  4.3 Syndrome computation: transposing the additive FFT  28
    4.3.1 Application to decoding  28
    4.3.2 Syndrome computation as the transpose of multipoint evaluation  28
    4.3.3 Transposing linear algorithms  28
    4.3.4 Transposing the additive FFT  29
    4.3.5 Improvement: transposed additive FFT on scaled bits  30
  4.4 Secret permutations without secret array indices: odd-even sorting  31
    4.4.1 Sorting networks  31
    4.4.2 Precomputed comparisons  32
    4.4.3 Permutation networks  32
    4.4.4 Alternative: random condition bits  32
  4.5 A complete code-based cryptosystem  33
    4.5.1 Parameters  34
    4.5.2 Key generation  34
    4.5.3 Encryption  35
    4.5.4 Decryption  35
  4.6 New speed records for CFS signatures  36
    4.6.1 Review of CFS  37
    4.6.2 Previous CFS speeds  37
    4.6.3 New CFS software  37
    4.6.4 New CFS speeds  38
5 QcBits: constant-time small-key code-based cryptography  39
  5.1 Preliminaries  42
    5.1.1 QC-MDPC codes  42
    5.1.2 Decoding (QC-)MDPC codes  43
    5.1.3 The Niederreiter KEM/DEM encryption system for QC-MDPC codes  44
  5.2 Key-pair generation  45
    5.2.1 Private-key generation  45
    5.2.2 Polynomial view: public-key generation  46
    5.2.3 Generic multiplication in F_2[x]/(x^n − 1)  47
    5.2.4 Generic squaring in F_2[x]/(x^n − 1)  48
  5.3 KEM encryption  49
    5.3.1 Generating the error vector  49
    5.3.2 Polynomial view: public-syndrome computation  49
    5.3.3 Sparse-times-dense multiplications in F_2[x]/(x^n − 1)  49
  5.4 KEM decryption  51
    5.4.1 Polynomial view: private-syndrome computation  51
    5.4.2 Polynomial view: counting unsatisfied parity checks  52
    5.4.3 Sparse-times-dense multiplications in Z[x]/(x^n − 1)  52
    5.4.4 Flipping bits  53
  5.5 Experimental results for decoding  54
  5.6 The future of QC-MDPC-based cryptosystems  55
6 Auth256: faster binary-field multiplication and faster binary-field MACs  57
  6.1 Field arithmetic in F_{2^8}  60
    6.1.1 Review of tower fields  60
    6.1.2 Variable multiplications  60
    6.1.3 Constant multiplications  61
    6.1.4 Subfields and decomposability  61
  6.2 Faster additive FFTs  62
    6.2.1 Size-4 FFTs: the lowest level of recursion  62
    6.2.2 The size-8 FFTs: the first recursive case  62
    6.2.3 The size-16 FFTs: saving additions for radix conversions  63
    6.2.4 Size-16 FFTs continued: decomposition at field-element level  64
    6.2.5 Improvements: a summary  64
    6.2.6 Polynomial multiplications: a comparison with Karatsuba and Toom  65
  6.3 The Auth256 message-authentication code: major features  65