Efficient isochronous fixed-weight sampling with applications to NTRU

Décio Luiz Gazzoni Filho, Tomás Recio, Julio López Hernandez
DOI: 10.62056/a6n59qgxq (https://doi.org/10.62056/a6n59qgxq)
Journal: IACR Cryptol. ePrint Arch., volume 119 17, page 548
Publication date: 2024-07-08
Publication type: Journal Article
Indexed on: Semantic Scholar
Citation count: 2

Abstract

We present a solution to the open problem of designing a linear-time, unbiased and timing attack-resistant shuffling algorithm for fixed-weight sampling. Although it can be implemented without timing leakages of secret data in any architecture, we illustrate with ARMv7-M and ARMv8-A implementations; for the latter, we take advantage of architectural features such as NEON and conditional instructions, which are representative of features available on architectures targeting similar systems, such as Intel. Our proposed algorithm improves asymptotically upon the current approach based on constant-time sorting networks ($O(n)$ versus $O(n \log_2 n)$), and an implementation of the new algorithm applied to NTRU is also faster in practice, by a factor of up to 6.91 (591%) on ARMv8-A cores and 12.89 (1189%) on the Cortex-M4; it also requires fewer uniform random bits. This translates into performance improvements for NTRU encapsulation, compared to state-of-the-art implementations, of up to 50% on ARMv8-A cores and 72% on the Cortex-M4, and small improvements to key generation (up to 2.7% on ARMv8-A cores and 6.1% on the Cortex-M4), with negligible impact on code size and a slight improvement in RAM usage for the Cortex-M4.