Skip to main content
SpringerLink
Log in

NFLlib: NTT-Based Fast Lattice Library

  • Conference paper
  • First Online:
Topics in Cryptology - CT-RSA 2016 (CT-RSA 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9610))

Included in the following conference series:

Abstract

Recent years have witnessed an increased interest in lattice cryptography. Besides its strong security guarantees, its simplicity and versatility make this powerful theoretical tool a promising competitive alternative to classical cryptographic schemes.

In this paper, we introduce NFLlib, an efficient and open-source C++ library dedicated to ideal lattice cryptography in the widely-spread polynomial ring \(\mathbb Z_{p}[x]/(x^n+1)\) for n a power of 2. The library combines algorithmic optimizations (Chinese Remainder Theorem, optimized Number Theoretic Transform) together with programming optimization techniques (SSE and AVX2 specializations, C++ expression templates, etc.), and will be fully available under an open source license.

The library compares very favorably to other libraries used in ideal lattice cryptography implementations (namely the generic number theory libraries NTL and flint implementing polynomial arithmetic, and the optimized library for lattice homomorphic encryption HElib): restricting the library to the aforementioned polynomial ring allows to gain several orders of magnitude in efficiency.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The open-source IPsec-based VPN solution strongSwan [31] includes the BLISS lattice signature [9] as an IKEv2 public key authentication method starting from version 5.2.2.

  2. 2.

    This is also hinted at in the HElib library [16, 17] which modifies the internal routines of NTL to achieve better performances — although for any cyclotomic polynomial ring \(\mathbb Z_p[x]/(\Phi )\).

  3. 3.

    Even though architecture-optimized implementations will always outperform generic libraries, this paper tackles the issue of designing an efficient library that can be used on a large range of architecture. Also, NFLlib includes state-of-the-art SSE and AVX2 optimizations for the NTT and the modular multiplication operation.

  4. 4.

    At the heart of many kinds of ideal-lattice schemes (ranging from classical encryption to fully homomorphic encryption and multilinear maps) is the decision-Ring-Learning-With-Errors (dRLWE) assumption. Working with cyclotomic polynomials \(\varPhi (x)=x^n+1\) implies that we have provable worst-case hardness for dRLWE with essentially any large enough p — splitting, inert, or anywhere in between [6]. In NFLlib, we therefore chose a p that splits completely for efficiency reasons.

  5. 5.

    NFLlib has been designed to work with a wide range of parameters: polynomial degrees \(2\leqslant n\leqslant 2^{20}\) and moduli \(2^{13}<p<2^{1000\cdot 62}\). However, the users of NFLlib are responsible for selecting parameters (np) that ensure \(\kappa \) bits of security for the specific application they are developing. We refer to [2, 3, 23] for selecting concrete security parameters of lattice encryption schemes.

  6. 6.

    In HElib, the instantiation of a FHEContext — storing the modulus decomposition — is needed to use DoubleCRT objects. Now, this constructor try to produced primes of a size close to 44 bits and this size is hard-coded in the value FHE_p2Size (maybe to fit largely the long primitive type and be able to do specific homomorphic operations?).

    For the sake of comparison, we kept this hardcoded value. Therefore the benchmarks of HElib are with a 44-bit prime for parameters (1) and (2), with two 44-bit primes for parameters (3) and 141 44-bit primes for parameters (4).

  7. 7.

    TurboBoost and Hyperthreading were disabled during the benchmarks. We chose an AWS machine as a typical cloud environment which allows reproductibility of the results.

  8. 8.

    We neglected the cost of the (linear) negative wrapped convolution computation in NTL to mitigate the impact of a non highly-optimized hand-made implementation; one would therefore have to expect slightly worse timings when working over \(R_p\).

  9. 9.

    We choose two parameter sets from [23], a 14-bit modulus with polynomials of degree 256, and the same modulus with polynomials of degree 512. These two parameter sets correspond roughly to 128 and 256 bits of security. Note that if these estimates are too low it is possible to choose parameters such as (14, 1024) and the performance presented in Table 4 is just divided by two.

References

  1. Albrecht, M.R., Cocis, C., Laguillaumie, F., Langlois, A.: Implementing candidate graded encoding schemes from ideal lattices. Cryptology ePrint Archive, Report 2014/928 (2014). http://eprint.iacr.org/2014/928

  2. Albrecht, M.R., Fitzpatrick, R., Göpfert, F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 293–310. Springer, Heidelberg (2014)

    Google Scholar 

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015). http://eprint.iacr.org/2015/046

  4. Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  5. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012, pp. 309–325. ACM, January 2012

    Google Scholar 

  6. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013

    Google Scholar 

  7. Dai, W., Doröz, Y., Sunar, B.: Accelerating NTRU based homomorphic encryption using GPUs. In: IEEE High Performance Extreme Computing Conference, HPEC 2014, Waltham, MA, USA, 9–11 September 2014, pp. 1–6. IEEE (2014)

    Google Scholar 

  8. Doröz, Y., Shahverdi, A., Eisenbarth, T., Sunar, B.: Toward practical homomorphic evaluation of block ciphers using prince. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014 Workshops. LNCS, vol. 8438, pp. 208–220. Springer, Heidelberg (2014)

    Google Scholar 

  9. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  10. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014)

    Google Scholar 

  11. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015)

    Google Scholar 

  12. El Bansarkhani, R., Buchmann, J.: High performance lattice-based CCA-secure encryption. Cryptology ePrint Archive, Report 2015/042 (2015). http://eprint.iacr.org/2015/042

  13. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  14. Göttert, N., Feller, T., Schneider, M., Buchmann, J., Huss, S.: On the design of hardware building blocks for modern lattice-based encryption schemes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 512–529. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  15. Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  16. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014)

    Google Scholar 

  17. Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015)

    Google Scholar 

  18. Hart, W., et al.: Fast library for number theory (Version 2.5) (2015). http://www.flintlib.org

  19. Harvey, D.: Faster arithmetic for number-theoretic transforms. J. Symb. Comput. 60, 113–119 (2014)

    Article  MATH  Google Scholar 

  20. Itkis, G.: Forward security, adaptive cryptography: time evolution (2004). http://www.cs.bu.edu/fac/itkis/pap/forward-secure-survey.pdf

  21. Khedr, A., Gulak, G., Vaikuntanathan, V.: SHIELD: scalable homomorphic implementation of encrypted data-classifiers. Cryptology ePrint Archive, Report 2014/838 (2014). http://eprint.iacr.org/2014/838

  22. Lepoint, T., Naehrig, M.: A comparison of the homomorphic encryption schemes \({\sf FV}\) and \({\sf YASHE}\). In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 318–335. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  23. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  24. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  25. Moller, N., Granlund, T.: Improved division by invariant integers. IEEE Trans. Comput. 60(2), 165–175 (2011)

    Article  MathSciNet  Google Scholar 

  26. Oder, T., Pöppelmann, T., Güneysu, T.: Beyond ECDSA and RSA: lattice-based digital signatures on constrained devices. In: The 51st Annual Design Automation Conference 2014, DAC 2014, San Francisco, CA, USA, 1–5 June 2014, pp. 1–6 (2014)

    Google Scholar 

  27. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  28. Pollard, J.M.: The fast Fourier transform in a finite field. Math. Comput. 25(114), 365–374 (1971)

    Article  MathSciNet  MATH  Google Scholar 

  29. Pöppelmann, T., Güneysu, T.: Towards efficient arithmetic for lattice-based cryptography on reconfigurable hardware. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 139–158. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  30. Shoup, V.: Number theory library (Version 8.1) (2015). http://www.shoup.net/ntl

  31. Steffen, A., et al.: strongSwan (Version 5.2.2) (2015). https://www.strongswan.org/

Download references

Acknowledgements

This work has been supported in part by the European Union’s H2020 Programme under grant agreement number ICT-644209 and by French’s FUI project CRYPTOCOMP.

Author information

Authors and Affiliations

  1. INP-ENSEEIHT, CNRS, IRIT, Université de Toulouse, Toulouse, France

    Carlos Aguilar-Melchor

  2. CNRS, LAAS, Université de Toulouse, Toulouse, France

    Joris Barrier & Marc-Olivier Killijian

  3. Quarkslab, Paris, France

    Serge Guelton & Adrien Guinet

  4. CryptoExperts, Paris, France

    Tancrède Lepoint

Authors
  1. Carlos Aguilar-Melchor
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Joris Barrier
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Serge Guelton
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Adrien Guinet
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Marc-Olivier Killijian
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Tancrède Lepoint
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tancrède Lepoint .

Editor information

Editors and Affiliations

  1. NEC Cloud Systems Research Laboratories, Kawasaki, Japan

    Kazue Sako

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Aguilar-Melchor, C., Barrier, J., Guelton, S., Guinet, A., Killijian, MO., Lepoint, T. (2016). NFLlib: NTT-Based Fast Lattice Library. In: Sako, K. (eds) Topics in Cryptology - CT-RSA 2016. CT-RSA 2016. Lecture Notes in Computer Science(), vol 9610. Springer, Cham. https://doi.org/10.1007/978-3-319-29485-8_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-29485-8_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29484-1

  • Online ISBN: 978-3-319-29485-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation