Abstract
Generating, uniformly at random, a binary or a ternary string with a fixed length \(L\) and a prescribed weight \(W\) is a step in several quantum safe cryptosystems (e.g., BIKE, NTRUEncrypt, NTRU LPrime, Lizard, McEliece).
This fixed-weight vector generation is often implemented via a shuffling method or a rejection method, but not always in a “constant time”, side channel protected flow. A recently suggested constant time algorithm for this problem uses Network Sorting and turns out to be quite efficient. This paper proposes a new method for this computation, with a side channel protected implementation. We compare it to the other methods for different combinations of \(L\) and \(W\) values. Our method turns out to be the fastest approach for the cases where \(L\) is (relatively) short and \(0.1 < W/L\le 0.5\). For example, this range falls within the parameters of NTRU LPrime, where our method achieves a \(3\times \) speedup in the string generation. This leads to an overall \(1.14 \times \) speedup for the NTRU LPrime key generation.
Notes
1. “Constant time” is the standard term for algorithms/implementations that are secure against (some) side channel attacks. Other terms that are used are “side channel protected” and “Isochronous”.
2. Differential power attacks and fault injection attacks are outside the scope of this paper.
3. \(L=\) 128, 251, 437, 512, 761, 1,024, 1,493, 2,048, 4,096, 5,312, 8,192, 6,451, 10,163, 16,384, 24,567, 32,749, 32,768, 65,536.
4. \(W=\) 10, 30, 50, 71, 110, 250, 286, 350, 512, 897, 1,200, 1,900, 2,500, 3,012, 3,981, 4,196, 4,691, 5,890, 7,891, 9,801, 12,010, 14,909, 15,901, 19,876, 23,090, 27,090, 32,123, 40,954, 51,209, 52,908, 59,908, 65,536.
5. Note that SUPERCOP uses checksums that were generated by running NTRU LPrime with its original Sorting method. Thus, to use SUPERCOP for measuring the performance with our (different) method, we removed the checksums.
Acknowledgments
We thank an anonymous reviewer for the comment that led to Algorithm 6. This research was supported by: The Israel Science Foundation (grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.
Appendices
A A variant of the RepeatedAND method
Step 13 of Algorithm 4 (\(\bar{A} = \bar{A} \wedge A_j\)) can be replaced with \(\bar{A} = \bar{A} \wedge \lnot A_j\) without affecting the correctness or the performance characteristics of the algorithm. This is because
and
Algorithm 6 is a variant of Algorithm 4 that leverages this fact. It replaces Step 13 in Algorithm 4 with Steps 13–19. The following example illustrates this optimization.
Example 6
Let \(L=2,048\), \(W=500\), and assume that \(wt(A_0)=1,024\) and \(wt(A_0 \wedge A_1) = 524\). Then \(wt(A_0 \wedge \lnot A_1) = 1,024 - 524 = 500 = W\). Therefore, Algorithm 6 ends after one round, while Algorithm 4 ends after at least two rounds.
Algorithm 6 is only one example of a greedy algorithm that uses (2) to optimize Algorithm 4. Other optimizations may apply for specific choices of \(L\) and \(W\). For example, when \(L=2,048\) and \(W=200\), a sequence \({\bar{A}}_{i \ge 0} = \{\ldots , 800, 400, 200\}\) will probably lead to a smaller number of rounds compared to the expected sequence \({\bar{A}}_{i \ge 0} = \{\ldots , 512, 256, 128\}\).
B Bounding the probability that the RepeatedAND algorithm does not stop
In theory, Algorithm 4 can enter an infinite loop if \(wt(A)\) does not change infinitely many times at (a) Step 13; (b) Step 15.
We first explain (heuristically) the claim in Lemma 1 that Algorithm 4 stops almost surely (i.e., the probability that it does not stop is negligible). We start by calculating the probability that the loop in Steps 10–14 ends after \(L-w\) iterations. Suppose that the vector \(A\) with weight \(x=wt(A)\) is converted to the vector \(A'\) with \(y=wt(A')\) at the end of a single iteration. If \(y \le w\) the loop ends. We consider the Markov chain that corresponds to the transition from \(x\) to \(y\), where we label the \(L+1\) weights (states) by \(0, \ldots , L\). The transition matrix \(P_{x,y}\) is:
In particular, \(P_{x,x} = \frac{1}{2^x} < \frac{1}{2^w}\) for \(x > w\). Denote by \(X\sim Geo(1-P_{x,x})\) the geometric random variable that counts the number of iterations until a state change occurs (\(y \ne x\)). Then for some k
If \(x > y\) in at least \(L-w\) iterations we get \(y < w\) (because every iteration reduces the weight by at least 1). Since the loop iterations are independent, after at most \(k(L-w)\) iterations we get (if \(2^{kw}\ge 5\))
where \(\delta _{L, w, k} = \frac{L-w}{2^{(kw-1)}}\). For example, in the first round of NTRU LPrime, \(L=761\), \(w=250\), we get \(\delta _{761, 250, 1} = \dfrac{511}{2^{250-1}} \approx \dfrac{1}{2^{239}}\). Consequently, the probability that the loop ends after at most \(k(L-w)=511\) iterations is almost 1. To bound the number of iterations when \(\delta _{L, w, k} > 1\), we first choose some \(1< w_1 < w\) such that \(\delta _{L, w_1, 1} < 1\) and then continue recursively. For example, if \(L=761\), \(w=1\), we choose \(w_1 = 21\), and get \(\delta _{761, 21, 1} = \dfrac{740}{2^{20}} < \dfrac{1}{2^{10}}\). Thus, after \(L-w_1\) iterations \(P(wt(A) \le 20) > \sqrt[2^{10}]{0.5} \approx 0.999\). Subsequently, we set \(k_2=16\) such that with \(k_2(w_1 - w) = k_2(21 - 1) = 20 k_2\) additional iterations we get \(\delta _{w_1, w, k_2} = \dfrac{20}{2^{k_2-1}} < \dfrac{1}{2^{10}}\) and the probability \(P(wt(A) \le w) > \sqrt[2^{10}]{0.5} \approx 0.999\). Consequently, the loop ends within \((L-w_1) + 20 k_2\) iterations with probability at least 0.999. Obviously, a different choice of parameters can lead to a probability that is closer to 1.
Case (b) is the case where \(y=0\) for an infinite number of rounds of the external loop (Steps 6–17), i.e., the Markov chain hits the absorbing state with weight 0 an infinite number of times. The probability to hit this absorbing state is \(0< h_{n,0} < \frac{1}{2^w}\) (for every \(x < w\), \(P_{x,0} = \frac{1}{2^x} < \frac{1}{2^w}\)) and by the same reasoning as above, the probability to avoid it in a bounded number of rounds/attempts is close to 1.
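The following Python model is added here and is not code from the paper. It reproduces the weight dynamics that Appendices A and B describe: the inner loop that ANDs the working vector with fresh uniformly random vectors until its weight drops to at most \(w\), the stay probability \(P_{x,x}=2^{-x}\), the bound \(\delta_{L,w,k}\), and the Example 6 step in which the Algorithm 6 variant chooses \(\bar{A}\wedge\lnot A_j\) over \(\bar{A}\wedge A_j\). Two parts are our reading of the text rather than the paper's listings, which are not on this page: the outer round structure (disjoint low-weight pieces are OR-ed into the result until its weight reaches \(W\), a weight-0 piece being the wasted "absorbing state" round) and the greedy selection rule (prefer a candidate weight at or above the remaining target, then the closest one). Python integers stand in for \(L\)-bit vectors; the model is not constant time and serves only to illustrate termination behaviour.

```python
import random
from typing import Optional, Tuple


def wt(a: int) -> int:
    """Hamming weight of an integer used as a bit vector."""
    return bin(a).count("1")


def stay_probability(x: int) -> float:
    """P_{x,x} = 2^-x: the weight is unchanged only if all x set bits survive
    the AND with a uniformly random vector (Appendix B)."""
    return 2.0 ** -x


def delta(L: int, w: int, k: int) -> float:
    """delta_{L,w,k} = (L-w)/2^(kw-1) from Appendix B: the bound on the probability
    that the inner loop needs more than k(L-w) iterations to reach weight <= w."""
    return (L - w) / 2 ** (k * w - 1)


def pick(a: int, aj: int, w: int, L: int, greedy: bool) -> int:
    """One inner-loop step.  Algorithm 4 (greedy=False) takes A AND A_j.
    For the Algorithm 6 variant (greedy=True) the choice between A AND A_j and
    A AND NOT A_j is modelled as: prefer a weight >= w, then the weight closest
    to w.  This rule is an assumption; the paper's exact rule is not on this page."""
    mask = (1 << L) - 1
    cand = a & aj
    if not greedy:
        return cand
    alt = a & ~aj & mask  # A AND NOT A_j, masked back to L bits

    def score(c: int) -> Tuple[bool, int]:
        d = wt(c) - w
        return (d < 0, abs(d))  # False sorts before True, so d >= 0 wins first

    return min((cand, alt), key=score)


def reduce_weight(a: int, w: int, L: int, rng: random.Random,
                  greedy: bool = False) -> Tuple[int, int]:
    """Inner loop (Steps 10-14): AND with fresh random vectors until wt(a) <= w.
    Returns the vector and the number of iterations it took."""
    iters = 0
    while wt(a) > w:
        a = pick(a, rng.getrandbits(L), w, L, greedy)
        iters += 1
    return a, iters


def fixed_weight(L: int, W: int, rng: Optional[random.Random] = None,
                 greedy: bool = False, max_rounds: int = 10_000) -> Tuple[int, int, int]:
    """Outer loop (Steps 6-17) as modelled here: accumulate pieces disjoint from R,
    each of weight <= W - wt(R), until wt(R) == W.  A piece of weight 0 is the
    absorbing state of Appendix B: the round adds nothing and is simply repeated.
    Returns (R, rounds, total AND iterations)."""
    rng = rng or random.Random()  # seed for reproducibility; use secrets.SystemRandom for keys
    mask = (1 << L) - 1
    R, rounds, iters = 0, 0, 0
    while wt(R) < W:
        if rounds >= max_rounds:  # guards the model only; Appendix B bounds this
            raise RuntimeError("round budget exceeded")
        w = W - wt(R)
        a = rng.getrandbits(L) & ~R & mask  # fresh vector disjoint from R (assumption)
        a, it = reduce_weight(a, w, L, rng, greedy)
        R |= a  # disjointness makes wt(R) grow by exactly wt(a), so W is never overshot
        rounds += 1
        iters += it
    return R, rounds, iters


if __name__ == "__main__":
    # NTRU LPrime parameters quoted in Appendix B: L = 761, W = 250.
    for greedy in (False, True):
        R, rounds, iters = fixed_weight(761, 250, random.Random(2019), greedy)
        print(f"greedy={greedy}: wt={wt(R)} rounds={rounds} AND-steps={iters}")
    print(f"delta(761,250,1)={delta(761, 250, 1):.3g}  delta(761,21,1)={delta(761, 21, 1):.3g}")
```

Running it with the Example 6 values (`pick` on a 1,024-weight \(A_0\) and an \(A_1\) sharing 524 of its bits, with \(w=500\)) returns the 500-weight candidate under the greedy rule and the 524-weight one under plain AND, matching the appendix; the NTRU LPrime run shows how few rounds are wasted on weight-0 pieces in practice.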
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Drucker, N., Gueron, S. (2019). Generating a Random String with a Fixed Weight. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_13
DOI: https://doi.org/10.1007/978-3-030-20951-3_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20950-6
Online ISBN: 978-3-030-20951-3