
The Matrix Reloaded: Multiplication Strategies in FrodoKEM

  • Conference paper
  • Cryptology and Network Security (CANS 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13099)

Abstract

Lattice-based schemes are promising candidates to replace the current public-key cryptographic infrastructure in the wake of the looming threat of quantum computers. One of the Round 3 candidates of the ongoing NIST post-quantum standardization effort is FrodoKEM. It was designed to provide conservative security, which comes with the caveat that implementations are often bigger and slower compared to alternative schemes. In particular, the most time-consuming arithmetic operation of FrodoKEM is the multiplication of matrices with entries in \(\mathbb {Z}_q\).

In this work, we investigate the performance of different matrix multiplication approaches in the specific setting of FrodoKEM. We consider both optimized “naïve” matrix multiplication with cubic complexity and the Strassen multiplication algorithm, which has a lower asymptotic run-time complexity. Our results show that for the proposed parameter sets of FrodoKEM we can improve over the state-of-the-art implementation with a row-wise blocking and packing approach, denoted as RWCF in the following. For the matrix multiplication in FrodoKEM, this results in a factor-of-two speed-up. The impact of these improvements on the full decapsulation operation is up to 22%. We additionally show that for batching use cases, where many inputs are processed at once, the Strassen approach can be the best choice from batch size 8 upwards. For a practically relevant batch size of 128 inputs the observed speed-up is in the range of 5 to 11% over using the efficient RWCF approach, and this speed-up grows with the batch size.
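The following is an added worked example, written for this page and not taken from the paper or from the FrodoKEM reference implementation. It puts the three ideas of the abstract side by side on toy-sized inputs: a cubic schoolbook product over \(\mathbb {Z}_q\) with the inner loop streaming over rows of the right operand (the access pattern a blocked and packed kernel also relies on), a Strassen product that trades eight half-size multiplications for seven, and the batching trick of gluing several narrow secret matrices into one wide operand so that a single large multiplication replaces many small ones. The modulus Q = 2**15, the cutoff at which Strassen falls back to schoolbook, the matrix dimensions and every function name are assumptions of this illustration, not values or code from the paper.

```python
"""Matrix multiplication over Z_q as used in FrodoKEM: schoolbook vs Strassen,
plus batching of several narrow right-hand operands into one wide product.
Added example, not code from the paper or from the FrodoKEM reference
implementation. Q = 2**15 is an assumed example power-of-two modulus and all
dimensions below are toy-sized."""
import random

Q = 1 << 15  # assumed example modulus (a power of two, as in FrodoKEM)


def matmul_naive(a, b, q=Q):
    """Cubic schoolbook product of a (m x k) by b (k x n), entries reduced mod q.
    The i-k-j loop order streams over whole rows of b; reduction is deferred
    to the end of each output row (with q = 2**16 a uint16 accumulator in C
    would wrap to the reduced value for free)."""
    m, k, n = len(a), len(b), len(b[0])
    c = [[0] * n for _ in range(m)]
    for i in range(m):
        ci, ai = c[i], a[i]
        for t in range(k):
            ait, bt = ai[t], b[t]
            for j in range(n):
                ci[j] += ait * bt[j]
        for j in range(n):
            ci[j] %= q
    return c


def _elem(op, x, y, q):
    """Elementwise (x op y) mod q for two equally shaped matrices."""
    return [[op(u, v) % q for u, v in zip(rx, ry)] for rx, ry in zip(x, y)]


def _quadrants(x):
    """Split x (even row and column counts) into four equal blocks."""
    h, w = len(x) // 2, len(x[0]) // 2
    return ([r[:w] for r in x[:h]], [r[w:] for r in x[:h]],
            [r[:w] for r in x[h:]], [r[w:] for r in x[h:]])


def matmul_strassen(a, b, q=Q, cutoff=8):
    """Strassen product of a (m x k) by b (k x n) mod q: seven half-size
    products instead of eight, hence O(n^2.81) rather than O(n^3). Falls back
    to the schoolbook kernel when a dimension is odd or at most `cutoff`
    (the cutoff value is an arbitrary choice for this example)."""
    m, k, n = len(a), len(b), len(b[0])
    if min(m, k, n) <= cutoff or m % 2 or k % 2 or n % 2:
        return matmul_naive(a, b, q)
    add = lambda x, y: _elem(lambda u, v: u + v, x, y, q)
    sub = lambda x, y: _elem(lambda u, v: u - v, x, y, q)
    rec = lambda x, y: matmul_strassen(x, y, q, cutoff)
    a11, a12, a21, a22 = _quadrants(a)
    b11, b12, b21, b22 = _quadrants(b)
    m1 = rec(add(a11, a22), add(b11, b22))
    m2 = rec(add(a21, a22), b11)
    m3 = rec(a11, sub(b12, b22))
    m4 = rec(a22, sub(b21, b11))
    m5 = rec(add(a11, a12), b22)
    m6 = rec(sub(a21, a11), add(b11, b12))
    m7 = rec(sub(a12, a22), add(b21, b22))
    c11 = add(sub(add(m1, m4), m5), m7)
    c12 = add(m3, m5)
    c21 = add(m2, m4)
    c22 = add(add(sub(m1, m2), m3), m6)
    return ([r1 + r2 for r1, r2 in zip(c11, c12)]
            + [r1 + r2 for r1, r2 in zip(c21, c22)])


def batched_product(a, s_list, q=Q, mul=matmul_strassen):
    """Multiply one public matrix a (n x n) by many narrow secrets s_i (n x nbar)
    at once: concatenate the s_i column-wise into an n x (nbar * batch) matrix,
    run one wide multiplication, then slice the result back per input."""
    nbar = len(s_list[0][0])
    wide = [sum((s[i] for s in s_list), []) for i in range(len(a))]
    prod = mul(a, wide, q)
    return [[row[j * nbar:(j + 1) * nbar] for row in prod]
            for j in range(len(s_list))]


def random_matrix(rows, cols, q=Q, rng=random.Random(1)):
    """Constructed test input: uniform entries in Z_q (a stand-in for A)."""
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]


def self_check(n=32, nbar=8, batch=8):
    """True when Strassen, schoolbook and the batched path all agree."""
    a = random_matrix(n, n)
    secrets = [random_matrix(n, nbar) for _ in range(batch)]
    per_input = [matmul_naive(a, s) for s in secrets]
    return (batched_product(a, secrets) == per_input
            and matmul_strassen(a, secrets[0]) == per_input[0])


if __name__ == "__main__":
    print("all multiplication strategies agree:", self_check())
```

Note that a single narrow product (n x n times n x 8) never reaches the Strassen recursion here, because the smallest dimension is already at the cutoff; only once several inputs are batched into a wide operand does the recursion pay off, which mirrors the abstract's observation that Strassen becomes attractive from batch size 8 upwards. The fixed-seed generator and the modulus are there only to make the check reproducible offline.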

M. Ofner—This work was performed while this author was an internship student at NXP Semiconductors.


Notes

  1. https://github.com/microsoft/PQCrypto-LWEKE commit 5c3123f.


Author information


Correspondence to Tobias Schneider.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Bos, J.W., Ofner, M., Renes, J., Schneider, T., van Vredendaal, C. (2021). The Matrix Reloaded: Multiplication Strategies in FrodoKEM. In: Conti, M., Stevens, M., Krenn, S. (eds) Cryptology and Network Security. CANS 2021. Lecture Notes in Computer Science, vol. 13099. Springer, Cham. https://doi.org/10.1007/978-3-030-92548-2_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92548-2_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92547-5

  • Online ISBN: 978-3-030-92548-2