D6.7 Document of specifications for hardware implementations
Contributing Partners
CEA
Executive Summary
This document describes the specications of the selected cryptographic scheme for hardware implementation. The objective is to implement a redactable signature scheme that is robust to attacks with quantum computers. This redactable scheme will serve as a selective disclosure component that could be used in the e-health or smart-cities use cases. Redactable signature schemes are detailed in deliverable D4.4 [SHD+16]. They use a conventional signature scheme as a core component, but are vulnerable to attacks based on Shor's algorithm [Sho99]
implemented over a quantum computer. The post-quantum resistance requirement leads to the selection of a different technology: lattice-based cryptography [MR09]. The state-of-the-art of the implementation of lattice-based signature schemes is thus reviewed in order to select the most efficient algorithm that will be integrated in our redactable scheme. We finally chose the Bimodal Lattice Signature Scheme (BLISS) that is efficient, mature enough and supported by the SAFECrypto project (ICT-644729, http://www.safecrypto.eu/). It is thus described and
the complexity of its main components is analyzed.
A cryptographic accumulator is also a core component of a redactable signature scheme. The implementation based on Merkel trees is thus presented. Its may advantage is once again its resistance to attacks with quantum computers. The hardware implementation of a redactable signature scheme aims at providing tamper resistance and high speed. Even a correct hardware implementation of a strong cryptographic algorithm is not necessarily secure, since information about the secret key may leak through physical measurements such as power consumption, electromagnetic radiations or the timing of operations. This vulnerability has led to a large number of attacks, denoted side channel attacks. On the other hand, countermeasures have also been proposed in the literature to defeat these attacks. The specifications of our hardware must take into account the main attacks and incorporate adequate countermeasures. A review of the main side channel attacks and main countermeasures is proposed. Then we focus on the specic countermeasures dedicated to the main modules of the selected lattice-based signature scheme (e.g. NTT, gaussian sampler). These countermeasures will be implemented if the security evaluation (Task 6.4) reveals some effective vulnerabilities to side channel attacks.
Eventually, specifications of the implementation of the selected redactable signature scheme on a recongurable hardware are presented. The Merkle trees based accumulator and BLISS are the main parts of our post-quantum scheme. Their hardware implementation is presented and
discussed. This gives some inputs for the selection of the target device for the implementation on FPGA.