Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM

Angshuman Karmakar, Jose Maria Bermudo Mera Bermudo Mera, Sujoy Sinha Roy, Ingrid Verbauwhede

Research output: Contribution to journalArticlepeer-review

73 Downloads (Pure)

Abstract

The CCA-secure lattice-based post-quantum key encapsulation scheme Saber is a candidate in the NIST’s post-quantum cryptography standardization process. In this paper, we study the implementation aspects of Saber in resourceconstrained microcontrollers from the ARM Cortex-M series which are very popular for realizing IoT applications. In this work, we carefully optimize various parts of Saber for speed and memory. We exploit digital signal processing instructions and efficient memory access for a fast implementation of polynomial multiplication. We also use memory efficient Karatsuba and just-in-time strategy for generating the public matrix of the module lattice to reduce the memory footprint. We also show that our optimizations can be combined with each other seamlessly to provide various speed-memory trade-offs. Our speed optimized software takes just 1,147K, 1,444K, and 1,543K clock cycles on a Cortex-M4 platform for key generation, encapsulation and decapsulation respectively. Our memory efficient software takes 4,786K, 6,328K, and 7,509K clock cycles on an ultra resource-constrained Cortex-M0 platform for key generation, encapsulation, and decapsulation respectively while consuming only 6.2 KB of memory at most. These results show that lattice-based key encapsulation schemes are perfectly practical for securing IoT devices from quantum computing attacks.
Original languageEnglish
Pages (from-to)243-266
JournalIACR Transactions on Cryptographic Hardware and Embedded Systems
Volume2018
Issue number3
DOIs
Publication statusPublished - 4 Aug 2018

Keywords

  • Key encapsulation scheme
  • post-quantum cryptography
  • lattice-based cryptography
  • efficient software
  • Saber

Fingerprint

Dive into the research topics of 'Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM'. Together they form a unique fingerprint.

Cite this