Faster Multiplication in $$\mathbb {Z}_{2^m}[x]$$ on Cortex-M4 to Speed up NIST PQC Candidates

Kannwischer, Matthias J.; Rijneveld, Joost; Schwabe, Peter

doi:10.1007/978-3-030-21568-2_14

Cited by 29 publications

(38 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 7 shows the results for polynomial multiplication for NTRU for the four different polynomial degrees used in ntruhps2048509, ntruhps2048677, ntruhrss701, and ntruhps4096821. On the Cortex-M4, for the smallest polynomial size n = 509, our implementation using NTTs is performing only slightly better than the Toom4 implementation [KRS19]. For the larger sizes, the cost reduction on the Cortex-M4 is more pronounced with 10% or more.…”

Section: Saber Resultsmentioning

confidence: 81%

“…Benchmarking setup for the Cortex-M4. Our benchmarking setup is based on the pqm4 [KRSS] benchmarking framework and as such produces comparable cycle counts to previous work [BMKV20,KRS19]. We target the STM32F407-DISCOVERY board which has a STM32F407VG core.…”

Section: Resultsmentioning

confidence: 99%

“…Performance results in clock cycles for NTRU[KRS19] only reports cycle counts for the CCA-secure ntruhrss701 from the first round of the NIST competition. Cycle counts in this table are our own benchmarks of the second round code contained in pqm4[KRSS].…”

mentioning

confidence: 99%

See 2 more Smart Citations

NTT Multiplication for NTT-unfriendly Rings

Chung

Hwang

Kannwischer

et al. 2021

TCHES

Self Cite

View full text Add to dashboard Cite

In this paper, we show how multiplication for polynomial rings used in the NIST PQC finalists Saber and NTRU can be efficiently implemented using the Number-theoretic transform (NTT). We obtain superior performance compared to the previous state of the art implementations using Toom–Cook multiplication on both NIST’s primary software optimization targets AVX2 and Cortex-M4. Interestingly, these two platforms require different approaches: On the Cortex-M4, we use 32-bit NTT-based polynomial multiplication, while on Intel we use two 16-bit NTT-based polynomial multiplications and combine the products using the Chinese Remainder Theorem (CRT).For Saber, the performance gain is particularly pronounced. On Cortex-M4, the Saber NTT-based matrix-vector multiplication is 61% faster than the Toom–Cook multiplication resulting in 22% fewer cycles for Saber encapsulation. For NTRU, the speed-up is less impressive, but still NTT-based multiplication performs better than Toom–Cook for all parameter sets on Cortex-M4. The NTT-based polynomial multiplication for NTRU-HRSS is 10% faster than Toom–Cook which results in a 6% cost reduction for encapsulation. On AVX2, we obtain speed-ups for three out of four NTRU parameter sets.As a further illustration, we also include code for AVX2 and Cortex-M4 for the Chinese Association for Cryptologic Research competition award winner LAC (also a NIST round 2 candidate) which outperforms existing code.

show abstract

Section: Saber Resultsmentioning

confidence: 81%

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

NTT Multiplication for NTT-unfriendly Rings

Chung

Hwang

Kannwischer

et al. 2021

TCHES

Self Cite

View full text Add to dashboard Cite

show abstract

“…The mathematical fundamental is Ring-LWE introduced in [11,12], and the mathematical carrier is the polynomial rings. Recent work [13] implemented arithmetic in the polynomial ring with algorithms of Karatsuba [14] and ToomCook [15,16]. For Kyber, the original ring Z[X]/(X n +1) is denoted by R where n = 2 n ′ −1 such that X n +1 is the 2 n ′ −1 -th cyclotomic polynomial.…”

Section: Implementation Analysis Of Kyber Algorithmmentioning

confidence: 99%

A pure hardware implementation of CRYSTALS-KYBER PQC algorithm through resource reuse

Huang

Lei

et al. 2020

IEICE Electron. Express

View full text Add to dashboard Cite

This paper presents a pure hardware implementation of CRYSTALS-KYBER algorithm on Xilinx FPGAs. CRYSTALS-KYBER is one of 26 candidate algorithms in Round 2 of NIST Post-Quantum Cryptography (PQC) standardization process. The proposed design focuses on maximizing resource utilization by reusing most of the functional modules in the encapsulation and decapsulation processes of the algorithm. For instance, the hash module integrates several different hash functions in one module. Efficient parallel and pipelined computations are applied in the NTT module. Through the analysis of simulation and synthesis results, it is found that the proposed work has the advantages of higher frequencies and lower execution times. The scheme operates at 155 MHz and 192 MHz frequencies on Xilinx Artix-7 and Virtex-7 FPGAs, respectively. Compared with the performance of an embedded Cortex-M4 processor, the hardware implementation can achieve a maximum speedup of 129 times for encryption/decryption.

show abstract

“…The polynomial multiplication in R q is side-channel informative and computationally intensive, so the majority of optimizations for NTRU-like cryptosystems focus on this operation [SDC09,BCLvV16,HRSS17,DWZ18,KRS19]. The pursuit of faster implementations is not only for performance improvement but also for side-channel leakage suppression.…”

Section: Ntru Prime Optimized Using Smladxmentioning

confidence: 99%

Power Analysis on NTRU Prime

Huang¹,

Chen²,

Yang³

2019

TCHES

View full text Add to dashboard Cite

This paper applies a variety of power analysis techniques to several implementations of NTRU Prime, a Round 2 submission to the NIST PQC Standardization Project. The techniques include vertical correlation power analysis, horizontal indepth correlation power analysis, online template attacks, and chosen-input simple power analysis. The implementations include the reference one, the one optimized using smladx, and three protected ones. Adversaries in this study can fully recover private keys with one single trace of short observation span, with few template traces from a fully controlled device similar to the target and no a priori power model, or sometimes even with the naked eye. The techniques target the constant-time generic polynomial multiplications in the product scanning method. Though in this work they focus on the decapsulation, they also work on the key generation and encapsulation of NTRU Prime. Moreover, they apply to the ideal-lattice-based cryptosystems where each private-key coefficient comes from a small set of possibilities.

show abstract

Faster Multiplication in $$\mathbb {Z}_{2^m}[x]$$ on Cortex-M4 to Speed up NIST PQC Candidates

Cited by 29 publications

References 17 publications

NTT Multiplication for NTT-unfriendly Rings

NTT Multiplication for NTT-unfriendly Rings

A pure hardware implementation of CRYSTALS-KYBER PQC algorithm through resource reuse

Power Analysis on NTRU Prime

Contact Info

Product

Resources

About