Paper 2016/758
A new hope on ARM Cortex-M
Erdem Alkim and Philipp Jakubeit and Peter Schwabe
Abstract
Recently, Alkim, Ducas, Pöppelmann, and Schwabe proposed a Ring-LWE-based key exchange protocol called "NewHope" (Usenix Security'16) and illustrated that this protocol is very effcient on large Intel processors. Their paper also claims that the parameter choice enables effcient implementation on small embedded processors. In this paper we show that these claims are actually correct and present NewHope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifcally, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation by the designers of NewHope and then carefully optimizes subroutines in assembly. In particular, compared to best results known so far, our NTT implementation achieves a speedup of almost a factor of 2 on the Cortex-M4. Our Cortex-M0 NTT software slightly outperforms previously best results on the Cortex-M4, a much more powerful processor. In total, the server side of the key exchange executes in only 1,467,101 cycles on the M0 and only 860,388 cycles on the M4; the client side executes in 1,738,922 cycles on the M0 and 984,761 cycles on the M4.
Metadata
- Available format(s)
- Category
- Implementation
- Publication info
- Preprint. MINOR revision.
- Keywords
- Post-quantum key exchangeRing-LWEembedded microcontrollerNTT.
- Contact author(s)
- erdemalkim @ gmail com
- History
- 2019-10-18: revised
- 2016-08-10: received
- See all versions
- Short URL
- https://ia.cr/2016/758
- License
-
CC BY