Cryptology ePrint Archive: Report 2016/758

NewHope on ARM Cortex-M

Erdem Alkim and Philipp Jakubeit and Peter Schwabe

Abstract: Recently, Alkim, Ducas, Pöppelmann, and Schwabe proposed a Ring-LWE-based key exchange protocol called NewHope (Usenix Securitz 2016) and illustrated that this protocol is very efficient on large Intel processors. Their paper also claims that the parameter choice enables efficient implementation on small embedded processors. In this paper we show that these claims are actually correct and present NewHope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifically, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation by the designers of NewHope and then carefully optimizes subroutines in assembly. In particular, compared to best results known so far, our NTT implementation achieves a speedup of almost a factor of 2 on the Cortex-M4. Our Cortex-M0 NTT software slightly outperforms previously best results on the Cortex-M4, a much more powerful processor. In total, the server side of the key exchange executes in only 1,476,101 cycles on the M0 and only 834,524 cycles on the M4; the client side executes in 1,760,837 cycles on the M0 and 982,384 cycles on the M4.

Category / Keywords: implementation / Post-quantum key exchange, Ring-LWE, embedded microcontroller, NTT.

Original Publication (with minor differences): Security, Privacy, and Applied Cryptography Engineering

Date: received 5 Aug 2016, last revised 18 Oct 2019

Contact author: erdemalkim at gmail com, peter at cryptojedi org

Available format(s): PDF | BibTeX Citation

Version: 20191018:180611 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]