Cryptology ePrint Archive: Report 2016/758

A new hope on ARM Cortex-M

Erdem Alkim and Philipp Jakubeit and Peter Schwabe

Abstract: Recently, Alkim, Ducas, Pöppelmann, and Schwabe proposed a Ring-LWE-based key exchange protocol called "NewHope" (Usenix Security'16) and illustrated that this protocol is very effcient on large Intel processors. Their paper also claims that the parameter choice enables effcient implementation on small embedded processors. In this paper we show that these claims are actually correct and present NewHope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifcally, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation by the designers of NewHope and then carefully optimizes subroutines in assembly. In particular, compared to best results known so far, our NTT implementation achieves a speedup of almost a factor of 2 on the Cortex-M4. Our Cortex-M0 NTT software slightly outperforms previously best results on the Cortex-M4, a much more powerful processor. In total, the server side of the key exchange executes in only 1,467,101 cycles on the M0 and only 860,388 cycles on the M4; the client side executes in 1,738,922 cycles on the M0 and 984,761 cycles on the M4.

Category / Keywords: implementation / Post-quantum key exchange, Ring-LWE, embedded microcontroller, NTT.

Date: received 5 Aug 2016

Contact author: erdemalkim at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20160810:203555 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]