Paper 2016/758

NewHope on ARM Cortex-M

Erdem Alkim, Philipp Jakubeit, and Peter Schwabe

Abstract

Recently, Alkim, Ducas, Pöppelmann, and Schwabe proposed a Ring-LWE-based key exchange protocol called NewHope (Usenix Securitz 2016) and illustrated that this protocol is very efficient on large Intel processors. Their paper also claims that the parameter choice enables efficient implementation on small embedded processors. In this paper we show that these claims are actually correct and present NewHope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifically, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation by the designers of NewHope and then carefully optimizes subroutines in assembly. In particular, compared to best results known so far, our NTT implementation achieves a speedup of almost a factor of 2 on the Cortex-M4. Our Cortex-M0 NTT software slightly outperforms previously best results on the Cortex-M4, a much more powerful processor. In total, the server side of the key exchange executes in only 1,476,101 cycles on the M0 and only 834,524 cycles on the M4; the client side executes in 1,760,837 cycles on the M0 and 982,384 cycles on the M4.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. Security, Privacy, and Applied Cryptography Engineering
Keywords
Post-quantum key exchangeRing-LWEembedded microcontrollerNTT.
Contact author(s)
erdemalkim @ gmail com
peter @ cryptojedi org
History
2019-10-18: revised
2016-08-10: received
See all versions
Short URL
https://ia.cr/2016/758
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/758,
      author = {Erdem Alkim and Philipp Jakubeit and Peter Schwabe},
      title = {{NewHope} on {ARM} Cortex-M},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/758},
      year = {2016},
      url = {https://eprint.iacr.org/2016/758}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.