Paper 2018/677
Module-lattice KEM Over a Ring of Dimension 128 for Embedded Systems
François Gérard
Abstract
Following the development of quantum computing, the demand for post-quantum alternatives to current cryptosystems has increased markedly in recent years. The main disadvantage of those schemes is the amount of resources needed to implement them in comparison to their classical counterparts. In conjunction with the growth of the Internet of Things, it is crucial to know whether post-quantum algorithms can operate in constrained environments without incurring an unacceptable performance penalty. In this paper, we propose an instantiation of a module-lattice-based KEM working over a ring of dimension 128 using a limited amount of memory at runtime. It can be seen as a lightweight version of Kyber or a module version of Frodo. We propose parameters targeting popular 8-bit AVR microcontrollers and security level 1 of NIST. Our implementation fits in around 2 KB of RAM while still providing reasonable efficiency and 128 bits of security, but at the cost of reduced correctness.
Note: A flaw in this work has been pointed out by Leo Ducas. The CCA-secure transformation cannot be applied to a scheme with such low correctness. Hence, only results about the CPA version of the KEM are relevant.
Metadata
- Publication info
- Preprint. MINOR revision.
- Keywords
- KEM Module lattices AVR embedded
- Contact author(s)
- fragerar @ ulb ac be
- History
- 2018-07-19: revised
- 2018-07-13: received
- Short URL
- https://ia.cr/2018/677
- License
- CC BY
BibTeX
@misc{cryptoeprint:2018/677,
      author = {François Gérard},
      title = {Module-lattice {KEM} Over a Ring of Dimension 128 for Embedded Systems},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/677},
      year = {2018},
      url = {https://eprint.iacr.org/2018/677}
}