Cryptology ePrint Archive: Report 2018/682

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM

Angshuman Karmakar and Jose Maria Bermudo Mera and Sujoy Sinha Roy and Ingrid Verbauwhede

Abstract: The CCA-secure lattice-based post-quantum key encapsulation scheme Saber is a candidate in the NIST's post-quantum cryptography standardization process. In this paper, we study the implementation aspects of Saber in resource-constrained microcontrollers from the ARM Cortex-M series which are very popular for realizing IoT applications. In this work, we carefully optimize various parts of Saber for speed and memory. We exploit digital signal processing instructions and efficient memory access for a fast implementation of polynomial multiplication. We also use memory efficient Karatsuba and just-in-time strategy for generating the public matrix of the module lattice to reduce the memory footprint. We also show that our optimizations can be combined with each other seamlessly to provide various speed-memory trade-offs. Our speed optimized software takes just 1,147K, 1,444K, and 1,543K clock cycles on a Cortex-M4 platform for key generation, encapsulation and decapsulation respectively. Our memory efficient software takes 4,786K, 6,328K, and 7,509K clock cycles on an ultra resource-constrained Cortex-M0 platform for key generation, encapsulation, and decapsulation respectively while consuming only 6.2 KB of memory at most. These results show that lattice-based key encapsulation schemes are perfectly practical for securing IoT devices from quantum computing attacks.

Category / Keywords: public-key cryptography / Key encapsulation scheme, post-quantum cryptography, lattice-based cryptography, efficient software, Saber

Original Publication (with minor differences): IACR-CHES-2018

Date: received 16 Jul 2018, last revised 5 Mar 2020

Contact author: angshuman karmakar at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Note: Updated with the new repository link.

Version: 20200305:184948 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]