Cryptology ePrint Archive: Report 2020/1602

Speeding-up Ideal Lattice-Based Key Exchange Using a RSA/ECC Coprocessor

Aurélien Greuet and Simon Montoya and Guénaël Renault

Abstract: Polynomial multiplication is one of the most costly operations of ideal lattice-based cryptosystems. In this work, we study its optimization when one of the operand has coefficients close to 0. We focus on this structure since it is at the core of lattice-based Key Exchange Mechanisms submitted to the NIST call for post-quantum cryptography. In particular, we propose optimization of this operation for embedded devices by using a RSA/ECC coprocessor that provides efficient large-integer arithmetic. In this context, we compare Kronecker Substitution, already studied by Albrecht et al. in TCHES 2019, with two specific algorithms that we introduce: KSV, a variant of this substitution, and an adaptation of the schoolbook multiplication, denoted Shift&Add. All these algorithms rely on the transformation of polynomial multiplication to large-integer arithmetic. Then, thanks to these algorithms, existing coprocessors dedicated to large-integer can be re-purposed in order to speed-up post-quantum schemes. The efficiency of these algorithms depends on the component specifications and the cryptosystem parameters set. Thus, we establish a methodology to determine which algorithm to use, for a given component, by only implementing basic large-integer operations. Moreover, the three algorithms are assessed on a chip ensuring that the theoretical methodology matches with practical results. They are also compared to reference software implementations such as NTT or schoolbook multiplication.

Category / Keywords: implementation / Post-Quantum Lattice-based Cryptography, Polynomial Multplication, Smart Cards

Date: received 24 Dec 2020

Contact author: simon montoya at idemia com

Available format(s): PDF | BibTeX Citation

Version: 20201227:131401 (All versions of this report)

Short URL: ia.cr/2020/1602