Paper 2020/321

Compact domain-specific co-processor for accelerating module lattice-based key encapsulation mechanism

Jose Maria Bermudo Mera, Furkan Turan, Angshuman Karmakar, Sujoy Sinha Roy, and Ingrid Verbauwhede


We present a domain-specific co-processor to speed up Saber, a post-quantum key encapsulation mechanism competing on the NIST Post-Quantum Cryptography standardization process. Contrary to most lattice-based schemes, Saber doesn’t use NTT-based polynomial multiplication. We follow a hardware-software co-design approach: the execution is performed on an ARM core and only the most computationally expensive operation, i.e., polynomial multiplication, is offloaded to the co-processor to obtain a compact design. We exploit the idea of distributed computing at micro-architectural level together with novel algorithmic optimizations to achieve approximately a 6 times speedup with respect to optimized software at a small area cost.

Note: Update with the acknowledgements and a missing reference

Available format(s)
Publication info
Published elsewhere. MINOR revision.DAC 2020 - 57th Design and Automation Conference
Domain-specific co-processorpost-quantum cryptographylattice- based cryptographySaber
Contact author(s)
Jose Bermudo @ esat kuleuven be
2020-04-04: revised
2020-03-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jose Maria Bermudo Mera and Furkan Turan and Angshuman Karmakar and Sujoy Sinha Roy and Ingrid Verbauwhede},
      title = {Compact domain-specific co-processor for accelerating module lattice-based key encapsulation mechanism},
      howpublished = {Cryptology ePrint Archive, Paper 2020/321},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.