Cryptology ePrint Archive: Report 2021/998

Polynomial multiplication on embedded vector architectures

Hanno Becker and Jose Maria Bermudo Mera and Angshuman Karmakar and Joseph Yiu and Ingrid Verbauwhede

Abstract: High-degree, low-precision polynomial arithmetic is a fundamental computational primitive underlying structured lattice based cryptography. Its algorithmic properties and suitability for implementation on different compute platforms is an active area of research, and this article contributes to this line of work: Firstly, we present memory-efficiency and performance improvements for the Toom-Cook/Karatsuba polynomial multiplication strategy. Secondly, we provide implementations of those improvements on Arm® Cortex®-M4 CPU, as well as the newer Cortex-M55 processor, the first M-profile core implementing the M-profile Vector Extension (MVE), also known as Arm® Helium™ technology. We also implement the Number Theoretic Transform (NTT) on the Cortex-M55 processor. We show that despite being single issue, in-order and offering only 8 vector registers compared to 32 on A-profile SIMD architectures like Arm® Neon™ technology and the Scalable Vector Extension (SVE), by careful register management and instruction scheduling, we can obtain a 3× to 5× performance improvement over already highly optimized implementations on Cortex-M4, while maintaining a low area and energy profile necessary for use in embedded market. Finally, as a real-world application we integrate our multiplication techniques to post-quantum key-encapsulation mechanism Saber.

Category / Keywords: public-key cryptography / Post-Quantum Cryptography, Polynomial multiplication, IoT, Cortex-M55, Cortex-M4, M-profile Vector Extension (MVE), Helium vector extension, Number Theoretic Transform (NTT), Toom-Cook, Karatsuba

Date: received 26 Jul 2021, last revised 23 Aug 2021

Contact author: Hanno Becker at arm com, Jose Bermudo at esat kuleuven be, angshuman karmakar at esat kuleuven be, joseph yiu at arm com

Available format(s): PDF | BibTeX Citation

Note: Corrected few typos.

Version: 20210823:082527 (All versions of this report)

Short URL: ia.cr/2021/998


[ Cryptology ePrint archive ]