Reference : A Lightweight Implementation of NTRUEncrypt for 8-bit AVR Microcontrollers
Scientific congresses, symposiums and conference proceedings : Unpublished conference
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/42597
A Lightweight Implementation of NTRUEncrypt for 8-bit AVR Microcontrollers
English
Cheng, Hao [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)]
Groszschädl, Johann [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Roenne, Peter [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Ryan, Peter [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Aug-2019
Yes
International
Second PQC Standardization Conference
from 22-08-2019 to 24-08-2019
NIST
Santa Barbara
CA
[en] Post-Quantum Cryptography ; NTRU ; Polynomial Arithmetic ; Product-Form Polynomials ; Constant-Time Implementation
[en] Introduced in 1996, NTRUEncrypt is not only one of the earliest but also one of the most scrutinized lattice-based cryptosystems and a serious contender in NIST's ongoing Post-Quantum Cryptography (PQC) standardization project. An important criterion for the assessment of candidates is their computational cost in various hardware and software environments. This paper contributes to the evaluation of NTRUEncrypt on the ATmega class of AVR microcontrollers, which is among the most popular 8-bit platforms in the embedded domain. More concretely, we present AvrNtru, a carefully-optimized implementation of NTRUEncrypt that we developed from scratch with the goal of achieving high performance and resistance to timing attacks. AvrNtru complies with version 3.3 of the EESS#1 specification and supports recent product-form parameter sets like ees443ep1, ees587ep1, and ees743ep1. A full encryption operation (including mask generation and blinding-polynomial generation) using the ees443ep1 parameters takes 834,272 clock cycles on an ATmega1281 microcontroller; the decryption is slightly more costly and has an execution time of 1,061,683 cycles. When choosing the ees743ep1 parameters to achieve a 256-bit security level, encryption requires 1,539,829 clock cycles and decryption 2,103,228 clock cycles. We achieved these results thanks to a novel hybrid technique for multiplication in truncated polynomial rings where one of the operands is a sparse ternary polynomial in product form. Our hybrid technique is inspired by Gura et al.'s hybrid method for multiple-precision integer multiplication (CHES 2004) and takes advantage of the large register file of the AVR architecture to minimize the number of load instructions. A constant-time multiplication in the ring specified by the ees443ep1 parameters requires only 210,827 cycles, which sets a new speed record for the arithmetic component of a lattice-based cryptosystem on an 8-bit microcontroller.
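The ring operation the abstract refers to, multiplying a polynomial in Z_q[x]/(x^N - 1) by a sparse ternary polynomial given in product form F = F1*F2 + F3, as an added example in portable C. This is not the paper's AvrNtru code and does not reproduce its AVR hybrid method; the index-list representation follows the EESS#1 convention, and the parameters N = 11, q = 32 and all polynomials are constructed toy values, not an NTRU parameter set.

```c
#include <stdint.h>
#include <string.h>
#define N 11   /* constructed toy ring size, not an NTRU parameter */
#define Q 32   /* power of two, so reduction mod q is a mask */
typedef struct { const uint8_t *plus, *minus; uint8_t np, nm; } sparse_t;

/* acc += sign * x^k * a mod (x^N - 1, q): fixed loop bounds, index wrap by mask, no data-dependent branch. */
static void add_rotated(uint16_t acc[N], const uint16_t a[N], unsigned k, int sign) {
    for (unsigned i = 0; i < N; i++) {
        unsigned j = i + k;
        j -= N & (0u - (j >= N));
        acc[j] = (uint16_t)((acc[j] + Q + sign * (int)a[i]) & (Q - 1));
    }
}

/* out = a * f, f a sparse ternary polynomial given as +1 and -1 index lists. */
static void mul_sparse(uint16_t out[N], const uint16_t a[N], const sparse_t *f) {
    memset(out, 0, sizeof(uint16_t) * N);
    for (unsigned i = 0; i < f->np; i++) add_rotated(out, a, f->plus[i], +1);
    for (unsigned i = 0; i < f->nm; i++) add_rotated(out, a, f->minus[i], -1);
}

/* out = a * (f1*f2 + f3), using only sparse passes; the dense F is never formed. */
void mul_product_form(uint16_t out[N], const uint16_t a[N],
                      const sparse_t *f1, const sparse_t *f2, const sparse_t *f3) {
    uint16_t t[N], u[N];
    mul_sparse(t, a, f1);
    mul_sparse(u, t, f2);
    mul_sparse(out, a, f3);
    for (unsigned i = 0; i < N; i++) out[i] = (uint16_t)((out[i] + u[i]) & (Q - 1));
}

/* Dense schoolbook reference, used only to cross-check the sparse path. */
void mul_dense(uint16_t out[N], const uint16_t a[N], const uint16_t b[N]) {
    memset(out, 0, sizeof(uint16_t) * N);
    for (unsigned i = 0; i < N; i++)
        for (unsigned j = 0; j < N; j++)
            out[(i + j) % N] = (uint16_t)((out[(i + j) % N] + a[i] * b[j]) & (Q - 1));
}

/* Constructed sample: a = 1 + 2x + ... + 11x^10, F1 = x - x^3, F2 = x^2 - x^5,
 * F3 = 1 + x^4 - x^7, hence F = 1 + x^3 + x^4 - x^5 - x^6 - x^7 + x^8. */
static const uint16_t sample_a[N] = {1,2,3,4,5,6,7,8,9,10,11};
static const uint8_t p1[] = {1}, m1[] = {3}, p2[] = {2}, m2[] = {5}, p3[] = {0,4}, m3[] = {7};
static const sparse_t f1 = {p1, m1, 1, 1}, f2 = {p2, m2, 1, 1}, f3 = {p3, m3, 2, 1};
static const uint16_t sample_F[N] = {1,0,0,1,1,Q-1,Q-1,Q-1,1,0,0};

/* Coefficient i of a*F from the product-form path, or 0xFFFF if it disagrees with the dense reference. */
uint16_t sample_coeff(unsigned i) {
    uint16_t pf[N], ref[N];
    mul_product_form(pf, sample_a, &f1, &f2, &f3);
    mul_dense(ref, sample_a, sample_F);
    return memcmp(pf, ref, sizeof pf) == 0 ? pf[i] : 0xFFFF;
}
```

The sparse path costs one rotate-and-add per nonzero coefficient of each Fi rather than N^2 multiplications, and because the number of index entries is fixed by the parameter set its running time does not depend on which indices are set.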
Researchers
H2020 ; 779391 - FutureTPM - Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module

File(s) associated to this reference

Fulltext file: NIST_PQC2019.pdf (Publisher postprint, 533.19 kB, Open access)