Analysis of Block Recombination and Lazy Interpolation Methods and Their Applications to Saber

Abstract

Since the beginning of the National Institute of Standards and Technology (NIST), The Post-Quantum Cryptog-raphy (PQC) Standardization Process, efficient implementations of lattice-based algorithms have been studied extensively. Lattice-based NIST PQC finalists use polynomial or matrix-vector multiplications on the ring with type <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$\mathbb{Z}_{q}[x]/f(x)$</tex> . For convenient ring types, Number Theoretic Transform (NTT) can be used to perform multiplications as done in Crystals-KYBER among the finalists of the NIST PQC Standardization Process. On the other hand, if the <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$q$</tex> value of the scheme is a power of 2, as in NTRU and Saber, which are among the other lattice-based finalists, NTT can not be used explicitly. Hence multiplications are performed by the combination of Toom-Cook and Karatsuba algorithms. Recently, a novel technique called lazy interpolation [IACR Transactions on Cryptographic Hardware and Embedded Systems 2020.2: 222–244 (2020)] has been introduced to increase the performance of Toom-Cook and Karatsuba algorithms. This paper shows that the block recombination method [IEEE Transactions on Computers 63(9): 2273–2287 (2014)] is equivalent to lazy interpolation and can be used efficiently on multiplication algorithms. On the practical side, we compare different hybrid multiplications algorithms, then implement the block recombination method for Saber. Performance results are given in cycle values on general-purpose Intel processors with C implementation. Our work speeds up key generation, encapsulation, and decapsulation parts of Saber than the previous C implementations in the literature with a rate of between 10% - 13%.