Abstract

Since the introduction of the ring-learning with errors problem, the number theoretic transform (NTT) based polynomial multiplication algorithm has been studied extensively. Due to its faster quasilinear time complexity, it has been the preferred choice of cryptographers to realize ring-learning with errors cryptographic schemes. Compared to NTT, Toom-Cook or Karatsuba based polynomial multiplication algorithms, though being known for a long time, still have a fledgling presence in the context of post-quantum cryptography.In this work, we observe that the pre- and post-processing steps in Toom-Cook based multiplications can be expressed as linear transformations. Based on this observation we propose two novel techniques that can increase the efficiency of Toom-Cook based polynomial multiplications. Evaluation is reduced by a factor of 2, and we call this method precomputation, and interpolation is reduced from quadratic to linear, and we call this method lazy interpolation.As a practical application, we applied our algorithms to the Saber post-quantum key-encapsulation mechanism. We discuss in detail the various implementation aspects of applying our algorithms to Saber. We show that our algorithm can improve the efficiency of the computationally costly matrix-vector multiplication by 12−37% compared to previous methods on their respective platforms. Secondly, we propose different methods to reduce the memory footprint of Saber for Cortex-M4 microcontrollers. Our implementation shows between 2.6 and 5.7 KB reduction in the memory usage with respect to the smallest implementation in the literature.

Highlights

  • Using number theoretic transform (NTT) based polynomial multiplications in schemes based on ring learning with errors (RLWE) is almost ubiquitous due to their fast quasilinear (O(n · logn)) time complexity the use of the NTT influences the modulus of the ring

  • We discuss the effect of our Toom-Cook multiplication algorithm on the overall performance of Saber

  • We describe a time-memory trade-off for Toom-Cook based polynomial multiplications which can be of independent interest outside post-quantum cryptography

Read more

Summary

Introduction

Using number theoretic transform (NTT) based polynomial multiplications in schemes based on ring learning with errors (RLWE) is almost ubiquitous due to their fast quasilinear (O(n · logn)) time complexity the use of the NTT influences the modulus of the ring. Among the key-encapsulation mechanism schemes submitted to the NIST’s post-quantum standardization procedure, Saber [11] and ThreeBears [17] are the only two schemes that are based on module lattices and use Toom-Cook or Karatsuba based polynomial multiplication. Among these two schemes we choose Saber because there are more optimized implementations available in the literature for comparison.

Preliminaries
Polynomial multiplication
NTT multiplication
Saber key-encapsulation mechanism
Polynomial multiplication in Saber
AVX2 optimized polynomial multiplication
Faster Toom-Cook multiplication
Toom-Cook multiplication and linear maps
Lazy interpolation
Precomputation
Application to Saber
C implementation
Cortex-M4
Memory optimizations
Small storage for secrets
Reducing memory utilization
Results
AVX2 and C implementation
ARM Cortex-M4 implementation
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.