Towards Practical Microcontroller Implementation of the Signature Scheme Falcon

Oder, Tobias; Speith, Julian; Höltgen, Kira; Güneysu, Tim

doi:10.1007/978-3-030-25510-7_4

Cited by 13 publications

(11 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To the author’s knowledge, some implementations of PQC schemes using the first and fourth approaches [ 18 , 49 , 50 , 51 ], but there is a gap in the literature concerning the second and third approaches. Regarding the third approach, only high-speed implementations are found in the literature [ 48 ], rather than the lightweight implementation targeted by this paper.…”

Section: Methodsmentioning

confidence: 99%

A System-on-a-Chip Implementation of a Post-Quantum Cryptography Scheme for Smart Meter Data Communications

Costa

López

Ribeiro

2022

Sensors

View full text Add to dashboard Cite

The security of Smart Meter (SM) systems will be a challenge in the era of quantum computing because a quantum computer might exploit characteristics of well-established cryptographic schemes to reach a successful security breach. From a practical perspective, this paper focuses on the feasibility of implementing a quantum-secure lattice-based key encapsulation mechanism in a SM, hardware-constrained equipment. In this regard, the post-quantum cryptography (PQC) scheme, FrodoKEM, an alternate candidate for the National Institute for Standards and Technology (NIST) post-quantum standardization process, is implemented using a System-on-a-Chip (SoC) device in which the Field Programmable Gate Array (FPGA) component is exploited to accelerate the most time-consuming routines in this scheme. Experimental results show that the execution time to run the FrodoKEM scheme in an SoC device reduces to one-third of that obtained by the benchmark implementation (i.e., the software implementation). Also, the attained execution time and hardware resource usage of this SoC-based implementation of the FrodoKEM scheme show that lattice-based cryptography may fit into SM equipment.

show abstract

Section: Methodsmentioning

confidence: 99%

A System-on-a-Chip Implementation of a Post-Quantum Cryptography Scheme for Smart Meter Data Communications

Costa

López

Ribeiro

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…As explained in Section II-C, the main operation of KeyGen and Sign algorithm is the FFT/NTT-based multiplication algorithm. An optimization technique for ffSampling for ARM Cortex-M4 environment was proposed in [13], but this technique aims to reduce memory consumption by approaching the memory layout modification point of view. Unfortunately, as far as we know, performance optimization studies targeting FFT/NTT of the Falcon algorithm do not yet exist.…”

Section: Related Workmentioning

confidence: 99%

Accelerating Falcon on ARMv8

2022

View full text Add to dashboard Cite

Falcon is one of the promising digital-signature algorithms in NIST's ongoing Post-Quantum Cryptography (PQC) standardization finalist. Computational efficiency regarding software and hardware is also the main criteria for PQC standardization. In this paper, we present an efficient Falcon software implementation on ARMv8 environment. Until now, most of the software optimization on PQC algorithms have been conducted on 32-bit ARM (Cortex-M4) and typical CPUs (Intel and AMD CPUs). However, ARMv8 including Cortex-A30, 50, and 70 series have been widely used for various IoT (Internet of Things) applications, Edge computing devices, and OBUs (On Board Units) in autonomous driving cars. For optimizing the performance of Falcon, we take full advantage of NEON engine which is a kind of parallel processing unit in ARMv8 MCU. The main computation in Falcon belongs to polynomial multiplications in Complex number domain and Integer domain. Typically, FFT (Fast Fourier Transformation)-based multiplication method and NTT (Number Theoriteic Transform)-based multiplication method have been widely used for efficient polynomial multiplications in Complex number domain and Integer domain, respectively. Thus, in order to enhance the overall performance of Falcon, we improve the FFT-based multiplication method and NTT-based multiplication method by utilizing NEON engine in ARMv8. Specifically, we parallelize the overall process (FFT/NTT transformation, pointwise multiplication, and inverse FFT/NTT transformation) of FFT-based polynomial multiplication method and NTT-based polynomial multiplication method with strategically utilizing the NEON engine and vector instructions. Furthermore, we minimize the number of redundant memory accesses during FFT/NTT-based polynomial multiplication by making the most of available registers in NEON engine. Through the proposed parallel FFT/NTT-based polynomial multiplications, the proposed Falcon software provides 15.1% (resp. 18.1%), 16.5% (resp. 17.1%), and 65.4% (resp. 69.4%) of performance improvement in keypair generation, signing, and verification at security level 1 (resp. 5) compared with the reference Falcon implementation submitted to the final round of NIST PQC competition. Furthermore, as far as we know, this is the first optimized implementation of Falcon on ARMv8 environment.

show abstract

“…Aside from the original implementations of DLP and Falcon, which are the focus of this paper, several others have appeared in the literature. However, they usually do not aim for side-channel security [36,41] or only make the base discrete Gaussian sampler (with fixed standard deviation) constant time [29], but do not eliminate the leakage of the varying standard deviations. As a result, those implementations are also vulnerable to the attacks of this paper.…”

Section: Related Workmentioning

confidence: 99%

Key Recovery from Gram–Schmidt Norm Leakage in Hash-and-Sign Signatures over NTRU Lattices

Fouque

Kirchner

Tibouchi

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this paper, we initiate the study of side-channel leakage in hash-and-sign lattice-based signatures, with particular emphasis on the two efficient implementations of the original GPV lattice-trapdoor paradigm for signatures, namely NIST second-round candidate Falcon and its simpler predecessor DLP. Both of these schemes implement the GPV signature scheme over NTRU lattices, achieving great speed-ups over the general lattice case. Our results are mainly threefold.First, we identify a specific source of side-channel leakage in most implementations of those schemes, namely, the one-dimensional Gaussian sampling steps within lattice Gaussian sampling. It turns out that the implementations of these steps often leak the Gram-Schmidt norms of the secret lattice basis.Second, we elucidate the link between this leakage and the secret key, by showing that the entire secret key can be efficiently reconstructed solely from those Gram-Schmidt norms. The result makes heavy use of the algebraic structure of the corresponding schemes, which work over a power-of-two cyclotomic field.Third, we concretely demonstrate the side-channel attack against DLP (but not Falcon due to the different structures of the two schemes). The challenge is that timing information only provides an approximation of the Gram-Schmidt norms, so our algebraic recovery technique needs to be combined with pruned tree search in order to apply it to approximate values. Experimentally, we show that around 2 35 DLP traces are enough to reconstruct the entire key with good probability.

show abstract

Towards Practical Microcontroller Implementation of the Signature Scheme Falcon

Cited by 13 publications

References 13 publications

A System-on-a-Chip Implementation of a Post-Quantum Cryptography Scheme for Smart Meter Data Communications

A System-on-a-Chip Implementation of a Post-Quantum Cryptography Scheme for Smart Meter Data Communications

Accelerating Falcon on ARMv8

Key Recovery from Gram–Schmidt Norm Leakage in Hash-and-Sign Signatures over NTRU Lattices

Contact Info

Product

Resources

About