%0 Conference Proceedings
%T A Lightweight Implementation of NTRU Prime for the Post-quantum Internet of Things
%+ Université du Luxembourg (Uni.lu)
%+ Intel Corporation [USA]
%A Cheng, Hao
%A Dinu, Daniel
%A Grossschädl, Johann
%A Rønne, Peter, B.
%A Ryan, Peter
%Z Part 3: Cryptography
%< avec comité de lecture
%( Lecture Notes in Computer Science
%B 13th IFIP International Conference on Information Security Theory and Practice (WISTP)
%C Paris, France
%Y Maryline Laurent
%Y Thanassis Giannetsos
%I Springer International Publishing
%3 Information Security Theory and Practice
%V LNCS-12024
%P 103-119
%8 2019-12-11
%D 2019
%R 10.1007/978-3-030-41702-4_7
%K Lightweight cryptography
%K Post-Quantum Cryptography
%K Key Encapsulation Mechanism
%K NTRU Prime
%K Efficient implementation
%Z Computer Science [cs]Conference papers
%X The dawning era of quantum computing has initiated various initiatives for the standardization of post-quantum cryptosystems with the goal of (eventually) replacing RSA and ECC. NTRU Prime is a variant of the classical NTRU cryptosystem that comes with a couple of tweaks to minimize the attack surface; most notably, it avoids rings with “worrisome” structure. This paper presents, to our knowledge, the first assembler-optimized implementation of Streamlined NTRU Prime for an 8-bit AVR microcontroller and shows that high-security lattice-based cryptography is feasible for small IoT devices. An encapsulation operation using parameters for 128-bit post-quantum security requires 8.2 million clock cycles when executed on an 8-bit ATmega1284 microcontroller. The decapsulation is approximately twice as costly and has an execution time of 15.6 million cycles. We achieved this performance through (i) new low-level software optimization techniques to accelerate Karatsuba-based polynomial multiplication on the 8-bit AVR platform and (ii) an efficient implementation of the coefficient modular reduction written in assembly language. The execution time of encapsulation and decapsulation is independent of secret data, which makes our software resistant against timing attacks. Finally, we assess the performance one could theoretically gain by using a so-called product-form polynomial as part of the secret key and discuss potential security implications.
%G English
%Z TC 11
%Z WG 11.2
%2 https://inria.hal.science/hal-03173904/document
%2 https://inria.hal.science/hal-03173904/file/492809_1_En_7_Chapter.pdf
%L hal-03173904
%U https://inria.hal.science/hal-03173904
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-WISTP
%~ IFIP-WG11-2
%~ IFIP-LNCS-12024