Towards Practical Microcontroller Implementation of the Signature Scheme Falcon

  • Tobias Oder
  • Julian Speith
  • Kira Höltgen
  • Tim Güneysu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)

Abstract

The majority of submissions to NIST’s recent call for Post-Quantum Cryptography are encryption schemes or key encapsulation mechanisms. Signature schemes constitute a much smaller group of submissions with only 21 proposals. In this work, we analyze the practicability of one scheme from the latter category, the signature scheme Falcon, with respect to its suitability for embedded microcontroller platforms.

Falcon has a security proof in the QROM in combination with the smallest public key and signature sizes among all lattice-based signature scheme submissions, with decent performance on common x86 computing architectures. One of the specific downsides of the scheme is, however, that according to its specification it is “non-trivial to understand and delicate to implement”.

This work aims to provide some new insights on the realization of Falcon by presenting an optimized implementation for the ARM Cortex-M4F platform. This includes a revision of its memory layout as this is the limiting factor on such constrained platforms. We managed to reduce the dynamic memory consumption of Falcon by 43% in comparison to the reference implementation. Summarizing, our implementation requires 682 ms for key generation, 479 ms for signing, and only 3.2 ms for verification for the \(n=512\) parameter set.

Keywords

Ideal lattices, Falcon, Cortex-M, Microcontroller, NIST PQC

Acknowledgement

We would also like to thank the anonymous reviewers for their very valuable and helpful feedback. The research in this work was supported in part by the European Union's Horizon 2020 program under project numbers 644729 SAFEcrypto and 780701 PROMETHEUS.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Tobias Oder (1)
  • Julian Speith (1)
  • Kira Höltgen (1)
  • Tim Güneysu (1, 2)

  1. Ruhr-University Bochum, Bochum, Germany
  2. DFKI, Bremen, Germany