Abstract
The majority of submissions to NIST’s recent call for Post-Quantum Cryptography are encryption schemes or key encapsulation mechanisms. Signature schemes constitute a much smaller group of submissions with only 21 proposals. In this work, we analyze the practicability of one of the latter category – the signature scheme Falcon with respect to its suitability for embedded microcontroller platforms.
Falcon has a security proof in the QROM in combination with smallest public key and signature sizes among all lattice-based signature scheme submissions with decent performance on common x86 computing architectures. One of the specific downsides of the scheme is, however, that according to its specification it is “non-trivial to understand and delicate to implement”.
This work aims to provide some new insights on the realization of Falcon by presenting an optimized implementation for the ARM Cortex-M4F platform. This includes a revision of its memory layout as this is the limiting factor on such constrained platforms. We managed to reduce the dynamic memory consumption of Falcon by 43% in comparison to the reference implementation. Summarizing, our implementation requires 682 ms for key generation, 479 ms for signing, and only 3.2 ms for verification for the \(n=512\) parameter set.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
pqm4 - post-quantum crypto library for the ARM cortex-M4. https://github.com/mupq/pqm4. Accessed 13 Nov 2018
Albrecht, M.R., Hanser, C., Höller, A., Pöppelmann, T., Virdia, F., Wallner, A.: Learning with errors on RSA co-processors. IACR Cryptology ePrint Archive 2018/425 (2018). https://eprint.iacr.org/2018/425
Alkim, E., et al.: FrodoKEM learning with errors key encapsulation. https://frodokem.org/files/FrodoKEM-specification-20171130.pdf. Accessed 13 Nov 2018
Andrysco, M., Nötzli, A., Brown, F., Jhala, R., Stefan, D.: Towards verified, constant-time floating point operations. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1369–1382. ACM (2018). https://doi.org/10.1145/3243734.3243766
Avanzi, R., et al.: CRYSTALS-kyber. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/CRYSTALS_Kyber.zip. Accessed 30 Nov 2018
Bhattacharya, S., et al.: Round5: compact and fast post-quantum public-key encryption. IACR Cryptology ePrint Archive 2018/725 (2018). https://eprint.iacr.org/2018/725
Bindel, N., et al.: Submission to NIST’s post-quantum project: lattice-based digital signature scheme qTESLA. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/qTESLA.zip. Accessed 26 Nov 2018
Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005). https://doi.org/10.1016/j.comnet.2005.01.010
Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete ziggurat: a time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_20
Chen, C., Hoffstein, J., Whyte, W., Zhang, Z.: NIST PQ submission: pqNTRUSign - a modular lattice signature scheme. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/pqNTRUsign.zip. Accessed 26 Nov 2018
D’Anvers, J.P., Karmakar, A., Roy, S.S., Longa, P., Vercauteren, F.: SABER: Mod-LWR based KEM. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SABER.zip. Accessed 13 Nov 2018
Ducas, L., et al.: CRYSTALS-dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018). https://doi.org/10.13154/tches.v2018.i1.238-268
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014). https://doi.org/10.1007/s00200-014-0218-3
Fouque, P.A., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/Falcon.zip. Accessed 26 Nov 2018
Fouque, P.A., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU. https://falcon-sign.info/. Accessed 26 Nov 2018
Garcia-Morchon, O., et al.: Round2: KEM and PKE based on GLWR. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/Round2.zip. Accessed 30 Nov 2018
Güneysu, T., Krausz, M., Oder, T., Speith, J.: Evaluation of lattice-based signature schemes in embedded systems. In: 25th IEEE International Conference on Electronics Circuits and Systems (2018)
Howe, J.: PQCzoo. https://pqczoo.com/. Accessed 13 Nov 2018
Howe, J., Oder, T., Krausz, M., Güneysu, T.: Standard lattice-based key encapsulation on embedded devices. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 372–393 (2018). https://doi.org/10.13154/tches.v2018.i3.372-393
Hulsing, A., et al.: SPHINCS+. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SPHINCS_Plus.zip. Accessed 26 Nov 2018
Kannwischer, M.J., Rijneveld, J., Schwabe, P.: Faster multiplication in \({\mathbb{z}}_2{}^{\text{m}}[x]\) on cortex-M4 to speed up NIST PQC candidates. IACR Cryptology ePrint Archive 2018/1018 (2018). https://eprint.iacr.org/2018/1018
Karmakar, A., Mera, J.M.B., Roy, S.S., Verbauwhede, I.: Saber on ARM cca-secure module lattice-based key encapsulation on ARM. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 243–266 (2018). https://doi.org/10.13154/tches.v2018.i3.243-266
Karmakar, A., Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Constant-time discrete Gaussian sampling. IEEE Trans. Comput. 67(11), 1561–1571 (2018). https://doi.org/10.1109/TC.2018.2814587
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 455–485. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_16
National Institute of Standards and Technology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf. Accessed 14 Nov 2018
Plantard, T., Sipasseuth, A., Dumondelle, C., Susilo, W.: DRS: diagonal dominant reduction for lattice-based signature. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/DRS.zip. Accessed 26 Nov 2018
Rane, A., Lin, C., Tiwari, M.: Secure, precise, and fast floating-point operations on x86 processors. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 71–86. USENIX Association (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/rane
Saarinen, M.J.O.: HILA5. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/Hila5.zip. Accessed 30 Nov 2018
Saarinen, M.J.O., Bhattacharya, S., García-Morchón, Ó., Rietman, R., Tolhuizen, L., Zhang, Z.: Shorter messages and faster post-quantum encryption with Round5 on Cortex M. IACR Cryptology ePrint Archive 2018/723 (2018). https://eprint.iacr.org/2018/723
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999). https://doi.org/10.1137/S0036144598347011
Acknowledgement
We would also like to thank the anonymous reviewers for their very valuable and helpful feedback. The research in this work was supported in part by the European Unions Horizon 2020 program under project number 644729 SAFEcrypto and 780701 PROMETHEUS.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Algorithms
A Algorithms
1.1 A.1 The Falcon Tree
Please note that there is a typo in the Falcon specification [15] in Algorithm 15, Line 3. The description in Algorithm 5 in this section correctly states \(n = 2\) instead of \(n = 1\).
1.2 A.2 Fast Fourier Sampling
The description can be found in Algorithm 6.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Oder, T., Speith, J., Höltgen, K., Güneysu, T. (2019). Towards Practical Microcontroller Implementation of the Signature Scheme Falcon. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-25510-7_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25509-1
Online ISBN: 978-3-030-25510-7
eBook Packages: Computer ScienceComputer Science (R0)