Implementing RLWE-based Schemes Using an RSA Co-Processor


  • Martin R. Albrecht Information Security Group, Royal Holloway, University of London
  • Christian Hanser Infineon Technologies Austria AG
  • Andrea Hoeller Infineon Technologies Austria AG
  • Thomas Pöppelmann Infineon Technologies Austria AG
  • Fernando Virdia Information Security Group, Royal Holloway, University of London
  • Andreas Wallner Infineon Technologies Austria AG



learning with errors, smart card, implementation


We repurpose existing RSA/ECC co-processors for (ideal) lattice-based cryptography by exploiting the availability of fast long integer multiplication. Such co-processors are deployed in smart cards in passports and identity cards, secured microcontrollers and hardware security modules (HSM). In particular, we demonstrate an implementation of a variant of the Module-LWE-based Kyber Key Encapsulation Mechanism (KEM) that is tailored for high performance on a commercially available smart card chip (SLE 78). To benefit from the RSA/ECC co-processor we use Kronecker substitution in combination with schoolbook and Karatsuba polynomial multiplication. Moreover, we speed-up symmetric operations in our Kyber variant using the AES co-processor to implement a PRNG and a SHA-256 co-processor to realise hash functions. This allows us to execute CCA-secure Kyber768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms.






How to Cite

Implementing RLWE-based Schemes Using an RSA Co-Processor. (2018). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2019(1), 169-208.