Implementing RLWE-based Schemes Using an RSA Co-Processor

  • Martin R. Albrecht Information Security Group, Royal Holloway, University of London
  • Christian Hanser Infineon Technologies Austria AG
  • Andrea Hoeller Infineon Technologies Austria AG
  • Thomas Pöppelmann Infineon Technologies Austria AG
  • Fernando Virdia Information Security Group, Royal Holloway, University of London
  • Andreas Wallner Infineon Technologies Austria AG
Keywords: learning with errors, smart card, implementation

Abstract

We repurpose existing RSA/ECC co-processors for (ideal) lattice-based cryptography by exploiting the availability of fast long integer multiplication. Such co-processors are deployed in smart cards in passports and identity cards, secured microcontrollers and hardware security modules (HSM). In particular, we demonstrate an implementation of a variant of the Module-LWE-based Kyber Key Encapsulation Mechanism (KEM) that is tailored for high performance on a commercially available smart card chip (SLE 78). To benefit from the RSA/ECC co-processor we use Kronecker substitution in combination with schoolbook and Karatsuba polynomial multiplication. Moreover, we speed-up symmetric operations in our Kyber variant using the AES co-processor to implement a PRNG and a SHA-256 co-processor to realise hash functions. This allows us to execute CCA-secure Kyber768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms.

Published
2018-11-09
How to Cite
Albrecht, M., Hanser, C., Hoeller, A., Pöppelmann, T., Virdia, F., & Wallner, A. (2018). Implementing RLWE-based Schemes Using an RSA Co-Processor. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2019(1), 169-208. https://doi.org/10.13154/tches.v2019.i1.169-208
Section
Articles