Optimized Implementation of SIKE Round 2 on 64-bit ARM Cortex-A Processors

In this work, we present the first highly optimized implementation of Supersingular Isogeny Key Encapsulation (SIKE), as submitted to the second round of NIST’s post-quantum standardization process, on 64-bit ARMv8 processors. To the best of our knowledge, this work is the first optimized implementation of SIKE round 2 on 64-bit ARM for SIKEp434 and SIKEp610. The proposed library is explicitly optimized for these two security levels and provides a constant-time implementation of the SIKE mechanism on ARMv8-powered embedded devices. We adapt different optimization techniques to reduce the total number of underlying arithmetic operations at the field level. In particular, benchmark results on embedded processors equipped with an ARM Cortex-A55 at 1.766 GHz and an ARM Cortex-A75 at 2.803 GHz show that the entire SIKE round 2 Key Encapsulation Mechanism (KEM) takes only 98.6 ms and 85.3 ms, respectively, at NIST’s security level 1. We also evaluated the compressed version at NIST’s security level 1, which requires 134.7 ms and 113.7 ms on the Cortex-A55 and Cortex-A75, respectively. Considering SIKE’s extremely small key size in comparison to other post-quantum cryptography candidates, our results imply that SIKE is one of the promising candidates for a key encapsulation mechanism on embedded devices in the quantum era.
