Key concepts
This work proposes a suite of three new lattice-based key encapsulation mechanisms (KEMs) called Scabbard, which are designed to improve the efficiency and hardware-awareness of learning with rounding (LWR)-based cryptographic schemes.
Summary
The authors present three new LWR-based KEMs as part of the Scabbard suite:
- Florete: designed for efficiency; it reuses the optimized polynomial multiplication techniques of the Saber KEM to outperform state-of-the-art lattice-based KEMs on software platforms.
- Espada: aimed at parallelization, flexibility and a small memory footprint; it uses a small polynomial size (n = 64) to suit resource-constrained devices.
- Sable: an improved version of the Saber KEM that trades performance against memory usage. The authors also propose an NTT-based polynomial multiplication variant of Sable that outperforms Saber and Kyber-Speed on the Cortex-M4 platform.
The authors provide detailed software and hardware implementations of all three Scabbard schemes, comparing their performance against state-of-the-art lattice-based KEMs. The results demonstrate the efficiency and hardware-awareness of the proposed designs.
Statistics
Florete's high-security key generation algorithm outperforms Kyber, Frodo, and Saber by 47%, 99%, and 57% respectively on the ARM Cortex-M4 platform.
Espada's high-security encapsulation algorithm uses 30% less stack memory than Kyber, 57% less than Frodo, and 67% less than Saber on the Cortex-M4 platform.
Sable's NTT-based polynomial multiplication implementation outperforms Kyber-Speed by 7-29%, Saber by 2-13%, and Frodo by around 99% on the Cortex-M4 platform.
Quotes
"LWR-based schemes require fewer pseudo-random numbers than LWE-based schemes, as errors are not required to be sampled explicitly here. The error is generated inherently from rounding operations, which helps to gain better performance."
"LWR-based schemes, in general, use Toom-Cook based polynomial multiplication instead of NTT-based polynomial multiplication. It helps to reduce the area requirements to implement LWR-based schemes in hardware compared to the LWE-based schemes."
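The two quotes above describe the mechanics the Scabbard designs lean on: an LWR public key is a rounded product, so its error comes from rounding rather than from sampled noise, and the ring arithmetic is done with Toom-Cook/Karatsuba rather than an NTT. The following Python script is an added illustration written for this page; it is not code from the Scabbard paper or from the Saber implementation. It builds a toy Ring-LWR and Ring-LWE key generation over Z_q[x]/(x^n + 1) with constructed parameters n = 64, q = 2^13, p = 2^10 (Saber's power-of-two moduli in an Espada-sized ring) and a Karatsuba multiplier (the two-way Toom-Cook split); the centred-binomial width eta = 2 and the bit accounting through the `Coins` class are assumptions of the example. It checks the two things a practitioner would want to see: the implicit rounding error never exceeds q/(2p), and the LWR key generation consumes fewer pseudo-random bits than the LWE one because it samples no error polynomial.

```python
"""Toy Ring-LWR vs Ring-LWE key generation over R_q = Z_q[x]/(x^n + 1).
Added illustration, not the Scabbard or Saber code; parameters are constructed:
n = 64, q = 2^13, p = 2^10 (Saber's power-of-two moduli), eta = 2."""
import secrets

N = 64                          # ring dimension n
EPS_Q, EPS_P = 13, 10
Q, P = 1 << EPS_Q, 1 << EPS_P
SHIFT = EPS_Q - EPS_P           # low bits dropped when rounding q -> p
H = 1 << (SHIFT - 1)            # rounding constant h, as in Saber's keygen


class Coins:
    """Pseudo-random bit source that records how many bits were consumed."""
    def __init__(self):
        self.bits_used = 0

    def bits(self, k):
        self.bits_used += k
        return secrets.randbits(k)


def uniform_poly(coins, n=N):
    """Public polynomial: n uniform coefficients in Z_q."""
    return [coins.bits(EPS_Q) for _ in range(n)]


def cbd_poly(coins, n=N, eta=2):
    """Small polynomial, centered binomial with coefficients in [-eta, eta]."""
    out = []
    for _ in range(n):
        x, y = coins.bits(eta), coins.bits(eta)
        out.append(bin(x).count("1") - bin(y).count("1"))
    return out


def karatsuba(a, b):
    """Karatsuba (2-way Toom-Cook): full 2n-1 coefficient product over Z.
    Only integer adds/multiplies, so a power-of-two q is no obstacle."""
    n = len(a)
    if n <= 8:                                    # schoolbook base case
        res = [0] * (2 * n - 1)
        for i in range(n):
            for j in range(n):
                res[i + j] += a[i] * b[j]
        return res
    h = n // 2
    a0, a1, b0, b1 = a[:h], a[h:], b[:h], b[h:]
    z0 = karatsuba(a0, b0)                        # low product
    z2 = karatsuba(a1, b1)                        # high product
    z1 = karatsuba([x + y for x, y in zip(a0, a1)],
                   [x + y for x, y in zip(b0, b1)])
    res = [0] * (2 * n - 1)
    for i in range(2 * h - 1):
        res[i] += z0[i]
        res[i + h] += z1[i] - z0[i] - z2[i]       # middle term a0*b1 + a1*b0
        res[i + 2 * h] += z2[i]
    return res


def poly_mul(a, b):
    """a * b in R_q: Karatsuba, then the x^n = -1 wrap-around, then mod q."""
    n = len(a)
    full = karatsuba(a, b) + [0]                  # pad so index 2n-1 exists
    return [(full[i] - full[i + n]) % Q for i in range(n)]


def round_q_to_p(coef):
    """Saber-style rounding Z_q -> Z_p: add h, drop the low bits, reduce mod p."""
    return ((coef + H) >> SHIFT) % P


def lwr_keygen(coins):
    """LWR: b = round_p(a * s).  No error polynomial is sampled."""
    a, s = uniform_poly(coins), cbd_poly(coins)
    return a, s, [round_q_to_p(c) for c in poly_mul(a, s)]


def lwe_keygen(coins):
    """LWE: b = a * s + e, which costs one extra sampled polynomial e."""
    a, s, e = uniform_poly(coins), cbd_poly(coins), cbd_poly(coins)
    return a, s, e, [(c + ei) % Q for c, ei in zip(poly_mul(a, s), e)]


def implicit_error(a, s, b):
    """The error LWR gets for free: e = (q/p) * b - a * s mod q, centered."""
    err = []
    for bi, ti in zip(b, poly_mul(a, s)):
        e = ((bi << SHIFT) - ti) % Q
        err.append(e - Q if e > Q // 2 else e)
    return err


def compare_coin_usage():
    """Pseudo-random bits consumed by one keygen of each flavour (LWR, LWE)."""
    lwr, lwe = Coins(), Coins()
    lwr_keygen(lwr)
    lwe_keygen(lwe)
    return lwr.bits_used, lwe.bits_used


if __name__ == "__main__":
    a, s, b = lwr_keygen(Coins())
    print("max |implicit error| =", max(abs(e) for e in implicit_error(a, s, b)), "<= h =", H)
    print("bits used (LWR, LWE):", compare_coin_usage())
```

Two design points worth noting. A power-of-two q has no primitive 2n-th root of unity in Z_q, so a direct NTT over this ring is not available; Karatsuba/Toom-Cook only needs integer additions and multiplications, which is the hardware-area argument of the second quote. And the rounding constant h = 2^(eps_q - eps_p - 1) is what keeps the implicit error centred: without it the error would be biased to one side, which matters for the failure-probability analysis of any LWR scheme.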