montgomery multiplication
Recently Published Documents


Total documents: 97 (five years: 16)

H-index: 11 (five years: 1)

Author(s):  
Hanno Becker ◽  
Vincent Hwang ◽  
Matthias J. Kannwischer ◽  
Bo-Yin Yang ◽  
Shang-Yi Yang

We present new speed records on the Armv8-A architecture for the lattice-based schemes Dilithium, Kyber, and Saber. The core novelty in this paper is the combination of Montgomery multiplication and Barrett reduction, resulting in “Barrett multiplication”, which allows particularly efficient modular one-known-factor multiplication using the Armv8-A Neon vector instructions. These novel techniques, combined with fast two-unknown-factor Montgomery multiplication, Barrett reduction sequences, and interleaved multi-stage butterflies, result in significantly faster code. We also introduce “asymmetric multiplication”, an improved technique for caching the results of the incomplete NTT, used e.g. for matrix-to-vector polynomial multiplication. Our implementations target the Arm Cortex-A72 CPU, on which our speed is 1.7× that of the state-of-the-art matrix-to-vector polynomial multiplication in kyber768 [Nguyen–Gaj 2021]. For Saber, NTTs are far superior to Toom–Cook multiplication on the Armv8-A architecture, outrunning the matrix-to-vector polynomial multiplication by 2.0×. On the Apple M1, our matrix-vector products run 2.1× and 1.9× faster for Kyber and Saber respectively.


2021 ◽  
pp. 194-205
Author(s):  
Hwajeong Seo ◽  
Pakize Sanal ◽  
Wai-Kong Lee ◽  
Reza Azarderakhsh

Author(s):  
Satyanarayana Vollala ◽  
N. Ramasubramanian ◽  
Utkarsh Tiwari

Author(s):  
Satyanarayana Vollala ◽  
N. Ramasubramanian ◽  
Utkarsh Tiwari

Author(s):  
S. Kaedi ◽  
M. A. Doostari ◽  
M. B. Ghaznavi-Ghoushchi ◽  
H. Yusefi

RSA-CRT is one of the most common algorithms in digital signatures. Several side-channel attacks have been presented on implementations of RSA-CRT. One of the most important side-channel attacks on RSA-CRT is Modular Reduction on Equidistant Data (MRED). Implementing RSA-CRT poses many challenges in the multiplications when the key size is long (e.g. 2048 bits). Montgomery multiplication is one of the common methods for executing the RSA multiplication, and it has many implementation problems and side-channel leakage challenges. This article first implements an RSA-CRT algorithm based on Montgomery multiplication in high-speed, low-area hardware. The implementation is named RSA-CRT-MMB (Montgomery Method Based). Next, a new power analysis side-channel attack on RSA-CRT-MMB is presented. We name our attack MRED on MMB. The attack utilizes, for the first time, new side-channel leakage information about the CRT reduction algorithm implemented by the MMB. Previous articles do not investigate the MRED attack on Montgomery multiplication in RSA-CRT. Finally, a new countermeasure is presented to prevent the MREDM attack. The countermeasure adds no overhead in hardware area or in the running time of the RSA algorithm. The correctness of our scheme, the 2048-bit RSA-CRT-MMB, is investigated by implementing the scheme on the SASEBO-W board in our DPA laboratory. The total running time of 2048-bit RSA is 250 ms, and the RSA algorithm occupies only 23% of the LUT slices on a Spartan-6 FPGA. The proposed countermeasures are also verified by practical experiments.


2020 ◽  
Vol 19 (3) ◽  
pp. 1-15
Author(s):  
Hwajeong Seo ◽  
Kyuhwang An ◽  
Hyeokdong Kwon ◽  
Zhi Hu
