International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Enabling FrodoKEM on Embedded Devices

Authors:
Joppe W. Bos , NXP Semiconductors, Leuven, Belgium
Olivier Bronchain , NXP Semiconductors, Leuven, Belgium
Frank Custers , NXP Semiconductors, Leuven, Belgium
Joost Renes , NXP Semiconductors, Leuven, Belgium
Denise Verbakel , NXP Semiconductors, Leuven, Belgium; Radboud University, Nijmegen, Netherlands
Christine van Vredendaal , NXP Semiconductors, Leuven, Belgium
Download:
DOI: 10.46586/tches.v2023.i3.74-96
URL: https://tches.iacr.org/index.php/TCHES/article/view/10957
Search ePrint
Search Google
Abstract: FrodoKEM is a lattice-based Key Encapsulation Mechanism (KEM) based on unstructured lattices. From a security point of view this makes it a conservative option to achieve post-quantum security, hence why it is favored by several European authorities (e.g., German BSI and French ANSSI). Relying on unstructured instead of structured lattices (e.g., CRYSTALS-Kyber) comes at the cost of additional memory usage, which is particularly critical for embedded security applications such as smart cards. For example, prior FrodoKEM-640 implementations (using AES) on Cortex-M4 require more than 80 kB of stack making it impossible to run on some embedded systems. In this work, we explore several stack reduction strategies and the resulting time versus memory trade-offs. Concretely, we reduce the stack consumption of FrodoKEM by a factor 2–3x compared to the smallest known implementations with almost no impact on performance. We also present various time-memory trade-offs going as low as 8 kB for all AES parameter sets, and below 4 kB for FrodoKEM-640. By introducing a minor tweak to the FrodoKEM specifications, we additionally reduce the stack consumption down to 8 kB for all the SHAKE versions. As a result, this work enables FrodoKEM on more resource constrained embedded systems.
BibTeX
@article{tches-2023-33283,
  title={Enabling FrodoKEM on Embedded Devices},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 3},
  pages={74-96},
  url={https://tches.iacr.org/index.php/TCHES/article/view/10957},
  doi={10.46586/tches.v2023.i3.74-96},
  author={Joppe W. Bos and Olivier Bronchain and Frank Custers and Joost Renes and Denise Verbakel and Christine van Vredendaal},
  year=2023
}