Optimized Supersingular Isogeny Key Encapsulation on Armv8 Processors

IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS–I: REGULAR PAPERS, VOL. 66, NO. 11, NOVEMBER 2019

ARMv8 SIKE: Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors

Amir Jalali, Reza Azarderakhsh, Member, IEEE, Mehran Mozaffari Kermani, Senior Member, IEEE, Matthew Campagna, and David Jao

Abstract— In this paper, we present highly-optimized constant-time software libraries for the supersingular isogeny key encapsulation (SIKE) protocol on ARMv8 processors. Our optimized hand-crafted assembly libraries provide the most efficient timing results on 64-bit ARM-powered devices. Moreover, the presented libraries can be integrated into any other cryptography primitive targeting the same finite field size. We design a new mixed implementation of field arithmetic on 64-bit ARM processors by exploiting the A64 and Advanced SIMD processing units working in parallel. Using these techniques, we are able to improve the performance of the entire protocol by a factor of 5× compared to optimized C implementations on 64-bit ARM high-performance cores, providing 83-, 124-, and 159-bit quantum-security levels. Furthermore, we compare the performance of our proposed library with the previous highly-optimized ARMv8 assembly library available in the literature. The implementation results show an overall 10% performance improvement in comparison with previous work, highlighting the benefit of using a mixed implementation over relatively-large finite field sizes.

Index Terms— ARM assembly, finite field, isogeny-based cryptosystems, key encapsulation mechanism, post-quantum cryptography.

I. INTRODUCTION

In recent years, an extensive amount of research has been devoted to quantum computers. These machines are envisioned to be able to solve mathematical problems which are currently unsolvable for conventional computers, because of their exceptional computational power from quantum mechanics. Therefore, if quantum computers are ever built at large scale, they will certainly be able to break many or almost all of the currently in-use public-key cryptosystems, which would be catastrophic to the confidentiality and integrity of any secure communication. To counteract this problem, post-quantum cryptography protocols are required to preserve security in the presence of quantum adversaries. Regardless of whether we can estimate the exact time of the advent of the quantum computing era, we must begin to prepare security protocols to be resistant against the potentially-malicious power of quantum computing. Accordingly, NIST initiated a process to evaluate and standardize one or more post-quantum public-key cryptography primitives [1]. Recently, the first round of submission of post-quantum primitives has been completed and all the proposals are publicly available¹ for evaluation in terms of proof of security and efficiency.

The submitted public-key post-quantum cryptography (PQC) proposals are based on five different hard problems and they are categorized as code-based cryptography [2], (ring) lattice-based cryptography [3], [4], hash-based cryptography [5], multivariate cryptography [6], and isogeny-based cryptography [7]. Isogeny-based cryptography is based on the hardness of computing the isogenies between two isogenous elliptic curves and it provides a complete key encapsulation protocol. The proposed method is denoted Supersingular Isogeny Key Encapsulation (SIKE) [8], and is constructed upon the initial Diffie-Hellman key-exchange scheme proposed by Jao and De Feo [7]. The SIKE protocol provides a standard method of key exchange between two parties, and it has been claimed to be secure against large-scale quantum adversaries running Shor's quantum algorithm [9]. Compared to other post-quantum candidates, the supersingular isogeny problem is a much younger scheme and its security and performance need to be investigated more. In terms of performance, SIKE is not a fast protocol due to the extensive number of point arithmetic operations which are required for computing large-degree isogenies. However, because of its significantly smaller secret-key and public-key sizes compared to other PQC candidates, SIKE is a suitable option for applications where communication bandwidth is critical. Furthermore, since it is the only post-quantum cryptography protocol which is constructed on elliptic curves, hybrid cryptography protocols can be derived from SIKE and classical elliptic curve cryptography (ECC) to make the transition towards post-quantum cryptography more convenient and practical.

Manuscript received March 23, 2019; revised May 17, 2019; accepted May 29, 2019. Date of publication July 22, 2019; date of current version October 30, 2019. This work was supported in part by NSF under Grant CNS-1801341, in part by NIST under Grant 60NANB16D246, in part by NSERC, CryptoWorks21, Public Works and Government Services Canada, in part by the Canada First Research Excellence Fund, and in part by the Royal Bank of Canada. This paper was recommended by Associate Editor G. Masera. (Corresponding author: Amir Jalali.) A. Jalali and R. Azarderakhsh are with the Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL 33431 USA (e-mail: [email protected]; razarderakhsh@fau.edu). M. Mozaffari Kermani is with the Department of Computer Science and Engineering, University of South Florida, Tampa, FL 33620 USA (e-mail: [email protected]). M. Campagna is with Amazon Web Services, Inc., Seattle, WA 98108-1207 USA (e-mail: [email protected]). D. Jao is with the Department of Mathematics, University of Waterloo, Waterloo, ON N2L 3G1, Canada (e-mail: [email protected]). Color versions of one or more of the figures in this article are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TCSI.2019.2920869

¹ NIST Standardization Process (Accessed Feb. 2019): https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

The initial idea of constructing cryptography schemes from the isogenies of ordinary elliptic curves was introduced by Rostovtsev and Stolbunov [10] in 2006. Later, Charles et al. [11] presented a set of cryptographic hash functions constructed from Ramanujan graphs, i.e., the set of supersingular elliptic curves over $\mathbb{F}_{p^2}$ with -isogenies. The main breakthrough in constructing a post-quantum cryptography protocol based on the hardness of computing isogenies was proposed by Jao and De Feo [7]. Their proposed scheme presents a set of public-key cryptography schemes such as key-exchange and encryption-decryption protocols with a coherent proof of security. Later, De Feo et al. [12] presented the first practical implementation of the Supersingular Isogeny Diffie-Hellman (SIDH) key-exchange protocol using optimized curve arithmetic techniques such as Montgomery arithmetic. Since the introduction of the supersingular isogeny public-key protocol, many different schemes and implementations such as digital signatures [13], [14], undeniable signatures [15], [16], group key agreement [17], and static-static key agreement [18] have been proposed, all built on the hardness of computing isogenies. The fast hardware architectures for computing isogenies of elliptic curves proposed by Koziel et al. [19] demonstrated that isogeny-based cryptography has the potential to be considered a practical candidate on FPGAs. However, the initial performance evaluations in software were not promising compared to other post-quantum candidates, in particular those constructed over the learning with errors problem [20]–[22]. The SIDH projective formulas and implementation by Costello et al. [23] smashed the performance bar of the protocol considerably by eliminating field

processors by adopting a novel engineering technique which takes advantage of the out-of-order execution pipeline on high-performance ARM cores. We compare the performance of our arithmetic libraries inside the SIKE reference implementation, and conclude the benefits of using a mixed implementation over relatively-large finite fields.

A. Contributions

In this work, we study different approaches to implementing SIKE on 64-bit ARM. We engineer the finite field arithmetic implementation carefully to provide the fastest timing records of the protocol on our target platforms. Our contributions can be categorized as follows:

• We propose a new approach for implementing finite field arithmetic on 64-bit ARM processors. We combine general-register and vector limbs in an efficient way to reduce pipeline stalls and improve the overall performance. To the best of our knowledge, this work is the first implementation of such a technique on ARMv8 processors.

• We implement different optimized versions of finite field multiplication using the Karatsuba multiplication method, which outperform the previous implementation of field multiplication of the same size on the ARMv8 target platform. The proposed implementations are constant-time and resistant to timing attacks.

• Our optimized software provides a constant-time implementation of the post-quantum SIKE protocol over three different quantum security levels. We state that this work is the first implementation of SIKEp964 which provides
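The second contribution above is the Karatsuba field multiplication. As an added example that is not part of the paper or its assembly library, the following C code shows the arithmetic shape of one Karatsuba level over 64-bit limbs built on a constant-time operand-scanning schoolbook product: the carries of the two half-sums are folded in with masks rather than branches, and the cross term is recovered by subtracting the two half products. The limb counts (8 limbs as a SIKEp503-sized operand, 12 and 16 for the larger fields), the helper names, and the xorshift-generated operands are this example's own assumptions; the paper's library works at the assembly level and splits limbs between A64 and Advanced SIMD registers, which this portable C does not model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 64-bit limbs, as on the paper's A64 targets. Assumed sizes:
   8 limbs for SIKEp503-sized operands, 12 for p751, 16 for p964. */
typedef uint64_t limb_t;
typedef unsigned __int128 dlimb_t;   /* GCC/Clang extension; available on AArch64 and x86-64 */
#define MAX_LIMBS 16

/* r[0..2n) = a[0..n) * b[0..n). Loop bounds and indices depend only on the public n. */
static void mul_schoolbook(limb_t *r, const limb_t *a, const limb_t *b, size_t n) {
    memset(r, 0, 2 * n * sizeof(limb_t));
    for (size_t i = 0; i < n; i++) {
        limb_t carry = 0;
        for (size_t j = 0; j < n; j++) {
            dlimb_t t = (dlimb_t)a[i] * b[j] + r[i + j] + carry;   /* cannot overflow 128 bits */
            r[i + j] = (limb_t)t;
            carry = (limb_t)(t >> 64);
        }
        r[i + n] = carry;   /* this limb is still zero before the assignment */
    }
}
/* r = a + b over n limbs; returns the carry-out (0 or 1). r may alias a. */
static limb_t add_n(limb_t *r, const limb_t *a, const limb_t *b, size_t n) {
    limb_t c = 0;
    for (size_t i = 0; i < n; i++) {
        dlimb_t t = (dlimb_t)a[i] + b[i] + c;
        r[i] = (limb_t)t;
        c = (limb_t)(t >> 64);
    }
    return c;
}
/* r = a - b over n limbs; returns the borrow-out (0 or 1). r may alias a. */
static limb_t sub_n(limb_t *r, const limb_t *a, const limb_t *b, size_t n) {
    limb_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        dlimb_t t = (dlimb_t)a[i] - b[i] - borrow;
        r[i] = (limb_t)t;
        borrow = (limb_t)(t >> 64) & 1;   /* upper half is all ones after a wrap */
    }
    return borrow;
}
/* One Karatsuba level: three h-limb products instead of one n-limb product
   (n even, n <= MAX_LIMBS). Half-sum carries are applied with masks, not branches. */
static void mul_karatsuba(limb_t *r, const limb_t *a, const limb_t *b, size_t n) {
    size_t h = n / 2;
    limb_t sa[MAX_LIMBS / 2], sb[MAX_LIMBS / 2], z1[MAX_LIMBS + 1];
    limb_t ca = add_n(sa, a, a + h, h);          /* sa + ca*B^h = a0 + a1 */
    limb_t cb = add_n(sb, b, b + h, h);          /* sb + cb*B^h = b0 + b1 */
    mul_schoolbook(r,         a,     b,     h);  /* z0 = a0*b0 -> r[0..2h)  */
    mul_schoolbook(r + 2 * h, a + h, b + h, h);  /* z2 = a1*b1 -> r[2h..4h) */
    mul_schoolbook(z1,        sa,    sb,    h);  /* sa*sb      -> z1[0..2h) */
    /* z1 = (sa + ca*B^h)(sb + cb*B^h) = sa*sb + (ca*sb + cb*sa)*B^h + ca*cb*B^2h */
    limb_t ma = (limb_t)0 - ca, mb = (limb_t)0 - cb, c = 0;
    for (size_t i = 0; i < h; i++) {
        dlimb_t t = (dlimb_t)z1[h + i] + (sb[i] & ma) + (sa[i] & mb) + c;
        z1[h + i] = (limb_t)t;
        c = (limb_t)(t >> 64);
    }
    z1[2 * h] = c + (ca & cb);
    /* z1 = (a0+a1)(b0+b1) - z0 - z2 = a0*b1 + a1*b0: never negative, fits in 2h+1 limbs */
    z1[2 * h] -= sub_n(z1, z1, r, 2 * h);
    z1[2 * h] -= sub_n(z1, z1, r + 2 * h, 2 * h);
    /* r += z1 * B^h, then ripple the carry through the remaining top limbs */
    c = add_n(r + h, r + h, z1, 2 * h + 1);
    for (size_t i = 3 * h + 1; i < 4 * h; i++) {
        dlimb_t t = (dlimb_t)r[i] + c;
        r[i] = (limb_t)t;
        c = (limb_t)(t >> 64);
    }
}
/* xorshift64 for constructed operands (seed must be nonzero). */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}
/* Cross-check: Karatsuba and schoolbook must agree on n-limb pseudo-random operands. */
bool karatsuba_matches_schoolbook(size_t n, uint64_t seed) {
    limb_t a[MAX_LIMBS], b[MAX_LIMBS], r1[2 * MAX_LIMBS], r2[2 * MAX_LIMBS];
    for (size_t i = 0; i < n; i++) { a[i] = xorshift64(&seed); b[i] = xorshift64(&seed); }
    mul_schoolbook(r1, a, b, n);
    mul_karatsuba(r2, a, b, n);
    return memcmp(r1, r2, 2 * n * sizeof(limb_t)) == 0;
}
/* Known answer: (2^512 - 1)^2 = 2^1024 - 2^513 + 1, i.e. limbs
   [1, 0 x7, 0xFF..FE, 0xFF..FF x7]. */
bool karatsuba_512_all_ones_ok(void) {
    limb_t a[8], r[16];
    for (size_t i = 0; i < 8; i++) a[i] = ~(limb_t)0;
    mul_karatsuba(r, a, a, 8);
    bool ok = (r[0] == 1) && (r[8] == ~(limb_t)1);
    for (size_t i = 1; i < 8; i++) ok = ok && (r[i] == 0);
    for (size_t i = 9; i < 16; i++) ok = ok && (r[i] == ~(limb_t)0);
    return ok;
}
```

The constant-time property here is only as good as the compiler's code generation: every loop bound is the public limb count and the carry handling is arithmetic on masks, but a C compiler is free to turn a mask into a branch. That is one reason the paper hand-writes the arithmetic in assembly, where the instruction sequence, and in the mixed A64/Advanced SIMD design the register allocation of each limb, is fixed by the author rather than the compiler.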
