Affiliation:
1. Hansung University, Republic of Korea
2. Gachon University, Republic of Korea
Abstract
The Rainbow Signature Scheme is one of the finalists in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization competition, but failed to win because of a lack of stability in its parameter selection.
It is the only signature candidate based on multivariate quadratic equations. Rainbow signatures are smaller than those of other post-quantum cryptography candidates, but they require expensive tower-field-based polynomial multiplications. In this article, we propose an efficient implementation of Rainbow signatures using a look-up-table-based multiplication method. The polynomial multiplications in Rainbow signatures are performed over the field 𝔽₁₆, which the tower-field method decomposes into the sub-fields 𝔽₄ and 𝔽₂. To accelerate multiplication on the target processors, we propose a look-up-table-based tower-field multiplication technique. In 𝔽₁₆, all values fit in a 4-bit data format, so a product can be obtained with a single access to a 256-byte look-up table. The implementation uses the TBL and TBX instructions of the 64-bit ARMv8 target processor. Rainbow III and Rainbow V are computed over 𝔽₂₅₆ using an additional 16-byte table instead of a new look-up table. The proposed technique uses the vector registers of 64-bit ARMv8 processors and computes 16 result values with a single instruction.
We also propose implementations that are resistant to timing attacks, of two types. The first is the cache side-channel-attack-resistant implementation, which uses the 128-byte cache lines of the M1 processor; in this implementation, cache misses never occur and every access is a cache hit. The second is the constant-time implementation, which steps through the look-up table to find the required value and makes the same number of accesses whichever entry is requested, so it leaks no timing information.
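As an added example (not code from the paper or from the Rainbow project), the tower-field 𝔽₁₆ multiplication, the 256-byte table it produces, a scalar model of the 16-lane TBL lookup, and a constant-time full-table scan of the kind the second countermeasure above describes. The tower polynomials 𝔽₄ = 𝔽₂[x]/(x²+x+1) and 𝔽₁₆ = 𝔽₄[y]/(y²+y+x) and all function names are assumptions, and the TBL lookup is modeled in plain C rather than NEON intrinsics so it runs on any host.

```c
#include <stdint.h>
#include <stddef.h>

/* Tower field assumed here (chosen to match the tower construction described above):
 * GF(4)  = GF(2)[x]/(x^2 + x + 1), 2-bit values, bit 1 = coefficient of x
 * GF(16) = GF(4)[y]/(y^2 + y + x), 4-bit values, bits 3..2 = coefficient of y */
static uint8_t gf4_mul_x(uint8_t b) { return (uint8_t)(((b << 1) ^ ((b >> 1) * 3)) & 3); }
static uint8_t gf4_mul(uint8_t a, uint8_t b) {
    uint8_t m0 = (uint8_t)-(a & 1), m1 = (uint8_t)-((a >> 1) & 1);  /* branch-free select */
    return (uint8_t)((m0 & b) ^ (m1 & gf4_mul_x(b)));
}
uint8_t gf16_mul(uint8_t a, uint8_t b) {
    uint8_t a0 = a & 3, a1 = (a >> 2) & 3, b0 = b & 3, b1 = (b >> 2) & 3;
    uint8_t p00 = gf4_mul(a0, b0), p11 = gf4_mul(a1, b1);
    uint8_t mid = gf4_mul(a0 ^ a1, b0 ^ b1) ^ p00 ^ p11;  /* a0*b1 + a1*b0 (Karatsuba) */
    /* y^2 = y + x, so the y^2 term contributes to both coefficients */
    return (uint8_t)(((mid ^ p11) << 2) | (p00 ^ gf4_mul_x(p11)));
}
/* 256-byte table: row a (16 bytes) holds a*b for b = 0..15, i.e. one TBL table register. */
void gf16_build_table(uint8_t table[256]) {
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = 0; b < 16; b++) table[(a << 4) | b] = gf16_mul((uint8_t)a, (uint8_t)b);
}
/* Scalar model of TBL: 16 index lanes looked up in one 16-byte table register;
 * an out-of-range index yields 0 (TBX would leave that lane unchanged instead). */
void gf16_mul_lanes_tbl(const uint8_t table[256], uint8_t a, const uint8_t idx[16], uint8_t out[16]) {
    const uint8_t *row = table + ((a & 15) << 4);
    for (int i = 0; i < 16; i++) out[i] = (idx[i] < 16) ? row[idx[i]] : 0;
}
/* Constant-time variant: every one of the 256 entries is read on every call and the
 * wanted one is selected with a mask, so the access pattern is independent of a and b. */
uint8_t gf16_mul_ct(const uint8_t table[256], uint8_t a, uint8_t b) {
    unsigned want = ((a & 15u) << 4) | (b & 15u), r = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint32_t d = (uint32_t)(i ^ want);                 /* 0 only at the wanted index */
        uint8_t mask = (uint8_t)(0u - ((d - 1u) >> 31));  /* 0xFF iff d == 0 */
        r |= table[i] & mask;
    }
    return (uint8_t)r;
}
/* Self-check: multiplication is commutative and every nonzero row is a permutation
 * of 0..15 (no zero divisors), as a field multiplication table must be. Returns 1 if OK. */
int gf16_table_selfcheck(const uint8_t table[256]) {
    for (unsigned a = 1; a < 16; a++) {
        unsigned seen = 0;
        for (unsigned b = 0; b < 16; b++) {
            if (table[(a << 4) | b] != table[(b << 4) | a]) return 0;
            seen |= 1u << table[(a << 4) | b];
        }
        if (seen != 0xFFFFu) return 0;
    }
    return 1;
}
```

The constant-time scan trades the single TBL access for 256 masked reads; the cache-line-resident variant keeps the single access and instead relies on the whole table being hot.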
Our experiments on modern Apple M1 processors showed up to 428.73× and 114.16× better performance for finite field multiplications and Rainbow signature schemes, respectively, compared with previous reference implementations. To the best of our knowledge, this is the first optimized Rainbow implementation for 64-bit ARMv8 processors.
Funder
Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government
Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korean government
Publisher
Association for Computing Machinery (ACM)
Subject
Hardware and Architecture, Software