Shrinking Post-Quantum Crypto for Tiny Devices

by

Author: Denis Avetisyan

Researchers have dramatically reduced the memory requirements of the HAETAE signature scheme, paving the way for secure communication on resource-limited microcontrollers.

This work presents a low-stack implementation of HAETAE, enabling its deployment on memory-constrained systems without sacrificing side-channel resistance.

Despite growing demand for post-quantum cryptography, deploying advanced signature schemes like HAETAE on resource-constrained microcontrollers presents a significant memory challenge. This work, ‘Low-Stack HAETAE for Memory-Constrained Microcontrollers’, addresses this limitation through a suite of optimizations targeting stack usage in the HAETAE module-lattice signature scheme. Specifically, we achieve substantial memory reductions-down to 5.8-6.0 kB for signing-via techniques including rejection-aware decomposition, component-level early rejection, and reverse-order streaming entropy coding. Will these optimizations unlock broader adoption of post-quantum signatures in embedded systems and IoT devices requiring robust, yet lightweight, cryptographic solutions?

The Impending Quantum Threat and the Necessity of Cryptographic Renewal

The foundations of modern digital security are facing an unprecedented challenge as the potential of quantum computation rapidly advances. Current encryption algorithms, such as RSA and ECC-cornerstones of online banking, secure communications, and data storage-rely on the computational difficulty of certain mathematical problems for their effectiveness. However, these problems, while intractable for classical computers, are susceptible to efficient solutions using quantum algorithms like Shorā€™s algorithm. This means that data encrypted today using these widely-deployed standards could be decrypted by a sufficiently powerful quantum computer in the future, potentially compromising sensitive information. Recognizing this looming threat, researchers and organizations are actively developing and standardizing new cryptographic methods-collectively known as Post-Quantum Cryptography-designed to resist attacks from both classical and quantum computers, ensuring continued confidentiality and integrity in the digital age.

The looming potential of quantum computers to break widely used encryption algorithms is driving a critical transition towards Post-Quantum Cryptography (PQC). Current public-key systems, such as RSA and ECC, rely on the computational difficulty of certain mathematical problems; however, Shor's\, algorithm, executable on a sufficiently powerful quantum computer, can efficiently solve these problems, rendering these systems vulnerable. Consequently, safeguarding digital infrastructure – encompassing everything from financial transactions and healthcare records to government communications – requires proactive development and implementation of cryptographic algorithms resistant to both classical and quantum attacks. PQC focuses on algorithms based on different mathematical problems, like lattices, codes, and multivariate equations, believed to be secure against known quantum algorithms, ensuring continued confidentiality, integrity, and authentication in a future dominated by quantum computation.

Conventional digital signature schemes, designed with the limitations of classical computing in mind, face significant challenges in the approaching era of quantum computation. These schemes often rely on the mathematical difficulty of problems like integer factorization or the discrete logarithm, which quantum algorithms – notably Shorā€™s algorithm – can solve with relative ease. Consequently, maintaining robust security necessitates substantially larger key and signature sizes to compensate for the weakened foundations, leading to unacceptable performance overheads in bandwidth-constrained environments and hindering scalability. This predicament drives the development of innovative signature schemes based on different mathematical structures, such as lattice-based cryptography, code-based cryptography, and multivariate cryptography, all striving to achieve a balance between computational efficiency, key size, and a proven resistance to both classical and quantum attacks. The search isn’t merely for quantum-resistant algorithms, but for solutions that are practically deployable and sustainable in the long term.

HAETAE: A Module-Lattice Signature Scheme – An Algebraically Sound Alternative

HAETAE represents a new module-lattice based signature scheme intended as a viable alternative to existing solutions, most notably ML-DSA. Module-lattice signatures utilize the mathematical properties of module lattices – generalizations of traditional lattices – to construct cryptographic primitives. This approach aims to improve upon the performance and potentially the security characteristics of established schemes. Unlike some lattice-based constructions relying on ideal lattices, HAETAEā€™s module lattice foundation offers a different trade-off between parameters and security levels. The design prioritizes practical efficiency alongside provable security, positioning it as a candidate for applications requiring compact signatures and relatively fast verification processes compared to other lattice-based signature schemes.

HAETAE achieves reductions in signature and key sizes by operating within the algebraic structure of module lattices. Traditional lattice-based cryptography often relies on large vectors and matrices, leading to substantial storage and computational overhead. By utilizing modules – which are vector spaces with additional algebraic structure – HAETAE can represent cryptographic keys and signatures with fewer elements. Specifically, HAETAE employs structured lattices built from ideals in polynomial rings, enabling the use of techniques like Number Theoretic Transforms (NTT) for efficient computations. This modular approach directly translates to shorter keys and signatures compared to schemes like ML-DSA, improving bandwidth usage and storage requirements without compromising security.

HAETAE employs a Hyperball Sampler to generate ephemeral vectors, which are short, random vectors used during signature creation. This sampler operates within a hyperball – a generalization of a ball in higher dimensions – defined by a radius and centered at the origin. Generating these vectors using the Hyperball Sampler is critical for the security of the scheme, as it ensures that the ephemeral vectors are uniformly distributed and unpredictable, preventing potential attacks that might exploit predictable or biased random values. The sampler’s efficiency directly impacts the overall signature generation speed, and its cryptographic soundness is essential to the schemeā€™s resistance against forgery.

HAETAE utilizes Number Theoretic Transforms (NTT) to accelerate polynomial multiplications, a core operation within the signature scheme. NTTs offer a significant performance advantage over traditional polynomial multiplication algorithms, particularly when working with large coefficients, by transforming the problem into a discrete Fourier transform in a finite field. This transformation allows for element-wise multiplication and an inverse transform, resulting in a complexity of O(n log n) for multiplying two polynomials of degree n-1, compared to O(n^2) for naive methods. By leveraging NTTs, HAETAE minimizes computational overhead and enhances the overall efficiency of signature generation and verification.

Resource Optimization in HAETAE: Tailoring Performance for Constrained Environments

Memory optimization is a core component of HAETAEā€™s design, directly addressing the resource limitations of embedded systems and IoT devices. These techniques minimize the overall memory footprint required for operation by reducing data storage needs and streamlining algorithmic processes. Specifically, the scheme avoids large pre-allocated buffers and employs strategies for on-demand data generation and processing. This results in a significantly smaller runtime memory requirement, enabling deployment on devices with limited RAM, and contributes to improved energy efficiency by reducing memory access operations.

The Two-Pass Hyperball Sampler employed within HAETAE reduces memory consumption by adopting an on-demand sample generation strategy. Traditional methods often pre-compute and store a large number of samples, requiring significant memory allocation. This sampler instead generates each sample only when it is needed during the signing process, effectively eliminating the need for large storage buffers. This approach is particularly beneficial for resource-constrained devices where memory is a limited resource, and minimizes the overall memory footprint of the HAETAE scheme without compromising security.

Reverse-Order Streaming Entropy Coding optimizes the HAETAE scheme by removing the need for intermediate staging buffers during the encoding process. Traditional entropy coding methods often require buffering data before compression, increasing both memory usage and latency. This technique processes and encodes data sequentially, or ā€œstreaming,ā€ directly as it becomes available. By encoding in reverse order, the algorithm minimizes lookahead requirements and avoids the accumulation of partially processed data. This direct processing streamlines the encoding pipeline, leading to reduced memory overhead and improved encoding speeds, particularly beneficial for resource-constrained devices.

Resource optimization in HAETAE is achieved through techniques like Rejection-Aware Pass Decomposition and Component-Level Early Rejection, which terminate computational branches when a valid solution is unlikely, thereby minimizing wasted cycles. This approach significantly reduces resource consumption during the signing process, resulting in a peak signing stack usage of between 5.8kB and 6.0kB consistently across all implemented security levels. This measured stack usage demonstrates efficient memory management and suitability for deployment on resource-constrained devices without compromising security.

HAETAE in Deployment: Scalability, Portability, and Adaptability in Practice

HAETAEā€™s successful implementation across both Cortex-M4 and RISC-V architectures highlights its versatility and potential for widespread adoption in the Internet of Things. This cross-platform compatibility is a crucial feature for developers targeting diverse hardware ecosystems, ensuring that a single codebase can function effectively on commonly used microcontroller platforms. Rigorous testing on these architectures confirms HAETAEā€™s robustness and reliability, moving it beyond theoretical design toward practical application in resource-constrained devices. The ability to operate seamlessly on both established and emerging architectures positions HAETAE as a future-proof solution for securing a broad range of IoT deployments, fostering interoperability and simplifying development cycles.

Portability is a crucial feature for any cryptographic implementation intended for the diverse landscape of Internet of Things devices, and HAETAE benefits from rigorous testing facilitated by the RIOT-OS operating system. RIOT-OS provides a consistent platform for evaluating HAETAEā€™s performance across a wide array of microcontroller architectures and hardware constraints commonly found in IoT applications. This systematic testing ensures that HAETAE not only functions correctly, but also maintains its efficiency and security properties regardless of the underlying hardware. By leveraging RIOT-OSā€™s extensive device support and development tools, developers can confidently deploy HAETAE on various IoT platforms, streamlining integration and reducing the risk of compatibility issues. This focus on portability broadens the potential applications of HAETAE, making it a versatile solution for securing communication and data within the expanding IoT ecosystem.

HAETAEā€™s adaptability is demonstrated through its configurable variants – HAETAE-2, HAETAE-3, and HAETAE-5 – each engineered to provide a nuanced balance between security strength and computational cost. This tiered approach acknowledges that not all Internet of Things deployments demand the highest possible cryptographic protection; resource-constrained devices, for example, may prioritize efficiency. HAETAE-2 offers a lighter-weight solution for less sensitive applications, while HAETAE-5 provides robust security suitable for critical infrastructure or high-value asset protection. By offering these choices, developers can precisely tailor the cryptographic implementation to the specific needs of their application, optimizing both security posture and system performance without unnecessary overhead.

Significant gains in efficiency are realized through Row-Streamed Verification, a technique that optimizes HAETAE by streaming matrix generation and employing a single polynomial for computation. This approach dramatically reduces memory demands; peak signing stack usage is lowered by 91.9% to 95.8% relative to the standard implementation, while verification requires only 4.7kB to 4.8kB of stack space-an 85% to 93% reduction over previous methods. Performance benchmarks demonstrate that HAETAE-5 achieves verification speeds ranging from 0.69x to 0.88x that of the reference implementation, and key generation utilizes 4.816kB of stack space, representing a 7.6% improvement over published figures. These reductions in both stack usage and computational overhead make HAETAE particularly well-suited for resource-constrained IoT devices.

The pursuit of efficiency in cryptographic implementations, as demonstrated by this work on HAETAE, echoes a fundamental tenet of mathematical rigor. The optimization for memory-constrained microcontrollers isnā€™t merely about making the algorithm work; itā€™s about achieving a demonstrably correct and resource-conscious solution. This aligns perfectly with David Hilbertā€™s assertion: ā€œOne must be able to say everything that can be said.ā€ In the context of post-quantum cryptography, ā€˜everythingā€™ includes provable security and practical deployability, even within the severe limitations of embedded systems. The reduction in SRAM usage isnā€™t an approximation; itā€™s a concrete step towards a provably functional signature scheme, deployable on devices where resources are critically limited, and therefore, a complete statement of the algorithm’s potential.

Future Directions

The reduction of HAETAEā€™s memory footprint, as demonstrated, is not an end, but merely a necessary precondition. The true challenge lies not in fitting the algorithm onto the device, but in formally verifying its behaviour within the constraints of that limited environment. Current implementations rely heavily on empirical testing; a provably secure signature scheme demands a formal model of both the cryptography and the underlying hardware, including the subtle vulnerabilities introduced by limited stack space and potential side-channel leakage.

Further work must address the algorithmic cost of achieving this memory reduction. While SRAM usage is minimized, the presented optimizations invariably introduce computational overhead. The critical metric, then, is not simply speed or memory, but the product of the two-a quantifiable measure of efficiency that allows for meaningful comparison across different implementations and hardware platforms. A purely empirical approach to optimization is, frankly, unsatisfying; a mathematically rigorous analysis of the trade-offs is essential.

Ultimately, the long-term success of post-quantum cryptography on severely constrained devices will hinge on the development of tools and techniques for automatic formal verification. Hand-crafted proofs, while intellectually admirable, are unsustainable in the face of increasingly complex algorithms and evolving hardware architectures. The goal should be a system capable of automatically generating and verifying proofs of correctness, ensuring that these signatures are not merely ā€˜good enough,ā€™ but demonstrably secure.

Original article: https://arxiv.org/pdf/2604.15868.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-04-20 15:30