Faster modular arithmetic for isogeny-based crypto on embedded devices

We show how to implement the Montgomery reduction algorithm for isogeny-based cryptography such that it can utilize the unsigned multiply accumulate accumulate long instruction present on modern ARM architectures. This results in a practical speedup of a factor 1.34 compared to the approach used by SIKE: the supersingular isogeny-based submission to the ongoing post-quantum standardization effort. Moreover, motivated by the recent work of Costello and Hisil (A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: ASIACRYPT 2017, Part II, LNCS. Springer, Heidelberg 2017), which shows that there is only a moderate degradation in performance when evaluating large odd-degree isogenies, we search for more general supersingular isogeny friendly moduli. Using graphics processing units to accelerate this search, we find many such moduli which allow for faster implementations on embedded devices. By combining these two approaches, we manage to make the modular reduction 1.5 times as fast on a 32-bit ARM platform.