Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2015.399

2015-01-01

Abstract:Lattice based cryptography is considered as an important candidate for post-quantum cryptosystems. Various lattice based cryptosystems are based on the Ring learning with errors (Ring-LWE) problem. As a basic operation of Ring-LWE problem, polynomial multiplication over rings is the most critical and computationally intensive operation of these cryptosystems. In this paper, we exploit the number theoretic transform (NTT) to build a family of scalable polynomial multiplier architectures, which provide designers with a trade-off choice of speed vs. area. Our multiplier architectures reduce the required clock cycles from 8n+1.5n lg n) to (2n+1.5n lg n)/B, where n is the dimension of the polynomials and B is number of butterfly operators. The experimental results on a Spartan-6 FPGA show that our proposed polynomial multiplier (B = 2) achieves a speedup of 2.5 times on average and consumes less slices and block RAMs when compared with the state of art of compact design. On a Stratix FPGA, our polynomial multiplier (B = 4) is able to achieve a speedup of 1.2 times on average and save around 90% Memory ALUTs, 75% block memory bits, and 63% DSPs when compared with the state of art of high speed design. On a Spartan-6 FPGA, our polynomial multiplier (B = 8) is capable to calculate the product of two polynomials of degree 256/512/1024/2048 in 2.88/5.71/11.46/24.89 µs.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/ISCAS.2016.7527452

2016-01-01

Abstract:The most critical and computationally intensive operation of Ring-LWE based public key cryptosystems is polynomial multiplication. In this paper, we introduce several optimization techniques to speed up polynomial multiplication with the number theoretic transform (NTT). We propose to precompute NTT of the constant polynomial to reduce the number of NTT computations. In order to reduce the cost of bit-reverse operation, a optimization technique is introduced to perform it on-the-fly. We also present a technique to improve the utilization rate of the butterfly operator. Moreover, the cancellation lemma is exploited to reduce the required ROM storage. Based on these optimizations, we present a versatile pipelined polynomial multiplication architecture, which takes around (n lg n + 1.5n) clock cycles to calculate the product of two n-degree polynomials. Experimental results on a Spartan-6 FPGA show that our polynomial multiplier achieves a speedup of 2.04 on average and consumes less hardware resources when compared with the state of art of efficient implementation.

Chaohui Du,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1145/2902961.2902969

2016-01-01

Abstract:Many lattice-based cryptosystems are based on the security of the Ring learning with errors (Ring-LWE) problem. The most critical and computationally intensive operation of these Ring-LWE based cryptosystems is polynomial multiplication. In this paper, we exploit the number theoretic transform to build a high-speed polynomial multiplier for the Ring-LWE based public key cryptosystems. We present a versatile pipelined polynomial multiplication architecture to calculate the product of two $n$-degree polynomials in about (( n lg n )/4 + n /2) clock cycles. In addition, we introduce several optimization techniques to reduce the required ROM storage. The experimental results on a Spartan-6 FPGA show that the proposed hardware architecture can achieve a speedup of on average 2.25 than the state of the art of high-speed design. Meanwhile, our design is able to save up to 47.06% memory blocks.

Chuhui Wang,Zewen Ye,Haibin Shen,Kejie Huang

DOI: https://doi.org/10.1007/978-3-031-69766-1_10

2024-01-01

Abstract:Bit Flipping Key Encapsulation (BIKE) is a code-based key encapsulation mechanism that utilizes Quasi-Cyclic Medium Density Parity-Check (QC-MDPC) codes, which is a promising candidate in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. Polynomial multiplication calculation is the most critical operation in BIKE, which limits the speed of key generation and encapsulation. The high degree of the polynomial not only requires millions of computations but also necessitates complex memory access. To address this issue, we propose a Computation-in-Memory (CIM) based accelerator architecture for polynomial multiplication operations in BIKE. To minimize the size of the CIM core while maintaining high computational throughput, we propose a folded mapping strategy and a one-memory-multiple-NAND architecture. As a result, a 128x128 array is sufficient for the bike1 parameters, with zero padding at the higher part of the multiplicand. Furthermore, we introduce a data flow scheme that integrates carry-less multiplication and polynomial reduction operations to improve computational efficiency. The post-layout simulation results in 28nm CMOS technology show that our fastest configuration design occupies an area of approximately 1.37 mm(2) with a low power consumption of around 14.17 mW. Compared with state-of-the-art hardware implementations, our proposed design improves the speed of polynomial multiplication by approximately 2.5x.

Uyangaa Khuchit,Liji Wu,Xiangmin Zhang,Yanzhao Yin,Altantsooj Batsukh,Bayarpurev Mongolyn,Munkhbaatar Chinbat

DOI: https://doi.org/10.1109/asid50160.2020.9271725

2020-01-01

Abstract:An ideal lattice is defined over a ring learning with errors (Ring-LWE) problem. Polynomial multiplication over the ring is the most computational and time-consuming block in lattice-based cryptography. This paper presents the first hardware design of the polynomial multiplication for LAC, one of the Round-2 candidates of the NIST PQC Standardization Process, which has byte-level modulus p=251. The proposed architecture supports polynomial multiplications for different degree n (n=512/1024/2048). For designing the scheme, we used the Vivado HLS compiler, a high-level synthesis based hardware design methodology, which is able to optimize software algorithms into actual hardware products. The design of the scheme takes 274/280/291 FFs and 204/217/208 LUTs on the Xilinx Artix-7 family FPGA, requested by NIST PQC competition for hardware implementation. Multiplication core uses only 1/1/2 pieces of 18Kb BRAMs, 1/1/1 DSPs, and 90/94/95 slices on the board. Our timing result achieved in an alternative degree n with 5.052/4.3985/5.133ns.

Xiao Hu,Jing Tian,Minghao Li,Zhongfeng Wang

DOI: https://doi.org/10.1109/tcsi.2022.3218192

2022-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:As the computation bottleneck in lattice-based cryptography (LBC), the polynomial multiplication based on number theoretic transform (NTT) has been continuously studied for flexible hardware implementations with high area-efficiency. This paper presents an area-efficient and configurable NTT-based polynomial multiplier (AC-PM) incorporating algorithmic and architectural level optimization techniques. For the core operation of polynomial multiplication, two low-complexity and fast modular multiplication algorithms are introduced with loose constraints of LBC-friendly primes. Based on the proposed algorithms, a reconfigurable processing element (RPE) is dedicatedly designed to execute all the operations in an NTT-based polynomial multiplication: NTT, inverse NTT (INTT), and coefficient-wise multiplication (CWM). The proposed AC-PM can be configured with different numbers of RPEs and supports various polynomial degrees without recompilation. Additionally, the dataflow complexity is greatly simplified. More importantly, to the best of our knowledge, the twiddle factors are reused, for the first time, to support both NTT and INTT with multiple polynomial degrees, which leads to increased flexibility of AC-PM with small overhead on hardware resource. FPGA implementation results demonstrate that the proposed AC-PM significantly outperforms the prior arts in both flexibility and area efficiency.

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Xiang Feng,Shuguo Li,Sufen Xu

DOI: https://doi.org/10.1109/tcsii.2019.2917621

2020-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:Cryptography based on ring learning with error (RLWE) problem has become increasingly popular due to its resistance against quantum analysis. The most time-consuming operation in RLWE cryptosystem is polynomial multiplication. This brief presents a novel polynomial multiplier based on Stockham fast Fourier transform (FFT) algorithm. We propose a multi-lane number theoretic transform (NTT) algorithm which can achieve ${n}$ -degree polynomial multiplication in ${(nlgn)/d+2n/d}$ clock cycles with ${d}$ lanes of butterfly units. In addition, we also customize a memory addressing strategy and a round constant managing scheme for the proposed multi-lane NTT algorithm. Based on our proposed algorithm, a high-speed polynomial multiplier is accomplished on FPGA platform. Implementation results on Spantan-6 FPGA show that our proposed algorithm can achieve a speed up factor of no less than 2.7 times compared with the state of art designs.

Chongyang Li,Wenping zhu,Leibo Liu

DOI: https://doi.org/10.1109/CISCE52179.2021.9445982

2021-01-01

Abstract:As the most computing-intensive operation in lattice-based cryptography, polynomial multiplication is the bottleneck for high speed and low-latency implementation of these schemes. In this paper, a vector number theoretic transform (NTT) accelerator is proposed to speed up this process. First, an efficient addressing scheme for the vectorized NTT/INTT is proposed to achieve a conflict free situati...

Xiao Hu,Minghao Li,Jing Tian,Zhongfeng Wang

DOI: https://doi.org/10.1109/asap52443.2021.00033

2021-01-01

Abstract:The lattice-based cryptography (LBC) has been widely used recently in many compute-intensive applications, such as the post-quantum cryptography (PQC) and privacy-preserving deep learning, where the main task for such applications is to improve the computational efficiency. The modular multiplication operations, mainly involved in the number theoretic transform (NTT), comprise a large proportion of the whole computations required by an LBC. This paper presents a novel "decompose-and-reduce" modular multiplication algorithm (DARM), considering primes with the form of q = 22N −δ and δ < 2N−2. The inherent structure of the modulus is exploited and the intermediates’ data widths are reduced. Moreover, a low-complexity and fast multiplier is elaborately devised based on DARM. To further validate the performance of our multiplier, an n-point NTT design with DARM is implemented with various configurations. FPGA implementation results demonstrate that compared with the prior arts, the proposed multiplier has 1.12-1.89× speedups with the least DSP utilization. For the case of ⌈log2 q⌉ = 60 and n = 4096, the NTT implementation with DARM achieves up to 41.2% and 61.2% reductions in LUTs and DSPs, respectively.

Liu Dongsheng,Zhang Cong,Lin Hui

DOI: https://doi.org/10.1109/mwscas.2017.8052914

2017-01-01

Abstract:Lattice-based cryptography has been widely researched due to its quantum attack resistance and versatility, but a practical hardware implementation that is suitable for constrained devices is still challenging. In this paper, a novel area-optimized Ring-LWE (Learning with Error) cryptographic processor is proposed. Effective structures are presented to solve the huge circuit consumption of high precision Gaussian sampling and modular multiplication in Ring-LWE public-key cryptosystem. The Ring-LWE processor is smaller than the current state of the art hardware implementations, occupying only 948 slices, 3 BRAMs and none DSP module on a Xilinx Spartan-6 FPGA. Additionally, this processor is designed with resistance to side-channel attack, while it can encrypt/decrypt 256-bit message in 1.4ms/0.4ms.

Weihang Tan,Antian Wang,Yingjie Lao,Xinmiao Zhang,Keshab K. Parhi

DOI: https://doi.org/10.1109/TC.2023.3251847

2023-02-24

Abstract:This paper presents a low-latency hardware accelerator for modular polynomial multiplication for lattice-based post-quantum cryptography and homomorphic encryption applications. The proposed novel modular polynomial multiplier exploits the fast finite impulse response (FIR) filter architecture to reduce the computational complexity of the schoolbook modular polynomial multiplication. We also extend this structure to fast $M$-parallel architectures while achieving low-latency, high-speed, and full hardware utilization. We comprehensively evaluate the performance of the proposed architectures under various polynomial settings as well as in the Saber scheme for post-quantum cryptography as a case study. The experimental results show that our proposed modular polynomial multiplier reduces the computation time and area-time product, respectively, compared to the state-of-the-art designs.

Cryptography and Security,Hardware Architecture

Jianfei Wang,Chen Yang,Fahong Zhang,Yishuo Meng,Yang Su

DOI: https://doi.org/10.1109/tvlsi.2023.3277865

2023-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Polynomial multiplication over rings is a significant bottleneck of ring learning with error (RLWE)-based encryption. To speed it up, three algorithms are widely used, i.e., number theoretic transform (NTT), Schoolbook, and Toom-Cook. Compared with Schoolbook and NTT, Toom-Cook can achieve a better trade-off between performance and flexibility. However, in Toom-Cook postprocessing, there are many redundant steps and calculations that have not been eliminated. Therefore, we propose an efficient, compressed, and fused Toom-Cook postprocessing algorithm that reduces the number of steps and at least 33.33% of the arithmetic operations of postprocessing. A highly reconfigurable and efficient Toom-Cook-based polynomial multiplier (TCPM) is proposed to speed up polynomial multiplication over rings. In TCPM, a high-throughput and efficient heterogeneous processing element (PE) array is designed to exploit the parallelism of Toom-Cook, and based on the compressed algorithm, the PE array for postprocessing is scaled down. In addition, as it is provided with a reconfigurable evaluation module, a flexible polynomial data storage module and a universal PE array, TCPM can efficiently map and execute Toom-Cook-2, 3, and 4 on a unified hardware architecture. Implemented on the Xilinx VC709 field-programmable gate array (FPGA) platform, TCPM can perform a Toom-Cook-4-based $256\times256$ polynomial multiplication over rings with a modulus of a power of two or a prime every 3.28 $\mu \text{s}$ at a 360-MHz clock frequency. It achieves a $2.47\times $ to $50.11\times $ speedup compared with the previous designs.

Zepeng Yang,Chen Yang,Fahong Zhang,Jianfei Wang,Jia Hou,Yang Su

DOI: https://doi.org/10.1109/icicm59499.2023.10365797

2023-01-01

Abstract:The Number Theoretic Transform (NTT) is currently widely used to accelerate polynomial multiplication in finite fields, which is the computational bottleneck of lattice-based fully homomorphic encryption schemes. The key challenge of NTT hardware structure implementation lies in the large amount of data storage and the complex pattern of data access. This paper proposes an efficient data access pattern of NTT algorithm. Benefiting from the specific pattern optimization of different stages of NTT, the use of hardware resource can be reduced by 46%~80%, and the performance based on FPGA is increased up to 4.9x compared with state-of-the-art NTT implementation. Furthermore, we apply the proposed hardware structure to realize the homomorphic evaluation of the CKKS homomorphic scheme, whose performance is improved by 7300x compared with software implementation.

Yang Su,Bai-Long Yang,Chen Yang,Ze-Peng Yang,Yi-Wei Liu

DOI: https://doi.org/10.1109/tvlsi.2022.3166355

2022-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:The ring learning with error (RLWE)-based fully homomorphic encryption (FHE) scheme has become one of the most promising FHE schemes. However, its performance is limited by the homomorphic multiplication, especially the polynomial multiplication which occupies major computing resources. Therefore, efficient implementation of polynomial multiplication is crucial for high-performance FHE applications. In this article, we present an area-efficient and highly unified reconfigurable multicore number theoretic transform (NTT)/inverse NTT (INTT) architecture (named MCNA), which employs NTT and INTT for polynomial multiplier with a variable number of reconfigurable processing elements. To reduce latency, MCNA merges the preprocessing and postprocessing into the constant-geometry NTT and INTT, respectively. Also, a reconfigurable modular multiplier based on digital signal processor (DSP) is proposed to speed up the modular multiplication. In order to avoid designing independent memory access pattern for INTT, a unified read/write structure of NTT/INTT is presented. Furthermore, a novel memory access pattern named “cyclic-sharing” is proposed to reduce 25% memory capacity. MCNA is evaluated on a Xilinx Virtex-7 field-programmable gate array (FPGA) platform. Running at 250-MHz clock frequency, the throughput of MCNA for NTT/INTT achieves $2.78\times \sim 9.32\times $ improvements in comparison to prior works, while the area efficiency of lookup table (LUT) and flip-flop (FF) is improved by $1.25\times \sim 4.79\times $ . For polynomial multiplication, the throughput of MCNA achieves $3.73\times \sim 7.69\times $ enhancements, as well as $1.13\times \sim 14.8\times $ area efficiency improvements.

Hui Lin,Dongsheng Liu,Cong Zhang,Yahui Dong

DOI: https://doi.org/10.1142/s0218126618502018

2018-01-01

Abstract:Due to its advantage of quantum resistance and the provable security under some worst-case hardness assumptions, lattice-based cryptography is being increasingly researched. This paper tries to explore and present a novel lattice-based public key cryptography and its implementation of circuits. In this paper, the LWE (learning with error) cryptography is designed for circuit realization in a practical way. A strategy is proposed to dramatically reduce the stored public key size from [Formula: see text] to [Formula: see text], with only several additional linear feedback shift registers. The circuit design is implemented on Xilinx Spartan-3A FPGA and performs very well with limited resources. Only 125 slices and 8 BRAMs are occupied, and there are no complex operation devices such as multipliers or dividers, all the involved arithmetic operations are additions. This design is smaller than most hardware implementations of LWE or Ring-LWE cryptography in current state, while having an acceptable frequency at 111 MHz. Therefore, LWE cryptography can be practically realized, and its advantages of quantum resistance and simple implementation make the public key cryptography promising for some applications in devices such as smart cards.

Liejun Ma,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/icet49382.2020.9119654

2020-01-01

Abstract:In the last few years, with the fleeting progress of quantum computer the traditional encryption technology is being threatened. Lattice based cryptography is a new post quantum cryptography which has been proved the security under the quantum computer attack. However, due to the limitation of communication frequency and power consumption, it is difficult to implement the lattice based cryptographic algorithm on the existing general processor platform. The polynomial multiplication is the most basic and critical operation in these lattice based cryptographic systems. It is also the computationally intensive operation which is more suitable for hardware implement. In this paper, we proposed a small area, low-power polynomial multiplier design in a specific field. Our scheme not only ensures the performance requirements, but also reduces the overhead of area and power consumption. The proposed scheme in this paper need not use the DSP resources on FPGA so that we can maximize the parallel NTT butterfly operators to improve the computing efficiency. It is a low-cost, high-performance implementation scheme.

Mengyuan Li,Haoran Geng,Michael Niemier,Xiaobo Sharon Hu

2023-07-27

Abstract:Lattice-based cryptographic algorithms built on ring learning with error theory are gaining importance due to their potential for providing post-quantum security. However, these algorithms involve complex polynomial operations, such as polynomial modular multiplication (PMM), which is the most time-consuming part of these algorithms. Accelerating PMM is crucial to make lattice-based cryptographic algorithms widely adopted by more applications. This work introduces a novel high-throughput and compact PMM accelerator, X-Poly, based on the crossbar (XB)-type compute-in-memory (CIM). We identify the most appropriate PMM algorithm for XB-CIM. We then propose a novel bit-mapping technique to reduce the area and energy of the XB-CIM fabric, and conduct processing engine (PE)-level optimization to increase memory utilization and support different problem sizes with a fixed number of XB arrays. X-Poly design achieves 3.1X10^6 PMM operations/s throughput and offers 200X latency improvement compared to the CPU-based implementation. It also achieves 3.9X throughput per area improvement compared with the state-of-the-art CIM accelerators.

Cryptography and Security,Hardware Architecture

Weihang Tan,Sin-Wei Chiu,Antian Wang,Yingjie Lao,Keshab K. Parhi

DOI: https://doi.org/10.1109/TIFS.2023.3338553

2023-07-07

Abstract:High-speed long polynomial multiplication is important for applications in homomorphic encryption (HE) and lattice-based cryptosystems. This paper addresses low-latency hardware architectures for long polynomial modular multiplication using the number-theoretic transform (NTT) and inverse NTT (iNTT). Chinese remainder theorem (CRT) is used to decompose the modulus into multiple smaller moduli. Our proposed architecture, namely PaReNTT, makes four novel contributions. First, parallel NTT and iNTT architectures are proposed to reduce the number of clock cycles to process the polynomials. This can enable real-time processing for HE applications, as the number of clock cycles to process the polynomial is inversely proportional to the level of parallelism. Second, the proposed architecture eliminates the need for permuting the NTT outputs before their product is input to the iNTT. This reduces latency by n/4 clock cycles, where n is the length of the polynomial, and reduces buffer requirement by one delay-switch-delay circuit of size n. Third, an approach to select special moduli is presented where the moduli can be expressed in terms of a few signed power-of-two terms. Fourth, novel architectures for pre-processing for computing residual polynomials using the CRT and post-processing for combining the residual polynomials are proposed. These architectures significantly reduce the area consumption of the pre-processing and post-processing steps. The proposed long modular polynomial multiplications are ideal for applications that require low latency and high sample rate as these feed-forward architectures can be pipelined at arbitrary levels.

Hardware Architecture,Cryptography and Security

Jianfei Wang,Chen Yang,Yishuo Meng,Fahong Zhang,Jia Hou,Siwei Xiang,Yang Su

DOI: https://doi.org/10.1109/tcsi.2024.3483229

2024-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:Out-of-place constant-geometry (CG) NTT usually has a simple and uniform memory access pattern. However, out-of-place CG NTT always requires ping-pong memory, resulting in a memory capacity requirement of 2 $N$ . Therefore, we propose a novel radix-4 in-place CG (IPCG) NTT/INTT that reduces the capacity requirement from 2 $N$ to $N$ . An area-efficient and dynamical reconfigurable polynomial multiplier (RAEPM) based on IPCG NTT is proposed to speed up polynomial multiplication over rings. In RAEPM, a Barrett modular multiplier using area-efficient radix-4 booth multiplier is designed to reduce area. In addition, an odd-bank buffer structure is proposed to achieve conflict-free memory mapping independent of polynomial length $N$ and NTT/INTT stage. Moreover, we also proposed an efficient modular reduction for specific numbers and introduced a division equivalent method to eliminate the odd number modular reduction and odd number division in addressing. RAEPM is implemented on Xilinx VC709 FPGA and runs at 294MHz clock frequency. Compared with the prior pure NTT accelerators, under the same parameters, RAEPM achieves a decrease of 39.02% $\sim$ 57.63% in area-time complexity of equivalent LUT, and a decrease of 15.97% $\sim$ 49.24% in area-time complexity of equivalent FF. Compared with the prior NTT-based polynomial multipliers, under the same parameters, RAEPM achieves a decrease of 35.48% $\sim$ 90.81% in area-time complexity of equivalent LUT, and a decrease of 24.24% $\sim$ 88.41% in area-time complexity of equivalent FF.