Yihong Zhu,Wenping Zhu,Chen,Min Zhu,Zhengdong Li,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/dac56929.2023.10247918

2023-01-01

Abstract:Classic McEliece is a code-based quantum-resistant public-key scheme characterized with relative high encapsulation/decapsulation speed and small ciphertexts, with an in-depth analysis on its security. However, slow key generation with large public key size make it hard for wider applications. Based on this observation, Mckeycutter, a high-throughput key generator in hardware, is proposed to accelerate the key generation in Classic McEliece based on algorithm-hardware co-design. Meanwhile the storage overhead caused by large-size keys is also minimized. First, compact large-size GF(2) Gauss elimination method is presented by adopting naive processing array and memory-friendly scheduling strategy. Second, an optimized constant-time hardware sorter is proposed to support regular memory accesses with less comparators and storage. Third, algorithmlevel pipeline is enabled for high-throughput processing, allowing for concurrent key generations. Our FPGA implementation results achieve around 4× improvements in throughput with 9~14× less memory-time product compared with the existing FPGA solutions.

Yi’er Jin,Haibin Shen,Huafeng Chen,Xiaolang Yan

DOI: https://doi.org/10.1007/s11767-006-0257-4

2008-01-01

Abstract:A new structure of bit-parallel Polynomial Basis (PB) multiplier is proposed, which is based on a fast modular reduction method. The method was recommended by the National Institute of Standards and Technology (NIST). It takes advantage of the characteristics of irreducible polynomial, i.e., the degree of the second item of irreducible polynomial is far less than the degree of the polynomial in the finite fields GF(2 m ). Deductions are made for a class of finite field in which trinomials are chosen as irreducible polynomials. Let the trinomial be x m + x h +1, where 1 ≤ k ≤ [m/1]. The proposed structure has shorter critical path than the best known one up to date, while the space requirement keeps the same. The structure is practical, especially in real time cryptographic applications.

Haibin Shen,Yier Jin,Rongquan You

DOI: https://doi.org/10.1109/ICICIC.2006.180

2006-01-01

Abstract:Modular reduction is the basic operation of cryptographic systems. The Barrett's algorithm and Montgomery's algorithm are widely used nowadays and they are both based on pre-computation. In the field of elliptic curve cryptosystem (ECC) over GF(2m), the reduction polynomials recommended by SEC have few items and the degree of second item is much less than that of the first one. Making use of this characteristic, the paper presents a new method to accelerate modular reduction without pre-computation which speeds up modular reduction by 10-30 times over GF(2m) and speeds up ECC point multiplication by 40%-50%. This algorithm has been implemented in a high-speed public-key cipher accelerator

Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Yan Liu,Liji Wu,Zhenhui Zhang,Xiangmin Zhang,Jing Zhou,Yifan Yang,Le Wu

DOI: https://doi.org/10.1109/asid60355.2023.10426507

2023-01-01

Abstract:The security of existing cryptosystems mostly relies on the difficulty of solving integer factorization problems and discrete logarithm problems. However, in recent years, with the rapid development of quantum computers, the time required to solve these difficult problems has been significantly reduced, which will pose significant risks to the transmission of information. Post-quantum algorithms are a type of cryptographic algorithm specifically designed to resist quantum computer attacks. The National Institute of Standards and Technology of the United States(NIST) has completed four rounds of selection work from 2016 to 2022. The Classic McEliece algorithm is the only Post-Quantum Cryptography (PQC) algorithm that has been selected for the fourth round of selection after more than 50 years. However, currently, the research and implementation of this algorithm are mostly focused on the software algorithm level, while the hardware implementation can be said to be very few. At the same time, hardware-implemented cryptographic algorithms have certain advantages in terms of security, algorithm execution speed, and other aspects compared to software. In this paper, the arithmetic part and the encryption part of the Classic McEliece algorithm are designed, and a UVM verification platform is built to verify its functionality. Finally, the hardware circuit is verified on the SAKURA-G FPGA development board, relevant resource consumption was collected and compared with the work of the predecessors.

Guantong Su,Guoqiang Bai

DOI: https://doi.org/10.3390/electronics12051235

IF: 2.9

2023-03-05

Electronics

Abstract:Cryptosystems based on supersingular isogeny are a novel tool in post-quantum cryptography. One compelling characteristic is their concise keys and ciphertexts. However, the performance of supersingular isogeny computation is currently worse than that of other schemes. This is primarily due to the following factors. Firstly, the underlying field is a quadratic extension of the finite field, resulting in higher computational complexity. Secondly, the strategy for large-degree isogeny evaluation is complex and dependent on the elementary arithmetic units employed. Thirdly, adapting the same hardware to different parameters is challenging. Considering the evolution of similar curve-based cryptosystems, we believe proper algorithm optimization and hardware acceleration will reduce its speed overhead. This paper describes a high-performance and flexible hardware architecture that accelerates isogeny computation. Specifically, we optimize the design by creating a dedicated quadratic Montgomery multiplier and an efficient scheduling strategy that are suitable for supersingular isogeny. The multiplier operates on Fp2 under projective coordinate formulas, and the scheduling is tailored to it. By exploiting additional parallelism through replicated multipliers and concurrent isogeny subroutines, our 65 nm SMIC technology cryptographic accelerator can generate ephemeral public keys in 2.40 ms for Alice and 2.79 ms for Bob with a 751-bit prime setting. Sharing the secret key costs another 2.04 ms and 2.35 ms, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yufei Xing,Shuguo Li

DOI: https://doi.org/10.46586/tches.v2021.i2.328-356

2021-02-23

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Post-quantum cryptosystems should be prepared before the advent of powerful quantum computers to ensure information secure in our daily life. In 2016 a post-quantum standardization contest was launched by National Institute of Standards and Technology (NIST), and there have been lots of works concentrating on evaluation of these candidate protocols, mainly in pure software or through hardware-software co-design methodology on different platforms. As the contest progresses to third round in July 2020 with only 7 finalists and 8 alternate candidates remained, more dedicated and specific hardware designs should be considered to illustrate the intrinsic property of a certain protocol and achieve better performance. To this end, we present a standalone hardware design of CRYSTALS-KYBER, amodule learning-with-errors (MLWE) based key exchange mechanism (KEM) protocol within the 7 finalists on FPGA platform. Through elaborate scheduling of sampling and number theoretic transform (NTT) related calculations, decent performance is achieved with limited hardware resources. The way that Encode/Decode and the tweaked Fujisaki-Okamoto transform are implemented is demonstrated in detail. Analysis about minimizing memory footprint is also given out. In summary, we realize the adaptive chosen ciphertext attack (CCA) secure Kyber with all selectable module dimension k on the smallest Xilinx Artix-7 device. Our design computes key-generation, encapsulation (encryption) and decapsulation (decryption and reencryption) phase in 3768/5079/6668 cycles when k = 2, 6316/7925/10049 cycles when k = 3, and 9380/11321/13908 cycles when k = 4, consuming 7412/6785 LUTs, 4644/3981 FFs, 2126/1899 slices, 2/2 DSPs and 3/3 BRAMs in server/client with 6.2/6.0 ns critical path delay, outperforming corresponding high level synthesis (HLS) based designs or hardware-software co-designs to a large extent.

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tcsi.2023.3306347

2023-01-01

Abstract:The attack on quantum computers is an enormous threat to conventional public-key cryptography. Hence, it is crucial to study quantum-resistant cryptosystems. After four rounds of evaluation, the National Institute of Standards and Technology (NIST) has decided to standardize CRYSTALS-Kyber as one of the public-key post-quantum cryptography (PQC) algorithms. In the hardware design of CRYSTALS-Kyber, the polynomial-related calculations are the most time-consuming. In this paper, we present a highly-efficient hardware architecture for CRYSTALS-Kyber. Firstly, we propose the CRYSTALS-Kyber-oriented conflict-free memory mapping scheme with two modes. Based on this scheme, we construct the mixed radix-2/4 NTT/INTT algorithm, which has no pre- or post-processing, for the first time. By using the “lazy-last-layer” trick, the available memory bandwidth of NTT is temporarily increased, and the average performance of NTT is improved. Besides, the point-wise-multiplication (PWM) is performed in a single memory bank by cooperating with the two modes of our memory mapping scheme. This avoids the waste of memory bandwidth, thus avoiding the usage of large FIFOs for the sampled data. Last, we propose an efficient modular multiplier for CRYSTALS-Kyber, and we merge the divide-by-2 operations in the finite field into modular adders and subtractors to reduce resource consumption. This design, which supports all three security levels, is implemented on Xilinx Artix-7 FPGA with 7.3k LUTs, 3.2k FFs, 2.2k Slices, 5 BRAMs, and 4 DSPs. It performs 12% better in area-time-product than other leading designs in the literature.

Anna Inn-Tung Chen,Ming-Shing Chen,Tien-Ren Chen,Chen-Mou Cheng,Jintai Ding,Eric Li-Hsiang Kuo,Frost Yu-Shuang Lee,Bo-Yin Yang

DOI: https://doi.org/10.1007/978-3-642-04138-9_3

2009-01-01

Abstract:Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proofing against Quantum Computers. It also has been known for efficiency compared to "traditional" alternatives. However, this advantage seems to erode with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to Elliptic Curve Cryptography (ECC). In this paper, we show that hardware advances do not just favor ECC. Modern commodity CPUs also have many small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction sets, that are useful for MPKCs. In particular, Intel's SSSE3 instructions can speed up both public and private maps over prior software implementations of Rainbow-type systems up to 4×. Furthermore, MPKCs over fields of relatively small odd prime characteristics can exploit SSE2 instructions, supported by most modern 64-bit Intel and AMD CPUs. For example, Rainbow over ${\mathbb F}_{31}$ can be up to 2× faster than prior implementations of similarly-sized systems over ${\mathbb F}_{16}$. Here a key advance is in using Wiedemann (as opposed to Gauss) solvers to invert the small linear systems in the central maps. We explain the techniques and design choices in implementing our chosen MPKC instances over fields such as ${\mathbb F}_{31}$, ${\mathbb F}_{16}$ and ${\mathbb F}_{256}$. We believe that our results can easily carry over to modern FPGAs, which often contain a large number of small multipliers, usable by odd-field MPKCs.

Bing Li,Bingjie Lei,Yunlong Zhang,Shaochong Lei

DOI: https://doi.org/10.1109/tcsii.2018.2867618

2018-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:In this brief, we present a novel and high-performance modular squaring scheme with low complexity and a small hardware area for elliptic curve cryptography over GF(p). First, we develop a method to reduce half of partial products in a squaring operation by using the proposed same items merging and logic combination. Second, we propose the modular squaring scheme that can compress the partial products based on the method above and accomplish accumulation and reduction simultaneously. Third, we devise the implementation circuits for the proposed modular squaring scheme and then simplify the circuits by using the property of the prime number. Finally, we implement the circuits on different platform and the 0.13-mu m CMOS ASIC implementation demonstrates that our design can perform a 256-bit modular squaring in 0.36-mu s with 17 200 gates, which achieves a desirable balance between hardware resource and performance.

Paulo Almeida,Miguel Beltrá,Diego Napp,Cláudia Sebastião

2023-12-11

Abstract:In this paper we present a variant of the McEliece cryptosystem that possesses several interesting properties, including a reduction of the public key for a given security level. In contrast to the classical McEliece cryptosystems, where block codes are used, we propose the use of a convolutional encoder to be part of the public key. The permutation matrix is substituted by a polynomial matrix whose coefficient matrices have columns with weight zero or at least weight two. This allows the use of Generalized Reed-Solomon (GRS) codes which translates into shorter keys for a given security level. Hence, the private key is constituted by a generator matrix of a GRS code and two polynomial matrices containing large parts generated completely at random. In this setting the message is a sequence of messages instead of a single block message and the errors are added throughout the sequence. We discuss possible structural and ISD attacks to this scheme. We conclude presenting the key sizes obtained for different parameters and estimating the computational cost of encryption and decryption process.

Information Theory

Archisman Ghosh,Jose Maria Bermudo Mera,Angshuman Karmakar,Debayan Das,Santosh Ghosh,Ingrid Verbauwhede,Shreyas Sen

2023-05-18

Abstract:The hard mathematical problems that assure the security of our current public-key cryptography (RSA, ECC) are broken if and when a quantum computer appears rendering them ineffective for use in the quantum era. Lattice based cryptography is a novel approach to public key cryptography, of which the mathematical investigation (so far) resists attacks from quantum computers. By choosing a module learning with errors (MLWE) algorithm as the next standard, National Institute of Standard & Technology (NIST) follows this approach. The multiplication of polynomials is the central bottleneck in the computation of lattice based cryptography. Because public key cryptography is mostly used to establish common secret keys, focus is on compact area, power and energy budget and to a lesser extent on throughput or latency. While most other work focuses on optimizing number theoretic transform (NTT) based multiplications, in this paper we highly optimize a Toom-Cook based multiplier. We demonstrate that a memory-efficient striding Toom-Cook with lazy interpolation, results in a highly compact, low power implementation, which on top enables a very regular memory access scheme. To demonstrate the efficiency, we integrate this multiplier into a Saber post-quantum accelerator, one of the four NIST finalists. Algorithmic innovation to reduce active memory, timely clock gating and shift-add multiplier has helped to achieve 38% less power than state-of-the art PQC core, 4x less memory, 36.8% reduction in multiplier energy and 118x reduction in active power with respect to state-of-the-art Saber accelerator (not silicon verified). This accelerator consumes 0.158mm2 active area which is lowest reported till date despite process disadvantages of the state-of-the-art designs.

Cryptography and Security

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tc.2023.3320040

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Facing the threat of large-scale quantum computers to traditional public-key cryptography, the National Institute of Standards and Technology has conducted Post-Quantum Cryptography algorithms evaluation for a long time, and CRYSTALS-Kyber has been selected to enter the standardization process. In the previous literature, hardware designs can significantly improve the performance of CRYSTALS-Kyber, and the most time-consuming operations are Number Theoretic Transform (NTT) and point-wise multiplication (PWM). However, the split-radix algorithm, which has a lower theoretical complexity in the FFT, has rarely been studied in the NTT. In this paper, we studied whether there are advantages of introducing split-radix algorithms into the NTT defined by CRYSTALS-Kyber and detailed derived the split-radix algorithms for the forward and inverse NTT without pre- or post-processing. By further optimizing the split-radix algorithm for the forward NTT, one of the three modular multipliers in the $\boldsymbol{L}$L-shaped butterfly unit is replaced by shifting-and-addition, which will reduce the hardware resource consumption. Besides, we proposed a recombined formula for PWM, which reduces the capacity of the intermediate data RAM for PWM by 25%. Together with the proposed hardware scheduling method, the above algorithms can improve performance and save hardware resources.

Wenbo Guo,Shuguo Li,Liang Kong

DOI: https://doi.org/10.1109/tcsii.2021.3103184

2022-01-01

Abstract:Quantum algorithms pose a huge threat to the current cryptosystems. In this article, we present a hardware implementation of CRYSTALS-KYBER which is one of the post-quantum cryptosystems based on the Module-LWE problem. Using the proposed modular reduction algorithm, modified modular adder and the reconfigurable data path, the design shares the computing resource for different polynomial related operations, and achieves higher degree of parallelism. Our design is implemented on a Xilinx Artix-7 FPGA. Compared with the leading hardware implementations, our design is more compact, the execution time is shorter, and it significantly consumes fewer registers.

Xingjun Wu,Hongyi Chen,Yihe Sun,Weixin Gai

DOI: https://doi.org/10.1023/a:1021110405895

2003-01-01

Abstract:In this paper, a fully-pipeline linear systolic array based on adjusted Montgomery's algorithm is presented to perform modular multiplication at extremely high speed. The processing element ( PE) consists of only 4 full-adders and 14 flip-flops. Three-stage internal pipelined PE results in a very short critical path with only a one-bit full-adder delay. Thus, it can run at a very high cycle rate. The total execution time for an n-bit modular multiplication is 2n + 11 cycles with only (n/2+ 2) PEs. A modular exponentiation based on it takes (3n + 16.5)n cycles in average. Compared with most published VLSI modular multipliers, the hardware complexity is greatly reduced while keeping very high throughput. Therefore it is a good candidate of the arithmetic units used in the many public-key crypto-systems, e.g. RSA, Elliptic Curve and so on, especially for the embedded applications concerning information security.

LI Ming,WU Dan,DAI Kui,ZOU Xue-cheng

2011-01-01

Abstract:In this paper,an effective strategy of point multiplication scheduling and an improved algorithm of dual-field high radix Montgomery modular multiplication are proposed.Based on them,a new high-performance scalable public-key cipher coprocessor architecture for RSA and ECC computing acceleration is designed,which is implemented using the 0.18μm 1P6M standard CMOS technology.The coprocessor has strong scalability and flexibility,which can support the modular exponentiation up to 2048 bit and the dual-field elliptic curve scalar multiplication up to 576 bit by enlarging the high-speed memory on chip and using the radix-length as processing base.The measured result shows that the coprocessor chip has high performance for accelerating the computation of RSA and ECC and can perform one 1024-bit modular exponentiation only in 197μs,one the prime field 192-bit scalar multiplication only in 225μs and the binary field 163-bit scalar multiplication only in 200.7μs.

Yang Zhang,Renzhang Liu,Dongdai Lin

DOI: https://doi.org/10.48550/arXiv.1709.06724

2017-09-20

Cryptography and Security

Abstract:At EUROCRYPT 2011, Gentry and Halevi implemented a variant of Gentry's fully homomorphic encryption scheme. The core part in their key generation is to generate an odd-determinant ideal lattice having a particular type of Hermite Normal Form. However, they did not give a rigorous proof for the correctness. We present a better key generation algorithm, improving their algorithm from two aspects. -We show how to deterministically generate ideal lattices with odd determinant, thus increasing the success probability close to 1. -We give a rigorous proof for the correctness. To be more specific, we present a simpler condition for checking whether the ideal lattice has the desired Hermite Normal Form. Furthermore, our condition can be checked more efficiently. As a result, our key generation is about 1.5 times faster. We also give experimental results supporting our claims. Our optimizations are based on the properties of ideal lattices, which might be of independent interests.

Hwajeong Seo,Jihyun Kim,Jongseok Choi,Taehwan Park,Zhe Liu,Howon Kim

DOI: https://doi.org/10.3390/s140305441

2014-03-19

Abstract:Multivariate quadratic (MQ) cryptography requires the use of long public and private keys to ensure a sufficient security level, but this is not favorable to embedded systems, which have limited system resources. Recently, various approaches to MQ cryptography using reduced public keys have been studied. As a result of this, at CHES2011 (Cryptographic Hardware and Embedded Systems, 2011), a small public key MQ scheme, was proposed, and its feasible implementation on an embedded microprocessor was reported at CHES2012. However, the implementation of a small private key MQ scheme was not reported. For efficient implementation, random number generators can contribute to reduce the key size, but the cost of using a random number generator is much more complex than computing MQ on modern microprocessors. Therefore, no feasible results have been reported on embedded microprocessors. In this paper, we propose a feasible implementation on embedded microprocessors for a small private key MQ scheme using a pseudo-random number generator and hash function based on a block-cipher exploiting a hardware Advanced Encryption Standard (AES) accelerator. To speed up the performance, we apply various implementation methods, including parallel computation, on-the-fly computation, optimized logarithm representation, vinegar monomials and assembly programming. The proposed method reduces the private key size by about 99.9% and boosts signature generation and verification by 5.78% and 12.19% than previous results in CHES2012.

Junbin Fang,Zoe L. Jiang,Kexin Ren,Yunhan Luo,Zhe Chen,Weiping Liu,Xuan Wang,Xiamu Niu,S. M. Yiu,Lucas C. K. Hui

DOI: https://doi.org/10.1007/s11128-014-0737-7

IF: 1.965

2014-01-01

Quantum Information Processing

Abstract:Key integrity checking is a necessary process in practical quantum key distribution (QKD) to check whether there is any error bit escaped from the previous error correction procedure. The traditional single-hash method may become a bottleneck in high-speed QKD since it has to discard all the key bits even if just one error bit exists. In this paper, we propose an improved scheme using combinatorial group testing (CGT) based on strong selective family design to verify key integrity in fine granularity and consequently improve the total efficiency of key generation after the error correction procedure. Code shortening technique and parallel computing are also applied to enhance the scheme’s flexibility and to accelerate the computation. Experimental results show that the scheme can identify the rare error bits precisely and thus avoid dropping the great majority of correct bits, while the overhead is reasonable. For a \(2^{20}\)-bit key, the disclosed information for public comparison is 800 bits (about 0.076 % of the key bits), reducing 256 bits when compared with the previous CGT scheme. Besides, with an Intel® quad-cores CPU at 3.40 GHz and 8 GB RAM, the computational times are 3.0 and 6.3 ms for hashing and decoding, respectively, which are reasonable in real applications and will not cause significant latency in practical QKD systems.

Wenqi Liang,Zhaoman Liu,Xuyang Zhao,Yafang Yang,Zhichuang Liang

DOI: https://doi.org/10.3390/math12111769

IF: 2.4

2024-06-07

Mathematics

Abstract:In order to resist the security risks caused by quantum computing, post-quantum cryptography (PQC) has been a research focus. Constructing a key encapsulation mechanism (KEM) based on lattices is one of the promising PQC routines. The algebraically structured learning with errors (LWE) problem over power-of-two cyclotomics has been one of the most widely used hardness assumptions for lattice-based cryptographic schemes. However, power-of-two cyclotomic rings may be exploited in the inflexibility of selecting parameters. Recently, trinomial cyclotomic rings of the form Zq[x]/(xn−xn/2+1), where n=2k3l, k≥1,l≥0, have received widespread attention due to their flexible parameter selection. In this paper, we propose Tyber, a variant scheme of the NIST-standardized KEM candidate Kyber over trinomial cyclotomic rings. We provide three parameter sets, aiming at the quantum security of 128, 192, and 256 bits (actually achieving 129, 197, and 276 bits) with matching and negligible error probabilities. When compared to Kyber, our Tyber exhibits stronger quantum security, by 22, 31, and 44 bits, than Kyber for three security levels.

mathematics