Aobo Li,Dongsheng Liu,Cong Zhang,Xiang Li,Shuo Yang,Xingjie Liu,Jiahao Lu,Xuecheng Zou,Ang Hu,Tianming Ni

DOI: https://doi.org/10.1109/tii.2022.3195743

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Progress of quantum computing technology seriously threaten the industrial information security based on traditional public-key cryptosystem. Thus, the cryptosystem with anti-quantum attack characteristics is gradually becoming a significant research in the security field. In this article, a flexible and high-performance secure coprocessor is designed for security in industrial processes, which can execute the post-quantum cryptographic algorithm Saber efficiently. Custom instruction set and arithmetic accelerators are proposed to effectively optimize the flexibility of system architecture, and improve the performance of calculation. The hardware implementation results show that the maximum operating frequency of the coprocessor can reach 345 MHz. Compared with related state-of-the-art works, it achieves the highest operating frequency on the same Xilinx UltraScale+ FPGA platform, performing the encryption and decryption operations within 13.5 and 15.4 μs, respectively. Meanwhile, this article achieves 1.7/3.1/5.9× area-time product improvements in look-up table flip-flop block memory storage with good flexibility.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Archisman Ghosh,Jose Maria Bermudo Mera,Angshuman Karmakar,Debayan Das,Santosh Ghosh,Ingrid Verbauwhede,Shreyas Sen

2023-05-18

Abstract:The hard mathematical problems that assure the security of our current public-key cryptography (RSA, ECC) are broken if and when a quantum computer appears rendering them ineffective for use in the quantum era. Lattice based cryptography is a novel approach to public key cryptography, of which the mathematical investigation (so far) resists attacks from quantum computers. By choosing a module learning with errors (MLWE) algorithm as the next standard, National Institute of Standard & Technology (NIST) follows this approach. The multiplication of polynomials is the central bottleneck in the computation of lattice based cryptography. Because public key cryptography is mostly used to establish common secret keys, focus is on compact area, power and energy budget and to a lesser extent on throughput or latency. While most other work focuses on optimizing number theoretic transform (NTT) based multiplications, in this paper we highly optimize a Toom-Cook based multiplier. We demonstrate that a memory-efficient striding Toom-Cook with lazy interpolation, results in a highly compact, low power implementation, which on top enables a very regular memory access scheme. To demonstrate the efficiency, we integrate this multiplier into a Saber post-quantum accelerator, one of the four NIST finalists. Algorithmic innovation to reduce active memory, timely clock gating and shift-add multiplier has helped to achieve 38% less power than state-of-the art PQC core, 4x less memory, 36.8% reduction in multiplier energy and 118x reduction in active power with respect to state-of-the-art Saber accelerator (not silicon verified). This accelerator consumes 0.158mm2 active area which is lowest reported till date despite process disadvantages of the state-of-the-art designs.

Cryptography and Security

Yifan Zhao,Ruiqi Xie,Guozhu Xin,Jun Han

DOI: https://doi.org/10.1109/tcsi.2022.3162593

2022-01-01

Abstract:The 5G edge computing infrastructure should be empowered with quantum attack resistance by implementing post-quantum cryptography (PQC). Among various PQC schemes, lattice-based cryptography (LBC) based on learning with error (LWE) has attracted much attention because of its performance efficiency and security guarantee. In LWE-based LBCs, the Module-LWE-based schemes gain advantage over the others benefiting from the unique polynomial matrix and vector structure. To provide a high-performance implementation of Module-LWE applications for the edge computing paradigm, we propose a domain-specific processor based on a matrix extension of RISC-V architecture. This custom extension encapsulates the matrix-based ring operations with a high-level functional abstraction. A 2-D systolic array with configurable functionality is proposed to perform matrix-based number theoretic transform (NTT) and other arithmetic operations, achieving high data-level parallelism with support for the variable-sized polynomial matrix and vector structure. As this structure of Module-LWE involves no data dependency between different inner elements, an out-of-order mechanism is further developed to exploit the instruction-level parallelism. We implement the proposed architecture under TSMC 28nm technology. The evaluation results show that our implementation can achieve up to and improvement in cycle count respectively in Kyber and Dilithium, compared to the state-of-the-art crypto-processor counterparts.

Latif Akçay,Berna Örs Yalçın

DOI: https://doi.org/10.1007/s13369-024-08976-w

IF: 2.807

2024-04-20

Arabian Journal for Science and Engineering

Abstract:Abstract Lattice-based cryptography (LBC) algorithms are considered suitable candidates for post-quantum cryptography (PQC), as they dominate the standardization process put forward by the National Institute of Standards and Technology (NIST). Indeed, three of the four key encapsulation mechanism (KEM) algorithms in the third round of the process are based on computationally hard lattice problems. On the other hand, there is an urgent need for processor designs that can run PQC algorithms efficiently, especially for embedded systems. This study presents an application-specific instruction set processor (ASIP) design for the Kyber, Saber, and NewHope algorithms based on transport triggered architecture (TTA). Custom hardware accelerators are added to the baseline processor architecture for computation-intensive steps without applying any software optimization to the reference code. We compared FPGA and ASIC implementations of our design with the prominent RISC-V cores and instruction set extension studies in the literature. According to the results, the proposed design offers greater efficiency, better performance, and lower resource utilization than its competitors in most cases.

multidisciplinary sciences

Yan Liu,Liji Wu,Zhenhui Zhang,Xiangmin Zhang,Jing Zhou,Yifan Yang,Le Wu

DOI: https://doi.org/10.1109/asid60355.2023.10426507

2023-01-01

Abstract:The security of existing cryptosystems mostly relies on the difficulty of solving integer factorization problems and discrete logarithm problems. However, in recent years, with the rapid development of quantum computers, the time required to solve these difficult problems has been significantly reduced, which will pose significant risks to the transmission of information. Post-quantum algorithms are a type of cryptographic algorithm specifically designed to resist quantum computer attacks. The National Institute of Standards and Technology of the United States(NIST) has completed four rounds of selection work from 2016 to 2022. The Classic McEliece algorithm is the only Post-Quantum Cryptography (PQC) algorithm that has been selected for the fourth round of selection after more than 50 years. However, currently, the research and implementation of this algorithm are mostly focused on the software algorithm level, while the hardware implementation can be said to be very few. At the same time, hardware-implemented cryptographic algorithms have certain advantages in terms of security, algorithm execution speed, and other aspects compared to software. In this paper, the arithmetic part and the encryption part of the Classic McEliece algorithm are designed, and a UVM verification platform is built to verify its functionality. Finally, the hardware circuit is verified on the SAKURA-G FPGA development board, relevant resource consumption was collected and compared with the work of the predecessors.

Yihong Zhu,Wenping Zhu,Chongyang Li,Min Zhu,Chenchen Deng,Chen Chen,Shuying Yin,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/jssc.2022.3216758

2022-12-31

Abstract:Post-quantum cryptography (PQC) is investigated to replace the classical public cryptography algorithms, which would be completely broken by large-scale quantum computers. However, current PQC schemes have completely different mathematical foundations and parameter sets, which makes the implementation of unified PQC processor extremely challenging. To address this issue, an agile PQC processor, RePQC, is proposed in this work to support schemes on multiple mathematical problems. First, the hierarchical calculation framework, ranging from algorithm level, task level, and coefficient level, is proposed to achieve desirable flexibility and energy efficiency. Second, a hybrid processing element array is built to support arithmetic and logical operations simultaneously, while algorithm-hardware co-design is utilized in task-level schedulers to further improve the algorithm-oriented energy efficiency. Finally, parallelism exploration and algorithm-level computation transformation is further utilized to optimize the configuration on RePQC for higher throughput. Fabricated in a 28-nm process, RePQC achieves the energy efficiency of 3.4 uJ/Op and the throughput of 48 kOPS, which is and higher than the state-of-the-art work, respectively. To the best of our knowledge, RePQC is the first silicon-proven PQC processor for different mathematical problems.

engineering, electrical & electronic

Yihong Zhu,Min Zhu,Bohan Yang,Wenping Zhu,Chenchen Deng,Chen,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/tcsi.2020.3048395

2021-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:Saber, the only module-learning with rounding-based algorithm in NIST's third round of post-quantum cryptography (PQC) standardization process, is characterized by simplicity and flexibility. However, energy-efficient implementation of Saber is still under investigation since the commonly used number theoretic transform can not be utilized directly. In this manuscript, an energy-efficient configurable crypto-processor supporting multi-security-level key encapsulation mechanism of Saber, is proposed. First, an 8-level hierarchical Karatsuba framework is utilized to reduce degree-256 polynomial multiplication to the coefficient-wise multiplication. Second, a hardware-efficient Karatsuba scheduling strategy and an optimized pre-/post-processing structure is designed to reduce the area overheads of scheduling strategy. Third, a task-rescheduling-based pipeline strategy and truncated multipliers are proposed to enable fine-grained processing. Moreover, multiple parameter sets are supported in LWRpro to enable configurability among various security scenarios. Enabled by these optimizations, LWRpro requires 1066, 1456 and 1701 clock cycles for key generation, encapsulation, and decapsulation of Saber768. The post-layout version of LWRpro is implemented with TSMC 40 nm CMOS process within 0.38 mm 2 . The throughput for Saber768 is up to 275k encapsulation operations per second and the energy efficiency is 0.15 uJ/encapsulation while operating at 400 MHz, achieving nearly 50× improvement and 31× improvement, respectively compared with current PQC hardware solutions.

Shaik Ahmadunnisa,Sudha Ellison Mathe

DOI: https://doi.org/10.1109/access.2024.3426990

IF: 3.9

2024-07-19

IEEE Access

Abstract:The advancement in quantum computing has led to a significant progress in the development of public-key cryptosystems, referred as Post Quantum Cryptography (PQC) which has robust security to withstand both classical and quantum attacks. Lattice-based cryptography, one of the most promising PQC candidate offers low complexity and has strong security proof relying on the hardness of Learning-with-errors (LWE) problem. A variant of LWE, Ring-learning-with-error (RLWE) performs arithmetic operations over a polynomial ring and has more efficient implementations compared to LWE. Recent works propose Binary-ring-learning-with-error (BRLWE), a new variant of RLWE which has less key size and more efficient implementations compared to both LWE and RLWE-based schemes. In this paper, an algorithm is developed for BRLWE-based scheme based on decomposing the arithmetic operation into desired number of segments. The arithmetic operation includes polynomial multiplication and addition over the ring where H and M are two integer polynomials and L is a binary polynomial. We illustrate two efficient hardware architectures Dual-LFSR (DL) and Quad-LFSR (QL) to enable parallel execution of individual segments employing LFSR structures to have a significant reduction in latency compared to the existing works. Despite of having larger area, the reduction in latency leads to an improvement in other performance metrics such as delay, Area-Delay Product (ADP), Power-Delay Product (PDP), throughput and efficiency making the proposed structures well suitable for PQC schemes. Experimental results show that the proposed architectures when compared with the recently reported work has 23% and 25% ADP improvement with DL and QL structures respectively when n = 256.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yihong Zhu,Wenping Zhu,Min Zhu,Chongyang Li,Chenchen Deng,Chen Chen,Shuying Yin,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/ISSCC42614.2022.9731783

2022-01-01

Abstract:In the post-quantum era, post-quantum cryptography (PQC) processors are required to ensure quantum-secure communication and e-commerce with high throughput, while maintaining adequate flexibility to execute different crypto-primitives, such as key encapsulation mechanism (KEM) and digital signature (DS) at multiple security levels with evolving modifications. The PQC standards, which are based on multiple mathematical problems, will be available around the end of 2021 in NIST's PQC standardization (Fig. 34.1.1). Crypto-agility, coupled with new mathematical calculations, high computing complexity, and large memory consumption brings challenges to the design of PQC processors considering flexibility, throughput, and energy efficiency.

Hui-Qin Li,Tao Chen,Wei Li,Long-Mei Nan

DOI: https://doi.org/10.1109/icsict55466.2022.9963339

2022-01-01

Abstract:In this work, after analyzing the reconfigurable requirement and feasibility, a reconfigurable KECCAK hardware design for lattice-based post-quantum cryptography on the RISCV architecture is implemented. The padding module can be filled with any number of bits in different ways by configuring the length and address. The output module can satisfy any bit output of SHAKE function. In addition, by comparing RISCV original instruction, partial extension and full extension, it is verified that the fully extended architecture can improve the energy efficiency by at least 30 times.

Yihong Zhu,Wenping Zhu,Yi Ouyang,Junwen Sun,Min Zhu,Qi Zhao,Jinjiang Yang,Chen Chen,Qichao Tao,Guang Yang,Aoyang Zhang,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/ISSCC49657.2024.10454332

2024-01-01

Abstract:The migration towards post-quantum cryptography (PQC) is in progress to secure communications and transactions against the impending quantum threat, while three key-encapsulation mechanisms (KEM) and one digital signature (DS) scheme are being standardized by NIST [1]. This multi-year migration poses serious challenges to PQC implementations for compatibility and performance requirements in various scenarios and settings: 1) Performance limitations caused by diverse computation patterns and relatively higher computation costs. 2) Crypto-agility resulting from different mathematical problems, various security parameters, or even different standardization bodies. 3.) Domain-specific optimization to address the long-term security of the evolving algorithm families. However, most existing PQC accelerators [2, 3, 5] were only customized for specific algorithms based on unique mathematical problems. The latest configurable PQC processor [4] did not support Falcon and Sphincs+, which are being drafted for standardization. To address this issue, a versatile PQC processor fabricated in 28nm is presented with three key features: 1) task-clustering-based architecture for scalable processing with aggressive parallelism; 2) region-based task-path (TP) with dynamic update for agile cryptographic computing; 3) efficient PQC task-operators (TO), including hash/sample, format, floating-point/complex, encoding/decoding operators, for further improvements on throughput and energy-efficiency. Based on these contributions, the proposed chip supports all predominant schemes in NIST’s PQC standardization, while still delivering 44.6% and 10.3% improvements in the throughput and energy-delay product (EDP), respectively, relative to a state-of-the-art design [4].

Guozhu Xin,Jun Han,Tianyu Yin,Yuchao Zhou,Jianwei Yang,Xu Cheng,Xiaoyang Zeng

DOI: https://doi.org/10.1109/tcsi.2020.2983185

2020-08-01

Abstract:In the 5G era, massive devices need to be securely connected to the edge of communication networks, while emerging quantum computers can easily crack the traditional public-key ciphers. Lattice-based cryptography (LBC) is one of the most promising types of schemes in all post-quantum cryptography (PQC) due to its security and efficiency. To meet the requirements of high-throughput and diverse application scenarios of 5G, we investigate the vectorization of kernel algorithms of several LBC candidates and thus present a domain-specific vector processor, VPQC, leveraging the extensible RISC-V architecture. To support the parallel computation of number theoretic transform (NTT) of different dimensions (from 64 to 2048), a vector NTT unit is implemented in VPQC. Besides, a vector sampler executing both uniform sampling and binomial sampling is also employed. Evaluated under TSMC 28nm technology, the vector coprocessor of VPQC consumes 942k equivalent logic gates and 12KB memories. Experimental results show that VPQC can speed up several typical key encapsulation mechanisms (NewHope, Kyber and LAC) by an order of magnitude compared with previous state-of-the-art hardware implementations.

Yihong Zhu,Wenping Zhu,Yi Ouyang,Junwen Sun,Qi Zhao,Min Zhu,Jinjiang Yang,Chen,Qichao Tao,Hanning Wang,Guang Yang,Shaojun Wei,Aoyang Zhang,Leibo Liu

DOI: https://doi.org/10.1109/jssc.2024.3476949

IF: 5.4

2024-01-01

IEEE Journal of Solid-State Circuits

Abstract:Post-quantum cryptography (PQC) is currently being standardized to replace the existing public-key cryptography for data security in the era of quantum computing. PQC algorithms exhibit considerable diversity in their underlying mathematical problems, storage requirements, and computational patterns, thus complicating unified PQC architecture design. To address this issue, a unified PQC domain-specific accelerator (DSA), post-quantum processing unit (PQPU), is proposed to address the trade-off between performance and flexibility at the algorithm, architecture, and circuit levels. First, a task-clustering-based framework is proposed to enable task-level parallel execution by utilizing the inherent parallelism and common functions across different PQC algorithms. Second, a region-based dynamically updated task path (TP) is constructed to facilitate automatic task-dependency management, with agile control flow and minimized overheads. Finally, algorithm-hardware co-optimizations are proposed in each task cluster to improve throughput and energy efficiency. Fabricated in a 28-nm process, PQPU has energy efficiency and throughput of 4.4 mu J/Op and 69.4 kOPS. The energy-delay product (EDP) and throughput achieved are 19.3% and 44.6% compared to the state-of-the-art design, respectively. To the best of our knowledge, PQPU is the first silicon-proven PQC accelerator that supports all valid schemes in NIST PQC standardization.

Wentao Xi,Xingjun Wu,Kai Zhang

DOI: https://doi.org/10.1145/3638782.3638800

2024-01-01

Abstract:The development of quantum computers has introduced a significant threat to the security of traditional cryptographic algorithms. To address this challenge, post-quantum cryptographic algorithms (PQC) have been developed, offering robust resistance against attacks from quantum computers. The hash operation plays a critical role in many PQC algorithms based on lattice ciphers and represents a substantial resource-consuming component in algorithm implementations. In this paper, we propose a novel circuit structure for hash implementation in FPGA platform. Our design integrates the hash operations of Kyber and Dilithium by reusing a shared Keccak unit and achieves different hash operation modes through parameter configuration in the control unit. Furthermore, we introduce a novel pipeline structure that multiplexes two sets of pipeline registers with an unfolding factor of 1. This innovative approach significantly reduces hardware resource consumption while satisfying the performance requirements of the algorithm. The proposed architecture, implemented on the Kintex-7 FPGA, utilizes 7376 LUTs, 3059 FFs, and 4 DSPs. Compared to the existing state-of-the-art designs, our design reduces about 40.2% of LUT resources, and 14.1% of Flip Flops resources. Additionally, it achieves 391MHZ clock frequency and finishes Keccak operations in 0.123μs. As a result, our design offers a low-cost, configurable hash computing circuit architecture with relatively excellent performance.

Utsav Banerjee,Tenzin S. Ukyab,Anantha P. Chandrakasan

DOI: https://doi.org/10.13154/tches.v2019.i4.17-61

2019-10-26

Abstract:Public key cryptography protocols, such as RSA and elliptic curve cryptography, will be rendered insecure by Shor's algorithm when large-scale quantum computers are built. Cryptographers are working on quantum-resistant algorithms, and lattice-based cryptography has emerged as a prime candidate. However, high computational complexity of these algorithms makes it challenging to implement lattice-based protocols on low-power embedded devices. To address this challenge, we present Sapphire - a lattice cryptography processor with configurable parameters. Efficient sampling, with a SHA-3-based PRNG, provides two orders of magnitude energy savings; a single-port RAM-based number theoretic transform memory architecture is proposed, which provides 124k-gate area savings; while a low-power modular arithmetic unit accelerates polynomial computations. Our test chip was fabricated in TSMC 40nm low-power CMOS process, with the Sapphire cryptographic core occupying 0.28 mm2 area consisting of 106k logic gates and 40.25 KB SRAM. Sapphire can be programmed with custom instructions for polynomial arithmetic and sampling, and it is coupled with a low-power RISC-V micro-processor to demonstrate NIST Round 2 lattice-based CCA-secure key encapsulation and signature protocols Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations. All key building blocks of Sapphire are constant-time and secure against timing and simple power analysis side-channel attacks. We also discuss how masking-based DPA countermeasures can be implemented on the Sapphire core without any changes to the hardware.

Cryptography and Security,Hardware Architecture

Jihye Lee,Whijin Kim,Ji-Hoon Kim

DOI: https://doi.org/10.3390/s23239408

IF: 3.9

2023-11-25

Sensors

Abstract:The advancement of quantum computing threatens the security of conventional public-key cryptosystems. Post-quantum cryptography (PQC) was introduced to ensure data confidentiality in communication channels, and various algorithms are being developed. The National Institute of Standards and Technology (NIST) has initiated PQC standardization, and the selected algorithms for standardization and round 4 candidates were announced in 2022. Due to the large memory footprint and highly repetitive operations, there have been numerous attempts to accelerate PQC on both hardware and software. This paper introduces the RISC-V instruction set extension for NIST PQC standard algorithms and round 4 candidates. The proposed programmable crypto-processor can support a wide range of PQC algorithms with the extended RISC-V instruction set and demonstrates significant reductions in code size, the number of executed instructions, and execution cycle counts of target operations in PQC algorithms of up to 79%, 92%, and 87%, respectively, compared to RV64IM with optimization level 3 (-O3) in the GNU toolchain.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

JianLong Su,Yi Wu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1109/icasid.2018.8693196

2018-01-01

Abstract:In this paper, a novel coprocessor architecture that provides a reconfigurable computing platform for modular exponentiation used in Public-Key cryptography is presented. Combined with other reconfigurable operators such as modular addition (subtraction) module, shift module, logic operation module, the coprocessor can support all Public-Key algorithms much better on prime Filed. The core of the architecture is a two-dimensional array which is made up of reconfigurable function units (RFU or PE). Each RFU can process eight-bits width for completing operations on GF(P) during one calculation period. The performance of the coprocessor is competitive in comparison to fixed functionality hardware implementations and is significantly faster than general purpose public-key cryptographic processor previously reported in the literature. Due to the advantage that it has a better trade-off between performance and area, the reconfigurable coprocessor can compete operation efficiently with a little of area overhead.

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tcsi.2023.3306347

2023-01-01

Abstract:The attack on quantum computers is an enormous threat to conventional public-key cryptography. Hence, it is crucial to study quantum-resistant cryptosystems. After four rounds of evaluation, the National Institute of Standards and Technology (NIST) has decided to standardize CRYSTALS-Kyber as one of the public-key post-quantum cryptography (PQC) algorithms. In the hardware design of CRYSTALS-Kyber, the polynomial-related calculations are the most time-consuming. In this paper, we present a highly-efficient hardware architecture for CRYSTALS-Kyber. Firstly, we propose the CRYSTALS-Kyber-oriented conflict-free memory mapping scheme with two modes. Based on this scheme, we construct the mixed radix-2/4 NTT/INTT algorithm, which has no pre- or post-processing, for the first time. By using the “lazy-last-layer” trick, the available memory bandwidth of NTT is temporarily increased, and the average performance of NTT is improved. Besides, the point-wise-multiplication (PWM) is performed in a single memory bank by cooperating with the two modes of our memory mapping scheme. This avoids the waste of memory bandwidth, thus avoiding the usage of large FIFOs for the sampled data. Last, we propose an efficient modular multiplier for CRYSTALS-Kyber, and we merge the divide-by-2 operations in the finite field into modular adders and subtractors to reduce resource consumption. This design, which supports all three security levels, is implemented on Xilinx Artix-7 FPGA with 7.3k LUTs, 3.2k FFs, 2.2k Slices, 5 BRAMs, and 4 DSPs. It performs 12% better in area-time-product than other leading designs in the literature.

Dejian Li,Junjie Zhong,Song Cheng,Yuantuo Zhang,Shunxian Gao,Yijun Cui

DOI: https://doi.org/10.3390/electronics13040675

IF: 2.9

2024-02-07

Electronics

Abstract:Information is pivotal in contemporary society, highlighting the necessity for a secure cryptographic system. The emergence of quantum algorithms and the swift advancement of specialized quantum computers will render traditional cryptography susceptible to quantum attacks in the foreseeable future. The lattice-based Saber key encapsulation protocol holds significant value in cryptographic research and practical applications. In this paper, we propose three types of polynomial multipliers for various application scenarios including lightweight Schoolbook multiplier, high-throughput multiplier based on the TMVP-Schoolbook algorithm and improved pipelined NTT multiplier. Other principal modules of Saber are designed encompassing the hash function module, sampling module and functional submodule. Based on our proposed multiplier, we implement the overall hardware circuits of the Saber key encapsulation protocol. Experimental results demonstrate that our overall hardware circuits have different advantages. Our lightweight implementation has minimal resource consumption. Our high-throughput implementation only needs 23.28 μs to complete the whole process, which is the fastest among the existing works. The throughput rate is 10,988 Kbps and the frequency is 416 MHz. Our hardware implementation based on the improved pipelined NTT multiplier achieved a good balance between area and performance. The overall frequency can reach 357 MHz.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yifan Zhao,Honglin Kuang,Yi Sun,Zhen Yang,Chen,Jianyi Meng,Jun Han

DOI: https://doi.org/10.1109/asap57973.2023.00014

2023-01-01

Abstract:We present a cryptography extension built on RISC-V Vector Extension for efficient application of lattice-based post-quantum cryptography, offering custom instructions that can perform vectorized operations on polynomials of variable length and data width. We use micro-operation architecture to simplify the execution of variable-latency vector instructions and propose fracturable modular arithmetic units to support operations on variable coefficient width. On this basis, a vector unit is designed, achieving significant speed-up compared to the state-of-the-art counterparts for number-theoretic-transform-based polynomial multiplication. This cryptography extension is further integrated into the gem5 simulator to evaluate CRYSTALS-Kyber and CRYSTALS-Dilithium; results outperform the state-of-the-art implementations with more than 2.3 × improvement in cycle count.