Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Yi’er Jin,Haibin Shen,Huafeng Chen,Xiaolang Yan

DOI: https://doi.org/10.1007/s11767-006-0257-4

2008-01-01

Abstract:A new structure of bit-parallel Polynomial Basis (PB) multiplier is proposed, which is based on a fast modular reduction method. The method was recommended by the National Institute of Standards and Technology (NIST). It takes advantage of the characteristics of irreducible polynomial, i.e., the degree of the second item of irreducible polynomial is far less than the degree of the polynomial in the finite fields GF(2 m ). Deductions are made for a class of finite field in which trinomials are chosen as irreducible polynomials. Let the trinomial be x m + x h +1, where 1 ≤ k ≤ [m/1]. The proposed structure has shorter critical path than the best known one up to date, while the space requirement keeps the same. The structure is practical, especially in real time cryptographic applications.

Mengyuan Li,Haoran Geng,Michael Niemier,Xiaobo Sharon Hu

2023-07-27

Abstract:Lattice-based cryptographic algorithms built on ring learning with error theory are gaining importance due to their potential for providing post-quantum security. However, these algorithms involve complex polynomial operations, such as polynomial modular multiplication (PMM), which is the most time-consuming part of these algorithms. Accelerating PMM is crucial to make lattice-based cryptographic algorithms widely adopted by more applications. This work introduces a novel high-throughput and compact PMM accelerator, X-Poly, based on the crossbar (XB)-type compute-in-memory (CIM). We identify the most appropriate PMM algorithm for XB-CIM. We then propose a novel bit-mapping technique to reduce the area and energy of the XB-CIM fabric, and conduct processing engine (PE)-level optimization to increase memory utilization and support different problem sizes with a fixed number of XB arrays. X-Poly design achieves 3.1X10^6 PMM operations/s throughput and offers 200X latency improvement compared to the CPU-based implementation. It also achieves 3.9X throughput per area improvement compared with the state-of-the-art CIM accelerators.

Cryptography and Security,Hardware Architecture

Archisman Ghosh,Jose Maria Bermudo Mera,Angshuman Karmakar,Debayan Das,Santosh Ghosh,Ingrid Verbauwhede,Shreyas Sen

2023-05-18

Abstract:The hard mathematical problems that assure the security of our current public-key cryptography (RSA, ECC) are broken if and when a quantum computer appears rendering them ineffective for use in the quantum era. Lattice based cryptography is a novel approach to public key cryptography, of which the mathematical investigation (so far) resists attacks from quantum computers. By choosing a module learning with errors (MLWE) algorithm as the next standard, National Institute of Standard & Technology (NIST) follows this approach. The multiplication of polynomials is the central bottleneck in the computation of lattice based cryptography. Because public key cryptography is mostly used to establish common secret keys, focus is on compact area, power and energy budget and to a lesser extent on throughput or latency. While most other work focuses on optimizing number theoretic transform (NTT) based multiplications, in this paper we highly optimize a Toom-Cook based multiplier. We demonstrate that a memory-efficient striding Toom-Cook with lazy interpolation, results in a highly compact, low power implementation, which on top enables a very regular memory access scheme. To demonstrate the efficiency, we integrate this multiplier into a Saber post-quantum accelerator, one of the four NIST finalists. Algorithmic innovation to reduce active memory, timely clock gating and shift-add multiplier has helped to achieve 38% less power than state-of-the art PQC core, 4x less memory, 36.8% reduction in multiplier energy and 118x reduction in active power with respect to state-of-the-art Saber accelerator (not silicon verified). This accelerator consumes 0.158mm2 active area which is lowest reported till date despite process disadvantages of the state-of-the-art designs.

Cryptography and Security

Chaohui Du,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1145/2902961.2902969

2016-01-01

Abstract:Many lattice-based cryptosystems are based on the security of the Ring learning with errors (Ring-LWE) problem. The most critical and computationally intensive operation of these Ring-LWE based cryptosystems is polynomial multiplication. In this paper, we exploit the number theoretic transform to build a high-speed polynomial multiplier for the Ring-LWE based public key cryptosystems. We present a versatile pipelined polynomial multiplication architecture to calculate the product of two $n$-degree polynomials in about (( n lg n )/4 + n /2) clock cycles. In addition, we introduce several optimization techniques to reduce the required ROM storage. The experimental results on a Spartan-6 FPGA show that the proposed hardware architecture can achieve a speedup of on average 2.25 than the state of the art of high-speed design. Meanwhile, our design is able to save up to 47.06% memory blocks.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2015.399

2015-01-01

Abstract:Lattice based cryptography is considered as an important candidate for post-quantum cryptosystems. Various lattice based cryptosystems are based on the Ring learning with errors (Ring-LWE) problem. As a basic operation of Ring-LWE problem, polynomial multiplication over rings is the most critical and computationally intensive operation of these cryptosystems. In this paper, we exploit the number theoretic transform (NTT) to build a family of scalable polynomial multiplier architectures, which provide designers with a trade-off choice of speed vs. area. Our multiplier architectures reduce the required clock cycles from 8n+1.5n lg n) to (2n+1.5n lg n)/B, where n is the dimension of the polynomials and B is number of butterfly operators. The experimental results on a Spartan-6 FPGA show that our proposed polynomial multiplier (B = 2) achieves a speedup of 2.5 times on average and consumes less slices and block RAMs when compared with the state of art of compact design. On a Stratix FPGA, our polynomial multiplier (B = 4) is able to achieve a speedup of 1.2 times on average and save around 90% Memory ALUTs, 75% block memory bits, and 63% DSPs when compared with the state of art of high speed design. On a Spartan-6 FPGA, our polynomial multiplier (B = 8) is capable to calculate the product of two polynomials of degree 256/512/1024/2048 in 2.88/5.71/11.46/24.89 µs.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/ISCAS.2016.7527452

2016-01-01

Abstract:The most critical and computationally intensive operation of Ring-LWE based public key cryptosystems is polynomial multiplication. In this paper, we introduce several optimization techniques to speed up polynomial multiplication with the number theoretic transform (NTT). We propose to precompute NTT of the constant polynomial to reduce the number of NTT computations. In order to reduce the cost of bit-reverse operation, a optimization technique is introduced to perform it on-the-fly. We also present a technique to improve the utilization rate of the butterfly operator. Moreover, the cancellation lemma is exploited to reduce the required ROM storage. Based on these optimizations, we present a versatile pipelined polynomial multiplication architecture, which takes around (n lg n + 1.5n) clock cycles to calculate the product of two n-degree polynomials. Experimental results on a Spartan-6 FPGA show that our polynomial multiplier achieves a speedup of 2.04 on average and consumes less hardware resources when compared with the state of art of efficient implementation.

Honglin Kuang,Yifan Zhao,Jun Han

DOI: https://doi.org/10.1109/APCCAS55924.2022.10090293

2022-01-01

Abstract:Saber is a module-learning with rounding-based post-quantum cryptography (PQC) scheme for key encapsulation mechanism (KEM). It is characterized by the use of power-of-two moduli, which makes all modulus reductions free in hardware. However, such a decision prevents the direct implementation of the asymptotically fastest number theoretic transform (NTT) for the time-consuming polynomial multiplication in Saber. To efficiently multiply polynomials, researches have been done using a schoolbook or Toom-Cook or Karatsuba algorithm. Though these approaches result in decent operating speed at moderate area cost, they are disadvantageous when considering expanding the system to support multiple PQC protocols. To enable NTT for Saber, we choose an appropriate prime and use the sign-magnitude format for computation. A concise and efficient vectorized NTT algorithm has been proposed, based on which we design a configurable vector NTT unit to perform NTT and other arithmetic operations. The accelerator is dedicatedly pipelined to achieve high speed and is driven by custom vector instruction extension of RISC-V. We implement the proposed architecture with vector lanes of 32 and 16 on Xilinx UltraScale+ ZCU111. Results show that our design can achieve up to 5x and 3x improvement in computation time and area-time-product (ATP) respectively for degree-256 polynomials multiplication, compared to the state-of-the-art Saber polynomial multiplier counterparts.

Dejian Li,Junjie Zhong,Song Cheng,Yuantuo Zhang,Shunxian Gao,Yijun Cui

DOI: https://doi.org/10.3390/electronics13040675

IF: 2.9

2024-02-07

Electronics

Abstract:Information is pivotal in contemporary society, highlighting the necessity for a secure cryptographic system. The emergence of quantum algorithms and the swift advancement of specialized quantum computers will render traditional cryptography susceptible to quantum attacks in the foreseeable future. The lattice-based Saber key encapsulation protocol holds significant value in cryptographic research and practical applications. In this paper, we propose three types of polynomial multipliers for various application scenarios including lightweight Schoolbook multiplier, high-throughput multiplier based on the TMVP-Schoolbook algorithm and improved pipelined NTT multiplier. Other principal modules of Saber are designed encompassing the hash function module, sampling module and functional submodule. Based on our proposed multiplier, we implement the overall hardware circuits of the Saber key encapsulation protocol. Experimental results demonstrate that our overall hardware circuits have different advantages. Our lightweight implementation has minimal resource consumption. Our high-throughput implementation only needs 23.28 μs to complete the whole process, which is the fastest among the existing works. The throughput rate is 10,988 Kbps and the frequency is 416 MHz. Our hardware implementation based on the improved pipelined NTT multiplier achieved a good balance between area and performance. The overall frequency can reach 357 MHz.

engineering, electrical & electronic,computer science, information systems,physics, applied

Trong-Hung Nguyen,Binh Kieu-Do-Nguyen,Cong-Kha Pham,Trong-Thuc Hoang

DOI: https://doi.org/10.1109/access.2024.3371581

IF: 3.9

2024-03-12

IEEE Access

Abstract:The efficiency of polynomial multiplication execution majorly impacts the performance of lattice-based post-quantum cryptosystems. In this research, we propose a high-speed hardware architecture to accelerate polynomial multiplication based on the Number Theoretic Transform (NTT) in CRYSTAL-Kyber and CRYSTAL-Dilithium. We design a Digital Signal Processing (DSP) architecture for modular multiplication in butterfly and Point-Wise Multiplication (PWM) operations. Our method reduces the critical path delay of an -bit multiplier to that of a ( -2)-bit adder, optimizing both area and speed. These dedicated DSPs are employed in butterfly and PWM operations, completely eliminating the pre-process and post-process of NTT transforms. Furthermore, we introduce a novel unified pipelined architecture for the NTT and Inverse NTT (INTT) transformations of Kyber and Dilithium, with corresponding high-speed (Radix-2) and ultra-high-speed (Radix-4) versions. Lastly, we construct a complete hardware accelerator for polynomial matrix-vector multiplication in Kyber. The Field-Programmable Gate Array (FPGA) implementation results have proven that our designs have significantly improved execution time by – for the NTT transforms in Dilithium and – for Kyber polynomial multiplication, compared to previous studies reported to date. Additionally, the hardware footprint results indicate that our proposed architectures exhibit superior hardware performance in Area-Time-Product (ATP), corresponding to a 44%–96% improvement. The proposed architectures are efficient and well-suited for high-performance lattice-based cryptography systems.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhuo Chen,Duoli Zhang,Zhenmin Li,Gaoming Du,Xiaolei Wang

DOI: https://doi.org/10.1145/3649476.3658794

2024-06-12

Abstract:In the post-quantum signature CRYSTALS-Dilithium algorithm, polynomial multiplication accounts for 32% of the total computation Latency. It is necessary to design a high-performance polynomial multiplication module. In this paper, we have proposed a low-Latency polynomial multiplier. First, we insert registers in the Radix-2 Multi-path Delay Commutator (R2MDC) structure to increase clock frequency. Additionally, to further enhance the computational clock frequency, we have designed a five-stage pipelined Butterfly unit. Secondly, we have proposed a fully pipelined polynomial multiplier that supports polynomial point-wise multiplication during NTT/INTT transformations to save a significant number of cycles. We also designed a configurable Polynomial Pointwise Multiplication (PPM) module that supports calculations with three different security levels. Our polynomial multiplier structure is implemented on the K7 model of FPGA. Compared to the currently fastest design in terms of computational speed, we have saved between 13% and 39% of the computation latency.

Engineering,Computer Science

Yalong Pang,Ying Zhang,Jun Han,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2017.8252537

2017-01-01

Abstract:The quadratic extension field F p 2 is the underlying field in pairing, and speeding up the F p 2 arithmetic will benefit the overall pairing computation largely. This paper we proposed a modified Barrett modular multiplication algorithm and devise an architecture to perform the operation in the form of “AB+ηCD mod M”. In our design, the η is a 5-bit two's complement. The proposed Barrett modular multiplier can implement the fundamental operations of F p 2 multiplication efficiently. The advantages of our design are that the proposed hardware circuit can adapt different parameters of pairing flexibly, and each final result is reduced under modulus M as well, which will shorten the width of the operands and decrease the overhead of the memory access bandwidth. The proposed architecture is synthesized under SMIC 65nm CMOS technology. And the results show that the max work frequency is 709MHz (1.2V) and the design requires 226kGates. It can compute F p 2 multiplication (254 bits) in 0.07us.

Weihang Tan,Antian Wang,Yingjie Lao,Xinmiao Zhang,Keshab K. Parhi

DOI: https://doi.org/10.1109/TC.2023.3251847

2023-02-24

Abstract:This paper presents a low-latency hardware accelerator for modular polynomial multiplication for lattice-based post-quantum cryptography and homomorphic encryption applications. The proposed novel modular polynomial multiplier exploits the fast finite impulse response (FIR) filter architecture to reduce the computational complexity of the schoolbook modular polynomial multiplication. We also extend this structure to fast $M$-parallel architectures while achieving low-latency, high-speed, and full hardware utilization. We comprehensively evaluate the performance of the proposed architectures under various polynomial settings as well as in the Saber scheme for post-quantum cryptography as a case study. The experimental results show that our proposed modular polynomial multiplier reduces the computation time and area-time product, respectively, compared to the state-of-the-art designs.

Cryptography and Security,Hardware Architecture

Lijuan Li,Shuguo Li

DOI: https://doi.org/10.1109/tcsii.2017.2785382

2018-01-01

Abstract:Point multiplication is the key operation that dominates the speed and area of each elliptic curve cryptosystem. In this brief, we propose a highly efficient architecture for point multiplication on Koblitz curves. The right-to-left point multiplication algorithm is adopted to allow parallel computation of Frobenius maps and point additions. In order to achieve short latency as well as high frequency, we explore operation rescheduling in consecutive point additions with a pipelined bitparallel finite field multiplier accumulator. Furthermore, the pipelined mixed-form double-digit scalar converter with compact recoding is employed to reduce the wait time and consumed logic resources by scalar conversion. Fast inversion based on optimal addition chains is used to further reduce the latency. Implementation results on Xilinx Virtex V show that the proposed architecture can perform a point multiplication in as few as 2.50, 4.09, 5.81, 9.50, 18.51 mu s over the five NIST Koblitz curves K-163, K-233, K-283, K-409, and K-571, respectively. To the best of our knowledge, the proposed architecture of point multiplication has the fastest speed in comparison to the reported results.

Gretchen L Matthews,Emily McMillon

2024-10-15

Abstract:Bit Flipping Key Encapsulation (BIKE) is a code-based cryptosystem being considered in Round 4 of the NIST Post-Quantum Cryptography Standardization process. It is based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes paired with an iterative decoder. While (low-density) parity-check codes have been demonstrated to perform well in practice, their capabilities are governed by the code's graphical representation and the choice of decoder rather than the traditional code parameters making it a challenge to determine the decoder failure rate (DFR). Moreover, decoding failures have been demonstrated to lead to attacks that recover the BIKE private key. In this paper, we consider structures leading to decoding failure for the iterative decoder used in BIKE. We demonstrate a strong relationship between weak keys and 4-cycles in the associated Tanner graph and harness it to describe the distance profile directly from the defining codeword. By exploiting the cycle structure of the graphs, we provide a new filter for the allowable keys in BIKE. These results apply to more general parity-check codes as well.

Information Theory

Weihang Tan,Yingjie Lao,Keshab K. Parhi

DOI: https://doi.org/10.1109/ICCAD57390.2023.10323839

2023-10-07

Abstract:CRYSTAL-Kyber (Kyber) is one of the post-quantum cryptography (PQC) key-encapsulation mechanism (KEM) schemes selected during the standardization process. This paper addresses optimization for Kyber architecture with respect to latency and throughput constraints. Specifically, matrix-vector multiplication and number theoretic transform (NTT)-based polynomial multiplication are critical operations and bottlenecks that require optimization. To address this challenge, we propose an algorithm and hardware co-design approach to systematically optimize matrix-vector multiplication and NTT-based polynomial multiplication by employing a novel sub-structure sharing technique in order to reduce computational complexity, i.e., the number of modular multiplications and modular additions/subtractions consumed. The sub-structure sharing approach is inspired by prior fast parallel approaches based on polyphase decomposition. The proposed efficient feed-forward architecture achieves high speed, low latency, and full utilization of all hardware components, which can significantly enhance the overall efficiency of the Kyber scheme. The FPGA implementation results show that our proposed design, using the fast two-parallel structure, leads to an approximate reduction of 90% in execution time, along with a 66 times improvement in throughput performance.

Cryptography and Security,Hardware Architecture

Buqing Xu,Jinjiang Yang,Wei Ge,Qiyi Zhao,Min Zhu,Youyu Wu

DOI: https://doi.org/10.1117/12.2642606

2022-01-01

Abstract:Polynomial multiplication is the most compute-intensive in the Lattice-based post-quantum cryptography (PQC). This operation can be sped up using the number theoretic transform (NTT). A lot of research is currently being done on how to speed up the NTT algorithm. In light of these considerations, this study presents an NTT accelerator with a greatly simplified butterfly unit (BFU) architecture, a completely pipelined modular multiplication (MM) unit, and two parallel computing units. FPGA implementation is realized to evaluate this work. Through the experimental results, processing speed can achieve 2× improvements with controllable resource consumption.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/iscas.2016.7527456

2016-01-01

Abstract:Ring learning with errors (Ring-LWE) is the basis of various lattice based cryptosystems. The most critical and computationally intensive operation of Ring-LWE based cryptosystems is polynomial multiplication over rings. In this paper, we introduce several optimization techniques to build an efficient polynomial multiplier with the number theoretic transform (NTT). We propose a technique to optimize the bit-reverse operation of NTT and inverse-NTT. With additional optimizations, our polynomial multiplier reduces the required clock cycles from (8n+1.5n lg n) to (2n+1.5n lg n). By exploiting the relationship of the constant factors, our polynomial multiplier is able to reduce the number of constant factors from 4n to 2.5n, which saves about 37.5% ROM storage. In addition, we propose a novel memory access scheme to achieve maximum utilization of the butterfly operator. With these techniques, our polynomial multiplier is capable to perform 57304/26913 polynomial multiplications per second for dimension 256/512 on a Spartan-6 FPGA.

Guantong Su,Guoqiang Bai

DOI: https://doi.org/10.3390/electronics12051235

IF: 2.9

2023-03-05

Electronics

Abstract:Cryptosystems based on supersingular isogeny are a novel tool in post-quantum cryptography. One compelling characteristic is their concise keys and ciphertexts. However, the performance of supersingular isogeny computation is currently worse than that of other schemes. This is primarily due to the following factors. Firstly, the underlying field is a quadratic extension of the finite field, resulting in higher computational complexity. Secondly, the strategy for large-degree isogeny evaluation is complex and dependent on the elementary arithmetic units employed. Thirdly, adapting the same hardware to different parameters is challenging. Considering the evolution of similar curve-based cryptosystems, we believe proper algorithm optimization and hardware acceleration will reduce its speed overhead. This paper describes a high-performance and flexible hardware architecture that accelerates isogeny computation. Specifically, we optimize the design by creating a dedicated quadratic Montgomery multiplier and an efficient scheduling strategy that are suitable for supersingular isogeny. The multiplier operates on Fp2 under projective coordinate formulas, and the scheduling is tailored to it. By exploiting additional parallelism through replicated multipliers and concurrent isogeny subroutines, our 65 nm SMIC technology cryptographic accelerator can generate ephemeral public keys in 2.40 ms for Alice and 2.79 ms for Bob with a 751-bit prime setting. Sharing the secret key costs another 2.04 ms and 2.35 ms, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Weizhen Wang,Jun Han,Jielin Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2015.7516999

2015-01-01

Abstract:Finite field arithmetic is the base of cryptography algorithms like Elliptic Curves Cryptography (ECC) and RSA. In this paper, We have designed an arithmetic unit to implement the operation (A ± αB)mod N, where α is a small number compared with N. In our design, the coefficient α is smaller than 128. The basic motivation of designing this multiply-accumulate (MAC) unit is to support some high security ECC algorithms such as Optimal Ate Pairings. The well-known Optimal Ate Pairing based on Barreto-Naehrig elliptic curve is famous for it's efficient implementation. In those cryptography algorithms, the calculation of αB mod N is required, where α is a small number. It is unefficient to use modular multiplication to calculate it. This is the basic motivation of implementing the operation (A ± αB)mod N with α <;<; N. Considering that the Barreto-Naehrig elliptic curve for pairing are defined in F P12 , we implement the arithmetic unit to be a Single Instruction Multiple Data (SIMD) unit with pipelined structure. Thus, the design is suitable for arithmetic in extensions of finte fields. We have modified the Barrett reduction algorithm to make it suitable for the design. The design is synthesized with SMIC 65nm CMOS process. Compared with using modular multiplication to calculate (A ± αB)mod N, Our work shows better performance with small latency and high throughput.