Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tcsi.2023.3306347

2023-01-01

Abstract:The attack on quantum computers is an enormous threat to conventional public-key cryptography. Hence, it is crucial to study quantum-resistant cryptosystems. After four rounds of evaluation, the National Institute of Standards and Technology (NIST) has decided to standardize CRYSTALS-Kyber as one of the public-key post-quantum cryptography (PQC) algorithms. In the hardware design of CRYSTALS-Kyber, the polynomial-related calculations are the most time-consuming. In this paper, we present a highly-efficient hardware architecture for CRYSTALS-Kyber. Firstly, we propose the CRYSTALS-Kyber-oriented conflict-free memory mapping scheme with two modes. Based on this scheme, we construct the mixed radix-2/4 NTT/INTT algorithm, which has no pre- or post-processing, for the first time. By using the “lazy-last-layer” trick, the available memory bandwidth of NTT is temporarily increased, and the average performance of NTT is improved. Besides, the point-wise-multiplication (PWM) is performed in a single memory bank by cooperating with the two modes of our memory mapping scheme. This avoids the waste of memory bandwidth, thus avoiding the usage of large FIFOs for the sampled data. Last, we propose an efficient modular multiplier for CRYSTALS-Kyber, and we merge the divide-by-2 operations in the finite field into modular adders and subtractors to reduce resource consumption. This design, which supports all three security levels, is implemented on Xilinx Artix-7 FPGA with 7.3k LUTs, 3.2k FFs, 2.2k Slices, 5 BRAMs, and 4 DSPs. It performs 12% better in area-time-product than other leading designs in the literature.

Wenbo Guo,Shuguo Li,Liang Kong

DOI: https://doi.org/10.1109/tcsii.2021.3103184

2022-01-01

Abstract:Quantum algorithms pose a huge threat to the current cryptosystems. In this article, we present a hardware implementation of CRYSTALS-KYBER which is one of the post-quantum cryptosystems based on the Module-LWE problem. Using the proposed modular reduction algorithm, modified modular adder and the reconfigurable data path, the design shares the computing resource for different polynomial related operations, and achieves higher degree of parallelism. Our design is implemented on a Xilinx Artix-7 FPGA. Compared with the leading hardware implementations, our design is more compact, the execution time is shorter, and it significantly consumes fewer registers.

Yufei Xing,Shuguo Li

DOI: https://doi.org/10.46586/tches.v2021.i2.328-356

2021-02-23

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Post-quantum cryptosystems should be prepared before the advent of powerful quantum computers to ensure information secure in our daily life. In 2016 a post-quantum standardization contest was launched by National Institute of Standards and Technology (NIST), and there have been lots of works concentrating on evaluation of these candidate protocols, mainly in pure software or through hardware-software co-design methodology on different platforms. As the contest progresses to third round in July 2020 with only 7 finalists and 8 alternate candidates remained, more dedicated and specific hardware designs should be considered to illustrate the intrinsic property of a certain protocol and achieve better performance. To this end, we present a standalone hardware design of CRYSTALS-KYBER, amodule learning-with-errors (MLWE) based key exchange mechanism (KEM) protocol within the 7 finalists on FPGA platform. Through elaborate scheduling of sampling and number theoretic transform (NTT) related calculations, decent performance is achieved with limited hardware resources. The way that Encode/Decode and the tweaked Fujisaki-Okamoto transform are implemented is demonstrated in detail. Analysis about minimizing memory footprint is also given out. In summary, we realize the adaptive chosen ciphertext attack (CCA) secure Kyber with all selectable module dimension k on the smallest Xilinx Artix-7 device. Our design computes key-generation, encapsulation (encryption) and decapsulation (decryption and reencryption) phase in 3768/5079/6668 cycles when k = 2, 6316/7925/10049 cycles when k = 3, and 9380/11321/13908 cycles when k = 4, consuming 7412/6785 LUTs, 4644/3981 FFs, 2126/1899 slices, 2/2 DSPs and 3/3 BRAMs in server/client with 6.2/6.0 ns critical path delay, outperforming corresponding high level synthesis (HLS) based designs or hardware-software co-designs to a large extent.

Xavier Carril,Charalampos Kardaris,Jordi Ribes-González,Oriol Farràs,Carles Hernandez,Vatistas Kostalabros,Joel Ulises González-Jiménez,Miquel Moretó

DOI: https://doi.org/10.1145/3675172

IF: 2.837

2024-07-03

ACM Transactions on Reconfigurable Technology and Systems

Abstract:Many high-demand digital services need to perform several cryptographic operations, such as key exchange or security credentialing, in a concise amount of time. In turn, the security of some of these cryptographic schemes is threatened by advances in quantum computing, as quantum computer could break their security in the near future. Post-Quantum Cryptography (PQC) is an emerging field that studies cryptographic algorithms that resist such attacks. The National Institute of Standards and Technology (NIST) has selected the CRYSTALS-Kyber Key Encapsulation Mechanism and the CRYSTALSDilithium Digital Signature algorithm as primary PQC standards. In this paper, we present FPGA-based hardware accelerators for high-volume operations of both schemes. We apply High-Level Synthesis (HLS) for hardware optimization, leveraging a batch processing approach to maximize the memory throughput, and applying custom HLS logic to specific algorithmic components. Using reconfigurable field-programmable gate arrays (FPGAs), we show that our hardware accelerators achieve speedups between 3x and 9x over software baseline implementations, even over ones leveraging CPU vector architectures. Furthermore, the methods used in this study can also be extended to the new CRYSTALS-based NIST FIPS drafts, ML-KEM and ML-DSA, with similar acceleration results.

computer science, hardware & architecture

Liejun Ma,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/cisce52179.2021.9445987

2021-01-01

Abstract:With the development of quantum information theory, classical cryptographical schemes will be threatened. CRYSTALS-KYBER (KYBER) is a kind of lattice-based post quantum cryptographical algorithms which can resist the quantum attack to a large extent. The polynomial multiplication is the most computationally intensive operation in the KYBER algorithm. In this paper, we proposed a Number Theoretic Transformation (NTT) implementation strategy to speed up the polynomial multiplication in FPGA platform. We optimized the structure by adopting a parallel approach, this can further reduce the NTT iteration time and achieve better performance.

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tc.2023.3320040

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Facing the threat of large-scale quantum computers to traditional public-key cryptography, the National Institute of Standards and Technology has conducted Post-Quantum Cryptography algorithms evaluation for a long time, and CRYSTALS-Kyber has been selected to enter the standardization process. In the previous literature, hardware designs can significantly improve the performance of CRYSTALS-Kyber, and the most time-consuming operations are Number Theoretic Transform (NTT) and point-wise multiplication (PWM). However, the split-radix algorithm, which has a lower theoretical complexity in the FFT, has rarely been studied in the NTT. In this paper, we studied whether there are advantages of introducing split-radix algorithms into the NTT defined by CRYSTALS-Kyber and detailed derived the split-radix algorithms for the forward and inverse NTT without pre- or post-processing. By further optimizing the split-radix algorithm for the forward NTT, one of the three modular multipliers in the $\boldsymbol{L}$L-shaped butterfly unit is replaced by shifting-and-addition, which will reduce the hardware resource consumption. Besides, we proposed a recombined formula for PWM, which reduces the capacity of the intermediate data RAM for PWM by 25%. Together with the proposed hardware scheduling method, the above algorithms can improve performance and save hardware resources.

Weihang Tan,Yingjie Lao,Keshab K. Parhi

DOI: https://doi.org/10.1109/ICCAD57390.2023.10323839

2023-10-07

Abstract:CRYSTAL-Kyber (Kyber) is one of the post-quantum cryptography (PQC) key-encapsulation mechanism (KEM) schemes selected during the standardization process. This paper addresses optimization for Kyber architecture with respect to latency and throughput constraints. Specifically, matrix-vector multiplication and number theoretic transform (NTT)-based polynomial multiplication are critical operations and bottlenecks that require optimization. To address this challenge, we propose an algorithm and hardware co-design approach to systematically optimize matrix-vector multiplication and NTT-based polynomial multiplication by employing a novel sub-structure sharing technique in order to reduce computational complexity, i.e., the number of modular multiplications and modular additions/subtractions consumed. The sub-structure sharing approach is inspired by prior fast parallel approaches based on polyphase decomposition. The proposed efficient feed-forward architecture achieves high speed, low latency, and full utilization of all hardware components, which can significantly enhance the overall efficiency of the Kyber scheme. The FPGA implementation results show that our proposed design, using the fast two-parallel structure, leads to an approximate reduction of 90% in execution time, along with a 66 times improvement in throughput performance.

Cryptography and Security,Hardware Architecture

Arpan Jati,Naina Gupta,Anupam Chattopadhyay,Somitra Kumar Sanadhya

DOI: https://doi.org/10.1145/3587037

2023-03-06

ACM Transactions on Embedded Computing Systems

Abstract:In this work, we present a configurable and side channel resistant implementation of the post-quantum key-exchange algorithm CRYSTALS-Kyber . The implemented design can be configured for different performance and area requirements leading to different trade-offs for different applications. A low area implementation can be achieved in 5269 LUTs and 2422 FFs, whereas a high performance implementation required 7151 LUTs and 3730 FFs. Due to a deeply pipelined architecture, a high operating speed of more than 250 MHz could be achieved on 28nm Xilinx FPGAs. The side channel resistance is implemented using a carefully chosen set of novel and known techniques such as Fault Detection Hashes, Instruction Randomization, FSM Protection etc. resulting in a low overhead of less than \(5\% \) while being highly configurable. To the best of our knowledge, this work presents the first side-channel and fault attack protected configurable accelerator for CRYSTALS-Kyber . Using TVLA (test vector leakage assessment), we validate the implemented protection techniques and demonstrate that the design does not leak information even after 200K traces. Furthermore, one of the configuration choices results in the smallest hardware implementation of CRYSTALS-Kyber known in literature.

computer science, software engineering, hardware & architecture

Luke Beckwith,Duc Tri Nguyen,Kris Gaj

DOI: https://doi.org/10.1109/icfpt52863.2021.9609917

2021-12-06

Abstract:Many currently deployed public-key cryptosystems are based on the difficulty of the discrete logarithm and integer factorization problems. However, given an adequately sized quantum computer, these problems can be solved in polynomial time as a function of the key size. Due to the future threat of quantum computing to current cryptographic standards, alternative algorithms that remain secure under quantum computing are being evaluated for future use. One such algorithm is CRYSTALS-Dilithium, a lattice-based digital signature scheme, which is a finalist in the NIST Post Quantum Cryptography (PQC) competition. As a part of this evaluation, high-performance implementations of these algorithms must be investigated. This work presents a high-performance implementation of CRYSTALS-Dilithium targeting FPGAs. In particular, we present a design that achieves the best latency for an FPGA implementation to date. We also compare our results with the most-relevant previous work on hardware implementations of NIST Round 3 post-quantum digital signature candidates.

Kang Sun,Lingdi Ping,Jiebing Wang,Zugen Liu,Xuezeng Pan

DOI: https://doi.org/10.1109/imsccs.2006.208

2006-01-01

Abstract:Cryptographic algorithms are usually compute-intensive and more efficiently implemented in hardware than in software. By taking advantage of FPGA technology, some work offers high performance and flexible solutions for cryptographic algorithms. But FPGAs still have some drawbacks. To overcome inherent shortages of FPGA, a novel asynchronous reconfigurable cryptographic engine (ARCEN) is introduced. In this architecture, reconfigurable cryptographic array is the kernel. It routes signals asynchronously between adjacent cells through Neighbor-to-Neighbor wires with 4-phase handshaking protocol. Computation circuit for reconfigurable cell is developed with modified DSDCVS logic. Experiment results show that the architecture has a better performance than FPGA.

Wentao Xi,Xingjun Wu,Kai Zhang

DOI: https://doi.org/10.1145/3638782.3638800

2024-01-01

Abstract:The development of quantum computers has introduced a significant threat to the security of traditional cryptographic algorithms. To address this challenge, post-quantum cryptographic algorithms (PQC) have been developed, offering robust resistance against attacks from quantum computers. The hash operation plays a critical role in many PQC algorithms based on lattice ciphers and represents a substantial resource-consuming component in algorithm implementations. In this paper, we propose a novel circuit structure for hash implementation in FPGA platform. Our design integrates the hash operations of Kyber and Dilithium by reusing a shared Keccak unit and achieves different hash operation modes through parameter configuration in the control unit. Furthermore, we introduce a novel pipeline structure that multiplexes two sets of pipeline registers with an unfolding factor of 1. This innovative approach significantly reduces hardware resource consumption while satisfying the performance requirements of the algorithm. The proposed architecture, implemented on the Kintex-7 FPGA, utilizes 7376 LUTs, 3059 FFs, and 4 DSPs. Compared to the existing state-of-the-art designs, our design reduces about 40.2% of LUT resources, and 14.1% of Flip Flops resources. Additionally, it achieves 391MHZ clock frequency and finishes Keccak operations in 0.123μs. As a result, our design offers a low-cost, configurable hash computing circuit architecture with relatively excellent performance.

Xinyi Ji,Jiankuo Dong,Tonggui Deng,Pinchang Zhang,Jiafeng Hua,Fu Xiao

DOI: https://doi.org/10.1109/tpds.2024.3379734

IF: 5.3

2024-04-10

IEEE Transactions on Parallel and Distributed Systems

Abstract:CRYSTALS-Kyber, as the only public key encryption (PKE) algorithm selected by the National Institute of Standards and Technology (NIST) in the third round, is considered one of the most promising post-quantum cryptography (PQC) schemes. Lattice-based cryptography uses complex discrete algorithm problems on lattices to build secure encryption and decryption systems to resist attacks from quantum computing. Performance is an important bottleneck affecting the promotion of post quantum cryptography. In this paper, we present a High-performance Implementation of Kyber (named HI-Kyber) on the NVIDIA GPUs, which can increase the key-exchange performance of Kyber to the million-level. Firstly, we propose a lattice-based PQC implementation architecture based on kernel fusion, which can avoid redundant global-memory access operations. Secondly, We optimize and implement the core operations of CRYSTALS-Kyber, including Number Theoretic Transform (NTT), inverse NTT (INTT), pointwise multiplication, etc. Especially for the calculation bottleneck NTT operation, three novel methods are proposed to explore extreme performance: the sliced layer merging (SLM), the sliced depth-first search (SDFS-NTT) and the entire depth-first search (EDFS-NTT), which achieve a speedup of 7.5%, 28.5%, and 41.6% compared to the native implementation. Thirdly, we conduct comprehensive performance experiments with different parallel dimensions based on the above optimization. Finally, our key exchange performance reaches 1,664 kops/s. Specifically, based on the same platform, our HI-Kyber is 3.52× that of the GPU implementation based on the same instruction set and 1.78× that of the state-of-the-art one based on AI-accelerated tensor core.

computer science, theory & methods,engineering, electrical & electronic

Dejun Xu,Kai Wang,Jing Tian

2024-07-03

Abstract:CRYSTALS-Kyber (a.k.a. Kyber) has been drafted to be standardized as the only key encapsulation mechanism (KEM) scheme by the national institute of standards and technology (NIST) to withstand attacks by large-scale quantum computers. However, the side-channel attack (SCA) on its implementation is still needed to be well considered for the upcoming migration. In this brief, we propose a secure and efficient hardware implementation for Kyber by incorporating a novel compact shuffling architecture. First of all, we modify the Fisher-Yates shuffle to make it more hardware-friendly. We then design an optimized shuffling architecture for the well-known open-source Kyber hardware implementation to enhance the security of all the potential side-channel leakage points. Finally, we implement the modified Kyber design on FPGA and evaluate its security and performance. The security is verified by conducting the correlation power analysis (CPA) attacks on the hardware. Meanwhile, FPGA place-and-route results show that the proposed design reports only 8.7% degradation on the hardware efficiency compared with the original unprotected version, much better than existing hiding schemes.

Cryptography and Security

Stefano Di Matteo,Ivan Sarno,Sergio Saponara

DOI: https://doi.org/10.1109/access.2024.3367109

IF: 3.9

2024-02-28

IEEE Access

Abstract:This paper presents the design and FPGA implementation of a hardware accelerator for the Post-Quantum CRYSTALS-Kyber and CRYSTALS-Dilithium algorithms, named CRYPHTOR (CRYstals Polynomial HW acceleraTOR). The proposed architecture includes a unified memory arrangement and dedicated ALUs for Kyber and Dilithium, capable of accelerating several polynomial operations such as Number Theoretic Transform (NTT), Inverse NTT, Coefficient-Wise Multiplication (CWM), modular addition and subtraction, modular reduction, and the multiply-accumulate operation. CRYPHTOR has been integrated into two SoCs: one based on a 64-bit RISC-V processor and the other on a 32-bit RISC-V microcontroller. In these configurations, up to 26x and 300x of speedup has been obtained for the NTT, and up to 30x and 140x of speedup for the matrix-vector multiplication compared to the software implementation running on the RISC-V processors.

computer science, information systems,telecommunications,engineering, electrical & electronic

Latif Akçay,Berna Örs Yalçın

DOI: https://doi.org/10.1007/s13369-024-08976-w

IF: 2.807

2024-04-20

Arabian Journal for Science and Engineering

Abstract:Abstract Lattice-based cryptography (LBC) algorithms are considered suitable candidates for post-quantum cryptography (PQC), as they dominate the standardization process put forward by the National Institute of Standards and Technology (NIST). Indeed, three of the four key encapsulation mechanism (KEM) algorithms in the third round of the process are based on computationally hard lattice problems. On the other hand, there is an urgent need for processor designs that can run PQC algorithms efficiently, especially for embedded systems. This study presents an application-specific instruction set processor (ASIP) design for the Kyber, Saber, and NewHope algorithms based on transport triggered architecture (TTA). Custom hardware accelerators are added to the baseline processor architecture for computation-intensive steps without applying any software optimization to the reference code. We compared FPGA and ASIC implementations of our design with the prominent RISC-V cores and instruction set extension studies in the literature. According to the results, the proposed design offers greater efficiency, better performance, and lower resource utilization than its competitors in most cases.

multidisciplinary sciences

Yan Liu,Liji Wu,Zhenhui Zhang,Xiangmin Zhang,Jing Zhou,Yifan Yang,Le Wu

DOI: https://doi.org/10.1109/asid60355.2023.10426507

2023-01-01

Abstract:The security of existing cryptosystems mostly relies on the difficulty of solving integer factorization problems and discrete logarithm problems. However, in recent years, with the rapid development of quantum computers, the time required to solve these difficult problems has been significantly reduced, which will pose significant risks to the transmission of information. Post-quantum algorithms are a type of cryptographic algorithm specifically designed to resist quantum computer attacks. The National Institute of Standards and Technology of the United States(NIST) has completed four rounds of selection work from 2016 to 2022. The Classic McEliece algorithm is the only Post-Quantum Cryptography (PQC) algorithm that has been selected for the fourth round of selection after more than 50 years. However, currently, the research and implementation of this algorithm are mostly focused on the software algorithm level, while the hardware implementation can be said to be very few. At the same time, hardware-implemented cryptographic algorithms have certain advantages in terms of security, algorithm execution speed, and other aspects compared to software. In this paper, the arithmetic part and the encryption part of the Classic McEliece algorithm are designed, and a UVM verification platform is built to verify its functionality. Finally, the hardware circuit is verified on the SAKURA-G FPGA development board, relevant resource consumption was collected and compared with the work of the predecessors.

Yihong Zhu,Wenping Zhu,Yi Ouyang,Junwen Sun,Min Zhu,Qi Zhao,Jinjiang Yang,Chen Chen,Qichao Tao,Guang Yang,Aoyang Zhang,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/ISSCC49657.2024.10454332

2024-01-01

Abstract:The migration towards post-quantum cryptography (PQC) is in progress to secure communications and transactions against the impending quantum threat, while three key-encapsulation mechanisms (KEM) and one digital signature (DS) scheme are being standardized by NIST [1]. This multi-year migration poses serious challenges to PQC implementations for compatibility and performance requirements in various scenarios and settings: 1) Performance limitations caused by diverse computation patterns and relatively higher computation costs. 2) Crypto-agility resulting from different mathematical problems, various security parameters, or even different standardization bodies. 3.) Domain-specific optimization to address the long-term security of the evolving algorithm families. However, most existing PQC accelerators [2, 3, 5] were only customized for specific algorithms based on unique mathematical problems. The latest configurable PQC processor [4] did not support Falcon and Sphincs+, which are being drafted for standardization. To address this issue, a versatile PQC processor fabricated in 28nm is presented with three key features: 1) task-clustering-based architecture for scalable processing with aggressive parallelism; 2) region-based task-path (TP) with dynamic update for agile cryptographic computing; 3) efficient PQC task-operators (TO), including hash/sample, format, floating-point/complex, encoding/decoding operators, for further improvements on throughput and energy-efficiency. Based on these contributions, the proposed chip supports all predominant schemes in NIST’s PQC standardization, while still delivering 44.6% and 10.3% improvements in the throughput and energy-delay product (EDP), respectively, relative to a state-of-the-art design [4].

Suraj Mandal,Debapriya Basu Roy

2023-11-08

Abstract:Large-degree polynomial multiplication is an integral component of post-quantum secure lattice-based cryptographic algorithms like CRYSTALS-Kyber and Dilithium. The computational complexity of large-degree polynomial multiplication can be reduced significantly through Number Theoretic Transformation (NTT). In this paper, we aim to develop a unified and shared NTT architecture that can support polynomial multiplication for both CRYSTALS-Kyber and Dilithium. More specifically, in this paper, we have proposed three different unified architectures for NTT multiplication in CRYSTALS-Kyber and Dilithium with varying numbers of configurable radix-2 butterfly units. Additionally, the developed implementation is coupled with a conflict-free memory mapping scheme that allows the architecture to be fully pipelined. We have validated our implementation on Artix-7, Zynq-7000 and Zynq Ultrascale+ FPGAs. Our standalone implementations for NTT multiplication for CRYSTALS-Kyber and Dilithium perform better than the existing works, and our unified architecture shows excellent area and timing performance compared to both standalone and existing unified implementations. This architecture can potentially be used for compact and efficient implementation for CRYSTALS-Kyber and Dilithium.

Hardware Architecture,Cryptography and Security

Jonathan López-Valdivieso,René Cumplido

DOI: https://doi.org/10.1145/3653459

IF: 2.837

2024-03-28

ACM Transactions on Reconfigurable Technology and Systems

Abstract:Advances in quantum computing have posed a future threat to today's cryptography. With the advent of these quantum computers, security could be compromised. Therefore, the National Institute of Standards and Technology (NIST) has issued a request for proposals to standardize algorithms for post-quantum cryptography (PQC), which is considered difficult to solve for both classical and quantum computers. Among the proposed technologies, the most popular choices are lattice-based (shortest vector problem) and hash-based approaches. Other important categories are public key cryptography (PKE) and digital signatures. Within the realm of digital signatures lies SPHINCS+. However, there are few implementations of this scheme in hardware architectures. In this article, we present a hardware-software architecture for the SPHINCS+ scheme. We utilized a free RISC-V (Reduced Instruction Set Computer) processor synthesized on a Field Programmable Gate Array (FPGA), primarily integrating two accelerator modules for Keccak-1600 and the Haraka hash function. Additionally, modifications were made to the processor to accommodate the execution of these added modules. Our implementation yielded a 15-fold increase in performance with the SHAKE-256 function and nearly 90-fold improvement when using Haraka, compared to the reference software. Moreover, it is more compact compared to related works. This implementation was realized on a Xilinx FPGA Arty S7: Spartan-7.

computer science, hardware & architecture

Rui Tong,Yanzhao Yin,Liji Wu,Xiangmin Zhang,Zhenhui Qin,Xingjun Wu,Linlin Su

DOI: https://doi.org/10.1109/asid50160.2020.9271776

2020-01-01

Abstract:As the computing power of quantum computers continues to improve, the security of the mathematical problems on current cryptographic algorithm used today will be challenged. It is necessary to formulate the standard of post-quantum cryptographic algorithm. LAC is one of 26 candidates for the Round 2 of NIST PQC contest. In this paper, we implement the high-speed anti-SPA hardware implementation of security level 1. Finally, since our work is the first implementation of LAC on Zynq-7000, there is no preliminary comparison, so we have a horizontal comparison with implementation of the same type of algorithm NewHope-512.