Zhe Liu,Reza Azarderakhsh,Howon Kim,Hwajeong Seo

DOI: https://doi.org/10.1007/978-3-319-62024-4_6

2017-01-01

Abstract:ARM NEON architecture has occupied a significant share of high-end Internet of Things platforms such as mini computer, tablet and smartphone markets due to its low cost and high performance. This paper studies efficient techniques of lattice-based cryptography on ARM processor and presents the first implementation of ring-LWE encryption on ARM NEON architecture. We propose a vectorized version of Iterative Number Theoretic Transform (NTT) for high-speed computation and present a 32-bit variant of SAMS2 technique, original from Liu et al. in CHES2015, for fast reduction. Subsequently, we present a full-fledged implementation of Ring-LWE by taking advantage of proposed and previous optimization techniques. Ultimately, our ring-LWE implementation requires only 145 k clock cycles for encryption and 32.8 k cycles for decryption for $$n=256$$. These results are more than 17.6 times faster than the fastest ECC implementation on ARM NEON with same security level.

Zewen Ye,Ruibing Song,Hao Zhang,Donglong Chen,Ray Chak-Chung Cheung,Kejie Huang

DOI: https://doi.org/10.46586/tches.v2024.i2.130-153

2024-01-01

Abstract:Lattice-Based Cryptography (LBC) schemes, like CRYSTALS-Kyber and CRYSTALS-Dilithium, have been selected to be standardized in the NIST Post-Quantum Cryptography standard. However, implementing these schemes in resourceconstrained Internet-of-Things (IoT) devices is challenging, considering efficiency, power consumption, area overhead, and flexibility to support various operations and parameter settings. Some existing ASIC designs that prioritize lower power and area can not achieve optimal performance efficiency, which are not practical for battery-powered devices. Custom hardware accelerators in prior co-processor and processor designs have limited applications and flexibility, incurring significant area and power overheads for IoT devices. To address these challenges, this paper presents an efficient lattice-based cryptography processor with customized Single-Instruction-Multiple-Data (SIMD) instruction. First, our proposed SIMD architecture supports efficient parallel execution of various polynomial operations in 256-bit mode and acceleration of Keccak in 320-bit mode, both utilizing efficiently reused resources. Additionally, we introduce data shuffling hardware units to resolve data dependencies within SIMD data. To further enhance performance, we design a dual-issue path for memory accesses and corresponding software design methodologies to reduce the impact of data load/store blocking. Through a hardware/software co-design approach, our proposed processor achieves high efficiency in supporting all operations in lattice-based cryptography schemes. Evaluations of Kyber and Dilithium show our proposed processor achieves over 10x speedup compared with the baseline RISC-V processor and over 5x speedup versus ARM Cortex M4 implementations, making it a promising solution for securing IoT communications and storage. Moreover, Silicon synthesis results show our design can run at 200 MHz with 2.01 mW for Kyber KEM 512 and 2.13 mW for Dilithium 2, which outperforms state-of-the-art works in terms of PPAP (Performance x Power x Area).

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Hwajeong Seo,Hyeokdong Kwon,Yongbeen Kwon,Kyungho Kim,Seungju Choi,Hyunjun Kim,Kyoungbae Jang

DOI: https://doi.org/10.3390/s20072039

2020-04-05

Abstract:In this paper, we optimized Number Theoretic Transform (NTT) and random sampling operations on low-end 8-bit AVR microcontrollers. We focused on the optimized modular multiplication with secure countermeasure (i.e., constant timing), which ensures high performance and prevents timing attack and simple power analysis. In particular, we presented combined Look-Up Table (LUT)-based fast reduction techniques in a regular fashion. This novel approach only requires two times of LUT access to perform the whole modular reduction routine. The implementation is carefully written in assembly language, which reduces the number of memory access and function call routines. With LUT-based optimization techniques, proposed NTT implementations outperform the previous best results by 9.0% and 14.6% for 128-bit security level and 256-bit security level, respectively. Furthermore, we adopted the most optimized AES software implementation to improve the performance of pseudo random number generation for random sampling operation. The encryption of AES-256 counter (CTR) mode used for random number generator requires only 3184 clock cycles for 128-bit data input, which is 9.5% faster than previous state-of-art results. Finally, proposed methods are applied to the whole process of Ring-LWE key scheduling and encryption operations, which require only 524,211 and 659,603 clock cycles for 128-bit security level, respectively. For the key generation of 256-bit security level, 1,325,171 and 1,775,475 clock cycles are required for H/W and S/W AES-based implementations, respectively. For the encryption of 256-bit security level, 1,430,601 and 2,042,474 clock cycles are required for H/W and S/W AES-based implementations, respectively.

Weizhen Wang,Jun Han,Xu Cheng,Xiaoyang Zeng

DOI: https://doi.org/10.1016/j.mejo.2021.105165

IF: 1.992

2021-01-01

Microelectronics Journal

Abstract:With the prevailing of Internet-of-Things (IoT) technology, information security for ever-growing connected devices is an inevitable issue and gaining more attention. However, implementation of cryptography algorithms on battery-powered IoT devices is challenging due to limited power-budget. In this paper, we present an energy-efficient crypto-coprocessor. This coprocessor is designed with a unified pipelined structure for cryptography primitives of 128-bit or 256-bit data path and supports cryptography algorithms including AES, ECC and SHA. Since the clock tree and the sequential circuits dissipate a large percentage of the chip power, a conditional-charged flip-flop is proposed to reduce the clock tree power. Our design is integrated with an open-sourced RISC-V core as a crypto-extension, and shows both good flexibility and high energy-efficiency. This work is implemented in 28 nm technology and the power consumption for different cryptography applications is evaluated with post-layout simulation. When simulated with NIST prime fields curve P-256 and binary fields curve K-233, the energy consumed for one base point scalar multiplication is 43.54 μJ and 20.40 μJ, respectively. The proposed design consumes 0.0568 nJ/bit and 0.0288 nJ/bit for the AES-GCM mode and the AES-CBC mode, respectively. As for SHA-256, each bit requires 0.0874 nJ. Compared with previous works, this work provides both flexibility and high energy performance.

Yifan Zhao,Ruiqi Xie,Guozhu Xin,Jun Han

DOI: https://doi.org/10.1109/tcsi.2022.3162593

2022-01-01

Abstract:The 5G edge computing infrastructure should be empowered with quantum attack resistance by implementing post-quantum cryptography (PQC). Among various PQC schemes, lattice-based cryptography (LBC) based on learning with error (LWE) has attracted much attention because of its performance efficiency and security guarantee. In LWE-based LBCs, the Module-LWE-based schemes gain advantage over the others benefiting from the unique polynomial matrix and vector structure. To provide a high-performance implementation of Module-LWE applications for the edge computing paradigm, we propose a domain-specific processor based on a matrix extension of RISC-V architecture. This custom extension encapsulates the matrix-based ring operations with a high-level functional abstraction. A 2-D systolic array with configurable functionality is proposed to perform matrix-based number theoretic transform (NTT) and other arithmetic operations, achieving high data-level parallelism with support for the variable-sized polynomial matrix and vector structure. As this structure of Module-LWE involves no data dependency between different inner elements, an out-of-order mechanism is further developed to exploit the instruction-level parallelism. We implement the proposed architecture under TSMC 28nm technology. The evaluation results show that our implementation can achieve up to and improvement in cycle count respectively in Kyber and Dilithium, compared to the state-of-the-art crypto-processor counterparts.

Weizhen Wang,Jun Han,Zhicheng Xie,Shan Huang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/isocc.2016.7799761

2016-01-01

Abstract:Together with the popularity of internet of things (IoT), the information security in IoT is becoming an urgent issue. In this paper, a cryptographic coprocessor is designed to provide security for IoT sensor nodes. This design incorporates the application-specific instruction set to support popular cryptography algorithms like advanced encryption standard (AES) and elliptic curve cryptography (ECC). The tailored instruction provides good flexibility, high energy efficiency and low latency. Local instruction and data ram is integrated into our coprocessor to reduce the instruction transfer between embedded processor and the coprocessor. Our work was synthesized under TSMC 65 nm technology. The measurement results show that our design consumes 32.7 uJ for each ECC point multiplication and 3 nJ for each AES encryption and decryption when working at 10 MHz.

Yiqun Zhang,Li Xu,Qing Dong,Jingcheng Wang,David Blaauw,Dennis Sylvester

DOI: https://doi.org/10.1109/jssc.2017.2776302

IF: 5.4

2018-01-01

IEEE Journal of Solid-State Circuits

Abstract:Providing security for the Internet of Things (IoT) is increasingly important, but supporting many different cryptographic algorithms and standards within the physical constraints of IoT devices is highly challenging. Software implementations are inefficient due to the high bitwidth cryptographic operations; domain-specific accelerators are often inflexible; and reconfigurable crypto processors generally have large area and power overhead. This paper proposes Recryptor, a reconfigurable cryptographic processor that augments the existing memory of a commercial general-purpose processor with compute capabilities. It supports in-memory bitline computing using a 10-transistor bitcell to support different bitwise operations up to 512-bits wide. Custom-designed shifter, rotator, and S-box modules sit near the memory, providing high-throughput near-memory computing capabilities. We demonstrate Recryptor’s programmability by implementing the cryptographic primitives of various public/ secret key cryptographies and hash functions. Recryptor runs at 28.8 MHz in 0.7 V, achieving $6.8\times $ average speedup and $12.8\times $ average energy improvements over the state-of-the-art software- and hardware-accelerated implementations with only 0.128 mm2 area overhead in 40-nm CMOS.

Sen Yang,Lian Shao,Junke Huang,Wanghui Zou

DOI: https://doi.org/10.3390/electronics12204222

IF: 2.9

2023-10-13

Electronics

Abstract:The security and reliability of data transmission between IoT devices are considered to be major challenges in the development of IoT technology. This paper presents a low-power, low-cost RISC-V processor for IoT applications with an integrated hybrid encryption accelerator, which can achieve efficient and secure encryption and decryption of data transmitted between IoT devices. The hybrid encryption accelerator, which uses the SM3 and the SM4, respectively, as hash and symmetric encryption algorithms, achieves a balance between encryption security, high speed, and key-management convenience. Both the processor and encryption accelerator are designed using the Verilog HDL language and are subsequently implemented and evaluated on both FPGA and ASIC platforms. The performance of the proposed processor and that of the Hummingbird E203 and the XuanTie E902 are compared. It is shown that, on the FPGA platform, the total resource utilization rate is reduced by 39.1~66.2%. In a 90 nm CMOS process, it is shown that the power efficiency of the proposed processor is increased by 10~34.8% and the circuit area is reduced by 32.5~57.1%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sumit Singh Dhanda,Brahmjit Singh,Chia-Chen Lin,Poonam Jindal,Deepak Panwar,Tarun Kumar Sharma,Saurabh Agarwal,Wooguil Pak

DOI: https://doi.org/10.1109/access.2024.3472650

IF: 3.9

2024-10-12

IEEE Access

Abstract:The most widely used asymmetric cipher is ECC. It can be applied to IoT applications to offer various security services. However, a wide range of sectors have been investigated for applying ECC. The field of elliptic curve cryptographic processors for GF (2191) has received less attention. This study presents a low-resource, high-efficiency architecture for a 191-bit ECC processor. This design uses a novel hybrid Karatsuba multiplier for the multiplication of finite fields. For GF (2191), the Quad-Itoh-Tsuji algorithm has been altered to provide a small-size inversion unit. PlanAhead software synthesizes the CPU, which is then implemented on several Xilinx FPGAs. With savings in slice consumption ranging from 16 to 43 percent, the implemented design is the most restricted compared to the current designs. Compared to previously published designs, it is 3.8–1000 times faster. The elliptic curve scalar multiplication on the Virtex-7 FPGA is computed in s. Additionally, the proposed design achieves savings in area-time products of 77 to 90 percent. It may be beneficial for IoT edge devices. It utilizes 3120 mW of power for the operation. A state-of-the-art comparison based on the figure of merit (FoM) reveals that the proposed design outclasses the newest designs by a large margin. It also exhibits a throughput of 138.121 Kbps.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ronghua Lu,Jun Han,Xiaoyang Zeng,Qing Li,Lang Mai,Jia Zhao

DOI: https://doi.org/10.1109/aspdac.2008.4483921

2008-01-01

Abstract:A low-cost cryptographic processor for security embedded system is presented in this paper. The processor, without any assistance of dedicated cryptographic coprocessors, is scalable and very efficient for popular cryptographic algorithms such as RSA/ECC, AES, Hash, etc. Based on SMIC 0.18 um standard CMOS technology, the core circuit of the test chip has only about 32 k gates, and a max frequency of 200 MHz, under which the 1024-bit RSA algorithm takes only 150 ms and the throughout of AES reaches 256 Mbits/s.

Yong-xiang HAN,Guo-qiang BAI,Hong-yi CHEN

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.12.001

2007-01-01

Abstract:Through a compound hardware-design method of combining mathematical reasoning and circuit technology, this paper presents a VLSI implementation of ECC processor over GF(2m). Targeting low cost, we finish the optimal design of squaring, reduction, multiplication, inversion in Arithmetic logic module. According to different operation hierarchies, we designed different controlling circuits to match. The ECC processor has been synthesized on SMIC 0.18μm CMOS technology and has an area reduction of 48% comparing to international relevant research, with really fast speed at the same time.

Ruben De Smet,Robrecht Blancquaert,Tom Godden,Kris Steenhaut,An Braeken

DOI: https://doi.org/10.3390/s24031030

IF: 3.9

2024-02-06

Sensors

Abstract:Elliptic curve cryptography is a widely deployed technology for securing digital communication. It is the basis of many cryptographic primitives such as key agreement protocols, digital signatures, and zero-knowledge proofs. Fast elliptic curve cryptography relies on heavily optimised modular arithmetic operations, which are often tailored to specific micro-architectures. In this article, we study and evaluate optimisations of the popular elliptic curve Curve25519 for ARM processors. We specifically target the ARM NEON single instruction, multiple data (SIMD) architecture, which is a popular architecture for modern smartphones. We introduce a novel representation for 128-bit NEON SIMD vectors, optimised for SIMD parallelisation, to accelerate elliptic curve operations significantly. Leveraging this representation, we implement an extended twisted Edwards curve Curve25519 back-end within the popular Rust library "curve25519-dalek". We extensively evaluate our implementation across multiple ARM devices using both cryptographic benchmarks and the benchmark suite available for the Signal protocol. Our findings demonstrate a substantial back-end speed-up of at least 20% for ARM NEON, along with a noteworthy speed improvement of at least 15% for benchmarked Signal functions.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jose L. Imana,Pengzhou He,Tianyou Bao,Yazheng Tu,Jiafeng Xie

DOI: https://doi.org/10.1109/tcsi.2022.3169471

2022-07-29

Abstract:Ring learning-with-errors (RLWE)-based encryption scheme is a lattice-based cryptographic algorithm that constitutes one of the most promising candidates for Post-Quantum Cryptography (PQC) standardization due to its efficient implementation and low computational complexity. Binary Ring-LWE (BRLWE) is a new optimized variant of RLWE, which achieves smaller computational complexity and higher efficient hardware implementations. In this paper, two efficient architectures based on Linear-Feedback Shift Register (LFSR) for the arithmetic used in Inverted Binary Ring-LWE (InvBRLWE)-based encryption scheme are presented, namely the operation of over the polynomial ring . The first architecture optimizes the resource usage for major computation and has a novel input processing setup to speed up the overall processing latency with minimized input loading cycles. The second architecture deploys an innovative serial-in serial-out processing format to reduce the involved area usage further yet maintains a regular input loading time-complexity. Experimental results show that the architectures presented here improve the complexities obtained by competing schemes found in the literature, e.g., involving 71.23% less area-delay product than recent designs. Both architectures are highly efficient in terms of area-time complexities and can be extended for deploying in different lightweight application environments.

Uyangaa Khuchit,Liji Wu,Xiangmin Zhang,Yanzhao Yin,Altantsooj Batsukh,Bayarpurev Mongolyn,Munkhbaatar Chinbat

DOI: https://doi.org/10.1109/asid50160.2020.9271725

2020-01-01

Abstract:An ideal lattice is defined over a ring learning with errors (Ring-LWE) problem. Polynomial multiplication over the ring is the most computational and time-consuming block in lattice-based cryptography. This paper presents the first hardware design of the polynomial multiplication for LAC, one of the Round-2 candidates of the NIST PQC Standardization Process, which has byte-level modulus p=251. The proposed architecture supports polynomial multiplications for different degree n (n=512/1024/2048). For designing the scheme, we used the Vivado HLS compiler, a high-level synthesis based hardware design methodology, which is able to optimize software algorithms into actual hardware products. The design of the scheme takes 274/280/291 FFs and 204/217/208 LUTs on the Xilinx Artix-7 family FPGA, requested by NIST PQC competition for hardware implementation. Multiplication core uses only 1/1/2 pieces of 18Kb BRAMs, 1/1/1 DSPs, and 90/94/95 slices on the board. Our timing result achieved in an alternative degree n with 5.052/4.3985/5.133ns.

Dennis Agyemanh Nana Gookyi,Kwangki Ryoo

DOI: https://doi.org/10.3390/s22083004

2022-04-14

Abstract:The backbone of the Internet of things (IoT) platform consists of tiny low-cost devices that are continuously exchanging data. These devices are usually limited in terms of hardware footprint, memory capacity, and processing power. The devices are usually insecure because implementing standard cryptographic algorithms requires the use of a large hardware footprint which leads to an increase in the prices of devices. This study implements a System-on-Chip (SoC) based lightweight cryptographic core that consists of two encryption protocols, four authentication protocols, and a key generation/exchange protocol for ultra-low-cost devices. The hardware architectures use the concept of resource sharing to minimize the hardware area. The lightweight cryptographic SoC is tested by designing a desktop software application to serve as an interface to the hardware. The design is implemented using Verilog HDL and the 130 nm CMOS cell library is used for synthesis, which results in 33 k gate equivalents at a maximum clock frequency of 50 MHz.

Khai-Minh Ma,Duc-Hung Le,Cong-Kha Pham,Trong-Thuc Hoang

DOI: https://doi.org/10.3390/fi15050186

2023-05-20

Future Internet

Abstract:The security of Internet of Things (IoTs) devices in recent years has created interest in developing implementations of lightweight cryptographic algorithms for such systems. Additionally, open-source hardware and field-programable gate arrays (FPGAs) are gaining traction via newly developed tools, frameworks, and HDLs. This enables new methods of creating hardware and systems faster, more simply, and more efficiently. In this paper, the implementation of a system-on-chip (SoC) based on a 32-bit RISC-V processor with lightweight cryptographic accelerator cores in FPGA and an open-source integrating framework is presented. The system consists of a 32-bit VexRiscv processor, written in SpinalHDL, and lightweight cryptographic accelerator cores for the PRINCE block cipher, the PRESENT-80 block cipher, the ChaCha stream cipher, and the SHA3-512 hash function, written in Verilog HDL and optimized for low latency with fewer clock cycles. The primary aim of this work was to develop a customized SoC platform with a register-controlled bus suitable for integrating lightweight cryptographic cores to become compact embedded systems that require encryption functionalities. Additionally, custom firmware was developed to verify the functionality of the SoC with all integrated accelerator cores, and to evaluate the speed of cryptographic processing. The proposed system was successfully implemented in a Xilinx Nexys4 DDR FPGA development board. The resources of the system in the FPGA were low with 11,830 LUTs and 9552 FFs. The proposed system can be applicable to enhancing the security of Internet of Things systems.

Quan Zhang,Yujie Huang,Yujie Cai,Yalong Pang,Jun Han

DOI: https://doi.org/10.1109/icsict.2018.8564985

2018-01-01

Abstract:A ring learning with errors(RLWE) cryptoprocessor based on the RISC-V instruction set architecture is proposed in this work. The cryptoprocessor is the integration of RISC-V core and co-processor. The co-processor is designed to complete complex polynomial operation such as addition, subtraction and multiplication. And RISC-V core is responsible for sending simple signals to control the operation of co-processor. To support parallel data processing and increase the bandwidth of accessing memory, this work extends vector channels and uses vector paths in internal data bus to transfer data. Besides, Operands adopt a memory-memory approach to reduce the latency of accessing data. The polynomial multiplication chooses the algorithm based on number theoretic transform(NTT). In the cryptosystem, arithmetic operations are performed on the NTT domain, which avoids the frequent operations of conversion to the finite-loop domain. And polynomial processing unit adopts the architecture of 8-lanes commutator to improve the degree of data parallelism. Barrett algorithm is chosen as module reduction operation in finite-loop domain. Simulation results show that RLWE cryptoprocessor operates properly and requires 60.5/22.0us to complete encryption/decryption. Results depict time-taken in encryption and decryption are both reduced comparing to designs based on FPGA Virtrex.

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/iscas.2016.7527456

2016-01-01

Abstract:Ring learning with errors (Ring-LWE) is the basis of various lattice based cryptosystems. The most critical and computationally intensive operation of Ring-LWE based cryptosystems is polynomial multiplication over rings. In this paper, we introduce several optimization techniques to build an efficient polynomial multiplier with the number theoretic transform (NTT). We propose a technique to optimize the bit-reverse operation of NTT and inverse-NTT. With additional optimizations, our polynomial multiplier reduces the required clock cycles from (8n+1.5n lg n) to (2n+1.5n lg n). By exploiting the relationship of the constant factors, our polynomial multiplier is able to reduce the number of constant factors from 4n to 2.5n, which saves about 37.5% ROM storage. In addition, we propose a novel memory access scheme to achieve maximum utilization of the butterfly operator. With these techniques, our polynomial multiplier is capable to perform 57304/26913 polynomial multiplications per second for dimension 256/512 on a Spartan-6 FPGA.

Wei Li,Xiaoyang Zeng,Xiao Feng,Zibin Dai

DOI: https://doi.org/10.1109/uic-atc-scalcom-cbdcom-iop.2015.114

2015-01-01

Abstract:In this paper, a mixture of VLIW and vector architecture of ECC processor is proposed to perform either prime field GF(p) operations or binary field GF(2(m)) operations for arbitrary prime numbers and irreducible polynomials. Besides, an application specific instruction set for ECC is presented to support parallel processing with VLIW instruction structure features and vector register addressing modes. Moreover, a new randomized clock cycle's insertion technique in regular calculation is designed against SPA and DPA attacks with 3% area and 4% power overhead. After implemented in 65-nm CMOS process, our proposed 521-bit dual field elliptic curve cryptographic processor can perform scalar multiplication in 1.3 ms over GF(p(521)) and 0.94 ms over GF(2(521)). Our ECC processor chip is advantageous not only in terms of functionality, scalability, and performance but also in protection against power-analysis attacks.