ABSTRACT
The first generation of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST) is just around the corner, so the need for secure implementations is increasing. In this work, we address this need and investigate the integration of lattice-based PQC into an open-source silicon root of trust (RoT), the OpenTitan. RoTs are important security building blocks that need to be future-proofed with PQC. The OpenTitan features multiple cryptographic hardware accelerators and countermeasures against physical attacks, but does not offer dedicated support for lattice-based PQC. We therefore propose instruction set extensions for the OpenTitan Big Number Accelerator (OTBN) to improve the efficiency of polynomial arithmetic and sampling. As a case study, we analyze the performance of signature verification for the digital signature scheme Dilithium. Our implementation verifies signatures within 997,722 cycles for security level II, bringing this RoT functionality below 10 ms at the OpenTitan's target frequency of 100 MHz. With an overhead of 242 kGE, our hardware extensions make up only about 5% of the total RoT area. All our extensions integrate seamlessly with countermeasures against physical attacks and comply with the adversary model chosen by the OpenTitan project.
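The polynomial arithmetic and sampling that the OTBN extensions target are, concretely, the number-theoretic transform (NTT) over Dilithium's ring Z_q[x]/(x^256 + 1) and the rejection sampling of uniform coefficients from SHAKE-128 output. The Python below is an added reference-level illustration of both operations, not code from the paper or from the OpenTitan project, and it makes no claim about how the proposed instructions are realised in OTBN. It assumes only the public Dilithium (FIPS 204) parameters q = 8380417 and the primitive 512th root of unity ζ = 1753; the seed bytes and the random polynomial used in the self-check are constructed for the example.

```python
"""Reference arithmetic for the Dilithium ring R_q = Z_q[x]/(x^256 + 1):
forward/inverse NTT, NTT-based multiplication, and uniform rejection sampling
from SHAKE-128.  Constructed illustration, not the paper's or OpenTitan's code.
With zeta a primitive 512th root of unity, x^256 + 1 splits into 256 linear
factors, so NTT-domain multiplication is plain coefficient-wise multiplication."""
import hashlib
import random

Q = 8380417             # 2^23 - 2^13 + 1, the Dilithium modulus
N = 256
ZETA = 1753             # primitive 512th root of unity mod Q
N_INV = pow(N, -1, Q)   # 8347681, scales the inverse transform


def bitrev8(m: int) -> int:
    """Reverse the 8 bits of m (0 <= m < 256)."""
    return int(f"{m:08b}"[::-1], 2)


# zeta^{BitRev8(m)} mod q: the twiddle order used by the FIPS 204 loops
ZETAS = [pow(ZETA, bitrev8(m), Q) for m in range(N)]


def ntt(w):
    """Forward NTT with Cooley-Tukey butterflies (FIPS 204 Algorithm 41)."""
    w = [x % Q for x in w]
    m, length = 0, 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            m += 1
            z = ZETAS[m]
            for j in range(start, start + length):
                t = z * w[j + length] % Q          # one modular multiply per butterfly
                w[j + length] = (w[j] - t) % Q
                w[j] = (w[j] + t) % Q
        length //= 2
    return w


def intt(w_hat):
    """Inverse NTT with Gentleman-Sande butterflies (FIPS 204 Algorithm 42)."""
    w = list(w_hat)
    m, length = N, 1
    while length < N:
        for start in range(0, N, 2 * length):
            m -= 1
            z = (-ZETAS[m]) % Q
            for j in range(start, start + length):
                t = w[j]
                w[j] = (t + w[j + length]) % Q
                w[j + length] = z * (t - w[j + length]) % Q
        length *= 2
    return [N_INV * x % Q for x in w]


def ntt_mul(a, b):
    """a * b in R_q: transform both, multiply coefficient-wise, transform back."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def schoolbook_mul(a, b):
    """Negacyclic convolution (x^256 = -1), kept only as an independent check."""
    acc = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                acc[i + j] += ai * bj
            else:
                acc[i + j - N] -= ai * bj
    return [x % Q for x in acc]


def rej_ntt_poly(seed: bytes):
    """Uniform NTT-domain polynomial by rejection sampling SHAKE-128 output
    (FIPS 204 RejNTTPoly / CoeffFromThreeBytes): take 3 bytes, clear the top
    bit to form a 23-bit candidate, and keep it only if it is below q."""
    coeffs, squeezed = [], 3 * N        # 768 bytes suffice ~99.9% of the time
    while len(coeffs) < N:
        stream = hashlib.shake_128(seed).digest(squeezed)
        coeffs = []
        for i in range(0, len(stream) - 2, 3):
            cand = stream[i] | (stream[i + 1] << 8) | ((stream[i + 2] & 0x7F) << 16)
            if cand < Q:                # rejection keeps the output uniform mod q
                coeffs.append(cand)
                if len(coeffs) == N:
                    break
        squeezed *= 2                   # rare: too many rejections, squeeze more
    return coeffs


def selfcheck(seed: int = 1) -> bool:
    """Round trip and NTT product must agree with the schoolbook product."""
    rng = random.Random(seed)                        # constructed test input
    a = [rng.randrange(Q) for _ in range(N)]
    b = rej_ntt_poly(b"example-seed")                # constructed seed
    return intt(ntt(a)) == a and ntt_mul(a, b) == schoolbook_mul(a, b)


if __name__ == "__main__":
    print("NTT arithmetic consistent:", selfcheck())
```

The NTT route costs O(n log n) butterflies, each a modular multiply followed by an add and a subtract, instead of the n² coefficient products of the schoolbook check, and the sampler spends its time on a 3-byte compare-and-keep per candidate; those two inner loops are what an accelerator has to make cheap, which is why polynomial arithmetic and sampling are the operations the abstract singles out for dedicated instructions.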
Paper: Enabling Lattice-Based Post-Quantum Cryptography on the OpenTitan Platform