Abstract
In recent years, a substantial amount of research has been conducted and progress made in the area of quantum computers. Small functional prototypes have already been reported. If they scale as expected, they will eventually be able to break current public-key cryptosystems. The goal of post-quantum cryptography is to develop cryptographic systems that are secure against attacks from both quantum and classical computers. Frequently cited post-quantum signature schemes are based on the security of hash functions. A promising candidate in this group is SPHINCS-256. This paper presents the first FPGA-based hardware accelerator for SPHINCS-256. It can be implemented on an entry-level FPGA, occupying roughly 19,000 LUTs, 38,000 FFs and 36 BRAMs. On a Kintex-7 Xilinx FPGA, signing takes 1.53 milliseconds, and verification needs only 65 microseconds. The area and throughput of the accelerator are in a range that outperforms today's widely used RSA signature scheme, and its performance can even keep up with ECDSA accelerators. Hence, SPHINCS-256 is a strong candidate to replace RSA and ECDSA in a post-quantum world.
Highlights
At the time of writing, it is still not clear whether large-scale quantum computers will ever be feasible
It will be essential that all digital signing systems based on RSA or ECDSA be replaced by a system that resists quantum computer attacks before large-scale quantum computers become available
We showed that the SPHINCS signature scheme can be extensively parallelized
Summary
At the time of writing, it is still not clear whether large-scale quantum computers will ever be feasible. It will be essential that all digital signing systems based on RSA or ECDSA be replaced by a system that resists quantum computer attacks before large-scale quantum computers become available. Several approaches that enable quantum-computer-safe signing can be found in the literature. Most of these so-called post-quantum signature schemes can be assigned to one of the following four groups [BL17]:

1. Lattice-based signature schemes: They are often favored as replacement candidates, because operations are usually faster compared to ECDSA and RSA. Key and signature sizes are only moderately larger. Their security level is not at all clear, especially with respect to quantum computers