Performance and Communication Cost of Hardware Accelerators for Hashing in Post-Quantum Cryptography

Abstract

SPHINCS+ is a signature scheme included in the first NIST post-quantum standard, that bases its security on the underlying hash primitive. As most of the runtime of SPHINCS+ is caused by the evaluation of several hash- and pseudo-random functions, offloading this computation to dedicated hardware accelerators is a natural step. In this work, we evaluate different architectures for hardware acceleration of such a hash primitive with respect to its use-case and evaluate them in the context of SPHINCS+. We attach hardware accelerators for different hash primitives (SHAKE128 and Ascon-Xof for both, full and round-reduced versions) to CPU interfaces having different transfer speeds. We show, that for most use-cases, data transfer determines the overall performance if accelerators are equipped with FIFOs and that reducing the number of rounds in the permutation does not necessarily lead to significant performance improvements when using hardware acceleration. This work extends on a conference paper accepted at COSADE’24, first published in [19], and written by the same authors, where different architectures for hardware accelerators of hash functions are benchmarked and evaluated for SPHINCS+ as a case study. In this paper, we provide results for additional parameter sets for SPHINCS+ and improve the performance of one of the accelerators by adding an additional RISC-V instruction for faster absorption. We then extend the performance benchmark by including the algorithms CRYSTALS-Kyber, CRYSTALS-Dilithium and Falcon. Finally we provide a power/energy comparison for the accelerators.