Abstract
Empowering electronic devices to support Post-Quantum Cryptography (PQC) is a challenging task. PQC introduces new mathematical elements and operations which are usually not easy to implement on standard processors. Especially for low cost and resource constraint devices, hardware acceleration is usually required. In addition, as the standardization process of PQC is still ongoing, a focus on maintaining flexibility is mandatory. To cope with such requirements, hardware/software co-design techniques have been recently used for developing complex and highly customized PQC solutions. However, while most of the previous works have developed loosely coupled PQC accelerators, the design of tightly coupled accelerators and Instruction Set Architecture (ISA) extensions for PQC have been barely explored. To this end, we present RISQ-V, an enhanced RISC-V architecture that integrates a set of powerful tightly coupled accelerators to speed up lattice-based PQC. RISQ-V efficiently reuses processor resources and reduces the amount of memory accesses. This significantly increases the performance while keeping the silicon area overhead low. We present three contributions. First, we propose a set of powerful hardware accelerators deeply integrated into the RISC-V pipeline. Second, we extended the RISC-V ISA with 29 new instructions to efficiently perform operations for lattice-based cryptography. Third, we implemented our RISQ-V in ASIC technology and on FPGA. We evaluated the performance of NewHope, Kyber, and Saber on RISQ-V. Compared to the pure software implementation on RISC-V, our co-design implementations show a speedup factor of up to 11.4 for NewHope, 9.6 for Kyber, and 2.7 for Saber. For the ASIC implementation, the energy consumption was reduced by factors of up to 9.5 for NewHope, 7.7 for Kyber, and 2.1 for Saber. The cell count of the CPU was increased by a factor of 1.6 compared to the original RISC-V design, which can be considered as a moderate increase for the achieved performance gain.
Highlights
Public-Key Cryptography (PKC) provides the basis for establishing secured communication channels between multiple parties
The evaluation was performed for the Chosen Ciphertext Attacks (CCA) variants with different security levels
To analyze the influence of our accelerators on the two performance bottlenecks, we provide for each scheme and parameter set four implementations: i) baseline implementation; ii) implementation with optimized modular arithmetic and Number Theoretic Transform (NTT) computations; iii) implementation with optimized polynomial sampling; and iv) implementation with all optimizations presented in this work
Summary
Public-Key Cryptography (PKC) provides the basis for establishing secured communication channels between multiple parties. The security of the PKC in use today is mainly based on the hardness of two mathematical problems, the factorization of large numbers (e.g., RSA) and the calculation of discrete logarithms (e.g., ECC) Both problems can be solved in polynomial time when a large-scale quantum computer is built. Post-quantum cryptography refers to a set of algorithms based on different hard mathematical problems that are considered secure against traditional and quantum computer attacks. It can be deployed on both classical. In contrast to the plain LWE problem, R-LWE replaces n-dimensional vectors by polynomials of degree smaller than n These polynomials are an element of the ring R = Zq/ φ(x) , with integers n and q, and the cyclotomic polynomial φ(x) that is usually chosen to be xn + 1. The basic R-LWE instance can be written as in Eq (1), where a is a public polynomial, s a secret polynomial and e an error polynomial
Sign-in/Register to view highlights & summary 
Published Version (
Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call