A 334-µW 0.158-mm² ASIC for Post-Quantum Key-Encapsulation Mechanism Saber With Low-Latency Striding Toom-Cook Multiplication
Saved in:

| Published in: | IEEE Journal of Solid-State Circuits, pp. 1-16 |
|---|---|
| Main authors: | , , , , , , |
| Format: | Journal Article |
| Language: | English |
| Published: | IEEE, 22.03.2023 |
| Subjects: | |
| ISSN: | 0018-9200 |
| Online access: | Full text |
| Summary: | Lattice-based cryptography is a novel approach to public key cryptography (PKC) whose mathematical investigation (so far) resists attacks from quantum computers. By choosing a module learning with errors (MLWE) algorithm as the next standard, the National Institute of Standards and Technology (NIST) follows this approach. The multiplication of polynomials is the central bottleneck in the computation of lattice-based cryptography. Because PKC is mostly used to establish common secret keys, the focus is on compact area, power, and energy budget and, to a lesser extent, on throughput or latency. While most other work focuses on optimizing number theoretic transform (NTT)-based multiplications, in this article we highly optimize a Toom-Cook-based multiplier. We demonstrate that a memory-efficient striding Toom-Cook with lazy interpolation results in a highly compact, low-power implementation which, on top, enables a very regular memory access scheme. To demonstrate the efficiency, we integrate this multiplier into a Saber post-quantum accelerator, one of the four NIST finalists. Algorithmic innovation to reduce active memory, timely clock gating, and a shift-add multiplier have helped to achieve 38% less power than the state-of-the-art post-quantum cryptography (PQC) core, 4× less memory, a 36.8% reduction in multiplier energy, and a 118× reduction in active power with respect to the state-of-the-art Saber accelerator (not silicon verified). This accelerator consumes 0.158 mm² of active area, which is the lowest reported to date despite the process disadvantages of the state-of-the-art designs. |
| DOI: | 10.1109/JSSC.2023.3253425 |