Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols

Author(s)
Banerjee, UtsavUkyab, Tenzin SChandrakasan, Anantha P
Thumbnail
DownloadPublished version (7.340Mb)
Publisher with Creative Commons License
Terms of use
Creative Commons Attribution 4.0 International License https://creativecommons.org/licenses/by/4.0
Metadata
Show full item record
Abstract
<jats:p>Public key cryptography protocols, such as RSA and elliptic curve cryptography, will be rendered insecure by Shor’s algorithm when large-scale quantum computers are built. Cryptographers are working on quantum-resistant algorithms, and lattice-based cryptography has emerged as a prime candidate. However, high computational complexity of these algorithms makes it challenging to implement lattice-based protocols on low-power embedded devices. To address this challenge, we present Sapphire – a lattice cryptography processor with configurable parameters. Efficient sampling, with a SHA-3-based PRNG, provides two orders of magnitude energy savings; a single-port RAM-based number theoretic transform memory architecture is proposed, which provides 124k-gate area savings; while a low-power modular arithmetic unit accelerates polynomial computations. Our test chip was fabricated in TSMC 40nm low-power CMOS process, with the Sapphire cryptographic core occupying 0.28 mm2 area consisting of 106k logic gates and 40.25 KB SRAM. Sapphire can be programmed with custom instructions for polynomial arithmetic and sampling, and it is coupled with a low-power RISC-V micro-processor to demonstrate NIST Round 2 lattice-based CCA-secure key encapsulation and signature protocols Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations. All key building blocks of Sapphire are constant-time and secure against timing and simple power analysis side-channel attacks. We also discuss how masking-based DPA countermeasures can be implemented on the Sapphire core without any changes to the hardware.</jats:p>
Date issued
2019
URI
https://hdl.handle.net/1721.1/142901
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Journal
IACR Transactions on Cryptographic Hardware and Embedded Systems
Publisher
Universitatsbibliothek der Ruhr-Universitat Bochum
Citation
Banerjee, Utsav, Ukyab, Tenzin S and Chandrakasan, Anantha P. 2019. "Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols." IACR Transactions on Cryptographic Hardware and Embedded Systems.
Version: Final published version
Collections