
Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols (1910.07557v2)

Published 16 Oct 2019 in cs.CR and cs.AR

Abstract: Public key cryptography protocols, such as RSA and elliptic curve cryptography, will be rendered insecure by Shor's algorithm when large-scale quantum computers are built. Cryptographers are working on quantum-resistant algorithms, and lattice-based cryptography has emerged as a prime candidate. However, high computational complexity of these algorithms makes it challenging to implement lattice-based protocols on low-power embedded devices. To address this challenge, we present Sapphire - a lattice cryptography processor with configurable parameters. Efficient sampling, with a SHA-3-based PRNG, provides two orders of magnitude energy savings; a single-port RAM-based number theoretic transform memory architecture is proposed, which provides 124k-gate area savings; while a low-power modular arithmetic unit accelerates polynomial computations. Our test chip was fabricated in TSMC 40nm low-power CMOS process, with the Sapphire cryptographic core occupying 0.28 mm2 area consisting of 106k logic gates and 40.25 KB SRAM. Sapphire can be programmed with custom instructions for polynomial arithmetic and sampling, and it is coupled with a low-power RISC-V micro-processor to demonstrate NIST Round 2 lattice-based CCA-secure key encapsulation and signature protocols Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations. All key building blocks of Sapphire are constant-time and secure against timing and simple power analysis side-channel attacks. We also discuss how masking-based DPA countermeasures can be implemented on the Sapphire core without any changes to the hardware.

Citations (178)

Summary

  • The paper introduces Sapphire, a configurable crypto-processor optimized for post-quantum lattice-based protocols through innovations like a low-power modular arithmetic unit and single-port RAM.
  • Fabricated on 40nm CMOS, the Sapphire chip demonstrates substantial energy efficiency and performance gains for protocols like NewHope and CRYSTALS-Kyber.
  • Sapphire's programmable architecture supports evolving lattice schemes and incorporates constant-time building blocks to enhance security against side-channel attacks.

Analysis of Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-Based Protocols

The paper introduces Sapphire, a dedicated cryptographic processor designed to address the high computational demands of post-quantum lattice-based cryptographic protocols. Since classical protocols such as RSA and ECC are expected to fall to quantum attacks, lattice-based cryptography has risen as a noteworthy contender because it resists those attacks. Sapphire seeks to optimize both performance and energy efficiency when executing protocols built on lattice problems, notably learning with errors (LWE) and its variants.

Key Contributions

The paper posits several architectural innovations calling attention to Sapphire's design ethos and performance metrics, which include:

  1. Modular Arithmetic Unit: The processor integrates a low-power modular arithmetic unit, facilitating accelerated polynomial operations under configurable parameters, establishing notable energy savings of up to threefold compared to conventional implementations.
  2. Single-Port RAM Architecture: Eschewing dual-port SRAMs, Sapphire employs a single-port RAM-based architecture to achieve substantial area savings without sacrificing performance, optimizing for energy-efficient polynomial transformations using the Number Theoretic Transform (NTT).
  3. Sampling Optimization: Incorporating a Keccak-based pseudo-random number generator (PRNG), efficient sampling methodologies are employed, leading to substantial reductions in computational overhead for probabilistic sampling operations crucial for protocol security.
  4. Programmability: Sapphire's instruction set is tailored to lattice protocol requirements, allowing custom instructions for polynomial arithmetic and sampling; the core is coupled with a RISC-V microprocessor to run complete cryptographic protocols end to end.
  5. Side-Channel Attack Mitigation: Fundamental building blocks are constant-time, securing the processor against timing side-channel exploits, with examinations on masking-based differential power analysis (DPA) countermeasures proposed without fundamental hardware alterations.
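As an added illustration (not code from the paper or the Sapphire project), the following shows the negacyclic NTT polynomial multiplication in Z_q[x]/(x^n + 1) that the NTT memory architecture and modular arithmetic unit accelerate; the inner butterfly loop is the operation the hardware performs in place. The modulus q = 12289 is NewHope's; the small n and the input polynomials are constructed for checking against schoolbook multiplication.

```python
# Negacyclic NTT multiplication in Z_q[x]/(x^n + 1), the operation Sapphire's
# NTT unit and modular arithmetic unit accelerate. Constructed parameters:
# q = 12289 (NewHope modulus); n is kept small so results can be checked by hand.
Q = 12289  # q - 1 = 2^12 * 3, so 2n-th roots of unity exist for power-of-two n <= 2048

def root_of_unity(order, q=Q):
    """Primitive `order`-th root of unity mod q; `order` is a power of two dividing q-1."""
    assert order & (order - 1) == 0 and (q - 1) % order == 0
    for g in range(2, q):
        w = pow(g, (q - 1) // order, q)
        if pow(w, order // 2, q) != 1:  # w^(order/2) == -1 iff w has exact order `order`
            return w

def bit_reverse(a):
    """Reorder coefficients bit-reversed, as an in-place hardware NTT does."""
    bits = len(a).bit_length() - 1
    return [a[int(bin(i)[2:].zfill(bits)[::-1], 2)] for i in range(len(a))]

def ntt(a, omega, q=Q):
    """Iterative Cooley-Tukey NTT; omega is a primitive n-th root of unity mod q."""
    n, a, length = len(a), bit_reverse(a), 2
    while length <= n:
        w_len = pow(omega, n // length, q)
        for start in range(0, n, length):
            w = 1
            for j in range(length // 2):
                u, v = a[start + j], a[start + j + length // 2] * w % q
                a[start + j], a[start + j + length // 2] = (u + v) % q, (u - v) % q  # butterfly
                w = w * w_len % q
        length *= 2
    return a

def intt(a_hat, omega, q=Q):
    """Inverse NTT: forward NTT with omega^-1, then scale by n^-1."""
    inv_n = pow(len(a_hat), q - 2, q)
    return [x * inv_n % q for x in ntt(a_hat, pow(omega, q - 2, q), q)]

def negacyclic_mul(f, g, q=Q):
    """f * g mod (x^n + 1): pre-twist by psi^i, pointwise multiply, post-twist by psi^-i."""
    n, psi = len(f), root_of_unity(2 * len(f), q)
    omega, inv_psi = psi * psi % q, pow(psi, q - 2, q)
    twist = lambda p: [p[i] * pow(psi, i, q) % q for i in range(n)]
    h_hat = [x * y % q for x, y in zip(ntt(twist(f), omega, q), ntt(twist(g), omega, q))]
    return [h * pow(inv_psi, i, q) % q for i, h in enumerate(intt(h_hat, omega, q))]

def schoolbook_negacyclic_mul(f, g, q=Q):
    """Reference O(n^2) product modulo x^n + 1 for checking the NTT path."""
    n, h = len(f), [0] * len(f)
    for i in range(n):
        for j in range(n):
            sign, k = (1, i + j) if i + j < n else (-1, i + j - n)  # x^n = -1
            h[k] = (h[k] + sign * f[i] * g[j]) % q
    return h
```

The n-th root for a real NewHope-size polynomial (n = 512 or 1024) is obtained the same way; only the wrap-around sign in the schoolbook reference and the pre/post-twist distinguish the negacyclic ring from plain cyclic convolution.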

Experimental Evaluation and Implications

The chip, fabricated in TSMC's 40nm CMOS process, exhibits substantial performance gains, promising up to an order of magnitude improvement in performance and energy efficiency compared to state-of-the-art hardware implementations. Significant reductions in power consumption are noted when executing protocols such as NewHope, CRYSTALS-Kyber, qTESLA, and Frodo. Moreover, Sapphire's configurable parameters let it cover a range of lattice configurations (conducive to evolving cryptographic standards) without fixing the hardware to a single scheme.

The theoretical implications postulate that with its configurability, Sapphire can efficiently support evolving lattice schemes like Saber and Round5. Furthermore, the architectural basis of Sapphire encourages exploration into non-lattice cryptographic implementations, thereby broadening the practical applications through efficient arithmetic and hashing optimizations.

Future Research Directions

The prospect of further configurability, enhanced protection against differential power attacks, and exploration of non-lattice post-quantum protocols provides viable pathways for advancing cryptographic processors like Sapphire. As quantum computing capabilities scale, so will the demand for robust yet agile cryptographic solutions. Sapphire, with its foundational design, stands as a promising candidate in post-quantum cryptography, setting a precedent for further scalable research and development.

In conclusion, the paper comprehensively delineates Sapphire’s impactful contributions to post-quantum cryptography through its dedicated hardware innovations. It positions itself as not only a potential solution to post-quantum cryptographic demands but also an exemplar for further research efforts in secure and efficient cryptographic hardware.