IEEE Access (Jan 2024)

Hardware Acceleration of Crystals-Kyber in Low-Complexity Embedded Systems With RISC-V Instruction Set Extensions

  • Carlos Gewehr,
  • Lucas Luza,
  • Fernando Gehm Moraes

DOI
https://doi.org/10.1109/access.2024.3416812
Journal volume & issue
Vol. 12
pp. 94477 – 94495

Abstract

The imminent rise of practical quantum computing threatens well-established cryptographic algorithms for secret key exchange in use today, such as Diffie-Hellman, RSA and elliptic-curve-based schemes. To answer this challenge, the National Institute of Standards and Technology (NIST) launched a competition for Key Encapsulation Mechanism (KEM) algorithms resistant to classical and quantum-based attacks. In July 2022, NIST announced that the Crystals-Kyber algorithm was chosen as the competition’s winner, being standardized as ML-KEM. This work explores hardware acceleration through Instruction Set Extensions (ISEs) in a low-end 32-bit RISC-V core (Ibex), in a comprehensive evaluation of performance, energy consumption, memory footprint and die area costs. Four different parametrizations of Kyber symmetric primitives are evaluated: the well-known SHA-3 and AES/SHA-2 based versions (Kyber-FIPS202 and Kyber-90s), and two novel parametrizations using Ascon and TurboSHAKE (Kyber-Ascon and Kyber-Turbo). Hardware acceleration of symmetric primitives in Kyber-90s with the Zkne and Zknh ISEs shows performance and energy gains of 42% and 37% for Kyber-512 encapsulation. Combining the acceleration of primitives with a novel Xkyber ISE accelerating polynomial arithmetic, CBD sampling and coefficient compression, further gains of 47% and 41% in performance and energy consumption are observed (for Kyber-512 encapsulation), while also reducing Kyber code size by 15%. Xkyber area costs are 13% of the baseline Ibex processor with no ISEs, or 4.3K equivalent gates. Software and RTL implementations are publicly available at github.com/cggewehr/RISCV-crypto.

Keywords