LWE crypto in HLS on FPGA

Code version 1.0, July 2020

Credits

General Description

In the context of the Post-Quantum Cryptography (PQC) standardisation effort launched by NIST in 2016, we implemented and optimized various hardware architectures for round-2 lattice-based KEM candidates: LWE, RLWE and MLWE, using parameter sets from Frodo, NewHope and Kyber respectively. Several variants of our architectures are available: multiple levels of parallelism for various speed/area trade-offs, several choices for the PRNG (Trivium, SHAKE or both), and CPA-secure and CCA-secure solutions. Our FPGA implementations (on Xilinx Virtex-7 devices) are described in C and implemented using high-level synthesis (HLS) tools (Xilinx Vivado v2018.1). They perform better than most of the VHDL/Verilog implementations reported in the literature. Our code and synthesis configuration scripts are distributed as open-source hardware under the CeCILL-B license in the LWE-HLS-FPGA repository.

Example of a parallel architecture for the matrix-vector multiplication in MLWE-768 (see reference 1)
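The product t = A·s + e that this architecture parallelises, written here as a sequential plain-C reference model (an added example, not the project's HLS code). It assumes the Kyber-768 parameters n = 256, q = 3329, k = 3 for MLWE-768 and uses a schoolbook negacyclic multiplication instead of an optimised datapath, so that the ring reduction x^n = -1 is visible in the code:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed MLWE-768 (Kyber-768, NIST round 2) parameters: ring Z_q[x]/(x^N + 1), module rank K. */
#define N 256
#define Q 3329
#define K 3

typedef struct { int16_t c[N]; } poly;   /* coefficients kept in [0, Q) */

/* r += a * b mod (x^N + 1, Q), schoolbook negacyclic product. */
static void poly_mul_acc(poly *r, const poly *a, const poly *b) {
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++) {
            int32_t prod = (int32_t)a->c[i] * b->c[j];      /* < Q^2, fits in int32 */
            int k = i + j;                                  /* degree of x^i * x^j */
            if (k >= N) { k -= N; prod = -prod; }           /* x^N = -1 in the ring */
            int32_t acc = (r->c[k] + prod) % Q;
            r->c[k] = (int16_t)(acc < 0 ? acc + Q : acc);
        }
}

/* t = A * s + e: the MLWE matrix-vector product, A is K x K polynomials, s and e are K-vectors. */
void mlwe_matvec(poly t[K], poly A[K][K], const poly s[K], const poly e[K]) {
    for (int i = 0; i < K; i++) {
        t[i] = e[i];                                        /* start from the error term */
        for (int j = 0; j < K; j++) poly_mul_acc(&t[i], &A[i][j], &s[j]);
    }
}

/* Constructed self-check with hand-computable inputs (not test vectors from the project). */
int mlwe_matvec_selfcheck(void) {
    static poly A[K][K], s[K], e[K], t[K];
    memset(A, 0, sizeof A); memset(s, 0, sizeof s); memset(e, 0, sizeof e);
    s[0].c[255] = 1;      /* s0 = x^255; s1 = s2 = 0 */
    A[0][0].c[1] = 1;     /* A00 = x       -> x * x^255 = x^256 = -1 */
    A[1][0].c[0] = 1;     /* A10 = 1       -> x^255 */
    A[2][0].c[255] = 2;   /* A20 = 2x^255  -> 2x^510 = -2x^254 */
    e[0].c[0] = 7; e[1].c[0] = 5;
    mlwe_matvec(t, A, s, e);
    /* Expected: t0 = 7 - 1 = 6, t1 = x^255 + 5, t2 = (Q - 2) x^254; every other coefficient zero. */
    int ok = t[0].c[0] == 6 && t[1].c[255] == 1 && t[1].c[0] == 5 && t[2].c[254] == Q - 2;
    for (int i = 0; i < K; i++)
        for (int n = 0; n < N; n++) {
            int nonzero = (i == 0 && n == 0) || (i == 1 && (n == 0 || n == 255)) || (i == 2 && n == 254);
            if (!nonzero && t[i].c[n] != 0) ok = 0;
        }
    return ok;
}

int main(void) { printf("MLWE-768 matvec self-check %s\n", mlwe_matvec_selfcheck() ? "passed" : "FAILED"); return 0; }
```

The nested loops are the part that an HLS design unrolls and pipelines across several multiply-accumulate units; the self-check exercises exactly the wrap-around case where parallel accumulation must still apply the sign flip.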

Supported Cryptosystems

To use our implementations, please refer to the internal documentation provided in the README file of the LWE-HLS-FPGA repository; it includes details on the commands to be used and the tool configuration. Our C code is quite generic, and it should be easy to adapt or extend it to other parameters, as well as to port it to other FPGAs and HLS tools. All our implementations have been extensively tested using functional simulation against mathematical values computed with the Sage mathematical software.

For the RLWE cryptosystem, we also provide a set of protections against side-channel attacks: state-of-the-art countermeasures, new ones, and combinations of them (masking, blinding, shuffling, shifting). For more details, please refer to the specific folder in the global archive and to reference 2.

References

The motivations, analysis of the state of the art, algorithms, security aspects, proposed architectures and implementation results are detailed in the following papers:

  1. Lattice-based Cryptosystems on FPGA: Parallelization and Comparison.
    By T. Zijlstra, K. Bigou, and A. Tisserand.
    Submitted for publication in June 2020.

  2. FPGA Implementation and Comparison of Protections against SCAs for RLWE.
    By T. Zijlstra, K. Bigou, and A. Tisserand.
    Proc. International Conference on Cryptology in India (IndoCrypt), Dec. 2019,
    DOI: 10.1007/978-3-030-35423-7_27
    PDF access

Acknowledgments

This work was partially funded by a PhD grant from PEC - DGA - Région Bretagne. We sincerely thank Xilinx for University Program donations.