A Compact and Scalable Hardware/Software Co-design of SIKE

We present efficient and compact hardware/software co-design implementations of the Supersingular Isogeny Key Encapsulation (SIKE) protocol on field-programmable gate arrays (FPGAs). In order to be better equipped for different post-quantum scenarios, our architectures were designed for high flexibility: they cover all the currently available parameter sets and support primes up to 1016 bits. In particular, any of the current SIKE parameters equivalent to the post-quantum security of AES-128/192/256 and SHA3-256 can be selected and run on-the-fly. This security scalability, together with the small footprint and efficiency of our architectures, makes them ideal for embedded applications in a post-quantum world. In addition, the proposed implementations exhibit regular, constant-time execution, which provides protection against timing and simple side-channel attacks. Our results demonstrate that supersingular isogeny-based primitives such as SIDH and SIKE can indeed be deployed for embedded applications with competitive performance. For example, our smallest architecture, based on a 128-bit MAC unit, takes only 3415 slices, 21 BRAMs and 57 DSPs on a Virtex 7 690T and can perform key generation, encapsulation and decapsulation in 14.4, 24.4 and 26.0 milliseconds for SIKEp434 and in 52.3, 86.4 and 93.2 milliseconds for SIKEp751, respectively.
