

# A RISC-V BASED ACCELERATOR FOR POST QUANTUM CRYPTOGRAPHY

Ambily Suresh, Manuel Freiberger, Andrew Wilson, Diego Gigena-Ivanovich, Willibald Krenn

Funded by

 Federal Ministry Innovation, Mobility and Infrastructure Republic of Austria















### SILICON AUSTRIA LABS

SAL
SILICON AUSTRIA LABS

What do we do?

Silicon Austria Labs (SAL), established in 2018, is a European **R&D center** with a focus on the development of efficient and trustworthy technologies in the field of **electronic systems.** 

- Industry-oriented research
- R&D services
- Well-equipped research infrastructures
- Customized opportunities for co-operation



### THE ISOLDE PROJECT



- HIgh Performance, Safe, Secure, Open-Source
   Leveraged RISC-V Domain-Specific Ecosystems
- Chips-JU + FFG funding for Austrian partners
- May 2023 to April 2026
- Around 40 partners from 9 countries
- Enhance European high-performance RISC-Vbased Systems-on-a-Chip (SoC)
- Development of advanced architectures, novel accelerators, and reusable IPs











This research received funding from the Austrian Research Promotion Agency and the Austrian ministry for Climate Action, Environment, Energy, Mobility, Innovation, and Technology under project **FO999899263** and the Chips Joint Undertaking and its members Austria, Czechia, France, Germany, Italy, Romania, Spain, Sweden, and Switzerland under the ISOLDE project (no. **101112274**)

### **RISC-V TOPICS @ SAL**



### Post Quantum Cryptography

- Evaluate candidate algorithms for hardware implementation
- Quantum-safe encryption for resource constrained, edge environments

### Edge AI

- Minimize privacy risks through local Al acceleration.
- Speed up neural network processing for efficient, low-latency AI on edge devices

### Integration with RISC-V platform

- Customizable and cost-effective RC
- HW-SW co-development for custom instructions



Applications: Automotive, IoT

### POST QUANTUM CRYPTOGRAPHY



- "...secure against both quantum and classical computers..."
- "...interoperate with existing communications protocols and networks..."
- Candidates from the NIST PQC standardization process



 Final selection in 2024 - CRYSTALS Kyber (For general encryption), CRYSTALS Dilithium, Falcon, and SPHINCS+ (Digital Signatures)

### THE MCELIECE CRYPTO SYSTEM





*m* ... message (binary vector)



- S ... invertible matrix
- *G* ... generator matrix (error-correcting code)
- P ... permutation matrix



$$c = m\hat{G} + e_t$$

t bits of error

$$\hat{G} = SGP$$

$$c = m\hat{G} + e_t$$

$$c = mSGP + e_t$$
 t bits of error

$$cP^{-1} = (mSGP + e_t)P^{-1} = mSG + e_tP^{-1}$$

$$c' = mS$$

$$c'S^{-1} = m$$



### THE MCELIECE CRYPTO SYSTEM



- Fast encrypt. & decrypt., hardened against SCA
- Proven resilience (since 1978) for high-security applications (military, space)
- Large key sizes Handling of large memory

| Parameter Set   | Security<br>Level | Public<br>Key | Private Key<br>Size | Ciphertext<br>Size |
|-----------------|-------------------|---------------|---------------------|--------------------|
| mceliece348864  | 1 (~128-bit)      | 256 KB        | 6,492 bytes         | 128 bytes          |
| mceliece460896  | 3 (~192-bit)      | 512 KB        | 13,060 bytes        | 188 bytes          |
| mceliece6688128 | 5 (~256-bit)      | 1.0 MB        | 13,892 bytes        | 240 bytes          |
| mceliece6960119 | Level 5           | 1.0 MB        | 13,948 bytes        | 226 bytes          |
| mceliece8192128 | Level 5           | 1.3 MB        | 14,120 bytes        | 240 bytes          |



### IMPLEMENTATION CHALLENGES



| Parameter Set   | Security<br>Level | m  | n    | t   | k    | n – k | Public Key  |
|-----------------|-------------------|----|------|-----|------|-------|-------------|
| mceliece348864  | 1 (128-bit)       | 12 | 3488 | 64  | 2720 | 768   | 768 × 2720  |
| mceliece460896  | 3 (192-bit)       | 13 | 4608 | 96  | 3359 | 1249  | 1249 × 3359 |
| mceliece6688128 | 5 (256-bit)       | 13 | 6688 | 128 | 5024 | 1664  | 1664 × 5024 |
| mceliece6960119 | 5                 | 13 | 6960 | 119 | 5283 | 1677  | 1677 × 5283 |
| mceliece8192128 | 5                 | 13 | 8192 | 128 | 6528 | 1664  | 1664 × 6528 |

### Matrix systemization

WSN '16, '17, '18, Chen et al. '23

### Polynomial evaluation



https://fprox.substack.com

### **ACCELERATOR IMPLEMENTATION**



### **Objectives**

- Accelerating primitives in current opensource HW & SW implementations
- This work optimizing the FFT module used in
  - Keygen for the parity check matrix H
  - Decap for the error locator polynomial  $\sigma(x)$
  - Based on NTT implementations
- Optimize the timing and area performance



Open-source IPs are shown in white Blocks from SAL are highlighted



### HARDWARE IMPLEMENTATION



#### **Current Status**

- Simulations and synthesis for AMD VCU128 FPGA
  - the ISOLDE automotive demonstrator
  - Integration with CVA6<sup>1</sup> core with an AXI4<sup>2</sup> interface
    - IPs from ISOLDE and TRISTAN
  - Loosely coupled accelerator
- SW codesign with a reference C implementation
  - Exploring CV-X-IF based coprocessor

| Module | LUTs  | Latency | Time x Area | Speed-up* |
|--------|-------|---------|-------------|-----------|
| Encap  | 977   | 0.14 ms | 0.13        | -         |
| Decap  | 17109 | 0.16 ms | 2.74        | 1.6       |
| Keygen | 26674 | 1.16 ms | 30.94       | 1.3       |

<sup>\*</sup> comparing cycle counts to SOTA Taylor series-based algorithm



Vivado Implementation for mceliece348864 in VCU128

### **SUMMARY AND FUTURE**



- The CM cryptosystem has proven resilience despite the memory challenges
- Multiple operations to optimize
  - Primitives can be reused for multiple applications – PQC or otherwise
- Current design is WIP but feasible approach for embedded HW in timing & area estimates
- RISC-V based design seamless integration of toolchains, simulator, peripheral IPs
  - Tightly coupled coprocessors through X-IF
- Chips-JU projects play a crucial role in advancing the RISC-V ecosystem

### Visit our poster - P1.1.10!

### **Future plans**

- SoC for acceleration of distributed learning tasks via Quantum-Safe Cryptography
- Integration of the FW and SW framework (LLVM/MLIR)























































www.isolde-project.eu





www.linkedin.com/company/isolde-project/



## UNFOLD THE FUTURE

WWW.SILICON-AUSTRIA-LABS.COM



| Hash-based             | Code-based                     | Lattice-based                        | Other types              |
|------------------------|--------------------------------|--------------------------------------|--------------------------|
| One-time<br>signatures | Error correcting codes         | Nearest point in lattices            | Multivariate,<br>Isogeny |
| SPHINCS+,<br>XMSS      | Classic McEliece,<br>BIKE, HQC | CRYSTALS Kyber,<br>Dilithium, Falcon | Rainbow,<br>SIKE         |







