A Unified Cryptoprocessor for Lattice-Based Signature and Key-Exchange

We propose design methodologies for building a compact, unified and programmable cryptoprocessor architecture that computes post-quantum key agreement and digital signature. Synergies in the two types of cryptographic primitives are used to make the cryptoprocessor compact. As a case study, the cryptoprocessor architecture has been optimized targeting the signature scheme 'CRYSTALS-Dilithium' and the key encapsulation mechanism (KEM) 'Saber,' both finalists in the NIST's post-quantum cryptography standardization project. The programmable cryptoprocessor executes key generations, encapsulations, decapsulations, signature generations, and signature verifications for all the security levels of Dilithium and Saber. On a Xilinx Ultrascale+ FPGA, the proposed cryptoprocessor consumes 18,406 LUTs, 9,323 FFs, 4 DSPs, and 24 BRAMs. It achieves 200 MHz clock frequency and finishes CCA-secure key-generation/encapsulation/decapsulation operations for LightSaber in 29.6/40.4/ 58.3 mu s; for Saber in 54.9/69.7/ 94.9 mu s; and for FireSaber in 87.6/108.0/139.4 mu s, respectively. It finishes key-generation/sign/verify operations for Dilithium-2 in 70.9/ 151.6/75.2 mu s; for Dilithium-3 in 114.7/237/127.6 mu s; and for Dilithium-5 in 194.2/342.1/228.9 mu s, respectively, for the best-case scenario. On UMC 65 nm library for ASIC the latency is improved by a factor of two due to a 2x increase in clock frequency.