International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

SDitH in Hardware

Authors:
Sanjay Deshpande , SandboxAQ, Palo Alto, USA; Yale University, New Haven, USA
James Howe , SandboxAQ, Palo Alto, USA
Jakub Szefer , Yale University, New Haven, USA
Dongze Yue , SandboxAQ, Palo Alto, USA
Download:
DOI: 10.46586/tches.v2024.i2.215-251
URL: https://tches.iacr.org/index.php/TCHES/article/view/11426
Search ePrint
Search Google
Abstract: This work presents the first hardware realisation of the Syndrome-Decodingin-the-Head (SDitH) signature scheme, which is a candidate in the NIST PQC process for standardising post-quantum secure digital signature schemes. SDitH’s hardness is based on conservative code-based assumptions, and it uses the Multi-Party-Computation-in-the-Head (MPCitH) construction. This is the first hardware design of a code-based signature scheme based on traditional decoding problems and only the second for MPCitH constructions, after Picnic. This work presents optimised designs to achieve the best area efficiency, which we evaluate using the Time-Area Product (TAP) metric. This work also proposes a novel hardware architecture by dividing the signature generation algorithm into two phases, namely offline and online phases for optimising the overall clock cycle count. The hardware designs for key generation, signature generation, and signature verification are parameterised for all SDitH parameters, including the NIST security levels, both syndrome decoding base fields (GF256 and GF251), and thus conforms to the SDitH specifications. The hardware design further supports secret share splitting, and the hypercube optimisation which can be applied in this and multiple other NIST PQC candidates. The results of this work result in a hardware design with a drastic reducing in clock cycles compared to the optimised AVX2 software implementation, in the range of 2-4x for most operations. Our key generation outperforms software drastically, giving a 11-17x reduction in runtime, despite the significantly faster clock speed. On Artix 7 FPGAs we can perform key generation in 55.1 Kcycles, signature generation in 6.7 Mcycles, and signature verification in 8.6 Mcycles for NIST L1 parameters, which increase for GF251, and for L3 and L5 parameters.
BibTeX
@article{tches-2024-34050,
  title={SDitH in Hardware},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={024 No. 2},
  pages={215-251},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11426},
  doi={10.46586/tches.v2024.i2.215-251},
  author={Sanjay Deshpande and James Howe and Jakub Szefer and Dongze Yue},
  year=2024
}