Area-Time Efficient Hardware Architecture for CRYSTALS-Kyber

Abstract

This paper presents a novel area-time efficient hardware architecture of the lattice-based CRYSTALS-Kyber, which has entered the third round of the post-quantum cryptography standardization competition hosted by the National Institute of Standards and Technology. By developing a dual-path delay feedback number theoretic transform multiplier dedicating for Kyber parameter set and deploying this multiplier in the Kyber architecture, the key generation, encryption, and decryption operations are accelerated substantially. Furthermore, the proposed architecture offers the best value of area-time product in comparison with existing approaches. The implementation results on Xilinx Vivado targeted for Virtex-7 FPGA board demonstrate that the proposed Kyber cryptoprocessor completes encryption and decryption operations in approximately 57.5 μs at the highest frequency of 226 MHz. Furthermore, the area-time product value when using the proposed Kyber architecture is improved by at least twofold compared with existing architectures.

1. Introduction

Existing public key cryptography schemes such as Rivest-Shamir-Adleman and elliptic curve cryptography can be broken by powerful quantum computers running Shor’s algorithm [1]. Consequently, post-quantum cryptography (PQC) has attracted immense attention from the research community [2,3,4,5,6] during the last few years. The National Institute of Standards and Technology (NIST) began promoting standardization of PQC [7] in 2016 through a competition. This competition attracted a large number of submissions, demonstrating the keen interest that has been engendered. There were initially 69 submissions, but only 25 and 16, respectively, remained after the first and second rounds. The results of round three are expected to be announced in 2022. Among the finalists of round three, CRYSTALS-Kyber [8,9] is considered a very promising candidate.

Implementations of Kyber have been described in recent works in pure software design [8,10,11], software-hardware codesign [11], and pure hardware design [11,12,13,14]. Authors in [8] presented the implementation of Kyber on Intel and ARM Cortex-M4 CPUs. In [11], authors reported the software implementation of Kyber using C language on ARM Cotex-A53. Authors in [10] introduced highly parallel algorithms implemented on a GPU to accelerate the operations of Kyber. Authors in [11] also introduced a software-hardware codesign of Kyber that helped improve the encapsulation and decapsulation times compared with those of the pure software design. Pure hardware implementations were presented in [11,12,13,14] to reduce the hardware complexity and speed up operations in Kyber. In hardware design of Kyber, many authors used the number theoretic transform (NTT)-based multiplier to execute the polynomial multiplication. However, the existing NTT-based multipliers which process data in serial limit the performance of operations in Kyber.

In this study, we focus on designing an area-time efficient hardware architecture for Kyber. Specifically, we introduce a dual-path delay feedback (DDF) number theoretic transform (NTT) designed for a specific Kyber’s parameter set. Next, we implement the proposed NTT/INTT architecture in the key generation, encryption, and decryption modules. We also present the architecture design of Kyber’s sub-modules in detail. The implementation results on Xilinx Vivado targeted for Virtex-7 FPGA board show that the proposed Kyber architecture offers the best value of area-time product compared with existing approaches. The contributions of this paper are itemized as follows:

• We introduce a DDF-based NTT architecture designed for Kyber. Specifically, the coefficients of the input polynomial are grouped into odd and even groups to increase the speed of the NTT operation.
• We deploy the proposed DDF-based NTT in the key generation, encryption, and decryption architectures of Kyber to accelerate these operations.
• We introduce a new architecture design for the main modules used in Kyber such as key generation, encryption, decryption, polynomial multiplication, compression, decompression, and modulo reduction in detail.
• We synthesize and implement the proposed Kyber architecture using Xilinx Vivado targeted for a Virtex-7 FPGA board. The implementation results show that the proposed Kyber architecture outperforms its predecessors in terms of area-time efficiency.

The remainder of this paper is structured as follows. In Section 2, we briefly discuss the preliminaries. In Section 3, we present the architecture design of the main modules in Kyber. The implementation results and comparison are discussed in Section 4. Finally, we conclude the paper in Section 5.

2. CRYSTALS-Kyber Algorithms

CRYSTALS-Kyber [8] is a lattice-based CCA-secure key encapsulation mechanism based on the problem of module learning with errors. Kyber introduces three parameter sets corresponding to three security levels of NIST, as summarized in

Table 1. Kyber parameter sets [15].

Algorithm	NIST Security Level	Parameters
		$\mathit{n}$	$\mathit{k}$	$\mathit{q}$
Kyber-512	1	256	2	3329
Kyber-768	3	256	3	3329
Kyber-1024	5	256	4	3329

. Specifically, polynomials are of the same degree $n=256$, and their coefficients are members of the base prime field $Z_q$, where $q=3329$ for all security levels. However, different numbers of polynomials are required for each security level. These polynomials are treated as a vector whose size is specified using the parameter k, where k is 2, 3, and 4, corresponding to three security levels, 1, 3, and 5, respectively. Secret noise polynomials are sampled from a centered binomial distribution.

Kyber is categorized in the public-key encryption and key-establishment algorithms of NIST round three finalists. Functions in the Kyber public-key encryption algorithm include key generation, encryption, and decryption, which are described as follows:

• KeyGen(): Key generation creates a public key $pk$ used in the encryption process and a secret key $sk$ used in the decryption processes. Noise vectors s and e are sampled from a centered binomial distribution. The public matrix $\hat{\mathbf{A}}$ is sampled from a rejection sampler. The public key $pk$ and private key $sk$ are obtained from formulas $pk=(\rho ,\widehat{\mathbf{t}})$ and $sk=\widehat{\mathbf{s}}$, where $\widehat{\mathbf{t}}=\hat{\mathbf{A}}\circ \widehat{\mathbf{s}}+\widehat{\mathbf{e}}$.
• Enc($pk,m,r$): Encryption constructs ciphertexts $c=(c_1,c_2)$ from the input message m, public key $pk$, and random coins $r\in {\mathcal{B}}^{32}$. ${\hat{\mathbf{A}}}^T$ is sampled from a uniform distribution, and r, e${}_1$, $e_2$ are obtained from a binomial sampler. Ciphertext c is computed as $c=({\mathrm{Compress}}_q(\mathbf{u},d_u),{\mathrm{Compress}}_v(v,d_v))$, where $\mathbf{u}=\mathrm{INTT}({\hat{\mathbf{A}}}^T\circ \widehat{\mathbf{r}})+{\mathbf{e}}_1$ and $v=\mathrm{INTT}({\widehat{\mathbf{t}}}^T\circ \widehat{\mathbf{r}})+e_2+m$.
• Dec($sk,c$): Decryption recovers the original message m from ciphertext c using secret key $sk$. The value of m is calculated as $m=\mathrm{Compress}(v-\mathrm{INTT}({\widehat{\mathbf{s}}}^T\circ \widehat{\mathbf{u}})$, where u and v are obtained from c.

3. Proposed Area-Time Efficient Hardware Architecture for Kyber

In this section, we present the proposed DDF-based NTT/INTT architecture designed for Kyber. Next, we deploy the proposed NTT/INTT architecture in key generation, encryption, and decryption operations to enhance these operations. We also describe the architecture design of main modules used in Kyber in detail.

3.1. Proposed Dual-Path Delay Feedback NTT Architecture for Kyber

NTT is a variant of the conventional fast Fourier transform (FFT) [16,17] with arithmetic operations being performed in a finite field. NTT uses the n-th primitive root of unity ${\omega }_n$ in the ring ${\mathbb{Z}}_q$. NTT multiplication is selected as a part of the Kyber scheme. Consider a polynomial a in $R_q$ as follows:

$$a\left(x\right)=a_0+a_{1}x+a_2{x}^2+\cdots +a_{255}{x}^{255}$$

(1)

NTT(a) is defined as

$$\widehat{a}\left(x\right)={\widehat{a}}_0+{\widehat{a}}_{1}X+{\widehat{a}}_2{X}^2+\cdots ++{\widehat{a}}_{255}{X}^{255}$$

(2)

In Equation (2), ${\widehat{a}}_{2i}={\sum }_{j=0}^{127}{a}_{2j}{\zeta }^{(2{\mathrm{br}}_7\left(i\right)+1)j)}$ and ${\widehat{a}}_{2i+1}={\sum }_{j=0}^{127}{a}_{2j+1}{\zeta }^{(2{\mathrm{br}}_7\left(i\right)+1)j)}$, where $\zeta =17$ is the first primitive 256th root of unity modulo q, and br₇(i) is the bit reversal of the unsigned 7-bit integer i. The inverse NTT (INTT) operation is similar to NTT, which converts $\widehat{a}\left(x\right)$ back to $a\left(x\right)$, where ${\omega }_n$ is replaced by ${\omega }_n^{-1}$, and the resulting coefficients of $a\left(x\right)$ are divided by n [14]. We proposed a DDF-based NTT/INTT architecture to enhance the polynomial multiplication in Kyber. A polynomial a defined in Equation (1) can be rewritten as

$$a\left(x\right)=\sum _{i=0}^{127}{a}_{2i}{x}^{2i}+\sum _{i=0}^{127}{a}_{2i+1}{x}^{2i+1}$$

(3)

In order to accelerate NTT/INTT operations, the coefficients of input polynomial are divided into two parts to be processed in parallel. The proposed NTT/INTT architecture for Kyber is presented in Figure 1. As can be seen from Figure 1a, the coefficients of input polynomials are divided into two groups, odd and even coefficients, so that they can be handled simultaneously. Each group will be processed through seven stages which include two modulo reduction modules, butterfly units, first-in-first-out (FIFO) registers, and pipelined stages. Values of ${\omega }_n$ and ${\omega }_n^{-1}$ are loaded from memory (MEM). The output of the NTT module includes two parts, $A_0,A_2,\cdots ,A_{254}$ and $A_1,A_3,\cdots ,A_{255}$, corresponding to the coefficients $a_0,a_2,\cdots ,a_{254}$ and $a_1,a_3,\cdots ,a_{255}$ of the input polynomial. In the proposed NTT architecture, modulo reduction modules M1 and M2 are Barret reduction [18] and Montgomery reduction [19], respectively. Architectures of Montgomery reduction and Barret reduction are introduced in Figure 2a,b, respectively.

The INTT architecture in Figure 1b converts $A_0,A_1,\cdots ,A_{255}$ back to $a_0,a_1,\cdots ,a_{255}$. These coefficients are also divided into two groups to process simultaneously.

$$A=\sum _{i=0}^{127}{A}_{2i}{X}^{2i}+\sum _{i=0}^{127}{A}_{2i+1}{X}^{2i+1}$$

(4)

The remaining parts of INNT architecture are similar to NTT architecture, with ${\omega }_n$ being replaced by ${\omega }_n^{-1}$, as shown in Figure 1b. Montgomery reduction and Barret reduction are also used in INTT architecture.

3.2. Proposed Kyber Key Generation Architecture

The proposed DDF NTT multiplier-based key generation architecture is introduced in Figure 3. Specifically, Figure 3a presents the key generation architecture to construct public key $pk$ and secret key $sk$ from input noise vectors. The PRNG core, a Keccak-based architecture [20,21] used to generate random values from the input seed, is presented in Figure 3b. Noise vectors s and e are generated from a binomial sampler. In addition, $\hat{\mathbf{A}}$ is chosen from a uniform distribution. The architecture of the binomial sampler and rejection sampler is introduced in Figure 3c.

To accelerate the NTT operation, we deploy the proposed DDF-based NTT architecture in the key generation architecture to obtain the values of $\widehat{\mathbf{s}}$ = NTT(s) and $\widehat{\mathbf{e}}$ = NTT(e). Specifically, coefficients of each noise vector s and e are divided into two groups to be processed in parallel in order to reduce processing time. The values of NTT(s) and NTT(e) are then stored in BRAM. In addition, the value of $\widehat{\mathbf{t}}$ is calculated by adding the point-wise multiplication result $\hat{\mathbf{A}}\circ \widehat{\mathbf{s}}$ to $\widehat{\mathbf{e}}$. Finally, a key pair ($pk,sk$) is generated using two encoders $pk=\mathrm{Encode}\left(\widehat{\mathbf{t}}{\mathrm{mod}}^{+}q\right)\left|\right|\rho$ and $sk=\mathrm{Encode}\left(\widehat{\mathbf{s}}{\mathrm{mod}}^{+}q\right)$. The public key $pk$ and secret key $sk$ then participate in encryption and decryption processes, respectively.

3.3. Proposed Kyber Encryption Architecture

The proposed encryption architecture constructs the ciphertext c = $(c_1,c_2)$ from input message m using public key $pk$. The main modules in the proposed encryption architecture include samplers, DDF-based NTT, DDF-based INTTs (INTT1 and INTT2), decoder, encoder, compression, decompression, point-wise multiplication, and addition modules, as shown in Figure 4.

The value of $\rho$ is obtained using the formula $\rho =pk+12·k·n/8$. The rejection sampler generates ${\widehat{\mathbf{A}}}^T$ from the seed $\rho$, while the binomial sampler generates error vectors e₁ and $e_2$ from a random coin r. $\widehat{\mathbf{r}}$ is obtained by performing NTT(r) using the DDF-based NTT module in Figure 4. A part of ciphertext, c, $c_1$, is constructed by encoding the compressed message u, where $\mathbf{u}=\mathrm{INTT}({\hat{\mathbf{A}}}^T\circ \widehat{\mathbf{r}})+{\mathbf{e}}_1$. $\mathrm{INTT}({\hat{\mathbf{A}}}^T\circ \hat{\mathbf{r}})$ is performed by the proposed DDF-based INTT1 module in Figure 4.

The architecture design of the compression block is presented in Figure 5. The compression elements (CE) in Figure 5a are detailed in Figure 5b.

The remaining part of ciphertext c, $c_2$ is constructed from the public key $pk$, error polynomial $e_2$, input coin r, and input message m. The output $\widehat{\mathbf{t}}$ of the decode module in Figure 4 is multiplied with the transform of sample r, $\widehat{\mathbf{r}}=\mathrm{NTT}\left(\mathbf{r}\right)$ using point-wise multiplication. This result is transformed using the DDF-based INTT2 module in Figure 4, and then the error polynomial $e_2$ is added. The result of this addition, INTT(${\widehat{\mathbf{t}}}^T\circ \widehat{\mathbf{r}}$) + $e_2$, is added with the decompression of input message m to generate v = INTT(${\widehat{\mathbf{t}}}^T\circ \widehat{\mathbf{r}}$) + $e_2$ + Decompress(m). The architecture design of the decompression block is presented in Figure 6. The decompression elements (DE) in Figure 6a are detailed in Figure 6b. Ciphertext $c_2$ is generated by encoding the compression of v, $c_2=\mathrm{Encode}\left(\mathrm{Compress}(v,d_v)\right)$ using compression and encoder modules. Finally, ciphertext $c=(c_1,c_2)$ is constructed.

3.4. Proposed Decryption Architecture Design

The proposed Kyber decryption architecture to recover the input message m from ciphertext $c=(c_1,c_2)$ and secret key $sk$ is presented in Figure 7.

Secret key $sk$ and ciphertext c are decoded and then decompressed to obtained the values of $\widehat{\mathbf{s}}$ and $\mathbf{u}$, respectively. In particular, $\mathbf{u}={\mathrm{Decompress}}_q({\mathrm{Decode}}_{d_u}\left(c\right),d_u)$, and $\widehat{\mathbf{s}}=\mathrm{Decode}\left(sk\right)$. In addition, the value of $v={\mathrm{Decompress}}_q({\mathrm{Decode}}_{d_v}(c+d_u·k·n/8),d_v)$ can be reconstructed from ciphertext c through the decompression and decoding operations. The obtained value of u is transformed using the proposed DDF-based NTT, and then multiplied by ${\widehat{\mathbf{s}}}^T$. The product ${\widehat{\mathbf{s}}}^T\circ \mathrm{NTT}\left(\mathbf{u}\right)$ is transformed using DDF-based INTT module, and then subtracted by v to obtain the value $v-\mathrm{INTT}({\widehat{\mathrm{s}}}^T\circ \mathrm{NTT}\left(\mathbf{u}\right))$. This result is compressed using the compression module in Figure 5, and encoded to obtain the value $m=\mathrm{Encode}\left(\mathrm{Compress}(v-\mathrm{INTT}({\widehat{\mathbf{s}}}^T\circ \mathrm{NTT}\left(\mathbf{u}\right)),1)\right)$. The original message m is finally recovered.

4. Implementation Results

The proposed architectures for Kyber are modeled using Verilog HDL and synthesized using the Xilinx Vivado 2020.1. The implementation results are the placed-and-routed data on Xilinx Virtex-7. The results for key generation and encryption/decryption are presented in

Table 2. Implementation results of Kyber key generation architectures.

Parameters	This Work
Devices	Virtex-7
LUTs	22K
FFs	12K
DSPs	21
BRAMs	4.5
Frequency (MHz)	217
Time (μs)	39
Area × Time (LUTs × s)	0.86

and

Table 3. Performance comparison with existing schemes in NIST security level 5.

Parameters	This Work	[14]	[12]	[13]	[22]
Devices	Virtex-7	Virtex-7	UltraScale+	Virtex-7	Virtex-7
Protocol	Kyber-1024	Kyber-1024	Kyber-1024	Kyber-1024	SIKEp751
LUTs	29,718	16,000	23,868	252,107	20,207
FFs	22,556	6000	9805	335,125	39,339
DSPs	71	12	0	584	452
BRAMs	11	17	2	402.5	41.5
Frequency (MHz)	226	156	150	192	233
Time (μs)	57.5	205	153	1264	25,500
Area × Time (LUTs × s)	1.68	3.28	3.62	318.66	515.28
Norm. Area × Time	1.00	1.95	2.15	189.68	306.71

, respectively.

From Table 2, the proposed key generation architecture requires 22K LUTs, 12K FFs, 21 DSPs, and 4.5 BRAMs. As can be seen, the proposed key generation architecture can operate at a maximum frequency of 217 MHz. Public key $pk$ and secret key $sk$ are successfully generated after only 39 μs. As a result, the proposed key generation architecture achieves the area-to-time value of 0.86.

Table 3 describes a comparison between the proposed Kyber architecture with the most recent works [12,13,14,22]. The reported values of the proposed work in Table 3 are for encryption and decryption operations. Generally, the proposed architecture offers the best value of area-time product. The proposed architecture requires 29,718 LUTs, 22,556 FFs, 71 DSPs, and 11 BRAMs to perform Kyber encryption and decryption operations. These hardware resource requirements are substantially lower than those of the architecture in [13]. The hardware cost of the proposed architecture is slightly higher than that of the architectures in [12,22]. However, the proposed architecture outperforms those architectures in terms of processing time and area-time product. Specifically, the total encryption and decryption time of the proposed architecture is approximately 57.5 μs, which is approximately 3.6 times and 2.7 times faster than that of architectures in [12,14], respectively. Noticeably, the proposed architecture is much better than that of architectures in [13,22] in terms of latency. Furthermore, the area-time product value of the proposed architecture is 1.68, which is approximately half of that of the architectures in [12,14]. Specifically, this area-time product value is approximately 189 times and 306 times smaller than that of the designs in [13,22]. Furthermore, the proposed architecture can operate at the highest frequency of 226 MHz, which is higher than the frequency at which architectures in [12,13,14] operate.

5. Conclusions

An area-time efficient hardware architecture for CRYSTALS-Kyber is introduced in this paper. By implementing the proposed dual-path delay feedback NTT and INTT architectures in key generation, encryption, and decryption, these operations are noticeably improved in terms of processing time and area-time efficiency. Specifically, the key generation operation in the proposed architecture is accelerated by twofold compared with existing works. In addition, the proposed architecture offers the best value of area-time product among the state-of-the-art Kyber architectures. Therefore, the proposed architecture can be applied in designs where the high balance between hardware complexity and processing time is strictly considered.