Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols

Abstract

Sapphire is a configurable crypto-processor designed to accelerate computationally intensive lattice-based post-quantum cryptography (PQC) protocols on low-power embedded devices. Utilizing optimizations such as a SHA-3-based PRNG and a single-port RAM NTT memory architecture, the core achieves substantial area and energy savings while maintaining constant-time security. Coupled with a low-power RISC-V microprocessor, Sapphire demonstrates several NIST Round 2 protocols, achieving up to an order of magnitude improvement in performance and energy efficiency over prior state-of-the-art hardware.

Report

Key Highlights

  • PQC Acceleration: Sapphire is a hardware accelerator specifically designed for lattice-based post-quantum cryptography, addressing the high computational complexity of these quantum-resistant algorithms.
  • Performance Gain: Achieves up to an order of magnitude improvement in performance and energy efficiency compared to existing state-of-the-art hardware implementations.
  • Protocol Support: Successfully demonstrated implementation of major NIST Round 2 lattice-based protocols, including Frodo, NewHope, qTESLA, CRYSTALS-Kyber, and CRYSTALS-Dilithium.
  • Security Focus: The processor ensures constant-time operation and is secure against timing and simple power analysis (SPA) side-channel attacks.

Technical Details

  • Fabrication and Area: The test chip was fabricated in the TSMC 40nm low-power CMOS process.
  • Core Specifications: The cryptographic core occupies 0.28 mm² area, comprising 106k logic gates and 40.25 KB of SRAM.
  • Architectural Optimizations:
    • Efficient sampling utilizing a SHA-3-based Pseudo-Random Number Generator (PRNG), resulting in two orders of magnitude energy savings in the sampling block.
    • A single-port RAM-based Number Theoretic Transform (NTT) memory architecture, which provides significant area savings (124k gates).
    • Includes a low-power modular arithmetic unit specifically designed to accelerate polynomial computations.
  • Customization: Sapphire can be programmed using custom instructions for polynomial arithmetic and sampling, integrating closely with a host processor.
  • Side-Channel Resilience: The design allows for the implementation of masking-based Differential Power Analysis (DPA) countermeasures without requiring any changes to the hardware.
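The NTT and modular-arithmetic items above name the operation a lattice accelerator exists to speed up: multiplying polynomials in Z_q[x]/(x^n + 1). The C program below is an added example written for this summary, not code from the Sapphire chip or paper. It implements a software negacyclic NTT with a branchless conditional subtraction, the constant-time style the page emphasizes, and checks the O(n log n) result against an O(n^2) schoolbook product. NewHope's modulus q = 12289 is the only parameter taken from a protocol named on the page; n = 256, the brute-force root search, and all function names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Ring Z_q[x]/(x^n + 1). q = 12289 is NewHope's modulus (a protocol named on the
 * page); n = 256 is an assumption, chosen so that 2n | q - 1 (12288 = 2^12 * 3). */
#define Q 12289u
#define N 256u

/* Branchless conditional subtraction: x in [0, 2q) -> x mod q, no data-dependent branch. */
static uint32_t csub(uint32_t x) {
    uint32_t t = x - Q;                       /* wraps (bit 31 set) iff x < q */
    uint32_t mask = (uint32_t)0 - (t >> 31);  /* all ones iff it wrapped */
    return t + (mask & Q);
}

/* % is used for clarity; hardware uses a modular arithmetic unit, software Montgomery/Barrett. */
static uint32_t mulmod(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a * b) % Q);
}

static uint32_t powmod(uint32_t base, uint32_t e) {
    uint32_t r = 1;
    for (; e; e >>= 1, base = mulmod(base, base))
        if (e & 1) r = mulmod(r, base);
    return r;
}

/* Smallest primitive 2n-th root of unity psi, i.e. psi^n = -1 (mod q). */
static uint32_t find_psi(void) {
    for (uint32_t g = 2; g < Q; g++)
        if (powmod(g, N) == Q - 1) return g;
    return 0;  /* unreachable for these parameters */
}

static void bitrev(uint32_t *a) {
    for (uint32_t i = 1, j = 0; i < N; i++) {
        uint32_t bit = N >> 1;
        for (; j & bit; bit >>= 1) j ^= bit;
        j ^= bit;
        if (i < j) { uint32_t t = a[i]; a[i] = a[j]; a[j] = t; }
    }
}

/* In-place negacyclic NTT (inverse = 0) or inverse NTT (inverse = 1). Twisting by
 * psi^i makes the cyclic transform evaluate at the odd powers of psi, the roots of x^n + 1. */
static void ntt(uint32_t *a, uint32_t psi, int inverse) {
    uint32_t omega = mulmod(psi, psi);           /* primitive n-th root of unity */
    if (inverse) omega = powmod(omega, Q - 2);   /* omega^-1 by Fermat */
    else for (uint32_t i = 0; i < N; i++) a[i] = mulmod(a[i], powmod(psi, i));
    bitrev(a);
    for (uint32_t len = 2; len <= N; len <<= 1) {
        uint32_t wlen = powmod(omega, N / len);
        for (uint32_t i = 0; i < N; i += len) {
            uint32_t w = 1;
            for (uint32_t j = 0; j < len / 2; j++) {   /* Cooley-Tukey butterfly */
                uint32_t u = a[i + j], v = mulmod(a[i + j + len / 2], w);
                a[i + j] = csub(u + v);
                a[i + j + len / 2] = csub(u + Q - v);
                w = mulmod(w, wlen);
            }
        }
    }
    if (inverse)                                 /* undo twist and scale: * n^-1 * psi^-i */
        for (uint32_t i = 0; i < N; i++)
            a[i] = mulmod(a[i], powmod(mulmod(N, powmod(psi, i)), Q - 2));
}

/* c = a * b in Z_q[x]/(x^n + 1), O(n log n): forward NTTs, pointwise product, inverse NTT. */
static void poly_mul_ntt(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    uint32_t psi = find_psi(), ta[N], tb[N];
    memcpy(ta, a, sizeof ta); memcpy(tb, b, sizeof tb);
    ntt(ta, psi, 0); ntt(tb, psi, 0);
    for (uint32_t i = 0; i < N; i++) c[i] = mulmod(ta[i], tb[i]);
    ntt(c, psi, 1);
}

/* O(n^2) reference product; x^n = -1 turns the wrapped-around terms negative. */
static void poly_mul_schoolbook(const uint32_t *a, const uint32_t *b, uint32_t *c) {
    memset(c, 0, N * sizeof c[0]);
    for (uint32_t i = 0; i < N; i++)
        for (uint32_t j = 0; j < N; j++) {
            uint32_t p = mulmod(a[i], b[j]), k = (i + j) % N;
            c[k] = csub(c[k] + (i + j < N ? p : Q - p));
        }
}

/* Constructed check with fixed formula operands (not a cryptographic sampler); 1 iff equal. */
static int ntt_matches_schoolbook(void) {
    uint32_t a[N], b[N], c1[N], c2[N];
    for (uint32_t i = 0; i < N; i++) { a[i] = (i * 7919u + 13u) % Q; b[i] = (i * i * 31u + 5u) % Q; }
    poly_mul_ntt(a, b, c1);
    poly_mul_schoolbook(a, b, c2);
    return memcmp(c1, c2, sizeof c1) == 0;
}

int main(void) {
    printf("psi = %u, NTT == schoolbook: %s\n", find_psi(), ntt_matches_schoolbook() ? "yes" : "no");
}
```

Build with any C99 compiler and run; it prints the root of unity it found and whether the two products agree. The butterfly loop is the part that matters for hardware: every iteration reads two coefficients and writes two back, and that memory traffic is what the single-port RAM architecture listed above has to serve. The `csub` helper shows the constant-time discipline at the smallest scale: the reduction never branches on the secret coefficient, so timing and simple power traces do not depend on its value.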

Implications

  • Enabling PQC in Embedded Systems: Sapphire directly addresses the critical challenge of deploying high-complexity PQC schemes on low-power and resource-constrained embedded devices, which are pervasive in IoT and secure computing environments.
  • RISC-V Ecosystem Integration: The core is demonstrated coupled to a low-power RISC-V microprocessor. This provides a clear, high-performance architectural blueprint for integrating PQC capabilities into the growing open-source RISC-V hardware ecosystem.
  • Future-Proofing Security: Its configurable parameters allow the processor to adapt to various parameter sets and potential modifications in lattice-based protocols as NIST standards evolve, providing a flexible and durable security platform.
  • Practical Security Assurance: By implementing constant-time execution and resistance to SPA attacks, Sapphire provides a foundation for truly secure, deployable PQC solutions, a necessary feature for commercial and government cryptographic applications.