Researchers from the Technical University of Munich (TUM) have designed and commissioned fabrication of a chip intended to implement so-called post-quantum cryptography. The ASIC’s design is based on RISC-V technology and is intended to demonstrate the ability to foil efforts by hackers using quantum computers to decrypt communications. Besides using co-design techniques to implement Kyber-based post-quantum encryption, the team included hardware trojans on the chip to study methods for detecting this type of “malware from the chip factory.”
An interesting account of the work is posted on the TUM website. Worry over the future use of quantum computers to decrypt conventionally encrypted messages and data has been growing for years. Recent, very public hacks have ratcheted up pressure not only to deal with existing threats but to prepare for quantum computers.
In 2016, NIST (US National Institute of Standards and Technology) launched a Post-Quantum Cryptography Standardization effort saying, “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.” This program is ongoing.
The TUM researchers say their chip is the first post-quantum cryptography device to be based entirely on a hardware/software co-design approach. “As a result, it is around 10 times as fast when encrypting with Kyber – one of the most promising candidates for post-quantum cryptography – as compared to chips based entirely on software solutions. It also uses around eight times less energy and is almost as flexible,” according to Georg Sigl, a TUM researcher who led the work and who is quoted in the posted article.
The chip incorporates a purpose-designed hardware accelerator and not only supports lattice-based post-quantum cryptography algorithms such as Kyber, but also could work with the SIKE algorithm, which requires much more computing power. Their design, reported the team, can implement SIKE 21 times faster than chips using only software-based encryption. SIKE is seen as a promising alternative “if the time comes when lattice-based approaches are no longer secure.”
As noted in the TUM article, “Another potential threat, alongside the rise in conventional attacks, is posed by hardware trojans. Computer chips are generally produced according to companies’ specifications and made in specialized factories. If attackers succeed in planting trojan circuitry in the chip design before or during the manufacturing stage, this could have disastrous consequences. As in the case of external hacker attacks, entire factories could be shut down or production secrets stolen. What’s more: Trojans built into the hardware can evade post-quantum cryptography.”
Sigl is quoted, “We still know very little about how hardware trojans are used by real attackers. To develop protective measures, we need to think like an attacker and try to develop and conceal our own trojans. In our post-quantum chip we have therefore developed and installed four hardware trojans, each of which works in an entirely different way.”
The TUM will test the chip’s cryptography capabilities and functionality and the detectability of the hardware trojans for a few months. Then the chip will be destroyed in a complex process in which the circuit pathways will be shaved off incrementally while photographing each successive layer. The goal is to try out new machine learning methods developed by TUM for reconstructing the precise functions of chips even when no documentation is available. “These reconstructions can help to detect chip components that perform functions unrelated to the chip’s actual tasks and which may have been smuggled into the design,” according to Sigl.
Sigl and his team have a 2020 paper (RISQ-V: Tightly Coupled RISC-V Accelerators for Post-Quantum Cryptography) that broadly describes their ideas. Here is the abstract:
“First, we propose a set of powerful hardware accelerators deeply integrated into the RISC-V pipeline. Second, we extended the RISC-V ISA with 29 new instructions to efficiently perform operations for lattice-based cryptography. Third, we implemented our RISQ-V in ASIC technology and on FPGA. We evaluated the performance of NewHope, Kyber, and Saber on RISQ-V. Compared to the pure software implementation on RISC-V, our co-design implementations show a speedup factor of up to 11.4 for NewHope, 9.6 for Kyber, and 2.7 for Saber. For the ASIC implementation, the energy consumption was reduced by factors of up to 9.5 for NewHope, 7.7 for Kyber, and 2.1 for Saber. The cell count of the CPU was increased by a factor of 1.6 compared to the original RISC-V design, which can be considered as a moderate increase for the achieved performance gain.”
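The abstract reports the speedup from accelerating lattice operations without saying what those operations are. As an added example, not code from TUM or the RISQ-V project, the Python below implements the core one for Kyber: multiplication in Z_q[x]/(x^256+1), first as a schoolbook convolution and then via the number-theoretic transform (NTT) defined in the public Kyber/ML-KEM specification. The constants (q = 3329, zeta = 17, 3303 = 128^-1 mod q) come from that specification; that this is the kind of kernel RISQ-V's added instructions target is an assumption made here, not a statement from the page.

```python
# Added illustration, not TUM's RISQ-V code: Kyber's ring Z_q[x]/(x^256+1), q = 3329,
# multiplied the slow way and via the NTT structure of the public Kyber/ML-KEM spec.
Q, N, ZETA = 3329, 256, 17  # modulus, degree, primitive 256th root of unity mod q
def bitrev7(i): return int(f"{i:07b}"[::-1], 2)
ZETAS = [pow(ZETA, bitrev7(i), Q) for i in range(128)]  # twiddles, bit-reversed order

def schoolbook_mul(a, b):  # O(n^2) negacyclic convolution: x^256 wraps around to -1
    r = [0] * N
    for i in range(N):
        for j in range(N):
            if i + j < N:
                r[i + j] = (r[i + j] + a[i] * b[j]) % Q
            else:
                r[i + j - N] = (r[i + j - N] - a[i] * b[j]) % Q
    return r

def ntt(f):  # forward NTT, Cooley-Tukey butterflies
    f, k, ln = f[:], 1, 128
    while ln >= 2:
        for start in range(0, N, 2 * ln):
            z = ZETAS[k]; k += 1
            for j in range(start, start + ln):
                t = z * f[j + ln] % Q
                f[j + ln] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        ln //= 2
    return f

def inv_ntt(fh):  # inverse NTT, Gentleman-Sande butterflies; 3303 = 128^-1 mod q
    f, k, ln = fh[:], 127, 2
    while ln <= 128:
        for start in range(0, N, 2 * ln):
            z = ZETAS[k]; k -= 1
            for j in range(start, start + ln):
                t = f[j]
                f[j] = (t + f[j + ln]) % Q
                f[j + ln] = z * (f[j + ln] - t) % Q
        ln *= 2
    return [x * 3303 % Q for x in f]

def basemul(ah, bh):  # NTT-domain product: 128 degree-1 products mod x^2 - zeta^(2i+1)
    r = [0] * N
    for i in range(N // 2):
        g = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1, b0, b1 = ah[2*i], ah[2*i+1], bh[2*i], bh[2*i+1]
        r[2*i], r[2*i+1] = (a0*b0 + a1*b1*g) % Q, (a0*b1 + a1*b0) % Q
    return r

def ntt_mul(a, b):  # O(n log n) path; the kind of kernel an ISA extension accelerates
    return inv_ntt(basemul(ntt(a), ntt(b)))
```

Both paths must agree on every input; the NTT path is the one a co-designed pipeline turns into a handful of instructions, while the schoolbook version is the pure-software baseline the speedup figures are measured against.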
Source: TUM article
Link to full TUM article: https://www.tum.de/nc/en/about-tum/news/press-releases/details/36835/