Cryptology ePrint Archive: Report 2021/1697

Where Star Wars Meets Star Trek: SABER and Dilithium on the Same Polynomial Multiplier

Andrea Basso and Furkan Aydin and Daniel Dinu and Joseph Friel and Avinash Varna and Manoj Sastry and Santosh Ghosh

Abstract: Secure communication often requires both encryption and digital signatures to guarantee the confidentiality of the message and the authenticity of the parties. However, post-quantum cryptographic protocols are often studied independently. In this work, we identify a powerful synergy between two finalist protocols in the NIST standardization process. In particular, we propose a technique that enables SABER and Dilithium to share the exact same polynomial multiplier. Since polynomial multiplication plays a key role in each protocol, this has a significant impact on hardware implementations that support both SABER and Dilithium. We estimate that existing Dilithium implementations can add support for SABER with only a 4% increase in LUT count. A minor trade-off of the proposed multiplier is that it can produce inexact results for some limited inputs. We thus carry out a thorough analysis of such cases, where we prove that the probability of these events occurring is near zero, and we show that this characteristic does not affect the security of the implementation. We then implement the proposed multiplier in hardware to obtain a design that offers competitive performance/area trade-offs. Our NTT implementation achieves a latency of 519 cycles while consuming 2,012 LUTs and only 331 flip-flops when implemented on an Artix-7 FPGA. We also propose a shuffling-based method to provide side-channel protection with low overhead during polynomial multiplication. Finally, we evaluate the side-channel security of the proposed design on a Sakura-X FPGA board.
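The abstract says a single multiplier can serve both schemes and that it is inexact for a few inputs. The example below is an added illustration, not the paper's code or its exact construction; it assumes the natural mechanism behind such sharing: SABER's products over the power-of-two modulus 2^13 (which has no NTT-friendly structure) are computed on the Dilithium NTT over the prime q = 8380417, and the result is lifted to a centered representative and reduced mod 2^13. That is exact only while every true integer product coefficient stays inside (-q/2, q/2]. The secret coefficient range [-4, 4], the twiddle ordering (Dilithium's zeta = 1753 in bit-reversed order) and the centering step are assumptions of this example, and the constructed worst-case input shows a coefficient where the shared multiplier is off by one.

```python
"""Added illustration (not the paper's code): one NTT multiplier serving both
Dilithium (prime Q) and SABER (modulus 2^13), and why it can be inexact."""
import random

N = 256
Q = 8380417            # Dilithium prime, 2^23 - 2^13 + 1
ZETA = 1753            # primitive 512th root of unity mod Q (Dilithium's zeta)
SABER_Q = 1 << 13      # SABER's power-of-two modulus, not NTT-friendly
MU_HALF = 4            # assumed range of SABER secret coefficients: [-4, 4]

assert pow(ZETA, 256, Q) == Q - 1   # zeta^256 == -1, so x^256 + 1 splits fully mod Q


def bitrev8(k):
    return int(f"{k:08b}"[::-1], 2)


def ntt(a):
    """Cooley-Tukey negacyclic NTT in Z_Q[x]/(x^256+1), Dilithium twiddle order."""
    a = [x % Q for x in a]
    k, length = 0, 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            k += 1
            z = pow(ZETA, bitrev8(k), Q)
            for j in range(start, start + length):
                t = z * a[j + length] % Q
                a[j + length] = (a[j] - t) % Q
                a[j] = (a[j] + t) % Q
        length //= 2
    return a


def intt(a):
    """Gentleman-Sande inverse of ntt(), including the final 1/256 scaling."""
    a = list(a)
    k, length = 256, 1
    while length < N:
        for start in range(0, N, 2 * length):
            k -= 1
            z = (Q - pow(ZETA, bitrev8(k), Q)) % Q   # -zeta^brv(k) is the inverse twiddle
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % Q
                a[j + length] = z * (t - a[j + length]) % Q
        length *= 2
    inv_n = pow(N, Q - 2, Q)
    return [x * inv_n % Q for x in a]


def poly_mul_mod_q(a, b):
    """Dilithium-style product: NTT, pointwise multiply, inverse NTT (mod Q)."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def centered(x, m):
    """Representative of x mod m in (-m/2, m/2]."""
    return (x + m // 2) % m - m // 2


def negacyclic_exact(a, b):
    """Reference: integer negacyclic product with no modular reduction at all."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] += ai * bj
            else:
                c[i + j - N] -= ai * bj
    return c


def saber_mul_via_dilithium_ntt(a, b):
    """SABER product mod 2^13 computed on the Dilithium multiplier (assumed scheme).
    Public coefficients are centered first to keep integer products small; the
    answer is exact precisely when every true coefficient lies in (-Q/2, Q/2]."""
    a_c = [centered(x, SABER_Q) for x in a]
    c = poly_mul_mod_q(a_c, b)
    return [centered(x, Q) % SABER_Q for x in c]


def random_case_is_exact(seed):
    """Constructed random SABER-like input: public in [0, 2^13), secret in [-4, 4]."""
    rng = random.Random(seed)
    a = [rng.randrange(SABER_Q) for _ in range(N)]
    b = [rng.randint(-MU_HALF, MU_HALF) for _ in range(N)]
    want = [x % SABER_Q for x in negacyclic_exact(a, b)]
    return saber_mul_via_dilithium_ntt(a, b) == want


def worst_case_mismatch():
    """Constructed input whose top coefficient is -256*4096*4 = -2^22, outside
    (-Q/2, Q/2]; returns (expected, computed) for that coefficient."""
    a = [SABER_Q // 2] * N          # centers to -4096 in every position
    b = [MU_HALF] * N
    want = [x % SABER_Q for x in negacyclic_exact(a, b)]
    got = saber_mul_via_dilithium_ntt(a, b)
    return want[N - 1], got[N - 1]


if __name__ == "__main__":
    print("random inputs exact:", all(random_case_is_exact(s) for s in range(5)))
    print("worst case (expected, computed):", worst_case_mismatch())
```

For random inputs the integer product coefficients are tens of thousands in magnitude, far inside the safe window, so the shared multiplier agrees with the exact SABER product; the adversarially aligned input pushes one coefficient to -2^22, which lies just outside (-Q/2, Q/2], and the centered lift then returns 1 instead of 0. The paper's own analysis of how rare such inputs are, and why they do not weaken the scheme, is not reproduced here.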

Category / Keywords: implementation / Polynomial multiplication, SABER, Dilithium

Date: received 27 Dec 2021

Contact author: a basso at cs bham ac uk


Version: 20211230:171252 (All versions of this report)

Short URL: ia.cr/2021/1697
