Abstract
We report on efficient and secure hardware implementation techniques for the FIPS 205 SLH-DSA Hash-Based Signature Standard. We demonstrate that very significant overall performance gains can be obtained from hardware that optimizes the padding formats and iterative hashing processes specific to SLH-DSA. A prototype implementation, SLotH, contains Keccak/SHAKE, SHA2-256, and SHA2-512 cores and supports all 12 parameter sets of SLH-DSA. SLotH also supports side-channel secure PRF computation and Winternitz chains. SLotH drivers run on a small RISC-V control core, as is common in current Root-of-Trust (RoT) systems.
The new features make SLH-DSA on SLotH many times faster compared to similarly-sized general-purpose hash accelerators. Compared to unaccelerated microcontroller implementations, the performance of SLotH ’s SHAKE variants is up to 300x faster; signature generation with 128f parameter set is 4,903,978 cycles, while signature verification with 128 s parameter set is only 179,603 cycles. The SHA2 parameter sets have approximately half of the speed of SHAKE parameter sets. We observe that the signature verification performance of SLH-DSA’s “s” parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGe (all parameter sets). Keccak Threshold Implementation adds another 130 kGE.
We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.
The new features make SLH-DSA on SLotH many times faster compared to similarly-sized general-purpose hash accelerators. Compared to unaccelerated microcontroller implementations, the performance of SLotH ’s SHAKE variants is up to 300x faster; signature generation with 128f parameter set is 4,903,978 cycles, while signature verification with 128 s parameter set is only 179,603 cycles. The SHA2 parameter sets have approximately half of the speed of SHAKE parameter sets. We observe that the signature verification performance of SLH-DSA’s “s” parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGe (all parameter sets). Keccak Threshold Implementation adds another 130 kGE.
We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.
Original language | English |
---|---|
Title of host publication | Advances in Cryptology – CRYPTO 2024 |
Subtitle of host publication | 44th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2024, Proceedings, Part I |
Publisher | Springer |
Pages | 276-304 |
Number of pages | 29 |
ISBN (Electronic) | 978-3-031-68376-3 |
ISBN (Print) | 978-3-031-68375-6 |
DOIs | |
Publication status | Published - 16 Aug 2024 |
Publication type | A4 Article in conference proceedings |
Event | International cryptology conference - Santa Barbara, United States Duration: 18 Aug 2024 → 22 Aug 2024 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Volume | 14920 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | International cryptology conference |
---|---|
Country/Territory | United States |
City | Santa Barbara |
Period | 18/08/24 → 22/08/24 |
Keywords
- FIPS 205
- SLH-DSA
- SPHINCS+
- Root-of-Trust
- Side-Channel Security
Publication forum classification
- Publication forum level 3