Abstract
We report on efficient and secure hardware implementation techniques for the FIPS 205 SLH-DSA Hash-Based Signature Standard. We demonstrate that very significant overall performance gains can be obtained from hardware that optimizes the padding formats and iterative hashing processes specific to SLH-DSA. A prototype implementation, SLotH, contains Keccak/SHAKE, SHA2-256, and SHA2-512 cores and supports all 12 parameter sets of SLH-DSA. SLotH also supports side-channel secure PRF computation and Winternitz chains. SLotH drivers run on a small RISC-V control core, as is common in current Root-of-Trust (RoT) systems.
The new features make SLH-DSA on SLotH many times faster compared to similarly-sized general-purpose hash accelerators. Compared to unaccelerated microcontroller implementations, the performance of SLotH's SHAKE variants is up to 300x faster; signature generation with the 128f parameter set is 4,903,978 cycles, while signature verification with the 128s parameter set is only 179,603 cycles. The SHA2 parameter sets have approximately half of the speed of SHAKE parameter sets. We observe that the signature verification performance of SLH-DSA's "s" parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGE (all parameter sets). Keccak Threshold Implementation adds another 130 kGE.
We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.
Original language | English |
---|---|
Title | Advances in Cryptology – CRYPTO 2024 |
Subtitle | 44th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2024, Proceedings, Part I |
Publisher | Springer |
Pages | 276-304 |
Number of pages | 29 |
ISBN (electronic) | 978-3-031-68376-3 |
ISBN (print) | 978-3-031-68375-6 |
DOI - permanent links | |
Status | Published - 16 Aug 2024 |
OKM publication type | A4 Article in conference proceedings |
Event | International cryptology conference - Santa Barbara, United States. Duration: 18 Aug 2024 → 22 Aug 2024 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Volume | 14920 |
ISSN (electronic) | 1611-3349 |
Conference
Conference | International cryptology conference |
---|---|
Country/Territory | United States |
City | Santa Barbara |
Period | 18/08/24 → 22/08/24 |
Publication Forum level
- Jufo level 3