Efficient Algorithm-Level Error Detection for Number-Theoretic Transform Used for Kyber Assessed on FPGAs and ARM

Efficient Algorithm-Level Error Detection for Number-Theoretic Transform Used for Kyber Assessed on FPGAs and ARM

연구 분야: Cryptography

학회: ACM Transactions on Embedded Computing Systems, Volume 24, Issue 5

Polynomial multiplication stands out as a highly demanding arithmetic process in the development of post-quantum cryptosystems. The importance of the number-theoretic transform (NTT) extends beyond post-quantum cryptosystems, proving valuable in enhancing existing security protocols such as digital signature schemes and hash functions. CRYSTALS-KYBER stands out as the sole public key encryption (PKE) algorithm chosen by the National Institute of Standards and Technology (NIST) in its third round selection, making it highly regarded as a leading post-quantum cryptography (PQC) solution. Faults have the potential to disrupt cryptographic systems, compromise data integrity, and enable side-channel attacks, making the incorporation of robust error detection mechanisms essential. This article introduces algorithm-level fault detection schemes in the NTT multiplication using Negative Wrapped Convolution (NWC) and the NTT tailored for Kyber Round 3, representing a significant enhancement compared with previous research. We evaluate this through the simulation of a fault model, ensuring that the conducted assessments accurately mirror the obtained results. Our fault detection scheme is designed to address both malicious fault injection attacks on Kyber and naturally occurring faults. Furthermore, we assessed the effectiveness of the proposed error detection scheme for the NTT implemented in both NWC and Kyber, using AMD/Xilinx Artix-7 FPGA, HLS and processor-based approaches. In our FPGA implementation of NWC, the integration of our error detection approach achieves near-100% fault coverage with minimal area overhead and results in only a 12% increase in latency compared with the original hardware design. Finally, we attained an error detection ratio of nearly 100% for the NTT operation in Kyber, with a clock cycle overhead of 16% on the Cortex-A72 processor.