2025
Journal Article
Title
Extended version: enabling lattice-based post-quantum cryptography on the opentitan platform
Abstract
The first generation of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST) is just around the corner. The need for secure implementations is therefore increasing. In this work, we address this need and investigate the integration of lattice-based PQC into an open-source silicon root of trust (RoT), the OpenTitan. RoTs are important security building blocks that need to be future-proofed with PQC. The OpenTitan features multiple cryptographic hardware accelerators and countermeasures against physical attacks, but does not offer dedicated support for lattice-based PQC. Thus, we propose instruction set extensions for the OpenTitan Big Number Accelerator (OTBN) to improve the efficiency of polynomial arithmetic and sampling. As a case study, we analyze the performance of signature verification for the digital signature schemes Dilithium and Falcon. Our implementation verifies signatures within 911,366 cycles for Dilithium-II and 759,779 cycles for Falcon-512, pushing this RoT functionality below 10 ms for the OpenTitan's target frequency of 100 MHz. In the case of Dilithium-II, this cannot be achieved without these hardware extensions, even with advanced implementation techniques such as Kronecker+. With an overhead of 437,665.00 kGE, our hardware extensions make up only about 2.93 % of the total RoT area. All our extensions integrate seamlessly with the countermeasures against physical attacks that are already available within the OTBN and comply with the adversary model chosen by the OpenTitan project.
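The polynomial arithmetic that the abstract says the OTBN extensions accelerate is, for Dilithium, multiplication in Z_q[X]/(X^256 + 1) via the number-theoretic transform (NTT). The following is an added reference illustration written for this page; it is not the paper's OTBN code and says nothing about the proposed instructions. It assumes the Dilithium/ML-DSA parameters q = 8380417 and n = 256 as fixed in FIPS 204, derives a primitive 512th root of unity rather than hard-coding the spec's ζ = 1753, cross-checks the NTT-based product against a schoolbook negacyclic multiplication, and converts the abstract's cycle counts to milliseconds at the stated 100 MHz target frequency. The random test polynomials are constructed here for the check.

```python
# Added reference example: negacyclic NTT over Z_q[X]/(X^256 + 1) with the
# Dilithium (ML-DSA) modulus. Pure Python, for illustration only; this is not
# the paper's OTBN implementation. Parameters assumed from FIPS 204.
Q = 8380417   # Dilithium modulus, q = 2^23 - 2^13 + 1
N = 256       # polynomial length


def _find_root_512() -> int:
    """Return a primitive 512th root of unity mod Q.

    FIPS 204 fixes zeta = 1753; deriving one here keeps the example independent
    of a hard-coded constant (any primitive 512th root gives a valid NTT).
    """
    for g in range(2, Q):
        z = pow(g, (Q - 1) // 512, Q)
        if pow(z, 256, Q) == Q - 1:  # z^256 == -1  <=>  order is exactly 512
            return z
    raise RuntimeError("no 512th root of unity found")


ZETA = _find_root_512()


def _bitrev8(k: int) -> int:
    """8-bit bit reversal used to index the twiddle factors."""
    return int(f"{k:08b}"[::-1], 2)


def ntt(a):
    """Forward Cooley-Tukey NTT (same butterfly structure as FIPS 204 Alg. 35)."""
    a = list(a)
    k, length = 0, 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            k += 1
            zeta = pow(ZETA, _bitrev8(k), Q)
            for j in range(start, start + length):
                t = zeta * a[j + length] % Q
                a[j + length] = (a[j] - t) % Q
                a[j] = (a[j] + t) % Q
        length //= 2
    return a


def invntt(a_hat):
    """Inverse Gentleman-Sande NTT, including the final scaling by n^-1."""
    a = list(a_hat)
    k, length = 256, 1
    while length < N:
        for start in range(0, N, 2 * length):
            k -= 1
            zeta = (-pow(ZETA, _bitrev8(k), Q)) % Q
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % Q
                a[j + length] = zeta * (t - a[j + length]) % Q
        length *= 2
    n_inv = pow(N, -1, Q)
    return [x * n_inv % Q for x in a]


def poly_mul_ntt(a, b):
    """a * b mod (X^256 + 1, q) via NTT: O(n log n) transforms + pointwise products."""
    return invntt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def poly_mul_schoolbook(a, b):
    """O(n^2) negacyclic multiplication used only as the correctness oracle."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                c[k] = (c[k] + ai * bj) % Q
            else:  # X^256 == -1, so the wrapped term changes sign
                c[k - N] = (c[k - N] - ai * bj) % Q
    return c


def latency_ms(cycles: int, hz: float) -> float:
    """Wall-clock time of a cycle count at a given clock, in milliseconds."""
    return cycles * 1000.0 / hz


def demo() -> bool:
    """Constructed deterministic inputs; True if NTT and schoolbook products agree."""
    a = [(i * 7919 + 13) % Q for i in range(N)]
    b = [(i * i * 104729 + 7) % Q for i in range(N)]
    return poly_mul_ntt(a, b) == poly_mul_schoolbook(a, b)


if __name__ == "__main__":
    print("NTT product matches schoolbook:", demo())
    print("Dilithium-II verify at 100 MHz: %.2f ms" % latency_ms(911_366, 100e6))
    print("Falcon-512 verify at 100 MHz:   %.2f ms" % latency_ms(759_779, 100e6))
```

The schoolbook routine exists only to validate the transform; a real verifier would keep the public key's matrix in the NTT domain and perform one inverse transform per product, which is exactly the step that dedicated hardware support targets.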
Author(s)