Authors: Abdulrahman, Amin; Oberhansl, Felix Fritz; Hien Pham, Hoang Nguyen; Philipoom, Jade; Schwabe, Peter; Stelzer, Tobias; Seelos-Zankl, Andreas
Dates: 2025-08-14; 2025
URL: https://publica.fraunhofer.de/handle/publica/490529
DOI: 10.1109/SP61157.2025.00220
Scopus ID: 2-s2.0-105009323257

Abstract: This paper presents extensions to the OpenTitan hardware root of trust that aim at enabling high-performance lattice-based cryptography. We start by carefully optimizing ML-KEM and ML-DSA, the two algorithms primarily recommended and standardized by NIST, in software targeting the OpenTitan Big Number (OTBN) accelerator. Based on profiling results of these implementations, we propose tightly integrated extensions to OTBN, specifically an interface from OTBN to OpenTitan's Keccak accelerator (KMAC core) and extensions to the OTBN ISA to support operations on 256-bit vectors. We implement these extensions in hardware and show that we achieve a speedup by a factor between 6 and 9 for different operations and parameter sets of ML-KEM and ML-DSA compared to our baseline implementation on unmodified OTBN. This speedup is achieved with an increase in cell count of less than 17% in OTBN, which corresponds to an increase of less than 3% for the full Earl Grey OpenTitan core.

Language: en
Keywords: hw/sw co-design; instruction set extension; ml-dsa; ml-kem; opentitan; post-quantum cryptography
Title: Towards ML-KEM & ML-DSA on OpenTitan
Type: conference paper