Exclusive: Frontier of Chip Technology

The development of post-quantum cryptography algorithm and chip design

  • LIU Dongsheng,
  • LI Aobo,
  • HU Ang,
  • LU Jiahao,
  • HUANG Tianze,
  • YANG Shuo,
  • LI Xiang,
  • ZHANG Jiaming
  • School of Integrated Circuits, Huazhong University of Science and Technology, Wuhan 430074, China

Received date: 2022-11-17

Revised date: 2023-01-18

Online published: 2024-04-15

Abstract

Post-quantum cryptography is a new generation of cryptographic technology for defending against attacks by quantum computers. It is regarded as a reliable alternative to traditional cryptosystems, and relevant international standards are gradually emerging. This paper briefly reviews the development of post-quantum cryptography and analyzes the latest progress, mathematical principles and characteristics of current algorithm research. On this basis, post-quantum cryptography is analyzed at three levels: the algorithm, the hardware architecture, and the specific circuit implementation. We then identify the key technologies that future research needs to overcome, such as efficient hardware implementation, dynamic reconfigurability, side-channel attack defense, and secure SoC integration. Moreover, low-power post-quantum cryptographic chips, high-performance post-quantum cryptographic chips, and the core modules within them, such as hashing, random sampling, operation acceleration and logic processing, are described in detail. Finally, we summarize the application status and research value of current chip implementations in terms of efficient IP design for core circuits, multi-scenario application compatibility, multiple defense mechanisms, and integration into the information infrastructure, and cover the future trend toward industrialization and diversification. Studying post-quantum cryptography algorithms and their key technologies, and then exploring efficient chip design and implementation methods, promotes research on the theory and application of public-key cryptosystems resistant to quantum attacks and provides a guarantee for China's information security strategy in the quantum era.

Cite this article

LIU Dongsheng, LI Aobo, HU Ang, LU Jiahao, HUANG Tianze, YANG Shuo, LI Xiang, ZHANG Jiaming. The development of post-quantum cryptography algorithm and chip design[J]. Science & Technology Review, 2024, 42(2): 20-30. DOI: 10.3981/j.issn.1000-7857.2024.02.003
