Designing and Implementing Efficient and Secure Hardware Primitives for ML-KEM

Date

2026

Publisher

The University of Sheffield

Abstract

The transition to post-quantum cryptography (PQC) has become urgent in order to secure digital communications against the emerging threat of quantum computing. The Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM), formerly known as CRYSTALS-KYBER and recently standardised by the National Institute of Standards and Technology (NIST) as its primary PQC key encapsulation mechanism, offers strong theoretical security guarantees but is challenging to implement both efficiently and securely. This thesis presents the design, optimisation, and verification of efficient and secure hardware polynomial multipliers for ML-KEM, with a focus on performance, area efficiency, and resistance to side-channel and fault injection attacks. Towards this goal, the residue number system (RNS) and the redundant residue number system (RRNS) are considered as efficient and inherently secure methods of implementation. Firstly, a high-speed number theoretic transform (NTT)-based polynomial multiplier for ML-KEM is presented. The proposed architecture uses RNS to accelerate the dominant operation in the NTT, namely integer modular multiplication. The RNS arithmetic is implemented with a read-only memory (ROM)-based architecture and combined with an efficient memory-access scheme to form a hardware accelerator on a Field Programmable Gate Array (FPGA), yielding a significant improvement over state-of-the-art results. Secondly, an RNS NTT-based polynomial multiplier for ML-KEM is presented, in which the RNS methodology is extended to the whole polynomial multiplication of ML-KEM for both efficiency and side-channel protection. The FPGA implementation results and an experimental side-channel leakage evaluation show that the design is efficient and effective in protecting against side-channel leakage. Thirdly, a fault detection architecture for the polynomial multiplication of ML-KEM is proposed. The design uses the RRNS and is applied to the polynomial multiplication of ML-KEM. The proposed method detects any single fault in an RRNS residue with 100% error coverage, and the FPGA implementation results show minimal area and time overhead.
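The abstract names two hardware ideas: carrying the modular multiplication inside the NTT butterfly in a residue number system, and adding a redundant residue so that a single corrupted residue can be detected. The following Python model is added to this record and is not code from the thesis. It implements the ML-KEM NTT as specified in FIPS 203 (q = 3329, n = 256, ζ = 17) with a pluggable modular multiplier, runs the polynomial multiplication once with an ordinary multiplier and once with an RRNS multiplier, checks both against schoolbook multiplication, and then measures single-residue fault coverage. The moduli set (255, 256, 257) with redundant modulus 263 is an assumption chosen for this example, not the thesis's parameters, and the CRT reconstruction computes the per-channel terms rather than reading them from a ROM as the thesis's architecture does.

```python
"""ML-KEM NTT (FIPS 203) with its butterfly multiplier in a residue number system, plus an
RRNS single-fault check. Added illustration, not the thesis's design; the moduli (255, 256,
257) and the redundant modulus 263 are an assumption chosen here."""
import random
from functools import reduce

Q, N, ZETA, N_INV = 3329, 256, 17, 3303  # FIPS 203: modulus, degree, 256th root of unity, 128^-1
INFO_MODULI = (255, 256, 257)            # pairwise coprime; product M = 16,776,960 > (Q-1)^2
REDUNDANT_MODULUS = 263                  # larger than every information modulus (assumption)
ALL_MODULI = INFO_MODULI + (REDUNDANT_MODULUS,)
M_LEGIT = reduce(lambda a, b: a * b, INFO_MODULI)  # legitimate products lie in [0, M_LEGIT)

def crt(residues, moduli):
    """CRT reconstruction into [0, prod(moduli)); the thesis's ROM-based unit tabulates these terms."""
    total = reduce(lambda a, b: a * b, moduli)
    return sum(r * (total // m) * pow(total // m, -1, m)
               for r, m in zip(residues, moduli)) % total

def rrns_check(residues):
    """Returns (value, faulty): one corrupted residue shifts the reconstruction by >= M_LEGIT."""
    x = crt(residues, ALL_MODULI)
    return x, x >= M_LEGIT

def rns_product(a, b):
    """Channel-wise product: four narrow independent multipliers instead of one wide one."""
    return tuple((a % m) * (b % m) % m for m in ALL_MODULI)

def rns_mulmod(a, b):
    """a*b mod Q through the RRNS multiplier; a detected fault is never released."""
    x, faulty = rrns_check(rns_product(a, b))
    if faulty:
        raise RuntimeError("RRNS single-residue fault detected")
    return x % Q

plain_mulmod = lambda a, b: a * b % Q  # the single wide multiplier an RNS design replaces

def bitrev7(k):
    return int(f"{k:07b}"[::-1], 2)

def ntt(f, mulmod=plain_mulmod):
    """FIPS 203 Algorithm 9; `mulmod` is the modular multiplier used by every butterfly."""
    f, k, length = list(f), 1, 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            zeta, k = pow(ZETA, bitrev7(k), Q), k + 1
            for j in range(start, start + length):
                t = mulmod(zeta, f[j + length])
                f[j + length], f[j] = (f[j] - t) % Q, (f[j] + t) % Q
        length //= 2
    return f

def intt(f, mulmod=plain_mulmod):
    """FIPS 203 Algorithm 10 (inverse NTT)."""
    f, k, length = list(f), 127, 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            zeta, k = pow(ZETA, bitrev7(k), Q), k - 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = mulmod(zeta, (f[j + length] - t) % Q)
        length *= 2
    return [mulmod(x, N_INV) for x in f]

def mul_ntt(fh, gh, mulmod=plain_mulmod):
    """FIPS 203 MultiplyNTTs: 128 products of degree-1 polynomials modulo X^2 - gamma_i."""
    h = [0] * N
    for i in range(128):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1, b0, b1 = fh[2 * i], fh[2 * i + 1], gh[2 * i], gh[2 * i + 1]
        h[2 * i] = (mulmod(a0, b0) + mulmod(mulmod(a1, b1), gamma)) % Q
        h[2 * i + 1] = (mulmod(a0, b1) + mulmod(a1, b0)) % Q
    return h

def poly_mul(f, g, mulmod=plain_mulmod):
    return intt(mul_ntt(ntt(f, mulmod), ntt(g, mulmod), mulmod), mulmod)

def poly_mul_schoolbook(f, g):
    """Reference negacyclic product in Z_Q[X]/(X^256 + 1), used only to check the NTT path."""
    r = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            r[(i + j) % N] += fi * gj if i + j < N else -fi * gj
    return [x % Q for x in r]

def single_fault_coverage(trials, seed=1):
    """Corrupt one random residue of a random product by a non-zero amount; returns (trials, detected)."""
    rng, detected = random.Random(seed), 0
    for _ in range(trials):
        res = list(rns_product(rng.randrange(Q), rng.randrange(Q)))
        i = rng.randrange(len(ALL_MODULI))
        res[i] = (res[i] + rng.randrange(1, ALL_MODULI[i])) % ALL_MODULI[i]
        detected += rrns_check(tuple(res))[1]
    return trials, detected

if __name__ == "__main__":
    rng = random.Random(0)
    f, g = [rng.randrange(Q) for _ in range(N)], [rng.randrange(Q) for _ in range(N)]
    print("RRNS NTT == schoolbook:", poly_mul(f, g, rns_mulmod) == poly_mul_schoolbook(f, g))
    print("single-fault coverage (trials, detected):", single_fault_coverage(1000))
```

The detection argument is the one the code relies on: a legitimate product is below M = 255·256·257, and a wrong residue in channel i changes the CRT result by a non-zero multiple of (M·263)/m_i, which is at least M, so the result cannot stay inside [0, M) and is flagged. This is why the redundant modulus must be no smaller than every information modulus: with a smaller redundant modulus, an error in the largest channel could shift the value by less than M and go undetected.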

Keywords

PQC, NTT, ML-KEM, CRYSTALS-KYBER, FPGA, RNS, RRNS

Copyright owned by the Saudi Digital Library (SDL) © 2026