Evaluating NTT/INTT Implementation Styles for Post-Quantum Cryptography

Unifying the forward and inverse operations of the number theoretic transform (NTT) into a single hardware module is a common practice when designing polynomial coefficient multiplier accelerators as used in the post-quantum cryptographic algorithms. This letter experimentally evaluates that this design unification is not always advantageous. In this context, we present three NTT hardware architectures: 1) a forward NTT (FNTT) architecture; 2) an inverse NTT (INTT) architecture; and 3) a unified NTT (UNTT) architecture for computing the FNTT and INTT computations on a single design. We benchmark our throughput/area and energy/area evaluations on Xilinx Virtex-7 field-programmable gate array (FPGA) and 28-nm application-specific integrated circuit (ASIC) platforms. The standalone FNTT and INTT designs, on average on FPGA, exhibit <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$4.66\times $ </tex-math></inline-formula> and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$3.75\times $ </tex-math></inline-formula> higher throughput/area and energy/area values, respectively, than the UNTT design. Similarly, the individual FNTT and INTT designs, on average on ASIC, achieve <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$1.25\times $ </tex-math></inline-formula> and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$1.09\times $ </tex-math></inline-formula> higher throughput/area and energy/area values, respectively, compared to the UNTT design.

Hali tarjima qilinmagan