International Association for Cryptologic Research

Crypto 2024

Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit


Markku-Juhani Saarinen
Tampere University


Keywords: FIPS 205, SLH-DSA, SPHINCS+, Root-of-Trust, Side-Channel Security


Abstract

We report on efficient and secure hardware implementation techniques for the FIPS 205 SLH-DSA Hash-Based Signature Standard. We demonstrate that very significant overall performance gains can be obtained from hardware that optimizes the padding formats and iterative hashing processes specific to SLH-DSA. A prototype implementation, SLotH, contains Keccak/SHAKE, SHA2-256, and SHA2-512 cores and supports all 12 parameter sets of SLH-DSA. SLotH also supports side-channel secure PRF computation and Winternitz chains. SLotH drivers run on a small RISC-V control core, as is common in current Root-of-Trust (RoT) systems.

The new features make SLH-DSA on SLotH many times faster compared to similarly-sized general-purpose hash accelerators. Compared to unaccelerated microcontroller implementations, the performance of SLotH’s SHAKE variants is up to 300× faster; signature generation with the 128f parameter set is 4,903,978 cycles, while signature verification with the 128s parameter set is only 179,603 cycles. The SHA2 parameter sets have approximately half of the speed of the SHAKE parameter sets. We observe that the signature verification performance of SLH-DSA’s “s” parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGE (all parameter sets). The Keccak Threshold Implementation adds another 130 kGE.

We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the SK.seed master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.

Publication

Crypto 2024

Paper

Artifact

Artifact number
crypto/2024/a7

Artifact published
August 15, 2024

README

ZIP (500 KB)

View on Github

License
This work is licensed under the 3-Clause BSD License.

Some files in this archive are licensed under a different license. See the contents of this archive for more information.


How to cite

Saarinen, M. (2024). Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – Crypto 2024. Lecture Notes in Computer Science, vol. 14920. Springer, Cham. https://doi.org/10.1007/978-3-031-68376-3_9. Artifact available at https://artifacts.iacr.org/crypto/2024/a7