Crypto 2024
Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit
Markku-Juhani Saarinen
Tampere University
Keywords: FIPS 205, SLH-DSA, SPHINCS+, Root-of-Trust, Side-Channel Security
Abstract
We report on efficient and secure hardware implementation techniques for the FIPS 205 SLH-DSA Hash-Based Signature Standard. We demonstrate that very significant overall performance gains can be obtained from hardware that optimizes the padding formats and iterative hashing processes specific to SLH-DSA. A prototype implementation, SLotH, contains Keccak/SHAKE, SHA2-256, and SHA2-512 cores and supports all 12 parameter sets of SLH-DSA. SLotH also supports side-channel secure PRF computation and Winternitz chains. SLotH drivers run on a small RISC-V control core, as is common in current Root-of-Trust (RoT) systems.
The new features make SLH-DSA on SLotH many times faster than similarly-sized general-purpose hash accelerators. Compared to unaccelerated microcontroller implementations, the performance of SLotH’s SHAKE variants is up to 300× faster; signature generation with the 128f parameter set is 4,903,978 cycles, while signature verification with the 128s parameter set is only 179,603 cycles. The SHA2 parameter sets run at approximately half the speed of the SHAKE parameter sets. We observe that the signature verification performance of SLH-DSA’s “s” parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGE (all parameter sets). Keccak Threshold Implementation adds another 130 kGE.
We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the SK.seed master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.
Publication
Crypto 2024
Artifact number
crypto/2024/a7
Artifact published
August 15, 2024
License
This work is licensed under the 3-Clause BSD License.
Some files in this archive are licensed under a different license. See the contents of this archive for more information.
How to cite
Saarinen, M. (2024). Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – Crypto 2024. Lecture Notes in Computer Science, vol. 14920. Springer, Cham. https://doi.org/10.1007/978-3-031-68376-3_9. Artifact available at https://artifacts.iacr.org/crypto/2024/a7