Crypto 2024
Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit
README
SLotH
An accelerator / codesign for SLH-DSA ("Stateless Hash-Based Digital Signature Standard") as described in FIPS 205 Initial Public Draft from August 2023.
To cite this work, and the related CRYPTO 2024 Paper, please use:
@InProceedings{ Sa24,
author = {Markku-Juhani O. Saarinen},
title = {Accelerating {SLH}-{DSA} by Two Orders of Magnitude with a
Single Hash Unit},
booktitle = {Advances in Cryptology - {CRYPTO} 2024 - 44th Annual
International Cryptology Conference, {CRYPTO} 2024, Santa
Barbara, CA, USA, August 18-2, 2024, Proceedings},
note = {Available as IACR ePrint Report 2024/367},
url = {https://eprint.iacr.org/2024/367},
pages = {to appear},
year = {2024}
}
Downloading
To clone the repository:
git clone https://github.com/slh-dsa/sloth.git
What's where
sloth
├── slh # Self-Contained C Implementation of SLH-DSA
├── rtl # Verilog HDL source code
├── drv # Accelerator drivers and test code
├── kat # SLH-DSA Known Answer Test data
├── flow # Misc files for FPGA and ASIC flows
├── Makefile # Convenience Makefile for the Accelerator
├── LICENSE
└── README.md
Core SLH-DSA Algorithm in ANSI C
The SLotH accelerator uses a core SLH-DSA algorithm implementation contained in the
slh directory. The core implementation is self-contained ANSI C code and should be able to run on pretty much any target. There are no prerequisites except for make
and a C compiler.
cd sloth/slh
make test
See slh/README.md for more information.
Verilator Simulation
As a prerequisite for simulation, you'll need:
- Verilator verilog simulator.
- A RISC-V cross-compiler that supports bare-metal targets. You can build a suitable riscv-gnu-toolchain
with./configure --enable-multilib
andmake newlib
.
Both of these may be available as packages for Linux operating systems. The name of your toolchain is set in XCHAIN
variable in the Makefile.
To build and run a quick end-to-end test, try:
make veri
After a successful compilation the output should look something like this:
./_build/Vsim_tb
[GPIO] 00 x 0
[RESET] ______ __ __ __
/ __/ / ___ / /_/ // / SLotH Accelerator Test 2024/05
_\ \/ /__/ _ \/ __/ _ / SLH-DSA / FIPS 205 ipd
/___/____/\___/\__/_//_/ markku-juhani.saarinen@tuni.fi
[INFO] === Basic health test ===
[CLK] 775 sha256_compress()
[PASS] sha256 ( chk= 55F39AFA )
[CLK] 1462 sha512_compress()
[PASS] sha512 ( chk= 1F59A287 )
[CLK] 1467 keccak_f1600()
[PASS] shake256 ( chk= 07C97065 )
[INFO] === Testbench ===
[INFO] SLH-DSA-SHAKE-128f
[INFO] kat test count = 0
[CLK] SLH-DSA-SHAKE-128f 204310 slh_keygen()
[STK] SLH-DSA-SHAKE-128f 3156 slh_keygen()
[PASS] sk ( chk= BCA6B2C3 )
[CLK] SLH-DSA-SHAKE-128f 4943111 slh_sign()
[STK] SLH-DSA-SHAKE-128f 3380 slh_sign()
[PASS] sm ( chk= C03DA016 )
[CLK] SLH-DSA-SHAKE-128f 434660 slh_verify()
[STK] SLH-DSA-SHAKE-128f 3284 slh_verify()
[PASS] slh_verify() flip bit = 12389
[PASS] All tests ok.
UART Test. Press x to exit.
GPIO 0xAA
UART 0x78 x
exit()
[**TRAP**] 8392281
- rtl/sim_tb.v:36: Verilog $finish
The readout from this particular execution of SLH-DSA-SHAKE-128f is that KeyGen was 204310 cycles, signing was 4943111 cycles, and verification was 434660 cycles. Furthermore, the self-tests were a PASS; the output matched the Known Answer Tests. Modify the end of test_bench.c
to have broader test behavior.
Some other targets
make prog_cw305
: Create and program the bitstream on CW305 (program using ChipWhisperer.)make prog_vcu118
: Ditto for on VCU118 (program using Vivado's hardware manager.)make synth
: Run a Nangate45 synthesis and timing (using Yosys/OpenSTA. See flow/yosys-sys.)make prof
: Profiling (see the per-code line instruction counts in annotated source files created in directory_prof
).
Side-Channel Collection
I collect traces from the 20dB low amplified SMA connector (X4). Bit 0 of the GPIO register connects to the SMA connector T13 "CLKOUT" on the board, and this is used as a trigger by test_leak.c
. The trace collection and analysis stuff is not included, and anyway works only with my oscilloscope.