Securing M2M with Post-Quantum Public-Key Cryptography

106 IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS, VOL. 3, NO. 1, MARCH 2013

Securing M2M With Post-Quantum Public-Key Cryptography

Jie-Ren Shih, Yongbo Hu, Ming-Chun Hsiao, Ming-Shing Chen, Wen-Chung Shen, Bo-Yin Yang, An-Yeu Wu, Senior Member, IEEE, and Chen-Mou Cheng

Abstract—In this paper, we present an ASIC implementation of two post-quantum public-key cryptosystems (PKCs): NTRUEncrypt and TTS. It represents a first step toward securing machine-to-machine (M2M) systems using strong, hardware-assisted PKC. In contrast to the conventional wisdom that PKC is too "expensive" for M2M sensors, it can actually lower the total cost of ownership because of cost savings in provision, deployment, operation, maintenance, and general management. Furthermore, PKC can be more energy-efficient because PKC-based security protocols usually involve less communication than their symmetric-key-based counterparts, and communication is getting relatively more and more expensive compared with computation. More importantly, recent algorithmic advances have brought several new PKCs, NTRUEncrypt and TTS included, that are orders of magnitude more efficient than traditional PKCs such as RSA. It is therefore our primary goal in this paper to demonstrate the feasibility of using hardware-based PKC to provide general data security in M2M applications.

Index Terms—Bluespec SystemVerilog, lattice-based cryptography, multivariate cryptography.

Manuscript received August 06, 2012; revised December 31, 2012; accepted January 05, 2013. Date of current version March 07, 2013. This work was supported by the National Science Council, National Taiwan University and Intel Corporation under Grant NSC101-2911-I-002-001 and Grant NTU102R7501. This paper was recommended by Guest Editor F. Koushanfar. The authors are with Intel-NTU Connected Context Computing Center, National Taiwan University, Taipei 10617, Taiwan. Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/JETCAS.2013.2244772. 2156-3357/$31.00 © 2013 IEEE

I. INTRODUCTION

Cryptography is the foundation of data security. There are mainly two kinds of cryptography in use today, symmetric-key and public-key cryptography. In the former, the communicating parties are assumed to share one or more secret keys a priori. How they can establish such a shared secret is often referred to as the key-exchange problem. This problem is challenging not only from a technical but also from a managerial point of view, as we will need to manage keys in a network of size .

Public-key cryptography (PKC), on the other hand, provides an elegant solution to the key-exchange problem. With PKC, key management becomes straightforward. A user can encrypt a short-lived session key using the communicating party's public key and simply send out the encrypted key. PKC ensures that only the holder of the corresponding private key can decrypt and obtain the session key. Furthermore, PKC can provide digital signatures, which, like a person's signature, provide an efficient means of authentication. As a result, PKC proliferates in today's Internet age and permeates many aspects of our daily life, ranging from communication to electronic commerce.

However, there is an emerging threat to the prevailing PKCs due to the recent development of quantum computers. The security of RSA, currently the most popular PKC, depends on the difficulty of the integer factorization problem, while that of ECC, the runner-up PKC, depends on the discrete logarithm problem. As Shor has shown, both of them would be solved by large quantum computers in polynomial time [1]. Such a threat is more relevant in the machine-to-machine (M2M) context, as these systems tend to operate over a long period of time, and we certainly should take precaution against such a catastrophic attack, even though it might only happen in the distant future.

There are mostly four different kinds of approaches composing the so-called "post-quantum cryptography": lattice-based cryptography, multivariate cryptography, hash-based signatures, and code-based cryptography. In this paper, we focus on NTRUEncrypt, a lattice-based cryptosystem, and TTS, a multivariate cryptosystem, as candidates in system development.

A. Previous Attempts of Securing M2M Systems

As networked machines become more popular in our daily lives, information security on these devices becomes an important issue. Traditionally, PKC is regarded as too expensive to deploy in M2M systems. Typical M2M systems only have limited computational power, making deploying strong cryptography on them extremely challenging.

There have been numerous proposals from the academic research community on how to secure M2M systems [2], [3]. Most of them use software-based symmetric-key cryptography. For example, TinySec provides link-layer security for sensor networks using a software implementation of symmetric-key cryptosystems [4]. In many proposals, more bits will need to be sent over the air to achieve a certain level of security, so using hardware accelerators may not necessarily help in these cases [2]. The same functionality would be achieved by PKC in a more communication-efficient way. This is becoming more attractive as computation is getting cheaper in terms of hardware cost and energy consumption, while wireless communication is less so at the same time. As a result, communication is becoming more expensive compared with computation, not to mention that spectrum will become one of the scarcest resources when billions of M2M sensors are deployed and trying to send out their readings over the air. In this case, it is advantageous to use PKC on sensors for the sake of reducing communication cost.

Lastly, there have been several attempts at employing software-based PKC to secure inter-sensor communication [5], [6]. People have demonstrated that it is possible to run PKC on sensors with acceptable performance. We believe that this is the right direction to pursue, and we plan to take it further by hardware acceleration.

[Fig. 1. Convolutional polynomial multiplication in NTRUEncrypt.]

B. Contributions

Our approach is to provide a foundation for information security using hardware-assisted PKC. Specifically, we plan to design and implement a complete, proof-of-concept PKC-based system. We choose two types of PKCs to support. First, multivariate cryptosystems enjoy the benefit of executing much faster than traditional cryptosystems on the same hardware, making them ideal for securing sensors in M2M systems [7]. Specifically, we support the (24,20,20) variant of TTS over , which takes a 200-bit message digest and produces a 320-bit signature, providing a security level of about 80 bits. Second, we will include lattice-based cryptosystems such as NTRUEncrypt to provide encryption for key exchange [8]. Specifically, we support the ees397ep1 variant of NTRUEncrypt, which encrypts a plaintext of up to 397 bits and produces a ciphertext 3573 bits long, providing a security level of about 128 bits. These are also future-proof in the sense that they can defend against attacks by thousand-qubit quantum computers, which might emerge in the next few decades. Based on these primitives, we can implement security protocols and services like multi-way authentication, key exchange, digital signature, etc.

[Fig. 2. Architecture for systolic Gaussian elimination.]

The main contributions of this paper include the following.

• We present an efficient hardware design that supports two post-quantum PKCs, namely, NTRUEncrypt and the TTS signature scheme. Our approach allows reuse not only of sequential but also of combinational circuits, resulting in a much more compact design than if the two were done separately.

• By using the high-level design tool Bluespec SystemVerilog, we are able to extensively explore the architectural design space, including experimenting with an iterative linear system solver, which, to the best of our knowledge, has not been investigated for solving such small systems.

• We identify the designs that provide the best trade-off between time, area, and total cycle count in order to minimize total energy consumption. This is especially important for M2M sensors, as many of them run on limited energy sources such as batteries.

C. Organization

The rest of this paper is organized as follows. In Sections II and III, we give the details of the implemented algorithms, NTRUEncrypt and TTS, respectively. The hardware design of these algorithms is also described at the end of each section. We show our implementation strategy for designing the ASIC in Section IV and compare the implementation results in Section V. Specifically, we will show and compare side-by-side the results obtained by a high-level synthesis tool, Bluespec SystemVerilog, against those obtained by the more traditional hand-optimized RTL-based design. Finally, we conclude this paper by giving a few future directions of work in Section VI.

II. NTRUENCRYPT

NTRUEncrypt is a lattice-based cryptosystem whose security is based on the hardness of the shortest vector problem in high-dimensional Euclidean lattices [9]. The main operations in NTRUEncrypt involve arithmetic in a polynomial ring . The addition in this ring is straightforward polynomial addition, while the multiplication in this ring is convolutional, as shown in Fig. 1. All polynomials in the ring have integral coefficients (modulo some integers), and their degrees are at most , so a typical element can be represented as . NTRUEncrypt is parameterized by three parameters, , , and , which satisfy the following conditions.

• is a prime number such that the maximal degree for all polynomials in the ring is .

• and are two possible moduli for the coefficients of the polynomials in , with , and .

After arithmetic operations in , the coefficients of the polynomials need to be reduced either modulo or .

A. Operations

NTRUEncrypt consists of three parts: key generation, en-
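The ring arithmetic described in Section II, as an added example that is not code from the paper or its ASIC design: a small Python model of the NTRUEncrypt polynomial ring with the convolutional (cyclic) multiplication of Fig. 1, plain addition, and reduction of the coefficients modulo either of the two moduli. The names N, p and q, the list-of-coefficients representation, and the parameter check are this example's own choices (the paper's notation did not survive extraction); the toy parameter values in the demo are constructed for illustration and are not the ees397ep1 parameter set.

```python
"""Toy model of arithmetic in Z[X]/(X^N - 1), the ring NTRUEncrypt works in.

Added example, not the paper's code.  N, p, q and the list representation
are this example's names (the paper's symbols were lost in extraction).
A polynomial a_0 + a_1 X + ... + a_{N-1} X^{N-1} is the list [a_0, ..., a_{N-1}].
"""
from math import gcd


def is_prime(n):
    """Trial division; NTRU's N is a few hundred, so this is sufficient."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_params(N, p, q):
    """Standard NTRU parameter conditions: N prime, p and q coprime moduli,
    with q larger than p (NTRU needs q considerably larger than p)."""
    return is_prime(N) and gcd(p, q) == 1 and q > p


def reduce_coeffs(a, mod, centered=False):
    """Reduce every coefficient modulo `mod`.  With centered=True the
    representative is taken in (-mod/2, mod/2], which keeps small
    coefficients small instead of wrapping them to values near mod."""
    out = []
    for c in a:
        r = c % mod
        if centered and r > mod // 2:
            r -= mod
        out.append(r)
    return out


def monomial(k, N, coeff=1):
    """The polynomial coeff * X^k as a length-N coefficient list."""
    a = [0] * N
    a[k % N] = coeff
    return a


def ring_add(a, b, N, mod=None):
    """Plain coefficient-wise addition, optionally reduced modulo `mod`."""
    assert len(a) == N and len(b) == N
    c = [x + y for x, y in zip(a, b)]
    return reduce_coeffs(c, mod) if mod else c


def ring_mul(a, b, N, mod=None):
    """Convolutional multiplication: because X^N = 1, the term X^i * X^j
    lands on X^((i + j) mod N), so the degree never exceeds N - 1.
    This is the operation Fig. 1 of the paper illustrates."""
    assert len(a) == N and len(b) == N
    c = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue  # one NTRU operand is usually sparse; skipping zeros is cheap
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return reduce_coeffs(c, mod) if mod else c


def demo():
    """Constructed toy parameters (N=7, p=3, q=32), not the ees397ep1 set."""
    N, p, q = 7, 3, 32
    assert check_params(N, p, q)
    a = [1, 2, 0, 0, 0, 0, 0]                  # 1 + 2X
    wrapped = ring_mul(a, monomial(6, N), N)   # X^6 + 2X^7 = 2 + X^6 since X^7 = 1
    rotated = ring_mul(a, monomial(1, N), N)   # multiplying by X rotates the list
    full = ring_mul([5] * N, [5] * N, N, mod=q)  # 7 * 25 = 175 per coefficient -> 15 mod 32
    small = reduce_coeffs(full, p, centered=True)  # 15 mod 3 = 0
    return wrapped, rotated, full, small


if __name__ == "__main__":
    print(demo())
```

The `(i + j) % N` index in `ring_mul` is the whole of the "convolutional" property: a product of two length-N lists stays a length-N list, which is also why the paper's hardware can stream coefficients through a fixed-size datapath rather than growing an intermediate of degree 2N-2.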
