Side-channel resistant hardware implementation of the Keccak Hash Primitive

In our digital era, communication security is of utter importance and this is where cryptography comes into play. Cryptography is the enabling factor to perform encryption and authentication algorithms which are necessary to guarantee the legitimacy of any given data. The most widespread algorithms are based on so called hard mathematical problems, which are computationally unfeasible to solve in reasonable time. This principles are believed to provide a sufficient degree of security. However, with the advent of efficient quantum computers the above mentioned algorithms will not be resistant enough to protect data. Even if such quantum computers are still not available, starting in the 2015 the National Institute of Standards and Technology (NIST) launched the public standardization process for Post-Quantum Cryptography (PQC) algorithms. These algorithms are designed to be run on classical computing systems but still offering a security level which is believed enough to be resistant to quantum computer attacks. Among these, focusing in particular on secure key encapsulation mechanisms which are crucial for secure communications, CRYSTALS-Kyber has been recently standardized and is now recognizable as FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) after a few proper modifications. As the name suggests, ML-KEM algorithm is based on hard problems over module lattices and is designed to be resistant to attacks performed by large quantum computers. The main operations required by ML-KEM are Number Theoretic Transform (NTT), modular additions and multiplications, and variants of Keccak. The latter, together with the NTT, are required frequently in the flow of ML-KEM and are in fact proven to be the main bottleneck for CPU execution of its software implementations. In this thesis we address the problem of the Keccak primitive computation by performing a complete study up to the design of a FIPS 202 hardware accelerator, which is the current standard for all Keccak variants. The scope of the accelerator extends to a broader view, which is to allow much more efficient runs of ML-KEM. On top of that, the key exchange mechanism is not the only vulnerable spot for security. When dealing with hardware implementations, an attacker could be able to reveal the secret keys by physically probing the circuit and collecting enough execution traces to reconstruct sensitive data. This procedure is commonly known in the field as side channel attack, which indeed exploits possible sources of information that differ from the processed data itself, but are instead indirect quantities produced by the circuit itself as it is a physical existing object. Some examples of exploitable side channels are timing information, power consumption, electromagnetic leaks, and sound. Our work also addresses the side channels weaknesses and is in fact centered around a first-order resistant implementation of a Keccak core, which makes it the first complete FIPS 202 accelerator with such characteristics. In conclusion, we performed the synthesis of the design using a 22nm FDSOI library, and the ultimate objective will be to integrate the accelerator within a cryptography-oriented system-on-chip.