Mar 4 2019
Researchers at MIT have created an innovative cryptography circuit, using which low-power “internet of things” (IoT) devices can be protected in the evolving quantum computing age.
MIT researchers have developed a novel chip that can compute complex quantum-proof encryption schemes efficiently enough to protect low-power “internet of things” (IoT) devices. (Image credit: Image courtesy of the researchers)
Principally, quantum computers have the ability to perform calculations that are currently practically not feasible for classical computers. If quantum computers are brought online and to market, someday, it might be possible to achieve advances in drug discovery, medical research, and other applications. However there is a problem: In case hackers too have access to quantum computers, they could possibly gain access through the robust encryption schemes that are protecting the data exchanged between devices at present.
The most propitious quantum-resistant encryption scheme used at present is known as “lattice-based cryptography,” which conceals information in highly complex mathematical structures. Until now, there has been no known quantum algorithm with the ability to break through its defenses. However, these schemes are very much computationally intense for IoT devices, which can only allocate energy sufficient for simple data processing.
In a paper presented recently at the International Solid-State Circuits Conference, MIT scientists have reported about an innovative circuit architecture as well as statistical optimization tricks that can be applied to effectively compute lattice-based cryptography. The size of the chips created researchers was only 2 mm2 and they are adequately efficient to be integrated into any existing IoT device.
The architecture can be customized to incorporate the multiple lattice-based schemes that are being analyzed at present as a preparation for the time when quantum computers will be online.
That might be a few decades from now, but figuring out if these techniques are really secure takes a long time. It may seem early, but earlier is always better.
Utsav Banerjee, Graduate Student, Electrical Engineering and Computer Science, MIT.
Banerjee is also the first author of the study.
Furthermore, according to the researchers, the circuit is the first ever to comply with standards for lattice-based cryptography established by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce that finds and writes regulations for existing encryption schemes.
Banerjee was joined by Anantha Chandrakasan, dean of MIT’s School of Engineering and the Vannevar Bush Professor of Electrical Engineering and Computer Science, and Abhishek Pathak of the Indian Institute of Technology on this study.
Efficient Sampling
In the mid-1990s, Peter Shor, an MIT Professor, created a quantum algorithm with the ability to typically break through all sophisticated cryptography schemes. From that time, NIST has been making attempts to find the most secure postquantum encryption schemes. This occurs in phases; where each phase boils down to a list of most practical and secure schemes. Two weeks earlier, the agency commenced its second phase of postquantum cryptography, where lattice-based schemes made up half of its list.
In this study, the scientists initially executed a number of NIST lattice-based cryptography schemes from the agency’s first phase on commercial microprocessors. This brought to light two obstacles to better performance and efficiency: data storage and the generation of random numbers.
The generation of random numbers is the most crucial aspect of all cryptography schemes, since these numbers are applied to create secure encryption keys that are hard to be predicted. Such calculations are performed by means of a two-step process known as “sampling.”
As part of sampling, pseudorandom numbers are first generated from a known, finite set of values with an equal probability of being chosen. Subsequently, in a “postprocessing” step, those pseudorandom numbers are converted into a distinct probability distribution with a stipulated standard deviation—a limit for the extent to which the values can differ from one another—which further randomizes the numbers. Essentially, it is necessary for the random numbers to satisfy statistical parameters that are chosen carefully. Nearly 80% of all the computation energy required for lattice-based cryptography is consumed by this complex mathematical problem.
Once all available sampling techniques were scrutinized, the scientists discovered that one technique, known as SHA-3, had the potential to generate several pseudorandom numbers two or three times more efficient compared to all other techniques. They modified SHA-3 to deal with lattice-based cryptography sampling. In addition, they used certain mathematical tricks to perform pseudorandom sampling, as well as the postprocessing conversion to new distributions, more efficient and faster.
They ran the technique with the help of energy-efficient, tailored hardware that occupies just 9% of the surface area of their chip. Ultimately, this rendered the sampling process more efficient than conventional techniques by two orders of magnitude.
Splitting the Data
Regarding the hardware aspect, the scientists made innovations in the flow of data. Lattice-based cryptography involves processing data in vectors—tables of a few hundred or thousand numbers. In order to store and move those data, it is necessary to use physical memory components that occupy nearly 80% of a circuit’s hardware area.
Conventionally, the data are stored on a single two- or four-port random access memory (RAM) device. Although multiport devices offer the high data throughput essential for encryption schemes, they occupy a great deal of space.
For designing their circuit, the scientists tweaked a method known as “number theoretic transform” (NTT) that works quite similar to the Fourier transform mathematical methods, in which a signal is decomposed into the multiple frequencies by which it is formed. The tweaked NTT splits vector data and distributes portions of it over four single-port RAM devices. It is still possible to access each vector as a whole for sampling as if it were stored on a single multiport device. The advantage is that the four single-port RAM devices take up nearly one-third less total area compared to one multiport device.
We basically modified how the vector is physically mapped in the memory and modified the data flow, so this new mapping can be incorporated into the sampling process. Using these architecture tricks, we reduced the energy consumption and occupied area, while maintaining the desired throughput.
Utsav Banerjee, Graduate Student, Electrical Engineering and Computer Science, MIT.
In addition, the circuit includes a small instruction memory component that can be programmed using tailored instructions to deal with different sampling techniques—for example, specific standard deviations and probability distributions—and different operations and vector sizes. This is specifically helpful since lattice-based cryptography schemes will most probably change a bit in the future.
It is also possible to improve security and efficiency by using adjustable parameters. The complexity of the computation is inversely proportional to the efficiency. In their paper, the scientists have described ways to navigate these tradeoffs using their adjustable parameters. As a next step, they intend to modify the chip to run all the lattice-based cryptography schemes listed in NIST’s second phase.
The study was supported by Texas Instruments and the TSMC University Shuttle Program.