Many new encryption techniques seek to resist powerful attacks that could be done using future quantum computers, but these methods often require enormous processing power. Now scientists in Germany have developed a microchip they say can implement such techniques very efficiently that could help make an era of "post-quantum cryptography" a reality.

In theory, quantum computers can rapidly find the answers to problems it might take classical computers eons to solve. For example, much of modern cryptography relies on the extreme difficulty that classical computers face when it comes to mathematical problems such as factoring huge numbers, but quantum computers can run algorithms that can quickly solve these problems.

To stay ahead of quantum computers, researchers around the world are designing post-quantum cryptography algorithms based on new mathematical problems that both quantum and classical computers find difficult to solve. Many of these algorithms rely on so-called lattice-based cryptography, which center around problems based on lattices of multiple points or vectors, explains electrical engineer Georg Sigl at the Technical University of Munich.

In a nutshell, a lattice-based cryptography algorithm usually selects a target point in a lattice on which a secret message depends. The algorithm then adds random noise so this point is close to, but not exactly on, a certain other lattice point. The problem of finding the original target point—and the corresponding secret message—without knowing what noise was added is challenging for both classical and quantum computers, especially when the lattice is extremely large, Sigl explains.

However, lattice-based cryptography algorithms can require a lot of processing power when it comes to operations such as generating randomness and multiplying polynomials. Now Sigl and his colleagues have developed a microchip with tailored accelerators that make it highly efficient at carrying out these steps.

The new chip is based on the open source RISC-V standard. Its hardware components and control software are designed to complement each other to efficiently generate randomness and to reduce the complexity of polynomial multiplication, Sigl explains. Industrial partners on this work include German companies such as Siemens, Infineon Technologies, and Giesecke+Devrient.

All in all, the new chip is roughly 10 times faster when encrypting with Kyber, one of the most promising post-quantum lattice-based cryptography algorithms, when compared to chips based entirely on software solutions, Sigl says. It also uses about eight times less energy. The German team detailed these findings in 2020 in the journal *IACR Transactions on Cryptographic Hardware and Embedded Systems*.

Moreover, the researchers say their microchip is flexible enough to also support SIKE, a different post-quantum algorithm that is not lattice-based and requires much more computing power than Kyber, but is seen as a promising alternative if lattice-based approaches no longer prove secure. They estimated their device could implement SIKE 21 times faster than chips using only software-based encryption, findings they detailed in 2020 in the *Proceedings of the 39th International Conference on Computer-Aided Design*.

"Our post-quantum cryptography accelerators combine flexibility, which is needed to adapt to changes in the standards, with significant speed up and power reduction," Sigl says.

Another potential threat to computer security comes from hardware trojans— malicious circuits deliberately implanted like Trojan horses—which could potentially evade evan post-quantum cryptography. Researchers currently know very little about how real attacks use hardware trojans, Sigl says. So to learn more about them, the researchers included four different hardware trojans on their chip.

"In order to decide if we trust a chip, we need to have the capabilities to verify our assumption in the trustworthiness of any supplier," Sigl says. "Therefore we have to find out how we can check the contents of a hardware component and how we can identify possible malware."

Each of the four test trojans works in an entirely different way. For instance, one could degrade the chip's performance, whereas another could leak data to eavesdroppers. The aim of this research was to develop ways to detect such malware, and they identified three methods to spot these hardware trojans during chip design.. "You have to know both the attacker and the defender side," Sigl says. They detailed these findings in May in the *Proceedings of the 18th ACM International Conference on Computing Frontiers*.

- Waiting for Quantum Computing? Try Probabilistic Computing - IEEE ... ›
- IBM's Quantum Computing Compromise—a Road to Scale? - IEEE ... ›
- The Case Against Quantum Computing - IEEE Spectrum ›
- Codebreaking Attacks Preparing for Quantum Computing Are Underway ›

Charles Q. Choi is a science reporter who contributes regularly to *IEEE Spectrum*. He has written for *Scientific American*, *The New York Times*, *Wired*, and *Science*, among others.