Efficient FPGA Implementations of LowMC and Picnic

  • Daniel Kales
  • Sebastian Ramacher
  • Christian Rechberger
  • Roman WalchEmail author
  • Mario Werner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12006)


Post-quantum cryptography has received increased attention in recent years, in particular, due to the standardization effort by NIST. One of the second-round candidates in the NIST post-quantum standardization project is Picnic, a post-quantum secure signature scheme based on efficient zero-knowledge proofs of knowledge. In this work, we present the first FPGA implementation of Picnic. We show how to efficiently calculate LowMC, the block cipher used as a one-way function in Picnic, in hardware despite the large number of constants needed during computation. We then combine our LowMC implementation and efficient instantiations of Keccak to build the full Picnic algorithm. Additionally, we conform to recently proposed hardware interfaces for post-quantum schemes to enable easier comparisons with other designs. We provide evaluations of our Picnic implementation for both, the standalone design and a version wrapped with a PCIe interface, and compare them to the state-of-the-art software implementations of Picnic and similar hardware designs. Concretely, signing messages on our FPGA takes 0.25 ms for the L1 security level and 1.24 ms for the L5 security level, beating existing optimized software implementations by a factor of 4.


LowMC FPGA Digital signatures NIST PQC Picnic 



This work was partially supported by the EU’s Horizon 2020 ECSEL Joint Undertaking project SECREDAS under grant agreement Open image in new window 783119, by the European Research Council (ERC) under Horizon 2020 grant agreement Open image in new window 681402, by EU’s Horizon 2020 project Safe-DEED under grant agreement Open image in new window 825225, and by the IoT4CPS project which is partially funded by the “ICT of the Future” Program of the FFG and the BMVIT. D. Kales was supported by iov42 Ltd.


  1. 1.
    Alagic, G., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process (2019).
  2. 2.
    Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). Scholar
  3. 3.
    Albrecht, M.R., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). Scholar
  4. 4.
    Albrecht, M.R., Hanser, C., Höller, A., Pöppelmann, T., Virdia, F., Wallner, A.: Implementing RLWE-based schemes using an RSA co-processor. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(1), 169–208 (2019)Google Scholar
  5. 5.
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). Scholar
  6. 6.
    Amiet, D., Curiger, A., Zbinden, P.: Flexible FPGA-based architectures for curve point multiplication over GF(p). In: DSD, pp. 107–114. IEEE Computer Society (2016)Google Scholar
  7. 7.
    Amiet, D., Curiger, A., Zbinden, P.: FPGA-based accelerator for post-quantum signature scheme SPHINCS-256. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 18–39 (2018)Google Scholar
  8. 8.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013). Scholar
  9. 9.
    Basu, K., Soni, D., Nabeel, M., Karri, R.: NIST post-quantum cryptography-a hardware evaluation study. ePrint 2019, 47 (2019)Google Scholar
  10. 10.
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. ePrint 2013, 404 (2013)Google Scholar
  11. 11.
    Bernstein, D.J., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). Scholar
  12. 12.
    Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS\({}^{\text{+}}\) signature framework. In: CCS, pp. 2129–2146. ACM (2019)Google Scholar
  13. 13.
    Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). Scholar
  14. 14.
    Boneh, D., Eskandarian, S., Fisch, B.: Post-quantum EPID signatures from symmetric primitives. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 251–271. Springer, Cham (2019). Scholar
  15. 15.
    Bouillaguet, C., Derbez, P., Fouque, P.-A.: Automatic search of attacks on round-reduced AES and applications. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 169–187. Springer, Heidelberg (2011). Scholar
  16. 16.
    Boyar, J., Matthews, P., Peralta, R.: Logic minimization techniques with applications to cryptology. J. Cryptol. 26(2), 280–312 (2013)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). Scholar
  18. 18.
    Chailloux, A.: Quantum security of the Fiat-Shamir transform of commit and open protocols. ePrint 2019, 699 (2019)Google Scholar
  19. 19.
    Chase, M., et al.: The picnic signature scheme design document (version 2) (2019).
  20. 20.
    Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM CCS, pp. 1825–1842. ACM (2017)Google Scholar
  21. 21.
    Derler, D., Ramacher, S., Slamanig, D.: Generic double-authentication preventing signatures and a post-quantum instantiation. In: Baek, J., Susilo, W., Kim, J. (eds.) ProvSec 2018. LNCS, vol. 11192, pp. 258–276. Springer, Cham (2018). Scholar
  22. 22.
    Derler, D., Ramacher, S., Slamanig, D.: Post-quantum zero-knowledge proofs for accumulators with applications to ring signatures from symmetric-key primitives. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 419–440. Springer, Cham (2018). Scholar
  23. 23.
    Dinur, I., Kales, D., Promitzer, A., Ramacher, S., Rechberger, C.: Linear equivalence of block ciphers with partial non-linear layers: application to LowMC. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 343–372. Springer, Cham (2019). Scholar
  24. 24.
    Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). Scholar
  25. 25.
    El-Razouk, H., Reyhani-Masoleh, A.: New bit-level serial GF (2\({}^{\text{m }}\)) multiplication using polynomial basis. In: ARITH, pp. 129–136. IEEE (2015)Google Scholar
  26. 26.
    Ferozpuri, A., Farahmand, F., Dang, V., Sharif, M.U., Kaps, J.P., Gaj, K.: Hardware API for Post-Quantum Public Key Cryptosystems (2018).
  27. 27.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  28. 28.
    Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). Scholar
  29. 29.
    Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: USENIX Security Symposium, pp. 1069–1083. USENIX Association (2016)Google Scholar
  30. 30.
    Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and poseidon: new hash functions for zero knowledge proof systems. ePrint 2019, 458 (2019)Google Scholar
  31. 31.
    Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: ACM CCS, pp. 430–443. ACM (2016)Google Scholar
  32. 32.
    Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-Designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015). Scholar
  33. 33.
    Güneysu, T.: Utilizing hard cores of modern FPGA devices for high-performance cryptography. J. Cryptogr. Eng. 1(1), 37–55 (2011)CrossRefGoogle Scholar
  34. 34.
    Howe, J., Oder, T., Krausz, M., Güneysu, T.: Standard lattice-based key encapsulation on embedded devices. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 372–393 (2018)Google Scholar
  35. 35.
    Intel Corporation: Securing the enterprise with intel\(\textregistered \) AES-NI (2010).
  36. 36.
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC, pp. 21–30. ACM (2007)Google Scholar
  37. 37.
    Kales, D., Rechberger, C., Schneider, T., Senker, M., Weinert, C.: Mobile private contact discovery at scale. In: USENIX Security Symposium, pp. 1447–1464. USENIX Association (2019)Google Scholar
  38. 38.
    Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: ACM CCS, pp. 525–537. ACM (2018)Google Scholar
  39. 39.
    LowMC: Official LowMC Github Repository.
  40. 40.
    Mohassel, P., Rindal, P., Rosulek, M.: Fast database joins for secret shared data. ePrint 2019, 518 (2019)Google Scholar
  41. 41.
    Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011). Scholar
  42. 42.
    Naehrig, M., Lauter, K.E., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: CCSW, pp. 113–124. ACM (2011)Google Scholar
  43. 43.
    Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). Scholar
  44. 44.
    Rechberger, C., Soleimany, H., Tiessen, T.: Cryptanalysis of low-data instances of full LowMCv2. IACR Trans. Symmetric Cryptol. 2018(3), 163–181 (2018)Google Scholar
  45. 45.
    Rotaru, D., Smart, N.P., Stam, M.: Modes of operation suitable for computing on encrypted data. IACR Trans. Symmetric Cryptol. 2017(3), 294–324 (2017)Google Scholar
  46. 46.
    Roy, D.B., Mukhopadhyay, D.: Post quantum ECC on FPGA platform. ePrint 2019, 568 (2019)Google Scholar
  47. 47.
    San, I., At, N.: Improving the computational efficiency of modular operations for embedded systems. J. Syst. Archit. Embed. Syst. Des. 60(5), 440–451 (2014)CrossRefGoogle Scholar
  48. 48.
    Sasdrich, P., Güneysu, T.: Implementing curve25519 for side-channel-protected elliptic curve cryptography. TRETS 9(1), 3:1–3:15 (2015)CrossRefGoogle Scholar
  49. 49.
    Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). Scholar
  50. 50.
    Wang, W., Szefer, J., Niederhagen, R.: FPGA-based niederreiter cryptosystem using binary goppa codes. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 77–98. Springer, Cham (2018). Scholar
  51. 51.
    Werner, M., Unterluggauer, T.: Transparent memory encryption and authentication.
  52. 52.
    Werner, M., Unterluggauer, T., Schilling, R., Schaffenrath, D., Mangard, S.: Transparent memory encryption and authentication. In: FPL, pp. 1–6. IEEE (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Daniel Kales
    • 1
  • Sebastian Ramacher
    • 2
  • Christian Rechberger
    • 1
  • Roman Walch
    • 1
    • 3
    Email author
  • Mario Werner
    • 1
  1. 1.Graz University of TechnologyGrazAustria
  2. 2.AIT Austrian Institute of TechnologyViennaAustria
  3. 3.Know-Center GmbHGrazAustria

Personalised recommendations