{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,9]],"date-time":"2026-05-09T05:30:39Z","timestamp":1778304639195,"version":"3.51.4"},"reference-count":56,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2025,4,28]],"date-time":"2025-04-28T00:00:00Z","timestamp":1745798400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,4,28]],"date-time":"2025-04-28T00:00:00Z","timestamp":1745798400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Fraunhofer-Institut f\u00fcr Angewandte und Integrierte Sicherheit AISEC"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptogr Eng"],"published-print":{"date-parts":[[2025,6]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>The first generation of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST) is just around the corner. The need for secure implementations is therefore increasing. In this work, we address this need and investigate the integration of lattice-based PQC into an open-source silicon root of trust (RoT), the OpenTitan. RoTs are important security building blocks that need to be future-proofed with PQC. The OpenTitan features multiple cryptographic hardware accelerators and countermeasures against physical attacks, but does not offer dedicated support for lattice-based PQC. Thus, we propose instruction set extensions for the OpenTitan Big Number Accelerator (OTBN) to improve the efficiency of polynomial arithmetic and sampling. As a case study we analyze the performance of signature verification of the digital signature schemes <jats:sc>Dilithium<\/jats:sc> and <jats:sc>Falcon<\/jats:sc>. Our implementation verifies signatures within 911,366 cycles for <jats:sc>Dilithium-II<\/jats:sc> and 759,779 cycles for <jats:sc>Falcon-512<\/jats:sc>, pushing this RoT functionality below 10\u00a0ms for the OpenTitan\u2019s target frequency of 100\u00a0MHz. In case of <jats:sc>Dilithium-II<\/jats:sc>, this can not be achieved without these hardware extensions, even for advanced implementation techniques such as Kronecker+. With an overhead of 437,665.00 kGE, our hardware extensions make up only about 2.93 % of the total RoT area. All our extensions integrate seamlessly with countermeasures against physical attacks which are already available within the OTBN and comply with the adversary model chosen by the OpenTitan project.<\/jats:p>","DOI":"10.1007\/s13389-025-00369-5","type":"journal-article","created":{"date-parts":[[2025,4,28]],"date-time":"2025-04-28T10:23:19Z","timestamp":1745835799000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Extended version: enabling lattice-based post-quantum cryptography on the opentitan platform"],"prefix":"10.1007","volume":"15","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-0058-1107","authenticated-orcid":false,"given":"Tobias","family":"Stelzer","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7822-2880","authenticated-orcid":false,"given":"Felix","family":"Oberhansl","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4171-1656","authenticated-orcid":false,"given":"Jonas","family":"Schupp","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9476-9651","authenticated-orcid":false,"given":"Patrick","family":"Karl","sequence":"additional","affiliation":[]},{"given":"Horia","family":"Turcuman","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,4,28]]},"reference":[{"key":"369_CR1","doi-asserted-by":"publisher","unstructured":"Abdulrahman A, Hwang V, Kannwischer MJ, Sprenkels A.: Faster Kyber and Dilithium on the Cortex-M4. In: Giuseppe A., Daniele V. (Eds.) Applied Cryptography and Network Security - 20th International Conference, ACNS 2022, Rome, Italy, June 20-23, 2022, Proceedings (Lecture Notes in Computer Science), vol.\u00a013269), pp. 853\u2013871. Springer, Cham (2022). https:\/\/doi.org\/10.1007\/978-3-031-09234-3_42","DOI":"10.1007\/978-3-031-09234-3_42"},{"key":"369_CR2","unstructured":"Abdulrahman, A., Oberhansl, F., Pham, H.N., Philipoom, J., Schwabe, P., Stelzer, T., Zankl, A.: Towards ML-KEM & ML-DSA on OpenTitan. Cryptology ePrint Archive, Paper 2024\/1192. (2024) https:\/\/eprint.iacr.org\/2024\/1192"},{"key":"369_CR3","doi-asserted-by":"publisher","unstructured":"Ajtai, M.: Generating hard instances of lattice problems (Extended Abstract). In: Gary\u00a0L. Miller (Ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22\u201324, 1996, pp. 99\u2013108 . ACM (1996).https:\/\/doi.org\/10.1145\/237814.237838","DOI":"10.1145\/237814.237838"},{"key":"369_CR4","doi-asserted-by":"publisher","unstructured":"Albrecht, Martin\u00a0R., Deo, Amit: Large Modulus Ring-LWE $$\\ge $$ Module-LWE. In Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I (Lecture Notes in Computer Science, Vol.\u00a010624), Tsuyoshi Takagi and Thomas Peyrin (Eds.). Springer, 267\u2013296 (2017). https:\/\/doi.org\/10.1007\/978-3-319-70694-8_10","DOI":"10.1007\/978-3-319-70694-8_10"},{"issue":"1","key":"369_CR5","doi-asserted-by":"publisher","first-page":"169","DOI":"10.13154\/TCHES.V2019.I1.169-208","volume":"2019","author":"MR Albrecht","year":"2019","unstructured":"Albrecht, M.R., Hanser, C., H\u00f6ller, A., P\u00f6ppelmann, T., Virdia, F., Wallner, A.: Implementing RLWE-based schemes using an RSA co-processor. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(1), 169\u2013208 (2019). https:\/\/doi.org\/10.13154\/TCHES.V2019.I1.169-208","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR6","doi-asserted-by":"publisher","first-page":"219","DOI":"10.13154\/tches.v2020.i3.219-242","volume":"3","author":"E Alkim","year":"2020","unstructured":"Alkim, E., Evkan, H., Lahr, N., Niederhagen, R., Petri, R.: ISA extensions for finite field arithmetic accelerating Kyber and NewHope on RISC-V. IACR Trans. Cryptogr. Hardw. Embed. Syst. 3, 219\u2013242 (2020). https:\/\/doi.org\/10.13154\/tches.v2020.i3.219-242","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR7","unstructured":"ANSSI.: ANSSI views on the Post-Quantum Cryptography transition. (2022). https:\/\/www.ssi.gouv.fr\/en\/publication\/anssi-views-on-the-post-quantum-cryptography-transition\/"},{"key":"369_CR8","doi-asserted-by":"publisher","first-page":"17","DOI":"10.13154\/tches.v2019.i4.17-61","volume":"4","author":"U Banerjee","year":"2019","unstructured":"Banerjee, U., Ukyab, T.S., Chandrakasan, A.P.: Sapphire: a configurable crypto-processor for post-quantum lattice-based protocols. IACR Trans. Cryptogr. Hardw. Embed. Syst. 4, 17\u201361 (2019). https:\/\/doi.org\/10.13154\/tches.v2019.i4.17-61","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR9","doi-asserted-by":"crossref","unstructured":"Beckwith, L., Nguyen, D.T., Gaj, K.: High-performance hardware implementation of lattice-based digital signatures. IACR Cryptol. ePrint Arch. (2022). https:\/\/eprint.iacr.org\/2022\/217","DOI":"10.1109\/ICFPT52863.2021.9609917"},{"key":"369_CR10","unstructured":"Bernstein, D.J., H\u00fclsing, A., K\u00f6lbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS + Signature Framework. IACR Cryptol. ePrint Arch. 1086. (2019) https:\/\/eprint.iacr.org\/2019\/1086"},{"key":"369_CR11","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-642-38348-9_19","volume-title":"Advances in Cryptology - EUROCRYPT 2013","author":"G Bertoni","year":"2013","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) Advances in Cryptology - EUROCRYPT 2013, pp. 313\u2013314. Springer, Berlin Heidelberg (2013)"},{"key":"369_CR12","unstructured":"Bos, J.W., Ducas, L., Kiltz, E., de Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehl\u00e9, D.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. IACR Cryptol. ePrint Arch. 634 (2017). http:\/\/eprint.iacr.org\/2017\/634"},{"key":"369_CR13","unstructured":"Bos, J.W., Renes, J., van Vredendaal, C.: Post-Quantum Cryptography with Contemporary Co-Processors: Beyond Kronecker, Sch\u00f6nhage-Strassen & Nussbaumer. In Kevin R.B. Butler and Kurt T. (Eds.) 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, pp. 3683\u20133697 . USENIX Association (2022). https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/bos"},{"key":"369_CR14","doi-asserted-by":"publisher","first-page":"199","DOI":"10.13154\/tches.v2019.i2.199-224","volume":"2","author":"C Bozzato","year":"2019","unstructured":"Bozzato, C., Focardi, R., Palmarini, F.: Shaping the glitch: optimizing voltage fault injection attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2, 199\u2013224 (2019). https:\/\/doi.org\/10.13154\/tches.v2019.i2.199-224","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR15","unstructured":"BSI: Technische Richtlinie: Kryptographische Verfahren: Empfehlungen und Schluessellaengen. (2022) https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/TechnischeRichtlinien\/TR02102\/BSI-TR-02102.pdf?__blob=publicationFile"},{"issue":"90","key":"369_CR16","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1090\/S0025-5718-1965-0178586-1","volume":"19","author":"JW Cooley","year":"1965","unstructured":"Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297\u2013301 (1965)","journal-title":"Math. Comput."},{"issue":"2","key":"369_CR17","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1109\/TC.2022.3222954","volume":"72","author":"VB Dang","year":"2023","unstructured":"Dang, V.B., Mohajerani, K., Gaj, K.: High-Speed Hardware Architectures and FPGA Benchmarking of CRYSTALS-Kyber, NTRU, and Saber. IEEE Trans. Comput. 72(2), 306\u2013320 (2023). https:\/\/doi.org\/10.1109\/TC.2022.3222954","journal-title":"IEEE Trans. Comput."},{"key":"369_CR18","doi-asserted-by":"publisher","first-page":"238","DOI":"10.13154\/tches.v2018.i1.238-268","volume":"2018","author":"L Ducas","year":"2018","unstructured":"Ducas, L., Eike, K., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehl\u00e9, D.: CRYSTALS-dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018, 238\u2013268 (2018). https:\/\/doi.org\/10.13154\/tches.v2018.i1.238-268","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR19","unstructured":"Fouque, P.A., Hoffstein, J., Kirchner, P., Lyubashevsky, V., Pornin, T., Prest, T., Ricosset, T., Seiler, G., Whyte, W., Zhang, Z.: Falcon Fast-Fourier Lattice-based Compact Signatures over NTRU. (2017) https:\/\/falcon-sign.info\/"},{"key":"369_CR20","doi-asserted-by":"publisher","first-page":"414","DOI":"10.46586\/tches.v2022.i1.414-460","volume":"2022","author":"T Fritzmann","year":"2022","unstructured":"Fritzmann, T., Van Beirendonck, M., Roy, D.B., Karl, P., Schamberger, T., Verbauwhede, I., Sigl, G.: Masked accelerators and instruction set extensions for post-quantum cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022, 414\u2013460 (2022). https:\/\/doi.org\/10.46586\/tches.v2022.i1.414-460","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR21","doi-asserted-by":"publisher","unstructured":"Fritzmann, T., Sep\u00falveda, J.: Efficient and Flexible Low-Power NTT for Lattice-Based Cryptography. In IEEE International Symposium on Hardware Oriented Security and Trust, HOST: McLean, VA, USA, May 5\u201310, 2019. pp. 141\u2013150. IEEE (2019). https:\/\/doi.org\/10.1109\/HST.2019.8741027","DOI":"10.1109\/HST.2019.8741027"},{"issue":"4","key":"369_CR22","doi-asserted-by":"publisher","first-page":"239","DOI":"10.13154\/tches.v2020.i4.239-280","volume":"2020","author":"T Fritzmann","year":"2020","unstructured":"Fritzmann, T., Sigl, G., Sep\u00falveda, J.: RISQ-V: tightly coupled RISC-V accelerators for post-quantum cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(4), 239\u2013280 (2020). https:\/\/doi.org\/10.13154\/tches.v2020.i4.239-280","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR23","doi-asserted-by":"crossref","unstructured":"Gentleman, W.M., Sande, G.: Fast Fourier Transforms: for Fun and Profit. In Proceedings of the November 7-10, 1966, fall joint computer conference.pp. 563\u2013578 (1966)","DOI":"10.1145\/1464291.1464352"},{"key":"369_CR24","doi-asserted-by":"publisher","unstructured":"Gonzalez, R., H\u00fclsing, A., Kannwischer, M.J., Kr\u00e4mer, J., Lange, T., St\u00f6ttinger, M., Waitz, E., Wiggers, T., Yang, B.Y.: Verifying Post-Quantum Signatures in 8 kB of RAM. In Cheon J.H. and Tillich, J.P. , (Eds.). Post-Quantum Cryptography\u201412th International Workshop, PQCrypto 2021, Daejeon, South Korea, July 20-22, 2021, Proceedings Lecture Notes in Computer Science, Vol.\u00a012841), pp. 215\u2013233 . Springer, Cham. (2021). https:\/\/doi.org\/10.1007\/978-3-030-81293-5_12","DOI":"10.1007\/978-3-030-81293-5_12"},{"issue":"1","key":"369_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/tches.v2021.i1.1-24","volume":"2021","author":"DO Greconici","year":"2021","unstructured":"Greconici, D.O., Kannwischer, M.J., Sprenkels, A.: Compact dilithium implementations on cortex-M3 and cortex-M4. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(1), 1\u201324 (2021). https:\/\/doi.org\/10.46586\/tches.v2021.i1.1-24","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"issue":"10","key":"369_CR26","doi-asserted-by":"publisher","first-page":"1502","DOI":"10.1016\/J.JSC.2009.05.004","volume":"44","author":"D Harvey","year":"2009","unstructured":"Harvey, D.: Faster polynomial multiplication via multipoint Kronecker substitution. J. Symb. Comput. 44(10), 1502\u20131510 (2009). https:\/\/doi.org\/10.1016\/J.JSC.2009.05.004","journal-title":"J. Symb. Comput."},{"key":"369_CR27","unstructured":"Kannwischer, M.J., Krausz, M. , Petri, R., Yang, S.Y.: pqm4: Benchmarking NIST Additional Post-Quantum Signature Schemes on Microcontrollers. IACR Cryptol. ePrint Arch. 112 (2024). https:\/\/eprint.iacr.org\/2024\/112"},{"key":"369_CR28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3579092","volume":"23","author":"P Karl","year":"2023","unstructured":"Karl, P., Schupp, J., Fritzmann, T., Sigl, G.: Post-quantum signatures on RISC-V with hardware acceleration. ACM Trans. Embed. Comput. Syst. 23, 1\u201323 (2023). https:\/\/doi.org\/10.1145\/3579092","journal-title":"ACM Trans. Embed. Comput. Syst."},{"key":"369_CR29","doi-asserted-by":"crossref","unstructured":"Kronecker, L.: [n.\u00a0d.]. Grundz\u00fcge einer arithmetischen Theorie der algebraische Gr\u00f6ssen. Journal f\u00fcr die reine und angewandte Mathematik (Crelles Journal) 1882 ([n.\u00a0d.]), 1 \u2013 122. https:\/\/api.semanticscholar.org\/CorpusID:201730953","DOI":"10.1515\/crll.1882.92.1"},{"key":"369_CR30","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/978-3-030-97348-3_12","volume-title":"Smart Card Research and Advanced Applications\u201420th International Conference, CARDIS 2021, L\u00fcbeck, Germany, November 11\u201312, 2021, Revised Selected Papers Lecture Notes in Computer Science","author":"G Land","year":"2021","unstructured":"Land, G., Sasdrich, P., G\u00fcneysu, T.: A Hard Crystal\u2014Implementing Dilithium on Reconfigurable Hardware. In: Grosso, V., P\u00f6ppelmann, T. (eds.) Smart Card Research and Advanced Applications\u201420th International Conference, CARDIS 2021, L\u00fcbeck, Germany, November 11\u201312, 2021, Revised Selected Papers Lecture Notes in Computer Science, vol. 13173, pp. 210\u2013230. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-97348-3_12"},{"issue":"3","key":"369_CR31","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1007\/s10623-014-9938-4","volume":"75","author":"A Langlois","year":"2015","unstructured":"Langlois, A., Stehl\u00e9, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565\u2013599 (2015). https:\/\/doi.org\/10.1007\/s10623-014-9938-4","journal-title":"Des. Codes Cryptogr."},{"issue":"2","key":"369_CR32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3643826","volume":"23","author":"L Li","year":"2024","unstructured":"Li, L., Tian, Q., Qin, G., Chen, S., Wang, W.: Compact instruction set extensions for dilithium. ACM Trans. Embed. Comput. Syst. 23(2), 1\u201321 (2024). https:\/\/doi.org\/10.1145\/3643826","journal-title":"ACM Trans. Embed. Comput. Syst."},{"key":"369_CR33","unstructured":"lowRISC. Ibex: An embedded 32 bit RISC-V CPU core. (2018). https:\/\/ibex-core.readthedocs.io\/en\/latest\/"},{"key":"369_CR34","unstructured":"lowRISC.: KMAC HWIP Technical Specification. (2023a). https:\/\/opentitan.org\/book\/hw\/ip\/kmac\/"},{"key":"369_CR35","unstructured":"lowRISC.: OpenTitan. (2023b). https:\/\/opentitan.org\/"},{"key":"369_CR36","unstructured":"lowRISC.: OpenTitan Big Number Accelerator (OTBN) Technical Specification. (2023c). https:\/\/opentitan.org\/book\/hw\/ip\/otbn\/index.html"},{"key":"369_CR37","unstructured":"lowRISC.: OpenTitan Big Number Accelerator (OTBN) Technical Specification - Hardware Interfaces: Security Countermeasures. (2024.) https:\/\/opentitan.org\/book\/hw\/ip\/otbn\/doc\/interfaces.html#security-countermeasures"},{"key":"369_CR38","doi-asserted-by":"publisher","unstructured":"Lyubashevsky, V., Peikert, C., and Regev, O.: On Ideal Lattices and Learning with Errors over Rings. In Gilbert H. (Eds.) Advances in Cryptology\u2014EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco \/ French Riviera, May 30 - June 3, 2010. Proceedings Lecture Notes in Computer Science, Vol.\u00a06110, pp. 1\u201323. Springer, Cham. (2010). https:\/\/doi.org\/10.1007\/978-3-642-13190-5_1","DOI":"10.1007\/978-3-642-13190-5_1"},{"issue":"170","key":"369_CR39","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1090\/S0025-5718-1985-0777282-X","volume":"44","author":"PL Montgomery","year":"1985","unstructured":"Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519\u2013521 (1985)","journal-title":"Math. Comput."},{"key":"369_CR40","doi-asserted-by":"publisher","first-page":"150798","DOI":"10.1109\/ACCESS.2021.3126208","volume":"9","author":"P Nannipieri","year":"2021","unstructured":"Nannipieri, P., Di Matteo, S., Zulberti, L., Albicocchi, F., Saponara, S., Fanucci, L.: A RISC-V post quantum cryptography instruction set extension for number theoretic transform to speed-up CRYSTALS algorithms. IEEE Access 9, 150798\u2013150808 (2021). https:\/\/doi.org\/10.1109\/ACCESS.2021.3126208","journal-title":"IEEE Access"},{"key":"369_CR41","doi-asserted-by":"publisher","unstructured":"NIST.: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (2015). https:\/\/doi.org\/10.6028\/nist.fips.202","DOI":"10.6028\/nist.fips.202"},{"issue":"3","key":"369_CR42","doi-asserted-by":"publisher","first-page":"1506","DOI":"10.1109\/TETC.2021.3073475","volume":"9","author":"T Plantard","year":"2021","unstructured":"Plantard, T.: Efficient word size modular arithmetic. IEEE Trans. Emerg. Top. Comput. 9(3), 1506\u20131518 (2021). https:\/\/doi.org\/10.1109\/TETC.2021.3073475","journal-title":"IEEE Trans. Emerg. Top. Comput."},{"key":"369_CR43","doi-asserted-by":"publisher","unstructured":"P\u00f6ppelmann, T., Oder, T., G\u00fcneysu, T.: High-Performance Ideal Lattice-Based Cryptography on 8-Bit ATxmega Microcontrollers. In Lauter, K.E. and Rodr\u00edguez-Henr\u00edquez, F. (Eds.). Progress in Cryptology\u2014LATINCRYPT 2015\u20144th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23\u201326, 2015, Proceedings Lecture Notes in Computer Science, Vol.\u00a09230). Springer, Cham, pp. 346\u2013365. (2015). https:\/\/doi.org\/10.1007\/978-3-319-22174-8_19","DOI":"10.1007\/978-3-319-22174-8_19"},{"issue":"10","key":"369_CR44","doi-asserted-by":"publisher","first-page":"1778","DOI":"10.1109\/TC.2017.2700795","volume":"66","author":"HK Rawat","year":"2017","unstructured":"Rawat, H.K., Schaumont, P.: Vector instruction set extensions for efficient computation of Keccak. IEEE Trans. Comput. 66(10), 1778\u20131789 (2017). https:\/\/doi.org\/10.1109\/TC.2017.2700795","journal-title":"IEEE Trans. Comput."},{"issue":"6","key":"369_CR45","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1568318.1568324","volume":"56","author":"O Regev","year":"2009","unstructured":"Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1\u201340 (2009). https:\/\/doi.org\/10.1145\/1568318.1568324","journal-title":"J. ACM"},{"key":"369_CR46","unstructured":"Reuse, D.: Nuvoton Develops OpenTitan based Security Chip as Next Gen Security Solution for Chromebooks. (2024). https:\/\/www.design-reuse.com\/news\/56335\/nuvoton-lowrisc-opentitan-security-chip-chromebooks.html"},{"key":"369_CR47","doi-asserted-by":"publisher","unstructured":"Ricci, S., Malina, L., Jedlicka, P., Sm\u00e9kal, D., Hajny, J., C\u00edbik, P., Dzurenda, P., Dobias, P.: Implementing CRYSTALS-Dilithium Signature Scheme on FPGAs. In Reinhardt, D., M\u00fcller, T. (Eds.) ARES 2021: The 16th International Conference on Availability, Reliability and Security, Vienna, Austria, August 17-20, 2021, vol. 1, pp. 1\u201311. ACM (2021). https:\/\/doi.org\/10.1145\/3465481.3465756","DOI":"10.1145\/3465481.3465756"},{"key":"369_CR48","unstructured":"Schmid, M., Amiet, D., Wendler, J., Zbinden,, P., Wei, T.: Falcon Takes Off - A Hardware Implementation of the Falcon Signature Scheme. IACR Cryptol. ePrint Arch. (2023), 1885. https:\/\/eprint.iacr.org\/2023\/1885"},{"issue":"5","key":"369_CR49","doi-asserted-by":"publisher","first-page":"1484","DOI":"10.1137\/S0097539795293172","volume":"26","author":"PW Shor","year":"1997","unstructured":"Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484\u20131509 (1997). https:\/\/doi.org\/10.1137\/S0097539795293172","journal-title":"SIAM J. Comput."},{"key":"369_CR50","doi-asserted-by":"publisher","unstructured":"Soni, D., Basu, K., Nabeel, M., Aaraj, N., Manzano, M., Karri, R., Soni, D., Basu, K., Nabeel, M., Aaraj, N., Manzano, M.: FALCON, pp. 31\u201341. Springer International Publishing, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-57682-0_3","DOI":"10.1007\/978-3-030-57682-0_3"},{"key":"369_CR51","doi-asserted-by":"publisher","unstructured":"Bin Wang, Xiaozhuo Gu, and Yingshan Yang. 2020. Saber on ESP32. In Applied Cryptography and Network Security - 18th International Conference, ACNS 2020, Rome, Italy, October 19-22, 2020, Proceedings, Part I (Lecture Notes in Computer Science, Vol.\u00a012146), Mauro Conti, Jianying Zhou, Emiliano Casalicchio, and Angelo Spognardi (Eds.). Springer, 421\u2013440https:\/\/doi.org\/10.1007\/978-3-030-57808-4_21","DOI":"10.1007\/978-3-030-57808-4_21"},{"issue":"2","key":"369_CR52","doi-asserted-by":"publisher","first-page":"328","DOI":"10.46586\/tches.v2021.i2.328-356","volume":"2021","author":"Y Xing","year":"2021","unstructured":"Xing, Y., Li, S.: A Compact Hardware Implementation of CCA-secure key exchange mechanism CRYSTALS-KYBER on FPGA. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(2), 328\u2013356 (2021). https:\/\/doi.org\/10.46586\/tches.v2021.i2.328-356","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR53","doi-asserted-by":"publisher","unstructured":"Xu, J., Wang, Y., Liu, J., Wang, X.: A General-Purpose Number Theoretic Transform Algorithm for Compact RLWE Cryptoprocessors. In 2020 IEEE 14th International Conference on Anti-counterfeiting, Security, and Identification (ASID), pp. 1\u20135. (2020). https:\/\/doi.org\/10.1109\/ASID50160.2020.9271722","DOI":"10.1109\/ASID50160.2020.9271722"},{"issue":"2","key":"369_CR54","doi-asserted-by":"publisher","first-page":"130","DOI":"10.46586\/TCHES.V2024.I2.130-153","volume":"2024","author":"Z Ye","year":"2024","unstructured":"Ye, Z., Song, R., Zhang, H., Chen, D., Cheung, R.C.C., Huang, K.: A highly-efficient lattice-based post-quantum cryptography processor for IoT applications. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2024(2), 130\u2013153 (2024). https:\/\/doi.org\/10.46586\/TCHES.V2024.I2.130-153","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"369_CR55","doi-asserted-by":"crossref","unstructured":"Yu, X., Sun, X., Zhao, Y., Kuang, H., Han, J.: RVCE-FAL: A RISC-V Scalar-Vector Custom Extension for Faster FALCON Digital Signature. In Design, Automation & Test in Europe Conference & Exhibition, DATE 2024, Valencia, Spain, March 25\u201327, 2024, pp. 1\u20136. IEEE (2024). https:\/\/ieeexplore.ieee.org\/document\/10546713","DOI":"10.23919\/DATE58400.2024.10546713"},{"key":"369_CR56","doi-asserted-by":"crossref","unstructured":"Zhao, Y., Xie, R., Xin, G., Han, J.: A High-Performance Domain-Specific Processor With Matrix Extension of RISC-V for Module-LWE Applications. IEEE Trans.Circuits Syst. I Regul. Pap. 69(7), 2871\u20132884 (2022)","DOI":"10.1109\/TCSI.2022.3162593"}],"container-title":["Journal of Cryptographic Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s13389-025-00369-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s13389-025-00369-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s13389-025-00369-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,20]],"date-time":"2025-06-20T18:03:16Z","timestamp":1750442596000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s13389-025-00369-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,28]]},"references-count":56,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,6]]}},"alternative-id":["369"],"URL":"https:\/\/doi.org\/10.1007\/s13389-025-00369-5","relation":{},"ISSN":["2190-8508","2190-8516"],"issn-type":[{"value":"2190-8508","type":"print"},{"value":"2190-8516","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4,28]]},"assertion":[{"value":"5 August 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 March 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 April 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"11"}}