Introduction to Application
As the world transitions to new cryptographic standards in anticipation of quantum computing, Post-Quantum Cryptography (PQC) has become an essential requirement for securing future communication channels. The Silicom Accelerated Crypto Adapter (SACA), developed in collaboration with Eideticom, offers a flexible, high-performance PQC offloading solution designed to meet the growing demands for quantum-safe encryption. By offloading complex PQC operations, SACA ensures that systems can adapt to emerging cryptographic algorithms, providing long-term security and boosting system efficiency. The SACA solution ensures that CPU systems can benefit from hardware-based acceleration of cryptographic, without relying on any integrated CPU functions and equally not being limited by what a CPU supports or not. The acceleration will boost both Intel, AMD and ARM systems alike.
Leveraging Eideticom's NoLoad® Cryptographic Accelerator, the SACA solution supports the integration of PQC algorithms such as ML-KEM and ML-DSA, which are designed to withstand the potential threats posed by quantum computers. The solution's seamless integration with OpenSSL, NGINX, and Apache ensures that modern applications can securely offload these computationally intensive cryptographic operations without performance degradation.
Use Cases
- Cloud Security: Protecting sensitive data in cloud infrastructures.
- Financial Services: Ensuring secure transactions with PQC during key exchange and data encryption.
- HPC and Research: Enabling quantum-safe cryptography for academic and scientific research.
- Government and Defense: Meeting stringent security requirements with future-proof cryptographic solutions.
Problem Statement
As quantum computers become a real threat to conventional cryptographic systems, organizations must transition to PQC algorithms to secure sensitive data. However, these algorithms are computationally heavy, requiring significant processing power and causing performance bottlenecks, especially in large-scale applications. Traditional cryptographic accelerators, such as Intel's QuickAssist Technology (QAT), offer limited flexibility to adapt to evolving PQC algorithms, resulting in higher maintenance costs and slower updates.
A flexible, scalable solution, not tied to any one CPU vendor, is necessary to accommodate the rapid evolution of PQC standards without compromising performance or security. Focus can be on utilizing CPUs for application task and the CPUs selection can be made based on its ability to execute application tasks, rather than its limited offloading features like Intel's integrated QAT®. Thus reducing overall platform cost while maintaining platform flexibility.
SACA Overview
The Silicom Accelerated Crypto Adapter (SACA) provides a look-aside PCIe solution that offloads computationally intensive PQC cryptographic operations. By leveraging Field Programmable Gate Arrays (FPGAs), the solution offers unparalleled flexibility to integrate custom and emerging cryptographic algorithms, including Post-Quantum Cryptography. The NoLoad® Cryptographic Accelerator enables efficient PQC offloading for algorithms like Module Lattice Based Key Encapsulation Mechanism (ML-KEM) and Module Lattice Based Digital Signature Algorithm (ML-DSA), ensuring future-proof security for systems.
Key Features NoLoad® Cryptographic Accelerator provides
Capabilities (Application Integrations)
- PQC Algorithm Support: Offloads PQC operations such as ML-KEM (512, 768, 1024) and ML-DSA (44, 65, 87).
- Cryptographic Agility: Easily adapt to new cryptographic algorithms as standards evolve, ensuring long-term security. Seamless Integration: Integrates with OpenSSL, NGINX, and Apache, providing out-of-the-box support for a wide range of applications.
- TLS 1.3 Support: Ensures modern secure communication protocols are supported for both traditional and PQC security standards.
- ECDSA/ECDH(E)/RSA : P-256, P-384, P-521 & X25519
- Hybrid PQC X25519MLKEM768 Support
- Key Management w/ Secure Key Import/Export/Rotate
- Side-Channel Resistant
- OpenSSL, NGINX, and Apache integration
- Cryptographic Agility
- True Random Number Generator : NIST SP 800-22/SP 800-90B
Benchmarks
The performance of the Silicom Accelerated Crypto Adapter (SACA) scales with FPGA capacity. Below are the benchmarks for different FPGA models, focusing on PQC offloading performance:
| FPGA MODEL | POC Algorithm | TLS Handshakes per Second (CPS PQC) |
Notes |
| AGF008 | ML-KEM(768) | 290k | Entry-level model, minimal power consumption |
| AGF014 | ML-KEM(768) | 817k | Suitable for general-purpose offloading |
| AGF022 | ML-KEM(768) | 1.4M | Optimized for mid-range workloads |
| AGF027 | ML-KEM(768) | 1.8M | High-performance model |
Performance scaling is approximately linear with FPGA capacity, ensuring flexibility in selecting the optimal configuration, based on workload requirements.
Solution Details
The SACA solution is designed for organizations transitioning to PQC and requires offloading of heavy cryptographic operations. It is engineered to seamlessly integrate into existing infrastructures, providing efficient offloading capabilities and future-proof cryptographic support.
Deliverables
- Host Software:
- Seamless plug-and-play integration with OpenSSL, NGINX, and Apache.
- In-box driver support for Linux.
- Hardware and FPGA:
- ½-height, ½-length PCIe card with Altera Agilex F FPGA PCIe Gen4 x16.(Form factors such as M.2, U.2, and E3.S may be offered)
- Different FPGA models available to suit various computational needs.
- FPGA IP delivered in compiled code format with configuration scripts.
- Management:
- NVMe-MI support for system-level administration, firmware updates, and logging.
- NVMe log pages and administrative support.
- Documentation: Detailed datasheet, integration guide, and installation guide.
Integration Process
- Define algorithmic requirements
- Request FPGA image with suitable algorithm mix
- Install HW card in suitable PCI slot, in a Linux or freeBSD server
- Program accelerator card’s flash with FPGA image containing algorithm mix
- Configure services to utilize accelerator (OpenSSL integration, NGINX, Apache), incl supplied provider plug-in
- Use configuration scripts and tools provided for easy setup. Run management daemon
- Run service and verify functionality
About Eideticom
Eideticom secures and accelerates the data center with scalable solutions for cryptography, compression, and analytics. Our products are deployed world-wide and are securing mission critical infrastructure for customers in Fintech, High Performance Computing, Content Delivery Networks and Big Data. For more information, please visit: www.eideticom.com
*Excerpted from Silicom
