232 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 29, NO.
1, JANUARY 2021
Reliable CRC-Based Error Detection Constructions for Finite Field
Multipliers With Applications in Cryptography
Alvaro Cintas Canto , Mehran Mozaffari-Kermani , and Reza Azarderakhsh
Abstract— Finite-field multiplication has received prominent attention
in the literature with applications in cryptography and error-detecting
codes. For many cryptographic algorithms, this arithmetic operation is
a complex, costly, and time-consuming task that may require millions
of gates. In this work, we propose efficient hardware architectures
based on cyclic redundancy check (CRC) as error-detection schemes
for postquantum cryptography (PQC) with case studies for the Luov
cryptographic algorithm. Luov was submitted for the National Institute
of Standards and Technology (NIST) PQC standardization competition
and was advanced to the second round. The CRC polynomials selected
are in-line with the required error-detection capabilities and with the field
sizes as well. We have developed verification codes through which software
implementations of the proposed schemes are performed to verify the
derivations of the formulations. Additionally, hardware implementations
of the original multipliers with the proposed error-detection schemes
are performed over a Xilinx field-programmable gate array (FPGA),
verifying that the proposed schemes achieve high error coverage with
acceptable overhead.
Index Terms— Cyclic redundancy check (CRC), fault detection,
field-programmable gate array (FPGA), finite-field multiplica-
tion.
I. I NTRODUCTION
Many modern, sensitive applications and systems use finite-field
operations in their schemes, among which finite-field multiplication
has received prominent attention. Finite-field multipliers perform
multiplication modulo, an irreducible polynomial used to define the
finite field. For postquantum cryptography (PQC), the inputs can
be very large, and the finite-field multipliers may require millions
of logic gates. Therefore, it is a complex task to implement such
architectures resilient to natural and malicious faults; consequently,
research has focused on ways to eliminate errors and obtain more
reliability with acceptable overhead [1]–[6]. Moreover, there has been
previous work on countering fault attacks and providing reliability for
PQC. Sarker et al. [7] used error-detection schemes of number theo-
retic transform (NTT) to detect both permanent and transient faults.
Mozaffari-Kermani et al. [8] performed fault detection for stateless
hash-based PQC signatures. Additionally, error-detection hash trees
for stateless hash-based signatures are proposed in [9] to make such
schemes more reliable against natural faults and help protecting them
against malicious faults. In [10], algorithm-oblivious constructions
are proposed through recomputing with swapped ciphertext and
additional authenticated blocks, which can be applied to the Galois
counter mode (GCM) architectures using different finite-field multi-
pliers in G F(2128 ). Several countermeasures based on error-detection
Manuscript received May 13, 2020; revised August 8, 2020 and
September 18, 2020; accepted October 11, 2020. Date of publication
October 26, 2020; date of current version December 29, 2020. This work
was supported by the U.S. National Science Foundation (NSF) under Award
SaTC-1801488. (Corresponding author: Mehran Mozaffari-Kermani.)
Alvaro Cintas Canto and Mehran Mozaffari-Kermani are with the Depart-
ment of Computer Science and Engineering, University of South Florida,
Tampa, FL 33620 USA (e-mail: [email protected]; [email protected]).
Reza Azarderakhsh is with the Department of Computer and Electrical
Engineering and Computer Science and I-SENSE, Florida Atlantic University,
Boca Raton, FL 33431 USA (e-mail: [email protected]).
Digital Object Identifier 10.1109/TVLSI.2020.3031170
1063-8210 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 15,2021 at 08:28:40 UTC from IEEE Xplore. Restrictions apply.
checksum codes and spatial/temporal redundancies for the NTRU
encryption algorithm have been presented in [11].
Our proposed error-detection architectures are adapted to the
Luov cryptographic algorithm [12]; however, they can be applied
to different PQC algorithms that use finite-field multipliers. The
Luov algorithm was submitted for National Institute of Standards
and Technology (NIST) standardization competition [13] and was
advanced to the second round [14]. Cyclic redundancy check (CRC)
error-detection schemes are applied in our proposed hardware con-
structions to make sure that they are overhead-aware with high
error coverage. Our contributions in this brief are summarized as
follows.
1) Error-detection schemes for the finite-field multipliers G F(2m )
with m > 1 used in the Luov cryptographic algorithm are
proposed. These error-detection architectures are based on
CRC-5. Additionally, we explore and study both primitive and
standardized generator polynomials for CRC-5, comparing their
complexity.
2) We derive new formulations for the error-detection schemes
of Luov’s algorithm, performing software implementations for
the sake of verifications. We note that such derivation covers
a wide range of applications and security levels. Nevertheless,
the presented schemes are not confined to these case studies.
3) The proposed error-detection architectures are embedded into
the original finite-field multipliers. We perform the implemen-
tations using Xilinx field-programmable gate array (FPGA)
family Kintex Ultrascale+ for device xcku5p-ffvd900-1-i to
confirm that the schemes are overhead-aware and that they
provide high error coverage.
II. P RELIMINARIES
There are five popular PQC algorithm classes: code-based,
hash-based, isogeny-based, lattice-based, and multivariate-quadratic-
equation-based cryptosystems [15]. Code-based cryptography differs
from others in that its security relies on the hardness of decoding
in a linear error-correcting code. Hash-based cryptography creates
signature algorithms based on the security of a selected cryptographic
hash function. The security of isogeny-based cryptography is based
on the hard problem to find an isogeny between two given supersingu-
lar elliptic curves. Lattice-based cryptography is capable of creating
a public-key cryptosystem based on lattices. Lastly, the security of
multivariate-quadratic-equation-based cryptography depends on the
difficulty of solving a system of multivariate polynomials over a finite
field. Such cryptographic schemes use large field sizes to provide the
needed security levels.
Luov is a multivariate public key cryptosystem and an adaptation of
the unbalanced oil and vinegar (UOV) signature scheme, but there is
a restriction on the coefficients of the public key. Instead, the scheme
uses two finite fields: one is the binary field of two elements, whereas
the other is its extension of degree m. F2 is the binary field and F2m
is its extension of degree m. The central map F: F n2m → F o2m is a
quadratic map, where o and v satisfy n = o + v, αi, j,k , βi,k and γk
IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 29, NO. 1, JANUARY 2021
Fig. 1. Finite-field multiplier with the proposed error-detection schemes based on CRC.
are chosen from the base  field F2 , and whose components
 f1, . . . , fo
are in the form f k(x) = vi=1 nj =i αi, j,k xi x j + ni=1 βi,k xi + γk .
These finite-field multiplications are very complex and require
large-area footprint. Therefore, it is a complex task to implement
such architectures resilient to natural and malicious faults. The aim
of this work is to provide countermeasures against natural faults and
fault injections for the finite-field multipliers used in cryptosystems
such as the Luov algorithm as a case study, noting that the proposed
error-detection schemes can be adapted to other applications and
cryptographic algorithms whose building blocks need finite-field
multiplications. Readers who are interested in knowing more details
about the Luov’s cryptographic algorithm are encouraged to refer
to [12].
III. P ROPOSED FAULT-D ETECTION A RCHITECTURES
The multiplication of any two elements A and B of G F(2m ),
following
m−1 the approach in [16], can be presented as A · B mod f (x) =
b · ((Aα i ) mod f (x)) = m−1 b · X (i) , where the set of
i=0 i i=0 i
α i ’s is the polynomial basis of element A, the set of bi ’s is the B
coefficients, f (x) is the field polynomial, X (i) = α·X (i−1) mod f (x),
and X (0) = A. To perform finite-field multiplication, three different
modules are needed: sum, α, and pass-thru modules. The sum module
adds two elements in G F(2m ) using m two-input XOR gates, the α
module multiplies an element of G F(2m ) by α and then reduces
the result modulo f (x), and lastly, the pass-thru module multiplies a
G F(2m ) element by a G F(2) element. One finite-field multiplication
uses a total of m − 1 sum modules, m − 1 α modules, and m
pass-thru modules to get the output. Fault injection can occur in any
of these modules, and formulations for parity signatures in G F(2m )
are derived in [16]. Parity signatures provide an error flag (EF) on
each module. The major drawback of parity signatures is that their
error coverage is approximately 50%, that is, if the number of faults is
even, the approach would not be able to detect the faults. This highly
predictable countermeasure can be circumvented by intelligent fault
injection.
In this work, our aim is the derivation of error-detection schemes
that provide a broader and higher error coverage than parity
signatures and explore the application of such schemes to the
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 15,2021 at 08:28:40 UTC from IEEE Xplore. Restrictions apply.
233
Luov algorithm. Thus, we derive and apply CRC signatures [17] to
the finite-field multipliers used in Luov algorithm. This would be a
step forward toward detecting natural and malicious intelligent faults,
especially and as discussed in this brief, considering both primitive
and standardized CRCs with different fault multiplicity coverage.
CRC was first proposed in 1961 and it is based on the theory of cyclic
error-correcting codes. To implement CRC, a generator polynomial
g(x) is required. The message becomes as the dividend, the quotient
is discarded, and the remainder produces the result. In CRC, a fixed
number of check bits are appended to the data and these check bits
are inspected when the output is received to detect any errors.
The entire finite-field multiplier with our error-detection schemes
is shown in Fig. 1, where actual CRC (ACRC) and predicted
CRC (PCRC) stand for ACRC signatures and PCRC signatures,
respectively. In Fig. 1, only one EF is shown for clarity; however,
for CRC-5, which is the case study proposed in this brief, 5 EFs are
computed on each module. In Fig. 2, the α module is shown more
in-depth to clarify how the proposed CRC signatures work in each
finite-field multiplier.
For the sum and pass-thru modules, it follows the approach as for
parity signatures described in [16]. For the sum module in CRC-1,
p̂x is equal to the sum of the parity bits of the input elements A
and B in G F(2m ), p̂ X = p A + p B . Furthermore, for the pass-thru
module in CRC-1, p̂ X = b · p A , where b is an element in G F(2). For
any other CRC-n scheme, instead of summing all the bits, it checks
n bits at a time in the sum and pass-thru modules. For the α module,
we have
A(x) · x = am−1 · x m + am−2 · x m−1 + · · · + a0 · x (1)
for which a set of derivations is needed to implement CRC-n into
it. In Table I, the generator polynomials used to derive the CRC-5
signatures are shown. The generator polynomial g0 (x) is one of
the standards used for radio frequency identification [18]. The other
three generator polynomials g1 (x), g2 (x), and g3 (x) are primitive
polynomials. The benefit of using a primitive polynomial as the
generator that the resulting code has full total block length, which
means that all 1-bit errors within that block length have separate
234 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 29, NO. 1, JANUARY 2021
S TANDARDIZED (S TAND .) AND P RIMITIVE (P RIM .) G ENERATOR P OLYNOMIALS AND T HEIR C ORRESPONDING CRC S IGNATURES
remainders. Moreover, since the remainder is a linear function of the
block, all 2-bit errors within that block length can be identified.
For the α module of the Luov’s finite-field multipliers, g0 (x) =
x 5 + x 3 + 1 is used as the standardized generator polynomial for
CRC-5. To find its CRC signatures, this fixed polynomial is used as
follows:
x 5 ≡ x 3 + 1 mod g0 (x)
x 6 ≡ x 4 + x mod g0 (x)
x 7 ≡ x 5 + x 2 ≡ x 3 + x 2 + 1 mod g0 (x)
..
.
x 15 ≡ x 2 + 1 mod g0 (x).
According to (1), we obtain A(x) · x = a15 · x 16 + a14 · x 15 +
· · · + a1 · x 2 + a0 · x. Then, applying the irreducible polynomial
f (x) = x 16 + x 12 + x 3 + x + 1, one obtains
A(x) · x ≡ a15 x 12 + a15 x 3 + a15 x + a15 + a14 x 15
+ a13 x 14 + a12 x 13 + a11 x 12 + a10 x 11 + a9 x 10
+ a8 x 9 + a7 x 8 + a6 x 7 + a5 x 6 + a4 x 5 + a3 x 4
+ a2 x 3 + a1 x 2 + a1 x mod f (x).
To calculate the PCRC-5 for G F(216 ) in the α module
(PC RC516 ), the generator polynomial is applied as
A(x) · x ≡ a15 (x 4 + x 3 + x 2 + x) + a15 x 3 + a15 x + a15
+ a14 (x 2 + x) + a13 (x + 1) + a12 (x 4 + x 2 + 1)
+ a11 (x 4 + x 3 + x 2 + x) + a10 (x 3 + x 2 + x + 1)
+ a9 (x 4 + x + 1) + a8 (x 4 + x 3 + x 2 + 1)
+ a7 (x 4 + x 3 + x) + a6 (x 3 + x 2 + 1) + a5 (x 4 + x)
+ a4 (x 3 + 1) + a3 x 4 + a2 x 3 + a1 x 2 + a0 x mod g0 (x)
or
PCRC516 = (a15 + a12 + a11 + a9 + a8 + a7 + a5 + a3 )x 4
+ (a12 + a11 + a9 + a8 + a7 + a6 + a4 + a2 )x 3
+ (a15 + a14 + a12 + a11 + a10 + a8 + a6 + a1 )x 2
+ (a14 + a13 + a11 + a10 + a9 + a7 + a5 + a0 )x
+ (a15 + a13 + a12 + a10 + a9 + a8 + a6 + a4 ). (4)
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 15,2021 at 08:28:40 UTC from IEEE Xplore. Restrictions apply.
TABLE I
To calculate the ACRC-5 for G F(216 ) in the α module
(AC RC516 ), we rename the coefficients of (3): a14 as γ15 , . . ., a0
as γ1 :
A(x) · x ≡ γ15 x 15 + γ14 x 14 + γ13 x 13 + γ12 x 12
+ γ11 x 11 + γ10 x 10 + γ9 x 9 + γ8 x 8 + γ7 x 7
+ γ6 x 6 + γ5 x 5 + γ4 x 4 + γ3 x 3 + γ2 x 2 + γ1 x 1
+ γ0 mod g0 (x) (5)
and the generator polynomial is applied as follows:
A(x) · x ≡ γ15 (x 2 + x) + γ14 (x + 1) + γ13 (x 4 + x 2 + 1)
(2) + γ12 (x 4 + x 3 + x 2 + x) + γ11 (x 3 + x 2 + x + 1)
+ γ10 (x 4 + x + 1) + γ9 (x 4 + x 3 + x 2 + 1)
+ γ8 (x 4 + x 3 + x) + γ7 (x 3 + x 2 + 1) + γ6 (x 4 + x)
+ γ5 (x 3 + 1) + γ4 x 4 + γ3 x 3 + γ2 x 2
+ γ1 x 1 + γ0 mod g0 (x)
or
ACRC516 = (γ13 + γ12 + γ10 + γ9 + γ8 + γ6 + γ4 )x 4
(3) + (γ13 + γ12 + γ11 + γ9 + γ8 + γ7 + γ5 + γ3 )x 3
+ (γ15 + γ13 + γ12 + γ11 + γ9 + γ7 + γ2 )
· x 2 + (γ15 + γ14 + γ12 + γ11 + γ10 + γ8 + γ6 + γ1 )
· x + (γ14 + γ13 + γ11 + γ10 + γ9 + γ7 + γ5 + γ0 ).
(6)
The predicted output and the actual output are divided into five
parity groups as shown in (4) and (6), respectively. These parity
groups are XORed with each other to determine if there has been
any fault, for example, flip of bits, during the α module opera-
tion. In total, each α module outputs five EFs. Fig. 2 shows the
implementation of the α module with the proposed error-detection
schemes. A(x) is the input with the form p(x) = am−1 x m−1 +
· · · + a1 x + a0 , which goes to two different modules that run in
parallel. In the α module, (1) takes place. The output from the α
module is divided into five groups in the ACRC module, which
are denoted as xa1 –xa5 in Fig. 2. Meanwhile, A(x) is also being
divided into five groups in the PCRC module, which are denoted as
x 1p –x 5p . Once the two CRC modules are done, each group is XORed
IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 29, NO. 1, JANUARY 2021
TABLE II
OVERHEADS OF THE P ROPOSED E RROR -D ETECTION S CHEMES FOR THE F INITE -F IELD M ULTIPLIERS U SED IN THE L UOV A LGORITHM D URING THE
P OLYNOMIAL G ENERATION ON X ILINX FPGA FAMILY K INTEX U LTRASCALE+ FOR D EVICE XCKU 5 P - FFVD 900-1- I
Fig. 2. Proposed error-detection constructions for α module.
with its respective one to produce five EFs, which are represented
as E F1 –E F5 . As an example, to obtain E F1 , x 1p (or a15 + a13 +
a12 + a10 + a9 + a8 + a6 + a4 for g0 (x)) is XORed with xa1 (or
γ14 + γ13 + γ11 + γ10 + γ9 + γ7 + γ5 + γ0 for g0 (x)), which are
calculated in (4) and (6), respectively. For our case study, the outputs
are divided into five groups since we use CRC-5; however, if any
other CRC-n is used, there will be n EFs and the actual and predicted
outputs will be divided into n groups. In Table I, the CRC signatures
for the different primitive polynomials are shown. We note that the
choice of the utilized CRC can be tailored based on the reliability
requirements and the overhead to be tolerated. In other words, for
applications such as game consoles in which performance is critical
(and power consumption is not because these are plugged in), one
can increase the size of CRC. However, for deeply embedded systems
such as implantable and wearable medical devices, smaller CRC is
preferred.
IV. E RROR C OVERAGE AND FPGA I MPLEMENTATIONS
Finite-field multiplication is a costly operation and requires large
footprint. We implement Luov polynomial generation to show that the
proposed error-detection schemes provide high error coverage with
acceptable overhead. Such implementation produces a polynomial
p(x) = am−1 x m−1 +· · ·+a1 x +a0 , which requires m −1 finite-field
multiplications and m−1 XOR operations. As pointed out before, each
finite-field multiplication uses three different modules called α, sum,
and pass − thr u modules. A total of m − 1 α modules, m − 1 sum
modules, and m pass − thr u modules are needed to perform each
finite-field multiplication. Moreover, a total of m−1 sum modules are
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 15,2021 at 08:28:40 UTC from IEEE Xplore. Restrictions apply.
235
needed to perform an XOR operation. For each architecture, the error
coverage is calculated as 100 · (1 − (1/2)sign )%, where sign denotes
the number of signatures.
Luov uses the finite-field G F(216 ), or m = 16. Implementing
its polynomials in the form of p(x) = a15 x 15 + · · · + a1 x + a0
requires 14 finite-field multiplications and 15 XOR operations. Since
each finite-field multiplication uses m − 1 α modules, m − 1 sum
modules, and m pass−thr u modules, 14×15 α modules, 14×15 sum
modules, and 14 × 16 pass − thr u modules are needed. Moreover,
a total of 14multiplications · (15α + 15sum + 16pass-thru ) + 15XOR or
659 signatures are implemented. The error coverage percentage for
the generation of Luov’s polynomial using the finite-field G F(216 )
is 100 · (1 − (1/2)659 )%. In Table II, we present the overhead
of our error-detection architectures in terms of area-configurable
logic blocks (CLBs), delay, power consumption (at the frequency
of 50 MHz), throughput, and efficiency for the generation of poly-
nomial p(x), where p(x) = am−1 x m−1 + · · · + a1 x + a0 .
We utilize Xilinx FPGA family Kintex Ultrascale+ for device
xcku5p-ffvd900-1-i, using Verilog as the hardware design entry and
Vivado as the tool for the implementations. As shown in Table II,
when CRC signatures are applied to the original architecture, with
higher error coverage, they end up having higher overhead in terms
of area, delay, and power, and lower overhead in terms of throughput
and efficiency. CLBs, which are the main resources for implementing
general-purpose combinational and sequential circuits, are read in the
Vivado’s place utilization report to obtain the area. To determine the
delay, we use the Timing Constraints Wizard function in Vivado,
setting a primary clock period constraint of 20 ns, which equals to
a frequency of 50 MHz. We also report the total on-chip power,
which is the power consumed internally within the FPGA and it is
obtained by adding device static power and design power. Throughput
is obtained by dividing the total number of output bits over the delay
and efficiency is obtained by dividing throughput over area. As seen
in this table, acceptable overheads are obtained with efficiency degra-
dations of at most 19%. The error-detection architecture that uses the
primitive generator polynomial g2 (x) has the least amount of area
overhead with 9.17%; however, the error-detection implementation
using g0 (x), or the standardized generator polynomial for CRC-5,
performs the fastest, obtaining the least amount of delay overhead
with 3.71%.
There has not been any prior work done on this type of
error-detection methods for the Luov’s finite-field multipliers to the
best of our knowledge. For qualitative comparison to verify that the
overheads incurred are acceptable, let us go over some case studies.
Subramanian et al. [19] presented a signature-based fault diagnosis
for cryptographic block Ciphers LED and HIGHT, obtaining a
combined area and delay overhead of 21.9% and 31.9% for LED
and HIGHT, respectively. Additionally, Mozaffari-Kermani et al. [6]
have presented the fault diagnosis of Pomaranch cipher, obtaining
a combined area and throughput overhead of 35.5%. The proposed
schemes in this brief have combined area and delay overheads of
less than 32% (worst case scenario). In [7], the worst case area
236 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 29, NO. 1, JANUARY 2021
overhead obtained by applying error-detection schemes of NTT
architectures is 24%. The worst case area overhead of [8] and [9]
is more than 33% with a performance degradation of more than 14%
when fault-detection architectures are applied to stateless hash-based
signatures. These and similar prior works on classical cryptography
verify that the proposed error-detection architectures obtain similar
overheads compared to other works on fault detection, achieving an
acceptable overhead. These degradations are acceptable for providing
error detection to the original architectures which lack such capability
to thwart natural or malicious faults.
V. C ONCLUSION
In this work, we have derived error-detection schemes for the
finite-field multipliers used in postquantum cryptographic algorithms
such as Luov, noting that the proposed error-detection schemes can
be adapted to other applications and cryptographic algorithms whose
building blocks need finite-field multiplications. The error-detection
architectures proposed in this work are based on CRC-5 signatures
and we have performed software implementations for the sake of
verification. Additionally, we have explored and studied both prim-
itive and standardized generator polynomials for CRC-5, comparing
the complexity for each of them. We have embedded the proposed
error-detection schemes into the original finite-field multipliers of
the Luov’s algorithm, obtaining high error coverage with acceptable
overhead.
R EFERENCES
[1] J. L. Danger et al., “On the performance and security of multiplication
in G F(2 N ),” Cryptography, vol. 2, no. 3, pp. 25–46, 2018.
[2] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “Reliable hardware
architectures for the third-round SHA-3 finalist Grostl benchmarked on
FPGA platform,” in Proc. DFT, Oct. 2011, pp. 325–331.
[3] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A low-cost
S-box for the advanced encryption standard using normal basis,”
in Proc. IEEE Int. Conf. Electro/Inf. Technol., Jun. 2009, pp. 52–55.
[4] M. Yasin, B. Mazumdar, S. S. Ali, and O. Sinanoglu, “Security analysis
of logic encryption against the most effective side-channel attack: DPA,”
in Proc. IEEE Int. Symp. Defect Fault Tolerance VLSI Nanotechnol. Syst.
(DFTS), Oct. 2015, pp. 97–102.
[5] M Mozaffari-Kermani, R. Azarderakhsh, A. Sarker, and A. Jalali,
“Efficient and reliable error detection architectures of hash-counter-hash
tweakable enciphering schemes,” ACM Trans. Embedded Comput. Syst.,
vol. 17, no. 2, pp. 54:1–54:19, May 2018.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 15,2021 at 08:28:40 UTC from IEEE Xplore. Restrictions apply.
[6] M. Mozaffari-Kermani, R. Azarderakhsh, and A. Aghaie, “Reliable
and error detection architectures of Pomaranch for false-alarm-sensitive
cryptographic applications,” IEEE Trans. Very Large Scale Integr. (VLSI)
Syst., vol. 23, no. 12, pp. 2804–2812, Dec. 2015.
[7] A. Sarker, M. Mozaffari-Kermani, and R. Azarderakhsh, “Hardware
constructions for error detection of number-theoretic transform utilized
in secure cryptographic architectures,” IEEE Trans. Very Large Scale
Integr. (VLSI) Syst., vol. 27, no. 3, pp. 738–741, Mar. 2019.
[8] M. Mozaffari-Kermani, R. Azarderakhsh, and A. Aghaie, “Fault detec-
tion architectures for post-quantum cryptographic stateless hash-based
secure signatures benchmarked on ASIC,” ACM Trans. Embedded Com-
put. Syst., vol. 16, no. 2, pp. 59:1–59:19, Dec. 2016.
[9] M. Mozaffari-Kermani and R. Azarderakhsh, “Reliable hash trees for
post-quantum stateless cryptographic hash-based signatures,” in Proc.
IEEE Int. Symp. Defect Fault Tolerance VLSI Nanotechnol. Syst. (DFTS),
Oct. 2015, pp. 103–108.
[10] M. M. Kermani and R. Azarderakhsh, “Reliable architecture-oblivious
error detection schemes for secure cryptographic GCM structures,” IEEE
Trans. Rel., vol. 68, no. 4, pp. 1347–1355, Dec. 2019.
[11] A. A. Kamal and A. M. Youssef, “Strengthening hardware implemen-
tations of NTRUEncrypt against fault analysis attacks,” J. Cryptograph.
Eng., vol. 3, no. 4, pp. 227–240, Nov. 2013.
[12] A. Kipnis, J. Patarin, and L. Goubin, “Unbalanced oil and vinegar
signature schemes,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn.
Berlin, Germany: Springer, 1999, pp. 206–222.
[13] D. Moody, “Post-quantum cryptography: NIST’s plan for the future,”
Tech. Rep., Feb. 2016. [Online]. Available: https://csrc.nist.gov/csrc/
media/projects/post-quantum-cryptography/documents/pqcrypto-2016-
presentation.pdf
[14] D. Moody, “Post-quantum cryptography: Round 2 submissions,”
Tech. Rep., Mar. 2019. [Online]. Available: https://csrc.nist.gov/CSRC/
media/Presentations/Round-2-of-the-NIST-PQC-Competition-What-
was-NIST/images-media/pqcrypto-may2019-moody.pdf
[15] D. J. Bernstein, “Post-quantum cryptography,” in Encyclopedia of Cryp-
tography and Security, H. C. A. van Tilborg and S. Jajodia, Eds. Boston,
MA, USA: Springer, 2011, pp. 949–950, doi: 10.1007/978-1-4419-5906-
5_386.
[16] A. Reyhani-Masoleh and M. A. Hasan, “Error detection in polynomial
basis multipliers over binary extension fields,” in Proc. CHES, 2002,
pp. 515–528.
[17] EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF
RFID Protocol for Communications at 860 MHz 960 MHz, EPC Global,
Brussels, Belgium, Version 1.0.23, 2008.
[18] T. V. Ramabadran and S. S. Gaitonde, “A tutorial on CRC computations,”
IEEE Micro, vol. 8, no. 4, pp. 62–75, Aug. 1988.
[19] S. Subramanian, M. Mozaffari-Kermani, R. Azarderakhsh, and
M. Nojoumian, “Reliable hardware architectures for cryptographic
block ciphers LED and HIGHT,” IEEE Trans. Comput.-Aided
Design Integr. Circuits Syst., vol. 36, no. 10, pp. 1750–1758,
Oct. 2017.