Accelerating Post-Quantum Cryptography: A High-Efficiency NTT for ML-KEM on RISC-V
Abstract
Post-quantum cryptography (PQC) is rapidly being standardized, with key primitives such as Key Encapsulation Mechanisms (KEMs) and Digital Signature Algorithms (DSAs) moving into practical applications. While initial research focused on pure software and pure hardware implementations, attention is shifting toward flexible, high-efficiency solutions suitable for widespread deployment. A system-on-chip (SoC) is a viable option because it can coordinate flexibly between hardware and software. The main drawback of such a system is the time needed to exchange data during computation. Currently, most SoCs are implemented on FPGAs, and there is a lack of SoCs realized on ASICs. This paper introduces a complete RISC-V SoC design on an ASIC for Module Lattice-KEM (ML-KEM). Our system features a RISC-V processor tightly integrated with a high-efficiency Number Theoretic Transform (NTT) accelerator, which leverages custom instructions to speed up cryptographic operations. Our research has achieved the following results: 1) The accelerator provides a speedup of up to 14.51× for NTT and 16.75× for inverse NTT operations compared to other RISC-V platforms; 2) This leads to end-to-end performance improvements for ML-KEM of up to 56.5% for security level I, 50.9% for level III, and 45.4% for level V; 3) The ASIC design is fabricated using a 180 nm CMOS process, with a maximum operating frequency of 118 MHz, an area overhead of 11.18%, and a minimum power consumption of 5.913 μW at 10 kHz and a 0.9 V supply voltage.