Novel cryptography needs novel hardware.
And novel hardware architectures are well-suited to cryptography.
In 2021, I founded Radical Semiconductor, a startup developing novel processing-in-memory (PIM) chips for quantum-safe cryptography. Earlier this year, we were acquired by BTQ Technologies. Today, I’m really excited to announce that I’m going to be joining BTQ as an advisor to help bring our ultra-efficient architecture to market. I think that cryptography is one of the best places to deploy novel chip architectures like processing-in-memory, and the transition from classical to quantum-safe cryptography is the best time to do so.
One of the biggest challenges that emerging AI chip architectures face is balancing reconfigurability and performance. In an ideal world, a new chip would be able to offer great performance on LLMs, vision transformers, state-space models, diffusion models, and any new network architectures people invent in the future. Some startups are eschewing reconfigurability to hyperfocus on one kind of model, but this is a massive risk for a company to take. If their chip only supports one model, and that model falls out of favor in the future, that could bring down the entire company.
At the same time, there are startups developing AI chips based on novel hardware technologies, like PIM. PIM chips offer major performance and compute density gains, but their fixed structure makes certain functions, like floating point math, difficult. Building a chip that can leverage all of the technical advantages of PIM technology while still supporting every important model is a major challenge, especially as models keep evolving.
Cryptographic algorithms don’t have this problem. Cryptography is incredibly important -- perhaps even more important than AI -- and clearly benefits from novel chip architectures, but it doesn’t require architects to hit a moving target. As a matter of fact, cryptographic algorithms are standardized; they only change every few years, rather than every few months. This means that cryptography is a great place to deploy novel, ultra-efficient hardware, deliver meaningful value to real-world customers, and build a more secure world.
Processing-in-Memory for Quantum-Safe Cryptography
From a mathematical perspective, quantum-safe cryptography is fairly different from classical schemes like RSA and ECC.1 Those classical algorithms rely on the hardness of number-theoretic problems over extremely large integers, so hardware designed to accelerate them is built to operate efficiently on wide integers -- 2048 to 4096 bits in the case of RSA. In contrast, the lattice-based quantum-safe algorithms FIPS 203 (ML-KEM, derived from Kyber) and FIPS 204 (ML-DSA, derived from Dilithium) operate on polynomials. Each polynomial has 256 coefficients, but the coefficients themselves are small: they are integers modulo q = 3329 (12 bits) for Kyber and modulo q = 8380417 (23 bits) for Dilithium.
So, to run a quantum-safe cryptographic algorithm, we need to perform a very large number of multiply-and-accumulate operations on small integers. That is structurally similar to the integer matrix multiplications at the heart of AI chips, which is why processing-in-memory, an architecture originally developed for AI accelerators, is such a great fit for quantum-safe cryptography. Radical Semiconductor and BTQ have been developing quantum-safe processing-in-memory technologies independently for years, and now we’re combining Radical’s ultra-efficient quantum-safe architecture with BTQ’s deep technology portfolio to commercialize the most efficient architecture for quantum-safe cryptography.
There is one major difference between quantum-safe cryptography accelerators and AI accelerators, though. AI chips need to multiply large matrices, but quantum-safe cryptography chips need to multiply polynomials modulo x^256 + 1 and modulo q. In practice, this is done with the number theoretic transform, or NTT, the finite-field analogue of the FFT: a forward NTT maps each polynomial to a vector of residues, the two vectors are multiplied elementwise, and an inverse NTT maps the product back. That turns an O(n^2) schoolbook multiplication into O(n log n) work with a very regular butterfly dataflow. What makes Radical and BTQ’s architecture so unique is how we efficiently compute the NTT in-memory.
Efficiently mapping an NTT to a PIM architecture is no small task. But because algorithms like Kyber and Dilithium are standardized, it means that we only need to optimize the NTT once2, and then we have an amazing product that we can deploy at scale for practical use cases. We don’t need to develop intricate graph compilers to map arbitrary PyTorch models to our chip; instead, we can just focus on making incredibly efficient hardware for a small, well-defined set of algorithms.
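As an added worked example (my own software illustration for this post, not Radical’s or BTQ’s code, and a plain reference implementation rather than anything resembling the in-memory mapping): the block below multiplies two polynomials in Z_q[x]/(x^256 + 1) with the NTT using the real ring parameters of ML-KEM (Kyber) and ML-DSA (Dilithium), then checks the result against schoolbook multiplication. It is parameterized on the number of butterfly layers, so the same code runs Kyber’s incomplete 7-layer NTT with its degree-1 base multiplication (the "missing root of unity" of footnote 2) and Dilithium’s complete 8-layer NTT. The butterflies follow the FIPS 203 / FIPS 204 algorithms; the random test polynomials are constructed here.

```python
# Added example for this post (not Radical/BTQ code): polynomial multiplication in
# Z_q[x]/(x^256 + 1) via the number theoretic transform, with the real ring
# parameters of ML-KEM (Kyber, FIPS 203) and ML-DSA (Dilithium, FIPS 204).
# The butterflies follow the spec algorithms; the mapping to hardware is not shown.
import random

N = 256
# zeta is a primitive 2^(layers+1)-th root of unity mod q. 3329 - 1 = 2^8 * 13, so
# Kyber has a 256th root but no 512th root and its NTT stops after 7 layers;
# 8380417 - 1 = 2^13 * 1023, so Dilithium has a 512th root and a complete 8-layer NTT.
KYBER = dict(q=3329, zeta=17, layers=7)
DILITHIUM = dict(q=8380417, zeta=1753, layers=8)


def bitrev(k, bits):
    """Reverse the low `bits` bits of k (BitRev7 in FIPS 203, BitRev8 in FIPS 204)."""
    return int(f"{k:0{bits}b}"[::-1], 2)


def ntt(a, q, zeta, layers):
    """Forward negacyclic NTT (Cooley-Tukey). After `layers` stages the 256
    coefficients form 2^layers blocks of d = 256 >> layers coefficients; block i
    is the residue of a(x) modulo x^d - zeta^(2*bitrev(i, layers) + 1)."""
    w = list(a)
    k, length = 0, N // 2
    for _ in range(layers):
        for start in range(0, N, 2 * length):
            k += 1
            z = pow(zeta, bitrev(k, layers), q)
            for j in range(start, start + length):
                t = z * w[j + length] % q
                w[j + length] = (w[j] - t) % q
                w[j] = (w[j] + t) % q
        length //= 2
    return w


def intt(w, q, zeta, layers):
    """Inverse NTT (Gentleman-Sande), undoing ntt() stage by stage. The twiddle
    read here equals -(forward twiddle)^-1 because zeta^(2^layers) = -1."""
    a = list(w)
    k, length = 1 << layers, N >> layers
    for _ in range(layers):
        for start in range(0, N, 2 * length):
            k -= 1
            z = pow(zeta, bitrev(k, layers), q)
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % q
                a[j + length] = z * (a[j + length] - t) % q
        length *= 2
    f = pow(1 << layers, -1, q)  # each stage doubles the values; undo that
    return [f * x % q for x in a]


def pointwise(fa, fb, q, zeta, layers):
    """Multiply in the NTT domain. For Dilithium each block is a single
    coefficient; for Kyber each block is a degree-1 polynomial that must be
    reduced modulo x^2 - gamma_i (FIPS 203 BaseCaseMultiply)."""
    d = N >> layers
    out = [0] * N
    for i in range(N // d):
        gamma = pow(zeta, 2 * bitrev(i, layers) + 1, q)
        base = i * d
        for s in range(d):
            for t in range(d):
                term = fa[base + s] * fb[base + t]
                if s + t < d:
                    out[base + s + t] = (out[base + s + t] + term) % q
                else:  # x^d wraps around to gamma inside this block
                    out[base + s + t - d] = (out[base + s + t - d] + term * gamma) % q
    return out


def poly_mul_ntt(a, b, q, zeta, layers):
    """a * b mod (x^256 + 1, q): forward NTT both, multiply pointwise, inverse NTT."""
    fa, fb = ntt(a, q, zeta, layers), ntt(b, q, zeta, layers)
    return intt(pointwise(fa, fb, q, zeta, layers), q, zeta, layers)


def poly_mul_schoolbook(a, b, q):
    """O(n^2) reference. x^256 = -1, so degrees >= 256 wrap with a sign flip."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] = (c[i + j] + ai * bj) % q
            else:
                c[i + j - N] = (c[i + j - N] - ai * bj) % q
    return c


def matches_schoolbook(params, seed=1):
    """Multiply two constructed random polynomials both ways; True if they agree."""
    rng = random.Random(seed)
    a = [rng.randrange(params["q"]) for _ in range(N)]
    b = [rng.randrange(params["q"]) for _ in range(N)]
    return poly_mul_ntt(a, b, **params) == poly_mul_schoolbook(a, b, params["q"])


if __name__ == "__main__":
    for name, p in (("Kyber", KYBER), ("Dilithium", DILITHIUM)):
        assert pow(p["zeta"], 1 << p["layers"], p["q"]) == p["q"] - 1  # zeta^(2^layers) = -1
        print(f"{name}: NTT multiplication matches schoolbook: {matches_schoolbook(p)}")
```

The only difference between the two parameter sets is `layers`: with 8 layers the NTT domain is 256 scalars and `pointwise` is a plain elementwise product, with 7 layers it is 128 pairs and each pair needs the small `x^2 - gamma_i` reduction. Everything inside the butterflies is a modular multiply-add on 12- or 23-bit values, which is the regular, small-integer dataflow the text above is describing.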
Not only is PIM great at accelerating quantum-safe algorithms, but quantum-safe algorithms are a great application for PIM because of their standardized nature. And because quantum-safe algorithms are going to start mattering so much soon, this may be the first large-scale application of PIM outside of AI. But why do quantum-safe algorithms matter so much if quantum computing hasn’t arrived yet?
Why Quantum-Safe Matters
“But Zach”, you might be asking, “weren’t you just talking about how quantum computing is super far away? Why does quantum-safe encryption matter now?” Well, even if cryptographically relevant quantum computers are years away, there are two major reasons we should start deploying quantum-safe cryptography hardware as soon as possible: store-now-decrypt-later attacks, and the long lifespan of hardware in the field.
Store Now, Decrypt Later
Store-now, decrypt-later attacks, or SNDL attacks (also called harvest-now, decrypt-later), are fairly self-explanatory. An adversary starts collecting data encrypted with classical cryptographic algorithms, stores that data, and waits. Once they have access to a quantum computer capable of running Shor’s algorithm at scale, which breaks both RSA and ECC, they take all the data they’ve been storing, recover the session keys from the recorded key exchanges, decrypt it, and recover secrets. Note that this is a threat to confidentiality: it’s the key-exchange side (ML-KEM) that has to be migrated first, because recorded traffic can be decrypted later, whereas a classical signature that was verified years ago can’t be retroactively forged.
In practice, an adversary will have limited storage capacity, so this isn’t a huge concern for low-value data; nation-state adversaries won’t be using SNDL attacks on your personal web browsing. But SNDL could be a real vulnerability for high-value encrypted network traffic, like financial data, cryptocurrency transactions, and communications related to national security and defense.
In theory, a motivated attacker could gather and store data for years before cracking it with a quantum computer. In practice, they probably already have. Let’s assume, for the sake of argument, that our nation-state adversary is capable of storing 5 years worth of high-value encrypted data to decrypt once they have access to a quantum computer.
Still, that means we’re only at risk if quantum computers become practical by 2029, right? Well, there’s another major challenge: hardware deployed today might be in the field for a long, long time.
Hardware can have long lifetimes.
When you walk into your local convenience store and pay for something using their beat-up, old credit card reader, you’re trusting your sensitive financial data to hardware that was deployed many years ago. Payment terminals and other IoT devices commonly stay in service for 10 years, which means that a device deployed today might still be in use in 2034. Add the 5 years of stored traffic from the SNDL scenario above, and a quantum computer arriving as late as 2039 could still compromise data sent by devices deployed today.
Usually, it’s easy enough to update a device’s software to support new features, but that isn’t always the case with cryptography. To meet demanding performance, power, and security requirements, devices often rely on hardware-accelerated cryptography. Payment terminals, for example, need reasonably fast cryptography and must also meet strict side-channel requirements (constant timing, and resistance to power and electromagnetic analysis). Meeting both with software alone on the low-power, low-cost microcontrollers inside payment terminals is not realistic: the software is too slow, and keeping it leak-free across compiler and microcontroller variations is hard to guarantee. So they use hardware-accelerated cryptography, and a hardware accelerator can’t be swapped out by a firmware update.
And this problem is exacerbated by quantum-safe cryptography, which is more complex and computationally intensive than its classical counterpart. The best way for device manufacturers to keep their devices secure and future-proof is to equip them with efficient quantum-safe hardware accelerators, like the ones we’ll be developing at BTQ.
1. ECC is technically based on the hardness of elliptic-curve discrete logarithms rather than factoring, though it still requires large integer arithmetic (a few hundred bits per coordinate).
2. Technically, twice: Kyber’s modulus q = 3329 has a primitive 256th root of unity but no 512th root, so its NTT stops one layer early (an "incomplete" NTT whose outputs are 128 degree-1 polynomials rather than 256 single coefficients, multiplied with a small base-case routine), while Dilithium’s q = 8380417 has a primitive 512th root of unity and uses a complete NTT.