Leveraging Eideticom’s NoLoad® Cryptographic Accelerator, the SACA solution supports the integration of PQC algorithms such as ML-KEM and ML-DSA, which are designed to withstand the potential threats posed by quantum computers. The solution’s seamless integration with OpenSSL, NGINX, and Apache ensures that modern applications can securely offload these computationally intensive cryptographic operations without performance degradation.

Use Cases

•  Cloud Security: Protecting sensitive data in cloud infrastructures.
•  Financial Services: Ensuring secure transactions with PQC during key exchange and data encryption.
•  HPC and Research: Enabling quantum-safe cryptography for academic and scientific research.
•  Government and Defense: Meeting stringent security requirements with future-proof cryptographic solutions.

Problem Statement

As quantum computers become a real threat to conventional cryptographic systems, organizations must transition to PQC algorithms to secure sensitive data. However, these algorithms are computationally heavy, requiring significant processing power and causing performance bottlenecks, especially in large-scale applications. Traditional cryptographic accelerators, such as Intel’s QuickAssist Technology (QAT), offer limited flexibility to adapt to evolving PQC algorithms, resulting in higher maintenance costs and slower updates. A flexible, scalable solution, not tied to any one CPU vendor, is necessary to accommodate the rapid evolution of PQC standards without compromising performance or security. Focus can be on utilizing CPUs for application task and the CPUs selection can be made based on its ability to execute application tasks, rather than its limited offloading features like Intel’s integrated QAT®. Thus reducing overall platform cost while maintaining platform flexibility.

SACA Overview

The Silicom Accelerated Crypto Adapter (SACA) provides a look-aside PCIe solution that offloads computationally intensive PQC cryptographic operations. By leveraging Field Programmable Gate Arrays (FPGAs), the solution offers unparalleled flexibility to integrate custom and emerging cryptographic algorithms, including Post-Quantum Cryptography. The NoLoad® Cryptographic Accelerator enables efficient PQC offloading for algorithms like Module Lattice Based Key Encapsulation Mechanism (ML-KEM) and Module Lattice Based Digital Signature Algorithm (ML-DSA), ensuring future-proof security for systems.

Key Features NoLoad® Cryptographic Accelerator provides

i. Capabilities (Application Integrations)

• PQC Algorithm Support: Offloads PQC operations such as ML-KEM (512, 768, 1024) and ML-DSA (44, 65, 87).
• Cryptographic Agility: Easily adapt to new cryptographic algorithms as standards evolve, ensuring long-term security. Seamless Integration: Integrates with OpenSSL, NGINX, and Apache, providing out-of-the-box support for a wide range of applications.
• TLS 1.3 Support: Ensures modern secure communication protocols are supported for both traditional and PQC security standards.
• ECDSA/ECDH(E)/RSA
          o P-256, P-384, P-521 & X25519
• Hybrid PQC X25519MLKEM768 Support
• Key Management w/ Secure Key Import/Export/Rotate
• Side-Channel Resistant
• OpenSSL, NGINX, and Apache integration
• Cryptographic Agility
• True Random Number Generator
         o NIST SP 800-22/SP 800-90B

ii. Benchmarks

The performance of the Silicom Accelerated Crypto Adapter (SACA) scales with FPGA capacity. Below are the benchmarks for different FPGA models, focusing on PQC offloading performance:

Performance scaling is approximately linear with FPGA capacity, ensuring flexibility in selecting the optimal configuration, based on workload requirements.

Solution Details

The SACA solution is designed for organizations transitioning to PQC and requires offloading of heavy cryptographic operations. It is engineered to seamlessly integrate into existing infrastructures, providing efficient offloading capabilities and future-proof cryptographic support.

i. Deliverables

• Host Software:
      o  Seamless plug-and-play integration with OpenSSL, NGINX, and Apache.
      o  In-box driver support for Linux.
• Hardware and FPGA:
      o  ½-height, ½-length PCIe card with Altera Agilex F FPGA PCIe Gen4 x16.
(Form factors such as M.2, U.2, and E3.S may be offered)
      o  Different FPGA models available to suit various computational needs.
      o  FPGA IP delivered in compiled code format with configuration scripts.
• Management:
      o  NVMe-MI support for system-level administration, firmware updates, and logging.
      o NVMe log pages and administrative support.
• Documentation:
      o  Detailed datasheet, integration guide, and installation guide.

ii. Integration Process

• Define algorithmic requirements
• Request FPGA image with suitable algorithm mix
• Install HW card in suitable PCI slot, in a Linux or free BSD server
• Program accelerator card’s flash with FPGA image containing algorithm mix
• Configure services to utilize accelerator (OpenSSL integration, NGINX, Apache), incl supplied provider plug-in
• Use configuration scripts and tools provided for easy setup. Run management deamon
• Run service and verify functionality

Where to Buy

To explore the Silicom Accelerated Crypto Adapter (SACA) and its specifications, refer to the product brief here. For purchasing and additional inquiries, please contact your local Silicom distributor or sales representative.

• • Silicom FPGA SmartNIC N6010/N6011 (N6000-PL)
  • FPGA SmartNIC FB2CDG1@AGM39D-2 (ThunderFjord)