Abstract
Masking is the main countermeasure against side-channel attacks on embedded devices. For cryptographic algorithms that combine Boolean and arithmetic masking, one must therefore convert between the two types of masking, without leaking additional information to the attacker. In this paper we describe a new high-order conversion algorithm between Boolean and arithmetic masking, based on table recomputation, and provably secure in the ISW probing model. We show that our technique is particularly efficient for masking structured LWE encryption schemes such as Kyber and Saber. In particular, for Kyber IND-CPA decryption, we obtain an order of magnitude improvement compared to existing techniques.
Highlights
Several works have demonstrated the effectiveness of side-channel attacks against post-quantum cryptography [TE15], for example against the BLISS signature scheme [BHLY16, EFGT17] and lattice-based encryption [PPM17, HCY20, XPRO20].
We have described a new high-order conversion algorithm between Boolean and arithmetic masking, based on a generalization of the table recomputation countermeasure from [Cor14].
For classical k-bit to k-bit conversions, the new algorithm offers a similar level of efficiency as in [CGV14].
Summary
When the private key s is arithmetically masked modulo q with n shares, we obtain n shares for u = u1 + · · · + un (mod q), and we must convert from an arithmetically masked u modulo q into a 1-bit Boolean masked m = m1 ⊕ · · · ⊕ mn = th(u). For this one could use our generic table-based approach with the function f = th, where f : Zq → {0, 1}. To encrypt a Boolean masked message m ∈ {0, 1}, we can use our generic table-based Boolean to arithmetic modulo q conversion algorithm. Our table-based approach for conversion between Boolean and arithmetic masking provides a significant efficiency improvement in the context of lattice-based cryptography, especially for IND-CPA decryption (Step 1), while being relatively easy to implement. The code is publicly available at https://github.com/fragerar/HOTableConv.
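As an added illustration (not the authors' code; their implementation is at the GitHub link above), the following Python models the generalized table-recomputation conversion the summary describes, in both directions used for Kyber: n arithmetic shares of u modulo q to n Boolean shares of th(u), and a Boolean-shared message bit to arithmetic shares modulo q. It assumes Kyber's q = 3329 and uses Kyber's 1-bit Compress function as th; the table of size q, the shift by each input share and the refresh of every entry follow the generic Cor14-style approach, without claiming to reproduce the paper's optimized variant.

```python
import secrets

def kyber_th(u, q=3329):
    # Kyber's 1-bit Compress, used here as th: round(2u/q) mod 2, i.e. 1 iff u is nearer q/2 than 0
    return ((2 * u + q // 2) // q) % 2

def refresh_bool(shares):
    # RefreshMasks for XOR shares: fresh randomness into each (s[0], s[j]) pair
    s = list(shares)
    for j in range(1, len(s)):
        r = secrets.randbits(1)
        s[0] ^= r
        s[j] ^= r
    return s

def refresh_arith(shares, q):
    # The same refresh for additive shares modulo q
    s = list(shares)
    for j in range(1, len(s)):
        r = secrets.randbelow(q)
        s[0] = (s[0] + r) % q
        s[j] = (s[j] - r) % q
    return s

def table_convert(in_shares, domain, f, unshift, refresh):
    # Generalised Cor14 table recomputation: T[u] holds n output shares of f(u). Shifting T by
    # x_1..x_{n-1} (refreshing every entry after each shift) makes T[x_n] an n-sharing of f(x).
    n = len(in_shares)
    T = {u: [f(u)] + [0] * (n - 1) for u in domain}
    for xi in in_shares[:-1]:
        T = {u: refresh(T[unshift(u, xi)]) for u in domain}
    return T[in_shares[-1]]

def arith_to_bool_th(u_shares, q=3329):
    # n additive shares of u mod q -> n XOR shares of th(u): Kyber IND-CPA decryption, Step 1
    return table_convert(u_shares, range(q), lambda u: kyber_th(u, q),
                         lambda u, xi: (u + xi) % q, refresh_bool)

def bool_to_arith(m_shares, q=3329):
    # n XOR shares of message bit m -> n additive shares of m mod q: used when encrypting
    return table_convert(m_shares, (0, 1), lambda m: m,
                         lambda u, mi: u ^ mi, lambda s: refresh_arith(s, q))

def share_arith(x, n, q=3329):  # constructed test input: n additive shares of x mod q
    s = [secrets.randbelow(q) for _ in range(n - 1)]
    return s + [(x - sum(s)) % q]
def share_bool(b, n):  # constructed test input: n XOR shares of bit b
    s = [secrets.randbits(1) for _ in range(n - 1)]
    return s + [b ^ (sum(s) % 2)]
```

The shares are recombined only in a test harness, never inside the conversion itself, which is the property the masking is meant to preserve.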
More From: IACR Transactions on Cryptographic Hardware and Embedded Systems