Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Patrick Karl,Georg Sigl,Ingrid Verbauwhede,Michiel Van Beirendonck,Debapriya Basu Roy,Thomas Schamberger,Tim Fritzmann

doi:10.46586/tches.v2022.i1.414-460

Abstract

Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k)and 2.60 for Saber (D:915k).

Highlights

Rapid progress in the area of quantum computers drives the need for new cryptographic algorithms resistant against attacks that use quantum computers
The cycle count comparison between our work and the pure software Reduced Instruction Set Computer (RISC)-V implementations in [FSS20] and [Gre20] show that the integration of hardware accelerators and Instruction Set Architecture (ISA) extensions can lead to clear improvements
All non-linear operations discussed in Section 2 for masking Kyber and Saber are covered by our experiments

Summary

Introduction

Rapid progress in the area of quantum computers drives the need for new cryptographic algorithms resistant against attacks that use quantum computers. While classical publickey cryptography, such as RSA and Elliptic Curve Cryptography (ECC), will be broken with a large-scale quantum computer, Post-Quantum Cryptography (PQC) refers to a set of algorithms that are supposed to be secure against cryptanalytic attacks using a quantum computer. To accelerate the transition from classical to quantum-secure cryptography, the National Institute of Standards and Technology (NIST) started a standardization process [Nat16] and recently selected seven algorithms as finalists and eight alternate candidates [AASA+20]. Out of the seven finalists, five schemes are based on the hardness of structured lattice problems. Lattice-based cryptography has become one of the most important PQC categories as it is characterized by a very high performance and relatively small ciphertext and key sizes.

Objectives

Methods

Results

Conclusion