Abstract
In the final phase of the post-quantum cryptography standardization effort, the focus has been extended to include the side-channel resistance of the candidates. While some schemes have been already extensively analyzed in this regard, there is no such study yet of the finalist Kyber. In this work, we demonstrate the first completely masked implementation of Kyber which is protected against first- and higher-order attacks. To the best of our knowledge, this results in the first higher-order masked implementation of any post-quantum secure key encapsulation mechanism algorithm. This is realized by introducing two new techniques. First, we propose a higher-order algorithm for the one-bit compression operation. This is based on a masked bit-sliced binary-search that can be applied to prime moduli. Second, we propose a technique which enables one to compare uncompressed masked polynomials with compressed public polynomials. This avoids the costly masking of the ciphertext compression while being able to be instantiated at arbitrary orders. We show performance results for first-, second- and third-order protected implementations on the Arm Cortex-M0+ and Cortex-M4F. Notably, our implementation of first-order masked Kyber decapsulation requires 3.1 million cycles on the Cortex-M4F. This is a factor 3.5 overhead compared to the unprotected optimized implementation in pqm4. We experimentally show that the first-order implementation of our new modules on the Cortex-M0+ is hardened against attacks using 100 000 traces and mechanically verify the security in a fine-grained leakage model using the verification tool scVerif.
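The second technique rests on a simple arithmetic fact about Kyber's Compress_q(x, d): it partitions [0, q) into contiguous ranges, so whether an uncompressed coefficient would compress to a given public value can be decided by range checks on the uncompressed value alone, without ever compressing it. The following is an added, unmasked illustration of that principle (not code from the paper, and without any of its masking); q = 3329 is Kyber's modulus, and the compress/decompress formulas follow the Kyber specification.

```python
# Added example, not the paper's code: the plain-integer arithmetic behind
# comparing an uncompressed coefficient with a compressed public one.
# Q is Kyber's modulus; compress/decompress follow the Kyber specification.
Q = 3329


def ceil_div(a: int, n: int) -> int:
    """Exact ceiling of a / n for integers (n > 0), also for negative a."""
    return -((-a) // n)


def compress(x: int, d: int) -> int:
    """Compress_q(x, d) = round(2^d * x / q) mod 2^d for 0 <= x < q."""
    return ((x << d) + Q // 2) // Q % (1 << d)


def decompress(c: int, d: int) -> int:
    """Decompress_q(c, d) = round(q * c / 2^d)."""
    return (Q * c + (1 << (d - 1))) >> d


def compress_ranges(c: int, d: int) -> list:
    """Half-open ranges [lo, hi) of x in [0, q) with compress(x, d) == c.

    round(2^d x / q) == c  <=>  (2c-1) q / 2^(d+1) <= x < (2c+1) q / 2^(d+1);
    for c == 0 the lower bound is negative, i.e. the range wraps around q.
    """
    n = 1 << (d + 1)
    lo = ceil_div((2 * c - 1) * Q, n)
    hi = ceil_div((2 * c + 1) * Q, n)
    if lo < 0:
        return [(0, hi), (lo + Q, Q)]
    return [(lo, hi)]


def matches_compressed(x: int, c: int, d: int) -> bool:
    """True iff x would compress to c, decided by range checks on x alone."""
    return any(lo <= x < hi for lo, hi in compress_ranges(c, d))


def poly_matches_compressed(poly: list, compressed: list, d: int) -> bool:
    """Compare an uncompressed polynomial with a compressed public one.

    The uncompressed coefficients are never compressed, only range-tested;
    this is the unmasked analogue of the comparison the abstract describes.
    """
    return all(matches_compressed(x, c, d) for x, c in zip(poly, compressed))


# Constructed sample: five coefficients around the 1-bit boundaries.
SAMPLE_POLY = [0, 832, 833, 2496, 2497]
SAMPLE_COMPRESSED = [compress(x, 1) for x in SAMPLE_POLY]  # [0, 0, 1, 1, 0]
```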
Highlights
Public-key cryptography is based on conjectured-to-be-hard mathematical problems
In the remainder we introduce the method with a focus on the Kyber application; it should be noted that this approach works for any modulus q
It should be noted that the slowdown factor is relatively small due to the lack of assembly optimizations: since polynomial arithmetic, which has only a small slowdown factor, still accounts for a significant share of the cost, the overall slowdown compared to the reference implementation is reduced
Summary
Public-key cryptography is based on conjectured-to-be-hard mathematical problems. The most widely used examples are RSA, based on the integer factorization problem, and elliptic curve cryptography, based on the discrete logarithm problem. A challenge when protecting against side-channel attacks is the fact that many popular schemes, such as Kyber, use a prime modulus. As observed in both [MGTF19] and [GR19], this results in a significant performance overhead compared to power-of-two moduli, which allow more efficient bit-operations and conversions. One of the other NIST finalists, Saber [DKR+20], does use a power-of-two modulus for its operations, and it has been shown how to turn this into an efficient first-order protected scheme by Beirendonck, D'Anvers, Karmakar, Balasch and Verbauwhede in [BDK+20]. An attack on this masked Saber implementation was subsequently presented by Ngo, Dubrova, Guo and Johansson [NDGJ21], who apply deep-learning power analysis in combination with a lattice reduction step to recover the long-term secret key. The first-order hardened implementation of our two new modules does not show any detectable leakage.
More From: IACR Transactions on Cryptographic Hardware and Embedded Systems