An Efficient and Provable Masked Implementation of qTESLA

Gérard, François; Rossi, Mélissa

doi:10.1007/978-3-030-42068-0_5

Cited by 14 publications

(12 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…A challenge when protecting against side-channel attacks is the fact that many popular schemes, such as Kyber, use a prime modulus. As observed in both [MGTF19] and [GR19], this results in a significant performance overhead compared to power-of-two moduli, which allow more efficient bit-operations and conversions. Due to the usage of such prime moduli in PQC schemes many prior algorithms needed to be adapted to fit this specific use-case.…”

Section: Related Workmentioning

confidence: 96%

“…An initial first-order masking scheme of a complete KEM similar to NewHope [BCNS15, ADPS16] was presented at CHES'18 [OSPG18]: building on the concepts of [RRVV15] but presenting a new decoding algorithm without tables and, in addition, proposes to mask all other secret-dependent modules. Similar as for the KEM case, masked signature schemes have been proposed in [BBE + 18, MGTF19,GR19].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Masking Kyber: First- and Higher-Order Implementations

Bos

Gourjon

Renes

et al. 2021

TCHES

View full text Add to dashboard Cite

In the final phase of the post-quantum cryptography standardization effort, the focus has been extended to include the side-channel resistance of the candidates. While some schemes have been already extensively analyzed in this regard, there is no such study yet of the finalist Kyber.In this work, we demonstrate the first completely masked implementation of Kyber which is protected against first- and higher-order attacks. To the best of our knowledge, this results in the first higher-order masked implementation of any post-quantum secure key encapsulation mechanism algorithm. This is realized by introducing two new techniques. First, we propose a higher-order algorithm for the one-bit compression operation. This is based on a masked bit-sliced binary-search that can be applied to prime moduli. Second, we propose a technique which enables one to compare uncompressed masked polynomials with compressed public polynomials. This avoids the costly masking of the ciphertext compression while being able to be instantiated at arbitrary orders.We show performance results for first-, second- and third-order protected implementations on the Arm Cortex-M0+ and Cortex-M4F. Notably, our implementation of first-order masked Kyber decapsulation requires 3.1 million cycles on the Cortex-M4F. This is a factor 3.5 overhead compared to the unprotected optimized implementationin pqm4. We experimentally show that the first-order implementation of our new modules on the Cortex-M0+ is hardened against attacks using 100 000 traces and mechanically verify the security in a fine-grained leakage model using the verification tool scVerif.

show abstract

Section: Related Workmentioning

confidence: 96%

Section: Related Workmentioning

confidence: 99%

Masking Kyber: First- and Higher-Order Implementations

Bos

Gourjon

Renes

et al. 2021

TCHES

View full text Add to dashboard Cite

show abstract

“…The main difference between Kyber and Saber is that Kyber uses a prime modulus while Saber uses a power-of-two modulus. In practice, the implementations in [MGTF19] and [GR19] observed a significant performance overhead for prime moduli compared to power-of-two moduli with regards to masking. Our work shows that the difference is not so significant.…”

Section: Directionmentioning

confidence: 99%

High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption

Coron

Gérard

Montoya

et al. 2022

TCHES

Self Cite

View full text Add to dashboard Cite

Masking is the main countermeasure against side-channel attacks on embedded devices. For cryptographic algorithms that combine Boolean and arithmetic masking, one must therefore convert between the two types of masking, without leaking additional information to the attacker. In this paper we describe a new high-order conversion algorithm between Boolean and arithmetic masking, based on table recomputation, and provably secure in the ISW probing model. We show that our technique is particularly efficient for masking structured LWE encryption schemes such as Kyber and Saber. In particular, for Kyber IND-CPA decryption, we obtain an order of magnitude improvement compared to existing techniques.

show abstract

“…O primeiro relata sobre uma vulnerabilidade no esquema qTESLA e Dilithium contra ataques de injeção de falha [Ravi et al 2019]. O segundo apresenta uma correção para o problema com a aplicação de máscaras [Gérard and Rossi 2019].…”

Section: Trabalhos Relacionadosunclassified

Algoritmos de Assinatura Digital Baseada em Reticulados Candidatos a Padrão Pós-Quântico

Belarmino¹,

Goya²

2019

Anais Estendidos Do XIX Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg Estendido 2019)

View full text Add to dashboard Cite

Avanços na construção de computadores quânticos e o fato de vários dos atuais padrões criptográﬁcos serem inseguros na presença de um eventual computador quântico de maior porte levaram o NIST a promover um concurso de padronização de algoritmos pós-quânticos, caracterizados pela segurança em computadores convencionais e quânticos. Neste trabalho são comparados esquemas de assinatura digital baseada em reticulados que participam da segunda fase do concurso, com base nas propriedades, segurança e desempenho dos algoritmos.

show abstract

An Efficient and Provable Masked Implementation of qTESLA

Cited by 14 publications

References 22 publications

Masking Kyber: First- and Higher-Order Implementations

Masking Kyber: First- and Higher-Order Implementations

High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption

Algoritmos de Assinatura Digital Baseada em Reticulados Candidatos a Padrão Pós-Quântico

Contact Info

Product

Resources

About