Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Abstract: Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel maske… Show more

“…where we can get to Equation 7if τ is large enough to avoid any error due to the flooring operation, as proven in [24]. Note that the flooring operation, the multiplications and the shift operation are performed independently on each share.…”

“…prime q. While the power-of-two technique is relatively straightforward, the necessary adaptations to make this technique work for prime moduli were introduced by Fritzmann et al [24].…”

“…Fritzmann et al [24] noticed that only a limited precision is needed in the fractional representation. Given a number of bits needed for the required precision τ, they rewrite the expression above as:…”

“…In this section we give an highlevel overview of their comparison algorithm, which is given in Algorithm 9. For more details we refer to [2], [24] and [27].…”

“…A masked Kyber implementation for generic masking orders was introduced by Bos et al [23]. Fritzmann et al [24] optimized a masked implementation of Saber and Kyber using instruction set extensions. For the signature candidates, Dilithium was masked by Migliore et al [25].…”

Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations

“…where we can get to Equation 7if τ is large enough to avoid any error due to the flooring operation, as proven in [24]. Note that the flooring operation, the multiplications and the shift operation are performed independently on each share.…”

“…prime q. While the power-of-two technique is relatively straightforward, the necessary adaptations to make this technique work for prime moduli were introduced by Fritzmann et al [24].…”

“…Fritzmann et al [24] noticed that only a limited precision is needed in the fractional representation. Given a number of bits needed for the required precision τ, they rewrite the expression above as:…”

“…In this section we give an highlevel overview of their comparison algorithm, which is given in Algorithm 9. For more details we refer to [2], [24] and [27].…”

“…A masked Kyber implementation for generic masking orders was introduced by Bos et al [23]. Fritzmann et al [24] optimized a masked implementation of Saber and Kyber using instruction set extensions. For the signature candidates, Dilithium was masked by Migliore et al [25].…”

Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations

Artificial Intelligence for Cyber Security

A Lightweight Implementation of Saber Resistant Against Side-Channel Attacks