Abstract
The sampling of polynomials with fixed weight is a procedure required by the round-4 Key Encapsulation Mechanisms (KEMs) of the NIST Post-Quantum Cryptography (PQC) standardization process (BIKE, HQC, McEliece) as well as by NTRU, Streamlined NTRU Prime, and NTRU LPRime. Recent attacks have shown that side-channel leakage of the sampling step can be exploited for key recovery in this setting. While countermeasures against such timing attacks have already been presented, there is still no comprehensive work covering solutions that are also secure against power side channels.
To close this gap, the contribution of this work is threefold. First, we analyze the requirements of the different use cases of fixed-weight sampling. Second, we demonstrate how all known sampling methods can be implemented securely against timing and power/EM side channels and propose performance-enhancing modifications. Furthermore, we propose a new comparison-based methodology that outperforms existing methods in the masked setting for the three round-4 KEMs BIKE, HQC, and McEliece. Third, we present bitsliced and arbitrary-order masked software implementations and benchmark them for all relevant cryptographic schemes in order to derive recommendations for each use case. Additionally, we provide a hardware implementation of our new method as a case study and analyze the feasibility of implementing the other approaches in hardware.
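As an added illustration (not code from the paper or its authors), the following C program contrasts the two sampling patterns the abstract alludes to: a rejection sampler whose control flow depends on the secret vector it is building, and a sorting-based sampler that does a fixed amount of work by pushing w tagged random keys through a data-independent sorting network (Batcher's merge-exchange network as given in Knuth, TAOCP 5.2.2, Algorithm M). The xorshift32 generator, the function names and the parameter values are constructed for this example; the paper's own comparison-based method and its masked and bitsliced implementations are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the KEM's seed expander (deterministic xorshift32) so the
 * example runs offline and repeatably; not a DRBG for real use. */
typedef struct { uint32_t s; } toy_rng;
static uint32_t toy_rng_next(toy_rng *r) {
    uint32_t x = r->s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return r->s = x;
}

/* Variant 1: rejection sampling of w distinct positions in [0, n). Loop count and
 * addresses touched depend on collisions with positions already chosen, i.e. on the
 * secret vector being built. */
static void fixed_weight_rejection(uint8_t *e, size_t n, size_t w, toy_rng *rng) {
    memset(e, 0, n);
    for (size_t placed = 0; placed < w && w <= n; ) {
        size_t pos = toy_rng_next(rng) % n;   /* modulo bias ignored here */
        if (e[pos]) continue;                 /* secret-dependent branch */
        e[pos] = 1;
        placed++;
    }
}

/* Branch-free compare-exchange: afterwards *a <= *b. */
static void ct_cmpswap(uint32_t *a, uint32_t *b) {
    uint32_t x = *a, y = *b;
    uint32_t gt = (uint32_t)(((uint64_t)y - (uint64_t)x) >> 63);  /* 1 iff x > y */
    uint32_t t = (x ^ y) & ((uint32_t)0 - gt);
    *a = x ^ t; *b = y ^ t;
}

/* Batcher's merge-exchange sorting network (Knuth, TAOCP 5.2.2, Alg. M) for any n:
 * the comparator sequence depends only on n, never on the data. */
static void ct_sort_u32(uint32_t *a, size_t n) {
    if (n < 2) return;
    size_t t = 0;
    while (((size_t)1 << t) < n) t++;
    for (size_t p = (size_t)1 << (t - 1); p > 0; p >>= 1) {
        size_t q = (size_t)1 << (t - 1), r = 0, d = p;
        while (d > 0) {
            for (size_t i = 0; i + d < n; i++)
                if ((i & p) == r) ct_cmpswap(&a[i], &a[i + d]);
            d = q - p; q >>= 1; r = p;
        }
    }
}

/* Variant 2: sorting-based sampling. Tag the first w of n random keys with a 1 in the
 * low bit, sort with the data-independent network and read the low bits back: the ones
 * land at w random positions and the work is identical for every seed. Collisions among
 * the 31-bit random parts give a small bias, not treated here. Returns 0 on success. */
static int fixed_weight_sorting(uint8_t *e, size_t n, size_t w, toy_rng *rng) {
    uint32_t *keys = (w <= n) ? malloc(n * sizeof *keys) : NULL;
    if (!keys) return -1;
    for (size_t i = 0; i < n; i++)
        keys[i] = (toy_rng_next(rng) & 0xFFFFFFFEu) | (uint32_t)(i < w);
    ct_sort_u32(keys, n);
    for (size_t i = 0; i < n; i++) e[i] = (uint8_t)(keys[i] & 1u);
    free(keys);
    return 0;
}

/* Check helpers: Hamming weight of one sample from a seed ((size_t)-1 on failure),
 * and whether the network actually sorts a pseudorandom array of length n. */
static size_t sample_weight(size_t n, size_t w, uint32_t seed, int use_sorting) {
    uint8_t *e = malloc(n);
    toy_rng rng = { seed };
    int rc = use_sorting ? fixed_weight_sorting(e, n, w, &rng)
                         : (fixed_weight_rejection(e, n, w, &rng), 0);
    size_t hw = (rc == 0) ? 0 : (size_t)-1;
    for (size_t i = 0; rc == 0 && i < n; i++) hw += e[i];
    free(e);
    return hw;
}

static int network_sorts(size_t n, uint32_t seed) {
    uint32_t *a = malloc(n * sizeof *a);
    toy_rng rng = { seed };
    int ok = 1;
    for (size_t i = 0; i < n; i++) a[i] = toy_rng_next(&rng);
    ct_sort_u32(a, n);
    for (size_t i = 1; i < n; i++) ok &= (a[i - 1] <= a[i]);
    free(a);
    return ok;
}

int main(void) {
    printf("sorting-based sample of weight %zu (n=64, w=11)\n", sample_weight(64, 11, 0x12345678u, 1));
    printf("network sorts 1000 pseudorandom words: %s\n", network_sorts(1000, 7u) ? "yes" : "no");
    return 0;
}
```

What the sorting variant buys is control flow and memory addresses that do not depend on the sampled vector, which is exactly the property the rejection loop violates. It is not yet the power/EM security the paper targets: that additionally requires masking the keys and the comparators, and even the timing property must be confirmed on the compiled binary, since a compiler may lower the mask arithmetic in ct_cmpswap back into a branch.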
Notes
- 1.
- 2. Stable sorting in ascending order by the MSB of (10, 11, 01) yields (01, 10, 11) and not (01, 11, 10): the two elements with MSB 1 keep their original relative order.
Acknowledgments
The work described in this paper has been supported by the German Federal Ministry of Education and Research (BMBF) through the projects QuantumRISC (16KIS1038) and PQC4Med (16KIS1044), by the German Research Foundation (DFG) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972, and by the European Commission under grant agreement number 101070374. We thank Eike Kiltz and Gregor Leander for their valuable comments.
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Krausz, M., Land, G., Richter-Brockmann, J., Güneysu, T. (2023). A Holistic Approach Towards Side-Channel Secure Fixed-Weight Polynomial Sampling. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13941. Springer, Cham. https://doi.org/10.1007/978-3-031-31371-4_4
DOI: https://doi.org/10.1007/978-3-031-31371-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31370-7
Online ISBN: 978-3-031-31371-4