Abstract
Post-quantum cryptography (PQC) has become the most promising cryptographic approach against the threat that quantum computing poses to conventional public-key schemes. Saber, a finalist in the third round of the PQC standardization process, is an appealing option for embedded systems because of its high encryption efficiency and accessibility. However, side-channel attacks (SCAs) can easily reveal confidential information by analyzing the physical manifestations of a computation, and several works have demonstrated that Saber is vulnerable to SCAs. In this work, a ciphertext comparison method for masked designs, based on the bitslicing technique and a zero-test, is proposed; it balances the tradeoff between the performance and the security of comparing two arrays. The mathematical description of the proposed ciphertext comparison method is provided, and its correctness and security are analyzed under the probe-isolating non-interference (PINI) notion. Moreover, a high-order masking approach based on the state of the art, covering the hash functions, centered binomial sampling, masking conversions, and the proposed ciphertext comparison, is presented, using the bitslicing technique to improve throughput. As a proof of concept, the proposed implementation of Saber targets the ARM Cortex-M4. The performance results show that the runtime overhead factors of 1st-, 2nd-, and 3rd-order masking are 3.01×, 5.58×, and 8.68×, and the dynamic memory used by 1st-, 2nd-, and 3rd-order masking is 17.4 kB, 24.0 kB, and 30.2 kB, respectively. The SCA-resilience evaluation shows that the 1st-order Test Vector Leakage Assessment (TVLA) result fails to reveal the secret key with 100,000 traces.
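As an added illustration, not code from the paper, the C program below shows the basic shape of a Boolean-masked ciphertext comparison built on a zero-test: the received (public) ciphertext is XORed into one share of the masked re-encryption, all difference bits are OR-reduced with a masked OR gadget, and only the final one-bit verdict is unmasked. It is first-order only and uses a two-share ISW AND gadget evaluated bit-parallel over 32-bit words in the bitsliced style; the paper's own method is higher-order and its details are not given on this page. Function names, the toy PRNG and the sample ciphertext words are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not the paper's code: first-order Boolean-masked
 * comparison of a public ciphertext against a re-encrypted ciphertext held
 * as two shares. Only the final equal/not-equal bit is ever unmasked. */

/* Toy xorshift PRNG for the fresh randomness the AND gadget needs.
 * NOT cryptographic: a real device would use a TRNG or a seeded DRBG. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t fresh_random(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    prng_state = x;
    return x;
}

static uint32_t rotr32(uint32_t x, unsigned s) {
    return (x >> s) | (x << (32u - s));
}

/* Two-share ISW AND gadget over 32-bit words: in the bitsliced view each bit
 * position is an independent masked AND. c = a & b, a = a0^a1, b = b0^b1. */
static void masked_and(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1,
                       uint32_t *c0, uint32_t *c1) {
    uint32_t r = fresh_random();
    uint32_t t = r ^ (a0 & b1);   /* mask the first cross term before ... */
    t ^= (a1 & b0);               /* ... combining it with the second     */
    *c0 = (a0 & b0) ^ r;
    *c1 = (a1 & b1) ^ t;
}

/* Masked OR via De Morgan, a|b = ~(~a & ~b); NOT acts on share 0 only. */
static void masked_or(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1,
                      uint32_t *c0, uint32_t *c1) {
    uint32_t t0, t1;
    masked_and(~a0, a1, ~b0, b1, &t0, &t1);
    *c0 = ~t0;
    *c1 = t1;
}

/* Zero-test comparison: returns 1 if pub[i] == re0[i]^re1[i] for every word,
 * else 0, never forming the unmasked re-encryption or unmasked difference. */
int masked_ciphertext_equal(const uint32_t *pub, const uint32_t *re0,
                            const uint32_t *re1, size_t n) {
    uint32_t acc0 = fresh_random();   /* fresh sharing of zero: acc0^acc1 = 0 */
    uint32_t acc1 = acc0;
    for (size_t i = 0; i < n; i++) {
        /* XOR with a public value is linear: apply it to one share only. */
        uint32_t d0 = re0[i] ^ pub[i];
        uint32_t d1 = re1[i];
        masked_or(acc0, acc1, d0, d1, &acc0, &acc1);
    }
    /* Fold the 32 bit positions into bit 0. Rotations are linear, so they act
     * on each share separately and keep the shares uniformly distributed. */
    for (unsigned s = 16; s > 0; s >>= 1) {
        masked_or(acc0, acc1, rotr32(acc0, s), rotr32(acc1, s), &acc0, &acc1);
    }
    return ((acc0 ^ acc1) & 1u) ? 0 : 1;   /* the only unmasking */
}

/* Setup helper: split a value into two fresh Boolean shares. */
void boolean_share(const uint32_t *v, uint32_t *s0, uint32_t *s1, size_t n) {
    for (size_t i = 0; i < n; i++) {
        s1[i] = fresh_random();
        s0[i] = v[i] ^ s1[i];
    }
}

/* Runs two scenarios on constructed sample words (not real Saber data) and
 * packs the verdicts: bit 1 = honest equal, bit 0 = tampered equal. */
int run_demo(void) {
    uint32_t pub[4]      = {0xDEADBEEFu, 0x01234567u, 0x89ABCDEFu, 0x00000000u};
    uint32_t tampered[4] = {0xDEADBEEFu, 0x01234567u, 0x89ABCDEFu, 0x00000001u};
    uint32_t s0[4], s1[4];
    boolean_share(pub, s0, s1, 4);
    int honest = masked_ciphertext_equal(pub, s0, s1, 4);
    boolean_share(tampered, s0, s1, 4);
    int bad = masked_ciphertext_equal(pub, s0, s1, 4);
    return (honest << 1) | bad;
}

int main(void) {
    int v = run_demo();
    printf("honest equal: %d, tampered equal: %d\n", v >> 1, v & 1);
    return 0;
}
```

The design point worth noting is where unmasking happens: the difference words and the OR accumulator stay shared throughout, and the single verdict bit is recombined only at the end, which is the value the decapsulation needs anyway. Extending this to higher orders means replacing the two-share gadget with an n-share AND and refreshing the accumulator as the composition rules (PINI in the paper's case) require.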
Index Terms
- A High-performance Masking Design Approach for Saber against High-order Side-channel Attack