A High-performance Masking Design Approach for Saber against High-order Side-channel Attack

Published: 16 October 2023

Abstract

Post-quantum cryptography (PQC) has become the most promising cryptographic approach against the threat that quantum computing poses to conventional public-key cryptographic schemes. Saber, a finalist in the third round of the PQC standardization procedure, is an appealing option for embedded systems due to its high encryption efficiency and accessibility. However, side-channel attacks (SCAs) can reveal confidential information by analyzing physical leakage, and several works demonstrate that Saber is vulnerable to SCAs. In this work, a ciphertext comparison method for masking design based on the bitslicing technique and a zero test is proposed, which balances the tradeoff between the performance and the security of comparing two arrays. A mathematical description of the proposed ciphertext comparison method is provided, and its correctness and security metrics are analyzed under the notion of probe-isolating non-interference (PINI). Moreover, a high-order masking approach built on the state of the art, covering the hash functions, centered binomial sampling, masking conversions, and the proposed ciphertext comparison, is presented, using the bitslicing technique to improve throughput. As a proof of concept, the proposed implementation of Saber is realized on the ARM Cortex-M4. The performance results show that the runtime overhead factors of 1st-, 2nd-, and 3rd-order masking are 3.01×, 5.58×, and 8.68×, and the dynamic memory used for 1st-, 2nd-, and 3rd-order masking is 17.4 kB, 24.0 kB, and 30.2 kB, respectively. The SCA-resilience evaluation results show that the 1st-order Test Vector Leakage Assessment (TVLA) result fails to reveal the secret key with 100,000 traces.


Published In

ACM Transactions on Design Automation of Electronic Systems, Volume 28, Issue 6, November 2023, 404 pages
ISSN: 1084-4309
EISSN: 1557-7309
DOI: 10.1145/3627977

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 16 October 2023
Online AM: 03 August 2023
Accepted: 15 July 2023
Revised: 29 May 2023
Received: 26 January 2023
Published in TODAES Volume 28, Issue 6


Author Tags

1. Post-quantum cryptography
2. high-order masking
3. Saber
4. test vector leakage assessment
5. PINI

Qualifiers

• Research-article
