Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k)and 2.60 for Saber (D:915k).

Download Full-text

A RISC-V Post Quantum Cryptography Instruction Set Extension for Number Theoretic Transform to speed-up CRYSTALS Algorithms

IEEE Access ◽

10.1109/access.2021.3126208 ◽

2021 ◽

pp. 1-1

Author(s):

P. Nannipieri ◽

S. Di Matteo ◽

L. Zulberti ◽

F. Albicocchi ◽

S. Saponara ◽

...

Keyword(s):

Quantum Cryptography ◽

Instruction Set ◽

Instruction Set Extension ◽

Speed Up ◽

Post Quantum Cryptography

Download Full-text

A Side-Channel-Resistant Implementation of SABER

ACM Journal on Emerging Technologies in Computing Systems ◽

10.1145/3429983 ◽

2021 ◽

Vol 17 (2) ◽

pp. 1-26

Author(s):

Michiel Van Beirendonck ◽

Jan-Pieter D’anvers ◽

Angshuman Karmakar ◽

Josep Balasch ◽

Ingrid Verbauwhede

Keyword(s):

Quantum Cryptography ◽

Real World ◽

Side Channel ◽

Specific Design ◽

Dynamic Memory ◽

Channel Resistance ◽

Embedded Platforms ◽

Critical Requirement ◽

Post Quantum Cryptography

The candidates for the NIST Post-Quantum Cryptography standardization have undergone extensive studies on efficiency and theoretical security, but research on their side-channel security is largely lacking. This remains a considerable obstacle for their real-world deployment, where side-channel security can be a critical requirement. This work describes a side-channel-resistant instance of Saber, one of the lattice-based candidates, using masking as a countermeasure. Saber proves to be very efficient to masking due to two specific design choices: power-of-two moduli and limited noise sampling of learning with rounding. A major challenge in masking lattice-based cryptosystems is the integration of bit-wise operations with arithmetic masking, requiring algorithms to securely convert between masked representations. The described design includes a novel primitive for masked logical shifting on arithmetic shares and adapts an existing masked binomial sampler for Saber. An implementation is provided for an ARM Cortex-M4 microcontroller, and its side-channel resistance is experimentally demonstrated. The masked implementation features a 2.5x overhead factor, significantly lower than the 5.7x previously reported for a masked variant of NewHope. Masked key decapsulation requires less than 3,000,000 cycles on the Cortex-M4 and consumes less than 12kB of dynamic memory, making it suitable for deployment in embedded platforms.

Download Full-text

New Directions for NewHope: Improving Performance of Post-Quantum Cryptography through Algorithm-level Pipelining

2020 International Conference on Field-Programmable Technology (ICFPT) ◽

10.1109/icfpt51103.2020.00025 ◽

2020 ◽

Author(s):

Luke Beckwith ◽

William Diehl

Keyword(s):

Quantum Cryptography ◽

New Directions ◽

Post Quantum Cryptography ◽

Algorithm Level

Download Full-text

Network Coding-Based Post-Quantum Cryptography

IEEE Journal on Selected Areas in Information Theory ◽

10.1109/jsait.2021.3054598 ◽

2021 ◽

pp. 1-1

Author(s):

Alejandro Cohen ◽

Rafael G. L. DrOliveira ◽

Salman Salamatian ◽

Muriel Medard

Keyword(s):

Network Coding ◽

Quantum Cryptography ◽

Post Quantum Cryptography

Download Full-text

Speculative DMA for architecturally visible storage in instruction set extensions

Proceedings of the 6th IEEE/ACM/IFIP international conference on Hardware/Software codesign and system synthesis - CODES/ISSS '08 ◽

10.1145/1450135.1450191 ◽

2008 ◽

Cited By ~ 12

Author(s):

Theo Kluter ◽

Philip Brisk ◽

Paolo Ienne ◽

Edoardo Charbon

Keyword(s):

Instruction Set ◽

Instruction Set Extensions

Download Full-text

How to fool a black box machine learning based side-channel security evaluation

Cryptography and Communications ◽

10.1007/s12095-021-00479-x ◽

2021 ◽

Author(s):

Charles-Henry Bertrand Van Ouytsel ◽

Olivier Bronchain ◽

Gaëtan Cassiers ◽

François-Xavier Standaert

Keyword(s):

Machine Learning ◽

Black Box ◽

Security Evaluation ◽

Side Channel

Download Full-text

A secure and highly efficient first-order masking scheme for AES linear operations

Cybersecurity ◽

10.1186/s42400-021-00082-w ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Jingdian Ming ◽

Yongbin Zhou ◽

Huizhong Li ◽

Qian Zhang

Keyword(s):

Cost Reduction ◽

Provable Security ◽

State Of The Art ◽

Side Channel ◽

First Order ◽

Highly Efficient ◽

Non Linear ◽

Device Independence ◽

Practical Implications ◽

Provably Secure

AbstractDue to its provable security and remarkable device-independence, masking has been widely accepted as a noteworthy algorithmic-level countermeasure against side-channel attacks. However, relatively high cost of masking severely limits its applicability. Considering the high tackling complexity of non-linear operations, most masked AES implementations focus on the security and cost reduction of masked S-boxes. In this paper, we focus on linear operations, which seems to be underestimated, on the contrary. Specifically, we discover some security flaws and redundant processes in popular first-order masked AES linear operations, and pinpoint the underlying root causes. Then we propose a provably secure and highly efficient masking scheme for AES linear operations. In order to show its practical implications, we replace the linear operations of state-of-the-art first-order AES masking schemes with our proposal, while keeping their original non-linear operations unchanged. We implement four newly combined masking schemes on an Intel Core i7-4790 CPU, and the results show they are roughly 20% faster than those original ones. Then we select one masked implementation named RSMv2 due to its popularity, and investigate its security and efficiency on an AVR ATMega163 processor and four different FPGA devices. The results show that no exploitable first-order side-channel leakages are detected. Moreover, compared with original masked AES implementations, our combined approach is nearly 25% faster on the AVR processor, and at least 70% more efficient on four FPGA devices.

Download Full-text