Please use this identifier to cite or link to this item:
Publisher DOI: 10.46586/tches.v2021.i4.173-214
Title: Masking Kyber: first-and higher-order implementations
Language: English
Authors: Bos, Joppe Willem 
Gourjon, Marc Olivier 
Renes, Joost 
Schneider, Tobias 
Vredendaal, Christine van 
Keywords: Kyber;Masking;Post-Quantum Cryptography
Issue Date: 11-Aug-2021
Publisher: Ruhr-Universität Bochum
Source: IACR Transactions on Cryptographic Hardware and Embedded Systems 2021 (4): 173-214 (2021-08-11)
Journal: IACR transactions on cryptographic hardware and embedded systems 
Abstract (english): 
In the final phase of the post-quantum cryptography standardization effort, the focus has been extended to include the side-channel resistance of the candidates. While some schemes have been already extensively analyzed in this regard, there is no such study yet of the finalist Kyber. In this work, we demonstrate the first completely masked implementation of Kyber which is protected against first-and higher-order attacks. To the best of our knowledge, this results in the first higher-order masked implementation of any post-quantum secure key encapsulation mechanism algorithm. This is realized by introducing two new techniques. First, we propose a higher-order algorithm for the one-bit compression operation. This is based on a masked bit-sliced binary-search that can be applied to prime moduli. Second, we propose a technique which enables one to compare uncompressed masked polynomials with compressed public polynomials. This avoids the costly masking of the ciphertext compression while being able to be instantiated at arbitrary orders. We show performance results for first-, second-and third-order protected implementations on the Arm Cortex-M0+ and Cortex-M4F. Notably, our implementation of first-order masked Kyber decapsulation requires 3.1 million cycles on the Cortex-M4F. This is a factor 3.5 overhead compared to the unprotected optimized implementation in pqm4. We experimentally show that the first-order implementation of our new modules on the Cortex-M0+ is hardened against attacks using 100 000 traces and mechanically verify the security in a fine-grained leakage model using the verification tool scVerif.
DOI: 10.15480/882.3915
ISSN: 2569-2925
Institute: Secure Cyber-Physical Systems E-15 
Document Type: Article
License: CC BY 4.0 (Attribution) CC BY 4.0 (Attribution)
Appears in Collections:Publications with fulltext

Files in This Item:
File Description SizeFormat
TCHES2021_4_07.pdfVerlags-PDF1,24 MBAdobe PDFView/Open
Show full item record

Page view(s)

checked on Nov 27, 2021


checked on Nov 27, 2021

Google ScholarTM


Note about this record

Cite this record


This item is licensed under a Creative Commons License Creative Commons