International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Authors:
Tim Fritzmann , Technical University of Munich, TUM Department of Electrical and Computer Engineering, Chair of Security in Information Technology, Munich, Germany
Michiel Van Beirendonck , imec-COSIC KU Leuven Kasteelpark Arenberg 10 - bus 2452, 3001 Leuven, Belgium
Debapriya Basu Roy , Technical University of Munich, TUM Department of Electrical and Computer Engineering, Chair of Security in Information Technology, Munich, Germany
Patrick Karl , Technical University of Munich, TUM Department of Electrical and Computer Engineering, Chair of Security in Information Technology, Munich, Germany
Thomas Schamberger , Technical University of Munich, TUM Department of Electrical and Computer Engineering, Chair of Security in Information Technology, Munich, Germany
Ingrid Verbauwhede , imec-COSIC KU Leuven Kasteelpark Arenberg 10 - bus 2452, 3001 Leuven, Belgium
Georg Sigl , Technical University of Munich, TUM Department of Electrical and Computer Engineering, Chair of Security in Information Technology, Munich, Germany; Fraunhofer Institute for Applied and Integrated Security, Garching, Germany
Download:
DOI: 10.46586/tches.v2022.i1.414-460
URL: https://tches.iacr.org/index.php/TCHES/article/view/9303
Search ePrint
Search Google
Abstract: Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k)and 2.60 for Saber (D:915k).
BibTeX
@article{tches-2021-31656,
  title={Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2022, Issue 1},
  pages={414-460},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9303},
  doi={10.46586/tches.v2022.i1.414-460},
  author={Tim Fritzmann and Michiel Van Beirendonck and Debapriya Basu Roy and Patrick Karl and Thomas Schamberger and Ingrid Verbauwhede and Georg Sigl},
  year=2021
}