International Association for Cryptologic Research


CryptoDB

Bitslicing Arithmetic/Boolean Masking Conversions for Fun and Profit: with Application to Lattice-Based KEMs

Authors:
Olivier Bronchain, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Gaëtan Cassiers, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Download:
DOI: 10.46586/tches.v2022.i4.553-588
URL: https://tches.iacr.org/index.php/TCHES/article/view/9831
Presentation: Slides
Abstract: The performance of higher-order masked implementations of lattice-based key encapsulation mechanisms (KEMs) is currently limited by the costly conversions between arithmetic and Boolean masking. While bitslicing has been shown to strongly speed up masked implementations of symmetric primitives, its use in arithmetic-to-Boolean and Boolean-to-arithmetic masking conversion gadgets has never been thoroughly investigated. In this paper, we first show that bitslicing can indeed accelerate existing conversion gadgets. We then optimize these gadgets, exploiting the degrees of freedom offered by bitsliced implementations. As a result, we introduce new arbitrary-order Boolean masked addition, arithmetic-to-Boolean and Boolean-to-arithmetic masking conversion gadgets, each in two variants: modulo 2^k and modulo p (for any integers k and p). Practically, our new gadgets achieve a speedup of up to 25x over the state of the art. Turning to the KEM application, we develop the first open-source embedded (Cortex-M4) implementations of Kyber768 and Saber masked at arbitrary order. The implementations based on the new bitsliced gadgets achieve a speedup of 1.8x for Kyber and 3x for Saber, compared to the implementation based on state-of-the-art gadgets. The bottleneck of the bitsliced implementations is the masked Keccak-f[1600] permutation.
BibTeX
@article{tches-2022-32377,
  title={Bitslicing Arithmetic/Boolean Masking Conversions for Fun and Profit: with Application to Lattice-Based KEMs},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2022, Issue 4},
  pages={553-588},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9831},
  doi={10.46586/tches.v2022.i4.553-588},
  author={Olivier Bronchain and Gaëtan Cassiers},
  year=2022
}