TY - JOUR
T1 - Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography
AU - Fritzmann, Tim
AU - Van Beirendonck, Michiel
AU - Roy, Debapriya Basu
AU - Karl, Patrick
AU - Schamberger, Thomas
AU - Verbauwhede, Ingrid
AU - Sigl, Georg
N1 - Publisher Copyright:
© 2022, Ruhr-University of Bochum. All rights reserved.
PY - 2021
Y1 - 2021
N2 - Side-channel attacks can break mathematically secure cryptographic systems, leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k) and 2.60 for Saber (D:915k).
AB - Side-channel attacks can break mathematically secure cryptographic systems, leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k) and 2.60 for Saber (D:915k).
KW - Accelerators
KW - Instruction set extensions
KW - Kyber
KW - Masking
KW - Post-quantum cryptography
KW - RISC-V
KW - Saber
UR - http://www.scopus.com/inward/record.url?scp=85130477271&partnerID=8YFLogxK
U2 - 10.46586/tches.v2022.i1.414-460
DO - 10.46586/tches.v2022.i1.414-460
M3 - Article
AN - SCOPUS:85130477271
SN - 2569-2925
VL - 2022
SP - 414
EP - 460
JO - IACR Transactions on Cryptographic Hardware and Embedded Systems
JF - IACR Transactions on Cryptographic Hardware and Embedded Systems
IS - 1
ER -