A Lightweight Implementation of Saber Resistant Against Side-Channel Attacks

The field of post-quantum cryptography aims to develop and analyze algorithms that can withstand both classical and quantum cryptanalysis. The NIST PQC standardization process, now in its third round, specifies ease of protection against side-channel analysis as an important selection criterion. In this work, we develop and validate a masked hardware implementation of the Saber key encapsulation mechanism, a third-round NIST PQC finalist. We first design a baseline lightweight hardware architecture of Saber and then apply side-channel countermeasures to it. Our protected hardware implementation is significantly faster than previously reported protected software and software/hardware co-design implementations. Additionally, applying side-channel countermeasures to our baseline design incurs approximately 2.9× and 1.4× penalties in terms of the number of LUTs and latency, respectively, in modern FPGAs.
