Paper 2023/1220

Securing Lattice-Based KEMs with Code-Based Masking: A Theoretical Approach

Pierre-Augustin Berthet, Télécom Paris, Hensoldt SAS France
Yoan Rougeolle, Hensoldt SAS France
Cédric Tavernier, Hensoldt SAS France
Jean-Luc Danger, Télécom Paris
Laurent Sauvage, Télécom Paris
Abstract

The recent technological advances in Post-Quantum Cryptography (PQC) raise the question of robust implementations of new asymmetric cryptographic primitives in today's technology. This is the case for the lattice-based Module Lattice-Key Encapsulation Mechanism (ML-KEM) algorithm, which NIST has proposed as the first standard for a Key Encapsulation Mechanism (KEM), taking inspiration from CRYSTALS-Kyber. In particular, we have to make sure that the ML-KEM implementation is resilient against physical attacks such as Side-Channel Analysis (SCA) and Fault Injection Attacks (FIA). To reach this goal, we propose to adapt a masking countermeasure, more precisely the generic Direct Sum Masking method (DSM). Taking inspiration from a previous paper on AES, we extend the method to finite fields of prime characteristic other than 2 and to even-length codes. We also investigate its application to Keccak, the hash-based function used in ML-KEM. We propose masked conversions and use cost amortization to perform this hash. We provide the first masked implementation of ML-KEM with both SCA and FIA resilience that is able to correct errors. Our FIA resilience allows for fault correction even within the multiplicative gadget. Finally, we adapt a polynomial evaluation method to compute masked polynomials with public coefficients over finite fields of characteristic different from 2.

Note: Revision 2: Added conversion between different code-based maskings and thus a new performance comparison

Metadata
Available format(s)
PDF
Publication info
Preprint.
Keywords
Post-Quantum Cryptography, ML-KEM, Side Channel Analysis, Fault Injection Attack, Code Based Masking, Conversion
Contact author(s)
berthet @ telecom-paris fr
yoan rougeolle @ hensoldt net
cedric tavernier @ hensoldt net
jean-luc danger @ telecom-paris fr
laurent sauvage @ telecom-paris fr
History
2024-05-26: last of 2 revisions
2023-08-11: received
Short URL
https://ia.cr/2023/1220
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1220,
      author = {Pierre-Augustin Berthet and Yoan Rougeolle and Cédric Tavernier and Jean-Luc Danger and Laurent Sauvage},
      title = {Securing Lattice-Based {KEMs} with Code-Based Masking: A Theoretical Approach},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1220},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1220}},
      url = {https://eprint.iacr.org/2023/1220}
}