Cryptology ePrint Archive: Report 2020/1038

On Configurable SCA Countermeasures Against Single Trace Attacks for the NTT - A Performance Evaluation Study over Kyber and Dilithium on the ARM Cortex-M4

Prasanna Ravi and Romain Poussier and Shivam Bhasin and Anupam Chattopadhyay

Abstract: The Number Theoretic Transform (NTT) is a critical sub-block used in several structured lattice-based schemes, including Kyber and Dilithium, which are finalist candidates in the NIST's standardization process for post-quantum cryptography. The NTT was shown to be susceptible to single trace side-channel attacks by Primas et al. in CHES 2017 and Pessl et al. in Latincrypt 2019 who demonstrated full key recovery from single traces on the ARM Cortex-M4 microcontroller. However, the cost of deploying suitable countermeasures to protect the NTT from these attacks on the same target platform has not yet been studied. In this work, we propose novel shuffling and masking countermeasures to protect the NTT from such single trace attacks. Firstly, we exploit arithmetic properties of twiddle constants used within the NTT computation to propose efficient and generic masking strategies for the NTT with configurable SCA resistance. Secondly, we also propose new variants of the shuffling countermeasure with varying granularity for the NTT. We perform a detailed comparative evaluation of the runtime performances for our proposed countermeasures within open source implementations of Kyber and Dilithium from the pqm4 library on the ARM Cortex-M4 microcontroller. Our proposed countermeasures yield a reasonable overhead in the range of 7%-78% across all procedures of Kyber, while the overheads are much more pronounced for Dilithium, ranging from 12%-197% for the key generation procedure and 32%-490% for the signing procedure.

Category / Keywords: implementation / Lattice-based cryptography, Side-Channel Attacks, Kyber, Dilithium, Shuffling, Masking, Number Theoretic Transform

Date: received 28 Aug 2020, last revised 29 Aug 2020

Contact author: PRASANNA RAVI at ntu edu sg

Available format(s): PDF | BibTeX Citation

Version: 20200829:080835 (All versions of this report)

Short URL: ia.cr/2020/1038


[ Cryptology ePrint archive ]