Paper 2020/733

A Side-Channel Resistant Implementation of SABER

Michiel Van Beirendonck, Jan-Pieter D'Anvers, Angshuman Karmakar, Josep Balasch, and Ingrid Verbauwhede


The candidates for the NIST Post-Quantum Cryptography standardization have undergone extensive studies on efficiency and theoretical security, but research on their side-channel security is largely lacking. This remains a considerable obstacle for their real-world deployment, where side-channel security can be a critical requirement. This work describes a side-channel resistant instance of Saber, one of the lattice-based candidates, using masking as a countermeasure. Saber proves to be very efficient to mask due to two specific design choices: power-of-two moduli, and limited noise sampling of learning with rounding. A major challenge in masking lattice-based cryptosystems is the integration of bit-wise operations with arithmetic masking, requiring algorithms to securely convert between masked representations. The described design includes a novel primitive for masked logical shifting on arithmetic shares, as well as adapts an existing masked binomial sampler for Saber. An implementation is provided for an ARM Cortex-M4 microcontroller, and its side-channel resistance is experimentally demonstrated. The masked implementation features a 2.5x overhead factor, significantly lower than the 5.7x previously reported for a masked variant of NewHope. Masked key decapsulation requires less than 3,000,000 cycles on the Cortex-M4 and consumes less than 12kB of dynamic memory, making it suitable for deployment in embedded platforms. We have made our implementation available at

Available format(s)
Publication info
Published elsewhere. ACM JETC
Post-Quantum CryptographyMaskingSABERARM Cortex-M4
Contact author(s)
michiel vanbeirendonck @ esat kuleuven be
janpieter danvers @ esat kuleuven be
2021-11-25: last of 2 revisions
2020-06-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michiel Van Beirendonck and Jan-Pieter D'Anvers and Angshuman Karmakar and Josep Balasch and Ingrid Verbauwhede},
      title = {A Side-Channel Resistant Implementation of SABER},
      howpublished = {Cryptology ePrint Archive, Paper 2020/733},
      year = {2020},
      doi = {10.1145/3429983},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.