Cryptology ePrint Archive: Report 2021/479

Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Tim Fritzmann and Michiel Van Beirendonck and Debapriya Basu Roy and Patrick Karl and Thomas Schamberger and Ingrid Verbauwhede and Georg Sigl

Abstract: Side-channel attacks can break mathematically secure cryptographic systems, which makes them a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber that is suited to their different characteristics. Among other contributions, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on the NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing secure execution through RISC-V instruction set extensions. Our experimental results show a cycle count reduction factor of 3.18 for Kyber (K:245k/E:319k/D:339k) and 2.66 for Saber (K:229k/E:308k/D:347k) compared to the latest optimized ARM Cortex-M4 implementations. While Saber performs slightly better for key generation and encapsulation, Kyber has a slight performance advantage for decapsulation. The masking overhead for the first-order secure decapsulation operation, including randomness generation, is around 4.14 for Kyber (D:1403k) and 2.63 for Saber (D:915k).

Category / Keywords: public-key cryptography / Post-quantum cryptography, Kyber, Saber, masking, RISC-V, accelerators, instruction set extensions

Date: received 15 Apr 2021

Contact author: tim fritzmann at tum de


Version: 20210415:201027
