Paper 2022/058

First-Order Masked Kyber on ARM Cortex-M4

Daniel Heinz, Matthias J. Kannwischer, Georg Land, Thomas Pöppelmann, Peter Schwabe, and Daan Sprenkels


In this work, we present a fast and first-order secure Kyber implementation optimized for ARM Cortex-M4. Most notably, to our knowledge this is the first liberally-licensed open-source Cortex-M4 implementation of masked Kyber. The ongoing NIST standardization process for post-quantum cryptography and newly proposed side-channel attacks have increased the demand for side-channel analysis and countermeasures for the finalists. On the foundation of the commonly used PQM4 project, we make use of the previously presented optimizations for Kyber on a Cortex-M4 and further combine different ideas from various recent works to achieve a better performance and improve the security in comparison to the original implementations. We show our performance results for first-order secure implementations. Our masked Kyber768 decapsulation on the ARM Cortex-M4 requires only 2 978 441 cycles, including randomness generation from the internal RNG. We then practically verify our implementation by using the t-test methodology with 100 000 traces.

Available format(s)
Publication info
Preprint. MINOR revision.
Lattice Based CryptographyKyberSide-Channel AnalysisARM Cortex-M4
Contact author(s)
daniel heinz @ unibw de
thomas poeppelmann @ infineon com
matthias @ kannwischer eu
georg land @ ruhr-uni-bochum de
peter @ cryptojedi org
daan @ dsprenkels com
2022-01-18: received
Short URL
Creative Commons Attribution


      author = {Daniel Heinz and Matthias J.  Kannwischer and Georg Land and Thomas Pöppelmann and Peter Schwabe and Daan Sprenkels},
      title = {First-Order Masked Kyber on ARM Cortex-M4},
      howpublished = {Cryptology ePrint Archive, Paper 2022/058},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.