Paper 2023/1220
Quasilinear Masking to Protect ML-KEM Against Both SCA and FIA
Abstract
The recent technological advances in Post-Quantum Cryptography (PQC) raise the question of robust implementations of new asymmetric cryptography primitives in today's technology. This is the case for the lattice-based Module Lattice-Key Encapsulation Mechanism (ML-KEM) algorithm, which is proposed by the National Institute of Standards and Technology (NIST) as the first standard for Key Encapsulation Mechanism (KEM), taking inspiration from CRYSTALS-Kyber. We must ensure that the ML-KEM implementation is resilient against physical attacks like Side-Channel Analysis (SCA) and Fault Injection Attacks (FIA). To reach this goal, we propose to adapt a masking countermeasure, more precisely the generic Direct Sum Masking method (DSM). We extend previous results from a paper using Reed-Solomon codes on AES for Code-Based Masking (CBM). This work presents a complete masked implementation of ML-KEM with both SCA and FIA resilience thanks to the error-correcting capabilities of Code-Based Masking. Due to the structure of this masking, we propose new generic solutions to address the non-linear parts of ML-KEM, with algorithmic optimizations. To do so, we develop a new conversion methodology between boolean and arithmetic Code-Based Maskings in the specific case of ML-KEM. Performance on a laptop as well as on a SAM4S microcontroller is detailed. Security is experimentally verified by performing a Test Vector Leakage Assessment (TVLA) on a SAM4S target thanks to a ChipWhisperer Husky. We also provide formal proofs of security in the SNI model.
Note: Revision 3: Added an estimation of formal security within the SNI model and Welch t-tests, as well as performance results on a SAM4S platform.
Metadata
- Available format(s)
- Publication info
- Preprint.
- Keywords
- Post-Quantum Cryptography, ML-KEM, Side Channel Analysis, Fault Injection Attack, Code Based Masking, Conversion
- Contact author(s)
- berthet @ telecom-paris fr
- yoan rougeolle @ hensoldt net
- cedric tavernier @ hensoldt net
- jean-luc danger @ telecom-paris fr
- laurent sauvage @ telecom-paris fr
- History
- 2024-10-15: last of 3 revisions
- 2023-08-11: received
- Short URL
- https://ia.cr/2023/1220
- License
- CC BY
BibTeX
@misc{cryptoeprint:2023/1220,
  author = {Pierre-Augustin Berthet and Yoan Rougeolle and Cédric Tavernier and Jean-Luc Danger and Laurent Sauvage},
  title = {Quasilinear Masking to Protect {ML}-{KEM} Against Both {SCA} and {FIA}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/1220},
  year = {2023},
  url = {https://eprint.iacr.org/2023/1220}
}