Paper 2023/1220

Quasilinear Masking to Protect ML-KEM Against Both SCA and FIA

Pierre-Augustin Berthet, Télécom Paris, Hensoldt SAS France
Yoan Rougeolle, Hensoldt SAS France
Cédric Tavernier, Hensoldt SAS France
Jean-Luc Danger, Télécom Paris
Laurent Sauvage, Télécom Paris
Abstract

The recent technological advances in Post-Quantum Cryptography (PQC) raise the question of robust implementations of new asymmetric cryptography primitives in today's technology. This is the case for the lattice-based Module Lattice-Key Encapsulation Mechanism (ML-KEM) algorithm, which is proposed by the National Institute of Standards and Technology (NIST) as the first standard for Key Encapsulation Mechanism (KEM), taking inspiration from CRYSTALS-Kyber. We must ensure that the ML-KEM implementation is resilient against physical attacks like Side-Channel Analysis (SCA) and Fault Injection Attacks (FIA). To reach this goal, we propose to adapt a masking countermeasure, more precisely the generic Direct Sum Masking method (DSM). We extend previous results from a paper using Reed-Solomon codes on AES for Code-Based Masking (CBM). This work presents a complete masked implementation of ML-KEM with both SCA and FIA resilience thanks to the error-correcting capabilities of Code-Based Masking. Due to the structure of this masking, we propose new generic solutions to address the non-linear parts of ML-KEM, with algorithmic optimizations. To do so, we develop a new conversion methodology between boolean and arithmetic Code-Based Maskings in the specific case of ML-KEM. Performance figures on a laptop as well as on a SAM4S microcontroller are detailed. Security is experimentally verified by performing a Test Vector Leakage Assessment (TVLA) on a SAM4S target using a ChipWhisperer Husky. We also provide formal proofs of security in the SNI model.

Note: Revision 3: Added an estimation of formal security within the SNI model and Welch t-tests, as well as performance figures on a SAM4S platform.

Metadata
Available format(s)
PDF
Publication info
Preprint.
Keywords
Post-Quantum Cryptography, ML-KEM, Side Channel Analysis, Fault Injection Attack, Code Based Masking, Conversion
Contact author(s)
berthet @ telecom-paris fr
yoan rougeolle @ hensoldt net
cedric tavernier @ hensoldt net
jean-luc danger @ telecom-paris fr
laurent sauvage @ telecom-paris fr
History
2024-10-15: last of 3 revisions
2023-08-11: received
Short URL
https://ia.cr/2023/1220
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1220,
      author = {Pierre-Augustin Berthet and Yoan Rougeolle and Cédric Tavernier and Jean-Luc Danger and Laurent Sauvage},
      title = {Quasilinear Masking to Protect {ML}-{KEM} Against Both {SCA} and {FIA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1220},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1220}
}