Paper 2024/114

Mask Conversions for d+1 shares in Hardware, with Application to Lattice-based PQC

Quinten Norga, COSIC, KU Leuven
Jan-Pieter D'Anvers, COSIC, KU Leuven
Suparna Kundu, COSIC, KU Leuven
Ingrid Verbauwhede, COSIC, KU Leuven
Abstract

The conversion between arithmetic and Boolean mask representations (A2B & B2A) is a crucial component for side-channel resistant implementations of lattice-based cryptography. In this paper, we present a first- and high-order masked, unified hardware implementation which can perform both A2B & B2A conversions. We optimize the operation on several layers of abstraction, applicable to any protection order. First, we propose novel higher-order algorithms for the secure addition and B2A operation. This is achieved through, among others, an improved method for repeated masked modular reduction and through the X2B operation, which can be viewed as a conversion from any type of additive masking to its Boolean representation. This allows for the removal of a full secure addition during B2A post-processing. Compared to prior work, our $B2A_q$ requires 51/46/45 % less fresh randomness at first through third protection order when implemented in software or hardware. Second, on the circuit level, we successfully introduce half-cycle data paths and demonstrate how careful, manual masking is a superior approach for masking highly non-linear operations and providing first- and high-order security. Our techniques significantly reduce the high latency and fresh randomness overhead typically introduced by glitch-resistant masking schemes and universally composable gadgets, including HPC3 by Knichel et al. presented at CCS 2022. Compared to state-of-the-art algorithms and masking techniques, our unified and high-throughput hardware implementation requires up to 89/84/86 % fewer clock cycles and 78/71/55 % fewer fresh random bits. We show detailed performance results for first-, second- and third-order protected implementations on FPGA. Our proposed algorithms are proven secure in the glitch-extended probing model and their implementations are validated via practical lab analysis using the TVLA methodology. We experimentally show that both our first- and second-order masked implementations are hardened against univariate and multivariate attacks using 100 million traces, for each mode of operation.
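To make the abstract's terminology concrete, the following added example (not code from the paper or from COSIC) shows the two share representations and a first-order Boolean-to-arithmetic conversion that never recombines the secret. The conversion implemented is Goubin's classic B2A (CHES 2001) for a power-of-two modulus $2^k$; it is not the paper's $B2A_q$ for a prime modulus $q$, nor a higher-order or glitch-resistant algorithm, and the X2B operation is not reproduced here. The share count, modulus and function names are assumptions chosen for illustration. A deliberately insecure "unmask-then-remask" conversion is included as a contrast: it produces the correct shares but computes the secret in the clear, which is exactly the leakage masking is meant to prevent.

```python
"""Added example: Boolean vs arithmetic masking and first-order B2A.

Representations for a k-bit secret x (two shares, i.e. d+1 = 2, first order):
  Boolean:    x = x_b ^ r          (XOR sharing)
  Arithmetic: x = x_a + r mod 2^k (additive sharing)
The modulus 2^k is an assumption of this example; the paper works modulo q.
"""
import random
import secrets

K = 16                 # assumed share width in bits
MASK = (1 << K) - 1    # reduction modulo 2^K


def bool_share(x: int, r: int) -> tuple[int, int]:
    """Boolean sharing of x with mask r: returns (x ^ r, r)."""
    return ((x ^ r) & MASK, r & MASK)


def bool_unshare(x_b: int, r: int) -> int:
    return (x_b ^ r) & MASK


def arith_share(x: int, r: int) -> tuple[int, int]:
    """Arithmetic sharing of x with mask r: returns (x - r mod 2^K, r)."""
    return ((x - r) & MASK, r & MASK)


def arith_unshare(x_a: int, r: int) -> int:
    return (x_a + r) & MASK


def naive_b2a(x_b: int, r: int) -> tuple[int, int]:
    """INSECURE reference: recombines x in the clear, then re-shares.

    Correct output, but the intermediate value `x` is the unmasked secret,
    so a first-order probe (or one power trace) on it recovers x.
    """
    x = bool_unshare(x_b, r)
    return arith_share(x, r)


def goubin_b2a(x_b: int, r: int, gamma: int) -> tuple[int, int]:
    """Goubin's first-order B2A (CHES 2001), modulo 2^K.

    Input:  Boolean shares (x_b, r) with x = x_b ^ r, and fresh random gamma.
    Output: arithmetic shares (a, r) with x = a + r mod 2^K.
    Every intermediate is masked by gamma or r, so no single value
    depends on x alone (first-order security in the classical probing model;
    glitches in hardware are NOT addressed by this algorithm).
    """
    t = (x_b ^ gamma) & MASK
    t = (t - gamma) & MASK
    t = (t ^ x_b) & MASK
    g = (gamma ^ r) & MASK
    a = (x_b ^ g) & MASK
    a = (a - g) & MASK
    a = (a ^ t) & MASK
    return a, r


def check_b2a(trials: int, seed: int) -> bool:
    """Exhaustively-seeded self-check: Goubin B2A and the naive conversion
    must agree with the unmasked secret for `trials` random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, r, gamma = (rng.getrandbits(K) for _ in range(3))
        x_b, r = bool_share(x, r)
        a, r2 = goubin_b2a(x_b, r, gamma)
        if r2 != r or arith_unshare(a, r) != x:
            return False
        a_naive, _ = naive_b2a(x_b, r)
        if a_naive != a:
            return False
    return True


if __name__ == "__main__":
    # Fresh randomness comes from the OS here; in hardware it is the PRNG/TRNG
    # output whose cost the paper counts in "fresh random bits".
    x = 0xBEEF
    r, gamma = secrets.randbelow(1 << K), secrets.randbelow(1 << K)
    x_b, r = bool_share(x, r)
    a, _ = goubin_b2a(x_b, r, gamma)
    print(f"x={x:#06x} boolean=({x_b:#06x}, {r:#06x}) "
          f"arith=({a:#06x}, {r:#06x}) recombined={arith_unshare(a, r):#06x}")
```

The converse direction (A2B) is considerably more expensive because the carry chain of the addition is non-linear over XOR, which is why the paper's hardware effort concentrates on the secure addition and on reducing the randomness it consumes; for a prime modulus $q$ the conversion additionally needs masked modular reduction, which this power-of-two example sidesteps entirely.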

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Post-Quantum Cryptography, Hardware, (Higher-Order) Masking, Side-Channel Analysis
Contact author(s)
quinten norga @ esat kuleuven be
janpieter danvers @ esat kuleuven be
suparna kundu @ esat kuleuven be
ingrid verbauwhede @ esat kuleuven be
History
2024-01-29: approved
2024-01-26: received
Short URL
https://ia.cr/2024/114
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/114,
      author = {Quinten Norga and Jan-Pieter D'Anvers and Suparna Kundu and Ingrid Verbauwhede},
      title = {Mask Conversions for d+1 shares in Hardware, with Application to Lattice-based PQC},
      howpublished = {Cryptology ePrint Archive, Paper 2024/114},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/114}},
      url = {https://eprint.iacr.org/2024/114}
}