Paper 2025/520

Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework

Thibauld Feneuil, CryptoExperts (France)
Matthieu Rivain, CryptoExperts (France)
Auguste Warmé-Janville, CryptoExperts (France)
Abstract

Side-channel attacks pose significant threats to cryptographic implementations, which require the inclusion of countermeasures to mitigate these attacks. In this work, we study the masking of state-of-the-art post-quantum signatures based on the MPC-in-the-head paradigm. More precisely, we focus on the recent threshold-computation-in-the-head (TCitH) framework that applies to some NIST candidates of the post-quantum standardization process. We first provide an analysis of side-channel attack paths in the signature algorithms based on the TCitH framework. We then explain how to apply standard masking to achieve a -probing secure implementation of such schemes, with performance scaling in , for the masking order. Our main contribution is to introduce different ways to tweak those signature schemes towards their masking friendliness. While the TCitH framework comes in two variants, the GGM variant and the Merkle tree variant, we introduce a specific tweak for each of these variants. These tweaks allow us to achieve complexities of and at the cost of non-constant signature size, caused by the inclusion of additional seeds in the signature. We also propose a third tweak that takes advantage of the threshold secret sharing used in TCitH. With the right choice of parameters, we show how, by design, some parts of the TCitH algorithms satisfy probing security without additional countermeasures. While this approach can substantially reduce the cost of masking in some parts of the signature algorithm, it degrades the soundness of the core zero-knowledge proof, hence slightly increasing the size of the signature. We analyze the complexity of the masked implementations of our tweaked TCitH signatures and provide benchmarks on a RISC-V platform with a built-in hash accelerator. We use a modular benchmarking approach, allowing us to estimate the performance of diverse signature instances with different tweaks and parameters.
Our results illustrate how the different variants scale for an increasing masking order. For instance, for a masking order , we obtain signatures of around kB that run in second on the target RISC-V CPU with a MHz frequency. This is to be compared with the seconds required by the original signature scheme masked at the same order on the same platform. For a masking order , we obtain a signature of kB running in second, to be compared with seconds for the standard masked signature. Finally, we discuss the extension of our techniques to signature schemes based on the VOLE-in-the-Head framework, which shares similarities with the GGM variant of TCitH. One key takeaway of our work is that the Merkle tree variant of TCitH is inherently more amenable to efficient masking than frameworks based on GGM trees, such as TCitH-GGM or VOLE-in-the-Head.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Masking, Post-quantum signatures, MPC-in-the-head, Zero-knowledge proofs, Side-channel analysis
Contact author(s)
thibauld feneuil @ cryptoexperts com
matthieu rivain @ cryptoexperts com
auguste warme-janville @ cryptoexperts com
History
2025-03-21: approved
2025-03-19: received
Short URL
https://ia.cr/2025/520
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/520,
      author = {Thibauld Feneuil and Matthieu Rivain and Auguste Warmé-Janville},
      title = {Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/520},
      year = {2025},
      url = {https://eprint.iacr.org/2025/520}
}