Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework
Thibauld Feneuil, CryptoExperts (France)
Matthieu Rivain, CryptoExperts (France)
Auguste Warmé-Janville, CryptoExperts (France)
Abstract
Side-channel attacks pose significant threats to cryptographic implementations, which require the inclusion of countermeasures to mitigate these attacks. In this work, we study the masking of state-of-the-art post-quantum signatures based on the MPC-in-the-head paradigm. More precisely, we focus on the recent threshold-computation-in-the-head (TCitH) framework that applies to some NIST candidates of the post-quantum standardization process. We first provide an analysis of side-channel attack paths in the signature algorithms based on the TCitH framework. We then explain how to apply standard masking to achieve a -probing secure implementation of such schemes, with performance scaling in , for the masking order.
Our main contribution is to introduce different ways to tweak those signature schemes towards their masking friendliness. While the TCitH framework comes in two variants, the GGM variant and the Merkle tree variant, we introduce a specific tweak for each of these variants. These tweaks allow us to achieve complexities of and at the cost of non-constant signature size, caused by the inclusion of additional seeds in the signature. We also propose a third tweak that takes advantage of the threshold secret sharing used in TCitH. With the right choice of parameters, we show how, by design, some parts of the TCitH algorithms satisfy probing security without additional countermeasures. While this approach can substantially reduce the cost of masking in some part of the signature algorithm, it degrades the soundness of the core zero-knowledge proof, hence slightly increasing the size of the signature.
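The argument behind the third tweak, that a threshold secret sharing is by construction independent of the secret when fewer shares than the threshold are observed, can be checked exhaustively on a toy instance. The following Python snippet is an added illustration and not the authors' code: it uses Shamir sharing over the small prime field GF(7) (the constant P, the functions share, reconstruct, probe_distribution and leaks, and the parameters t=3, n=5 are all choices made here for the example; the fields and parameters of actual TCitH instances differ). It enumerates every sharing polynomial and compares the joint distribution of a fixed set of probed share positions across all secrets: with t-1 probed shares the distributions coincide, i.e. the probes reveal nothing, while t shares determine the secret.

```python
"""Threshold secret sharing as a built-in probing countermeasure (constructed example).

Shamir sharing over GF(P) with threshold t: the secret is the constant term of a
random polynomial of degree t-1 and share i is its evaluation at x=i.
"""
import itertools
import random
from collections import Counter

P = 7  # tiny prime so that all P**(t-1) sharing polynomials can be enumerated


def share(secret, t, n, coeffs=None, rng=random):
    """Return n shares [(x, f(x))] of `secret` with threshold t over GF(P).

    `coeffs` fixes the random coefficients a_1..a_{t-1}; if omitted they are drawn
    (with `random`, which is fine for an illustration but not for real keys).
    """
    if coeffs is None:
        coeffs = [rng.randrange(P) for _ in range(t - 1)]
    poly = [secret % P] + list(coeffs)  # f(x) = s + a_1 x + ... + a_{t-1} x^{t-1}
    return [
        (x, sum(c * pow(x, i, P) for i, c in enumerate(poly)) % P)
        for x in range(1, n + 1)
    ]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P); needs at least t shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def probe_distribution(secret, t, n, probed):
    """Joint distribution of the share values at positions `probed`,
    taken over every possible choice of the sharing randomness."""
    counts = Counter()
    for coeffs in itertools.product(range(P), repeat=t - 1):
        values = dict(share(secret, t, n, coeffs))
        counts[tuple(values[x] for x in probed)] += 1
    return counts


def leaks(t, n, probed):
    """True if an adversary probing positions `probed` can tell secrets apart,
    i.e. if the probe distribution depends on the secret."""
    base = probe_distribution(0, t, n, probed)
    return any(probe_distribution(s, t, n, probed) != base for s in range(1, P))


if __name__ == "__main__":
    t, n = 3, 5
    print("2 probes of a threshold-3 sharing leak:", leaks(t, n, (1, 2)))  # False
    print("3 probes of a threshold-3 sharing leak:", leaks(t, n, (1, 2, 3)))  # True
    s = 4
    print("reconstruct from 3 shares:", reconstruct(share(s, t, n)[:3]))  # 4
```

The same enumeration with probed=(1, 2, 3) shows where the free lunch ends: once the number of probes reaches the threshold, the probes pin down the polynomial and hence the secret, which is why the tweak ties the attainable probing order to the sharing threshold, and why raising that threshold has the soundness cost mentioned above.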
We analyze the complexity of the masked implementations of our tweaked TCitH signatures and provide benchmarks on a RISC-V platform with a built-in hash accelerator. We use a modular benchmarking approach, allowing us to estimate the performance of diverse signature instances with different tweaks and parameters. Our results illustrate how the different variants scale for an increasing masking order. For instance, for a masking order , we obtain signatures of around kB that run in second on the target RISC-V CPU with a MHz frequency. This is to be compared with the seconds required by the original signature scheme masked at the same order on the same platform. For a masking order , we obtain a signature of kB running in second, to be compared with seconds for the standard masked signature.
Finally, we discuss the extension of our techniques to signature schemes based on the VOLE-in-the-Head framework, which shares similarities with the GGM variant of TCitH. One key takeaway of our work is that the Merkle tree variant of TCitH is inherently more amenable to efficient masking than frameworks based on GGM trees, such as TCitH-GGM or VOLE-in-the-Head.
@misc{cryptoeprint:2025/520,
author = {Thibauld Feneuil and Matthieu Rivain and Auguste Warmé-Janville},
title = {Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/520},
year = {2025},
url = {https://eprint.iacr.org/2025/520}
}