Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography
| Field | Value |
|---|---|
| Main authors | Tim Fritzmann, Michiel Van Beirendonck, Debapriya Basu Roy, Patrick Karl, Thomas Schamberger, Ingrid Verbauwhede, Georg Sigl |
| Format | article |
| Language | EN |
| Published | Ruhr-Universität Bochum, 2021 |
| Subjects | Post-quantum cryptography; Kyber; Saber; masking; RISC-V; accelerators |
| Online access | https://doaj.org/article/3cfe8bdcb938402d9db6c5b9b93e3636 |
| Field | Value |
|---|---|
| id | oai:doaj.org-article:3cfe8bdcb938402d9db6c5b9b93e3636 |
| record_format | dspace |
| datestamp | 2021-11-19T14:36:08Z |
| DOI | 10.46586/tches.v2022.i1.414-460 |
| ISSN | 2569-2925 |
| date published | 2021-11-01T00:00:00Z |
| publisher URL | https://tches.iacr.org/index.php/TCHES/article/view/9303 |
| journal TOC | https://doaj.org/toc/2569-2925 |
| source | Transactions on Cryptographic Hardware and Embedded Systems, Vol 2022, Iss 1 (2021) |
| institution | DOAJ |
| collection | DOAJ |
| language | EN |
| topic | Post-quantum cryptography; Kyber; Saber; masking; RISC-V; accelerators; Computer engineering. Computer hardware (TK7885-7895); Information technology (T58.5-58.64) |
| description | Side-channel attacks can break mathematically secure cryptographic systems, leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k) and 2.60 for Saber (D:915k). |
| format | article |
| author | Tim Fritzmann; Michiel Van Beirendonck; Debapriya Basu Roy; Patrick Karl; Thomas Schamberger; Ingrid Verbauwhede; Georg Sigl |
| author_sort | Tim Fritzmann |
| title | Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography |
| title_sort | masked accelerators and instruction set extensions for post-quantum cryptography |
| publisher | Ruhr-Universität Bochum |
| publishDate | 2021 |
| url | https://doaj.org/article/3cfe8bdcb938402d9db6c5b9b93e3636 |