2021
DOI: 10.46586/tches.v2021.i4.173-214
|View full text |Cite
|
Sign up to set email alerts
|

Masking Kyber: First- and Higher-Order Implementations

Abstract: In the final phase of the post-quantum cryptography standardization effort, the focus has been extended to include the side-channel resistance of the candidates. While some schemes have been already extensively analyzed in this regard, there is no such study yet of the finalist Kyber.In this work, we demonstrate the first completely masked implementation of Kyber which is protected against first- and higher-order attacks. To the best of our knowledge, this results in the first higher-order masked implementatio… Show more

Help me understand this report
View preprint versions

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1

Citation Types

0
20
0

Year Published

2021
2021
2023
2023

Publication Types

Select...
5
2
1

Relationship

0
8

Authors

Journals

citations
Cited by 49 publications
(20 citation statements)
references
References 23 publications
0
20
0
Order By: Relevance
“…We will show that bitslicing the A2B conversion gives a significant speedup and is essential to obtain an efficient implementation. Moreover, bitslicing is applied in the comparison implementation by D'Anvers et al [1] but not in the implementations by Bos et al [23] and Coron et al [2]. This makes comparing these results difficult.…”
Section: Implementation Aspectsmentioning
confidence: 99%
See 2 more Smart Citations
“…We will show that bitslicing the A2B conversion gives a significant speedup and is essential to obtain an efficient implementation. Moreover, bitslicing is applied in the comparison implementation by D'Anvers et al [1] but not in the implementations by Bos et al [23] and Coron et al [2]. This makes comparing these results difficult.…”
Section: Implementation Aspectsmentioning
confidence: 99%
“…Masked implementations of encryption standardization candidates were presented for Saber by Van Beirendonck et al [22] for first order, and later by Coron et al [2] for higher masking orders. A masked Kyber implementation for generic masking orders was introduced by Bos et al [23]. Fritzmann et al [24] optimized a masked implementation of Saber and Kyber using instruction set extensions.…”
mentioning
confidence: 99%
See 1 more Smart Citation
“…KYBER has fast key generation, encapsulation and decapsulation in software [33] (see Section 2.2.2). There have been several works on optimizing implementations of KYBER in both software and hardware, as well as in hybrid hardware/software settings [35,[40][41][42][43][44][45]80]. For high-speed FPGA implementations, [46] shows that in terms of speed and resource realization, KYBER is a leading performer for all operations: key generation, encapsulation and decapsulation (among the finalist lattice KEMs).…”
Section: Crystals-kybermentioning
confidence: 99%
“…Since the proposed attack constructs an intermediate value t, which is affected by only one coefficient of s j , and exploits it, masking [22], [50] can be secure against the proposed attack. However, substantial time and memory resources are needed because masking would not be appropriate for use in resourceconstrained IoT devices due to its high-performance overhead.…”
Section: Countermeasuresmentioning
confidence: 99%