Gadget-based Masking of Streamlined NTRU Prime Decapsulation in Hardware

Georg Land, Adrian Marotzke, Jan Richter-Brockmann, T. Güneysu
Journal: IACR Transactions on Cryptographic Hardware and Embedded Systems
DOI: 10.46586/tches.v2024.i1.1-26 (https://doi.org/10.46586/tches.v2024.i1.1-26)
Published: 2023-12-04 (journal article)
Citation count: 0

Abstract

Streamlined NTRU Prime is a lattice-based Key Encapsulation Mechanism (KEM) that is, together with X25519, the default algorithm in OpenSSH 9. Based on lattice assumptions, it is assumed to be secure also against attackers with access to large-scale quantum computers. While Post-Quantum Cryptography (PQC) schemes have been subject to extensive research in recent years, challenges remain with respect to protection mechanisms against attackers that have additional side-channel information, such as the power consumption of a device processing secret data. As a countermeasure to such attacks, masking has been shown to be a promising and effective approach. For public-key schemes, including any recent PQC schemes, usually a mixture of Boolean and arithmetic techniques is applied on an algorithmic level. Our generic hardware implementation of Streamlined NTRU Prime decapsulation, however, follows an idea that until now was assumed to be efficiently applicable solely to symmetric cryptography: gadget-based masking. The hardware design is transformed into a secure implementation by replacing each gate with a composable secure gadget that operates on uniform random shares of secret values. In our work, we show the feasibility of applying this approach also to PQC schemes and present the first Public-Key Cryptography (PKC) implementation, pre- or post-quantum, masked with the gadget-based approach, considering several trade-offs and design choices. By the nature of gadget-based masking, the implementation can be instantiated at arbitrary masking order. We synthesize our implementation both for Artix-7 Field-Programmable Gate Arrays (FPGAs) and 45nm Application-Specific Integrated Circuits (ASICs), yielding practically feasible results regarding area, randomness requirement, and latency. We verify the side-channel security of our implementation using formal verification on the one hand, and practically using Test Vector Leakage Assessment (TVLA) on the other. Finally, we also analyze the applicability of our concept to Kyber and Dilithium, which will be standardized by the National Institute of Standards and Technology (NIST).