Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography

Authors

Abstract

Checking the equality of two arrays is a crucial building block of the Fujisaki-Okamoto transformation, and as such it is used in several post-quantum key encapsulation mechanisms, including Kyber and Saber. While this comparison operation is easy to perform in a black-box setting, it is hard to protect efficiently against side-channel attacks. For instance, the hash-based method by Oder et al. is limited to first-order masking, a higher-order method by Bache et al. was shown to be flawed, and a very recent higher-order technique by Bos et al. suffers in runtime. In this paper, we first demonstrate that the Bos et al. approach, and likely many similar techniques, succumb to a relatively simple side-channel collision attack. We can successfully recover a Kyber512 key using just 6000 traces. While this does not break the security claims of the masked comparison, it shows the need for more efficient higher-order methods. We then present a new masked comparison algorithm based on the (insecure) higher-order method of Bache et al. Our method is 4.2x, resp. 7.5x, faster than the method of Bos et al. for 2nd-, resp. 3rd-, order masking on the ARM Cortex-M4, and, unlike the method of Bache et al., takes ciphertext compression into account. We prove correctness and security, detail the algorithm, and provide performance numbers for 2nd- and 3rd-order implementations. Finally, we verify our implementation using the test vector leakage assessment (TVLA) methodology.

Similar resources

Lattice Based Cryptography for Beginners

The purpose of this lecture note is to introduce lattice-based cryptography, which is thought to be a cryptosystem of the post-quantum age. We have tried to give as many details as possible, especially for novices on the subject. Something may be trivial to an expert but not to a novice. Many fundamental problems about lattices are thought to be hard even against quantum computers, compared to factorizatio...

Lattice-Based Cryptography

In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quan...

A Statistical Model for Higher Order DPA on Masked Devices

A popular and effective countermeasure to protect block cipher implementations against differential power analysis (DPA) attacks is to mask the internal operations of the cryptographic algorithm with random numbers. While the masking technique resists first-order (univariate) DPA attacks, higher-order (multivariate) attacks have been able to break masked devices. In this paper, we formulate a st...

Towards practical lattice-based cryptography

Towards efficient lattice-based cryptography

One essential quest in cryptography is the search for hard instances of a given computational problem that is known to be hard in the worst-case. In lattice cryptography we are in the unique situation that we have found a way of picking random instances which are at least as hard as well-studied lattice problems in the worst-case. At the same time, no attack running in subexponential time is kn...

Journal

Journal title: IACR Transactions on Cryptographic Hardware and Embedded Systems

Year: 2022

ISSN: 2569-2925

DOI: https://doi.org/10.46586/tches.v2022.i2.115-139