Masking Kyber: First- and Higher-Order Implementations

In the final phase of post-quantum cryptography standardization effort, focus has been extended to include side-channel resistance candidates. While some schemes have already extensively analyzed in this regard, there is no such study yet finalist Kyber.In work, we demonstrate first completely masked implementation Kyber which protected against first- and higher-order attacks. To best our knowledge, results any secure key encapsulation mechanism algorithm. This realized by introducing two new techniques. First, propose a algorithm for one-bit compression operation. based on bit-sliced binary-search that can be applied prime moduli. Second, technique enables one compare uncompressed polynomials with compressed public polynomials. avoids costly masking ciphertext while being able instantiated at arbitrary orders.We show performance first-, second- third-order implementations Arm Cortex-M0+ Cortex-M4F. Notably, first-order decapsulation requires 3.1 million cycles factor 3.5 overhead compared unprotected optimized implementationin pqm4. We experimentally modules hardened attacks using 100 000 traces mechanically verify security fine-grained leakage model verification tool scVerif.