Affiliation:
1. Information Engineering University, China
Abstract
Post-quantum cryptography (PQC) has become the most promising cryptographic scheme against the threat that quantum computing poses to conventional public-key cryptographic schemes. Saber, a finalist in the third round of the PQC standardization procedure, presents an appealing option for embedded systems due to its high encryption efficiency and accessibility. However, side-channel attacks (SCAs) can easily reveal confidential information by analyzing physical manifestations such as power consumption, and several works demonstrate that Saber is vulnerable to SCAs. In this work, a ciphertext comparison method for masked designs based on the bitslicing technique and a zero-test is proposed, which balances the trade-off between the performance and the security of comparing two arrays. The mathematical description of the proposed ciphertext comparison method is provided, and its correctness and security metrics are analyzed under the PINI notion. Moreover, a high-order masking approach based on the state of the art, including the hash functions, centered binomial sampling, masking conversions, and the proposed ciphertext comparison, is presented, using the bitslicing technique to improve throughput. As a proof of concept, the proposed implementation of Saber is realized on the ARM Cortex-M4. The performance results show that the runtime overhead factors of 1st-, 2nd-, and 3rd-order masking are 3.01×, 5.58×, and 8.68×, and the dynamic memory used for 1st-, 2nd-, and 3rd-order masking is 17.4kB, 24.0kB, and 30.2kB, respectively. The SCA-resilience evaluation results show that the 1st-order Test Vector Leakage Assessment (TVLA) fails to reveal the secret key with 100,000 traces.
Publisher
Association for Computing Machinery (ACM)
Subject
Electrical and Electronic Engineering, Computer Graphics and Computer-Aided Design, Computer Science Applications