- Cryptography and Data Security
- Cryptographic Implementations and Security
- Coding theory and cryptography
- Cryptography and Residue Arithmetic
- Chaos-based Image/Signal Encryption
- Quantum Computing Algorithms and Architecture
- Security and Verification in Computing
- Power System Optimization and Stability
- Advanced Malware Detection Techniques
- Magnetic confinement fusion research
- Real-time simulation and control systems
- Physical Unclonable Functions (PUFs) and Hardware Security
- Privacy-Preserving Technologies in Data
- Parallel Computing and Optimization Techniques
- Radiation Effects in Electronics
- Advanced Data Storage Technologies
KU Leuven
2018-2024
IMEC
2020-2023
Imec the Netherlands
2019-2020
The candidates for the NIST Post-Quantum Cryptography standardization have undergone extensive studies on efficiency and theoretical security, but research on their side-channel security is largely lacking. This remains a considerable obstacle to real-world deployment, where side-channel security can be a critical requirement. This work describes a side-channel-resistant instance of Saber, one of the lattice-based candidates, using masking as a countermeasure. Saber proves to be very efficient due to two specific design choices: power-of-two...
In this work, we present a systematic study of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA) on structured lattice-based schemes, with a main focus on the Kyber Key Encapsulation Mechanism (KEM) and the Dilithium signature scheme, which are leading candidates in the NIST standardization process for Post-Quantum Cryptography (PQC). Through our study, we attempt to understand the underlying similarities and differences between existing attacks while classifying them into different categories. Given the wide variety...
In this work, we are concerned with the hardening of post-quantum key encapsulation mechanisms (KEM) against side-channel attacks, with a focus on the comparison operation required for the Fujisaki-Okamoto (FO) transform. We identify critical vulnerabilities in two proposals for masked comparison and successfully attack algorithms from TCHES 2018 and 2020. To do so, we use first-order attacks and show that the advertised security properties do not hold. Additionally, we break the higher-order secured scheme from 2020 using a collision attack, which does...
In this work, we propose generic and novel adaptations to the binary Plaintext-Checking (PC) oracle based side-channel attacks for Kyber KEM. These attacks operate in a chosen-ciphertext setting and are fairly easy to mount on a given target, as the attacker requires very minimal information about the target device. However, these attacks have an inherent disadvantage of requiring a few thousand traces to perform full key recovery. This is due to the fact that they typically work by recovering a single bit of the secret per query/trace. In this respect,...
While error correcting codes (ECC) have the potential to significantly reduce the failure probability of post-quantum schemes, they add an extra ECC decoding step to the algorithm. Even though this additional step does not compute directly on the secret key, it is susceptible to side-channel attacks. We show that if no precaution is taken, it is possible to use timing information to distinguish between ciphertexts that contain errors before decoding and those that do not, due to the variable execution time of the decoding step. We demonstrate that this can be used to break the IND-CCA security...
Checking the equality of two arrays is a crucial building block of the Fujisaki-Okamoto transformation, and as such it is used in several post-quantum key encapsulation mechanisms including Kyber and Saber. While this comparison operation is easy to perform in a black box setting, it is hard to efficiently protect against side-channel attacks. For instance, the hash-based method by Oder et al. is limited to first-order masking, the higher-order method by Bache et al. was shown to be flawed, and the very recent technique by Bos et al. suffers in runtime. In this paper, we first...
Fully Homomorphic Encryption (FHE) is a technique that allows computation on encrypted data. It has the potential to drastically change privacy considerations in the cloud, but high computational and memory overheads are preventing its broad adoption. TFHE, a promising Torus-based FHE scheme, heavily relies on bootstrapping, a noise-removal tool invoked after each logical/arithmetical operation.
Masked comparison is one of the most expensive operations in side-channel secure implementations of lattice-based post-quantum cryptography, especially for higher masking orders. First, we introduce two new masked comparison algorithms, which improve on the arithmetic method of D'Anvers et al. (2021) and the hybrid method of Coron et al., respectively. We then look into implementation-specific optimizations, and show that small, specific adaptations can have a significant impact on the overall performance. Finally, we implement various...
This study provides an overview of the current state of affairs of the standardization process for Post-Quantum Cryptography (PQC). It presents the 5 main families of PQ algorithms, viz. code-based, isogeny-based, hash-based, lattice-based and multivariate-based. It also describes the NIST Round 3 finalists for encryption and signature schemes, as well as the alternative candidate schemes. Given that the process will still run for a few years, the last chapter offers 2 proposals that system owners can implement now in order to protect the confidentiality...
In an effort to circumvent the high cost of standard countermeasures against side-channel attacks in post-quantum cryptography, some works have developed low-cost detection-based countermeasures. These try to detect maliciously generated input ciphertexts and react to them by discarding the ciphertext or the secret key. In this work, we take a look at two previously proposed countermeasures, the sanity check and the decapsulation failure check, and demonstrate successful attacks on these schemes. We show that the first countermeasure...
Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants, including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic-to-Boolean (A2B) mask conversion is the table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize at CHES 2012. In this work, we show both analytically...
Mersenne number schemes are a new strain of potentially quantum-safe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two such schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly. In this work we show that the information leaked from failing ciphertexts can be used to gain information about the secret key. We present an attack exploiting this to break the IND-CCA security of Ramstake....
Homomorphic encryption (HE) enables calculating on encrypted data, which makes it possible to perform privacy-preserving neural network inference. One disadvantage of this technique is that it is several orders of magnitude slower than calculation on unencrypted data. Neural networks are commonly trained using floating-point, while most homomorphic libraries calculate on integers, thus requiring a quantisation of the network. A straightforward approach would be to quantise to large integer sizes (e.g. 32 bit)...
Chosen ciphertext security for lattice based encryption schemes is generally achieved through a generic transformation such as the Fujisaki-Okamoto transformation. This method requires a full re-encryption of the plaintext during decapsulation, which typically dominates the cost of the latter procedure. In this work we show that it is possible to develop alternative transformations specifically designed for lattice based schemes. We propose two novel chosen ciphertext transformations, ETC1 and ETC2, in which the re-encryption is replaced by checking the error term of the input...