
On Configurable SCA Countermeasures Against Single Trace Attacks for the NTT

A Performance Evaluation Study over Kyber and Dilithium on the ARM Cortex-M4

Conference paper in: Security, Privacy, and Applied Cryptography Engineering (SPACE 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12586)

Abstract

The Number Theoretic Transform (NTT) is a critical sub-block used in several structured lattice-based schemes, including Kyber and Dilithium, which are finalist candidates in NIST’s standardization process for post-quantum cryptography. The NTT was shown to be susceptible to single-trace side-channel attacks by Primas et al. at CHES 2017 and Pessl et al. at LATINCRYPT 2019, who demonstrated full key recovery from single traces on the ARM Cortex-M4 microcontroller. However, the cost of deploying suitable countermeasures to protect the NTT from these attacks on the same target platform has not yet been studied. In this work, we propose novel shuffling and masking countermeasures to protect the NTT from such single-trace attacks. Firstly, we exploit arithmetic properties of the twiddle constants used within the NTT computation to propose efficient and generic masking strategies for the NTT with configurable SCA resistance. Secondly, we propose new variants of the shuffling countermeasure with varying granularity for the NTT. We perform a detailed comparative evaluation of the runtime performance of our proposed countermeasures within the open-source implementations of Kyber and Dilithium from the pqm4 library on the ARM Cortex-M4 microcontroller. Our proposed countermeasures yield a reasonable runtime overhead in the range of 7%–78% across all procedures of Kyber, while the runtime overheads are much more pronounced for Dilithium, ranging from 12%–197% for the key generation procedure and 32%–490% for the signing procedure.
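To make the two countermeasure classes named in the abstract concrete, the following is an added example, not code from the paper or from pqm4. It implements the full 8-layer negacyclic NTT with Dilithium's parameters (q = 8380417, n = 256) in Python and adds (a) shuffling of the butterfly execution order at a configurable granularity, either whole twiddle blocks or individual butterflies, and (b) additive two-share masking, which works because the NTT is linear over Z_q. The masking shown is the textbook linear sharing (as in Reparaz et al., CHES 2015), not the twiddle-constant-based scheme the paper proposes, which is not reproduced here. The `granularity` option, the helper names, the root-of-unity search and the seeded PRNG are this example's own assumptions; a deployed implementation must draw its permutation and mask randomness from the microcontroller's TRNG.

```python
import random

# Dilithium parameters: q = 2^23 - 2^13 + 1, n = 256 (assumed for this example;
# Kyber uses q = 3329 with a 7-layer incomplete NTT, but the same shuffling and
# masking ideas apply).
Q = 8380417
N = 256
LOGN = N.bit_length() - 1  # 8 layers


def find_psi(q, n):
    """Find a primitive 2n-th root of unity psi mod q (psi^n == -1), which is
    what a negacyclic NTT over Z_q[x]/(x^n + 1) needs."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity mod q")


def bitrev(i, bits):
    """Bit-reverse an integer of the given width."""
    return int(format(i, f"0{bits}b")[::-1], 2)


PSI = find_psi(Q, N)
# Twiddle table stored in bit-reversed order, the layout used by the
# Kyber/Dilithium reference code so that each layer reads it sequentially.
ZETAS = [pow(PSI, bitrev(k, LOGN), Q) for k in range(N)]


def butterfly(a, j, length, zeta):
    """One Cooley-Tukey butterfly on the coefficient pair a[j], a[j+length]."""
    t = zeta * a[j + length] % Q
    a[j + length] = (a[j] - t) % Q
    a[j] = (a[j] + t) % Q


def ntt(a, rng=None, granularity="none"):
    """Forward NTT. granularity selects the shuffling countermeasure:
      'none'      - fixed butterfly order (unprotected reference order),
      'block'     - shuffle the order of the twiddle blocks inside each layer,
      'butterfly' - shuffle every individual butterfly inside each layer.
    Every order yields the same result because butterflies within one layer
    touch disjoint coefficient pairs; only the order a trace observes changes."""
    a = list(a)
    length, k = N // 2, 1
    while length >= 1:
        blocks = []
        for start in range(0, N, 2 * length):
            zeta = ZETAS[k]
            k += 1
            blocks.append([(j, zeta) for j in range(start, start + length)])
        if granularity == "block":
            rng.shuffle(blocks)
        ops = [op for blk in blocks for op in blk]
        if granularity == "butterfly":
            rng.shuffle(ops)
        for j, zeta in ops:
            butterfly(a, j, length, zeta)
        length //= 2
    return a


def ntt_masked(a, rng):
    """Additive masking: split a into two uniformly random shares, run the NTT
    on each share independently (here also shuffled), and recombine. Correct
    because the NTT is Z_q-linear: NTT(s0) + NTT(s1) = NTT(s0 + s1)."""
    share1 = [rng.randrange(Q) for _ in range(N)]
    share0 = [(x - r) % Q for x, r in zip(a, share1)]
    h0 = ntt(share0, rng, "butterfly")
    h1 = ntt(share1, rng, "butterfly")
    return [(x + y) % Q for x, y in zip(h0, h1)]


def ntt_reference(a):
    """Slow reference: output j is a(psi^(2*bitrev(j)+1)), evaluated by Horner.
    Used only to check that the fast, protected variants are still correct."""
    out = []
    for j in range(N):
        x = pow(PSI, 2 * bitrev(j, LOGN) + 1, Q)
        acc = 0
        for c in reversed(a):
            acc = (acc * x + c) % Q
        out.append(acc)
    return out


def demo(seed=2020):
    """Run every variant on one constructed random input; True if all agree."""
    rng = random.Random(seed)  # constructed seed for reproducibility only
    a = [rng.randrange(Q) for _ in range(N)]
    ref = ntt_reference(a)
    return (ntt(a) == ref
            and ntt(a, rng, "block") == ref
            and ntt(a, rng, "butterfly") == ref
            and ntt_masked(a, rng) == ref)


if __name__ == "__main__":
    print("all NTT variants agree with the reference:", demo())
```

The equality check in `demo` is the regression test to keep whenever a countermeasure is bolted onto an NTT: functional output must not change, while the per-operation order (shuffling) and the intermediate values (masking) seen by a single trace are randomized. Finer granularity costs more randomness and bookkeeping per layer, which is the trade-off the paper's runtime numbers quantify.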


References

  1. Reference Manual for STM32L47xxx, STM32L48xxx, STM32L49xxx and STM32L4Axxx advanced Arm-based 32-bit MCUs (2020)
  2. Alagic, G., et al.: Status report on the second round of the NIST PQC standardization process. NIST Technical Report (July 2020)
  3. Avanzi, R., et al.: CRYSTALS-Kyber (version 2.0): Algorithm Specifications and Supporting Documentation (April 1, 2019). Submission to the NIST post-quantum project (2019)
  4. Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 81–88. IEEE (2018)
  5. Botros, L., Kannwischer, M.J., Schwabe, P.: Memory-efficient high-speed implementation of Kyber on Cortex-M4. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 209–228. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_11
  6. Cook, S.: On the minimum computation time for multiplication. Doctoral dissertation, Harvard University, Cambridge, Mass. (1966)
  7. Cooley, J.W., Lewis, P.A., Welch, P.D.: Historical notes on the fast Fourier transform. Proc. IEEE 55(10), 1675–1677 (1967)
  8. Ducas, L., et al.: CRYSTALS-Dilithium: Algorithm Specifications and Supporting Documentation. Submission to the NIST post-quantum project (2020)
  9. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
  10. Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: Proceedings of the November 7–10, 1966, Fall Joint Computer Conference, pp. 563–578. ACM (1966)
  11. Grosso, V., Standaert, F.-X.: ASCA, SASCA and DPA with enumeration: which one beats the other and when? In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 291–312. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_12
  12. Guo, Q., Grosso, V., Standaert, F.-X., Bronchain, O.: Modeling soft analytical side-channel attacks from a coding theory viewpoint. IACR Trans. Cryptographic Hardw. Embedded Syst. (2020)
  13. Howe, J., Khalid, A., Rafferty, C., Regazzoni, F., O’Neill, M.: On practical discrete Gaussian samplers for lattice-based cryptography. IEEE Trans. Comput. (2016)
  14. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_9
  15. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: PQM4: Post-quantum crypto library for the ARM Cortex-M4. https://github.com/mupq/pqm4
  16. Karatsuba, A.: Multiplication of multidigit numbers on automata. Soviet Physics Doklady 7, 595–596 (1963)
  17. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4
  18. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
  19. Lyubashevsky, V., et al.: CRYSTALS-Dilithium. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  20. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)
  21. Nascimento, E., Chmielewski, Ł.: Applying horizontal clustering side-channel attacks on embedded ECC implementations. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 213–231. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_13
  22. Nascimento, E., Chmielewski, Ł., Oswald, D., Schwabe, P.: Attacking embedded ECC implementations through cmov side channels. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 99–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_6
  23. Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. IACR Trans. Cryptographic Hardw. Embedded Syst. 2018(1), 142–174 (2018)
  24. Pearl, J.: Fusion, propagation, and structuring in belief networks. Artif. Intell. 29(3), 241–288 (1986)
  25. Pessl, P., Primas, R.: More practical single-trace attacks on the number theoretic transform. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 130–149. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_7
  26. Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on 8-bit ATxmega microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 346–365. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_19
  27. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25
  28. Ravi, P., Roy, S.S., Chattopadhyay, A., Bhasin, S.: Generic side-channel attacks on CCA-secure lattice-based PKE and KEMs. IACR Trans. Cryptographic Hardw. Embedded Syst. 2020(3), 307–335 (2020)
  29. Reparaz, O., Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: A masked ring-LWE implementation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 683–702. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_34
  30. Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete Gaussian sampling. IACR Cryptology ePrint Archive 2014, 591 (2014)
  31. Saarinen, M.-J.O.: Arithmetic coding and blinding countermeasures for ring-LWE. IACR Cryptology ePrint Archive 2016, 276 (2016)
  32. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15
  33. Zijlstra, T., Bigou, K., Tisserand, A.: FPGA implementation and comparison of protections against SCAs for RLWE. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 535–555. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_27


Acknowledgment

The authors acknowledge the support from the Singapore National Research Foundation (“SOCure” grant NRF2018NCR-NCR002-0001 – www.green-ic.org/socure).

Author information

Corresponding author: Prasanna Ravi.

Appendices

A Stack Memory Consumption of Protected and Unprotected Implementations of Kyber and Dilithium

Table 5. Stack memory Consumption of our protected and unprotected implementations of Kyber and Dilithium across all parameter sets.

B Algorithmic Description of Kyber Encryption scheme and Dilithium Signature Scheme

(Figures g and h: pseudocode listings of the Kyber encryption scheme and the Dilithium signature scheme.)


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Ravi, P., Poussier, R., Bhasin, S., Chattopadhyay, A. (2020). On Configurable SCA Countermeasures Against Single Trace Attacks for the NTT. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2020. Lecture Notes in Computer Science, vol. 12586. Springer, Cham. https://doi.org/10.1007/978-3-030-66626-2_7

  • DOI: https://doi.org/10.1007/978-3-030-66626-2_7
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-66625-5
  • Online ISBN: 978-3-030-66626-2
  • eBook Packages: Computer Science (R0)
