WrapQ: Side-Channel Secure Key Management for Post-quantum Cryptography | SpringerLink
Skip to main content
Springer Nature Link
Log in

WrapQ: Side-Channel Secure Key Management for Post-quantum Cryptography

  • Conference paper
  • First Online:
Post-Quantum Cryptography (PQCrypto 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14154))

Included in the following conference series:

  • 980 Accesses

Abstract

Transition to PQC brings complex challenges to builders of secure cryptographic hardware. PQC keys usually need to be stored off-module and protected via symmetric encryption and message authentication codes. Only a short, symmetric Key-Encrypting Key (KEK) can be managed on-chip with trusted non-volatile key storage. For secure use, PQC key material is handled in masked format; as randomized shares. Due to the masked encoding of the key material, algorithm-specific techniques are needed to protect the side-channel security of the PQC key import and export processes.

In this work, we study key handling techniques used in real-life secure Kyber and Dilithium hardware. We describe WrapQ, a masking-friendly key-wrapping mechanism designed for lattice cryptography. On a high level, WrapQ protects the integrity and confidentiality of key material and allows keys to be stored outside the main security boundary of the module. Significantly, its wrapping and unwrapping processes minimize side-channel leakage from the KEK integrity/authentication keys as well as the masked Kyber or Dilithium key material payload.

We demonstrate that masked Kyber or Dilithium private keys can be managed in a leakage-free fashion from a compact WrapQ format without updating its encoding in non-volatile (or read-only) memory. WrapQ has been implemented in a side-channel secure hardware module. Kyber and Dilithium wrapping and unwrapping functions were validated with 100K traces of ISO 17825/TVLA-type leakage assessment.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 11210
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 14013
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The size of tr is 256 bits in Dilithium 3.1 [5]. It may change to 512 bits in a future revision of Dilithium [31].

References

  1. Alagic, G., et al.: Status report on the third round of the NIST post-quantum cryptography standardization process. Interagency or internal report, National Institute of Standards and Technology (2022). https://doi.org/10.6028/NIST.IR.8413-upd1. https://csrc.nist.gov/publications/detail/nistir/8413/final

  2. Alioto, M., Bongiovanni, S., Djukanovic, M., Scotti, G., Trifiletti, A.: Effectiveness of leakage power analysis attacks on DPA-resistant logic styles under process variations. IEEE Trans. Circ. Syst. I Regul. Pap. 61(2), 429–442 (2014). https://doi.org/10.1109/TCSI.2013.2278350

    Article  Google Scholar 

  3. Avanzi, R., et al.: CRYSTALS-Kyber: algorithm specifications and supporting documentation (version 3.02). NIST PQC Project, 3rd Round Submission Update (2021). https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf

  4. Azouaoui, M., et al.: Leveling Dilithium against leakage: revisited sensitivity analysis and improved implementations. Cryptology ePrint Archive, Paper 2022/1406 (2022). https://eprint.iacr.org/2022/1406. Fourth PQC Standardization Conference, NIST (Virtual) 29 November–1 December 2022

  5. Bai, S., et al.: CRYSTALS-Dilithium: algorithm specifications and supporting documentation (version 3.1). NIST PQC Project, 3rd Round Submission Update (2021). https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf

  6. Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) CCS 2016: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 116–129. ACM (2016). https://doi.org/10.1145/2976749.2978427. http://dl.acm.org/citation.cfm?id=2976749

  7. Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_12. https://eprint.iacr.org/2018/381

  8. Becker, G., et al.: Test vector leakage assessment (TVLA) methodology in practice. Presented at International Cryptography Module Conference - ICMC 2013 (2013)

    Google Scholar 

  9. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x

    Article  MathSciNet  MATH  Google Scholar 

  10. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Building power analysis resistant implementations of Keccak (2010). https://csrc.nist.gov/Events/2010/The-Second-SHA-3-Candidate-Conference

  11. Bos, J.W., Gourjon, M., Renes, J., Schneider, T., van Vredendaal, C.: Masking kyber: first- and higher-order implementations. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(4), 173–214 (2021). https://doi.org/10.46586/tches.v2021.i4.173-214

    Article  Google Scholar 

  12. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener [39], pp. 398–412. https://doi.org/10.1007/3-540-48405-1_26

  13. Daemen, J.: Changing of the guards: a simple and efficient method for achieving uniformity in threshold sharing. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 137–153. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_7

    Chapter  Google Scholar 

  14. Ding, A.A., Zhang, L., Durvaux, F., Standaert, F.-X., Fei, Y.: Towards sound and optimal leakage detection procedure. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 105–122. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_7

    Chapter  Google Scholar 

  15. Dworkin, M.: Recommendation for block cipher modes of operation: methods for key wrapping. NIST Special Publication SP 800-38F (2012). https://doi.org/10.6028/NIST.SP.800-38F

  16. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. CMVP & AIST Non-Invasive Attack Testing Workshop (NIAT 2011) (2011). https://csrc.nist.gov/csrc/media/events/non-invasive-attack-testing-workshop/documents/08_goodwill.pdf

  17. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_3

    Chapter  Google Scholar 

  18. Heinz, D., Kannwischer, M.J., Land, G., Pöppelmann, T., Schwabe, P., Sprenkels, D.: First-order masked Kyber on ARM Cortex-M4. IACR ePrint 2022/058 (2022). https://eprint.iacr.org/2022/058

  19. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

    Chapter  Google Scholar 

  20. ISO: Information technology - security techniques - security requirements for cryptographic modules. Standard ISO/IEC WD 19790:2022(E), International Organization for Standardization (2022)

    Google Scholar 

  21. ISO: Information technology - security techniques - testing methods for the mitigation of non-invasive attack classes against cryptographic modules. Draft International Standard ISO/IEC DIS 17825:2022(E), International Organization for Standardization (2023)

    Google Scholar 

  22. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

    Chapter  Google Scholar 

  23. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener [39], pp. 388–397. https://doi.org/10.1007/3-540-48405-1_25

  24. Menhorn, N.: External secure storage using the PUF. Application Note: Zynq UltraScale+ Devices, XAPP1333 (v1.2) (2022). https://docs.xilinx.com/r/en-US/xapp1333-external-storage-puf

  25. Microsoft: Bring your own key specification. Online documentation: Azure Key Vault/Microsoft Learn (2022). https://learn.microsoft.com/en-us/azure/key-vault/keys/byok-specification. Accessed 12 Oct 2022

  26. Migliore, V., Gérard, B., Tibouchi, M., Fouque, P.-A.: Masking Dilithium. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 344–362. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_17

    Chapter  MATH  Google Scholar 

  27. Moriarty, K.M., Nystrom, M., Parkinson, S., Rusch, A., Scott, M.: PKCS #12: personal information exchange syntax v1.1. IETF RFC 7292 (2014). https://doi.org/10.17487/RFC7292

  28. NIST: SHA-3 standard: permutation-based hash and extendable-output functions. Federal Information Processing Standards Publication FIPS 202 (2015). https://doi.org/10.6028/NIST.FIPS.202

  29. NIST: Security requirements for cryptographic modules. Federal Information Processing Standards Publication FIPS 140-3 (2019). https://doi.org/10.6028/NIST.FIPS.140-3

  30. NSA: Announcing the commercial national security algorithm suite 2.0. National Security Agency, Cybersecurity Advisory (2022). https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

  31. Perlner, R.: Planned changes to the Dilithium spec. Posting on PQC Forum (2023). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/3pBJsYjfRw4/m/GjJ2icQkAQAJ

  32. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_9

    Chapter  Google Scholar 

  33. Quisquater, J.-J., Samyde, D.: ElectroMagnetic Analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45418-7_17

    Chapter  MATH  Google Scholar 

  34. Rambus: Test vector leakage assessment (TVLA) derived test requirements (DTR) with AES. Rambus CRI Technical Note (2015). https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf

  35. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_28

    Chapter  Google Scholar 

  36. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002, pp. 98–107. ACM (2002). https://doi.org/10.1145/586110.586125. http://dl.acm.org/citation.cfm?id=586110

  37. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

    Chapter  Google Scholar 

  38. Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_25

    Chapter  Google Scholar 

  39. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1

    Book  MATH  Google Scholar 

Download references

Acknowledgments

The author wishes to thank Ben Marshall for running the leakage assessment tests and Oussama Danba and Kevin Law for helping to make the FPGA test target operational. Further thanks to Thomas Prest, Rafael del Pino, and Melissa Rossi for the technical and theoretical discussions. The author is to blame for all errors and omissions.

Author information

Authors and Affiliations

  1. PQShield Ltd., Oxford, UK

    Markku-Juhani O. Saarinen

  2. Tampere University, Tampere, Finland

    Markku-Juhani O. Saarinen

Authors
  1. Markku-Juhani O. Saarinen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Markku-Juhani O. Saarinen .

Editor information

Editors and Affiliations

  1. Lund University, Lund, Sweden

    Thomas Johansson

  2. National Institute of Standards and Technology, Gaithersburg, MD, USA

    Daniel Smith-Tone

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Saarinen, MJ.O. (2023). WrapQ: Side-Channel Secure Key Management for Post-quantum Cryptography. In: Johansson, T., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2023. Lecture Notes in Computer Science, vol 14154. Springer, Cham. https://doi.org/10.1007/978-3-031-40003-2_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-40003-2_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40002-5

  • Online ISBN: 978-3-031-40003-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation