{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T01:54:46Z","timestamp":1773194086314,"version":"3.50.1"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","license":[{"start":{"date-parts":[[2021,11,19]],"date-time":"2021-11-19T00:00:00Z","timestamp":1637280000000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["TCHES"],"abstract":"<jats:p>Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW\/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k\/E:298k\/D:313k for Kyber and K:233k\/E:312k\/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k) and 2.60 for Saber (D:915k).<\/jats:p>","DOI":"10.46586\/tches.v2022.i1.414-460","type":"journal-article","created":{"date-parts":[[2021,11,19]],"date-time":"2021-11-19T13:43:05Z","timestamp":1637329385000},"page":"414-460","source":"Crossref","is-referenced-by-count":57,"title":["Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography"],"prefix":"10.46586","author":[{"given":"Tim","family":"Fritzmann","sequence":"first","affiliation":[]},{"given":"Michiel","family":"Van Beirendonck","sequence":"additional","affiliation":[]},{"given":"Debapriya","family":"Basu Roy","sequence":"additional","affiliation":[]},{"given":"Patrick","family":"Karl","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Schamberger","sequence":"additional","affiliation":[]},{"given":"Ingrid","family":"Verbauwhede","sequence":"additional","affiliation":[]},{"given":"Georg","family":"Sigl","sequence":"additional","affiliation":[]}],"member":"25480","published-online":{"date-parts":[[2021,11,19]]},"container-title":["IACR Transactions on Cryptographic Hardware and Embedded Systems"],"original-title":[],"link":[{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/9303\/8869","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/9303\/8869","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,11,19]],"date-time":"2021-11-19T13:43:07Z","timestamp":1637329387000},"score":1,"resource":{"primary":{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/view\/9303"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,19]]},"references-count":0,"URL":"https:\/\/doi.org\/10.46586\/tches.v2022.i1.414-460","relation":{},"ISSN":["2569-2925"],"issn-type":[{"value":"2569-2925","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,19]]}}}