Masking is a well-known and provably secure countermeasure against side-channel attacks. However, due to additional redundant computations, integrating masking schemes is expensive in terms of performance. The performance overhead of integrating masking countermeasures is heavily influenced by the design choices of a cryptographic algorithm and is often not considered during the design phase. In this work, we deliberate on the effect of design choices on integrating masking techniques into lattice-based cryptography. We select Scabbard, a suite of three lattice-based post-quantum key-encapsulation mechanisms (KEMs), namely Florete, Espada, and Sable. We provide arbitrary-order masked implementations of all the constituent KEMs of the Scabbard suite by exploiting their specific design elements. We show that the masked implementations of Florete, Espada, and Sable outperform the masked implementations of Kyber in terms of speed for any masking order. Masked Florete exhibits a $73\%$, $71\%$, and $70\%$ performance improvement over masked Kyber for first-, second-, and third-order masking, respectively. Similarly, Espada exhibits $56\%$, $59\%$, and $60\%$ and Sable exhibits $75\%$, $74\%$, and $73\%$ enhanced performance for first-, second-, and third-order masking, respectively, compared to Kyber. Our results show that design decisions have a significant impact on the efficiency of integrating masking countermeasures into lattice-based cryptography.