Digital signature schemes based on multivariate- and code-based hard problems are promising alternatives to lattice-based signature schemes because of their smaller signature sizes. Accordingly, several candidates in NIST's ongoing additional standardization process for quantum-secure digital signature (DS) schemes rely on such alternative hard problems. Gaussian Elimination (GE) is a critical component of the signing procedure in these schemes. In this paper, we provide a masking scheme for GE with back substitution that defends against first- and higher-order attacks. To the best of our knowledge, this work is the first to analyze and propose masking techniques for multivariate- or code-based DS algorithms. We propose a masked algorithm for transforming a system of linear equations into row-echelon form. It relies on techniques for efficiently normalizing the leading (pivot) elements to one while avoiding costly conversions between Boolean and multiplicative masking at all orders. We also propose a technique for efficient masked back substitution, which in turn enables a secure unmasking of the public output. We evaluate the overhead of our countermeasure at first, second, and third order for several post-quantum candidates and their different security levels, including UOV, MAYO, SNOVA, QR-UOV, and MQ-Sign. Notably, for security levels III and V, the operational cost of first-, second-, and third-order masked GE in MAYO is 2.3x higher, and its randomness cost 1.2x higher, than in UOV. We also report detailed performance results for masked GE implementations of all three security versions of UOV on the Arm Cortex-M4 and compare them with the unmasked results. Our first-order implementations targeting UOV parameters have overheads of factor 6.5x, 5.9x, and 5.7x over the unprotected implementation for NIST security levels I, III, and V, respectively.
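To make the masking problem concrete, the following is an added illustration and not the paper's algorithm or code: a Boolean-masked (XOR-shared) Gaussian elimination with back substitution over GF(2^8), in which each pivot is normalized to one by multiplying its row with a masked inverse. The inverse is computed as x^254 through share-wise squarings (Frobenius is GF(2)-linear) and ISW multiplications, so the shares never leave Boolean form and no Boolean-to-multiplicative conversion is needed; this is the classic Rivain-Prouff construction, not the paper's gadgets. Assumptions: the AES reduction polynomial, a simple share refresh that is adequate at first order only, a constructed 3x3 sample system, and pivots that are all nonzero, so the masked pivot search and row swap that a real signing implementation needs are not shown. Solving runs at orders 1 to 3 and the unmasked output is checked against a plain reference solve.

```python
"""Boolean-masked Gaussian elimination with back substitution over GF(2^8).
Added example; assumptions: AES field polynomial, XOR shares, ISW multiply,
first-order-only refresh, nonzero pivots (no masked pivot search)."""
import functools
import operator
import secrets

POLY = 0x11B  # assumption: AES reduction polynomial x^8+x^4+x^3+x+1


def gf_mul(a, b):
    """Schoolbook GF(2^8) multiply (a real implementation would use a constant-time variant)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """Plain inverse a^254 by square-and-multiply (reference only; maps 0 to 0)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def mask(x, n):
    """Split x into n Boolean shares whose XOR is x (n = order + 1)."""
    s = [secrets.randbelow(256) for _ in range(n - 1)]
    return s + [x ^ functools.reduce(operator.xor, s, 0)]


def unmask(s):
    return functools.reduce(operator.xor, s, 0)


def refresh(a):
    """Re-randomise a sharing; this simple refresh is only adequate at first order."""
    out = list(a)
    for i in range(1, len(a)):
        r = secrets.randbelow(256)
        out[0] ^= r
        out[i] ^= r
    return out


def sec_add(a, b):
    """Addition is XOR, which is linear, so it acts share-wise with no randomness."""
    return [x ^ y for x, y in zip(a, b)]


def sec_sq(a):
    """Squaring is GF(2)-linear (Frobenius), so it is share-wise as well."""
    return [gf_mul(x, x) for x in a]


def sec_mul(a, b):
    """ISW multiplication of two Boolean sharings (fresh randomness per share pair)."""
    n = len(a)
    c = [gf_mul(a[i], b[i]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = secrets.randbelow(256)
            c[i] ^= r
            c[j] ^= (r ^ gf_mul(a[i], b[j])) ^ gf_mul(a[j], b[i])
    return c


def sec_inv(x):
    """Masked x^254 = x^-1 via the Rivain-Prouff chain: 7 share-wise squarings and
    4 ISW multiplications; the sharing stays Boolean throughout."""
    z = sec_sq(x)                 # x^2
    y = sec_mul(refresh(x), z)    # x^3
    w = sec_sq(sec_sq(y))         # x^12
    y = sec_mul(refresh(y), w)    # x^15
    for _ in range(4):
        y = sec_sq(y)             # x^240
    y = sec_mul(y, refresh(w))    # x^252
    return sec_mul(y, z)          # x^254


def masked_solve(rows):
    """rows: augmented matrix [A | b], n rows of n+1 Boolean sharings.
    Returns sharings of x. Assumes every pivot is nonzero (no masked pivot search)."""
    n = len(rows)
    m = [list(r) for r in rows]
    for k in range(n):                               # row-echelon form with unit pivots
        inv = sec_inv(m[k][k])
        m[k] = [sec_mul(inv, e) for e in m[k]]       # pivot row now has leading 1
        for i in range(k + 1, n):
            f = refresh(m[i][k])
            m[i] = [sec_add(e, sec_mul(f, p)) for e, p in zip(m[i], m[k])]
    x = [None] * n
    for i in range(n - 1, -1, -1):                   # masked back substitution
        acc = m[i][n]
        for j in range(i + 1, n):
            acc = sec_add(acc, sec_mul(m[i][j], x[j]))
        x[i] = acc
    return x


def plain_solve(rows):
    """Unmasked reference with the same elimination order; rejects zero pivots."""
    n = len(rows)
    m = [list(r) for r in rows]
    for k in range(n):
        if m[k][k] == 0:
            raise ValueError("zero pivot: this example has no pivot search")
        inv = gf_inv(m[k][k])
        m[k] = [gf_mul(inv, e) for e in m[k]]
        for i in range(k + 1, n):
            m[i] = [e ^ gf_mul(m[i][k], p) for e, p in zip(m[i], m[k])]
    x = [0] * n
    for i in range(n - 1, -1, -1):
        acc = m[i][n]
        for j in range(i + 1, n):
            acc ^= gf_mul(m[i][j], x[j])
        x[i] = acc
    return x


A_SAMPLE = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]  # constructed sample; pivots are nonzero
B_SAMPLE = [10, 20, 30]


def solve_and_check(order):
    """Solve the sample system with order+1 shares; True when the unmasked solution
    equals the plain one and satisfies A x = b."""
    aug = [row + [bi] for row, bi in zip(A_SAMPLE, B_SAMPLE)]
    plain = plain_solve(aug)
    shared = [[mask(v, order + 1) for v in row] for row in aug]
    x = [unmask(refresh(s)) for s in masked_solve(shared)]  # refresh, then unmask public output
    ok = x == plain
    for row, bi in zip(A_SAMPLE, B_SAMPLE):
        ok &= functools.reduce(operator.xor, (gf_mul(a, v) for a, v in zip(row, x)), 0) == bi
    return ok


if __name__ == "__main__":
    print(solve_and_check(1), solve_and_check(2), solve_and_check(3))
```

Two design points carry over to a real implementation. First, every row operation of the elimination is linear over GF(2), so it acts share-wise at zero randomness cost; the only gadgets that consume randomness are the ISW multiplications, which is why the masked inverse, with its four multiplications per pivot, dominates the randomness budget. Second, a sharing of zero fed to the inverse silently yields a sharing of zero, so a signing implementation must handle zero pivots with a masked conditional swap rather than rely on the plaintext check used here.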