How to Correctly and Securely Implement Post-Quantum Cryptographic Algorithms (cited by: 1)

Post-Quantum Cryptography—Having It Implemented Right


Authors: Sylvain Guilley; Youssef Souissi; ZHANG Fan; YANG Bo-Lin [5]

Affiliations: [1] Télécom-Paris, Institut Polytechnique de Paris, Paris, France; [2] Secure-IC, 75014 Paris, France; [3] College of Computer Science and Technology / School of Cyber Science and Technology, Zhejiang University, Hangzhou 310058, China; [4] Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Hangzhou 310058, China; [5] College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou 310058, China

Source: Journal of Cryptologic Research (密码学报), 2023, No. 3, pp. 650-666 (17 pages)

Funding: This work is partly financed via the National Key Research and Development Program of China (2020AAA0107700); National Natural Science Foundation of China (62227805, 62072398); SUTD-ZJU IDEA Grant for visiting professors (SUTD-ZJUVP201901); Alibaba-Zhejiang University Joint Institute of Frontier Technologies; National Key Laboratory of Science and Technology on Information System Security (6142111210301); State Key Laboratory of Mathematical Engineering and Advanced Computing; Key Laboratory of Cyberspace Situation Awareness of Henan Province (HNTS2022001); RISQ (http://risq.fr/) PIA Project; BRAINE Project from the European Union's Horizon 2020/ECSEL research and innovation program (No. 876967).

Abstract: Post-quantum cryptography (PQC) refers to novel requirements in asymmetric cryptography, namely key exchange, asymmetric encryption and digital signature. In PQC, the cryptographic computation shall resist not only attacks from classic computers, but also from quantum computers. Still, PQC algorithms are mathematical functions which are implemented conventionally (as software, hardware, etc.). Therefore, regular implementation-level attacks apply. In this paper, we list the challenges associated with the implementation of PQC, in particular vulnerabilities related to side-channel analyses. Some features in PQC, such as modular arithmetic in finite fields, inversions, non-uniform random number sampling, or decoding algorithms, are intrinsically hard to evaluate in constant time. First, we detail the detection and the prevention of leakage arising from conditional control flow and from conditional access to data structures. Second, we apply the same methodology to data leakage, in the situation where the manipulated data is randomly split into several shares (a protection known as "masking"). Conventional detection of vertical leakage is not appropriate in the presence of countermeasures such as masking. This paper shows that proper implementation of PQC requires knowledge of security evaluation and of secure coding. Owing to the large variety of PQC algorithms (key generation, encapsulation/decapsulation, signature verification/generation), classes (lattice-based, code-based, multivariate, etc.) and their configurations (key size, conforming to IND-CCA or IND-CPA security, etc.), generic methods shall be available. Those are overviewed in this paper, which is intended to provide readers with comprehensive coverage of secure code evaluation and design.

Keywords: post-quantum cryptographic algorithms; side-channel attacks; security evaluation

Classification code: TP309.7 [Automation and Computer Technology: Computer System Architecture]
