
Post-Quantum Cryptography--Having It Implemented Right.

Authors :
Guilley, Sylvain
Souissi, Youssef
ZHANG Fan
YANG Bo-Lin
Source :
Journal of Cryptologic Research (2095-7025); 2023, Vol. 10 Issue 3, p659-666, 17p
Publication Year :
2023

Abstract

Post-quantum cryptography (PQC) refers to novel requirements in asymmetric cryptography, namely key exchange, asymmetric encryption and digital signature. In PQC, the cryptographic computation shall resist not only attacks from classical computers, but also from quantum computers. Still, PQC algorithms are mathematical functions which are implemented conventionally (as software, hardware, etc.). Therefore, regular implementation-level attacks apply. In this paper, we list the challenges associated with the implementation of PQC, in particular vulnerabilities related to side-channel analyses. Some features in PQC, such as modular arithmetic in finite fields, inversions, non-uniform random number sampling, or decoding algorithms, are intrinsically hard to evaluate in constant time. First, we detail the detection and the prevention of leakage arising from conditional control flow and from conditional access to data structures. Second, we apply the same methodology to data leakage, in the situation where the manipulated data is randomly split into several shares (a protection known as "masking"). Conventional detection of vertical leakage is not appropriate in the presence of countermeasures such as masking. This paper shows that proper implementation of PQC requires knowledge of security evaluation and of secure coding. Owing to the large variety of PQC algorithms (key generation, encapsulation/decapsulation, signature verification/generation), classes (lattice-based, code-based, multivariate, etc.) and their configurations (key size, conforming to IND-CCA or IND-CPA security, etc.), generic methods shall be available. Those are overviewed in this paper, which is intended to provide the readers with a comprehensive coverage of secure code evaluation and design. [ABSTRACT FROM AUTHOR]
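Added example, not code from the paper or its authors, to make the abstract's two leakage classes and its masking remark concrete in C, the language most PQC reference implementations are written in. It shows a secret-dependent branch (the conditional subtraction that follows modular arithmetic) and a secret-indexed memory access (a table lookup), each next to a branch-free, access-pattern-independent form, and then first-order arithmetic masking of a coefficient into two shares with a linear operation applied share-wise. The modulus Q = 3329, the eight-entry table, the inputs and the mask value r are constructed sample values, and all function names are my own; the randomness for r is passed in as a parameter so the example is deterministic, whereas a real implementation must draw it from a CSPRNG.

```c
/* Added example, not code from the paper or its authors. Illustrative values only:
 * Q, the sample table, the inputs and the mask r are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define Q 3329u   /* illustrative prime modulus; coefficients arrive in [0, 2Q) */

/* ---- 1. Conditional subtraction: map a in [0, 2Q) to [0, Q) ---------------- */

/* Leaky: whether the branch is taken depends on the secret coefficient a,
 * so timing and branch-predictor state reveal a >= Q. */
uint16_t csubq_leaky(uint16_t a)
{
    if (a >= Q)
        a -= Q;
    return a;
}

/* Constant-time: always subtract, then add Q back under a mask derived from
 * the borrow (top bit of the wrapped result). Same result, no branch. */
uint16_t csubq_ct(uint16_t a)
{
    a = (uint16_t)(a - Q);                                 /* wraps when a < Q */
    uint16_t mask = (uint16_t)(0u - (uint16_t)(a >> 15));  /* 0xFFFF iff wrapped */
    return (uint16_t)(a + (mask & Q));
}

/* ---- 2. Table lookup at a secret index ------------------------------------- */

static const uint8_t sample_table[8] = {0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5};

/* Leaky: the load address depends on idx, visible through the data cache even
 * though no branch is executed. */
uint8_t lookup_leaky(const uint8_t *table, size_t n, size_t idx)
{
    (void)n;
    return table[idx];
}

/* 0xFF when a == b, 0x00 otherwise, computed without a branch. */
uint8_t ct_eq_mask(size_t a, size_t b)
{
    uint64_t d = (uint64_t)(a ^ b);
    uint64_t nonzero = (d | (0u - d)) >> 63;  /* 1 if d != 0, else 0 */
    return (uint8_t)(nonzero - 1);            /* 0x00 if d != 0, 0xFF if d == 0 */
}

/* Constant-time: read every entry and keep the wanted one under a mask, so the
 * memory access pattern is the same for every idx. */
uint8_t lookup_ct(const uint8_t *table, size_t n, size_t idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++)
        out |= (uint8_t)(table[i] & ct_eq_mask(i, idx));
    return out;
}

/* ---- 3. First-order arithmetic masking mod Q ------------------------------- */

typedef struct { uint16_t s0, s1; } shares_t;   /* invariant: x == (s0 + s1) mod Q */

/* Split x into two shares. r stands in for a fresh uniform value in [0, Q) that a
 * real implementation must take from a CSPRNG; it is a parameter here so the
 * example is deterministic. */
shares_t mask_split(uint16_t x, uint16_t r)
{
    shares_t sh;
    sh.s0 = (uint16_t)(r % Q);
    sh.s1 = (uint16_t)((x + Q - sh.s0) % Q);
    return sh;
}

/* y = c*x + k for public c, k, computed share-wise: x is never reassembled.
 * Each share on its own is uniform, which is why a first-order (vertical)
 * leakage test on either share shows no dependence on x. */
shares_t masked_affine(shares_t sh, uint16_t c, uint16_t k)
{
    shares_t out;
    out.s0 = (uint16_t)(((uint32_t)c * sh.s0 + k) % Q);
    out.s1 = (uint16_t)(((uint32_t)c * sh.s1) % Q);
    return out;
}

uint16_t unmask(shares_t sh)
{
    return (uint16_t)((sh.s0 + sh.s1) % Q);
}

int main(void)
{
    printf("csubq(5000): leaky=%u ct=%u\n",
           (unsigned)csubq_leaky(5000), (unsigned)csubq_ct(5000));
    printf("lookup[5]:   leaky=%u ct=%u\n",
           (unsigned)lookup_leaky(sample_table, 8, 5), (unsigned)lookup_ct(sample_table, 8, 5));
    shares_t sh = mask_split(1234, 777);                 /* constructed inputs */
    printf("unmask(3*x+5) = %u, direct = %u\n",
           (unsigned)unmask(masked_affine(sh, 3, 5)), (unsigned)((3u * 1234 + 5) % Q));
    return 0;
}
```

Two checks a reviewer would insist on before calling the `_ct` versions constant-time: the `% Q` operations rely on the compiler turning division by a constant into a multiply-and-shift sequence, which is the usual outcome but has to be confirmed in the generated assembly, since a hardware divide with operand-dependent latency is exactly the modular-arithmetic pitfall the abstract flags; and branch-freedom in C source is no guarantee that the compiler keeps the binary branch-free, so the evidence comes from inspecting the object code or running a leakage-detection tool on it, not from reading the source. On the masking side, the point of the last section is the one the abstract makes about detection: because each share is uniformly distributed, a first-order vertical test on either share reports nothing, and a meaningful evaluation has to combine the leakage of both shares (a second-order test) or be performed with the masking switched off.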

Details

Language :
English
ISSN :
20957025
Volume :
10
Issue :
3
Database :
Complementary Index
Journal :
Journal of Cryptologic Research (2095-7025)
Publication Type :
Academic Journal
Accession number :
172300691
Full Text :
https://doi.org/10.13868/j.cnki.jcr.000624