Transactions on Cryptographic Hardware and Embedded Systems, Volume 2021
Side-Channel Protections for Picnic Signatures
We provide two variants of Picnic3-L1 implementations:
* `opt`: a port of the optimized C implementation, compatible with the Picnic specification and modified to use less memory so that it fits in the available RAM of the STM32F4 (128KB).
* `masked`: the masked implementation designed and analyzed in the paper Side-Channel Protections for Picnic Signatures. It aims to provide first-order protection against probing side-channel attacks. See the paper for a description and analysis of the countermeasures. Modify the file `config.h` to select the masking approach (default is selective half-masking).
There are two possibilities to execute the implementations, both requiring the pqm4 framework. Copy the `crypto_sign/picnic3l1` folder inside `pqm4/crypto_sign`, and after that:
* For x64 platforms, use the `masked/` to build the corresponding version. Tests can be built and executed with `make kats` and by running the produced binary. Benchmarks can be executed after `make bench` by running the binary with instance number
* For ARM Cortex-M4, the whole `pqm4` functionality will be available (test, benchmarks, testvectors, etc.). We refer to `pqm4` for additional usage documentation.
Our formal verification scripts can be validated with maskVerif. Check the README inside `crypto_sign/picnic3l1/masked/formal_verification` for instructions.