International Association for Cryptologic Research


Transactions on Cryptographic Hardware and Embedded Systems, Volume 2024

Gadget-based Masking of Streamlined NTRU Prime Decapsulation in Hardware


# Masked-SNTRUP

This is a gate-level masked implementation of Streamlined NTRU Prime, and is the code from the paper "Gadget-Based Masking of Streamlined NTRU Prime Decapsulation in Hardware", which is also available here 
The code is also available at

The contact author for this artifact is Adrian Marotzke (,

The top module is ntru_prime_top.vhd. While the port interface and top-level module contain signals and wires for other operations, only decapsulation for the parameter set sntrup761 is currently supported.

The masking degree of the design can be configured using the constant "shares" in the file constants.pkg.vhd (line 13).
All other constants should not be modified.

## Reproduction
To build and reproduce our FPGA benchmark numbers: 
- Install Vivado v2021.2 (64-bit). Other versions of Vivado should also work, but may have slightly different results.
- In Vivado, create a new project, with the "xc7a200tsbv484-3" FPGA as the target platform.
- Add ntru_prime_top.vhd, constants.pkg.vhd, data_type.pkg.vhd as well as all files in the folders sha_512, multiplication, misc, gadgets, encoding, decapsualtion as design files to the project.
- Add the constraints.xdc as a constraints file to the project.
- Set ntru_prime_top.vhd as the top-level module.
- In implementation run properties, enable opt_design, phys_opt_design and post-route phys_opt_design. All other synthesis and implementation options can be left as the default.
- The design can now be synthesized, with the number of shares set by the constant "shares" in the file constants.pkg.vhd (line 13). Vivado in general creates a large amount of warnings during synthesis; these can be ignored. However, critical warnings indicate a more significant issue, e.g., a missing file. For the steps above no critical warnings should occur.
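The build steps above as a Vivado Tcl batch script (an added example, not part of the artifact). It assumes it is run from the repository root with `vivado -mode batch -source build.tcl`, that the constant "shares" in constants.pkg.vhd has already been set, and that the folder names are spelled exactly as listed above; the project and report file names are constructed here.

```tcl
# Reproduce the FPGA synthesis of the masked sntrup761 decapsulation core.
# Assumptions: run from the repository root as
#   vivado -mode batch -source build.tcl
# with the constant "shares" in constants.pkg.vhd (line 13) already set to the
# desired number of shares before synthesis starts.
set proj_dir ./vivado_masked_sntrup   ;# constructed project directory name
set part     xc7a200tsbv484-3         ;# target FPGA named in the README

create_project masked_sntrup $proj_dir -part $part -force

# Top-level entity and the two package files
add_files -norecurse {ntru_prime_top.vhd constants.pkg.vhd data_type.pkg.vhd}

# Design folders; add_files descends into subfolders (e.g. gadgets/lib_v)
# unless -norecurse is given. Folder names are taken as listed in the README.
add_files {sha_512 multiplication misc gadgets encoding decapsualtion}

# Pin and timing constraints
add_files -fileset constrs_1 -norecurse constraints.xdc

set_property top ntru_prime_top [current_fileset]
update_compile_order -fileset sources_1

# Implementation options named in the README; everything else stays default.
set_property STEPS.OPT_DESIGN.IS_ENABLED                 true [get_runs impl_1]
set_property STEPS.PHYS_OPT_DESIGN.IS_ENABLED            true [get_runs impl_1]
set_property STEPS.POST_ROUTE_PHYS_OPT_DESIGN.IS_ENABLED true [get_runs impl_1]

launch_runs synth_1 -jobs 4
wait_on_run synth_1
launch_runs impl_1 -jobs 4
wait_on_run impl_1

# Area and timing numbers used for the FPGA benchmark comparison
open_run impl_1
report_utilization    -file $proj_dir/utilization.rpt
report_timing_summary -file $proj_dir/timing_summary.rpt
```

After the script finishes, the synthesis and implementation logs under the run directories should contain no CRITICAL WARNING messages; one usually points at a missing or mis-named source file.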

## Side-Channel Analysis

Please refer to Section 5.2 "Side-Channel Evaluation" in the paper on how to create a testbench setup for the practical SCA measurements and t-test, and on how to apply the Verica formal verification tool.

## Simulation

In order to simulate the design, use the testbench ./tb/tb_ntru_top_msk.vhd.
We recommend using the simulator in Vivado, but other HDL simulators should also work.
The simulation can take quite a long time: the design should run for 10 ms, so its simulation can take several hours. Depending on the system, you may need to replace the relative file paths of the stimulus files in line 143, line 169 and line 229 of ./tb/tb_ntru_top_msk.vhd with absolute file paths.
The stimulus data is gathered from the Known-Answer-Tests from the reference C implementation of NTRU Prime.
The testbench checks the decapsulation output for correctness, and raises a VHDL assertion failure on a mismatch.

## Caveats

We unfortunately cannot share the following artifacts:
- The original FPGA bitstream.
- The ASIC toolchain and ASIC synthesis scripts. However, as mentioned in the paper, we used the Nangate Opencell library.
- The FPGA harness used.

However, in order to reproduce the FPGA benchmark numbers, none of the above is needed.

## Acknowledgments

The HPC gadgets in the folder "gadgets/lib_v" are from

The Masked Sklansky Adder in the folder gadgets/hpc2-sklansky-adder-main is based on the work of Florian Bache and Tim Güneysu, and their paper "Boolean Masking for Arithmetic Additions at Arbitrary Order in Hardware".

This implementation is based on the Streamlined NTRU Prime implementation from the paper "Streamlined NTRU Prime on FPGA" by Bo-Yuan Peng, Adrian Marotzke, Ming-Han Tsai, Bo-Yin Yang and Ho-Lin Chen, which is available at and

The implementation of the SHA-512 hash function is originally based on the unmasked implementation from