Physical attacks such as Side-Channel Analysis (SCA) or Fault Injection Attacks (FIA) can recover sensitive data from cryptographic primitives that are otherwise thought to be theoretically secure. To counter such threats, generic countermeasures such as masking are studied. In this work, we provide some advances on one particular form of masking, Reed-Solomon Code-Based Masking (RS-CBM). While its application to the AES primitive with Boolean logic has already been investigated, we propose arithmetic gadgets and constrained conversions from arithmetic to Boolean logic and back. We also investigate Cost-Amortisation (CA), a method to encode several sensitive values into one masked code word, and propose techniques to switch between an un-amortised masking and an amortised one. Security is experimentally verified by performing a Test Vector Leakage Assessment (TVLA) on a SAM4S target using a ChipWhisperer Husky. We also provide formal proofs of security in the SNI model. Finally, we apply our gadgets to a post-quantum Key Encapsulation Mechanism (KEM), ML-KEM. Notably, we propose a full arithmetisation of the masked computations of the message compression and of the ciphertext comparison of ML-KEM.
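As an added illustration (my own code, not the paper's), a minimal arithmetic RS-CBM encoder over Z_q with q = 3329 (the ML-KEM modulus): each share is an evaluation of a random polynomial, cost amortisation packs k secrets into one code word, and share-wise addition stays linear. The choice of field, evaluation points and parameter names is my assumption, not the paper's construction.

```python
import secrets

Q = 3329  # ML-KEM modulus; arithmetic masking over Z_q (assumed field, not the paper's choice)

def lagrange_eval(points, x, q=Q):
    """Evaluate at x the unique polynomial through `points` (pairs (xi, yi)) over GF(q)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def rs_encode(secret_list, n, t, q=Q, rng=secrets.randbelow):
    """Encode k secrets into one n-share Reed-Solomon code word.

    The k secrets sit at evaluation points 0..k-1 (cost amortisation: k > 1
    packs several sensitive values into a single code word), t fresh random
    values sit at points -1..-t (mod q), and the n shares are the evaluations
    of the resulting degree-(k+t-1) polynomial at points k..k+n-1.
    Reconstruction needs k+t shares, so n >= k+t is required.
    """
    k = len(secret_list)
    assert n >= k + t and k + n - 1 < q - t, "parameters must fit in the field"
    pts = [(j, s % q) for j, s in enumerate(secret_list)]
    pts += [((-i) % q, rng(q)) for i in range(1, t + 1)]
    return [lagrange_eval(pts, x, q) for x in range(k, k + n)]

def rs_decode(shares, k, t, q=Q):
    """Recover the k packed secrets from any k+t shares (here the first k+t)."""
    pts = list(enumerate(shares, start=k))[: k + t]
    return [lagrange_eval(pts, j, q) for j in range(k)]

def masked_add(a, b, q=Q):
    """Linear gadget: adding code words share-wise adds the encoded secrets."""
    return [(x + y) % q for x, y in zip(a, b)]

if __name__ == "__main__":
    cw = rs_encode([3000], n=3, t=2)              # un-amortised: one secret, 3 shares
    print(rs_decode(cw, 1, 2))                    # [3000]
    packed = rs_encode([7, 11], n=4, t=2)         # amortised: two secrets, one code word
    print(rs_decode(packed, 2, 2))                # [7, 11]
```

Any t shares alone are evaluations of a polynomial with t uniformly random coefficients' worth of freedom, which is what gives the encoding its probing resistance; the decode step is shown only to check correctness and would never be executed on the masked device.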
Berthet et al. studied this question.