Skip navigation

DSpace

機構典藏 DSpace 系統致力於保存各式數位資料(如:文字、圖片、PDF)並使其易於取用。

點此認識 DSpace
DSpace logo
English
中文
  • 瀏覽論文
    • 校院系所
    • 出版年
    • 作者
    • 標題
    • 關鍵字
    • 指導教授
  • 搜尋 TDR
  • 授權 Q&A
    • 我的頁面
    • 接受 E-mail 通知
    • 編輯個人資料
  1. NTU Theses and Dissertations Repository
  2. 電機資訊學院
  3. 電機工程學系
請用此 Handle URI 來引用此文件: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101747
完整後設資料紀錄
DC 欄位值語言
dc.contributor.advisor王勝德zh_TW
dc.contributor.advisorSheng-De Wangen
dc.contributor.author趙姿雅zh_TW
dc.contributor.authorTzu-Ya Chaoen
dc.date.accessioned2026-03-04T16:15:02Z-
dc.date.available2026-03-05-
dc.date.copyright2026-03-04-
dc.date.issued2026-
dc.date.submitted2026-02-23-
dc.identifier.citation[1] Gorjan Alagic, Quynh Dang, Dustin Moody, Angela Robinson, Hamilton Silberg, Daniel Smith-Tone, et al. Module-lattice-based key-encapsulation mechanism standard. Technical report, National Institute of Standards and Technology (NIST), 2024.
[2] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science (FOCS), pages 124–134. IEEE, 1994.
[3] Jean-Sébastien Coron, François Gérard, Simon Montoya, and Rina Zeitoun. High-order table-based conversion algorithms and masking lattice-based encryption. IACR Transactions on Cryptographic Hardware and Embedded Systems 2022(2), 2022.
[4] Emmanuel Prouff, Matthieu Rivain, and Thomas Roche. On the practical security of a leakage resilient masking scheme. In Cryptographers’ Track at the RSA Conference, pages 169–182. Springer, 2014.
[5] Kalle Ngo, Ruize Wang, Elena Dubrova, and Nils Paulsrud. Side-channel attacks on lattice-based KEMs are not prevented by higher-order masking. Cryptology ePrint Archive, 2022.
[6] Quentin L. Meunier, Etienne Pons, and Karine Heydemann. LeakageVerif: Efficient and scalable formal verification of leakage in symbolic expressions. IEEE Transactions on Software Engineering, 49(6):3359–3375, 2023.
[7] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS-Kyber algorithm specifications and supporting documentation. NIST PQC Round 2(4):1–43, 2019.
[8] Prasanna Ravi, Sujoy Sinha Roy, Anupam Chattopadhyay, and Shivam Bhasin. Generic side-channel attacks on CCA-secure lattice-based PKE and KEMs. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 307–335, 2020.
[9] Zhuang Xu, Owen Pemberton, Sujoy Sinha Roy, David Oswald, Wang Yao, and Zhiming Zheng. Magnifying side-channel leakage of lattice-based cryptosystems with chosen ciphertexts: The case study of Kyber. IEEE Transactions on Computers, 71(9):2163–2176, 2021.
[10] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Annual International Cryptology Conference, pages 398–412. Springer, 1999.
[11] Louis Goubin and Jacques Patarin. DES and differential power analysis: The “Duplication” method. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 158–172. Springer, 1999.
[12] Louis Goubin. A sound method for switching between Boolean and arithmetic masking. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 3–15. Springer, 2001.
[13] Jean-Sébastien Coron, Johann Großschädl, and Praveen Kumar Vadnala. Secure conversion between Boolean and arithmetic masking of any order. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 188–205. Springer, 2014.
[14] Jean-Sébastien Coron, Johann Großschädl, Mehdi Tibouchi, and Praveen Kumar Vadnala. Conversion from arithmetic to Boolean masking with logarithmic complexity. In International Workshop on Fast Software Encryption, pages 130–149. Springer, 2015.
[15] Peter M. Kogge and Harold S. Stone. A parallel algorithm for the efficient solution of a general class of recurrence equations. IEEE Transactions on Computers, 100(8):786–793, 2009.
[16] Gilles Barthe, Sonia Belaïd, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi. Masking the GLP lattice-based signature scheme at any order. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 354–384. Springer, 2018.
[17] Tobias Schneider, Clara Paglialonga, Tobias Oder, and Tim Güneysu. Efficiently masking binomial sampling at arbitrary orders for lattice-based crypto. In IACR International Workshop on Public Key Cryptography, pages 534–564. Springer, 2019.
[18] Michael Hutter and Michael Tunstall. Constant-time higher-order Boolean-to-arithmetic masking. Journal of Cryptographic Engineering, 9(2):173–184, 2019.
[19] Jean-Sébastien Coron. High-order conversion from Boolean to arithmetic masking. In International Conference on Cryptographic Hardware and Embedded Systems, pages 93–114. Springer, 2017.
[20] Luk Bettale, Jean-Sébastien Coron, and Rina Zeitoun. Improved high-order conversion from Boolean to arithmetic masking. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 22–45, 2018.
[21] Jiangxue Liu, Cankun Zhao, Shuohang Peng, Bohan Yang, Hang Zhao, Xiangdong Han, Min Zhu, Shaojun Wei, and Leibo Liu. A low-latency high-order arithmetic to Boolean masking conversion. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(2):630–653, 2024.
[22] Jean-Sébastien Coron and Alexei Tchulkine. A new algorithm for switching from arithmetic to Boolean masking. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 89–97. Springer, 2003.
[23] Olaf Neiße and Jürgen Pulkus. Switching blindings with a view towards IDEA. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 230–239. Springer, 2004.
[24] Blandine Debraize. Efficient and provably secure methods for switching from arithmetic to Boolean masking. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 107–121. Springer, 2012.
[25] Michiel Van Beirendonck, Jan-Pieter D’Anvers, and Ingrid Verbauwhede. Analysis and comparison of table-based arithmetic to Boolean masking. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 275–297, 2021.
[26] Jean-Sébastien Coron. Higher order masking of look-up tables. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 441–458. Springer, 2014.
[27] Jan-Pieter D’Anvers. One-hot conversion: Towards faster table-based A2B conversion. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 628–657. Springer, 2023.
[28] Florian Bache, Clara Paglialonga, Tobias Oder, Tobias Schneider, and Tim Güneysu. High-speed masking for polynomial comparison in lattice-based KEMs. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 483–507, 2020.
[29] Jean-Sébastien Coron, François Gérard, Simon Montoya, and Rina Zeitoun. High-order polynomial comparison and masking lattice-based encryption. Cryptology ePrint Archive, 2021.
[30] Jan-Pieter D’Anvers, Michiel Van Beirendonck, and Ingrid Verbauwhede. Revisiting higher-order masked comparison for lattice-based cryptography: Algorithms and bit-sliced implementations. IEEE Transactions on Computers, 72(2):321–332, 2022.
[31] Shivam Bhasin, Jan-Pieter D’Anvers, Daniel Heinz, Thomas Pöppelmann, and Michiel Van Beirendonck. Attacking and defending masked polynomial comparison for lattice-based cryptography. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 334–359, 2021.
[32] Joppe Willem Bos, Marc Olivier Gourjon, Joost Renes, Tobias Schneider, and Christine van Vredendaal. Masking Kyber: First- and higher-order implementations. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(4):173–214, 2021.
[33] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. In Second SHA-3 Candidate Conference, volume 142. Citeseer, 2010.
[34] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi. Strong non-interference and type-directed higher-order masking. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 116–129, 2016.
[35] Daniel Heinz, Matthias J. Kannwischer, Georg Land, Thomas Pöppelmann, Peter Schwabe, and Amber Sprenkels. First-order masked Kyber on ARM Cortex-M4. Cryptology ePrint Archive, 2022.
[36] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, and Ingrid Verbauwhede. Theory and practice of a leakage resilient masking scheme. In International Conference on the Theory and Application of Cryptology and Information Security, pages 758–775. Springer, 2012.
[37] Andrew Moss, Elisabeth Oswald, Dan Page, and Michael Tunstall. Compiler assisted masking. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 58–75. Springer, 2012.
[38] Vincent Hwang, Jiaxiang Liu, Gregor Seiler, Xiaomu Shi, Ming-Hsien Tsai, Bow-Yaw Wang, and Bo-Yin Yang. Verified NTT multiplications for NISTPQC KEM lattice finalists: Kyber, SABER, and NTRU. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 718–750, 2022.
[39] Katharina Kreuzer. Verification of correctness and security properties for CRYSTALS-Kyber. In 2024 IEEE 37th Computer Security Foundations Symposium (CSF), pages 511–526. IEEE, 2024.
[40] José Bacelar Almeida et al. Formally verifying Kyber: Episode IV: Implementation correctness. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(3):164–193, 2023.
[41] José Bacelar Almeida et al. Formally verifying Kyber: Episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt. In Annual International Cryptology Conference, pages 384–421. Springer, 2024.
[42] Ali Galip Bayrak, Francesco Regazzoni, David Novo, and Paolo Ienne. Sleuth: Automated verification of software power analysis countermeasures. In International Conference on Cryptographic Hardware and Embedded Systems, pages 293–310. Springer, 2013.
[43] Gilles Barthe et al. Verified proofs of higher-order masking. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 457–485. Springer, 2015.
[44] Gilles Barthe et al. maskverif: Automated verification of higher-order masking in the presence of physical defaults. In European Symposium on Research in Computer Security, pages 300–318. Springer, 2019.
[45] Elia Bisi, Filippo Melzani, and Vittorio Zaccaria. Symbolic analysis of higher-order side channel countermeasures. IEEE Transactions on Computers, 66(6):1099–1105, 2016.
[46] Jean-Sébastien Coron. Formal verification of side-channel countermeasures via elementary circuit transformations. In International Conference on Applied Cryptography and Network Security, pages 65–82. Springer, 2018.
[47] Roderick Bloem, Hannes Groß, Rinat Iusupov, Bettina Könighofer, Stefan Mangard, and Johannes Winter. Formal verification of masked hardware implementations in the presence of glitches. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 321–353. Springer, 2018.
[48] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, and François-Xavier Standaert. Composable masking schemes in the presence of physical defaults & the robust probing model. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 89–120, 2018.
[49] Hassan Eldib, Chao Wang, and Patrick Schaumont. Formal verification of software countermeasures against side-channel attacks. ACM Transactions on Software Engineering and Methodology (TOSEM), 24(2):1–24, 2014.
[50] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Annual International Cryptology Conference, pages 463–481. Springer, 2003.
[51] Pengfei Gao. Formal verification of masking countermeasures for arithmetic programs. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pages 1385–1387, 2020.
[52] Pengfei Gao, Hongyi Xie, Fu Song, and Taolue Chen. A hybrid approach to formal verification of higher-order masked arithmetic programs. ACM Transactions on Software Engineering and Methodology (TOSEM), 30(3):1–42, 2021.
[53] Barbara Gigerl, Robert Primas, and Stefan Mangard. Formal verification of arithmetic masking in hardware and software. In International Conference on Applied Cryptography and Network Security, pages 3–32. Springer, 2023.		-
dc.identifier.urihttp://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101747-
dc.description.abstract由於 Shor 演算法的出現,未來在具備大規模量子位元的通用型量子電腦出現後,現今廣泛使用的公鑰密碼系統(如 RSA 與橢圓曲線密碼系統)將不再安全。因此,後量子密碼學 (PQC) 近年來受到廣泛關注與研究。美國國家標準與技術研究院(NIST)於 2024 年公布首批標準化之後量子密碼演算法,其中 ML-KEM 為入選的演算法之一,使其成為旁通道分析研究的重要目標,ML-KEM 的旁通道防禦也因而隨之受到重視,其中遮罩(Masking)為常見的防禦方法之一。然而,遮罩實作往往容易因細微的實作錯誤仍然產生資訊洩漏,因此可藉由形式驗證工具使得遮罩實作具備安全性保證。本論文成果擴充了形式化驗證框架 LeakageVerif,使其支援先前尚未涵蓋但為 ML-KEM 必要的運算,包括模運算、向下取整除法,以及變數位移運算。使用擴充後的 LeakageVerif,我們對 Coron 等人於2022年所提出之算術與布林遮罩間的轉換進行形式驗證,並進一步驗證基於該遮罩轉換所實作之遮罩 ML-KEM。此研究成果顯示,形式驗證工具能有效應用於複雜之遮罩格密碼學實作,並能為其旁通道安全提供更為強力的保證。zh_TW
dc.description.abstractDue to the advent of Shor's algorithm, widely deployed public-key cryptosystems, such as RSA and elliptic curve cryptography (ECC), are expected to become vulnerable in the presence of large-scale universal quantum computers in the near future. As a result, post-quantum cryptography (PQC) has attracted significant attention and has been actively researched in recent years. In 2024, the first standardized PQC schemes were published by the U.S. National Institute of Standards and Technology (NIST). Among these schemes, ML-KEM was selected as one of the standardized algorithms, making it a critical target for side-channel analysis research. At the same time, the resistance of ML-KEM against side-channel attacks has also been carefully considered. Though masking is one of the commonly adopted countermeasures, masked implementations are known to be error-prone and may still leak sensitive information due to subtle implementation flaws. Therefore, formal verification is used as a tool to provide security guarantees for masked implementations. In this work, we extend the formal verification framework LeakageVerif to support operations that were previously unsupported but are essential for ML-KEM, including modulo operations, floor division, and variable shift operations. Based on the extended tool, we formally verify both the arithmetic-to-Boolean (A2B) and Boolean-to-arithmetic (B2A) masking conversions proposed by Coron et al. in 2022, as well as a masked ML-KEM implementation built upon these conversions. This work demonstrates that formal verification tools can be effectively applied to complex masked lattice-based cryptographic implementations, providing stronger assurance of side-channel security.en
dc.description.provenanceSubmitted by admin ntu (admin@lib.ntu.edu.tw) on 2026-03-04T16:15:02Z
No. of bitstreams: 0		en
dc.description.provenanceMade available in DSpace on 2026-03-04T16:15:02Z (GMT). No. of bitstreams: 0en
dc.description.tableofcontentsVerification Letter from the Oral Examination Committee i
摘要 iii
Abstract v
Contents vii
List of Figures ix
List of Tables xi

Chapter 1 Introduction 1

Chapter 2 Background 5
2.1 ML-KEM 5
2.2 Masking 8
2.2.1 Masking Conversion 10
2.2.1.1 Algebraic Masking Conversion 10
2.2.1.2 Table-based Masking Conversion 12
2.2.2 Masked ML-KEM Scheme 14
2.3 Formal Verification 16
2.3.1 Formal Verification of ML-KEM 16
2.3.2 Formal Verification of Masking Schemes 17
2.3.2.1 Type System and Type Inference 18
2.3.2.2 Model-Counting 19
2.3.2.3 Probing Model 20
2.3.2.4 Hybrid Method 21
2.3.3 Research Gap 21

Chapter 3 Methods 23
3.1 Target Algorithm 23
3.2 Verification Tool: LeakageVerif 24
3.2.1 Ability and Strength 24
3.2.2 Usage 26
3.2.3 Limitation 27
3.2.4 Contribution: Extending LeakageVerif 27

Chapter 4 Experimental Results 29
4.1 Experimental Workflow 29
4.1.1 C-to-Python Translation 29
4.1.2 Equivalent Test Between C and Python 30
4.1.3 Writing Verification Scripts 31
4.2 Experiment Setup 31
4.3 Results of Masking Conversion Verification 32
4.4 Results of Masked ML-KEM Verification 33

Chapter 5 Conclusion 39

References 41		-
dc.language.isoen-
dc.subjectML-KEM-
dc.subject後量子密碼學-
dc.subject遮罩防禦-
dc.subject形式驗證-
dc.subjectLeakageVerif-
dc.subjectML-KEM-
dc.subjectPost-Quantum Cryptography-
dc.subjectMasking-
dc.subjectFormal Verification-
dc.subjectLeakageVerif-
dc.title遮罩 ML-KEM 抗旁通道攻擊性之形式驗證zh_TW
dc.titleFormal Verification of Side-Channel Resistance in Masked ML-KEMen
dc.typeThesis-
dc.date.schoolyear114-1-
dc.description.degree碩士-
dc.contributor.coadvisor陳君朋zh_TW
dc.contributor.coadvisorJiun-Peng Chenen
dc.contributor.oralexamcommittee王柏堯;楊柏因;雷欽隆zh_TW
dc.contributor.oralexamcommitteeBow-Yaw Wang;Bo-Yin Yang;Chin-Laung Leien
dc.subject.keywordML-KEM,後量子密碼學遮罩防禦形式驗證LeakageVerifzh_TW
dc.subject.keywordML-KEM,Post-Quantum CryptographyMaskingFormal VerificationLeakageVerifen
dc.relation.page49-
dc.identifier.doi10.6342/NTU202600792-
dc.rights.note未授權-
dc.date.accepted2026-02-24-
dc.contributor.author-college電機資訊學院-
dc.contributor.author-dept電機工程學系-
dc.date.embargo-liftN/A-
顯示於系所單位:電機工程學系

文件中的檔案:
檔案 大小格式 
ntu-114-1.pdf
  未授權公開取用 		8.14 MBAdobe PDF
顯示文件簡單紀錄


系統中的文件,除了特別指名其著作權條款之外,均受到著作權保護,並且保留所有的權利。

社群連結
聯絡資訊
10617臺北市大安區羅斯福路四段1號
No.1 Sec.4, Roosevelt Rd., Taipei, Taiwan, R.O.C. 106
Tel: (02)33662353
Email: ntuetds@ntu.edu.tw
意見箱
相關連結
館藏目錄
國內圖書館整合查詢 MetaCat
臺大學術典藏 NTU Scholars
臺大圖書館數位典藏館
本站聲明
© NTU Library All Rights Reserved