An Efficient and Provable Masked Implementation of qTESLA

  • François GérardEmail author
  • Mélissa Rossi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11833)


Now that the NIST’s post-quantum cryptography competition has entered in its second phase, the time has come to focus more closely on practical aspects of the candidates. While efficient implementations of the proposed schemes are somewhat included in the submission packages, certain issues like the threat of side-channel attacks are often lightly touched upon by the authors. Hence, the community is encouraged by the NIST to join the war effort to treat those peripheral, but nonetheless crucial, topics. In this paper, we study the lattice-based signature scheme qTESLA in the context of the masking countermeasure. Continuing a line of research opened by Barthe et al. at Eurocrypt 2018 with the masking of the GLP signature scheme, we extend and modify their work to mask qTESLA. Based on the work of Migliore et al. in ACNS 2019, we slightly modify the parameters to improve the masked performance while keeping the same security. The masking can be done at any order and specialized gadgets are used to get maximal efficiency at order 1. We implemented our countermeasure in the original code of the submission and performed tests at different orders to assess the feasibility of our technique.


Lattice based signatures Side-channels Masking 



We thank Sonia Belaïd for interesting insights about the masking proofs. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ P14158. This work is also partially supported by the European Union’s H2020 Programme under PROMETHEUS project (grant 780701). This research has been partially funded by ANRT under the programs CIFRE N 2016/1583.


  1. 1.
    Alkim, E., et al.: The lattice-based digital signature scheme qTESLA. Cryptology ePrint archive, report 2019/085 (2019).
  2. 2.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). Scholar
  3. 3.
    Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018). Scholar
  4. 4.
    Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., et al. (ed.) ACM CCS 2016, pp. 116–129. ACM Press, October 2016Google Scholar
  5. 5.
    Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2017).
  6. 6.
    Blackman, D., Vigna, S.: Scrambled linear pseudorandom number generators. In: CoRR abs/1805.01407 (2018). arXiv:1805.01407
  7. 7.
    Bos, J.W., et al.: Fly, you fool! Faster Frodo for the ARM Cortex-M4. Cryptology ePrint archive, report 2018/1116 (2018).
  8. 8.
    Bruinderink, L.G., Pessl, P.: Differential fault attacks on deterministic lattice signatures. IACR Trans. Cryptograph. Hardw. Embedded Syst. 2018(3), 21–43 (2018). Scholar
  9. 9.
    Coron, J.-S.: High-order conversion from boolean to arithmetic masking. Cryptology ePrint archive, report 2017/252 (2017).
  10. 10.
    Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). Scholar
  11. 11.
    Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). Scholar
  12. 12.
    Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). Scholar
  13. 13.
    Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). Scholar
  14. 14.
    Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Ctyptograph. Hardw. Embedded Syst. 2018(1), 238–268 (2018). Scholar
  15. 15.
    Gérard, F., Rossi, M.: An efficient and provable masked implementation of qTESLA. Cryptology ePrint archive, report 2019/606 (2019).
  16. 16.
    Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). Scholar
  17. 17.
    Goudarzi, D., et al.: Unifying leakage models on a Rényi Day. Cryptology ePrint archive, report 2019/138 (2019).
  18. 18.
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). Scholar
  19. 19.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). Scholar
  20. 20.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Scholar
  21. 21.
    Langlois, A., Stehlé, D.: Hardness of decision (R)LWE for any modulus. Cryptology ePrint archive, report 2012/091 (2012).
  22. 22.
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). Scholar
  23. 23.
    Migliore, V., et al.: Masking Dilithium: efficient implementation and side-channel evaluation. Cryptology ePrint archive, report 2019/394 (2019).
  24. 24.
    M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). Scholar
  25. 25.
    Poddebniak, D., et al.: Attacking deterministic signature schemes using fault attacks. Cryptology ePrint archive, report 2017/1014 (2017).
  26. 26.
    qTESLA team.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Université libre de BruxellesBrusselsBelgium
  2. 2.École normale supérieure, CNRSPSL UniversityParisFrance
  3. 3.ThalesGennevilliersFrance
  4. 4.InriaParisFrance

Personalised recommendations