Advertisement

An Efficient and Provable Masked Implementation of qTESLA

  • François GérardEmail author
  • Mélissa Rossi
Conference paper
  • 21 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11833)

Abstract

Now that the NIST’s post-quantum cryptography competition has entered in its second phase, the time has come to focus more closely on practical aspects of the candidates. While efficient implementations of the proposed schemes are somewhat included in the submission packages, certain issues like the threat of side-channel attacks are often lightly touched upon by the authors. Hence, the community is encouraged by the NIST to join the war effort to treat those peripheral, but nonetheless crucial, topics. In this paper, we study the lattice-based signature scheme qTESLA in the context of the masking countermeasure. Continuing a line of research opened by Barthe et al. at Eurocrypt 2018 with the masking of the GLP signature scheme, we extend and modify their work to mask qTESLA. Based on the work of Migliore et al. in ACNS 2019, we slightly modify the parameters to improve the masked performance while keeping the same security. The masking can be done at any order and specialized gadgets are used to get maximal efficiency at order 1. We implemented our countermeasure in the original code of the submission and performed tests at different orders to assess the feasibility of our technique.

Keywords

Lattice based signatures Side-channels Masking 

Notes

Acknowledgements

We thank Sonia Belaïd for interesting insights about the masking proofs. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ P14158. This work is also partially supported by the European Union’s H2020 Programme under PROMETHEUS project (grant 780701). This research has been partially funded by ANRT under the programs CIFRE N 2016/1583.

References

  1. 1.
    Alkim, E., et al.: The lattice-based digital signature scheme qTESLA. Cryptology ePrint archive, report 2019/085 (2019). https://eprint.iacr.org/2019/085
  2. 2.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-04852-9_2CrossRefGoogle Scholar
  3. 3.
    Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78375-8_12CrossRefGoogle Scholar
  4. 4.
    Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., et al. (ed.) ACM CCS 2016, pp. 116–129. ACM Press, October 2016Google Scholar
  5. 5.
    Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  6. 6.
    Blackman, D., Vigna, S.: Scrambled linear pseudorandom number generators. In: CoRR abs/1805.01407 (2018). arXiv:1805.01407
  7. 7.
    Bos, J.W., et al.: Fly, you fool! Faster Frodo for the ARM Cortex-M4. Cryptology ePrint archive, report 2018/1116 (2018). https://eprint.iacr.org/2018/1116
  8. 8.
    Bruinderink, L.G., Pessl, P.: Differential fault attacks on deterministic lattice signatures. IACR Trans. Cryptograph. Hardw. Embedded Syst. 2018(3), 21–43 (2018). https://tches.iacr.org/index.php/TCHES/article/view/7267Google Scholar
  9. 9.
    Coron, J.-S.: High-order conversion from boolean to arithmetic masking. Cryptology ePrint archive, report 2017/252 (2017). http://eprint.iacr.org/2017/252
  10. 10.
    Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_25CrossRefGoogle Scholar
  11. 11.
    Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44709-3_11CrossRefzbMATHGoogle Scholar
  12. 12.
    Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48116-5_7CrossRefGoogle Scholar
  13. 13.
    Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_24CrossRefGoogle Scholar
  14. 14.
    Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Ctyptograph. Hardw. Embedded Syst. 2018(1), 238–268 (2018). https://tches.iacr.org/index.php/TCHES/article/view/839MathSciNetGoogle Scholar
  15. 15.
    Gérard, F., Rossi, M.: An efficient and provable masked implementation of qTESLA. Cryptology ePrint archive, report 2019/606 (2019). https://eprint.iacr.org/2019/606
  16. 16.
    Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44709-1_2CrossRefGoogle Scholar
  17. 17.
    Goudarzi, D., et al.: Unifying leakage models on a Rényi Day. Cryptology ePrint archive, report 2019/138 (2019). https://eprint.iacr.org/2019/138
  18. 18.
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33027-8_31CrossRefzbMATHGoogle Scholar
  19. 19.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_27CrossRefGoogle Scholar
  20. 20.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_9CrossRefGoogle Scholar
  21. 21.
    Langlois, A., Stehlé, D.: Hardness of decision (R)LWE for any modulus. Cryptology ePrint archive, report 2012/091 (2012). http://eprint.iacr.org/2012/091
  22. 22.
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_43CrossRefGoogle Scholar
  23. 23.
    Migliore, V., et al.: Masking Dilithium: efficient implementation and side-channel evaluation. Cryptology ePrint archive, report 2019/394 (2019). https://eprint.iacr.org/2019/394
  24. 24.
    M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48892-8_6CrossRefGoogle Scholar
  25. 25.
    Poddebniak, D., et al.: Attacking deterministic signature schemes using fault attacks. Cryptology ePrint archive, report 2017/1014 (2017). http://eprint.iacr.org/2017/1014
  26. 26.
    qTESLA team. https://qtesla.org/

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Université libre de BruxellesBrusselsBelgium
  2. 2.École normale supérieure, CNRSPSL UniversityParisFrance
  3. 3.ThalesGennevilliersFrance
  4. 4.InriaParisFrance

Personalised recommendations