Abstract
Post-quantum cryptography with lattices typically requires high precision sampling of vectors with discrete Gaussian distributions. Lattice signatures require large values of the standard deviation parameter, which poses difficult problems in finding a suitable trade-off between throughput performance and memory resources on constrained devices. In this paper, we propose modifications to the Ziggurat method, known to be advantageous with respect to these issues, but problematic due to its inherent rejection-based timing profile. We improve upon information leakage through timing channels significantly and require: only 64-bit unsigned integers, no floating-point arithmetic, no division and no external libraries. Also proposed is a constant-time Gaussian function, possessing all aforementioned advantageous properties. The measures taken to secure the sampler completely close side-channel vulnerabilities through direct timing of operations and these have no negative implications on its applicability to lattice-based signatures. We demonstrate the improved method with a 128-bit reference implementation, showing that we retain the sampler’s efficiency and decrease memory consumption by a factor of 100. We show that this amounts to memory savings by a factor of almost 5,000, in comparison to an optimised, state-of-the-art implementation of another popular sampling method, based on cumulative distribution tables.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
These functions are adapted from https://cryptocoding.net/index.php/Coding_rules and have been extended to use multi-precision logic.
References
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016). https://doi.org/10.1561/0400000074
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual IEEE Symposium on Foundations of Computer Science, October 2004, pp. 372–381 (2004)
Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_16
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. Cryptology ePrint Archive, Report 2017/308 (2017). https://eprint.iacr.org/2017/308
Chen, L., et al.: Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology (2016)
Hoffstein, J., Pipher, J., Whyte, W., Zhang, Z.: pqNTRUSign: update and recent results (2017). https://2017.pqcrypto.org/conference/slides/recent-results/zhang.pdf
Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Le Trieu Phong, T.H., Aono, Y., Moriai, S.: Lotus. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: High precision discrete gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_19
Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. Technical report 259 (2017). https://eprint.iacr.org/2017/259
Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete Ziggurat: a time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_20
Shoup, V.: Number theory C++ library (NTL) version 10.3.0 (2003). http://www.shoup.net/ntl
GNU: glibc-2.7 (2018). https://www.gnu.org/software/libc/
Marsaglia, G., Tsang, W.W.: The ziggurat method for generating random variables. J. Stat. Softw. 5(1), 1–7 (2000). https://www.jstatsoft.org/index.php/jss/article/view/v005i08
libsafecrypto: WP6 of the SAFEcrypto project - a suite of lattice-based cryptographic schemes, July 2018, original-date: 2017-10-16T14:56:31Z. https://github.com/safecrypto/libsafecrypto
Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_20
Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete Gaussian sampling. IACR Cryptology ePrint Archive 2014, 591 (2014)
Pessl, P.: Analyzing the shuffling side-channel countermeasure for lattice-based signatures. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 153–170. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_9
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Brannigan, S., O’Neill, M., Khalid, A., Rafferty, C. (2018). Addressing Side-Channel Vulnerabilities in the Discrete Ziggurat Sampler. In: Chattopadhyay, A., Rebeiro, C., Yarom, Y. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2018. Lecture Notes in Computer Science(), vol 11348. Springer, Cham. https://doi.org/10.1007/978-3-030-05072-6_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-05072-6_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05071-9
Online ISBN: 978-3-030-05072-6
eBook Packages: Computer ScienceComputer Science (R0)