Efficiently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto

  • Tobias SchneiderEmail author
  • Clara Paglialonga
  • Tobias Oder
  • Tim Güneysu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


With the rising popularity of lattice-based cryptography, the Learning with Errors (LWE) problem has emerged as a fundamental core of numerous encryption and key exchange schemes. Many LWE-based schemes have in common that they require sampling from a discrete Gaussian distribution which comes with a number of challenges for the practical instantiation of those schemes. One of these is the inclusion of countermeasures against a physical side-channel adversary. While several works discuss the protection of samplers against timing leaks, only few publications explore resistance against other side-channels, e.g., power. The most recent example of a protected binomial sampler (as used in key encapsulation mechanisms to sufficiently approximate Gaussian distributions) from CHES 2018 is restricted to a first-order adversary and cannot be easily extended to higher protection orders.

In this work, we present the first protected binomial sampler which provides provable security against a side-channel adversary at arbitrary orders. Our construction relies on a new conversion between Boolean and arithmetic (B2A) masking schemes for prime moduli which outperforms previous algorithms significantly for the relevant parameters, and is paired with a new masked bitsliced sampler allowing secure and efficient sampling even at larger protection orders. Since our proposed solution supports arbitrary moduli, it can be utilized in a large variety of lattice-based constructions, like NewHope, LIMA, Saber, Kyber, HILA5, or Ding Key Exchange.



The authors are grateful to the AsiaCrypt2018 reviewers for useful comments and feedback. The research in this work was supported in part by the European Unions Horizon 2020 program under project number 644729 SAFEcrypto and 724725 SWORD, by the VeriSec project 16KIS0634 from the Federal Ministry of Education and Research (BMBF) and by H2020 project PROMETHEUS, grant agreement ID 780701.


  1. 1.
    Alkim, E., et al.: NewHope algorithm specifications and supporting documentation. Accessed 09 May 2018
  2. 2.
    Alkim, E., Jakubeit, P., Schwabe, P.: NewHope on ARM Cortex-M. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 332–349. Springer, Cham (2016). Scholar
  3. 3.
    Avanzi, R., et al.: CRYSTALS-Kyber. Technical report, National Institute of Standards and Technology (2017).
  4. 4.
    Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P., Grégoire, B.: Compositional verification of higher-order masking: application to a verifying masking compiler. IACR Cryptology ePrint Archive, 2015:506 (2015)Google Scholar
  5. 5.
    Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: ACM CCS 2016, pp. 116–129. ACM (2016)Google Scholar
  6. 6.
    Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018). Scholar
  7. 7.
    Bettale, L., Coron, J., Zeitoun, R.: Improved high-order conversion from Boolean to arithmetic masking. TCHES 2018, 22–45 (2018)Google Scholar
  8. 8.
    Biryukov, A., Dinu, D., Corre, Y.L., Udovenko, A.: Optimal first-order Boolean masking for embedded IoT devices. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 22–41. Springer, Cham (2018). Scholar
  9. 9.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). Scholar
  10. 10.
    Chen, C., Eisenbarth, T., von Maurich, I., Steinwandt, R.: Differential power analysis of a McEliece cryptosystem. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 538–556. Springer, Cham (2015). Scholar
  11. 11.
    Chen, C., Eisenbarth, T., von Maurich, I., Steinwandt, R.: Masking large keys in hardware: a masked implementation of McEliece. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 293–309. Springer, Cham (2016). Scholar
  12. 12.
    Coron, J.-S.: High-order conversion from Boolean to arithmetic masking. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 93–114. Springer, Cham (2017). Scholar
  13. 13.
    Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to Boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). Scholar
  14. 14.
    Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between Boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). Scholar
  15. 15.
    D’Anvers, J.-P., Karmakar, A., Roy, S.S., Vercauteren, F.: SABER: Mod-LWR based KEM. Technical report, National Institute of Standards and Technology (2017).
  16. 16.
    Debraize, B.: Efficient and provably secure methods for switching from arithmetic to Boolean masking. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 107–121. Springer, Heidelberg (2012). Scholar
  17. 17.
    Ding, J., Takagi, T., Gao, X., Wang, Y.: Ding Key Exchange. Technical report, National Institute of Standards and Technology (2017).
  18. 18.
    Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Shalmani, M.T.M.: On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 203–220. Springer, Heidelberg (2008). Scholar
  19. 19.
    Goubin, L.: A sound method for switching between Boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). Scholar
  20. 20.
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). Scholar
  21. 21.
    Hutter, M., Tunstall, M.: Constant-time higher-order Boolean-to-arithmetic masking. IACR Cryptology ePrint Archive, 2016:1023 (2016)Google Scholar
  22. 22.
    Ishai, Y., Sahai, A., Wagner, D.A.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). Scholar
  23. 23.
    Karroumi, M., Richard, B., Joye, M.: Addition with blinded operands. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 41–55. Springer, Cham (2014). Scholar
  24. 24.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Scholar
  25. 25.
    Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. TCHES 2018, 142–174 (2018)Google Scholar
  26. 26.
    National Institute of Standards and Technology. Post-quantum cryptography - round 1 submissions. Accessed 10 Dec 2018
  27. 27.
    National Institute of Standards and Technology. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. Accessed 10 May 2018
  28. 28.
    Reparaz, O., Roy, S.S., de Clercq, R., Vercauteren, F., Verbauwhede, I.: Masking ring-LWE. J. Crypt. Eng. 6(2), 139–153 (2016)CrossRefGoogle Scholar
  29. 29.
    Saarinen, M.-J.O.: HILA5. Technical report, National Institute of Standards and Technology (2017).
  30. 30.
    Schneider, T., Moradi, A., Güneysu, T.: Arithmetic addition over Boolean masking towards first- and second-order resistance in hardware. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 559–578. Springer, Cham (2015). Scholar
  31. 31.
    Smart, N.P., et al.: LIMA-1.1: a PQC encryption scheme. Technical report, National Institute of Standards and Technology (2017).
  32. 32.
    Standaert, F.-X., et al.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010). Scholar
  33. 33.
    Won, Y.-S., Han, D.-G.: Efficient conversion method from arithmetic to Boolean masking in constrained devices. In: Guilley, S. (ed.) COSADE 2017. LNCS, vol. 10348, pp. 120–137. Springer, Cham (2017). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Tobias Schneider
    • 1
    Email author
  • Clara Paglialonga
    • 2
  • Tobias Oder
    • 3
  • Tim Güneysu
    • 3
    • 4
  1. 1.ICTEAM/ELEN/Crypto GroupUniversité Catholique de LouvainLouvain-la-NeuveBelgium
  2. 2.Technische Universität DarmstadtDarmstadtGermany
  3. 3.Horst Görtz Institute for IT SecurityRuhr-Universität BochumBochumGermany
  4. 4.DFKIBremenGermany

Personalised recommendations