Efficiently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto
With the rising popularity of lattice-based cryptography, the Learning with Errors (LWE) problem has emerged as a fundamental core of numerous encryption and key exchange schemes. Many LWE-based schemes have in common that they require sampling from a discrete Gaussian distribution, which comes with a number of challenges for the practical instantiation of those schemes. One of these is the inclusion of countermeasures against a physical side-channel adversary. While several works discuss the protection of samplers against timing leaks, only a few publications explore resistance against other side-channels, e.g., power. The most recent example of a protected binomial sampler (as used in key encapsulation mechanisms to sufficiently approximate Gaussian distributions) from CHES 2018 is restricted to a first-order adversary and cannot be easily extended to higher protection orders.
In this work, we present the first protected binomial sampler which provides provable security against a side-channel adversary at arbitrary orders. Our construction relies on a new conversion between Boolean and arithmetic (B2A) masking schemes for prime moduli which outperforms previous algorithms significantly for the relevant parameters, and is paired with a new masked bitsliced sampler allowing secure and efficient sampling even at larger protection orders. Since our proposed solution supports arbitrary moduli, it can be utilized in a large variety of lattice-based constructions, like NewHope, LIMA, Saber, Kyber, HILA5, or Ding Key Exchange.
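As an added illustration (not the paper's own code, which this page does not reproduce), the following share-count-generic C sketch combines the two ingredients named above: a Boolean-to-arithmetic (B2A) conversion of single bits modulo a prime q and a centered binomial sampler computed entirely on shares, so that the raw bits and the final sample never appear unmasked. The modulus, the CBD parameter K, the share count and the xorshift PRNG are assumed placeholders, and the refresh step only marks where re-randomisation belongs; it is not the provably secure gadget of the paper.

```c
#include <stdint.h>
#include <string.h>
#define Q 3329     /* assumed modulus (Kyber's prime q); any prime works here */
#define K 2        /* assumed CBD parameter: sample = HW(a) - HW(b) for K-bit a, b */
#define NSHARES 3  /* share count; protection order is NSHARES - 1 */
static uint32_t rng_state = 0x12345678u;  /* placeholder xorshift32, stands in for a real RNG */
static uint32_t rng(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; return rng_state ^= rng_state << 5;
}
/* Boolean-share one bit so that x[0] ^ ... ^ x[NSHARES-1] == bit. */
void bool_share_bit(uint8_t bit, uint8_t x[NSHARES]) {
    x[0] = bit;
    for (int i = 1; i < NSHARES; i++) { x[i] = rng() & 1; x[0] ^= x[i]; }
}
static void refresh(uint16_t a[NSHARES]) {  /* re-randomise shares; sum mod Q unchanged */
    for (int i = 1; i < NSHARES; i++) { uint16_t r = rng() % Q; a[i] = (a[i] + r) % Q; a[0] = (a[0] + Q - r) % Q; }
}
/* B2A of one bit: Boolean shares x -> arithmetic shares a with sum(a) == bit mod Q.
 * Each round folds in one more Boolean share via x ^ y = x + y - 2xy, applied share-wise. */
void b2a_bit(const uint8_t x[NSHARES], uint16_t a[NSHARES]) {
    memset(a, 0, NSHARES * sizeof a[0]);  a[0] = x[0];
    for (int i = 1; i < NSHARES; i++) {
        for (int j = 0; j < NSHARES; j++)                 /* A <- A - 2 * x_i * A */
            a[j] = (uint16_t)((a[j] + Q - (2u * x[i] * a[j]) % Q) % Q);
        a[i] = (uint16_t)((a[i] + x[i]) % Q);               /* A <- A + x_i */
        refresh(a);
    }
}
/* Masked CBD: Boolean-shared bits in, arithmetic shares of HW(a) - HW(b) mod Q out. */
void masked_cbd(uint8_t ab[K][NSHARES], uint8_t bb[K][NSHARES], uint16_t out[NSHARES]) {
    uint16_t t[NSHARES];  memset(out, 0, NSHARES * sizeof out[0]);
    for (int l = 0; l < K; l++) {
        b2a_bit(ab[l], t);
        for (int j = 0; j < NSHARES; j++) out[j] = (uint16_t)((out[j] + t[j]) % Q);      /* + a_l */
        b2a_bit(bb[l], t);
        for (int j = 0; j < NSHARES; j++) out[j] = (uint16_t)((out[j] + Q - t[j]) % Q);  /* - b_l */
    }
}
uint16_t unmask(const uint16_t a[NSHARES]) {  /* recombine shares: test/debug only */
    uint32_t s = 0;  for (int j = 0; j < NSHARES; j++) s += a[j];  return (uint16_t)(s % Q);
}
uint16_t plain_cbd(const uint8_t a[K], const uint8_t b[K]) {  /* unmasked reference sampler */
    int s = 0;  for (int l = 0; l < K; l++) s += a[l] - b[l];  return (uint16_t)((s + Q) % Q);
}
/* Share raw bits, run the masked sampler and compare with the reference; returns 1 on match. */
int check_masked_cbd(const uint8_t a[K], const uint8_t b[K]) {
    uint8_t as[K][NSHARES], bs[K][NSHARES];  uint16_t out[NSHARES];
    for (int l = 0; l < K; l++) { bool_share_bit(a[l], as[l]); bool_share_bit(b[l], bs[l]); }
    masked_cbd(as, bs, out);  return unmask(out) == plain_cbd(a, b);
}
```

Raising NSHARES changes only the share count; the B2A loop and the sampler stay the same, which is the point of an order-generic construction.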
The authors are grateful to the AsiaCrypt2018 reviewers for useful comments and feedback. The research in this work was supported in part by the European Union's Horizon 2020 program under project number 644729 SAFEcrypto and 724725 SWORD, by the VeriSec project 16KIS0634 from the Federal Ministry of Education and Research (BMBF) and by H2020 project PROMETHEUS, grant agreement ID 780701.