Abstract
In this paper, we present a new masking scheme for ring-LWE decryption. Our scheme exploits the additively-homomorphic property of the existing ring-LWE encryption schemes and computes an additive-mask as an encryption of a random message. Our solution differs in several aspects from the recent masked ring-LWE implementation by Reparaz et al. presented at CHES 2015; most notably we do not require a masked decoder but work with a conventional, unmasked decoder. As such, we can secure a ring-LWE implementation using additive masking with minimal changes. Our masking scheme is also very generic in the sense that it can be applied to other additively-homomorphic encryption schemes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aysu, A., Patterson, C., Schaumont, P.: Low-cost and area-efficient FPGA implementations of lattice-based cryptography. In: 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 81–86 (2013)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme, Cryptology ePrint Archive, Report 2013/075 (2013). http://eprint.iacr.org/
Boorghany, A., Sarmadi, S.B., Jalili, R.: On constrained implementation of lattice-based cryptographic primitives and schemes on smart cards. ACM Trans. Embed. Comput. Syst. 14(3), 42 (2015)
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)
de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Efficient software implementation of ring-lwe encryption. In: Nebel, W., Atienza, D. (ed.) Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, Grenoble, France, 9–13 March 2015, pp. 339–344. ACM (2015)
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption, Cryptology ePrint Archive, Report 2012/144 (2012). http://www.eprint.iacr.org/
Göttert, N., Feller, T., Schneider, M., Buchmann, J., Huss, S.: On the design of hardware building blocks for modern lattice-based encryption schemes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 512–529. Springer, Heidelberg (2012)
Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013)
Goubin, L., Patarin, J.: DES and differential power analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)
Golic, J.D., Tymen, T.: Multiplicative masking and power analysis of AES, cryptographic hardware and embedded systems - CHES 2002. In: Kaliski Jr, Burton S., Koç, Çetin Kaya, Paar, Christof (eds.) CHES 2002. LNCS, vol. 2523, pp. 198–212. Springer, Heidelberg (2002)
Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)
Liu, Z., Seo, H., Roy, S.S. Großschädl, J., Kim, H., Verbauwhede, I.: Efficient ring-lwe encryption on 8-bit avr processors, Cryptology ePrint Archive, Report 2015/410 (2015). http://eprint.iacr.org/
Cryptography today, Last Modified on 19, Aug 2015. https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014)
Pöppelmann, T., Güneysu, T.: Towards practical lattice-based public-key encryption on reconfigurable hardware. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 68–86. Springer, Heidelberg (2014)
Pöppelmann, T., Oder, T., Güneys, T.: High-performance ideal lattice-based cryptography on 8-bit atxmega microcontrollers, Cryptology ePrint Archive, Report 2015/382 (2015). http://eprint.iacr.org/
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, New York, NY, USA, STOC 2005, pp. 84–93. ACM (2005)
Reparaz, O., Roy, S.S., Vercauteren, F., Verbauwhede, I.: A masked ring-LWE implementation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 683–702. Springer, Heidelberg (2015)
Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 371–391. Springer, Heidelberg (2014)
Roy, S.S., Vercauteren, F., Verbauwhede, I.: High precision discrete gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review. 41, 303–332 (1999)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
An Attack on the Multiplication
An Attack on the Multiplication
An adversary could mount the following attack with a zero-value power model to recover only whether \(s[i]=0\) or not. Note that the distribution of \((c_1+c'_1)\cdot s\) when \(s=0\) and \(c_1+c'_1\) is uniform random is different from the distribution of \((c_1+c'_1) \cdot s\) when \(s\ne 0\). This effect resembles [GT02], with the important difference that here the attacker has no control over \((c_1+c'_1)\) and that the outcome of the attack is recovering only whether \(s[i]=0\) or not.
-
1.
locate time samples where \((c_1+c'_1)[i] \cdot s[i]\) is handled \(i\in \{0,\ldots , 255\}\).
-
2.
cluster \((c_1+c'_1)[i] \cdot s[i]\) into two groups according to mean power consumption (or variance).
-
3.
tag the two groups as \(s[i]=0\) or \(s[i]\ne 0\).
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Reparaz, O., de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I. (2016). Additively Homomorphic Ring-LWE Masking. In: Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2016. Lecture Notes in Computer Science(), vol 9606. Springer, Cham. https://doi.org/10.1007/978-3-319-29360-8_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-29360-8_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29359-2
Online ISBN: 978-3-319-29360-8
eBook Packages: Computer ScienceComputer Science (R0)