Pushing the speed limit of constant-time discrete Gaussian sampling. A case study on the Falcon signature scheme.

Sampling from a discrete Gaussian distribution has applications in lattice-based post-quantum cryptography. Several efficient solutions have been proposed in recent years. However, making a Gaussian sampler secure against timing attacks turned out to be a challenging research problem. In this work, we present a toolchain to instantiate an efficient constant-time discrete Gaussian sampler of arbitrary standard deviation and precision. We observe an interesting property of the mapping from input random bit strings to samples during a Knuth-Yao sampling algorithm and propose an efficient way of minimizing the Boolean expressions for the mapping. Our minimization approach results in up to 37% faster discrete Gaussian sampling compared to the previous work. Finally, we apply our optimized and secure Gaussian sampler in the lattice-based digital signature algorithm Falcon, which is a NIST submission, and provide experimental evidence that the overall performance of the signing algorithm degrades by at most 33% only due to the additional overhead of ‘constant-time’ sampling, including the 60% overhead of random number generation. Breaking a general belief, our results indirectly show that the use of discrete Gaussian samples in digital signature algorithms would be beneficial.CCS CONCEPTS• Security and privacy $\rightarrow$ Side-channel analysis and counter-measures; Digital signatures; Hardware attacks and countermeasures; Cryptography.

[1]  Joseph F. Traub,et al.  Algorithms and Complexity: New Directions and Recent Results , 1976 .

[2]  Chris Peikert,et al.  An Efficient and Parallel Gaussian Sampler for Lattices , 2010, CRYPTO.

[3]  Frederik Vercauteren,et al.  Compact and Side Channel Secure Discrete Gaussian Sampling , 2014, IACR Cryptol. ePrint Arch..

[4]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[5]  Tanja Lange,et al.  Revised Selected Papers on Selected Areas in Cryptography -- SAC 2013 - Volume 8282 , 2013 .

[6]  Eli Biham,et al.  A Fast New DES Implementation in Software , 1997, FSE.

[7]  Frederik Vercauteren,et al.  High Precision Discrete Gaussian Sampling on FPGAs , 2013, Selected Areas in Cryptography.

[8]  Damien Stehlé,et al.  CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM , 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[9]  Steven D. Galbraith,et al.  Sampling from discrete Gaussians for lattice-based cryptography on a constrained device , 2014, Applicable Algebra in Engineering, Communication and Computing.

[10]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[12]  Frederik Vercauteren,et al.  Constant-Time Discrete Gaussian Sampling , 2018, IEEE Transactions on Computers.

[13]  Frederik Vercauteren,et al.  Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM , 2018, IACR Cryptol. ePrint Arch..

[14]  Peter Pessl,et al.  Analyzing the Shuffling Side-Channel Countermeasure for Lattice-Based Signatures , 2016, INDOCRYPT.

[15]  Damien Stehlé,et al.  CRYSTALS - Dilithium: Digital Signatures from Module Lattices , 2017, IACR Cryptol. ePrint Arch..

[16]  Chaohui Du,et al.  Towards efficient discrete Gaussian sampling for lattice-based cryptography , 2015, 2015 25th International Conference on Field Programmable Logic and Applications (FPL).

[17]  Daniele Micciancio,et al.  Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time , 2017, CRYPTO.

[18]  Tanja Lange,et al.  Flush, Gauss, and reload : a cache attack on the BLISS lattice-based signature scheme , 2016 .

[19]  Tim Güneysu,et al.  Enhanced Lattice-Based Signatures on Reconfigurable Hardware , 2014, CHES.

[20]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[21]  Ingrid Verbauwhede,et al.  Dude, is my code constant time? , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[22]  Jung Hee Cheon,et al.  Lizard: Cut off the Tail! // Practical Post-Quantum Public-Key Encryption from LWE and LWR , 2018, IACR Cryptol. ePrint Arch..

[23]  Frederik Vercauteren,et al.  Compact and Side Channel Resistant Discrete Gaussian Sampling , 2014 .

[24]  Paulo S. L. M. Barreto,et al.  Sharper Ring-LWE Signatures , 2016, IACR Cryptol. ePrint Arch..

[25]  Oded Regev,et al.  New lattice based cryptographic constructions , 2003, STOC '03.

[26]  RegevOded,et al.  On Ideal Lattices and Learning with Errors over Rings , 2013 .

[27]  Zhenfei Zhang,et al.  Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU , 2019 .