Arithmetic Coding and Blinding Countermeasures for Ring-LWE

We describe new arithmetic coding techniques and side-channel blinding countermeasures for lattice-based cryptography. Using these techniques we develop a practical, compact, and more quantum-resistant variant of the BLISS Ring-LWE signature scheme. We first show how the BLISS hash-based random oracle can be modified to be more secure against quantum preimage attacks while optimising signature size. Arithmetic coding offers information-theoretically optimal compression for stationary and memoryless sources, such as the discrete Gaussian distributions often present in lattice-based cryptography. We show that this technique gives better signature sizes than the previously proposed advanced Huffman-based signature compressors. We further demonstrate that arithmetic decoding from a uniform source to a target distribution is also an optimal non-uniform sampling method, in the sense that a minimal number of true random bits is required. The performance of this new Binary Arithmetic Coding (BAC) sampler is comparable to that of other practical samplers. The same code, tables, or circuitry can be utilised for both tasks, eliminating the need for separate sampling and compression components. We then describe simple randomised blinding techniques that can be applied to anti-cyclic polynomial multiplication to mask timing and power-consumption side channels in ring arithmetic. We further show that the Gaussian sampling process can also be blinded by a split-and-permute technique as an effective countermeasure against side-channel attacks.
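The following Python program is an added illustration of the compression/sampling duality described in the abstract; it is not the paper's code or the BLISS reference implementation. It builds an integer frequency table approximating a discrete Gaussian (the table construction, with probabilities rounded to multiples of 2^-16 and the support truncated at ±tail, is an assumption of this example), encodes a vector of samples with an exact big-rational arithmetic coder, and then reuses the same decoding loop as a sampler that pulls bits from a uniform source only when the undetermined part of the code interval straddles a symbol boundary. All names (`GaussianTable`, `encode`, `sample`, `decode`, `gaussian_sample`) are hypothetical.

```python
"""Exact (big-rational) binary arithmetic coder for discrete Gaussian samples,
reused in reverse as a discrete Gaussian sampler. Illustrative code only; the
table quantisation and truncation are assumptions of this example."""
from bisect import bisect_right
from fractions import Fraction
from math import ceil, exp, log2
import secrets


class GaussianTable:
    """Integer frequency table approximating a discrete Gaussian on [-tail, tail].
    Symbol i owns the count interval [cum[i], cum[i+1]) out of total = 2^precision."""

    def __init__(self, sigma, tail, precision=16):
        self.tail = tail
        self.symbols = list(range(-tail, tail + 1))
        self.total = 1 << precision
        weights = [exp(-x * x / (2.0 * sigma * sigma)) for x in self.symbols]
        total_w = sum(weights)
        freqs = [max(1, round(w / total_w * self.total)) for w in weights]
        freqs[tail] += self.total - sum(freqs)   # absorb rounding error in the centre bin
        self.cum = [0]
        for f in freqs:
            self.cum.append(self.cum[-1] + f)

    def interval(self, value):
        i = value + self.tail
        return self.cum[i], self.cum[i + 1]

    def cost_bits(self, value):
        """Ideal code length -log2(p) of one symbol under this table."""
        lo, hi = self.interval(value)
        return log2(self.total / (hi - lo))

    def entropy_bits(self):
        probs = [(self.cum[i + 1] - self.cum[i]) / self.total for i in range(len(self.symbols))]
        return -sum(p * log2(p) for p in probs)


def encode(values, table):
    """Narrow [0,1) by each symbol's sub-interval, then emit the shortest dyadic
    fraction lying inside the final interval as a '0'/'1' string."""
    low, width = Fraction(0), Fraction(1)
    for v in values:
        lo, hi = table.interval(v)
        low += width * Fraction(lo, table.total)
        width *= Fraction(hi - lo, table.total)
    k = 0
    while True:
        n = ceil(low * (1 << k))                 # smallest k-bit fraction >= low
        if Fraction(n, 1 << k) < low + width:
            return format(n, f"0{k}b") if k else ""
        k += 1


def sample(count, table, next_bit):
    """Decode `count` symbols from a bit source. A bit is consumed only when the
    interval of codes consistent with the bits read so far is not yet contained
    in a single symbol's sub-interval, so a uniform source is spent at roughly
    the table's entropy rate. Returns (symbols, bits_consumed)."""
    low, width = Fraction(0), Fraction(1)          # current coding interval
    code, code_width = Fraction(0), Fraction(1)    # codes consistent with bits read so far
    bits_used = 0
    out = []
    for _ in range(count):
        while True:
            target = (code - low) / width * table.total
            i = bisect_right(table.cum, target) - 1
            sym_low = low + width * Fraction(table.cum[i], table.total)
            sym_high = low + width * Fraction(table.cum[i + 1], table.total)
            if code + code_width <= sym_high:      # whole code interval inside symbol i
                break
            code_width /= 2                        # need one more bit to decide
            if next_bit():
                code += code_width
            bits_used += 1
        out.append(table.symbols[i])
        low, width = sym_low, sym_high - sym_low
    return out, bits_used


def decode(bits, count, table):
    """Decompression is just sampling driven by the stored bits (zeros past the end)."""
    it = iter(bits)
    values, _ = sample(count, table, lambda: int(next(it, "0")))
    return values


def gaussian_sample(count, table):
    """The same decoder fed with true random bits is the BAC-style sampler."""
    return sample(count, table, lambda: secrets.randbits(1))


if __name__ == "__main__":
    table = GaussianTable(sigma=3.0, tail=12)
    xs, used = gaussian_sample(64, table)
    bits = encode(xs, table)
    assert decode(bits, len(xs), table) == xs
    print(f"{len(xs)} samples, {used} random bits consumed, {len(bits)} bits after compression,"
          f" table entropy {table.entropy_bits():.2f} bits/symbol")
```

Because the coder works on exact rationals, no renormalisation or carry handling is needed; a streaming implementation with fixed-width registers would behave the same but with bounded state. The round trip through `encode`/`decode` and the sampler's bit consumption close to the table entropy are the two properties the abstract claims for the BAC approach.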
