Masking ring-LWE

In this paper, we propose a masking scheme to protect ring-LWE decryption from first-order side-channel attacks. In an unprotected ring-LWE decryption, the recovered plaintext is computed by first performing polynomial arithmetic on the secret key and then decoding the result. We mask the polynomial operations by arithmetically splitting the secret key polynomial into two random shares; the final decoding operation is performed using a new bespoke masked decoder. The outputs of our masked ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. Thus, the masking scheme keeps all intermediates, including the recovered plaintext, in the masked domain. We have implemented the masking scheme on both hardware and software. On a Xilinx Virtex-II FPGA, the masked ring-LWE processor requires around 2000 LUTs, a $$20~\%$$20% increase in the area with respect to the unprotected architecture. A masked decryption operation takes 7478 cycles, which is only a factor $$2.6\times $$2.6× larger than the unprotected decryption. On a 32-bit ARM Cortex-M4F processor, the masked software implementation costs around $$5.2\times $$5.2× more cycles than the unprotected implementation.

[1]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[2]  Tanja Lange,et al.  Post-quantum cryptography , 2008, Nature.

[3]  Tim Güneysu,et al.  Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware , 2013, Selected Areas in Cryptography.

[4]  Ingrid Verbauwhede,et al.  Selecting Time Samples for Multivariate DPA Attacks , 2012, CHES.

[5]  William P. Marnane,et al.  Correlation Power Analysis of Large Word Sizes , 2007 .

[6]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[7]  Chris Peikert,et al.  Lattice Cryptography for the Internet , 2014, PQCrypto.

[8]  Frederik Vercauteren,et al.  Compact Ring-LWE Cryptoprocessor , 2014, CHES.

[9]  R. Rudell,et al.  Multiple-Valued Logic Minimization for PLA Synthesis , 1986 .

[10]  Ingrid Verbauwhede,et al.  DPA, Bitslicing and Masking at 1 GHz , 2015, IACR Cryptol. ePrint Arch..

[11]  Frederik Vercauteren,et al.  Compact and Side Channel Secure Discrete Gaussian Sampling , 2014, IACR Cryptol. ePrint Arch..

[12]  Louis Goubin,et al.  DES and Differential Power Analysis (The "Duplication" Method) , 1999, CHES.

[13]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[14]  Lubos Gaspar,et al.  FPGA Implementations of SPRING - And Their Countermeasures against Side-Channel Attacks , 2014, CHES.

[15]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[16]  Sorin A. Huss,et al.  On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes , 2012, CHES.

[17]  Tim Güneysu,et al.  Cryptographic hardware and embedded systems - CHES 2015 : 17th international workshop Saint-Malo, France, September 13-16, 2015 : proceedings , 2015 .

[18]  Jean-Sébastien Coron,et al.  Higher Order Masking of Look-up Tables , 2014, IACR Cryptol. ePrint Arch..

[19]  Frederik Vercauteren,et al.  Somewhat Practical Fully Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[20]  Frederik Vercauteren,et al.  Efficient software implementation of ring-LWE encryption , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[21]  Michael Naehrig,et al.  Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme , 2013, IMACC.

[22]  RegevOded On lattices, learning with errors, random linear codes, and cryptography , 2009 .

[23]  Jerry den Hartog,et al.  You Cannot Hide behind the Mask: Power Analysis on a Provably Secure S-Box Implementation , 2009, WISA.

[24]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[25]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[26]  OkamotoTatsuaki,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 2013 .

[27]  Michele Mosca,et al.  Post-quantum cryptography : 6th International Workshop, PQCrypto 2014 Waterloo, ON, Canada, October 1-3, 2014 : proceedings , 2014 .

[28]  Ingrid Verbauwhede,et al.  Consolidating Masking Schemes , 2015, CRYPTO.

[29]  Vincent Rijmen,et al.  Higher-Order Threshold Implementations , 2014, ASIACRYPT.

[30]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[31]  Emmanuel Prouff,et al.  Statistical Analysis of Second Order Differential Power Analysis , 2009, IEEE Transactions on Computers.

[32]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, EUROCRYPT.

[33]  Chester Rebeiro,et al.  Pushing the Limits of High-Speed GF(2 m ) Elliptic Curve Scalar Multiplication on FPGAs , 2012, CHES.

[34]  Frederik Vercauteren,et al.  A masked ring-LWE implementation , 2015, IACR Cryptol. ePrint Arch..

[35]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..