Efficiently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto

With the rising popularity of lattice-based cryptography, the Learning with Errors (LWE) problem has emerged as a fundamental core of numerous encryption and key exchange schemes. Many LWE-based schemes have in common that they require sampling from a discrete Gaussian distribution, which brings a number of challenges for the practical instantiation of those schemes. One of these is the inclusion of countermeasures against a physical side-channel adversary. While several works discuss the protection of samplers against timing leaks, only a few publications explore resistance against other side-channels, e.g., power. The most recent example of a protected binomial sampler (as used in key encapsulation mechanisms to sufficiently approximate Gaussian distributions) from CHES 2018 is restricted to a first-order adversary and cannot be easily extended to higher protection orders.
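To make concrete what the sampler under discussion computes before any masking is applied, here is an added illustration (not code from the paper): an unmasked centered binomial sampler of the kind used in lattice KEMs, together with its exact distribution and a measure of how closely it approximates a discrete Gaussian of the same variance. The SHAKE-128 seed expansion and the parameter names are my own constructed choices, not taken from any specific scheme.

```python
from fractions import Fraction
from math import comb, exp, sqrt
import hashlib

def bits_from_bytes(data: bytes):
    """Yield the bits of a byte string, least significant bit of each byte first."""
    for byte in data:
        for i in range(8):
            yield (byte >> i) & 1

def cbd_sample(bit_iter, k: int) -> int:
    """One centered binomial sample: Hamming weight of k bits minus that of k more bits.
    The result lies in [-k, k]; it is this bit-counting step that masking must protect."""
    a = sum(next(bit_iter) for _ in range(k))
    b = sum(next(bit_iter) for _ in range(k))
    return a - b

def cbd_samples(seed: bytes, k: int, n: int) -> list:
    """Derive n samples from a seed; SHAKE-128 expansion is a constructed stand-in for a real PRF."""
    needed = (2 * k * n + 7) // 8
    bits = bits_from_bytes(hashlib.shake_128(seed).digest(needed))
    return [cbd_sample(bits, k) for _ in range(n)]

def cbd_pmf(k: int) -> dict:
    """Exact law of a - b with a, b ~ Bin(k, 1/2): P(x) = C(2k, k + x) / 2^(2k)."""
    return {x: Fraction(comb(2 * k, k + x), 2 ** (2 * k)) for x in range(-k, k + 1)}

def cbd_variance(k: int) -> Fraction:
    """Variance of the centered binomial distribution, which equals k/2."""
    return sum(p * x * x for x, p in cbd_pmf(k).items())

def discrete_gaussian_pmf(sigma: float, bound: int) -> dict:
    """Discrete Gaussian truncated to [-bound, bound] and normalised over that support."""
    weights = {x: exp(-x * x / (2 * sigma * sigma)) for x in range(-bound, bound + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}

def statistical_distance(k: int) -> float:
    """Total variation distance between CBD(k) and the discrete Gaussian of variance k/2."""
    cbd = cbd_pmf(k)
    dg = discrete_gaussian_pmf(sqrt(k / 2), 4 * k)  # wide support, truncation error negligible
    return 0.5 * sum(abs(float(cbd.get(x, 0)) - dg[x]) for x in dg)

if __name__ == "__main__":
    for k in (1, 8, 16):
        print(k, cbd_variance(k), round(statistical_distance(k), 4))
```

Larger k brings the sampler closer to the Gaussian, but each extra input bit is one more share-wise addition that a masked implementation has to carry out securely.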
