An Efficient and Provable Masked Implementation of qTESLA

Now that the NIST’s post-quantum cryptography competition has entered in its second phase, the time has come to focus more closely on practical aspects of the candidates. While efficient implementations of the proposed schemes are somewhat included in the submission packages, certain issues like the threat of side-channel attacks are often lightly touched upon by the authors. Hence, the community is encouraged by the NIST to join the war effort to treat those peripheral, but nonetheless crucial, topics. In this paper, we study the lattice-based signature scheme qTESLA in the context of the masking countermeasure. Continuing a line of research opened by Barthe et al. at Eurocrypt 2018 with the masking of the GLP signature scheme, we extend and modify their work to mask qTESLA. Based on the work of Migliore et al. in ACNS 2019, we slightly modify the parameters to improve the masked performance while keeping the same security. The masking can be done at any order and specialized gadgets are used to get maximal efficiency at order 1. We implemented our countermeasure in the original code of the submission and performed tests at different orders to assess the feasibility of our technique.

[1]  Mehdi Tibouchi,et al.  Masking Dilithium: Efficient Implementation and Side-Channel Evaluation , 2019, IACR Cryptol. ePrint Arch..

[2]  Sedat Akleylek,et al.  An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation , 2016, AFRICACRYPT.

[3]  Jean-Sébastien Coron,et al.  Higher-Order Side Channel Security and Mask Refreshing , 2013, FSE.

[4]  Damian Poddebniak,et al.  Attacking Deterministic Signature Schemes Using Fault Attacks , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[5]  Paulo S. L. M. Barreto,et al.  Sharper Ring-LWE Signatures , 2016, IACR Cryptol. ePrint Arch..

[6]  Sebastiano Vigna,et al.  Scrambled Linear Pseudorandom Number Generators , 2018, ACM Trans. Math. Softw..

[7]  Tim Güneysu,et al.  Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems , 2012, CHES.

[8]  Jean-Sébastien Coron,et al.  Secure Conversion between Boolean and Arithmetic Masking of Any Order , 2014, CHES.

[9]  Jean-Sébastien Coron,et al.  Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity , 2015, FSE.

[10]  Peter Schwabe,et al.  High-Speed Signatures from Standard Lattices , 2014, LATINCRYPT.

[11]  Jean-Sébastien Coron High-Order Conversion from Boolean to Arithmetic Masking , 2017, CHES.

[12]  Damien Stehlé,et al.  Hardness of decision (R)LWE for any modulus , 2012, IACR Cryptol. ePrint Arch..

[13]  Peter Pessl,et al.  Differential Fault Attacks on Deterministic Lattice Signatures , 2018, IACR Cryptol. ePrint Arch..

[14]  Erdem Alkim,et al.  Revisiting TESLA in the Quantum Random Oracle Model , 2017, PQCrypto.

[15]  Louis Goubin,et al.  A Sound Method for Switching between Boolean and Arithmetic Masking , 2001, CHES.

[16]  Shi Bai,et al.  An Improved Compression Technique for Signatures Based on Learning with Errors , 2014, CT-RSA.

[17]  Emmanuel Prouff,et al.  Provably Secure Higher-Order Masking of AES , 2010, IACR Cryptol. ePrint Arch..

[18]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[19]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[20]  Damien Stehlé,et al.  CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme , 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[21]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[22]  Alain Passelègue,et al.  Unifying Leakage Models on a Rényi Day , 2019, IACR Cryptol. ePrint Arch..

[23]  Paulo S. L. M. Barreto,et al.  The Lattice-Based Digital Signature Scheme qTESLA , 2020, IACR Cryptol. ePrint Arch..

[24]  Mehdi Tibouchi,et al.  Masking the GLP Lattice-Based Signature Scheme at Any Order , 2018, EUROCRYPT.

[25]  David M'Raïhi,et al.  Computational Alternatives to Random Number Generators , 1998, Selected Areas in Cryptography.

[26]  Jean-Sébastien Coron,et al.  Higher Order Masking of Look-up Tables , 2014, IACR Cryptol. ePrint Arch..

[27]  Daniele Micciancio,et al.  Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time , 2017, CRYPTO.

[28]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[29]  Benjamin Grégoire,et al.  Strong Non-Interference and Type-Directed Higher-Order Masking , 2016, CCS.

[30]  Elisabeth Oswald,et al.  Fly, you fool! Faster Frodo for the ARM Cortex-M4 , 2018, IACR Cryptol. ePrint Arch..