High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption

Coron, Jean-Sébastien; Gérard, François; Montoya, Simon; Zeitoun, Rina

doi:10.46586/tches.v2022.i2.1-40

Cited by 8 publications

(34 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Instead of working with arithmetic multiplications modulo some big power-of-two, we propose to work in a Galois field, which saves us a conversion from the Boolean to the arithmetic masking domain and significantly reduces the cost of the comparison operation. We also develop a streamlined version of the Kyber-specific compression of Coron et al [2]. Both our algorithms outperform the comparisons they are based on.…”

Section: Contributionsmentioning

confidence: 99%

“…Coron et al [2] introduce a hybrid method to perform the comparison. They first build several subfunctions and combine them into one comparison algorithm aimed at prime moduli q, as used in Kyber.…”

Section: Hybrid Comparisonmentioning

confidence: 99%

“…

…”

mentioning

confidence: 99%

“…Masked implementations of encryption standardization candidates were presented for Saber by Van Beirendonck et al [22] for first order, and later by Coron et al [2] for higher masking orders. A masked Kyber implementation for generic masking orders was introduced by Bos et al [23].…”

mentioning

confidence: 99%

“…Removing the compression here comes at a cost of two (cheaper) checks per coefficient. Coron et al [2] introduced several new ideas to more efficiently perform this range check.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations

D’Anvers

Beirendonck

Verbauwhede

2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

Masked comparison is one of the most expensive operations in side-channel secure implementations of lattice-based post-quantum cryptography, especially for higher masking orders. First, we introduce two new masked comparison algorithms, which improve the arithmetic comparison of D'Anvers et al. [1] and the hybrid comparison method of Coron et al. [2] respectively. We then look into implementation-specific optimizations, and show that small specific adaptations can have a significant impact on the overall performance. Finally, we implement various state-of-the-art comparison algorithms and benchmark them on the same platform (ARM-Cortex M4) to allow a fair comparison between them. We improve on the arithmetic comparison of D'Anvers et al. with a factor ≈ 20% by using Galois Field multiplications and the hybrid comparison of Coron et al. with a factor ≈25% by streamlining the design. Our implementation-specific improvements allow a speedup of a straightforward comparison implementation of ≈ 33%. We discuss the differences between the various algorithms and provide the implementations and a testing framework to ease future research.

show abstract

Section: Contributionsmentioning

confidence: 99%

Section: Hybrid Comparisonmentioning

confidence: 99%

“…

…”

mentioning

confidence: 99%

mentioning

confidence: 99%

“…Removing the compression here comes at a cost of two (cheaper) checks per coefficient. Coron et al [2] introduced several new ideas to more efficiently perform this range check.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations

D’Anvers

Beirendonck

Verbauwhede

2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

show abstract

Masking the GLP Lattice-Based Signature Scheme at Any Order

Barthe,

Belaïd,

Espitau

et al. 2023

J Cryptol

View full text Add to dashboard Cite

Recently, numerous physical a acks have been demonstrated against la icebased schemes, o en exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those a acks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some la ice-based encryption schemes, but the much more di cult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. In this paper, we describe the rst masked implementation of a la ice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distribution would be prohibitively ine cient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai-Sahai-Wagner model (CRYPTO 2003) at any order in a relatively e cient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the e ciency of the proposed countermeasure.

show abstract