This is version 20161125:140607 of this paper.

Paper 2016/1109

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder and Tobias Schneider and Thomas Pöppelmann and Tim Güneysu

Abstract

In this work we provide the first practical instantiation of ring-LWE-based public-key encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel attacks (masking and hiding). We propose a novel, provably first-order secure masking scheme that outperforms previous work, and we combine this masking approach with blinding and shuffling techniques to further thwart higher-order attacks. Our work shows that extremely fast and secure implementations of post-quantum public-key encryption are possible on constrained devices, and we give evidence that ring-LWE-based schemes are highly suitable for implementation on smart cards due to the large amount of linear operations. Even with conservative parameter choices (n = 1024, q = 12289) for ring-LWE encryption we obtain 243 bits of quantum security based on a recently established model. Our implementation requires 1,222,054 cycles for encryption and 2,372,242 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. Furthermore, the first-order security of our masked implementation is practically verified using the non-specific t-test evaluation methodology.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: CCA2-security, lattice-based cryptography, post-quantum, implementation, ARM Cortex-M4, masking
Contact author(s): tobias oder @ rub de
History:
  2018-01-23: last of 3 revisions
  2016-11-25: received
Short URL: https://ia.cr/2016/1109
License: Creative Commons Attribution (CC BY)