Paper 2015/724

A masked ring-LWE implementation

Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede


Lattice-based cryptography has been proposed as a postquantum public-key cryptosystem. In this paper, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of our approach. The area of the protected architecture is around $2000$ LUTs, a $20\%$ increase with respect to the unprotected architecture. The protected implementation takes $7478$ cycles to compute, which is only a factor $\times2.6$ larger than the unprotected implementation.

Available format(s)
Publication info
A minor revision of an IACR publication in CHES 2015
post-quantum cryptographylattice-based cryptographyring-LWEmaskingside-channel analysisDPA
Contact author(s)
oscar reparaz @ esat kuleuven be
2015-07-21: received
Short URL
Creative Commons Attribution


      author = {Oscar Reparaz and Sujoy Sinha Roy and Frederik Vercauteren and Ingrid Verbauwhede},
      title = {A masked ring-LWE implementation},
      howpublished = {Cryptology ePrint Archive, Paper 2015/724},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.