Cryptology ePrint Archive: Report 2016/1109

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder and Tobias Schneider and Thomas Pöppelmann and Tim Güneysu

Abstract: In this work we provide the first practical instantiation of ring-LWE-based public-key encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel attacks (masking and hiding). We propose a novel provably first-order secure masking scheme that outperforms previous work and we combine this masking approach with blinding and shuffing techniques to further thwart higher-order attacks. Our work shows that extremely fast and secured implementations of postquantum public-key encryption are possible on constrained devices and we give evidence that ring-LWE-based schemes are highly suitable for implementations on smart cards due to the large amount of linear operations. Even with conservative parameter choices (n = 1024; q = 12289) for ring-LWE encryption we obtain 243 bits of quantum security based on a recently established model. Our implementation requires 1,222,054 cycles for encryption and 2,372,242 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. Furthermore, the first-order security of our masked implementation is practically verified using the non-specific t-test evaluation methodology.

Category / Keywords: public-key cryptography / CCA2-security, lattice-based cryptography, post-qunatum, implementation, ARM Cortex-M4, masking

Date: received 24 Nov 2016

Contact author: tobias oder at rub de

Available format(s): PDF | BibTeX Citation

Version: 20161125:140607 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]