Paper 2016/1109

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder, Tobias Schneider, Thomas Pöppelmann, and Tim Güneysu


During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a postquantum variant of the Fujisaki-Okamoto (FO) transform combined with provably secure first-order masking. To protect the key and message during decryption, we developed a masked binomial sampler that secures the re-encryption process required by FO. Our work shows that CCA2-secured RLWE-based encryption can be achieved with reasonable performance on constrained devices but also stresses that the required transformation and handling of decryption errors implies a performance overhead that has been overlooked by the community so far. With parameters providing 233 bits of quantum security, our implementation requires 4,176,684 cycles for encryption and 25,640,380 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. The first-order security of our masked implementation is also practically verified using the non-specific t-test evaluation methodology.

Available format(s)
Public-key cryptography
Publication info
Published by the IACR in TCHES 2018
CCA2-securitylattice-based cryptographypost-qunatumimplementationARM Cortex-M4masking
Contact author(s)
tobias oder @ rub de
2018-01-23: last of 3 revisions
2016-11-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Tobias Oder and Tobias Schneider and Thomas Pöppelmann and Tim Güneysu},
      title = {Practical {CCA2}-Secure and Masked Ring-{LWE} Implementation},
      howpublished = {Cryptology ePrint Archive, Paper 2016/1109},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.