Cryptology ePrint Archive: Report 2016/1109

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder and Tobias Schneider and Thomas Pöppelmann and Tim Güneysu

Abstract: During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a postquantum variant of the Fujisaki-Okamoto (FO) transform combined with provably secure first-order masking. To protect the key and message during decryption, we developed a masked binomial sampler that secures the re-encryption process required by FO. Our work shows that CCA2-secured RLWE-based encryption can be achieved with reasonable performance on constrained devices but also stresses that the required transformation and handling of decryption errors implies a performance overhead that has been overlooked by the community so far. With parameters providing 233 bits of quantum security, our implementation requires 4,176,684 cycles for encryption and 25,640,380 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. The first-order security of our masked implementation is also practically verified using the non-specific t-test evaluation methodology.

Category / Keywords: public-key cryptography / CCA2-security, lattice-based cryptography, post-qunatum, implementation, ARM Cortex-M4, masking

Original Publication (in the same form): IACR-CHES-2018

Date: received 24 Nov 2016, last revised 23 Jan 2018

Contact author: tobias oder at rub de

Available format(s): PDF | BibTeX Citation

Version: 20180123:112800 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]