### Masking Dilithium: Efficient Implementation and Side-Channel Evaluation

Vincent Migliore, Benoit Gérard, Mehdi Tibouchi, and Pierre-Alain Fouque

##### Abstract

Although security against side-channel attacks is not an explicit design criterion of the NIST post-quantum standardization effort, it is certainly a major concern for schemes that are meant for real-world deployment. In view of the numerous physical attacks that have been proposed against post-quantum schemes in recent literature, it is in particular very important to evaluate the cost and effectiveness of side-channel countermeasures in that setting. For lattice-based signatures, this work was initiated by Barthe et al., who showed at EUROCRYPT 2018 how to apply arbitrary order masking to the GLP signature scheme presented at CHES 2012 by Güneysu, Lyubashevsky and Pöppelman. However, although Barthe et al.’s paper provides detailed proofs of security in the probing model of Ishai, Sahai and Wagner, it does not include practical side-channel evaluations, and its proof-of-concept implementation has limited efficiency. Moreover, the GLP scheme has historical significance but is not a NIST candidate, nor is it being considered for concrete deployment. In this paper, we look instead at Dilithium, one of the most promising NIST candidates for postquantum signatures. This scheme, presented at CHES 2018 by Ducas et al. and based on module lattices, can be seen as an updated variant of both GLP and its more efficient sibling BLISS; it comes with an implementation that is both efficient and constant-time. Our analysis of Dilithium from a side-channel perspective is threefold. We first evaluate the side-channel resistance of an ARM Cortex-M3 implementation of Dilithium without masking, and identify exploitable side-channel leakage. We then describe how to securely mask the scheme, and verify that the masked implementation no longer leaks. Finally, we show how a simple tweak to Dilithium (namely, replacing the prime modulus by a power of two) makes it possible to obtain a considerably more efficient masked scheme, by a factor of 7.3 to 9 for the most time-consuming masking operations, without affecting security.

Note: This is the full version of a paper accepted to ACNS 2019. Difference mainly consists in the presence of detailed gadget in Appendix.

Available format(s)
Category
Implementation
Publication info
Published elsewhere. MAJOR revision.ACNS 2019
Contact author(s)
vincent migliore @ laas fr
benoit gerard @ irisa fr
History
2020-03-14: revised
See all versions
Short URL
https://ia.cr/2019/394

CC BY

BibTeX

@misc{cryptoeprint:2019/394,
author = {Vincent Migliore and Benoit Gérard and Mehdi Tibouchi and Pierre-Alain Fouque},
title = {Masking Dilithium: Efficient Implementation and Side-Channel Evaluation},
howpublished = {Cryptology ePrint Archive, Paper 2019/394},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/394}},
url = {https://eprint.iacr.org/2019/394}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.