Cryptology ePrint Archive: Report 2019/910

Efficiently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto

Tobias Schneider and Clara Paglialonga and Tobias Oder and Tim GŁneysu

Abstract: With the rising popularity of lattice-based cryptography, the Learning with Errors (LWE) problem has emerged as a fundamental core of numerous encryption and key exchange schemes. Many LWE-based schemes have in common that they require sampling from a discrete Gaussian distribution which comes with a number of challenges for the practical instantiation of those schemes. One of these is the inclusion of countermeasures against a physical side-channel adversary. While several works discuss the protection of samplers against timing leaks, only few publications explore resistance against other side-channels, e.g., power. The most recent example of a protected binomial sampler (as used in key encapsulation mechanisms to sufficiently approximate Gaussian distributions) from CHES 2018 is restricted to a first-order adversary and cannot be easily extended to higher protection orders. In this work, we present the first protected binomial sampler which provides provable security against a side-channel adversary at arbitrary orders. Our construction relies on a new conversion between Boolean and arithmetic (B2A) masking schemes for prime moduli which outperforms previous algorithms significantly for the relevant parameters, and is paired with a new masked bitsliced sampler allowing secure and efficient sampling even at larger protection orders. Since our proposed solution supports arbitrary moduli, it can be utilized in a large variety of lattice-based constructions, like NewHope, LIMA, Saber, Kyber, HILA5, or Ding Key Exchange.

Category / Keywords: implementation / Masking, Post-quantum Cryptography

Original Publication (with minor differences): IACR-PKC-2019
DOI:
10.1007/978-3-030-17259-6_18

Date: received 7 Aug 2019

Contact author: tobias schneider-a7a at rub de

Available format(s): PDF | BibTeX Citation

Version: 20190808:064517 (All versions of this report)

Short URL: ia.cr/2019/910


[ Cryptology ePrint archive ]