Paper 2022/1188

High-order masking of NTRU

Jean-Sebastien Coron, University of Luxembourg
François Gérard, University of Luxembourg
Matthias Trannoy, IDEMIA
Rina Zeitoun, IDEMIA

The main protection against side-channel attacks consists in computing every function with multiple shares via the masking countermeasure. While the masking countermeasure was originally developed for securing block-ciphers such as AES, the protection of lattice-based cryptosystems is often more challenging, because of the diversity of the underlying algorithms. In this paper, we introduce new gadgets for the high-order masking of the NTRU cryptosystem, with security proofs in the classical ISW probing model. We then describe the first fully masked implementation of the NTRU Key Encapsulation Mechanism submitted to NIST, including the key generation. To assess the practicality of our countermeasures, we provide a concrete implementation on ARM Cortex-M3 architecture, and eventually a t-test leakage evaluation.

Available format(s)
Publication info
A minor revision of an IACR publication in TCHES 2023
High-order maskinglattice-based cryptographyNTRU
Contact author(s)
jean-sebastien coron @ uni lu
francois gerard @ uni lu
matthias trannoy @ idemia com
rina zeitoun @ idemia com
2023-05-21: last of 2 revisions
2022-09-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jean-Sebastien Coron and François Gérard and Matthias Trannoy and Rina Zeitoun},
      title = {High-order masking of NTRU},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1188},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.