Masking ring-LWE

Abstract

In this paper, we propose a masking scheme to protect ring-LWE decryption from first-order side-channel attacks. In an unprotected ring-LWE decryption, the recovered plaintext is computed by first performing polynomial arithmetic on the secret key and then decoding the result. We mask the polynomial operations by arithmetically splitting the secret key polynomial into two random shares; the final decoding operation is performed using a new bespoke masked decoder. The outputs of our masked ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. Thus, the masking scheme keeps all intermediates, including the recovered plaintext, in the masked domain. We have implemented the masking scheme on both hardware and software. On a Xilinx Virtex-II FPGA, the masked ring-LWE processor requires around 2000 LUTs, a \(20~\%\) increase in the area with respect to the unprotected architecture. A masked decryption operation takes 7478 cycles, which is only a factor \(2.6\times \) larger than the unprotected decryption. On a 32-bit ARM Cortex-M4F processor, the masked software implementation costs around \(5.2\times \) more cycles than the unprotected implementation.

Appendices

Appendix A: Optimal values of \(\Delta _i\) for \(q=7681\)

$$\begin{aligned} \Delta (i)&= (960,1440,480,1680,240,720,1200,1800, \end{aligned}$$

(6)

$$\begin{aligned}&\qquad 120,360,600,840,1080,1320,1560,1860, \end{aligned}$$

(7)

$$\begin{aligned}&\qquad 60,180,300,420,540,660,780,900,1020, \end{aligned}$$

(8)

$$\begin{aligned}&\qquad 1140,1260,1380,1500,1620,1740,1890, \end{aligned}$$

(9)

$$\begin{aligned}&\qquad 30,90,150,210,270,330,390,450,510, \end{aligned}$$

(10)

$$\begin{aligned}&\qquad 570,630,690,750,810,870,930,990,1050, \end{aligned}$$

(11)

$$\begin{aligned}&\qquad 1110,1170,1230) \end{aligned}$$

(12)

These values were found by exhaustive first-order search. The value \(\Delta _i\) is chosen so that it maximizes the number of pairs that get decoded after i iterations.

Appendix B: Attack on half-masked variant

In this section, we analyze the security of a masked ring-LWE variant where the intermediates just before decoding are unmasked, and the decoding is performed in the unmasked domain. This alternative is definitely cheaper than full masking.

In the following, we provide evidence to show that this clearly does not provide enough security in our case.

(A seemingly similar situation appears in [5]. However, there are important differences—namely, it is not possible to choose ciphertexts. In the following, we are not analyzing the variant of [5], but only the half-masked ring-LWE.)

A common argument is that after key diffusion is complete, prediction of the intermediates is not possible and hence standard DPA attacks to the half-masked ring-LWE do not apply. We will see that this is not strictly true, if the attacker can choose ciphertexts.

Assume that the coefficients of the polynomial \(a={\text {INTT}}(r\cdot c_1 + c_2)\) appear unmasked in the implementation. Let the adversary collect measurements with the chosen ciphertext. The ciphertext \(c_1\) has the following structure: all the coefficients are fixed except \(c_1[0]\) that is randomly varying. The ciphertext \(c_2\) has the same structure. Then observe that due to linearity of the \({\text {INTT}}\) operation, a[0] can be written as \(a[0]=\alpha (r[0] \cdot c_1[0] + c_2[0]) + \beta \), where

• \(\alpha \) is a public constant determined by the \({\text {INTT}}\) transformation.

• \(\beta \) is a secret constant that is a function of the other (unknown) key coefficients \(r[1], \ldots , r[255]\). Note that by construction, \(\beta \) is constant within the set of collected traces.

Thus, an attacker can perform a DPA attack targeting the intermediate a[0] and placing predictions on \((r[0], \beta )\). The adversary recovers r[0] and proceeds to recover other key coefficients. We have verified this attack in simulations, even when using \({\text {th}}(a[i])\) as intermediate.

(It may seem that the high number of hypotheses, \(2^{26},\) may produce a cumbersome attack. However, one can apply techniques of partial correlation [6] to alleviate the computational effort of DPA on large word sizes [31]. We have experimented that in practice it makes sense to first recover r[0] (this is easier due to larger non-linearity of the modular multiplication) and then \(\beta \) (which may be harder due to the low non-linearity of the modular addition), splitting the \(2^{26}\) effort in two \(2^{13}\) steps.)

Appendix C: Generalization of the decoding scheme

Table 4 The rules for octant decoding

The probability of not hitting any rule can be reduced by increasing the number of rules, i.e., by splitting the domain of decoding into more than four sections. For example, in Table 4, the rules are shown for the case when the decoding domain is split into eight sections or octant. As seen from the table, the probability of not hitting a rule has reduced to 1 / 4. Hence to meet a same decryption failure rate, an octant decoder needs almost half the number of iterations as required by a quad decoder. However, there are overheads associated with an octant decoder when it is compared to a quad decoder: the number of comparisons to locate the position of a coefficient in the octant chart doubles and the sizes of the tables quadruple.