Masking the GLP Lattice-Based Signature Scheme at Any Order

  • Gilles Barthe
  • Sonia Belaïd
  • Thomas Espitau
  • Pierre-Alain Fouque
  • Benjamin Grégoire
  • Mélissa Rossi
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)

Abstract

Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now.

In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.
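The abstract says the scheme is masked with arithmetic shares and that the hard part is the non-linear, randomised portion (rejection sampling), which needs conversion to Boolean masking. The following added example, which is not code from the paper or its proof-of-concept implementation, shows the easy half concretely: an order-d arithmetic masking over Z_q[x]/(x^n + 1) in which the linear part of a GLP-style signature, z = s*c + y, is computed purely share-wise, followed by the unmasked norm-bound test that marks where the paper's arithmetic-to-Boolean conversion would have to take over. Assumptions not stated on this page: the modulus Q = 8383489 is the GLP-I value as I recall it from the CHES 2012 paper (nothing in the code depends on that choice), n is kept tiny so schoolbook multiplication stays fast (GLP uses n = 512), and the random polynomial y is sampled in the clear and then shared, which is a simplification the paper does not make.

```python
# Added example: order-d arithmetic masking of the linear part of a
# GLP-style signature, z = s*c + y, over Z_q[x]/(x^n + 1).
# Not code from the paper. Q is the GLP-I modulus as remembered from the
# CHES 2012 paper (an assumption); the code works for any modulus q.
import secrets

Q = 8383489  # assumed GLP-I modulus, see lead-in


def poly_mul(a, b, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n wraps around to -1."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def share_poly(s, d, q=Q):
    """Split s into d+1 arithmetic shares: d uniform ones, the last fixes the sum."""
    n = len(s)
    shares = [[secrets.randbelow(q) for _ in range(n)] for _ in range(d)]
    last = [(s[i] - sum(sh[i] for sh in shares)) % q for i in range(n)]
    return shares + [last]


def unshare_poly(shares, q=Q):
    n = len(shares[0])
    return [sum(sh[i] for sh in shares) % q for i in range(n)]


def masked_add(A, B, q=Q):
    """Addition of two masked polynomials is share-wise; no cross-share terms."""
    return [poly_add(a, b, q) for a, b in zip(A, B)]


def masked_mul_public(A, c, q=Q):
    """Multiplying a masked polynomial by a PUBLIC polynomial c is share-wise too."""
    return [poly_mul(a, c, q) for a in A]


def refresh(A, q=Q):
    """Re-randomise a sharing by adding a fresh sharing of zero (secret unchanged)."""
    return masked_add(A, share_poly([0] * len(A[0]), len(A) - 1, q), q)


def masked_linear_part(S, c, Y, q=Q):
    """z = s*c + y on shares only: no share of s or y is ever recombined."""
    return refresh(masked_add(masked_mul_public(S, c, q), Y, q), q)


def centered(x, q=Q):
    """Representative of x in (-q/2, q/2], needed for the norm-bound test."""
    x %= q
    return x - q if x > q // 2 else x


def needs_rejection(z, bound, q=Q):
    """UNMASKED GLP-style test: reject if any |z_i| exceeds the bound.

    This comparison is the non-linear step. In the masked scheme it has to run
    on Boolean shares after an arithmetic-to-Boolean conversion, which is the
    part of the paper this example deliberately does not reproduce.
    """
    return any(abs(centered(zi, q)) > bound for zi in z)


if __name__ == "__main__":
    n, d, k = 8, 3, 2 ** 14          # toy degree, masking order, y-range
    s = [secrets.randbelow(3) - 1 for _ in range(n)]     # coefficients in {-1,0,1}
    c = [secrets.randbelow(2) for _ in range(n)]         # public challenge, {0,1}
    y = [secrets.randbelow(2 * k + 1) - k for _ in range(n)]
    S, Y = share_poly(s, d), share_poly(y, d)
    z = unshare_poly(masked_linear_part(S, c, Y))
    assert z == poly_add(poly_mul(s, c), y)
    print("shares per value:", d + 1)
    print("z (centered):", [centered(zi) for zi in z])
    print("reject:", needs_rejection(z, k - 32))
```

The point to take from it: every operation that is linear over Z_q (addition, multiplication by a public polynomial, refresh) costs d+1 times the unmasked work and never touches a recombined secret, so the masking order is a parameter rather than a redesign. The moment the signer has to ask "is |z_i| small enough?", that property breaks, because the comparison is not linear in the shares. That boundary is exactly where the abstract's arithmetic-to-Boolean conversion and its notion of public outputs (the rejection decision itself is revealed) come in.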

Keywords

Side-channel, Masking, GLP, Lattice-based signature

Notes

Acknowledgements

We are indebted to Vadim Lyubashevsky for fruitful discussions, and to the reviewers of EUROCRYPT for their useful comments. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ. This work is also partially supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and ONR Grant N000141512750.

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
  2. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
  3. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_18
  4. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y., Zucchini, R.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 116–129. ACM Press, October 2016
  5. Barthe, G., Belaïd, S., Espitau, T., Fouque, P.-A., Grégoire, B., Rossi, M., Tibouchi, M.: Masking the GLP lattice-based signature scheme at any order. Cryptology ePrint Archive (2018). http://eprint.iacr.org/. Full version of this paper
  6. Bindel, N., Buchmann, J.A., Krämer, J.: Lattice-based signature schemes and their sensitivity to fault attacks. In: Maurine, P., Tunstall, M. (eds.) FDTC 2016, pp. 63–77. IEEE Computer Society (2016)
  7. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3
  8. Chopra, A.: GLYPH: a new insantiation of the GLP digital signature scheme. Cryptology ePrint Archive, Report 2017/766 (2017). http://eprint.iacr.org/2017/766
  9. Chopra, A.: Software implementation of GLYPH. GitHub repository (2017). https://github.com/quantumsafelattices/glyph
  10. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_25
  11. Coron, J.-S.: High-order conversion from Boolean to arithmetic masking. Cryptology ePrint Archive, Report 2017/252 (2017). http://eprint.iacr.org/2017/252
  12. Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to Boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_7
  13. Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between Boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_11
  14. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_24
  15. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
  16. Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: digital signatures from module lattices. Cryptology ePrint Archive, Report 2017/633 (2017). http://eprint.iacr.org/2017/633
  17. Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Loop-abort faults on lattice-based Fiat-Shamir and hash-and-sign signatures. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 140–158. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_8
  18. Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 17, pp. 1857–1874. ACM Press, October/November 2017
  19. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008
  20. Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, Gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_16
  21. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31
  22. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
  23. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
  24. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
  25. Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. Cryptology ePrint Archive, Report 2016/1109 (2016). http://eprint.iacr.org/2016/1109
  26. Pessl, P., Bruinderink, L.G., Yarom, Y.: To BLISS-B or not to be: attacking strongSwan’s implementation of post-quantum signatures. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 17, pp. 1843–1855. ACM Press, October/November 2017
  27. Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_20
  28. Reparaz, O., de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Additively homomorphic ring-LWE masking. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 233–244. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_15
  29. Reparaz, O., Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: A masked ring-LWE implementation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 683–702. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_34
  30. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_28

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Gilles Barthe (1)
  • Sonia Belaïd (2)
  • Thomas Espitau (3)
  • Pierre-Alain Fouque (4)
  • Benjamin Grégoire (5)
  • Mélissa Rossi (6, 7)
  • Mehdi Tibouchi (8)

  1. IMDEA Software Institute, Madrid, Spain
  2. CryptoExperts, Paris, France
  3. UPMC, Paris, France
  4. Univ Rennes, Rennes, France
  5. Inria Sophia Antipolis, Sophia Antipolis, France
  6. Thales, Paris, France
  7. Département d’informatique de l’École normale supérieure de Paris, CNRS, PSL Research University, INRIA, Paris, France
  8. NTT Secure Platform Laboratories, Tokyo, Japan