Abstract
Now that the NIST’s post-quantum cryptography competition has entered in its second phase, the time has come to focus more closely on practical aspects of the candidates. While efficient implementations of the proposed schemes are somewhat included in the submission packages, certain issues like the threat of side-channel attacks are often lightly touched upon by the authors. Hence, the community is encouraged by the NIST to join the war effort to treat those peripheral, but nonetheless crucial, topics. In this paper, we study the lattice-based signature scheme qTESLA in the context of the masking countermeasure. Continuing a line of research opened by Barthe et al. at Eurocrypt 2018 with the masking of the GLP signature scheme, we extend and modify their work to mask qTESLA. Based on the work of Migliore et al. in ACNS 2019, we slightly modify the parameters to improve the masked performance while keeping the same security. The masking can be done at any order and specialized gadgets are used to get maximal efficiency at order 1. We implemented our countermeasure in the original code of the submission and performed tests at different orders to assess the feasibility of our technique.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The other condition on q in the parameters table of the submission is to enable the NTT.
- 2.
Note that the fault attacks is still possible in case of failure of the RNG picking r.
- 3.
Here too, the number of iterations of the gadget DG is ommited as a public output.
- 4.
To switch the RNG off, we just set the rand_uint32() function to return 0.
References
Alkim, E., et al.: The lattice-based digital signature scheme qTESLA. Cryptology ePrint archive, report 2019/085 (2019). https://eprint.iacr.org/2019/085
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_12
Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., et al. (ed.) ACM CCS 2016, pp. 116–129. ACM Press, October 2016
Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Blackman, D., Vigna, S.: Scrambled linear pseudorandom number generators. In: CoRR abs/1805.01407 (2018). arXiv:1805.01407
Bos, J.W., et al.: Fly, you fool! Faster Frodo for the ARM Cortex-M4. Cryptology ePrint archive, report 2018/1116 (2018). https://eprint.iacr.org/2018/1116
Bruinderink, L.G., Pessl, P.: Differential fault attacks on deterministic lattice signatures. IACR Trans. Cryptograph. Hardw. Embedded Syst. 2018(3), 21–43 (2018). https://tches.iacr.org/index.php/TCHES/article/view/7267
Coron, J.-S.: High-order conversion from boolean to arithmetic masking. Cryptology ePrint archive, report 2017/252 (2017). http://eprint.iacr.org/2017/252
Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_25
Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_11
Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_7
Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_24
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Ctyptograph. Hardw. Embedded Syst. 2018(1), 238–268 (2018). https://tches.iacr.org/index.php/TCHES/article/view/839
Gérard, F., Rossi, M.: An efficient and provable masked implementation of qTESLA. Cryptology ePrint archive, report 2019/606 (2019). https://eprint.iacr.org/2019/606
Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_2
Goudarzi, D., et al.: Unifying leakage models on a Rényi Day. Cryptology ePrint archive, report 2019/138 (2019). https://eprint.iacr.org/2019/138
Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Langlois, A., Stehlé, D.: Hardness of decision (R)LWE for any modulus. Cryptology ePrint archive, report 2012/091 (2012). http://eprint.iacr.org/2012/091
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Migliore, V., et al.: Masking Dilithium: efficient implementation and side-channel evaluation. Cryptology ePrint archive, report 2019/394 (2019). https://eprint.iacr.org/2019/394
M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_6
Poddebniak, D., et al.: Attacking deterministic signature schemes using fault attacks. Cryptology ePrint archive, report 2017/1014 (2017). http://eprint.iacr.org/2017/1014
qTESLA team. https://qtesla.org/
Acknowledgements
We thank Sonia Belaïd for interesting insights about the masking proofs. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ P14158. This work is also partially supported by the European Union’s H2020 Programme under PROMETHEUS project (grant 780701). This research has been partially funded by ANRT under the programs CIFRE N 2016/1583.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Gérard, F., Rossi, M. (2020). An Efficient and Provable Masked Implementation of qTESLA. In: Belaïd, S., Güneysu, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2019. Lecture Notes in Computer Science(), vol 11833. Springer, Cham. https://doi.org/10.1007/978-3-030-42068-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-42068-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42067-3
Online ISBN: 978-3-030-42068-0
eBook Packages: Computer ScienceComputer Science (R0)