CWI Cryptology Group

Abstract: Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. In this presentation, I will describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distribution would be prohibitively inefficient, we focused on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We showed how to provably mask it in the Ishai-Sahai-Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. I will extend the results to other Fiat—Shamir with aborts signatures and expose the new challenges. Blog article : http://risq.fr/?page_id=365&lang=en Presentation based on an extension of the following paper : https://eprint.iacr.org/2018/381.pdf