Practical CCA2-Secure and Masked Ring-LWE Implementation

Abstract: During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a postquantum variant of th… Show more

“…In fact, skipping this check was previously proposed by Valencia et al [VOGR18] in the context of their fault attacks. The need to protect the check was also noted by Oder et al [OSPG18] and by Bauer et al [BGRR19].…”

“…One possible way of building such a masked decoder was presented by Oder et al [OSPG18], who describe a fully masked implementation of an LPR-like lattice KEM. Similar to NewHope, their custom KEM encodes each message bit onto multiple polynomial coefficients.…”

“…Then, the shares are transformed, from arithmetically mod q to arithmetically mod 2 bits , where bits = log 2 q + 1. For the details of this transform, we refer to the original paper [OSPG18]. After subtracting q/2 (mod 2 bits ) from one of the shares and performing a final arithmetic-to-boolean mask conversion, a masked representation of the decoded message bit can be retrieved by selecting the MSBs of the shares.…”

“…While we do not claim that all masked implementations are susceptible, we demonstrate that masking as such does not hamper our attack. We do so by adapting the attack to the masked decoder of Oder et al [OSPG18], which we introduced in Section 2.5.…”

“…Visualization of the effect of skipping the first subtraction in the masked decoder of Oder et al[OSPG18] …”

Fault Attacks on CCA-secure Lattice KEMs

“…In fact, skipping this check was previously proposed by Valencia et al [VOGR18] in the context of their fault attacks. The need to protect the check was also noted by Oder et al [OSPG18] and by Bauer et al [BGRR19].…”

“…One possible way of building such a masked decoder was presented by Oder et al [OSPG18], who describe a fully masked implementation of an LPR-like lattice KEM. Similar to NewHope, their custom KEM encodes each message bit onto multiple polynomial coefficients.…”

“…Then, the shares are transformed, from arithmetically mod q to arithmetically mod 2 bits , where bits = log 2 q + 1. For the details of this transform, we refer to the original paper [OSPG18]. After subtracting q/2 (mod 2 bits ) from one of the shares and performing a final arithmetic-to-boolean mask conversion, a masked representation of the decoded message bit can be retrieved by selecting the MSBs of the shares.…”

“…While we do not claim that all masked implementations are susceptible, we demonstrate that masking as such does not hamper our attack. We do so by adapting the attack to the masked decoder of Oder et al [OSPG18], which we introduced in Section 2.5.…”

“…Visualization of the effect of skipping the first subtraction in the masked decoder of Oder et al[OSPG18] …”

Fault Attacks on CCA-secure Lattice KEMs

Efficiently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto

More Practical Single-Trace Attacks on the Number Theoretic Transform