Oscar Reparaz - NATO Workshop in Israel

Side-channel countermeasures for lattice-based post-quantum cryptographic implementations

Oscar Reparaz


Lattice-based cryptography has been proposed as a postquantum public-key crypto system.
In this talk I will describe two different side-channel countermeasures for ring-LWE (a post-quantum public-key crypto system based on lattices.)

In the first solution, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of our approach. The area of the protected architecture is around 2000 LUTs, a 20% increase with respect to the unprotected architecture. The protected implementation takes 7478 cycles to compute, which is only a factor ×2.6 larger than the unprotected implementation. This work was presented at CHES 2015.

The second approach exploits the additively-homomorphic property of the existing ring-LWE encryption schemes and computes an additive-mask as an encryption of a random message. Our solution differs in several aspects from the previous approach; most notably we do not require a masked decoder but work with a conventional, unmasked decoder. As such, we can secure a ring-LWE implementation using additive masking with minimal changes. Our masking scheme is also very generic in the sense that it can be applied to other additively-homomorphic encryption schemes. This work was published at PQCrypto 2016.