Practical CCA2-Secure and Masked Ring-LWE Implementation

Size: px

Start display at page:

Download "Practical CCA2-Secure and Masked Ring-LWE Implementation"

Shon Briggs
5 years ago
Views:

1 Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon Technologies AG, 4 DFKI CHES

2 Motiviation 2

3 Ring-LWE NIST post-quantum standardization project Various NIST submissions are based on Ring-LWE including NewHope LIMA (Kyber) 3

4 Ring-LWE NIST post-quantum standardization project Various NIST submissions are based on Ring-LWE including NewHope LIMA (Kyber) Previous work A masked ring-lwe implementation. O. Reparaz, S. Sinha Roy, F. Vercauteren, I. Verbauwhede. CHES 2015 Additively homomorphic ring-lwe masking. O. Reparaz, S. Sinha Roy, R. de Clercq, F. Vercauteren, I. Verbauwhede. PQCrypto

5 CCA2-Security Plain Ring-LWE encryption is only secure against chosenplaintext attackers (CPA) Many use cases require security against chosen-ciphertext attackers (CCA) Generic Fujisaki-Okamoto transform Assumes negligible decryption error Tweak by Targhi and Unruh for post-quantum security [TU16] Expensive re-encryption in decryption [TU16] E. E. Targhi and D. Unruh. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. TCC

6 CCA2-Security CCA2-secure Decryption 6

7 CCA2-Security CCA2-secure Decryption 7

8 CCA2-Security CCA2-secure Decryption 8

9 CCA2-Security CCA2-secure Decryption 9

10 Contribution 10

11 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation 11

12 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation Target platform ARM Cortex-M4 Constrained computing capabilities/memory 12

13 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation Target platform ARM Cortex-M4 Constrained computing capabilities/memory Secret-independent execution time as countermeasure against timing attacks Masking as countermeasure against Differential Power Analysis Boolean vs. arithmetic 13

14 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT p x + + c 2 Polynomial multiplication m encode Binomial sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 14

15 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash [BDPVA10] Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT straight-forward p x + + c 2 Polynomial multiplication m encode Binomial sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 [BDPVA10] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference,

16 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash [BDPVA10] Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT straight-forward p x + + c 2 Polynomial multiplication m encode Binomial Sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 [BDPVA10] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference,

17 Encoding 17

18 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 18

19 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 With bit bit = bit: coeff = bit q 2 coeff = bit q 2 19

20 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 With bit bit = bit: coeff = bit q 2 coeff = bit q 2 q is a odd q 2 + q 2 q Problem: Result is off by one if bit = 1 and bit = 1 20

21 Masked encoding Solution: Add bit bit to the result Compute bit bit by splitting into subshares bit 1 + bit 2 (bit (1) + bit 2 ) = bit (1) bit 1 + bit 1 bit 2 + bit (2) bit 1 + bit (2) bit 2 Use fresh randomness to securely sum the cross-products 21

22 Decoding 22

23 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 23

24 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 24

25 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 25

26 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 26

27 Binomial Sampler 27

28 Masked sampler Input: Boolean shares; Output: Arithmetic shares Count Hamming weight as σ 7 i=0 (bit i bit i ) 7 = σ i=0 bit i + bit i 2bit (i)bit (i) Compute bit (i) bit (i) by splitting into subshares 28

29 Results 29

30 Side-Channel Evaluation T-test evaluation of the decoding (example) Blue: first-order evaluation Dashed red: second-order evaluation 30

31 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 31

32 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 32

33 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 33

34 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 34

35 Conclusion First masking of a Ring-LWE-based scheme that covers CCA2-security with first-order proof New masked encoder & decoder New masked sampler Future work: Higher-order masking 35

36 Thank You For Your Attention!

Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto

Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto Tobias Schneider 1, Clara Paglialonga 2, Tobias Oder 3, and Tim Güneysu 3,4 1 ICTEAM/ELEN/Crypto Group, Université Catholique