Practical CCA2-Secure and Masked Ring-LWE Implementation

Authors

  • Tobias Oder Horst Görtz Institute for IT Security, Ruhr-Universität Bochum
  • Tobias Schneider ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain
  • Thomas Pöppelmann Infineon Technologies AG
  • Tim Güneysu Horst Görtz Institute for IT Security, Ruhr-Universität Bochum; DFKI

DOI:

https://doi.org/10.13154/tches.v2018.i1.142-174

Keywords:

Ideal Lattices, ring-LWE, CCA2 security, Masking, Hiding, Sampling, Implementation, ARM Cortex-M

Abstract

During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a postquantum variant of the Fujisaki-Okamoto (FO) transform combined with provably secure first-order masking. To protect the key and message during decryption, we developed a masked binomial sampler that secures the re-encryption process required by FO. Our work shows that CCA2-secured RLWE-based encryption can be achieved with reasonable performance on constrained devices but also stresses that the required transformation and handling of decryption errors implies a performance overhead that has been overlooked by the community so far. With parameters providing 233 bits of quantum security, our implementation requires 4,176,684 cycles for encryption and 25,640,380 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. The first-order security of our masked implementation is also practically verified using the non-specific t-test evaluation methodology.

Downloads

Published

2018-02-14

How to Cite

Oder, T., Schneider, T., Pöppelmann, T., & Güneysu, T. (2018). Practical CCA2-Secure and Masked Ring-LWE Implementation. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018(1), 142–174. https://doi.org/10.13154/tches.v2018.i1.142-174

Issue

Volume 2018, Issue 1

Section

Articles

License

Copyright (c) 2018 Tobias Oder, Tobias Schneider, Thomas Pöppelmann, Tim Güneysu

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.