Abstract

In recent years, public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications that assume strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a post-quantum variant of the Fujisaki-Okamoto (FO) transform combined with provably secure first-order masking. To protect the key and message during decryption, we developed a masked binomial sampler that secures the re-encryption process required by FO. Our work shows that CCA2-secured RLWE-based encryption can be achieved with reasonable performance on constrained devices, but it also stresses that the required transformation and the handling of decryption errors imply a performance overhead that has been overlooked by the community so far. With parameters providing 233 bits of quantum security, our implementation requires 4,176,684 cycles for encryption and 25,640,380 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. The first-order security of our masked implementation is also practically verified using the non-specific t-test evaluation methodology.
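A toy ring-LWE encryption wrapped in an FO-style re-encryption check, added here as an example (this is not the paper's code; the parameters N, Q, K, the SHA-256 domain separation and the explicit rejection on mismatch are my own assumptions). It shows why the decryption path must run the full encryption a second time, which is the step the paper's masked binomial sampler has to protect.

```python
import hashlib
import random
N, Q, K = 256, 7681, 8   # toy ring-LWE parameters (constructed; not the paper's set)

def polymul(a, b):       # schoolbook multiplication in Z_q[x]/(x^N + 1)
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                r[i + j] = (r[i + j] + ai * bj) % Q
            else:        # x^N = -1: wrapped coefficients get a sign flip
                r[i + j - N] = (r[i + j - N] - ai * bj) % Q
    return r
def padd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def psub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def binomial(rng):       # centered binomial noise: (sum of K bits) - (sum of K bits)
    return [(sum(rng.getrandbits(1) for _ in range(K))
             - sum(rng.getrandbits(1) for _ in range(K))) % Q for _ in range(N)]

def keygen(seed):        # pk = (a, b = a*s + e), sk = s
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    s, e = binomial(rng), binomial(rng)
    return (a, padd(polymul(a, s), e)), s

def encode(m):           # 32 message bytes -> N coefficients in {0, q/2}
    return [((m[i // 8] >> (i % 8)) & 1) * (Q // 2) for i in range(N)]
def decode(v):           # nearest of {0, q/2} per coefficient, back to 32 bytes
    bits = [1 if Q // 4 <= c < 3 * Q // 4 else 0 for c in v]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(32))

def encrypt_cpa(pk, m, coins):   # IND-CPA RLWE encryption, all randomness from `coins`
    a, b = pk
    rng = random.Random(coins)
    r, e1, e2 = binomial(rng), binomial(rng), binomial(rng)
    return padd(polymul(a, r), e1), padd(padd(polymul(b, r), e2), encode(m))
def decrypt_cpa(sk, ct):
    u, v = ct
    return decode(psub(v, polymul(u, sk)))
def H(tag, m, ct=()):            # domain-separated hash (my construction, not the paper's)
    return hashlib.sha256(tag + m + repr(ct).encode()).digest()
def encrypt_cca(pk, m):          # FO transform: encryption coins are derived from m
    ct = encrypt_cpa(pk, m, H(b"coins", m))
    return ct, H(b"key", m, ct)
def decrypt_cca(sk, pk, ct):     # decrypt, re-encrypt, reject on any mismatch
    m = decrypt_cpa(sk, ct)
    if encrypt_cpa(pk, m, H(b"coins", m)) != ct:   # also catches decryption failures
        return None              # explicit rejection (must be constant time in practice)
    return H(b"key", m, ct)
```

Tweaking a single ciphertext coefficient still decodes to the same message under plain CPA decryption, but the re-encryption comparison rejects it, which is exactly the check that makes the decryption path as expensive and as side-channel-sensitive as encryption.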

Highlights

  • Public-key encryption (PKE) is a fundamental asymmetric cryptographic primitive and plays an extremely important role in numerous applications and security protocols, such as key-transport or email encryption

  • In this work we address the aforementioned issues of ring-LWE PKE schemes that need to be considered before any widespread deployment of lattice-based cryptography can be initiated

  • In this work we presented a new instantiation of chosen-plaintext-attack (CPA)-secured ring-LWE encryption with masked decoding that outperforms previous proposals at a reduced decryption failure probability

Summary

Introduction

Public-key encryption (PKE) is a fundamental asymmetric cryptographic primitive and plays an extremely important role in numerous applications and security protocols, such as key transport or email encryption. Most applications deploy RSA- and ECC-based schemes that are known to be broken by powerful quantum computers running Shor’s polynomial-time algorithm [Sho94] on a sufficiently large number of qubits. Given that such large-scale quantum computers are expected to exist in the future, the effects would be devastating: ciphertexts protected by RSA or ECC and exchanged today could be stored and decrypted later by a malicious entity [1]. A practical advantage of ring-LWE-based encryption over NTRU is its relatively easy constant-time implementation and fast key generation, which are useful when constructing schemes for ephemeral key exchange (e.g., NewHope [ADPS16b] and BCNS [BCNS15]).
