
Arithmetic coding and blinding countermeasures for lattice signatures

Engineering a side-channel resistant post-quantum signature scheme with compact signatures

Regular Paper
Journal of Cryptographic Engineering

Abstract

We describe new arithmetic coding techniques and side-channel blinding countermeasures for lattice-based cryptography. Using these techniques, we develop a practical, compact, and more quantum-resistant variant of the BLISS Ideal Lattice Signature Scheme. We first show how the BLISS parameters and hash-based random oracle can be modified to be more secure against quantum pre-image attacks while optimizing signature size. Arithmetic Coding offers an information-theoretically optimal compression for stationary and memoryless sources, such as the discrete Gaussian distributions often present in lattice-based cryptography. We show that this technique gives better signature sizes than the previously proposed advanced Huffman-based signature compressors. We further demonstrate that arithmetic decoding from a uniform source to a target distribution is also an optimal non-uniform sampling method in the sense that a minimal amount of true random bits is required. Performance of this new Binary Arithmetic Coding sampler is comparable to other practical samplers. The same code, tables, or circuitry can be utilized for both tasks, eliminating the need for separate sampling and compression components. We then describe simple randomized blinding techniques that can be applied to anti-cyclic polynomial multiplication to mask timing and power-consumption side channels in ring arithmetic. We further show that the Gaussian sampling process can also be blinded by a split-and-permute technique as an effective countermeasure against side-channel attacks.
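As an added illustration (not code from the paper), the following Python shows one simple form of the randomized blinding the abstract describes for anti-cyclic polynomial multiplication: each operand is multiplied by a fresh random scalar and a fresh random power of x before the multiplier sees it, and the product is unmasked afterwards, so the timing and power profile of the inner multiplication depends on randomized rather than secret coefficients. The modulus q = 12289 and degree n = 512 are the standard BLISS-I values assumed here, and the function names are mine.

```python
import secrets

Q = 12289   # assumed BLISS-I modulus (prime); the ring is Z_q[x]/(x^n + 1), BLISS-I uses n = 512

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^n + 1); the wrap-around x^n = -1 makes it anti-cyclic."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                c[k] = (c[k] + ai * bj) % Q
            else:
                c[k - n] = (c[k - n] - ai * bj) % Q
    return c

def shift(a, s):
    """Multiply a by x^s in the anti-cyclic ring: rotate, flipping the sign on each wrap past n."""
    n = len(a)
    s %= 2 * n                     # x^(2n) = 1, and Python's % also normalises a negative s
    out = [0] * n
    for i, ai in enumerate(a):
        k, sign = i + s, 1
        while k >= n:
            k, sign = k - n, -sign
        out[k] = (sign * ai) % Q
    return out

def blinded_mul(a, b):
    """a*b computed on randomized operands, then unmasked.

    The multiplier only ever sees c1*x^s1*a and c2*x^s2*b with fresh random
    c1, c2 in Z_q^* and s1, s2 in [0, 2n), so its timing and power profile is
    decorrelated from the secret coefficients. Because the ring is commutative,
    the product is c1*c2*x^(s1+s2)*(a*b), and that mask is stripped off again.
    """
    n = len(a)
    c1 = secrets.randbelow(Q - 1) + 1   # Q is prime, so every non-zero scalar is invertible
    c2 = secrets.randbelow(Q - 1) + 1
    s1 = secrets.randbelow(2 * n)
    s2 = secrets.randbelow(2 * n)
    a_m = shift([(c1 * x) % Q for x in a], s1)
    b_m = shift([(c2 * x) % Q for x in b], s2)
    prod = poly_mul(a_m, b_m)
    inv = pow(c1 * c2, -1, Q)           # modular inverse of the scalar mask (Python 3.8+)
    return shift([(inv * x) % Q for x in prod], -(s1 + s2))
```

The unmasking step must itself be implemented with constant-time code, since the mask values s1, s2, c1, c2 are secrets for the duration of one multiplication.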


Notes

  1. Original BLISS reference implementations are available from: http://bliss.di.ens.fr/.

  2. strongSwan: https://wiki.strongswan.org/projects/strongswan/wiki/BLISS.



Corresponding author

Correspondence to Markku-Juhani O. Saarinen.

Additional information

Part of this work was funded by the European Union H2020 SAFEcrypto project (Grant No. 644729) while the author was visiting CSIT, Queen's University Belfast, UK.


Cite this article

Saarinen, M.-J.O.: Arithmetic coding and blinding countermeasures for lattice signatures. J. Cryptogr. Eng. 8, 71–84 (2018). https://doi.org/10.1007/s13389-017-0149-6
