International Association for Cryptologic Research

International Association
for Cryptologic Research


High-order masking of NTRU

Jean-Sébastien Coron , University of Luxembourg, Luxembourg
François Gérard , University of Luxembourg, Luxembourg
Matthias Trannoy , University of Luxembourg, Luxembourg; IDEMIA, Cryptography & Security Labs, Courbevoie, France
Rina Zeitoun , IDEMIA, Cryptography & Security Labs, Courbevoie, France
DOI: 10.46586/tches.v2023.i2.180-211
Search ePrint
Search Google
Abstract: The main protection against side-channel attacks consists in computing every function with multiple shares via the masking countermeasure. While the masking countermeasure was originally developed for securing block-ciphers such as AES, the protection of lattice-based cryptosystems is often more challenging, because of the diversity of the underlying algorithms. In this paper, we introduce new gadgets for the high-order masking of the NTRU cryptosystem, with security proofs in the classical ISW probing model. We then describe the first fully masked implementation of the NTRU Key Encapsulation Mechanism submitted to NIST, including the key generation. To assess the practicality of our countermeasures, we provide a concrete implementation on ARM Cortex-M3 architecture, and eventually a t-test leakage evaluation.
  title={High-order masking of NTRU},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 2},
  author={Jean-Sébastien Coron and François Gérard and Matthias Trannoy and Rina Zeitoun},