Algorithm 5: mSign Data: m, pk = (a, t), sk = ((s 1,i ) 0≤i≤d , (s 2,i ) 0≤i≤d ) Result: Signature ? 1 (y 1,i ) 0≤i≤d ← DG(k, d) 2 (y 2,i ) 0≤i≤d ← DG(k, d) 3 (r i ),
, ← hash(r, m) 6 (z 1,i ) 0≤i≤d ← H 1 (c, (s 1,i ) 0≤i≤d , (y 1,i ) 0≤i≤d )
, ,i ) 0≤i≤d ← H 1 (c, (s 2,i ) 0≤i≤d , (y 2,i ) 0≤i≤d )
,i ) 0≤i≤d , (z 2,i ) 0≤i≤d , k ? ?) ,
, Algorithm 6: mKD Result: Signing key sk, verification key pk 1 (s 1,i ) 0≤i≤d ← DG(1, d)
, ← H 1 (a, (s 1,i ) 0≤i≤d , (s 2,i ) 0≤i≤d )
From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security, LNCS, vol.2332, pp.418-433, 2002.
An improved compression technique for signatures based on learning with errors, LNCS, vol.8366, pp.28-47, 2014.
DOI : 10.1007/978-3-319-04852-9_2
Verified proofs of higher-order masking, EUROCRYPT 2015, Part I, vol.9056, pp.457-485, 2015.
Strong non-interference and type-directed higher-order masking, ACM CCS 16, pp.116-129, 2016.
DOI : 10.1145/2976749.2978427
URL : https://hal.archives-ouvertes.fr/hal-01410216
Efficient commitments and zero-knowledge protocols from Ring-SIS with applications to lattice-based threshold cryptosystems, Cryptology ePrint Archive, 2016.
Multi-signatures in the plain public-key model and a general forking lemma, ACM CCS 06, pp.390-399, 2006.
Lattice-based signature schemes and their sensitivity to fault attacks, pp.63-77, 2016.
DOI : 10.1109/fdtc.2016.11
Flush, gauss, and reload - A cache attack on the BLISS lattice-based signature scheme, LNCS, vol.9813, pp.323-345, 2016.
Template attacks, LNCS, vol.2523, pp.13-28, 2002.
GLYPH: A new insantiation of the GLP digital signature scheme. Cryptology ePrint Archive, 2017.
Software implementation of GLYPH. GitHub repository, 2017.
Higher order masking of look-up tables, LNCS, vol.8441, pp.441-458, 2014.
DOI : 10.1007/978-3-642-55220-5_25
URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-55220-5_25.pdf
High-order conversion from boolean to arithmetic masking, Cryptology ePrint Archive, 2017.
DOI : 10.1007/978-3-319-66787-4_5
URL : http://orbilu.uni.lu/bitstream/10993/34588/1/252.pdf
Conversion from arithmetic to Boolean masking with logarithmic complexity, LNCS, vol.9054, pp.130-149, 2015.
DOI : 10.1007/978-3-662-48116-5_7
URL : http://eprint.iacr.org/2014/891.pdf
Secure conversion between Boolean and arithmetic masking of any order, LNCS, vol.8731, pp.188-205, 2014.
DOI : 10.1007/978-3-662-44709-3_11
Unifying leakage models: From probing attacks to noisy leakage, LNCS, vol.8441, pp.423-440, 2014.
DOI : 10.1007/s00145-018-9284-1
URL : https://link.springer.com/content/pdf/10.1007%2Fs00145-018-9284-1.pdf
Lattice signatures and bimodal Gaussians, CRYPTO 2013, Part I, vol.8042, pp.40-56, 2013.
DOI : 10.1007/978-3-642-40041-4_3
URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-40041-4_3.pdf
CRYSTALS-dilithium: Digital signatures from module lattices. Cryptology ePrint Archive, 2017.
Loop-abort faults on lattice-based Fiat-Shamir and hash-and-sign signatures, LNCS, vol.10532, pp.140-158, 2016.
DOI : 10.1007/978-3-319-69453-5_8
Side-channel attacks on BLISS lattice-based signatures: Exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers, ACM CCS 17, pp.1857-1874, 2017.
DOI : 10.1145/3133956.3134028
URL : https://hal.sorbonne-universite.fr/hal-01648080/file/main.pdf
Trapdoors for hard lattices and new cryptographic constructions, 40th ACM STOC, pp.197-206, 2008.
DOI : 10.1145/1374376.1374407
URL : http://eprint.iacr.org/2007/432.pdf
A digital signature scheme secure against adaptive chosen-message attacks, SIAM J. Comput, vol.17, issue.2, pp.281-308, 1988.
Practical lattice-based cryptography: A signature scheme for embedded systems, CHES 2012, vol.7428, pp.530-547, 2012.
Private circuits: Securing hardware against probing attacks, LNCS, vol.2729, pp.463-481, 2003.
Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures, LNCS, vol.5912, pp.598-616, 2009.
Lattice signatures without trapdoors, LNCS, vol.7237, pp.738-755, 2012.
Algorithm 29: GLP masked signature with commitment Data: m, pk = (a, t), sk = (s 1,i ) 0≤i≤d , (s 2,i ) 0≤i≤d , ck Result: Signature ? 1 (y 1,i ) 0≤i≤d ← DG(k, d) 2 (y 2,i ), 1109. ,
, 1,i ) 0≤i≤d , (f 2,i ) 0≤i≤d ) ← Comm
1,i ) 0≤i≤d ) ,
,i ) 0≤i≤d ) ,
, m) 11 (z 1,i ) 0≤i≤d ← H 1 (c, (s 1,i ) 0≤i≤d , (y 1,i ) 0≤i≤d ) 12 (z 2,i ) 0≤i≤d ← H 1 (c, (s 2,i ) 0≤i≤d, p.0
,i ) 0≤i≤d , k ? ?) set I with at most ? indices in [0, d] such that the distribution of any tuple (v 1 , ..., v ? ) of intermediate variables of the block can be perfectly simulated from the sensitive values ,
, At the end, any set of ? ? d intermediate variables can be perfectly simulated with at most ? shares of each sensitive input. This is enough to prove that Comm is d-NI secure, Algorithm, vol.30, p.0
, i ) 0≤i≤d ) ← 0 2d 2 for i = 0, ..., d + 1 do 3 f 1,i ← ck 1, p.0
, From Lemmas 6, 7, 9 and 16 Algorithms DG, RS, H 1 , H 2 and Comm are all d-NI, From Lemma, vol.8