, sk = ((s 1,i ) 0?i?d , (s 2,i ) 0?i?d ) Result: Signature ? 1 (y 1,i ) 0?i?d ? DG(k, d) 2 (y 2,i ) 0?i?d ? DG(k, d) 3 (r i ), Algorithm 5: mSign Data: m, pk = (a, t)

, ? hash(r, m) 6 (z 1,i ) 0?i?d ?H 1 (c, (s 1,i ) 0?i?d , (y 1,i ) 0?i?d )

, ,i ) 0?i?d ?H 1 (c, (s 2,i ) 0?i?d , (y 2,i ) 0?i?d )

?. Rejsp and . Rs, ,i ) 0?i?d , (z 2,i ) 0?i?d , k ? ?)

, Algorithm 6: mKD Result: Signing key sk, veriication key pk 1 (s 1,i ) 0?i?d ? DG(1, d)

, ? H 1 (a, (s 1,i ) 0?i?d , (s 2,i ) 0?i?d )

M. Abdalla, J. H. An, M. Bellare, and C. Namprempre, From identiication to signatures via the FiatShamir transform: Minimizing assumptions for security and forward-security, LNCS, vol.2332, pp.418-433, 2002.

S. Bai and S. D. Galbraith, An improved compression technique for signatures based on learning with errors, LNCS, vol.8366, pp.28-47, 2014.
DOI : 10.1007/978-3-319-04852-9_2

G. Barthe, S. Bela¨?dbela¨?d, F. Dupressoir, P. Fouque, B. Grégoire et al., Veriied proofs of higherorder masking, EUROCRYPT 2015, Part I, vol.9056, pp.457-485, 2015.

G. Barthe, S. Bela¨?dbela¨?d, F. Dupressoir, P. Fouque, B. Grégoire et al., Strong noninterference and type-directed higher-order masking, ACM CCS 16, pp.116-129, 2016.
DOI : 10.1145/2976749.2978427
URL : https://hal.archives-ouvertes.fr/hal-01410216

C. Baum, I. Damgåard, S. Oechsner, and C. Peikert, EEcient commitments and zero-knowledge protocols from Ring-SIS with applications to laaice-based threshold cryptosystems, Cryptology ePrint Archive, 2016.

M. Bellare and G. Neven, Multi-signatures in the plain public-key model and a general forking lemma, ACM CCS 06, pp.390-399, 2006.

N. Bindel, J. A. Buchmann, and J. Krämer, Laaice-based signature schemes and their sensitivity to fault aaacks, pp.63-77, 2016.
DOI : 10.1109/fdtc.2016.11

L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, Flush, gauss, and reload-A cache aaack on the BLISS laaice-based signature scheme, LNCS, vol.9813, pp.323-345, 2016.

S. Chari, J. R. Rao, and P. Rohatgi, Template aaacks, LNCS, vol.2523, pp.13-28, 2002.

A. Chopra, GLYPH: A new insantiation of the GLP digital signature scheme. Cryptology ePrint Archive, 2017.

A. Chopra, Sooware implementation of GLYPH. GitHub repository, 2017.

J. Coron, Higher order masking of look-up tables, LNCS, vol.8441, pp.441-458, 2014.
DOI : 10.1007/978-3-642-55220-5_25
URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-55220-5_25.pdf

J. Coron, High-order conversion from boolean to arithmetic masking, Cryptology ePrint Archive, 2017.
DOI : 10.1007/978-3-319-66787-4_5
URL : http://orbilu.uni.lu/bitstream/10993/34588/1/252.pdf

J. Coron, J. Großschädl, M. Tibouchi, and P. K. Vadnala, Conversion from arithmetic to Boolean masking with logarithmic complexity, LNCS, vol.9054, pp.130-149, 2015.
DOI : 10.1007/978-3-662-48116-5_7
URL : http://eprint.iacr.org/2014/891.pdf

J. Coron, J. Großschädl, and P. K. Vadnala, Secure conversion between Boolean and arithmetic masking of any order, LNCS, vol.8731, pp.188-205, 2014.
DOI : 10.1007/978-3-662-44709-3_11

A. Duc, S. Dziembowski, and S. Faust, Unifying leakage models: From probing aaacks to noisy leakage, LNCS, vol.8441, pp.423-440, 2014.
DOI : 10.1007/s00145-018-9284-1
URL : https://link.springer.com/content/pdf/10.1007%2Fs00145-018-9284-1.pdf

L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, Laaice signatures and bimodal Gaussians, CRYPTO 2013, Part I, vol.8042, pp.40-56, 2013.
DOI : 10.1007/978-3-642-40041-4_3
URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-40041-4_3.pdf

L. Ducas, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler et al., CRYSTALS-dilithium: Digital signatures from module laaices. Cryptology ePrint Archive, 2017.

T. Espitau, P. Fouque, B. Gérard, and M. Tibouchi, Loop-abort faults on laaice-based Fiat-Shamir and hash-and-sign signatures, LNCS, vol.10532, pp.140-158, 2016.
DOI : 10.1007/978-3-319-69453-5_8

T. Espitau, P. Fouque, B. Gérard, and M. Tibouchi, Side-channel aaacks on BLISS laaice-based signatures: Exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers, ACM CCS 17, pp.1857-1874, 2017.
DOI : 10.1145/3133956.3134028
URL : https://hal.sorbonne-universite.fr/hal-01648080/file/main.pdf

C. Gentry, C. Peikert, and V. Vaikuntanathan, Trapdoors for hard laaices and new cryptographic constructions, 40th ACM STOC, pp.197-206, 2008.
DOI : 10.1145/1374376.1374407
URL : http://eprint.iacr.org/2007/432.pdf

S. Goldwasser, S. Micali, and R. L. Rivest, A digital signature scheme secure against adaptive chosenmessage aaacks, SIAM J. Comput, vol.17, issue.2, pp.281-308, 1988.

T. Güneysu, V. Lyubashevsky, and T. Pöppelmann, Practical laaice-based cryptography: A signature scheme for embedded systems, CHES 2012, vol.7428, pp.530-547, 2012.

Y. Ishai, A. Sahai, and D. Wagner, Private circuits: Securing hardware against probing aaacks, LNCS, vol.2729, pp.463-481, 2003.

V. Lyubashevsky, Fiat-Shamir with aborts: Applications to laaice and factoring-based signatures, LNCS, vol.5912, pp.598-616, 2009.

V. Lyubashevsky, Laaice signatures without trapdoors, LNCS, vol.7237, pp.738-755, 2012.

T. Oder, T. Schneider, T. Pöppelmann, and T. Güneysu, Algorithm 29: GLP masked signature with commitment Data: m, pk = (a, t), sk = (s 1,i ) 0?i?d , (s 2,i ) 0?i?d , ck Result: Signature ? 1 (y 1,i ) 0?i?d ? DG(k, d) 2 (y 2,i ), 1109.

, 1,i ) 0?i?d , (f 2,i ) 0?i?d )? Comm

?. Fulladd, 1,i ) 0?i?d )

?. Fulladd, ,i ) 0?i?d )

, m) 11 (z 1,i ) 0?i?d ?H 1 (c, (s 1,i ) 0?i?d , (y 1,i ) 0?i?d ) 12 (z 2,i ) 0?i?d ?H 1 (c, (s 2,i ) 0?i?d, p.0

?. Rejsp and . Rs, ,i ) 0?i?d , k ? ?) set I with at most ? indices in [0, d] such that the distribution of any tuple (v 1 , ..., v ? ) of intermediate variables of the block can be perfectly simulated from the sensitive values

, At the end, any set of ? ? d intermediate variables can be perfectly simulated with at most ? shares of each sensitive input. is is enough to prove that Comm is d-NI secure, Algorithm, vol.30, p.0

, i ) 0?i?d ) ? 0 2d 2 for i = 0, ..., d + 1 do 3 f 1,i ? ck 1, p.0

, From Lemmas 6,7, 9 and 16 Algorithms DG, RS, H 1 , H 2 and Comm are all d-NI, From Lemma, vol.8