All the ?_0 ≤ d observations made by the attacker of this last instance of Full? can be perfectly

first compute the absolute value of x and perform the masked test |x| ? param. This saves the need for a masked operation to aggregate both tests.

Data: The shared element (x_i)_{0≤i≤d} to check, in mod-q arithmetic masked representation; param.
Result: The bit rs, equal to 1 iff |x| ? param.

The rejection sampling is a succession of gadgets without cycle. Thus, for proving its d-NI security, it remains to prove the d-NIo or d-NI security of each of its gadgets: A q B, sec|.|, sec +q, and Full?. As seen before, A q B (Lemma 23), sec|.| (Lemma 25), Full? (Lemma 11) and sec + (Lemma 14) are d-NI. The is linear for Boolean masking, so it is d-NI. Thus, rejection sampling is d-NI.

Data: Integer x ∈ Z_q in arithmetic masked form (x_i)_{0≤i≤d}, param_1, param_2 and Tail, the number of least significant bits that are kept.
Result: wr = 1 iff (|x| ? param_1) ? (|x_Lst| ? param_2).

Lemma 28. The gadget WRnd-Coeff in Gadget 21 is d-NI secure.

Proof: A graphical representation of Gadget 21 is in Fig. A.6. Let ? ≤ d be the number of observations made by the attacker. Our goal is to prove that all these ? observations can be perfectly simulated with at most ? shares of (x_i)_{0≤i≤d}. In the following, we consider the following distribution of the attacker's ? observations: ?_1 observed during the computation of A q B that produces the shares of (x_i)_{0≤i≤d}, ?_2 observed during the computation of the upper sec|.| that produces the shares of (a_i)_{0≤i≤d}, ?_3 observed during the Refresh, ?_4 observed during the computations of the ? and sec|.| that produce the shares of (y_i)_{0≤i≤d}, ?_5 observed during the sec + that produces (a_i)_{0≤i≤d}, ?_6 observed during the sec +,