{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T00:45:29Z","timestamp":1768610729730,"version":"3.49.0"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","issue":"1","license":[{"start":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T00:00:00Z","timestamp":1768521600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["TCHES"],"abstract":"<jats:p>We present SUCRE, a novel countermeasure designed to physically protect the rejection sampling step of ML-DSA, one of the post-quantum signature schemes standardized by NIST. At the core of SUCRE is a masking gadget that securely unmasks a vector while simultaneously applying a random permutation of its coefficients. This lightweight mechanism preserves the vector\u2019s infinity norm, enabling rejection sampling to proceed as usual without requiring any complex mask conversions. We formally prove that a d-probing adversary can learn at most some permuted rejected values\u2014information which, we show, should remain insufficient to endanger the security of the signature scheme. This security argument relies on a new variant of the Module Learning with Rounding (MLWR) assumption, for which we provide a dedicated concrete security analysis to assess its hardness relative to the standard MLWR assumption. Our implementation of SUCRE achieves a significant performance improvement over previous masked non-bitsliced implementations of rejection sampling\u2014delivering four to six times faster execution than Coron et al. (TCHES 2024)\u2014albeit at the cost of increased memory usage. 
Since the rejection step accounts for approximately 25% of the total runtime in masked ML-DSA implementations, and given the expected adoption of ML-DSA on embedded platforms, this speedup could significantly enhance efficiency in real-world applications.<\/jats:p>","DOI":"10.46586\/tches.v2026.i1.618-659","type":"journal-article","created":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:14:24Z","timestamp":1768576464000},"page":"618-659","source":"Crossref","is-referenced-by-count":0,"title":["ML-DSA masking sweetened with SUCRE: Shuffle-and-Unmask Countermeasure for REjection sampling"],"prefix":"10.46586","volume":"2026","author":[{"given":"Sonia","family":"Bela\u00efd","sequence":"first","affiliation":[]},{"given":"Ryad","family":"Benadjila","sequence":"additional","affiliation":[]},{"given":"Julien","family":"Devevey","sequence":"additional","affiliation":[]},{"given":"Morgane","family":"Guerreau","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Legavre","sequence":"additional","affiliation":[]},{"given":"Ange","family":"Martinelli","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Ricosset","sequence":"additional","affiliation":[]},{"given":"Matthieu","family":"Rivain","sequence":"additional","affiliation":[]},{"given":"M\u00e9lissa","family":"Rossi","sequence":"additional","affiliation":[]}],"member":"25480","published-online":{"date-parts":[[2026,1,16]]},"container-title":["IACR Transactions on Cryptographic Hardware and Embedded 
Systems"],"original-title":[],"link":[{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12695\/12378","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12695\/12378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:14:24Z","timestamp":1768576464000},"score":1,"resource":{"primary":{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/view\/12695"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,16]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1,16]]}},"URL":"https:\/\/doi.org\/10.46586\/tches.v2026.i1.618-659","relation":{},"ISSN":["2569-2925"],"issn-type":[{"value":"2569-2925","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,16]]}}}