CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM

Rapid advances in quantum computing, together with the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digitalsignature, encryption, and key-establishment protocols, have created significant interest in post-quantum cryptographic schemes. This paper introduces Kyber (part of CRYSTALS – Cryptographic Suite for Algebraic Lattices – a package submitted to NIST post-quantum standardization effort in November 2017), a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM), based on hardness assumptions over module lattices. Our KEM is most naturally seen as a successor to the NEWHOPE KEM (Usenix 2016). In particular, the key and ciphertext sizes of our new construction are about half the size, the KEM offers CCA instead of only passive security, the security is based on a more general (and flexible) lattice problem, and our optimized implementation results in essentially the same running time as the aforementioned scheme. We first introduce a CPA-secure public-key encryption scheme, apply a variant of the Fujisaki–Okamoto transform to create a CCA-secure KEM, and eventually construct, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes. The security of our primitives is based on the hardness of Module-LWE in the classical and quantum random oracle models, and our concrete parameters conservatively target more than 128 bits of postquantum security.

[1]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[2]  Shay Gueron,et al.  Speeding up R-LWE Post-quantum Key Exchange , 2016, NordSec.

[3]  Erdem Alkim,et al.  NewHope without reconciliation , 2016, IACR Cryptol. ePrint Arch..

[4]  Silas Richelson,et al.  On the Hardness of Learning with Rounding over Small Modulus , 2016, TCC.

[5]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[6]  Damien Stehlé,et al.  CRYSTALS-Kyber Algorithm Specifications And Supporting Documentation , 2017 .

[7]  Florence March,et al.  2016 , 2016, Affair of the Heart.

[8]  Peter Schwabe,et al.  High-speed key encapsulation from NTRU , 2017, IACR Cryptol. ePrint Arch..

[9]  Ronald Cramer,et al.  Short Stickelberger Class Relations and Application to Ideal-SVP , 2016, EUROCRYPT.

[10]  Tanja Lange,et al.  The Security Impact of a New Cryptographic Library , 2012, LATINCRYPT.

[11]  Craig Costello,et al.  Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE , 2016, IACR Cryptol. ePrint Arch..

[12]  Martin R. Albrecht,et al.  A Subfield Lattice Attack on Overstretched NTRU Assumptions - Cryptanalysis of Some FHE and Graded Encoding Schemes , 2016, CRYPTO.

[13]  Michael Alekhnovich More on Average Case vs Approximation Complexity , 2011, computational complexity.

[14]  Jung Hee Cheon,et al.  Lizard: Cut off the Tail! // Practical Post-Quantum Public-Key Encryption from LWE and LWR , 2018, IACR Cryptol. ePrint Arch..

[15]  Shu-jen H. Chang,et al.  SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash , 2016 .

[16]  Morris J. Dworkin,et al.  SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions , 2015 .

[17]  Abhishek Banerjee,et al.  Pseudorandom Functions and Lattices , 2012, EUROCRYPT.

[18]  Fang Song,et al.  Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields , 2016, SODA.

[19]  Daniele Micciancio,et al.  Generalized Compact Knapsacks Are Collision Resistant , 2006, ICALP.

[20]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[21]  Ronald Cramer,et al.  Recovering Short Generators of Principal Ideals in Cyclotomic Rings , 2016, EUROCRYPT.

[22]  William Whyte,et al.  Choosing Parameters for NTRUEncrypt , 2017, CT-RSA.

[23]  Jung Hee Cheon,et al.  A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE , 2016, IACR Cryptol. ePrint Arch..

[24]  Peter Schwabe,et al.  Software Speed Records for Lattice-Based Signatures , 2013, PQCrypto.

[25]  Ron Steinfeld,et al.  Efficient Public Key Encryption Based on Ideal Lattices , 2009, ASIACRYPT.

[26]  Jakob Jonsson,et al.  PKCS #1: RSA Cryptography Specifications Version 2.2 , 2016, RFC.

[27]  Thomas Wunderer,et al.  Revisiting the Hybrid Attack: Improved Analysis and Refined Security Estimates , 2016, IACR Cryptol. ePrint Arch..

[28]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[29]  Nick Howgrave-Graham,et al.  A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU , 2007, CRYPTO.

[30]  Zhengzhong Jin,et al.  Optimal Key Consensus in Presence of Noise , 2016, IACR Cryptol. ePrint Arch..

[31]  Jintai Ding,et al.  A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem , 2012, IACR Cryptol. ePrint Arch..

[32]  Adam Langley,et al.  ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) , 2016, RFC.

[33]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[34]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[35]  Takashi Yamakawa,et al.  Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model , 2018, IACR Cryptol. ePrint Arch..

[36]  J. Tukey,et al.  An algorithm for the machine calculation of complex Fourier series , 1965 .

[37]  Daniele Micciancio Improved cryptographic hash functions with worst-case/average-case connection , 2002, STOC '02.

[38]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[39]  Pierre-Alain Fouque,et al.  Revisiting Lattice Attacks on Overstretched NTRU Parameters , 2017, EUROCRYPT.

[40]  Douglas Stebila,et al.  Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project , 2016, SAC.

[41]  P. Campbell,et al.  SOLILOQUY: A CAUTIONARY TALE , 2014 .

[42]  Daniel Smith-Tone,et al.  Report on Post-Quantum Cryptography , 2016 .

[43]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[44]  Peter Schwabe,et al.  McBits: Fast Constant-Time Code-Based Cryptography , 2013, CHES.

[45]  Craig Costello,et al.  Efficient Algorithms for Supersingular Isogeny Diffie-Hellman , 2016, CRYPTO.

[46]  Abhishek Banerjee,et al.  SPRING: Fast Pseudorandom Functions from Rounded Ring Products , 2014, FSE.

[47]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[48]  Atsushi Fujioka,et al.  Strongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices , 2012, Public Key Cryptography.

[49]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[50]  Damien Stehlé,et al.  Worst-case to average-case reductions for module lattices , 2014, Designs, Codes and Cryptography.

[51]  Craig Gentry,et al.  (Leveled) fully homomorphic encryption without bootstrapping , 2012, ITCS '12.

[52]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[53]  Gregor Seiler,et al.  Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography , 2018, IACR Cryptol. ePrint Arch..

[54]  Tim Güneysu,et al.  Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware , 2013, Selected Areas in Cryptography.

[55]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[56]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[57]  Patrick Longa,et al.  Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography , 2016, CANS.

[58]  Chris Peikert,et al.  Lattice Cryptography for the Internet , 2014, PQCrypto.

[59]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[60]  R. Schoelkopf,et al.  Superconducting Circuits for Quantum Information: An Outlook , 2013, Science.

[61]  Christine van Vredendaal,et al.  A Quantum Attack on LWE with Arbitrary Error Distribution , 2017, IACR Cryptol. ePrint Arch..

[62]  Eike Kiltz,et al.  A Modular Analysis of the Fujisaki-Okamoto Transformation , 2017, TCC.

[63]  Jintai Ding,et al.  Authenticated Key Exchange from Ideal Lattices , 2015, EUROCRYPT.

[64]  Dominique Unruh,et al.  Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms , 2016, TCC.

[65]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[66]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[67]  Kenneth G. Paterson,et al.  Efficient One-Round Key Exchange in the Standard Model , 2008, ACISP.

[68]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[69]  J. Pollard,et al.  The fast Fourier transform in a finite field , 1971 .

[70]  Ron Steinfeld,et al.  Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather than the Statistical Distance , 2015, Journal of Cryptology.