Round5: Compact and Fast Post-Quantum Public-Key Encryption

We present the ring-based configuration of the NIST submission Round5, a Ring Learning with Rounding (RLWR)-based IND-CPA secure public-key encryption scheme. It combines elements of the NIST candidates Round2 (use of RLWR as the underlying problem, and \(1+x+\ldots +x^n\) with \(n+1\) prime as reduction polynomial, allowing for a large design space) and HILA5 (the constant-time error-correction code XEf). Round5 performs part of encryption, and decryption, via multiplication in \(\mathbb {Z}_{p}[x]/(x^{n+1}-1)\), and uses secret-key polynomials that have a factor \((x-1)\). This technique reduces the failure probability and makes the correlation in the decryption error negligibly low. The latter allows the effective application of error correction through XEf to further reduce the failure rate and shrink parameters, improving both security and performance.
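The abstract's central trick is algebraic: because \((x-1)\cdot(1+x+\ldots+x^n) = x^{n+1}-1\), a secret polynomial divisible by \((x-1)\) annihilates \(\Phi_{n+1}(x)=1+x+\ldots+x^n\) in the cyclic ring \(\mathbb{Z}[x]/(x^{n+1}-1)\). A product \(b\cdot s\) can therefore be computed in the cyclic ring without first reducing \(b\) modulo \(\Phi_{n+1}\), and the result does not depend on which lift of \(b\) is used. The following Python is an added worked example written for this page; it is not code from the Round5 submission. The toy parameters (\(n=10\), \(q=64\)), the function names, and the sparse balanced ternary secret (equal numbers of \(+1\) and \(-1\), which forces \(s(1)=0\)) are assumptions made for illustration, not the scheme's actual parameter sets.

```python
"""Added example: why a secret with factor (x - 1) lets multiplication happen in
Z_q[x]/(x^{n+1} - 1) although keys are defined modulo Phi_{n+1}(x) = 1 + x + ... + x^n.

Identity: (x - 1) * Phi_{n+1}(x) = x^{n+1} - 1.
So if (x - 1) | s, then Phi_{n+1} * s == 0 in Z_q[x]/(x^{n+1} - 1), and
b * s mod (x^{n+1} - 1) is the same for every lift b + k * Phi_{n+1} of b.
Toy parameters n = 10, q = 64 are assumptions for readability only."""
import random

def poly_mul_cyclic(a, b, m, q):
    """Schoolbook product of coefficient lists a, b (length m) in Z_q[x]/(x^m - 1)."""
    out = [0] * m
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            out[(i + j) % m] = (out[(i + j) % m] + ai * bj) % q
    return out

def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def phi(n):
    """Phi_{n+1}(x) = 1 + x + ... + x^n as a length-(n+1) coefficient list."""
    return [1] * (n + 1)

def reduce_mod_phi(f, n, q):
    """Map f in Z_q[x]/(x^{n+1} - 1) to Z_q[x]/Phi_{n+1}: since
    x^n == -(1 + x + ... + x^{n-1}) mod Phi, subtract the top coefficient from all others.
    Note how one noisy coefficient f[n] is spread into every remaining coefficient."""
    top = f[n]
    return [(f[i] - top) % q for i in range(n)]

def evaluate_at_one(f, q):
    """f(1) mod q; f(1) == 0 exactly when (x - 1) divides f."""
    return sum(f) % q

def balanced_ternary_secret(n, h, rng):
    """Sparse ternary polynomial of length n+1 with h/2 coefficients +1 and h/2 -1.
    Balanced weights give s(1) = 0, hence (x - 1) | s.  (Constructed for this example.)"""
    assert h % 2 == 0 and h <= n + 1
    s = [0] * (n + 1)
    for idx, pos in enumerate(rng.sample(range(n + 1), h)):
        s[pos] = 1 if idx < h // 2 else -1
    return s

def lift_independent(s, b, k, n, q):
    """True iff b*s and (b + k*Phi)*s agree in Z_q[x]/(x^{n+1} - 1)."""
    m = n + 1
    b_alt = poly_add(b, poly_mul_cyclic(k, phi(n), m, q), q)
    return poly_mul_cyclic(b, s, m, q) == poly_mul_cyclic(b_alt, s, m, q)

def x_minus_one_times_phi_is_zero(n, q):
    """Check (x - 1) * Phi_{n+1} == 0 in the cyclic ring, i.e. equals x^{n+1} - 1."""
    x_minus_one = [q - 1, 1] + [0] * (n - 1)
    return poly_mul_cyclic(x_minus_one, phi(n), n + 1, q) == [0] * (n + 1)

if __name__ == "__main__":
    n, q = 10, 64
    rng = random.Random(2019)
    s = balanced_ternary_secret(n, 4, rng)
    b = [rng.randrange(q) for _ in range(n + 1)]
    k = [rng.randrange(q) for _ in range(n + 1)]
    print("(x-1)*Phi == 0 in cyclic ring:", x_minus_one_times_phi_is_zero(n, q))
    print("s(1) =", evaluate_at_one(s, q), "-> lift independent:", lift_independent(s, b, k, n, q))
    s_bad = [1] + [0] * n          # s(1) = 1, so (x - 1) does not divide s
    print("unbalanced secret lift independent:", lift_independent(s_bad, b, k, n, q))
```

The last print shows the failure mode: with an unbalanced secret the cyclic-ring product changes by \(k(1)\,s(1)\,\Phi_{n+1}\) when the lift of \(b\) changes, so the two parties would not agree. `reduce_mod_phi` also makes the abstract's correlation remark concrete: mapping back into \(\mathbb{Z}_q[x]/\Phi_{n+1}\) subtracts the top coefficient from all \(n\) others, which is exactly what staying in the cyclic ring avoids.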

[1]  Óscar García-Morchón,et al.  Round2: KEM and PKE based on GLWR , 2017, IACR Cryptol. ePrint Arch..

[2]  Damien Stehlé,et al.  CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM , 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[3]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[4]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[5]  William Whyte,et al.  Choosing Parameters for NTRUEncrypt , 2017, CT-RSA.

[6]  Erdem Alkim,et al.  NewHope without reconciliation , 2016, IACR Cryptol. ePrint Arch..

[7]  Anja Becker,et al.  New directions in nearest neighbor searching with applications to lattice sieving , 2016, IACR Cryptol. ePrint Arch..

[8]  Vikram Singh A Practical Key Exchange for the Internet using Lattice Cryptography , 2015, IACR Cryptol. ePrint Arch..

[9]  Tanja Lange,et al.  NTRU Prime: Reducing Attack Surface at Low Cost , 2017, SAC.

[10]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[11]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[12]  Michele Mosca,et al.  Finding shortest lattice vectors faster using quantum search , 2015, Designs, Codes and Cryptography.

[13]  Léo Ducas,et al.  The closest vector problem in tensored root lattices of type A and in their duals , 2018, Des. Codes Cryptogr..

[14]  Craig Gentry,et al.  Fully Homomorphic Encryption without Bootstrapping , 2011, IACR Cryptol. ePrint Arch..

[15]  Shi Bai,et al.  Lattice Decoding Attacks on Binary LWE , 2014, ACISP.

[16]  Oded Regev,et al.  Lattice-Based Cryptography , 2006, CRYPTO.

[17]  Eike Kiltz,et al.  A Modular Analysis of the Fujisaki-Okamoto Transformation , 2017, TCC.

[18]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[19]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[20]  Óscar García-Morchón,et al.  Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M , 2018, IACR Cryptol. ePrint Arch..

[21]  Jung Hee Cheon,et al.  Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR , 2018, IACR Cryptol. ePrint Arch..

[22]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  Fernando Virdia,et al.  Estimate all the {LWE, NTRU} schemes! , 2018, IACR Cryptol. ePrint Arch..

[24]  Martin R. Albrecht On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL , 2017, EUROCRYPT.

[25]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[26]  Stephan Krenn,et al.  Learning with Rounding, Revisited: New Reduction, Properties and Applications , 2013, IACR Cryptol. ePrint Arch..

[27]  Claus-Peter Schnorr,et al.  Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems , 1991, FCT.

[28]  Damien Stehlé,et al.  CRYSTALS - Dilithium: Digital Signatures from Module Lattices , 2017, IACR Cryptol. ePrint Arch..

[29]  Silas Richelson,et al.  On the Hardness of Learning with Rounding over Small Modulus , 2016, TCC.

[30]  Markku-Juhani O. Saarinen HILA5: On Reliability, Reconciliation, and Error Correction for Ring-LWE Encryption , 2017, SAC.

[31]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[32]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[33]  Damien Stehlé,et al.  Worst-case to average-case reductions for module lattices , 2014, Designs, Codes and Cryptography.

[34]  Markku-Juhani O. Saarinen Ring-LWE Ciphertext Compression and Error Correction: Tools for Lightweight Post-Quantum Cryptography , 2017, IACR Cryptol. ePrint Arch..

[35]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[37]  Phong Q. Nguyen,et al.  BKZ 2.0: Better Lattice Security Estimates , 2011, ASIACRYPT.

[38]  Peter Schwabe,et al.  High-speed key encapsulation from NTRU , 2017, IACR Cryptol. ePrint Arch..

[39]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[40]  Ron Steinfeld,et al.  Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather than the Statistical Distance , 2015, Journal of Cryptology.

[41]  I. Vaughan L. Clarkson,et al.  An Algorithm to Compute the Nearest Point in the Lattice $A_{n}^*$ , 2008, IEEE Transactions on Information Theory.

[42]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[43]  Jung Hee Cheon,et al.  A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE , 2016, IACR Cryptol. ePrint Arch..

[44]  Léo Ducas,et al.  Large FHE gates from Tensored Homomorphic Accumulator , 2018, IACR Cryptol. ePrint Arch..

[45]  Frederik Vercauteren,et al.  Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM , 2018, IACR Cryptol. ePrint Arch..

[46]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[47]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[48]  Óscar García-Morchón,et al.  spKEX: An optimized lattice-based key exchange , 2017, IACR Cryptol. ePrint Arch..

[49]  Chris Peikert,et al.  Pseudorandomness of ring-LWE for any ring and modulus , 2017, STOC.

[50]  Martin R. Albrecht,et al.  On the concrete hardness of Learning with Errors , 2015, J. Math. Cryptol..

[51]  Morris J. Dworkin,et al.  SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions , 2015 .

[52]  Abhishek Banerjee,et al.  Pseudorandom Functions and Lattices , 2012, EUROCRYPT.

[53]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[54]  Oded Regev,et al.  The Learning with Errors Problem (Invited Survey) , 2010, 2010 IEEE 25th Annual Conference on Computational Complexity.

[55]  Craig Costello,et al.  Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE , 2016, IACR Cryptol. ePrint Arch..

[56]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[57]  Martha Johanna Sepúlveda,et al.  Analysis of Error-Correcting Codes for Lattice-Based Key Exchange , 2018, IACR Cryptol. ePrint Arch..

[59]  Nick Howgrave-Graham,et al.  A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU , 2007, CRYPTO.

[60]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[61]  Yakov Rekhter,et al.  BGP/MPLS IP Virtual Private Networks (VPNs) , 2006, RFC.

[62]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.