Anonymity of NIST PQC Round 3 KEMs

Conference paper, Advances in Cryptology – EUROCRYPT 2022 (EUROCRYPT 2022)

Abstract

This paper investigates anonymity of all NIST PQC Round 3 KEMs: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime (Streamlined NTRU Prime and NTRU LPRime), and SIKE. We show the following results:

  • NTRU is anonymous in the quantum random oracle model (QROM) if the underlying deterministic PKE is strongly disjoint-simulatable. NTRU is collision-free in the QROM. A hybrid PKE scheme constructed from NTRU as the KEM and an appropriate DEM is anonymous and robust. (Similar results hold for BIKE, FrodoKEM, HQC, NTRU LPRime, and SIKE, except for one of the three parameter sets of HQC.)

  • Classic McEliece is anonymous in the QROM if the underlying PKE is strongly disjoint-simulatable, and a hybrid PKE scheme constructed from it as the KEM and an appropriate DEM is anonymous.

  • Grubbs, Maram, and Paterson pointed out that Kyber and Saber have a gap in the current IND-CCA security proof in the QROM (EUROCRYPT 2022). We found that Streamlined NTRU Prime has another technical obstacle for the IND-CCA security proof in the QROM.

These results answer the open problem, posed by Grubbs, Maram, and Paterson (EUROCRYPT 2022), of investigating the anonymity and robustness of the NIST PQC Round 3 KEMs.

As the main tools we use strong disjoint-simulatability of the KEM's underlying PKE, together with strong pseudorandomness and smoothness/sparseness of the KEM; these notions may be of independent interest.

Notes

  1. A variant of the FO transform with implicit rejection using the ‘pre-key’ technique. They wrote “a variant of the \(\mathsf {FO}^{\not \bot }\) transform” in their paper.

  2. They modify the ‘key-confirmation hash’ so that it also takes the ciphertext as input.

  3. If the simulator is allowed to depend on the encryption key, we simply say pseudorandom.

  4. HQC-256 is not anonymous because the parity of the ciphertext leaks the parity of the encapsulation key. See the full version for details.

  5. The key and key-confirmation value for a plaintext \(\mu \) and an encapsulation key \( ek \) are computed as \(K = \mathsf {H}(k,c_0,c_1)\) and \(h = \mathsf {F}(k,\mathsf {Hash}( ek ))\), where \(k = \mathsf {H}_3(\mu )\) and \((c_0,c_1)\) is the main body of the ciphertext.

References

  1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_13

  2. Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480–497. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_28

  3. Abe, M. (ed.): ASIACRYPT 2010. LNCS, vol. 6477. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8

  4. Aguilar Melchor, C., et al.: HQC. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  5. Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  6. Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  7. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

  8. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718

  9. Bernstein, D.J.: Personal communication (October 2021)

  10. Bernstein, D.J., et al.: NTRU Prime. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  11. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  12. Boyd, C., Cliff, Y., González Nieto, J.M., Paterson, K.G.: One-round key exchange in the standard model. Int. J. Appl. Cryptogr. 1(3), 181–199 (2009). https://doi.org/10.1504/IJACT.2009.023466

  13. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

  14. Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  15. Cohen, H., et al.: Handbook of elliptic and hyperelliptic curve cryptography (2005)

  16. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4

  17. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

  18. D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  19. Farshim, P., Orlandi, C., Roşie, R.: Security of symmetric primitives under incorrect usage of keys. IACR Trans. Symmetric Cryptol. 2017(1), 449–473 (2017). https://doi.org/10.13154/tosc.v2017.i1.449-473

  20. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 2013, pp. 83–94. ACM Press (May 2013)

  21. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. Des. Codes Cryptogr. 76(3), 469–504 (2015). https://doi.org/10.1007/s10623-014-9972-2

  22. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  23. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1

  24. Grubbs, P., Maram, V., Paterson, K.G.: Anonymous, robust post-quantum public key encryption. Cryptology ePrint Archive, Report 2021/708 (2021). https://eprint.iacr.org/2021/708. To appear in EUROCRYPT 2022

  25. Grubbs, P., Maram, V., Paterson, K.G.: Anonymous, robust post-quantum public key encryption (presentation slides). In: Proceedings of the Third NIST PQC Standardization Conference (2021). https://csrc.nist.gov/Presentations/2021/anonymous-robust-post-quantum-public-key-encryptio

  26. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  27. Hopper, N.: On steganographic chosen covertext security. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 311–323. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_26

  28. Hosoyamada, A.: Personal communication (June 2021)

  29. Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part II. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14

  30. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  31. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4

  32. Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21

  33. Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021, Part I. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1

  34. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 1219–1234. ACM Press (May 2012). https://doi.org/10.1145/2213977.2214086

  35. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  36. Mohassel, P.: A closer look at anonymity and robustness in encryption schemes. In: Abe [3], pp. 501–518

  37. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  38. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35

  39. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

  40. Sako, K.: An auction protocol which hides bids of losers. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 422–432. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_28

  41. Schanck, J.: Personal communication (June 2021)

  42. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  43. Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1461–1480. ACM Press (November 2020). https://doi.org/10.1145/3372297.3423350

  44. Stehlé, D., Steinfeld, R.: Faster fully homomorphic encryption. In: Abe [3], pp. 377–394

  45. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  46. von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_20

  47. Xagawa, K., Yamakawa, T.: (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14

  48. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7–8), 557–567 (2015)

  49. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

Acknowledgement

The author is grateful to John Schanck for insightful comments and suggestions on NTRU, and to Akinori Hosoyamada and Takashi Yamakawa for insightful comments and discussion on quantum random oracles. The author would like to thank Daniel J. Bernstein for insightful comments and discussion on the indifferentiability of quantum random oracles. The author would also like to thank the anonymous reviewers for their valuable comments and suggestions on this paper.

Corresponding author

Correspondence to Keita Xagawa.

A Missing Lemma

Lemma 8

Let \(\mathsf {A}\) and \(\mathsf {B}\) denote events, and suppose that \(\Pr [\mathsf {A}] \le \delta \). Then for any \(p \ge 0\) we have

$$ \left|\Pr [\mathsf {B}] - p \right| \le \left|\Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| + \delta ~~~\text {and}~~~ \left|\Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| \le \left|\Pr [\mathsf {B}] - p \right| + \delta . $$

Proof

Both bounds follow from the triangle inequality. We have

$$\begin{aligned} \left|\Pr [\mathsf {B}] - p \right|&= \left|\Pr [\mathsf {B} \wedge \mathsf {A}] + \Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| \le \Pr [\mathsf {B} \wedge \mathsf {A}] + \left|\Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| \\&\le \Pr [\mathsf {A}] + \left|\Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| \le \left|\Pr [\mathsf {B} \wedge \lnot \mathsf {A}] - p \right| + \delta \end{aligned}$$

and

$$\begin{aligned} \left|\Pr [\mathsf {B}\wedge \lnot \mathsf {A}] - p \right|&= \left|\Pr [\mathsf {B}\wedge \lnot \mathsf {A}] + \Pr [\mathsf {B}\wedge \mathsf {A}] - \Pr [\mathsf {B}\wedge \mathsf {A}] - p \right| \\&= \left|\Pr [\mathsf {B}] - p - \Pr [\mathsf {B}\wedge \mathsf {A}] \right| \le \left|\Pr [\mathsf {B}] - p \right| + \Pr [\mathsf {B}\wedge \mathsf {A}] \\&\le \left|\Pr [\mathsf {B}] - p \right| + \Pr [\mathsf {A}] \le \left|\Pr [\mathsf {B}] - p \right| + \delta \end{aligned}$$

as we wanted.    \(\square \)

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Xagawa, K. (2022). Anonymity of NIST PQC Round 3 KEMs. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13277. Springer, Cham. https://doi.org/10.1007/978-3-031-07082-2_20

  • DOI: https://doi.org/10.1007/978-3-031-07082-2_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07081-5

  • Online ISBN: 978-3-031-07082-2

  • eBook Packages: Computer Science, Computer Science (R0)