Abstract
In this work, we consider the formal verification of the public-key encryption scheme of Saber, one of the selected few post-quantum cipher suites currently considered for potential standardization. We formally verify this public-key encryption scheme’s security and \(\delta \)-correctness properties, i.e., the properties required to transform the public-key encryption scheme into an secure and \(\delta \)-correct key encapsulation mechanism, in EasyCrypt. To this end, we initially devise hand-written proofs for these properties that are significantly more detailed and meticulous than the presently existing proofs. Subsequently, these hand-written proofs serve as a guideline for the formal verification. The results of this endeavor comprise hand-written and computer-verified proofs which demonstrate that Saber’s public-key encryption scheme indeed satisfies the desired security and correctness properties.
Andreas Hülsing and Matthias Meijers are funded by an NWO VIDI grant (Project No. VI.Vidi.193.066). At the time of writing, Pierre-Yves Strub was at Institut Polytechnique de Paris, France, and was partially supported by the ERC Advanced Grant Procontra (ID: 885666). Date: 2022-07-31
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
Note that the message \(m \in \{0,1\}^{n}\) is implicitly encoded as an element of \(R_{2}\) by dedicating a separate coefficient to each bit.
- 3.
However, since then, these features have been implemented and integrated into EasyCrypt, making the formal verification of the validity of the random oracle model proofs in the quantum setting a potential objective for future work [4].
- 4.
Notice that in \(\textrm{Game}_{\mathcal {R}^{\mathcal {A}}}^{3}\), the explicit modular reduction in \(v' + (\lfloor {m_{u}}\rfloor {_{2 \rightarrow p^2 / q}} \bmod p)\) is merely used to accentuate the interpretation of \(\lfloor {m_{u}}\rfloor {_{2 \rightarrow p^2 / q}}\) as an element of \(R_{p}\); that is, the modular reduction does not affect the actual value of \(m_u\).
- 5.
In EasyCrypt, an operator denotes a mathematical function.
- 6.
Nevertheless, albeit customary in hand-written cryptographic proofs, EasyCrypt currently does not provide the possibility to restrict the space or time complexity of module types.
- 7.
Remark that the considered parameters of \(\textrm{Game}_{\mathcal {A}, \textsf{gen}, l, \mu , q, p}^{\textrm{GMLWR}}(u)\) are the same as the similarly named (function and) parameters of Saber; hence, these are already formalized outside of the module, see the foregoing discussion concerning the fundamental specification.
- 8.
Analogously, there is a separate module type that formalizes the class of adversaries against \(\textrm{Game}_{\mathcal {A}}^{3}\) and \(\textrm{Game}_{\mathcal {A}}^{4}\).
- 9.
This alternative specification is based on the alternative specification of Saber’s key exchange scheme presented in [9].
- 10.
Recall that \(0< \epsilon _{t}+ 1< \epsilon _{p}< \epsilon _{q}\) and, hence, \(2 \le 2\cdot t< p < q\); as a consequence, \(\lfloor {\cdot }\rfloor {_{2 \rightarrow q}}\), \(\lfloor {\cdot }\rfloor {_{2\cdot t \rightarrow q}}\), and \(\lfloor {\cdot }\rfloor {_{p \rightarrow q}}\) effectively constitute left bit-shifts.
- 11.
- 12.
Similarly to the specification of \(\mathrm {Saber.{\textrm{PKE}}A}\), the definitions of these error terms are inspired by the error terms provided in [9].
- 13.
Remark that this implies the transpose reduces to the identity function.
- 14.
This suggests that the script merely approximates the actual correctness value. Nevertheless, if \(\textsf{gen}\) is adequately instantiated, i.e., its output distribution (closely) resembles the uniform distribution, this approximation is (almost) accurate.
- 15.
The in the return statement is a technical consequence of the fact that certain PKE schemes may explicitly indicate decryption failure; nevertheless, this is irrelevant to the current discussion and, thus, can be ignored. Alternatively stated, we can regard the return statement as being .
References
Almeida, J.B., Barbosa, M., Barthe, G., Grégoire, B., Koutsos, A., Laporte, V., Oliveira, T., Strub, P.-Y.: The last mile: high-assurance and high-speed cryptographic implementations. In: 2020 IEEE Symposium on Security and Privacy, pp. 965–982. IEEE Computer Society Press, May 2020
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Barbosa, M., Barthe, G., Bhargavan, K., Blanchet, B., Cremers, C., Liao, K., Parno, B.: SoK: computer-aided cryptography. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 777–795. IEEE Computer Society, May 2021
Barbosa, M., Barthe, G., Fan, X., Grégoire, B., Hung, S.-H., Katz, J., Strub, P.-Y., Wu, X., Zhou, L.: EasyPQC: verifying post-quantum cryptography. Cryptology ePrint Archive, Report 2021/1253 (2021)
Barthe, G., Crespo, J.M., Grégoire, B., Kunz, C., Zanella Béguelin, S.: Computer-aided cryptographic proofs. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 11–27. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32347-8_2
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random Oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1773–1788. ACM Press, October/November 2017
D’Anvers, J.-P.: Design and security analysis of lattice-based post-quantum encryption. Ph.D. dissertation, KU Leuven Arenberg Doctoral School, May 2021
D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16
Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G.: Faster Kyber and Saber via a generic Fujisaki-Okamoto transform for multi-user security in the QROM (2021)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hülsing, A., Meijers, M., Strub, P.-Y.: Formal verification of Saber’s public-key encryption scheme in EasyCrypt. Cryptology ePrint Archive, Paper 2022/351 (2022). https://eprint.iacr.org/2022/351
Koblitz, N., Menezes, A.J.: Critical perspectives on provable security: fifteen years of “another look’’ papers. Adv. Math. Commun. 13(4), 517–558 (2019)
Lazar, D., Chen, H., Wang, X., Zeldovich, N.: Why does cryptographic software fail? A case study and open problems. In: Proceedings of 5th Asia-Pacific Workshop on Systems, APSys 2014, pp. 1–7. Association for Computing Machinery (2014)
Mosca, M.: Cybersecurity in an era with quantum computers: will we be ready? IEEE Security & Privacy 16(5), 38–41 (2018). https://doi.org/10.1109/MSP.2018.3761723
Shor, P.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994)
Unruh, D.: Post-quantum verification of Fujisaki-Okamoto. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 321–352. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_11
Yan, S.Y.: Quantum Attacks on Public-Key Cryptosystems, 1st edn. Springer, Boston (2013). https://doi.org/10.1007/978-1-4419-7722-9
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Hülsing, A., Meijers, M., Strub, PY. (2022). Formal Verification of Saber’s Public-Key Encryption Scheme in EasyCrypt. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_22
Download citation
DOI: https://doi.org/10.1007/978-3-031-15802-5_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15801-8
Online ISBN: 978-3-031-15802-5
eBook Packages: Computer ScienceComputer Science (R0)