SMAUG: Pushing Lattice-Based Key Encapsulation Mechanisms to the Limits

  • Conference paper
  • Selected Areas in Cryptography – SAC 2023 (SAC 2023)

Abstract

Recently, NIST has announced Kyber, a lattice-based key encapsulation mechanism (KEM), as a post-quantum standard. However, it is not the most efficient scheme among NIST’s KEM finalists. Saber enjoys more compact sizes and faster performance, and Mera et al. (TCHES ’21) pushed its efficiency further, proposing a shorter KEM, Sable. As KEMs are frequently used on the Internet, such as in the TLS protocol, it is essential to achieve high efficiency while maintaining sufficient security.

In this paper, we push the efficiency limit of lattice-based KEMs further by proposing SMAUG, a new post-quantum KEM scheme whose IND-CCA2 security is based on the combination of the MLWE and MLWR problems. We adopt several recent developments in lattice-based cryptography, targeting the smallest and fastest KEM while maintaining sufficiently high security against various attacks, with a full-fledged use of sparse secrets. Our design choices allow SMAUG to balance the decryption failure probability against ciphertext sizes without using error correction codes, whose side-channel resistance remains an open question.

With a constant-time C reference implementation, SMAUG achieves ciphertext sizes up to 12% and 9% smaller than Kyber and Saber, respectively, with much faster running times, up to 103% and 58% faster. Compared to Sable, SMAUG has the same ciphertext sizes but a larger public key, which is a trade-off between public key size and performance; SMAUG has 39%–55% faster encapsulation and decapsulation in the parameter sets with comparable security.
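The construction the abstract describes, an MLWE public key combined with an MLWR (rounded) ciphertext and sparse ternary secrets, as an added Python toy written for this page; it is not the SMAUG reference implementation and the ring degree, moduli, Hamming weight and error bound are assumed toy values, not SMAUG's parameter sets. `always_correct` makes the ciphertext-size versus decryption-failure trade-off explicit by checking the worst-case noise against the decoding radius for a given rounding modulus p.

```python
import random
# Toy parameters assumed for this example (not SMAUG's): R_q = Z_q[x]/(x^N + 1)
N, Q, P = 256, 1024, 256   # ring degree, MLWE modulus q, rounding modulus p < q
H, E_MAX = 32, 1           # sparse-secret Hamming weight, error bound |e_i| <= E_MAX
def poly_mul(f, g, mod):   # negacyclic f*g in Z_mod[x]/(x^N + 1), skipping zeros of f
    out = [0] * N
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                out[(i + j) % N] += fi * gj if i + j < N else -fi * gj   # x^N = -1
    return [c % mod for c in out]

def sparse_ternary(rng):   # exactly H coefficients in {-1, +1}: sparse secret / randomness
    s = [0] * N
    for idx in rng.sample(range(N), H):
        s[idx] = rng.choice((-1, 1))
    return s

def round_scale(f, from_mod, to_mod):   # coefficient-wise rounding: the LWR step
    return [((c * to_mod + from_mod // 2) // from_mod) % to_mod for c in f]

def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]
    s, e = sparse_ternary(rng), [rng.randint(-E_MAX, E_MAX) for _ in range(N)]
    b = [(y - x) % Q for x, y in zip(poly_mul(s, a, Q), e)]    # MLWE: b = -a*s + e
    return (a, b), s

def encrypt(pk, m, rng):
    a, b = pk
    r = sparse_ternary(rng)                                     # sparse ephemeral secret
    c1 = round_scale(poly_mul(r, a, Q), Q, P)                   # MLWR: round((p/q) a*r)
    v = [(x + (Q // 2) * bit) % Q for x, bit in zip(poly_mul(r, b, Q), m)]
    return c1, round_scale(v, Q, P)                             # c2 = round((p/q)(b*r + (q/2) m))

def decrypt(sk, ct):
    c1, c2 = ct
    w = [(x + y) % P for x, y in zip(c2, poly_mul(sk, c1, P))]  # (p/q) e*r + (p/2) m + rounding noise
    return [((2 * c + P // 2) // P) % 2 for c in w]

def worst_case_noise(p):   # |noise| in Z_p units: (p/q) H E_MAX from e*r, H/2 from c1 rounding times s, 1/2 from c2
    return p * H * E_MAX / Q + H / 2 + 0.5
def always_correct(p):     # no decryption failure is possible iff the bound stays under the decoding radius p/4
    return worst_case_noise(p) < p / 4

def roundtrip_ok(seed, trials=3):   # fresh keys and random messages; True if every trial decrypts
    rng = random.Random(seed)
    def trial():
        (pk, sk), m = keygen(rng), [rng.randrange(2) for _ in range(N)]
        return decrypt(sk, encrypt(pk, m, rng)) == m
    return all(trial() for _ in range(trials))
```

Shrinking p cuts the ciphertext (each of c1 and c2 costs N·log2(p) bits) but leaves the rounding noise larger relative to the decoding radius p/4, which is the margin the abstract says SMAUG tunes instead of adding an error correction code.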


Notes

  1. We used the lattice-estimator [2], from https://github.com/malb/lattice-estimator (commit 9687562), while additionally considering other attacks that target the sparsity.

  2. We use the Python package from https://github.com/dreylago/logicmin.

  3. There are some suspicions about the dual-sieve attacks, which rely on a flawed heuristic and remain unsubstantiated [30]. However, we hereby estimate the security of SMAUG following the methods used for Kyber, Saber, and Sable, for a fair comparison.

  4. From https://github.com/pq-crystals/kyber (518de24), https://github.com/KULeuven-COSIC/SABER (f7f39e4), and https://github.com/josebmera/scabbard (4b2b5de), respectively.

References

  1. Akleylek, S., Alkım, E., Tok, Z.Y.: Sparse polynomial multiplication for lattice-based cryptography with small complexity. J. Supercomput. 72, 438–450 (2016)

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  3. Alkim, E., Barreto, P.S.L.M., Bindel, N., Kramer, J., Longa, P., Ricardini, J.E.: The lattice-based digital signature scheme qTESLA. Cryptology ePrint Archive, Paper 2019/085 (2019). https://eprint.iacr.org/2019/085

  4. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, August 2016

  5. Alperin-Sheriff, J., Apon, D.: Dimension-preserving reductions from LWE to LWR. Cryptology ePrint Archive, Paper 2016/589 (2016). https://eprint.iacr.org/2016/589

  6. Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Canetti, R., Garay, J.A. (eds.) Advances in Cryptology - CRYPTO 2013. CRYPTO 2013. LNCS, vol. 8042, pp. 57–74. Springer, Berlin, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_4

  7. Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology - EUROCRYPT 2012. EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Berlin, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42

  8. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving, pp. 10–24. Society for Industrial and Applied Mathematics (2016). https://doi.org/10.1137/1.9781611974331.ch2

  9. Beirendonck, M.V., D’Anvers, J.P., Karmakar, A., Balasch, J., Verbauwhede, I.: A side-channel-resistant implementation of Saber. J. Emerg. Technol. Comput. Syst. 17(2) (2021). https://doi.org/10.1145/3429983

  10. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime. Cryptology ePrint Archive, Paper 2016/461 (2016)

  11. Bi, L., Lu, X., Luo, J., Wang, K.: Hybrid dual and meet-LWE attack. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds.) Information Security and Privacy. ACISP 2022. LNCS, vol. 13494, pp. 168–188. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22301-3_9

  12. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) Theory of Cryptography. TCC 2019, Part II. LNCS, vol. 11892, pp. 61–90. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-36033-7_3

  13. Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) Theory of Cryptography. TCC 2016. LNCS, vol. 9562, pp. 209–224. Springer, Berlin, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9

  14. Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 353–367. IEEE (2018)

  15. Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1006–1018. ACM Press, October 2016. https://doi.org/10.1145/2976749.2978425

  16. Bos, J.W., Gourjon, M., Renes, J., Schneider, T., van Vredendaal, C.: Masking kyber: first- and higher-order implementations. IACR TCHES 2021(4), 173–214 (2021). https://doi.org/10.46586/tches.v2021.i4.173-214, https://tches.iacr.org/index.php/TCHES/article/view/9064

  17. Boudgoust, K., Jeudy, C., Roux-Langlois, A., Wen, W.: On the hardness of module learning with errors with short distributions. J. Cryptol. 36(1), 1 (2023). https://doi.org/10.1007/s00145-022-09441-3

  18. Chailloux, A., Loyer, J.: Lattice sieving via quantum random walks. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2021. ASIACRYPT 2021. LNCS, vol. 13093, pp. 63–91. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_3

  19. Chen, C., et al.: NTRU: algorithm specifications and supporting documentation (2020). NIST PQC Round 3 Submission

  20. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) Advances in Cryptology – ASIACRYPT 2011. ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Berlin, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

  21. Cheon, J.H., Choe, H., Hong, D., Yi, M.: Smaug: pushing lattice-based key encapsulation mechanisms to the limits. Cryptology ePrint Archive, Paper 2023/739 (2023). https://eprint.iacr.org/2023/739

  22. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology - EUROCRYPT 2018. EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14

  23. Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on spLWE. In: Hong, S., Park, J.H. (eds.) Information Security and Cryptology - ICISC 2016. ICISC 2016. LNCS, vol. 10157, pp. 51–74. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-53177-9_3

  24. Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! A practical post-quantum public-key encryption from LWE and LWR. In: Catalano, D., De Prisco, R. (eds.) Security and Cryptography for Networks. SCN 2018. LNCS, vol. 11035, pp. 160–177. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-98113-0_9

  25. D’Anvers, J.P., Batsleer, S.: Multitarget decryption failure attacks and their application to Saber and Kyber. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography - PKC 2022. PKC 2022, Part I. LNCS, vol. 13177, pp. 3–33. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97121-2_1

  26. D’Anvers, J.P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) Public-Key Cryptography – PKC 2019. PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_19

  27. D’Anvers, J.P., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) Progress in Cryptology – AFRICACRYPT 2018. AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-89339-6_16

  28. Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (eds.) Cryptography and Coding. Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Berlin, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12

  29. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 2018(1), 238–268 (2018). https://doi.org/10.13154/tches.v2018.i1.238-268, https://tches.iacr.org/index.php/TCHES/article/view/839

  30. Ducas, L., Pulles, L.: Does the dual-sieve attack on learning with errors even work? Cryptology ePrint Archive, Paper 2023/302 (2023). https://eprint.iacr.org/2023/302

  31. Espitau, T., Joux, A., Kharchenko, N.: On a dual/hybrid approach to small secret LWE - a dual/enumeration technique for learning with errors and application to security estimates of FHE schemes. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) Progress in Cryptology - INDOCRYPT 2020. INDOCRYPT 2020. LNCS, vol. 12578, pp. 440–462. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_20

  32. Fouque, P.A., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU. Submiss. NIST’s Post-quantum Cryptogr. Stand. Process 36(5) (2018)

  33. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M.J. (ed.) Advances in Cryptology – CRYPTO’99. CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Berlin, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  34. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1

  35. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

  36. Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_25

  37. Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., et al. (eds.) Coding and Cryptology. IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Berlin, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20901-7_10

  38. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography. TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  39. Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) Public-Key Cryptography - PKC 2020. PKC 2020, Part II. LNCS, vol. 12111, pp. 389–422. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45388-6_14

  40. Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) Advances in Cryptology – CRYPTO 2003. CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Berlin, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14

  41. Krausz, M., Land, G., Richter-Brockmann, J., Güneysu, T.: A holistic approach towards side-channel secure fixed-weight polynomial sampling. In: Boldyreva, A., Kolesnikov, V. (eds.) Public-Key Cryptography – PKC 2023. PKC 2023, Part II. LNCS, vol. 13941, pp. 94–124. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-31371-4_4

  42. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology – EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Berlin, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14

  43. Lee, J., Kim, D., Lee, H., Lee, Y., Cheon, J.H.: RLizard: post-quantum key encapsulation mechanism for IoT devices. IEEE Access 7, 2080–2091 (2018)

  44. MATZOV: Report on the Security of LWE: Improved Dual Lattice Attack, April 2022. https://doi.org/10.5281/zenodo.6493704

  45. May, A.: How to meet ternary LWE keys. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology – CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 701–731. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_24

  46. Mera, J.M.B., Karmakar, A., Kundu, S., Verbauwhede, I.: Scabbard: a suite of efficient learning with rounding key-encapsulation mechanisms. IACR TCHES 2021(4), 474–509 (2021). https://doi.org/10.46586/tches.v2021.i4.474-509, https://tches.iacr.org/index.php/TCHES/article/view/9073

  47. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology - EUROCRYPT 2018. EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

  48. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994)

  49. Son, Y., Cheon, J.H.: Revisiting the hybrid attack on sparse secret LWE and application to HE parameters. In: Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC ’19, pp. 11–20. Association for Computing Machinery, New York, NY, USA (2019). https://doi.org/10.1145/3338469.3358941

  50. Vercauteren, I.F., Sinha Roy, S., D’Anvers, J.P., Karmakar, A.: Saber: mod-LWR based KEM. NIST PQC Round 3 Submission

Acknowledgments

This work was submitted to the ‘Korean Post-Quantum Cryptography Competition’ (www.kpqc.or.kr). Part of this work was done while MinJune Yi was in CryptoLab Inc.

Corresponding author

Correspondence to Hyeongmin Choe.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Cheon, J.H., Choe, H., Hong, D., Yi, M. (2024). SMAUG: Pushing Lattice-Based Key Encapsulation Mechanisms to the Limits. In: Carlet, C., Mandal, K., Rijmen, V. (eds) Selected Areas in Cryptography – SAC 2023. SAC 2023. Lecture Notes in Computer Science, vol 14201. Springer, Cham. https://doi.org/10.1007/978-3-031-53368-6_7

  • DOI: https://doi.org/10.1007/978-3-031-53368-6_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-53367-9

  • Online ISBN: 978-3-031-53368-6

  • eBook Packages: Computer Science (R0)
