Abstract
Public-key cryptography is an indispensable component of almost all of our present-day digital infrastructure. However, most if not all of it is built upon the hardness of number-theoretic problems that large-scale quantum computers could break in the future. Sensing the imminent threat from continued advances in quantum computing, NIST has recently initiated a global standardization process for quantum-resistant public-key cryptographic primitives such as public-key encryption, digital signatures, and key encapsulation mechanisms. While the process received proposals from various categories of post-quantum cryptography, lattice-based cryptography features most prominently among all the submissions. Lattice-based cryptography offers a very attractive alternative to traditional public-key cryptography, mainly because the variety of lattice-based schemes offers different trade-offs between security and efficiency. In this article, we survey the evolution of lattice-based key-sharing schemes (public-key encryption and key encapsulation schemes) and cover aspects ranging from theoretical security guarantees and general algorithmic frameworks to practical implementation aspects and physical attack security, with special focus on the lattice-based key-sharing schemes competing in NIST's standardization process.
Supplemental Material: supplemental movie, appendix, image and software files for Lattice-based Key-sharing Schemes: A Survey.
- Oscar Reparaz, Ruan de Clercq, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. 2016. Additively homomorphic ring-LWE masking. In Proceedings of the International Workshop on Post-Quantum Cryptography. Springer.Google ScholarDigital Library
- Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. 2015. A masked ring-LWE implementation. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 683--702.Google ScholarCross Ref
- Sujoy Sinha Roy, Oscar Reparaz, Frederik Vercauteren, and Ingrid Verbauwhede. 2014. Compact and side channel secure discrete Gaussian sampling. IACR ePrint Archive. Retrieved from https://eprint.iacr.org/2014/591.Google Scholar
- Sujoy Sinha Roy, Frederik Vercauteren, Nele Mentens, Donald Donglong Chen, and Ingrid Verbauwhede. 2014. Compact ring-LWE cryptoprocessor. In International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 371--391.Google ScholarDigital Library
- Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. 2013. High precision discrete Gaussian sampling on FPGAs. In Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 383--401.Google Scholar
- Markku-Juhani O. Saarinen. 2019. Exploring NIST LWC/PQC Synergy R5Sneik: How SNEIK 1.1 algorithms were designed to support round5. IACR ePrint Archive (2019). Retrieved from https://eprint.iacr.org/2019/685.Google Scholar
- Markku-Juhani O. Saarinen. 2016. Arithmetic coding and blinding countermeasures for ring-LWE. IACR ePrint Archive (2016). Retrieved from https://eprint.iacr.org/2016/276.Google Scholar
- Markku-Juhani O. Saarinen. 2017. HILA5: On reliability, reconciliation, and error correction for Ring-LWE encryption. In Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 192--212.Google Scholar
- Markku-Juhani O. Saarinen, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen, and Zhenfei Zhang. 2018. Shorter messages and faster post-quantum encryption with Round5 on Cortex M. In Proceedings of the International Conference on Smart Card Research and Advanced Applications. Springer, 95--110.Google Scholar
- Tsunekazu Saito, Keita Xagawa, and Takashi Yamakawa. 2018. Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 520--551.Google ScholarCross Ref
- Thomas Schamberger, Oliver Mischke, and Johanna Sepulveda. 2019. Practical evaluation of masking for NTRUEncrypt on ARM Cortex-M4. In Proceedings of the International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer.Google ScholarDigital Library
- Claus-Peter Schnorr and Martin Euchner. 1994. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66, 1–3 (1994), 181--199.Google ScholarDigital Library
- Gregor Seiler. 2018. Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography. IACR ePrint Archive (2018). Retrieved from https://eprint.iacr.org/2018/039.Google Scholar
- Peter W. Shor. 1994. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science. IEEE, 124--134.Google ScholarDigital Library
- Joseph H. Silverman. 1999. Almost inverses and fast NTRU key creation. NTRU Cryptosyst. Technical Report #014. Retrieved from https://ntru.org/f/tr/tr014v1.pdf.Google Scholar
- Shiming Song, Wei Tang, Thomas Chen, and Zhengya Zhang. 2018. LEIA: A 2.05 mm 2 140mW lattice encryption instruction accelerator in 40nm CMOS. In Proceedings of the IEEE Custom Integrated Circuits Conference (CICC’18). IEEE, 1--4.Google ScholarCross Ref
- Douglas Stebila, Michele Mosca, Christian Paquin, Dimitris Sikeridis, and Goutam Tamvada. [n.d.]. OQS-OpenSSL_1_1_1-Fork of OpenSSL by OpenOQS project. Retrieved from https://github.com/open-quantum-safe/openssl.Google Scholar
- Damien Stehlé and Ron Steinfeld. 2011. Making NTRU as secure as worst-case problems over ideal lattices. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 27--47.Google ScholarCross Ref
- Ehsan Ebrahimi Targhi and Dominique Unruh. 2016. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In Proceedings of the 14th International Conference on Theory of Cryptography (TCC’16-B). Springer, Berlin, 192--216.Google ScholarDigital Library
- Ludo Tolhuizen, Ronald Rietman, and Oscar Garcia-Morchon. 2017. Improved key-reconciliation method. IACR ePrint Archive (2017). Retrieved from https://eprint.iacr.org/2017/295.Google Scholar
- Andrei L. Toom. 1963. The complexity of a scheme of functional elements realizing the multiplication of integers. In Soviet Mathematics Doklady, Vol. 3. 714--716.Google Scholar
- Felipe Valencia, Tobias Oder, Tim Güneysu, and Francesco Regazzoni. 2018. Exploring the vulnerability of R-LWE encryption to fault attacks. In Proceedings of the 5th Workshop on Cryptography and Security in Computing Systems. ACM.Google ScholarDigital Library
- William Whyte, Nick Howgrave-Graham, Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, and Philip S. Hirschhorn. 2008. IEEE P1363. 1 Draft 10: Draft standard for public key cryptographic techniques based on hard problems over lattices. IACR EPrint Archive (2008). Retrieved from https://eprint.iacr.org/2008/361.Google Scholar
- Xuexin Zheng, An Wang, and Wei Wei. 2013. First-order collision attack on protected NTRU cryptosystem. Microprocess. Microsyst. 37, 6–7 (2013), 601--609.Google ScholarDigital Library
- Timo Zijlstra, Karim Bigou, and Arnaud Tisserand. 2019. FPGA implementation and comparison of protections against SCAs for RLWE. In Proceedings of the International Conference on Cryptology in India. Springer, 535--555.Google ScholarDigital Library