--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/1952cb42-739c-8587-e1ba-ea695401aa28%40pqshield.com.
Dear Chris,
Thanks for this comment. We didn't study code-based schemes due to time constraints, however there are indeed a few code-based NIST candidates that seem amenable to our construction, such as BIKE-3, HQC, and Round 2 candidates ROLLO-3 and RQC. For BIKE-3 and HQC, it seems likely that security would rely on a variant of Ring-LPN, and for ROLLO-3 and RQC it would be variants of rank metric problems.
Regarding NTRU-style schemes, it would indeed be very interesting if there was a way to obtain efficient mKEMs from them. We didn't find a way to do it so it would likely require new insights.
We also want to thank Dan Bernstein for pointing out to us that
our construction can be applied to NTRU LPRime. We will update the
ePrint article shortly. In the meanwhile here are the numbers that
one would get for NTRU LPRime in Table 1 of our article (similarly
to NewHope, the CCA variant of NTRU LPRime includes a 32-byte hash
for key confirmation, hence |ct| = |ct_0| + |^ct_i| + 32):
ntrulpr653: |ct_0| = 865, |^ct_i| = 128, |ct| =
1025, k_comm = 8.0
ntrulpr761: |ct_0| = 1007, |^ct_i| = 128, |ct| =
1167, k_comm = 9.1
ntrulpr857: |ct_0| = 1152, |^ct_i| = 128, |ct| =
1312, k_comm = 10.3
Best regards,
Shu, Kris, Federico and Thomas
the followup argument
that cryptosystem parameters must be chosen to also be safe in different
cryptosystems.
Dear Chris and others,
Thank you for all these interesting comments. The potential
concrete security loss is not something that we discussed in our
paper, but it is indeed something very important. We hope our work
can be a starting point for research on post-quantum KEMs, and see
the points Chris mentioned (concrete security, code-based schemes)
as important research directions. In particular, we would be
interested in seeing the evolution of the security of NIST
candidates when used as mKEMs, as well as potential bounds on the
number of recipients.
Regarding NTRU Prime, an interesting phenomenon happens. With the notations of [1], Section 2.4, a (single-recipient) ciphertext is of the form (ct_0, ^ct_i), where:
- ct_0 = Round(b * G) performs a "ternary rounding" of b * G
- ^ct_i is a rounding of b * A, but this rounding is much coarser: only 4 top bits per coefficient are preserved (also, only 256 of the p={653,761,857} coefficients of b * A are considered, but this is not too unimportant for our discussion). Since the modulus q verifies q > 2^12, the (deterministic) added error is rather large.
A mKEM ciphertext with N recipients will be of the form (ct_0, ^ct_1, ..., ^ct_N), and therefore will give p "LWE" samples with ternary errors (given by ct_0), and 256 * N samples with larger errors (given by the ^ct_i). Because most of the equations are "super noisy" and not "ternary noisy", we don't see an obvious way of applying Arora-Ge, but we haven't seen this unbalanced problem considered before, so there might be room for improvement.
Fun fact: dropping bits in the right part of the ciphertext is also done in Kyber, Saber, etc. While it is good for efficiency, it also seems to be helpful for security in the mKEM case, at least with respect to the Arora-Ge attack.
Regarding TreeKEM, in our paper we recommend to use mKEM with a number of recipients that is *independent* of the number of users and only depends on the (m)KEM used. Indeed, TreeKEM arranges the N users as the leaves of a m-ary tree, and send one mKEM ciphertext per level of the tree. We suggest to take (m - 1) ~= (|pk| + |ct_0|) / |^ct_i|. If we take Martin's example with Kyber-768 and N = 50000 users, it would entail m ~= 18 and therefore a tree of depth ceil(log(N, m)) = 4. One important point is that the ciphertext corresponding to each level encapsulates a different session key, so for N = 50000 there would be 4 (multi-recipient) ciphertexts, each encapsulating a different session key and each having at most m - 1 = 17 recipients, not 50000. So TreeKEM is actually an example where the number of recipients per ciphertext would be really small.
Best regards,
Shu, Kris, Federico and Thomas
PS: many thanks to Eamonn Postlethwaite, Martin Albrecht and
Chris Peikert for useful discussions
[1] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange,
Christine van Vredendaal
NTRU Prime: round 2
https://ntruprime.cr.yp.to/nist/ntruprime-20190330.pdf
Dr.
Thomas PREST
Senior Cryptography Researcher
PQShield Ltd.
E:
thomas...@pqshield.com
W: www.pqshield.com
This email and any attachment contain information that is private and confidential and is intended for the addressee only. If you are not an addressee, you are not authorised to read, copy or use the email or any attachment. If you have received this email in error, please notify the sender by return email and then destroy it. Any views expressed in this e-mail are not that of PQShield Ltd or its employees unless specifically stated. As e-mail communications are known to be unsecure, we accept no liability for any legal issues that may arise as a result of this e-mail. It is advised that you carry out a virus check with your own software before opening any attachments sent to you.