Hyeongmin Choe
Jul 18, 2024, 2:05:22 AM
to KpqC-bulletin
Dear all,
Smaug-T will be updated soon, with significant changes in its design and parameters to make the implementation constant-time (against the vulnerabilities found by D. J. Bernstein's SUPERCOP) while keeping its efficiency, and to avoid attacks exploiting the sparsity (such as May's Meet-LWE attack or its variant introduced by Joohee, Eunmin, and Yuntao).
To summarize the changes,
- We avoid using the fixed-weight sampler (HWT) during enc/dec, whose inefficiency for side-channel security was recently studied. We changed it into a non-fixed-weight but sparse secret sampler, which can be viewed as a narrower version of CBD, e.g., with distribution {0: 3/4, -1: 1/8, 1: 1/8}.
- The parameters are changed accordingly, e.g., the secret key (for pk) with larger Hamming weights and secret randomness (for enc) with new sparse distributions.
- The polynomial multiplication is modified to use the coefficient representation of the secret key instead of its indices, to avoid side-channel attacks and to utilize super-fast AVX optimizations on NTT. We use NTT/Toom-Cook (like Saber).
As there are a lot of changes, checks and optimizations are still in progress.
We expect the updated version to be available soon. We will reply here when it is ready.
Best,
Team Smaug-T
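The post above describes replacing the fixed-weight (HWT) sampler with a sparse, non-fixed-weight sampler of distribution {0: 3/4, -1: 1/8, 1: 1/8}. The following is an added illustration, not Smaug-T's code: it derives each coefficient from three uniform bits with a branch-free mapping (this particular bit-to-coefficient mapping, the function names, and the buffer layout are assumptions), so that neither the control flow nor the memory access pattern depends on the sampled secret, and it shows why the resulting Hamming weight is no longer fixed.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit k (little-endian within each byte) of a byte buffer. The index depends
 * only on the loop counter, never on a secret value, so access is constant-time. */
static inline uint8_t get_bit(const uint8_t *buf, size_t k)
{
    return (buf[k >> 3] >> (k & 7)) & 1;
}

/* One coefficient from {0: 3/4, -1: 1/8, +1: 1/8} out of three uniform bits:
 * b0 & b1 selects "nonzero" with probability 1/4, b2 selects the sign.
 * Branch-free; this mapping is an illustrative assumption, not Smaug-T's own. */
static inline int8_t sparse_coeff(uint8_t b0, uint8_t b1, uint8_t b2)
{
    uint8_t m = b0 & b1;               /* 1 with probability 1/4 */
    /* m=0 -> 0;  m=1, b2=0 -> +1;  m=1, b2=1 -> -1 */
    return (int8_t)(m - 2 * (m & b2));
}

/* Sample n coefficients, consuming 3 bits each; buf must hold >= (3*n+7)/8 bytes
 * of uniformly random data (constructed by the caller for this example).
 * Unlike a fixed-weight (HWT) sampler, the Hamming weight of the result is a
 * random variable with expectation n/4, not a constant. */
void sample_sparse_poly(int8_t *out, size_t n, const uint8_t *buf)
{
    for (size_t i = 0; i < n; i++)
        out[i] = sparse_coeff(get_bit(buf, 3 * i),
                              get_bit(buf, 3 * i + 1),
                              get_bit(buf, 3 * i + 2));
}

/* Number of nonzero coefficients (the sampled secret's Hamming weight). */
size_t hamming_weight(const int8_t *p, size_t n)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++)
        w += (size_t)(p[i] != 0);
    return w;
}

/* Exhaustive check of the per-coefficient distribution over all 8 bit inputs:
 * counts[0] = #(-1), counts[1] = #(0), counts[2] = #(+1). Expect 1, 6, 1,
 * i.e. probabilities 1/8, 3/4, 1/8. */
void coeff_histogram(int counts[3])
{
    counts[0] = counts[1] = counts[2] = 0;
    for (uint8_t x = 0; x < 8; x++)
        counts[sparse_coeff(x & 1, (x >> 1) & 1, (x >> 2) & 1) + 1]++;
}
```

Feeding all-ones bits yields every coefficient -1 (weight n) and all-zero bits yields weight 0, which makes the non-fixed weight visible; a real implementation would draw the bits from a seeded XOF.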