Abstract
In this paper, we propose a key encapsulation scheme based on NewHope and Kyber, two candidates in the NIST post-quantum standardization project. Our scheme is based on NewHope, so it is simple and has a fast implementation, while it also makes use of the advantages of Kyber: smaller key sizes and an easily changeable security level. The scheme makes heavy use of recent advances in the Number Theoretic Transform (NTT), in such a way that moving from a polynomial of one degree to another is easy. To make this possible, we changed the definition of a component in the component-wise multiplication performed during polynomial multiplication, and we show that changing the security level only requires changing the size of the polynomial and the definition of a component. Our scheme has \(11.5\%\) smaller communication cost for the same security level compared with NewHope. In addition, its C implementation is at least \(17\%\) faster than the non-optimized Kyber implementation from the first round of the NIST standardization process.
References
Alagic, G., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process. National Institute for Standards and Technology Internal Report 8240 (2019). https://doi.org/10.6028/NIST.IR.8240
Alkim, E., et al.: NewHope - algorithm specifications and supporting documentation (version 1.02). NIST Post-Quantum Cryptography Standardization Process (2019). https://newhopecrypto.org/
Avanzi, R., et al.: CRYSTALS-Kyber - algorithm specifications and supporting documentation (version 2.0). NIST Post-Quantum Cryptography Standardization Process (2019). https://pq-crystals.org/kyber/
Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19(90), 297–301 (1965)
National Institute for Standards and Technology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. Official call for proposals. NIST Post-Quantum Cryptography Standardization Process, December 2019. http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf
Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: Proceedings of the 7–10 November 1966, Fall Joint Computer Conference, AFIPS 1966 (Fall), pp. 563–578. ACM, New York (1966)
Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_5
Hamburg, M.: Post-quantum cryptography proposal: ThreeBears. NIST Post-Quantum Cryptography Standardization Process (2019). https://www.shiftleft.org/papers/threebears/
İlter, M.B., Cenk, M.: Efficient big integer multiplication in cryptography. International Journal of Information Security Science 6(4), 70–78 (2017)
Bernstein, D.J.: Multidigit multiplication for mathematicians, September 2001
Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124–139. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_8
Lyubashevsky, V., Seiler, G.: NTTRU: truly fast NTRU using NTT. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(3), 180–201 (2019)
Moenck, R.T.: Practical fast polynomial multiplication. In: Proceedings of the Third ACM Symposium on Symbolic and Algebraic Computation, SYMSAC 1976, pp. 136–148. ACM, New York (1976)
Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985). http://www.ams.org/journals/mcom/1985-44-170/S0025-5718-1985-0777282-X/S0025-5718-1985-0777282-X.pdf
Moody, D.: Post-quantum cryptography: NIST’s plan for the future. In: PQCrypto 2016 Conference, Fukuoka, Japan, 23–26 February 2016, February 2016. https://pqcrypto2016.jp/data/pqc2016_nist_announcement.pdf
Moody, D.: Round 2 of the NIST PQC “competition” what was NIST thinking? In: PQCrypto 2019 Conference, 8–10 May 2019, Chongqing, China, May 2019. https://csrc.nist.gov/CSRC/media/Presentations/Round-2-of-the-NIST-PQC-Competition-What-was-NIST/images-media/pqcrypto-may2019-moody.pdf
Seiler, G.: Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography. Cryptology ePrint Archive, Report 2018/039 (2018). https://eprint.iacr.org/2018/039
Weimerskirch, A., Paar, C.: Generalizations of the Karatsuba algorithm for efficient implementations. Cryptology ePrint Archive, Report 2006/224 (2006). https://eprint.iacr.org/2006/224
Zhou, S., et al.: Preprocess-then-NTT technique and its applications to Kyber and NewHope. In: Guo, F., Huang, X., Yung, M. (eds.) Inscrypt 2018. LNCS, vol. 11449, pp. 117–137. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-14234-6_7
Acknowledgments
The authors are grateful to Nicolas Thériault and anonymous referees for helpful comments and discussions on drafts of this paper.
A An Implementation for n = 768
NewHope does not offer a parameter set for NIST security level 3. However, a recent observation in [12] made one possible by offering a new ring structure \(\mathbb {Z}_{q}/(X^{768}-X^{384}+1)\). They start by splitting this polynomial into two polynomials of the form \(X^{n/2} - \zeta _1\) and \(X^{n/2} - \zeta _2\), where \(\zeta _1\) and \(\zeta _2\) are the two primitive sixth roots of unity, so that \(\zeta _1 + \zeta _2 = 1\) and \(\zeta _1 \cdot \zeta _2 = 1\). The CRT map of this ring is as follows:
Let \(f \in \mathcal {R}_q\). Then, in order to get the coefficients after the first level, we need to compute:
We know that \(\zeta _2 = 1 - \zeta _1\). Therefore, instead of computing \(h = f \mod (X^{n/2}-\zeta _2)\) we can compute \(h = f \mod (X^{n/2}+1-\zeta _1)\). This removes the burden of multiplying by \(\zeta _2\) to perform the modular reduction: we can reuse the already computed product with \(\zeta _1\). After this trick is applied, it turns out that a standard NTT can be performed, and a 7-level NTT remains. We know that \(\zeta _1^6 \equiv 1 \mod q\). To be able to perform the 7-level NTT using \(\zeta _1\), a \(\gamma \) with \(\gamma ^{128} \equiv \zeta _1 \mod q\) is needed. Then q needs to satisfy \(q \equiv 1 \mod 768\). The smallest q that satisfies this condition is 7681. This is why [12] selects q as 7681 and \(\gamma \) such that \(\gamma ^{128} \equiv \zeta _1 \mod 7681\). This also implies that \(\gamma ^{640} \equiv \zeta _2 \mod 7681\), since \(\zeta _1^5 = \zeta _2\). After the NTT, there are 256 polynomials of degree 3 in \(\mathbb {Z}_q[X]/(X^3 \pm r)\).
In order to keep the total number of NTT levels the same for all of our implementations, we changed the parameters of [12]. Our algorithm for \(n=512\) and \(n=1024\) has a 7-level NTT. Therefore, in order to use a 7-level NTT, q needs to satisfy \(q \equiv 1 \mod 384\) so that a \(\gamma \) with \(\gamma ^{64} \equiv \zeta _1 \mod q\) exists. We cannot use 3329, since \(3329 \ne 1 \mod 384\). The smallest such q is 3457. However, 3457 cannot be used for the other rings \(\mathbb {Z}_{q}/(X^{512}+1)\) and \(\mathbb {Z}_{q}/(X^{1024}+1)\), because a 256-th root of unity does not exist (\(3457 \ne 1 \mod 256\)), so there is no \(\gamma \) such that \(\gamma ^{256}=1\) and a 7-level NTT is not possible. Therefore, we have selected our parameters for \(n=768\) as \(q=3457\) and noise parameter \(k=2\). Using the “PQSecurity.py” script provided by NewHope, the post-quantum bit-security is estimated as 163. The output of this script is given in Table 7. Therefore, the parameter set achieves NIST security level 3.
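The two steps above, the first CRT level with the shared \(\zeta _1\) product and the choice of q and \(\gamma \), worked through as an added example with q = 3457; this is not the authors' code, and the function names, the test polynomial and the cross-check against a naive reduction are this example's own constructions.

```python
# Added example (not the paper's code): the parameter conditions and the
# first CRT level of Z_q[X]/(X^768 - X^384 + 1) from Appendix A, with q = 3457.
N = 768
HALF = N // 2

def primitive_sixth_roots(q):
    """Roots of X^2 - X + 1 mod q, i.e. the primitive sixth roots of unity.
    Empty when q != 1 (mod 6), which is the case for the Kyber prime 3329."""
    return [z for z in range(2, q) if (z * z - z + 1) % q == 0]

def find_gamma(q, zeta1, exp):
    """Smallest gamma with gamma^exp = zeta1 (mod q). Such a gamma has order
    6*exp, so it exists only when q = 1 (mod 6*exp); returns None otherwise."""
    for g in range(2, q):
        if pow(g, exp, q) == zeta1:
            return g
    return None

def first_level_crt(f, q, zeta1):
    """Split f (N coefficients, lowest degree first) into
    f mod (X^HALF - zeta1) and f mod (X^HALF - zeta2) with zeta2 = 1 - zeta1.
    Writing f = lo + X^HALF * hi, the images are lo + zeta1*hi and
    lo + hi - zeta1*hi, so the product zeta1*hi is computed once and reused."""
    lo, hi = f[:HALF], f[HALF:]
    g, h = [], []
    for a, b in zip(lo, hi):
        t = (zeta1 * b) % q        # the only multiplication per coefficient pair
        g.append((a + t) % q)      # X^HALF -> zeta1
        h.append((a + b - t) % q)  # X^HALF -> 1 - zeta1 = zeta2
    return g, h

def naive_reduce(f, q, zeta):
    """Reference reduction of f modulo X^HALF - zeta, used to cross-check."""
    return [(f[i] + zeta * f[i + HALF]) % q for i in range(HALF)]

def paper_parameters(q=3457, exp=64):
    """Reproduce the Appendix A choices: zeta1, zeta2 = 1 - zeta1 and a gamma
    with gamma^64 = zeta1, which also gives gamma^320 = zeta1^5 = zeta2.
    With q=7681, exp=128 the same function yields the parameters of [12]."""
    zeta1, zeta2 = primitive_sixth_roots(q)
    gamma = find_gamma(q, zeta1, exp)
    return {"zeta1": zeta1, "zeta2": zeta2, "gamma": gamma}
```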
Although there are different approaches, such as [8], to analyze the failure probability for our parameters, we follow the approach of [3]. However, because the underlying ring has a trinomial quotient, each coefficient of the result of a multiplication becomes a sum of \(\frac{n}{2}\) products of the form \(ab+b'(a+a')\), where \(a, a', b, b'\) are drawn from \(\psi _{2}\). Although some coefficients of the result have terms of the form \(ab+ab'\) in their sum, we use the first form for simplicity, as also suggested in [12]. Thus, the result is a sum of \(\frac{n}{2}\) products of the form \(ab+b'(a+a')\). This computation gives a failure probability of \(2^{-170}\) for \(n=768\).
The sizes of public key, secret key, and ciphertext when q is selected as 3457 are 1184 bytes, 2400 bytes and 1568 bytes respectively.
Benchmark results for our C implementation can be found in Table 8. It is 1.18 times faster than the non-optimized reference implementation of Kyber.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Alkım, E., Bilgin, Y.A., Cenk, M. (2019). Compact and Simple RLWE Based Key Encapsulation Mechanism. In: Schwabe, P., Thériault, N. (eds) Progress in Cryptology – LATINCRYPT 2019. LATINCRYPT 2019. Lecture Notes in Computer Science(), vol 11774. Springer, Cham. https://doi.org/10.1007/978-3-030-30530-7_12
Print ISBN: 978-3-030-30529-1
Online ISBN: 978-3-030-30530-7