Compact and Simple RLWE Based Key Encapsulation Mechanism

Abstract

In this paper, we propose a key encapsulation scheme based on NewHope and Kyber, two NIST post-quantum standardization project candidates. Our scheme is based on NewHope, thus it is simple and has fast implementation while it is making use of smaller key sizes and easily changeable security level advantages of Kyber . The scheme heavily use recent advances on Number Theoretic Transform (NTT) in a way that transformation from one degree polynomial to another is easy. To make it possible, we changed the definition of component in component-wise multiplication during polynomial multiplication and show that changing security level only requires to change the size of polynomial and the definition of component. Our scheme has \(11.5\%\) smaller communication cost for the same security level comparing with NewHope. In addition, it is at least \(17\%\) faster C implementation comparing with non-optimized Kyber implementation from the first round of the NIST standardization process.

A An Implementation for n = 768

NewHope does not offer a parameter set for NIST security level 3. However, a recent observation by [12] made it possible by offering a new ring structure \(\mathbb {Z}_{q}/(X^{768}-X^{384}+1)\). They start with splitting this polynomial into two polynomials of the form \(X^{n/2} - \zeta _1\) and \(X^{n/2} - \zeta _2\) such that \(\zeta _1\) and \(\zeta _2\) are two primitive sixth root of unity and \(\zeta _1 + \zeta _2 = 1\), \(\zeta _1 \cdot \zeta _2 = 1\). The CRT map of this ring is as follows:

Let \(f \in \mathcal {R}_q\). Then, in order to get the coefficients after the first level, we need to compute:

We know that \(\zeta _2 = 1 - \zeta _1\). Therefore, instead of computing \(h = f \mod (X^{n/2}-\zeta _2)\) we can compute \(h = f \mod (X^{n/2}+1-\zeta _1)\). Therefore, the burden of multiplication with \(\zeta _2\) to perform the modular reduction is removed. We can benefit from the already computed product with \(\zeta _1\). After this trick is applied, it turns out that a standard NTT can be performed. We have 7-level NTT left. We know that \(\zeta _1^6 \equiv 1 \mod q\). To be able to perform 7-level NTT by using \(\zeta _1\), \(\gamma ^{128} \equiv \zeta _1 \mod q\) is needed. Then, q needs to satisfy \(q \equiv 1 \mod 768\). The smallest q that satisfies this condition is 7681. That’s why, [12] selects q as 7681 and \(\gamma \) such that it satisfies \(\gamma ^{128} \equiv \zeta _1 \mod 7681\). This also implies that \(\gamma ^{640} \equiv \zeta _2 \mod 7681\), since \(\zeta _1^5 = \zeta _2\). After NTT, there are 256 polynomials of degree 3 in \(\mathbb {Z}_q[X]/(X^3 \pm r)\).

In order to keep our total NTT level the same for all of our implementations, we changed the parameters of [12]. Our algorithm for \(n=512\) and \(n=1024\) has 7-level NTT. Therefore, in order to use 7-level NTT q needs to satisfy \(q \equiv 1 \mod 384\) so that \(\gamma ^{64} \equiv \zeta _1 \mod q\) exits. We cannot use 3329, since \(3329 \ne 1 \mod 384\). The smallest such q is 3457. However, 3457 cannot be used for other rings \(\mathbb {Z}_{q}/(X^{512}+1)\) and \(\mathbb {Z}_{q}/(X^{1024}+1)\), because 256-th root of unity does not exits (\(3457 \ne 1 \mod 256\)) so there is no \(\gamma \) such that \(\gamma ^{256}=1\) and 7-level NTT is not possible. Therefore, we have selected our parameters for \(n=768\) as \(q=3457\), noise parameter \(k=2\). By using the “PQSecurity.py” script provided by NewHope, the post-quantum bit-security is estimated as 163. The result of this script is given in Table 7. Therefore, it achieves NIST security level 3.

Table 7. Core hardness of NewHope-Compact768

Although there are different approaches like [8] to analyze the failure probability for our parameters, we follow the approach from [3]. But because the underlying ring has trinomial quotient, each coefficients of the result of multiplication becomes a sum of \(\frac{n}{2}\) multiplication of elements in the form of \(ab+b'(a+a')\), where \(a, a', b, b'\) from \(\psi _{2}\). Although some coefficients of the result are of the form \(ab+ab'\) in their sum, we use the first form for simplicity, which is also suggested in [12]. Thus, the result is a sum of \(\frac{n}{2}\) multiplication of the form of \(ab+b'(a+a')\). This computation gave us \(2^{-170}\) failure probability for \(n=768\).

The sizes of public key, secret key, and ciphertext when q is selected as 3457 are 1184 bytes, 2400 bytes and 1568 bytes respectively.

Benchmark results for our C implementation can be found on Table 8. It is 1.18 times faster than non-optimized reference implementation of Kyber.

Table 8. Cycle counts of Kyber and NewHope C reference (non-optimized) implementation