Abstract
In the field of post-quantum cryptography, lattice-based cryptography has received the most attention. Most lattice-based schemes are constructed over the polynomial ring $R_q = \mathbb{Z}_q[x]/(f(x))$ for a cyclotomic polynomial $f(x)$. Until now, the most commonly used cyclotomic polynomials have been $x^n + 1$, where $n$ is a power of two, and $x^n + \cdots + x + 1$, where $n + 1$ is prime. The former gives the smallest decryption error, but the choice of degree is limited; the latter gives the largest decryption error, but the choice of degree is very flexible. In this paper, we use a new polynomial ring $R_q = \mathbb{Z}_q[x]/(f(x))$ with the cyclotomic trinomial $f(x) = x^n - x^{n/2} + 1$ as an intermediate that combines the advantages of the other two rings. Since the degree can be any $n = 2^a 3^b$ for positive integers $a$ and $b$, the choice of degree is moderately flexible. Furthermore, since error propagation is small in the middle coefficients of a polynomial product in the new ring, the decryption error can be reduced by truncating the product and using only its middle part. Based on these observations, we propose a new, practical key encapsulation mechanism (KEM) constructed over a ring with a cyclotomic trinomial. The security of our KEM is based on the hardness of the ring learning-with-rounding (Ring-LWR) problem. With parameters chosen for the 128-bit security level, we show that our KEM obtains shorter secret keys and ciphertexts, especially compared to the previous Ring-LWR-based KEM, Round5 without error correction code. We then implement our KEM and compare its performance with that of several KEMs presented in the second round of the NIST PQC conference.
Highlights
As quantum computers advance, post-quantum cryptography has become one of the most demanding research topics
Unlike previous Ring-LWR-based key encapsulation mechanisms (KEMs), our scheme is constructed over a ring with the cyclotomic trinomial $x^n - x^{n/2} + 1$, where $n = 2^a 3^b$ for positive integers $a$ and $b$
While the two polynomial rings $\mathbb{Z}_q[x]/(x^n + 1)$ and $\mathbb{Z}_q[x]/(x^n + \cdots + x + 1)$ have been used to construct several KEMs presented in the second round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) conference, the two rings have opposite advantages and disadvantages with respect to the density of the parameter space and the decryption failure rate
Summary
Post-quantum cryptography has become one of the most demanding research topics. Analogously to the LWR problem, the Ring-LWR problem was defined in [3], and several PKE/KEM schemes [7], [8] based on Ring-LWR have been proposed; they have the advantages of shorter bandwidth and no error sampling. Because of these efficiency gains, most of the lattice-based PKE/KEM candidates presented in the second round of the NIST PQC conference were constructed on the hardness of the Ring-LWE or Ring-LWR problems or their variants. Fixed-weight ternary distribution: following Round5 [8], the two secret polynomials $r$ and $s$ in our KEM are sampled from a fixed-weight ternary distribution, and only the positions of the non-zero coefficients are stored, in an array called 'index'. We adopt this index-based representation to make polynomial multiplication in the new ring simple and fast.
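Added example, not code from the paper: a Python toy model of the two ring-level ingredients described above, the reduction modulo the trinomial $x^n - x^{n/2} + 1$ from the abstract and the index-based multiplication by a fixed-weight ternary secret from the Summary. The parameters n = 12 and q = 1024, the weight h, the seed and all function names are assumptions for illustration, not the paper's parameters. `fold_counts` counts how many products of the full convolution each output coefficient collects after reduction; for $x^n + 1$ that count is n at every position, whereas here it varies with the position, which is the observation behind the truncation the abstract describes.

```python
# Added example (not the paper's code): toy arithmetic in
# R_q = Z_q[x]/(x^n - x^{n/2} + 1) with assumed parameters n = 12, q = 1024.
import random


def is_valid_degree(n):
    """True iff n = 2^a * 3^b with a, b >= 1 (the degrees the trinomial ring allows)."""
    if n < 2 or n % 2:
        return False
    a = b = 0
    while n % 2 == 0:
        n //= 2
        a += 1
    while n % 3 == 0:
        n //= 3
        b += 1
    return n == 1 and a >= 1 and b >= 1


def reduce_trinomial(c, n, q):
    """Reduce a convolution of length 2n-1 modulo x^n - x^{n/2} + 1.

    Applies x^n = x^{n/2} - 1 from the highest term downward; every fold lands on a
    strictly lower degree, so terms above n-1 that a fold produces are folded again
    when the loop reaches them.
    """
    m = n // 2
    c = list(c)
    for k in range(len(c) - 1, n - 1, -1):
        coef = c[k]
        if coef:
            c[k] = 0
            c[k - n + m] = (c[k - n + m] + coef) % q  # x^k -> +x^{k-n+n/2}
            c[k - n] = (c[k - n] - coef) % q          # x^k -> -x^{k-n}
    return [v % q for v in c[:n]]


def poly_mul(a, b, n, q):
    """Dense schoolbook product followed by trinomial reduction (reference)."""
    c = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % q
    return reduce_trinomial(c, n, q)


def sample_fixed_weight_ternary(n, h, rng):
    """Fixed-weight ternary polynomial: h/2 coefficients +1, h/2 coefficients -1."""
    s = [0] * n
    idx = rng.sample(range(n), h)
    for i in idx[: h // 2]:
        s[i] = 1
    for i in idx[h // 2:]:
        s[i] = -1
    return s


def ternary_to_index(s):
    """The 'index' representation: positions of the +1 and of the -1 coefficients."""
    return ([i for i, v in enumerate(s) if v == 1],
            [i for i, v in enumerate(s) if v == -1])


def poly_mul_index(a, pos, neg, n, q):
    """Multiply dense a by a sparse ternary polynomial given as index arrays.

    Only shifted additions and subtractions of a are needed, no coefficient
    multiplications, which is the point of the index representation.
    """
    c = [0] * (2 * n - 1)
    for i in pos:
        for j, aj in enumerate(a):
            c[i + j] += aj
    for i in neg:
        for j, aj in enumerate(a):
            c[i + j] -= aj
    return reduce_trinomial([v % q for v in c], n, q)


def index_matches_dense(n, q, h, seed):
    """Check that the index-based product equals the dense reference product."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]  # constructed random public poly
    s = sample_fixed_weight_ternary(n, h, rng)
    pos, neg = ternary_to_index(s)
    return poly_mul(a, s, n, q) == poly_mul_index(a, pos, neg, n, q)


def fold_counts(n):
    """Number of products a_i*b_j folded into each output coefficient.

    Coefficient k of the full convolution is a sum of min(k+1, 2n-1-k) products;
    folding x^k modulo the trinomial sends all of them to the surviving index.
    """
    counts = [0] * n
    big_q = 1 << 62  # large modulus so a -1 contribution stays non-zero
    for k in range(2 * n - 1):
        terms = min(k + 1, 2 * n - 1 - k)
        unit = [0] * (2 * n - 1)
        unit[k] = 1
        for i, v in enumerate(reduce_trinomial(unit, n, big_q)):
            if v:
                counts[i] += terms
    return counts


if __name__ == "__main__":
    n, q = 12, 1024
    print("n valid:", is_valid_degree(n))
    print("index == dense:", index_matches_dense(n, q, 4, 1))
    print("products folded per coefficient:", fold_counts(n))
```

For n = 12 the lower half of the output collects between 12 and 17 products per coefficient and the upper half 18, against a flat 12 for $x^n + 1$ of the same degree; a real implementation would replace the schoolbook loops with the paper's fast multiplication, but the folding pattern is what decides which coefficients are worth keeping.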