Improved Ring LWR-Based Key Encapsulation Mechanism Using Cyclotomic Trinomials
- Authors
- Park, So Hyun; Kim, Suhri; Lee, Dong Hoon; Park, Jong Hwan
- Issue Date
- 2020
- Publisher
- IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
- Keywords
- Encoding; NIST; Public key; Encapsulation; Error correction codes; Cyclotomic trinomial; key encapsulation mechanism; lattice-based encryption; post-quantum cryptography; ring-LWR problem
- Citation
- IEEE ACCESS, v.8, pp.112585 - 112597
- Indexed
- SCIE
SCOPUS
- Journal Title
- IEEE ACCESS
- Volume
- 8
- Start Page
- 112585
- End Page
- 112597
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/58948
- DOI
- 10.1109/ACCESS.2020.3002223
- ISSN
- 2169-3536
- Abstract
- In the field of post-quantum cryptography, lattice-based cryptography has received the most noticeable attention. Most lattice-based cryptographic schemes are constructed based on the polynomial ring R-q = Z(q) [x]/f (x), using a cyclotomic polynomial f (x). Until now, the most preferred cyclotomic polynomials have been x(n) + 1, where n is a power of two, and x(n) + ... + x + 1, where n + 1 is a prime. The former results in the smallest decryption error size, but the choice of degree is limited. On the other hand, the latter gives rise to the largest decryption error size, but the choice of degree is very flexible. In this paper, we use a new polynomial ring R-q = Z(q)/f (x) with a cyclotomic trinomial f (x) = x(n) - x(n/2) + 1 as an intermediate that combines the advantages of the other rings. Since the degree n is chosen freely as n D 2(a)3(b) for positive integers a and b, the choice of the degree n is moderate. Furthermore, since the error propagation is small in the middle of polynomial multiplication in the new ring, if the middle part is truncated and used, the decryption error size can be reduced. Based on these observations, we propose a new, practical key encapsulation mechanism (KEM) that is constructed over a ring with a cyclotomic trinomial. The security of our KEM is based on the hardness of ring learning-with-rounding (LWR) problems. With appropriate parameterization for the current 128-bit security model, we show that our KEM obtains shorter secret keys and ciphertexts, especially compared to the previous Ring-LWR-based KEM, Round5, with no error correction code. We then implement our KEM and compare its performance with that of several KEMs that were presented in the second round of the NIST PQC conference.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - School of Cyber Security > Department of Information Security > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.