An Overview about FIPS 203: Module-Lattice-based Key-Encapsulation-Mechanism

Introduction

In August 13th, 2024, NIST announced three post-quantum cryptography standards, where two of them are from lattice-based cryptography and the other one is from hash-based cryptography. In this post, we will have an overview about FIPS 203, which specify algorithms derived from CRYSTALS-Kyber, is a key encapsulation mechanism based on module lattice.

Notation

Pre-requisited

The LWE Problem

Definition

The Learning with Errors Problem (LWE) has an important role in many cryptographic schemes that are related to lattice cryptography, so let's review this problem again.

Definition 1. For positive integer

• $(A,As+e)$ where
  $A\leftarrow {\mathbb{Z}}_q^{n\times m}$,
  $s\leftarrow [\beta {]}^m$,
  $e\leftarrow [\beta {]}^n$.
• $(A,u)$ where
  $A\leftarrow {\mathbb{Z}}_q^{n\times m}$,
  $u\leftarrow {\mathbb{Z}}_q^n$.

The crucial part that makes this problem hard is the exist of error vector

We also notice that there is nothing too special about using the uniform distribution for the secret and error terms, it just makes the presentation simpler. When rounded Gaussian distribution is chosen in the original definition of LWE, some practical implementations like Kyber uses the binomial distribution to generate the error because of it speed. To account for different distributions that one could use, we can define the LWE problem with the distribution like this:

Definition 2. For positive integer

• $(A,As+e)$ where
  $A\leftarrow {\mathbb{Z}}_q^{n\times m}$,
  $s\leftarrow {\psi }^m$,
  $e\leftarrow {\psi }^n$.
• $(A,u)$ where
  $A\leftarrow {\mathbb{Z}}_q^{n\times m}$,
  $u\leftarrow {\mathbb{Z}}_q^n$.

An LWE-based Encryption Scheme

Let's talk about an encryption scheme based on LWE, which relys on the hardness of

• Key generation:

  $$\begin{array}{rl}sk& :\mathbf{s}\leftarrow \mathbf{[}\beta {\mathbf{]}}^{\mathbf{m}}\\ pk& :(A\in {\mathbb{Z}}_q^{m\times m},t=As+e_1)\end{array}$$
  where
  $e_1\leftarrow [\beta {]}^m$

• Encryption: To encrypt a message

  $m\in \{0,1\}$, the encryptor chooses
  $r,{\mathbf{e}}_{\mathbf{2}}\leftarrow \mathbf{[}\beta {\mathbf{]}}^{\mathbf{m}}$ and
  $e_3\leftarrow [\beta ]$ and output:
  $$(u^T=r^{T}A+e_2^T,v=r^{T}t+e_3+[\frac{q}{2}]m)$$

• Decryption: To decrypt, one computes

  $v-{\mathbf{u}}^{\mathbf{T}}\mathbf{s}$. Instead of receiving message
  $m$ directly, we will get:
  $$\begin{array}{rl}v-{\mathbf{u}}^{\mathbf{T}}\mathbf{s}& =r^T(As+e_1)+e_3+\frac{q}{2}m-(r^{T}A+e_2^T)s\\ & =r^T{e}_1+e_3+\frac{q}{2}m-e_2^{T}s\end{array}$$

We can rewrite the final equation as

Lattices

The core of lattice-based cryptography, include LWE, are objects known as lattices. An

In this post, we will just learn about

For a matrix

The most well known computational problems on lattices are the following:

• Shortest Vector Problem (SVP): Given a lattice basis
  $\mathbf{B}$, find the shortest nonzero vector in
  $\mathcal{L}(\mathbf{B}\mathbf{)}$
• Closest Vector Problem (CVP): Given a lattice basis
  $\mathbf{B}$ and a target vector
  $\mathbf{t}$ (not necessarily in the lattice), find the lattice point
  $\mathbf{v}\in \mathcal{L}\mathbf{(}\mathbf{B}\mathbf{)}$ closest to
  $\mathbf{t}$
• Shortest Independent Vectors Problem (SIVP): Given a lattice basis
  $\mathbf{B}\in {\mathbb{R}}^{\mathbf{n}\times \mathbf{n}}$, find
  $n$ linearity independent lattice vectors
  $\mathbf{S}\mathbf{=}\mathbf{[}{\mathbf{s}}_{\mathbf{1}}\mathbf{,}{\mathbf{s}}_{\mathbf{2}}\mathbf{,}\mathbf{.}\mathbf{.}\mathbf{.}\mathbf{,}{\mathbf{s}}_{\mathbf{n}}\mathbf{]}$ (where
  $s_i\in \mathcal{L}(\mathbf{B}\mathbf{)}$ for all
  $i$) so that
  $max||v_i||\le max||b_i||$, where
  $||x||=\sqrt{x_1^2+x_2^2+...+x_n^2}$

We can represent the LWE problem in the language of lattices. Notice that these problems have the relationship: if someone find a way to solve one of these problems efficiently, then he/she can also solve remain problems.

Encryption over Polynomial Rings

The main inefficiency with the LWE-based encryption scheme above was that it required a large ciphertext for encrypting one bit. To deal with this, we can consider the LWE problem over high-degree polynomial rings, rather than just over

Polynomial Rings

The polynomial ring

We will work with the ring

So the addition of polynomial in

Multiplication of two polynomials in

Generalized-LWE Problems and Encryption

With the polynomial ring

Definition 3: For positive integer

• $(A,As+e)$ where
  $A\leftarrow {\mathcal{R}}_{q,f}^{n\times m}$,
  $s\leftarrow [\beta {]}^m$,
  $e\leftarrow [\beta {]}^n$.
• $(A,u)$ where
  $A\leftarrow {\mathcal{R}}_{q,f}^{n\times m}$,
  $u\leftarrow {\mathcal{R}}_{q,f}^n$.

We can also improve the LWE-based encryption scheme which are described in previous section:

• Key generation:

  $$\begin{array}{rl}sk& :\mathbf{s}\leftarrow \mathbf{[}\beta {\mathbf{]}}^{\mathbf{m}}\\ pk& :(A\in {\mathcal{R}}_{q,f}^{m\times m},t=As+e_1)\end{array}$$
  where
  $e_1\leftarrow [\beta {]}^m$

• Encryption: To encrypt a message

  $m\in {\mathcal{R}}_f$, where the coefficients are in
  $\{0,1\}$, the encryptor chooses
  $r,{\mathbf{e}}_{\mathbf{2}}\leftarrow \mathbf{[}\beta {\mathbf{]}}^{\mathbf{m}}$ and
  $e_3\leftarrow [\beta ]$ and output:
  $$(u^T=r^{T}A+e_2^T,v=r^{T}t+e_3+[\frac{q}{2}]m)$$

• Decryption: To decrypt, one computes:

  $$\begin{array}{rl}v-{\mathbf{u}}^{\mathbf{T}}\mathbf{s}& =r^T(As+e_1)+e_3+\frac{q}{2}m-(r^{T}A+e_2^T)s\\ & =r^T{e}_1+e_3+\frac{q}{2}m-e_2^{T}s\end{array}$$

And we can extract the message

Optimizations

Number Theoretic Transform

The main problem of cryptographic scheme using polynomial is the complexity of multiplying two polynomials of degree

Compression/Decompression function

A compression function is an operation that takes an element from one set into smaller target set. When the target set is bigger than start set, it will be called a decompress function.

Definition 4: For an element

We can use the function above to compress/decompress data: when we compress an element in

Lemma 1. For integers

There are two reasons for using these functions:

• Recovering the message
  $m$ from the noisy decryption output can be done using the compression function. In particular, for an element
  $x\in {\mathbb{Z}}_q,[x{]}_{q\to 2}$ will map to
  $0$ if
  $x$ is closer to
  $0$ than to
  $\frac{1}{2}$, and to
  $1$ otherwise.
• Using these function will bring bandwidth efficiency while maintaining security properties.

Key Encapsulation Mechanism

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries.

There are three algorithms in KEM - KEM-KeyGen, KEM-Encaps and KEM-Decaps.

• The key generation algorithms outputs a secret key and a public key.
• The encapsulation algorithm takes the public key as input and outputs a share key and a ciphertext.
• The decapsulation algorithm takes the ciphertext and the secret key as input and produces the same shared key as output

A CPA-secure KEM is one in which an adversary cannot distinguish the shared key from uniform when given the public key and ciphertext. Such a KEM can be constructed from any CPA-secure public key encryption scheme by simply encrypting a random message and setting it as the shared key.

Detail

Algorithms

CRYSTALS-Kyber CPA-secure Encryption Scheme

Let's talk about CRYSTALS-Kyber CPA-secure Encryption Scheme, which is based on the hardness of the generalized LWE problem. The scheme works over the ring

• Public parameters:
  $k,{\eta }_1,{\eta }_2,d_u,d_v\in {\mathbb{Z}}^{+}$
• CPA-KeyGen:
  $$\begin{array}{rl}A& \leftarrow {\mathcal{R}}_{3329,X^{256}+1}^{k\times k}\\ (s,e)& \leftarrow {\psi }_{{\eta }_1}^k\times {\psi }_{{\eta }_1}^k\\ t& =As+e\\ pk& =(A,t),sk=s\end{array}$$
• CPA-Encrypt(pk, m):
  $$\begin{array}{rl}(r,e_1,e_2)& \leftarrow {\psi }_{{\eta }_1}^k\times {\psi }_{{\eta }_2}^k\times {\psi }_{{\eta }_2}\\ u^T& =[r^{T}A+e_1^T{]}_{q\to 2^{d_u}}\\ v& =[r^{T}t+e_2+\frac{q-1}{2}m{]}_{q\to 2^{d_v}}\\ c& =(u,v)\end{array}$$
• CPA-Decrypt(sk, c):
  $$\begin{array}{rl}{u}^{\prime }& =[u{]}_{2^{d_u}\to q}\\ v^{\prime }& =[v{]}_{2^{d_v}\to q}\\ m^{\prime }& =[v-u^{T}s{]}_{q\to 2}\end{array}$$

ML-KEM

Wrapped everything above, we can talk about ML-KEM right now!

• Public parameters: Same as CPA-Encryption scheme.
• KEM-KeyGen:
  $$\begin{array}{rl}(pk,sk)& \leftarrow \text{CPA-KeyGen}\\ pk& :=(A,t),sk:=s\end{array}$$
• KEM-Encaps(pk):
  $$\begin{array}{rl}m& \leftarrow \{0,1{\}}^{256}\in {\mathcal{R}}_{X^{256}+1}\\ (K,\rho )& :=\mathcal{H}(m,pk)\in \{0,1{\}}^{512}\\ c& :=\text{CPA-Encrypt}(pk,m,\rho )\\ sk& :=K,ctxt:=c\end{array}$$
• KEM-Decaps(sk, c, h, z):
  $$\begin{array}{rl}{m}^{\prime }& :=\text{CPA-Decrypt}(sk,c)\\ (K^{\prime },{\rho }^{\prime })& :=\mathcal{H}(m^{\prime },pk)\\ c^{\prime }& :=\text{CPA-Encrypt}(pk,m^{\prime },{\rho }^{\prime })\\ c\ne c^{\prime }& ⟹K^{\prime }:=\perp \\ \text{Shared Key}& :=K^{\prime }\end{array}$$

There are some notices about ML-KEM:

• The polynomials comprising the matrix
  $A$ are sampled at random. And in order to efficiently do the multiplication
  $As$, we need to convert all polynomials in
  $A$ to their NTT representation. The best strategy here is sample
  $A$ randomly in its NTT representation. Furthermore, the public key
  $t$ should be stored in its NTT representation for many benefits it brings.
• We can't sample
  $s,e,r,e_1,e_2$ directly in their NTT representation because their distribution is not uniformly random.
• We cannot perform the compression operations
  $[.{]}_{q\to p}$ when the element is in its NTT representation.

The table below is parameters for the three instantiations of Kyber. The security of the three schemes are approximately equivalent to that of AES-128, AES-192, and AES-256, respectively.

Implementation

The implementation is described clearly at here. You can find example implementation of ML-KEM at https://github.com/Giapppp/ml-kem.

Benchmark

This part uses the implementation above to run three instantiations of Kyber. The environment uses here is MacOS Solama, 1,4 GHz Quad-Core Intel Core i5, 16 GB 2133 MHz LPDDR3.

Conclusion

FIPS 203 and the ML-KEM standard represent significant advancements in cryptographic technology, particularly in preparing for potential future threats posed by quantum computing. By understanding the parameter sets, differences from previous schemes, and practical considerations, organizations can effectively implement ML-KEM to enhance their data protection strategies.

Resources

FIPS 203: Module-Lattice-based Key-Encapsulation-Mechanism

Vadim Lyubashevsky, Basic Lattice Cryptography: The concepts behind Kyber (ML-KEM) and Dilithium (ML-DSA)