Try   HackMD

TODOs

  • trait for Ring, PolynomialRing, Module
  • implement cyclotomic polynomial and rings, and arithemetics
  • trait for Sampler
  • implement uniform sampler
  • implement CBD Sampler
  • (De)compression
  • (De)serialization
  • implement NTT
  • CPA-PKE.KeyGen, Enc, Dec
  • CCA-KEM.KeyGen, Encapsulate, Decapsulate (use RustCrypto's trait)
  • End-to-end Testvectors
  • Benchmarks & Profiling

System parameters

  • Degree of ring (over
    Z
    ):
    n=256
  • Rank of Mod-LWE:
    k
    • number of samples in RLWE
      m=k
      , thus ignored
  • Modulus for quotient ring:
    q=3329
  • Error distribution:
    η1,η2
    • central binomial distribution
      Bη
      (see definition below)
    • only for Kyber512,
      η1>η2
      , for the rest,
      η1=η2
    • secret
      s
      also drawn from this distribution, see rationale in the slide
  • Ciphertext round-off bits:
    du,dv
    • ct.u
      truncates to
      Z2du
      ,
      ct.v
      truncates to
      Z2dv
    • "truncate" means dropping the LSB of each coeff (originally
      Zq
      )

Building blocks

Algebriac Objects

Ring

R, Quotient Ring
Rq
, Module
M=Rqk
, Matrix (
Rqk×m
) and matrix multiplication.
Polynomial ring with polynomial modulo operation.

NTT

See Kyber spec.

Uniform Sampler

Idea behind

Parse() is simple: since
211<q<212
, let's use every 12 bits from a uniform random bytes string to generate a coeff in the NTT form of
Rq
.
Furthermore, when the 12-bit value
>q
, reject it.
Every 2 12-bit = 3 bytes, thus every 3 bytes can product at most 2
R^q
elements subject the sample rejection.

CBD Sampler

To sample a value from

Bη: Sample
(a1,,aη,b1,,bη){0,1}2η
, outputs
i=[η]aibi
.
To sample a
Rq
, just sample each coeff from
Bη
.

(De)Compression

  • Rounding/Discretization:
    :QZ
  • Compress:
    Compressq(x,d)=(2d/q)xmod2d
    • for
      xZq
    • for
      xRq
      (coeff-wise)
  • Decompress:
    Decompressq(x,d)=(q/2d)x
    • for
      xZq
    • for
      xRq
      (coeff-wise)

(De)Serialization

Namely Encoding/Decoding in Kyber Spec.

  • serde for ring element:
    Decode12(pkB32×12)Rq
  • serde for message:
    Decode1(msg{0,1}32)R2Rq

Symmetric Primitives

All available in RustCryto

FLPS-202 90s variant
PRF SHAKE-256 AES-256-CTR
XOF SHAKE-128 AES-256-CTR
KDF SHAKE-256 SHA-256
Hash.H SHA3-256 SHA-256
Hash.G SHA3-512 SHA-512

CPA-PKE + FO-derived KEM

See Algorithm 4~9 in Kyber's spec.

References