
Round5 relies on an IND-CCA KEM specified in Algorithms 7, 8, and 9. The same algorithms are described from an implementation perspective in Algorithms 19, 20, and 21.

Algorithm 19: r5_cca_kem_keygen

  output: pk: ⌈κ_bytes + n̄·d/n·n·p_bits/8⌉ byte string
  output: sk: ⌈3·κ_bytes + n̄·d/n·n·p_bits/8⌉ byte string

  1  (pk, sk) = r5_cpa_pke_keygen()
  2  y = randombytes(κ_bytes)
  3  sk = sk || y || pk
  4  return (pk, sk)

Algorithm 20: r5_cca_kem_encapsulate

  input:  pk: ⌈3·κ_bytes + (n̄·d/n·n·p_bits)/8⌉ byte string
  output: ct: ⌈κ_bytes + (n̄·d/n·n·p_bits + μ·t_bits)/8⌉ byte string
  output: k: κ_bytes byte string

  1  m = randombytes(κ_bytes)
  2  L || g || ρ = hash(3·κ_bytes, m || pk, ⌈2·κ_bytes + (n̄·d/n·n·p_bits)/8⌉, "", 0)
  3  (U, v) = r5_cpa_pke_encrypt(pk, m, ρ)
  4  ct = U || v || g
  5  k = hash(κ_bytes, L || ct, κ_bytes + ⌈(n̄·d/n·n·p_bits + μ·t_bits)/8⌉, "", 0)
  6  return (ct, k)

Algorithm 21: r5_cca_pke_decapsulate

  input:  sk: ⌈3·κ_bytes + n̄·d/n·n·p_bits/8⌉ byte string
  input:  ct: ⌈κ_bytes + (n̄·d/n·n·p_bits + μ·t_bits)/8⌉ byte string
  output: k: κ_bytes byte string

  1  m′ = r5_cpa_pke_decrypt(sk, ct)
  2  L′ || g′ || ρ′ = hash(3·κ_bytes, m′ || pk, ⌈2·κ_bytes + (n̄·d/n·n·p_bits)/8⌉, "", 0)
  3  (U′, v′) = r5_cpa_pke_encrypt(pk, m′, ρ′)
  4  hash_input = L′ || ct
  5  fail = verify(ct, ct′, ⌈κ_bytes + (n̄·d/n·n·p_bits + μ·t_bits)/8⌉)
  6  conditional_constant_time_memcpy(hash_input, y, κ_bytes, fail)
  7  k = hash(κ_bytes, hash_input, 2·κ_bytes + ⌈(n̄·d/n·n·p_bits + μ·t_bits)/8⌉, "", 0)
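The wrapper of Algorithms 19, 20 and 21 (key generation that stores y and pk inside sk, encapsulation that derives L, g and ρ from m || pk, and decapsulation that re-encrypts, compares, and substitutes y for L′ on failure), as an added runnable example that is not part of the Round5 submission or its reference code. It assumes a toy CPA PKE (toy_cpa_pke_*) that only stands in for r5_cpa_pke_* and has no security (its pk is a hash of sk and its keystream depends only on pk), SHAKE256 in place of Round5's hash(·) with the length arguments dropped, κ_bytes = 32, and a byte-mask select standing in for conditional_constant_time_memcpy.

```python
import hashlib
import hmac
import secrets

# Assumed toy parameter (not a Round5 parameter set): seed and key length in bytes.
KAPPA_BYTES = 32


def hash_xof(out_len: int, data: bytes) -> bytes:
    """Stand-in for Round5's hash(out_len, data, len(data), "", 0): SHAKE256 of chosen length."""
    return hashlib.shake_256(data).digest(out_len)


def _split3(buf: bytes):
    """Split a 3*KAPPA_BYTES buffer into (L, g, rho) as in step 2 of Algorithms 20 and 21."""
    return buf[:KAPPA_BYTES], buf[KAPPA_BYTES:2 * KAPPA_BYTES], buf[2 * KAPPA_BYTES:]


def ct_select(a: bytes, b: bytes, flag: int) -> bytes:
    """Return a when flag == 0 and b when flag == 1 using a byte mask instead of a branch.
    Mirrors conditional_constant_time_memcpy; pure Python is not genuinely constant-time."""
    mask = (-flag) & 0xFF
    return bytes((x & ~mask & 0xFF) | (y & mask) for x, y in zip(a, b))


# --- Hypothetical toy CPA PKE standing in for r5_cpa_pke_*; NOT secure, NOT a public-key scheme ---
# pk is a hash of sk and the keystream depends only on pk, so anyone holding pk can decrypt.
# It exists only so that the CCA wrapper below can be exercised end to end.

def toy_cpa_pke_keygen():
    sk = secrets.token_bytes(KAPPA_BYTES)
    pk = hash_xof(KAPPA_BYTES, b"toy-pk" + sk)
    return pk, sk


def toy_cpa_pke_encrypt(pk: bytes, m: bytes, rho: bytes):
    # U plays the role of the rho-dependent ciphertext part, v carries the message.
    U = hash_xof(KAPPA_BYTES, b"toy-U" + pk + rho)
    pad = hash_xof(len(m), b"toy-pad" + pk + U)
    v = bytes(a ^ b for a, b in zip(m, pad))
    return U, v


def toy_cpa_pke_decrypt(sk: bytes, ct: bytes) -> bytes:
    pk = hash_xof(KAPPA_BYTES, b"toy-pk" + sk)
    U, v = ct[:KAPPA_BYTES], ct[KAPPA_BYTES:2 * KAPPA_BYTES]
    pad = hash_xof(len(v), b"toy-pad" + pk + U)
    return bytes(a ^ b for a, b in zip(v, pad))


# --- CCA KEM wrapper following Algorithms 19-21 ---

def r5_cca_kem_keygen():
    pk, sk_cpa = toy_cpa_pke_keygen()          # step 1
    y = secrets.token_bytes(KAPPA_BYTES)       # step 2: secret used on decapsulation failure
    sk = sk_cpa + y + pk                       # step 3: sk = sk || y || pk
    return pk, sk


def r5_cca_kem_encapsulate(pk: bytes):
    m = secrets.token_bytes(KAPPA_BYTES)                        # step 1
    L, g, rho = _split3(hash_xof(3 * KAPPA_BYTES, m + pk))      # step 2
    U, v = toy_cpa_pke_encrypt(pk, m, rho)                      # step 3: deterministic given rho
    ct = U + v + g                                              # step 4
    k = hash_xof(KAPPA_BYTES, L + ct)                           # step 5
    return ct, k


def r5_cca_kem_decapsulate(sk: bytes, ct: bytes) -> bytes:
    sk_cpa = sk[:KAPPA_BYTES]
    y = sk[KAPPA_BYTES:2 * KAPPA_BYTES]
    pk = sk[2 * KAPPA_BYTES:]
    m_p = toy_cpa_pke_decrypt(sk_cpa, ct)                          # step 1
    L_p, g_p, rho_p = _split3(hash_xof(3 * KAPPA_BYTES, m_p + pk)) # step 2
    U_p, v_p = toy_cpa_pke_encrypt(pk, m_p, rho_p)                 # step 3: re-encrypt
    ct_p = U_p + v_p + g_p
    fail = 0 if hmac.compare_digest(ct, ct_p) else 1               # step 5: 1 on mismatch
    prefix = ct_select(L_p, y, fail)                               # steps 4 and 6
    return hash_xof(KAPPA_BYTES, prefix + ct)                      # step 7: implicit rejection
```

On an unmodified ciphertext both sides derive the same k. On a modified one the re-encryption check fails and the key becomes hash(y || ct): the caller receives a pseudorandom but wrong key rather than an error, and the choice between L′ and y is made with a mask rather than a data-dependent branch, which is what step 6 of Algorithm 21 is for.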

A  Formal security of Round5

This section contains details on the formal security of Round5, its algorithms and building blocks. It is organized as follows: Section A.2 introduces notions of security based on indistinguishability of ciphertexts or encapsulated keys. Section A.3 gives results (existing and new) on the hardness of our underlying problem, or rather the two specific instances of it we use – the Learning with Rounding problem with sparse ternary secrets (LWRspt) and the Ring Learning with Rounding problem with sparse ternary secrets (RLWRspt). Sections A.6 and A.7 contain the first main result of this section – a proof of IND-CPA security for r5_cpa_kem (Theorem A.6.0.1), and a proof of IND-CCA security of r5_cca_pke (Theorems A.7.0.1 and A.7.0.2), assuming the hardness of the above problems. Finally, Section A.8 and Theorem A.8.0.1 contain the second main result of this section: a proof of the hardness of LWRspt, the underlying problem of our schemes for the non-ring case (i.e., for n = 1), in the form of a polynomial-time reduction to it from the Learning with Errors (LWE) problem with secrets uniformly chosen from Z_q^d and errors drawn according to a Gaussian distribution.

A.1  Deterministic generation of A

The General Learning with Rounding (GLWR) public parameter A in Round5 is generated using the function f_{d,n}(τ) from a short random seed (see Section 1.4.2). The core component in f_{d,n}(τ) responsible for deterministically expanding this short random seed into a longer random sequence is either AES (128 or 256) [44] or SHAKE (128 or 256) [45]. In order to relate Round5's security to the hardness of the GLWR problem, we reuse Naehrig et al.'s argument in [75] to argue that we can replace a uniformly sampled matrix A ∈ R_{n,q}^{d/n × d/n} with matrices sampled according to Round5's key-generation algorithm, for both of the above two algorithms, while considering a realistic adversary with access to the seed. The proof for both the cases of AES and SHAKE proceeds by using the notion of indifferentiability [71, 37, Def. 3], in exactly the same manner as in [75, Sec. 5.1.4].

In the case of AES, the proof holds directly for the instantiation f_{d,n}(0), and also for f_{d,n}(1) when the function permutes complete AES blocks. We explain the intuition behind the proof. Let F denote an "ideal domain expansion" primitive that expands a short random seed, block-wise, into a larger sequence, such that each block is unique and also sampled uniformly at random. In our security reductions, the GLWR public parameter A is generated by querying the GLWR oracle. It can be shown that marginally increasing the number of calls to the GLWR oracle makes it possible to construct a GLWR matrix A that fits (with high probability) the output distribution of F, without deteriorating the problem's hardness [75, Sec. 5.1.4]. Next, we consider a construction C_G in the Ideal Cipher model implementing F as AES (as in Round5). It can be shown that C_G is indifferentiable from F [75, Sec. 5.1.4]. This therefore allows us to replace the uniformly random sampling of A in the GLWR problem with one generated as in Round5's f_{d,n}(τ) without affecting security. By definition, this is directly possible if τ = 0; it also holds for τ = 1 if f_{d,n}(1) permutes complete AES blocks.

Next, we explain the intuition behind the proof when SHAKE is used in f_{d,n}(0) or f_{d,n}(1). In the random oracle model, SHAKE is an ideal XOF [43]. It can be shown [75, Sec. 5.1.4] that SHAKE can be modeled as an ideal hash function used to expand a seed into each row of the matrix A, each step being independent, thereby expanding the uniformly random seed into a larger uniformly random matrix. This construction implements the ideal functionality F perfectly, completing the proof. We refer to [75, Sec. 5.1.4] for details.
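The row-wise seed expansion the SHAKE argument relies on (one independent XOF stream per row of A), as an added example that is not Round5's f_{d,n}(τ) from Section 1.4.2 and not the submission's code. It assumes the non-ring case n = 1 with A ∈ Z_q^{d×d}, SHAKE256 keyed per row by seed || row_index, and rejection sampling so that entries stay uniform modulo q even when q is not a power of two; the parameters passed in (seed, d, q) are constructed for the demonstration.

```python
import hashlib


def expand_row(seed: bytes, row_index: int, width: int, q: int) -> list:
    """Derive row `row_index` of A from the seed.

    Each row gets its own SHAKE256 stream, domain-separated by the row index, which is the
    "independent step per row" modelling used in the indifferentiability argument.
    Candidates are masked to bit_length(q - 1) bits and rejected if >= q, so the entries are
    uniform on {0, ..., q - 1}; for a power-of-two q the mask alone suffices and nothing is
    ever rejected.
    """
    xof = hashlib.shake_256(seed + row_index.to_bytes(4, "little"))
    nbits = (q - 1).bit_length()
    nbytes = (nbits + 7) // 8
    mask = (1 << nbits) - 1
    row, pos = [], 0
    buf_len = 2 * nbytes * width          # oversample a little so one call usually suffices
    buf = xof.digest(buf_len)
    while len(row) < width:
        if pos + nbytes > len(buf):
            # SHAKE output is prefix-consistent: a longer digest extends the same stream,
            # so we can keep consuming from `pos` after re-requesting more bytes.
            buf_len *= 2
            buf = xof.digest(buf_len)
        cand = int.from_bytes(buf[pos:pos + nbytes], "little") & mask
        pos += nbytes
        if cand < q:                       # rejection step keeps the distribution uniform
            row.append(cand)
    return row


def generate_A(seed: bytes, d: int, q: int) -> list:
    """Expand a seed into a d x d matrix over Z_q, one independent SHAKE stream per row."""
    return [expand_row(seed, i, d, q) for i in range(d)]


if __name__ == "__main__":
    # Constructed inputs: a fixed 32-byte seed, d = 4, and q = 1009 (not a Round5 parameter).
    for r in generate_A(b"\x00" * 32, 4, 1009):
        print(r)
```

Two things to check when auditing such an expander: that the per-row domain separation really differs per row (otherwise rows collide and A is no longer uniformly random), and that non-power-of-two moduli are handled by rejection rather than by a plain `% q`, which biases the small residues.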