2018
DOI: 10.1007/978-3-319-89339-6_16

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

Abstract: In this paper, we introduce Saber, a package of cryptographic primitives whose security relies on the hardness of the Module Learning With Rounding problem (Mod-LWR). We first describe a secure Diffie-Hellman type key exchange protocol, which is then transformed into an IND-CPA encryption scheme and finally into an IND-CCA secure key encapsulation mechanism using a post-quantum version of the Fujisaki-Okamoto transform. The design goals of this package were simplicity, efficiency and flexibility resulting in t…

Cited by 212 publications (202 citation statements)
References 35 publications
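“…Note that we also ignored the constraint on the number of samples $m$ as Duc et al did. We set $a = \frac{1}{\ln 2} W\left(\frac{n \ln q \ln 2}{\pi \alpha_{\mathrm{lwr}}^2}\right)$ and calculate $m_{\mathrm{LWR}}$ and $C_{\mathrm{LWR}}$ in (5) and (10), respectively. We also set = 0.01 in Table 1, † Let $\tilde{a}$ satisfies $e^{\pi \alpha_{\mathrm{lwr}}^2 2^{\tilde{a}}} = q^{n/\tilde{a}}$, and Let $t_{\tilde{a}}$ be the time complexity with $a = \tilde{a}$, namely $t_{\tilde{a}} = O\left(e^{\pi \alpha_{\mathrm{lwr}}^2 2^{\tilde{a}}} \left(\frac{n}{a}\right) \ln q\right)$.…”
Section: Concrete Analysis | mentioning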
confidence: 99%
“…Subsequently, NIST announced 26 second-round candidates selected from the 69 first-round candidates in January 2019. LWE-based [3]-[5] and LWR-based [10], [12] schemes still remain on the second-round candidate list. Therefore, studies on the algorithms for solving LWE and LWR are important for design and security analysis of post-quantum cryptosystems.…”
Section: Introduction | mentioning
confidence: 99%
“…These are frequently combined with the usage of polynomial matrix elements, resulting in Ring-LWE or Mod-LWE schemes such as New Hope [1], LAC [14], LIMA [16], R.Emblem [15] and Kyber [2]. Some schemes further reduce their communication bandwidth by replacing the pseudorandomly generated error terms with rounding errors, resulting in Ring-LWR and Mod-LWR schemes as in Round2 [8] and Saber [3] respectively.…”
Section: Introduction | mentioning
confidence: 99%