Cryptology ePrint Archive: Report 2021/1323

Anonymity of NIST PQC Round-3 KEMs

Keita Xagawa

Abstract: This paper investigates __anonymity__ of all NIST PQC Round-3 KEMs: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime (Streamlined NTRU Prime and NTRU LPRime), and SIKE. We show the following results:

* NTRU is anonymous in the quantum random oracle model (QROM) if the underlying deterministic PKE is strongly disjoint-simulatable. NTRU is collision-free in the QROM. A hybrid PKE scheme constructed from NTRU as KEM and appropriate DEM is anonymous and robust. Similar results hold for BIKE, FrodoKEM, HQC, NTRU LPRime, and SIKE.

* Classic McEliece is anonymous in the QROM if the underlying PKE is strongly disjoint-simulatable and a hybrid PKE scheme constructed from it as KEM and appropriate DEM is anonymous.

* Grubbs, Maram, and Paterson pointed out that Kyber and Saber has a gap in the current IND-CCA security proof in the QROM (Cryptography ePrint Archive 2021/708). We found that Streamlined NTRU Prime has another technical obstacle for the IND-CCA security proof in the QROM.

Those answer the open problem to investigate the anonymity and robustness of NIST PQC Round-3 KEMs posed by Grubbs, Maram, and Paterson (Cryptography ePrint Archive 2021/708).

We use strong disjoint-simulatability of the underlying PKE of KEM and strong pseudorandomness and smoothness of KEMs, which will be of independent interest.

Category / Keywords: public-key cryptography / anonymity, robustness, post-quantum cryptography, NIST PQC standardization, KEM, PKE

Date: received 30 Sep 2021, last revised 8 Oct 2021

Contact author: keita xagawa zv at hco ntt co jp

Available format(s): PDF | BibTeX Citation

Note: This paper supersedes Correct minor typos.

Version: 20211008:041217 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]