Paper 2021/1323

Anonymity of NIST PQC Round-3 KEMs

Keita Xagawa

Abstract

This paper investigates __anonymity__ of all NIST PQC Round-3 KEMs: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime (Streamlined NTRU Prime and NTRU LPRime), and SIKE. We show the following results: * NTRU is anonymous in the quantum random oracle model (QROM) if the underlying deterministic PKE is strongly disjoint-simulatable. NTRU is collision-free in the QROM. A hybrid PKE scheme constructed from NTRU as KEM and appropriate DEM is anonymous and robust. Similar results hold for BIKE, FrodoKEM, HQC, NTRU LPRime, and SIKE. * Classic McEliece is anonymous in the QROM if the underlying PKE is strongly disjoint-simulatable and a hybrid PKE scheme constructed from it as KEM and appropriate DEM is anonymous. * Grubbs, Maram, and Paterson pointed out that Kyber and Saber has a gap in the current IND-CCA security proof in the QROM (Cryptography ePrint Archive 2021/708). We found that Streamlined NTRU Prime has another technical obstacle for the IND-CCA security proof in the QROM. Those answer the open problem to investigate the anonymity and robustness of NIST PQC Round-3 KEMs posed by Grubbs, Maram, and Paterson (Cryptography ePrint Archive 2021/708). We use strong disjoint-simulatability of the underlying PKE of KEM and strong pseudorandomness and smoothness of KEMs, which will be of independent interest.

Note: This paper supersedes https://eprint.iacr.org/2021/741. Correct minor typos.