Paper 2021/1323
Anonymity of NIST PQC Round-3 KEMs
Keita Xagawa
Abstract
This paper investigates __anonymity__ of all NIST PQC Round-3 KEMs: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime (Streamlined NTRU Prime and NTRU LPRime), and SIKE. We show the following results: * NTRU is anonymous in the quantum random oracle model (QROM) if the underlying deterministic PKE is strongly disjoint-simulatable. NTRU is collision-free in the QROM. A hybrid PKE scheme constructed from NTRU as KEM and appropriate DEM is anonymous and robust. Similar results hold for BIKE, FrodoKEM, HQC, NTRU LPRime, and SIKE. * Classic McEliece is anonymous in the QROM if the underlying PKE is strongly disjoint-simulatable and a hybrid PKE scheme constructed from it as KEM and appropriate DEM is anonymous. * Grubbs, Maram, and Paterson pointed out that Kyber and Saber has a gap in the current IND-CCA security proof in the QROM (Cryptography ePrint Archive 2021/708). We found that Streamlined NTRU Prime has another technical obstacle for the IND-CCA security proof in the QROM. Those answer the open problem to investigate the anonymity and robustness of NIST PQC Round-3 KEMs posed by Grubbs, Maram, and Paterson (Cryptography ePrint Archive 2021/708). We use strong disjoint-simulatability of the underlying PKE of KEM and strong pseudorandomness and smoothness of KEMs, which will be of independent interest.
Note: This paper supersedes https://eprint.iacr.org/2021/741. Correct minor typos.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- anonymityrobustnesspost-quantum cryptographyNIST PQC standardizationKEMPKE
- Contact author(s)
- keita xagawa zv @ hco ntt co jp
- History
- 2022-09-22: last of 3 revisions
- 2021-10-05: received
- See all versions
- Short URL
- https://ia.cr/2021/1323
- License
-
CC BY