Comparing proofs of security for lattice-based encryption (PowerPoint PPT Presentation)

SLIDE 1

Comparing proofs of security for lattice-based encryption
Daniel J. Bernstein

Primary objective of this paper: Make a complete plan for thorough security reviews of 36 target KEMs.

Much harder: Do the reviews! Complete plan is framework to evaluate which pieces are done, and to coordinate further efforts. KEMs vary in what’s needed.

SLIDE 2

The target KEMs (all proposed for wide deployment, IND-CCA2):

  • frodo 640, 976, 1344.
  • kyber 512, 768, 1024.
  • lac 128, 192, 256.
  • newhope 512, 1024.
  • ntru hps2048509, hps2048677, hps4096821, hrss701.
  • ntrulpr 653, 761, 857.
  • round5n1 1, 3, 5.
  • round5nd 1.0d, 3.0d, 5.0d, 1.5d, 3.5d, 5.5d.
  • saber light, main, fire.
  • sntrup 653, 761, 857.
  • threebears baby, mama, papa.

SLIDE 3

One categorization of the KEMs:

  • frodo: Product NTRU.
  • kyber: Product NTRU.
  • lac: Product NTRU.
  • newhope: Product NTRU.
  • ntru: Quotient NTRU.
  • ntrulpr: Product NTRU.
  • round5n1: Product NTRU.
  • round5nd: Product NTRU.
  • saber: Product NTRU.
  • sntrup: Quotient NTRU.
  • threebears: Product NTRU.

SLIDE 4

An oversimplified plan

Plan: Verify the security proofs; make sure there are no mistakes.

Why verification is important: e.g., Asiacrypt 2004 Rogaway “OCB2” was standardized in 2009, completely broken in 2018. The attack exploited a proof error.

I did some sanity checks (tiny part of full verification!) and found unproven theorems claimed by frodo, round5n1, round5nd, saber; also wrong hypotheses for newhope theorem.

SLIDE 5

Strategy to eliminate proof errors: explain all of the target proofs to a thoroughly audited program that completely verifies proofs.

My assessment of this strategy:

  • Status today: ≈0% completed.
  • Progress is painful and slow. Will we even reach 1% before post-quantum standardization?
  • Easier-to-use proof tools could make strategy work.

Backup strategies: Clean up proofs. Check proofs by hand. Track bug categories, as in code.

SLIDE 6

Why call this “oversimplified”? What “security proofs” prove is not actually security. Even with correct proofs, there are still risks of attacks. We all rely on cryptanalysis for analyzing remaining risks.

Revised plan:

  1. Verify the “security proofs”.
  2. Verify the cryptanalysis of the risks left by the proofs.

Again clean up; check by hand; track failure categories.

SLIDE 7

  • Are attack-cost analyses correct?
  • How thorough is exploration of space of optimizations?
  • How thorough is the study of claimed barriers to speedups that work for similar problems?
  • Do the cryptanalytic targets match the proof risks?
  • etc.

Long history of failures: e.g.,

  • NSA overstated DES attack cost;
  • L(1/2) optimality conjecture for factorization was wrong;
  • TLS Triple-DES-CBC was broken without Triple-DES attack;
  • etc.

SLIDE 8

Why bother with proofs? Plan without proofs is simpler: Verify cryptanalysis of the KEMs.

But sometimes the proofs reduce cost of cryptanalysis. Sometimes this outweighs cost to verify proofs: reduces cost of thorough security review. Hopefully less chance of disaster.

This paper’s verification plan skips proofs that clearly fail to reduce cost of cryptanalysis: e.g., frodo seed “reduction”.

SLIDE 9

Risks not ruled out by proofs

A “security proof” guarantees security level λ for system X against all attacks of type T assuming security level λ′ for underlying problem P.

  • Risk #1: P does not reach security level λ′.
  • Risk #2 (looseness): λ is below claimed security level of X.
  • Risk #3: There are faster attacks outside type T.
  • Risk #4: Proof is incorrect.
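An added worked illustration of Risk #2 (looseness), not part of the original slides; the conventions below are assumptions made here. Take “security level λ” to mean that every attack of cost t succeeds with probability at most t/2^λ, and suppose the proof’s reduction turns any type-T attack of cost t on X into an attack of about the same cost on P while losing a factor L in success probability (L stands for whatever tightness gap the particular proof has, e.g. the number of hash queries the attacker may make). Then

$$
\mathrm{Adv}^{T}_{X}(t)\;\le\;L\cdot\mathrm{Adv}_{P}(t)\;\le\;L\cdot\frac{t}{2^{\lambda'}}\;=\;\frac{t}{2^{\lambda'-\log_2 L}},
\qquad\text{so}\qquad
\lambda \;=\; \lambda' - \log_2 L .
$$

With λ′ = 128 and L = 2^64 the proof guarantees only λ = 64 for X against type-T attacks; if X claims 128, the missing 64 bits are exactly what step 2 of the revised plan (verify the cryptanalysis of the risks left by the proofs) has to cover. If the reduction also inflates running time, so that the attack on P costs c·t rather than t, the same calculation loses a further log₂ c bits: λ = λ′ − log₂ L − log₂ c.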

10

Targets for lattice cryptanalysis

Attack OW-Passive (“OW-CPA”) security of the 36 core PKEs. For some targets: Attack IND-CPA security of core PKEs. For some targets: Attack pseudorandom multipliers. For some targets: KEM proofs are loose. Find faster attacks. Also, some KEM “proofs” rely on unproven conjectures. For all targets: KEM proofs allow non-ROM attacks.

11

The core PKEs (“P”)

Key generation:

  • Table 8.6: Public multiplier G.
  • Table 8.7: Short secret a.
  • Table 8.8: Public A ≈ aG.

Encryption: Short secret b; public ciphertext B ≈ Gb (or B ≈ Gb/3 or B ≈ 3Gb). That’s it for Quotient NTRU. More for Product NTRU:

  • Table 8.9: Public C ≈ Ab + M.
  • Table 8.10: Secret M.
12

OW-Passive vs. IND-CPA (“dist”)

Quotient NTRU (ntru, sntrup) asks for OW-Passive cryptanalysis. 2003 Naor: this is “falsifiable”. Product NTRU (ntrulpr and systems not named after NTRU) asks for IND-CPA cryptanalysis. Lower security than OW-Passive? Only “somewhat falsifiable”. Compare 2006 Goldreich: “What concerns us about” DDH is that “DDH is less simple than DH” making it “harder to evaluate.”

13

Pseudorandom multipliers (“ROM2”)

Product NTRU: convert core PKE into PKE that builds multiplier G pseudorandomly from public seed. saber, round5n1, round5nd claim that this provably preserves security assuming PRG/PRF. I dispute this. Need non-ROM cryptanalysis for all these PKEs. Proofs cover only ROM attacks. Must modify theorem statements. frodo seed “reduction”: Useless. Still need non-ROM cryptanalysis.

14

More hashing (“ROM”)

Want the target KEMs to provide IND-CCA2 security. The proofs don’t give this, even assuming security of the underlying PKEs. The proofs are limited to ROM IND-CCA2 attacks. Issue for Product NTRU and for Quotient NTRU. For all target KEMs, need non-ROM IND-CCA2 cryptanalysis.

15

Decryption failures (“fail”/“conj”)

2017 Hofheinz–Hövelmanns–Kiltz proofs do not rule out ROM IND-CCA2 attacks with probability Qδ, even if the PKEs are secure. Q: number of hash calls. δ: failure probability. δ = 0 proven for 10 KEMs: ntru, ntrulpr, sntrup. (Also, simpler ROM IND-CCA2 proof.) frodo640, kyber512 prove δ ≤ 2^-128 with security goal 2^128. frodo976 proves δ ≤ 2^-192.

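As an added worked example (not code from the paper or from any of the 36 KEMs), here is a toy Product-NTRU-style core PKE following Tables 8.6–8.10 on slide 11, with the multiplier G expanded from a public seed as in the “ROM2” step of slide 13, plus a Monte-Carlo estimate of the decryption-failure probability δ that the Hofheinz–Hövelmanns–Kiltz bound on slide 15 takes as input. Ring size, modulus and noise widths are constructed toy values, and SHAKE-128 stands in for the PRG; the scheme is not any submission's parameter set.

```python
"""Toy Product-NTRU-style core PKE ("P") over Z_q[x]/(x^n - 1), with a
Monte-Carlo estimate of the decryption-failure probability delta.
Added illustration for this page, not code from the paper or from any
of the 36 KEMs; every parameter below is a constructed toy value."""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    n: int = 16            # ring dimension (toy; real KEMs use hundreds)
    q: int = 257           # modulus; lower it (e.g. q=61) and delta grows
    secret_bound: int = 1  # "short" secrets a, b have coefficients in [-1, 1]
    noise_bound: int = 2   # errors hidden in A, B, C have coefficients in [-2, 2]


def poly_mul(f, g, p):
    """Cyclic convolution, i.e. multiplication in Z_q[x]/(x^n - 1)."""
    h = [0] * p.n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = (i + j) % p.n
            h[k] = (h[k] + fi * gj) % p.q
    return h


def poly_add(f, g, p):
    return [(x + y) % p.q for x, y in zip(f, g)]


def poly_sub(f, g, p):
    return [(x - y) % p.q for x, y in zip(f, g)]


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def small_poly(rng, bound, p):
    return [rng.randint(-bound, bound) % p.q for _ in range(p.n)]


def multiplier_from_seed(seed, p):
    """Table 8.6 / "ROM2": public multiplier G expanded from a public seed.
    SHAKE-128 stands in for the PRG; treating this expansion as a random
    oracle is exactly the modelling step the ROM2 proofs rely on."""
    stream = hashlib.shake_128(seed).digest(2 * p.n)
    return [int.from_bytes(stream[2 * i:2 * i + 2], "big") % p.q
            for i in range(p.n)]


def keygen(rng, p):
    """Tables 8.6-8.8: G from seed, short secret a, public A = aG + e."""
    seed = bytes(rng.getrandbits(8) for _ in range(16))
    g = multiplier_from_seed(seed, p)
    a = small_poly(rng, p.secret_bound, p)
    e = small_poly(rng, p.noise_bound, p)
    return (seed, poly_add(poly_mul(a, g, p), e, p)), a


def encrypt(pk, bits, rng, p):
    """Tables 8.9-8.10: short secret b, public B = Gb + e', public
    C = Ab + M + e''; M encodes one bit per coefficient as bit * (q//2)."""
    seed, big_a = pk
    g = multiplier_from_seed(seed, p)
    b = small_poly(rng, p.secret_bound, p)
    big_b = poly_add(poly_mul(g, b, p), small_poly(rng, p.noise_bound, p), p)
    m = [(bit * (p.q // 2)) % p.q for bit in bits]
    big_c = poly_add(poly_add(poly_mul(big_a, b, p), m, p),
                     small_poly(rng, p.noise_bound, p), p)
    return big_b, big_c


def decrypt(a, ct, p):
    """C - aB = M + (eb - ae' + e''): the bracket is small, so rounding each
    coefficient to the nearer of 0 and q/2 recovers M unless the accumulated
    noise exceeds q/4. Those rare events are the decryption failures."""
    big_b, big_c = ct
    v = poly_sub(big_c, poly_mul(a, big_b, p), p)
    return [1 if abs(centered(x, p.q)) > p.q // 4 else 0 for x in v]


def estimate_delta(trials, p=Params(), seed=1):
    """Empirical delta: fraction of honest (key, ciphertext) pairs that
    decrypt wrongly. Real submissions bound delta analytically; the HHK-style
    KEM proof consumes that bound as an input, it does not produce it."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        pk, sk = keygen(rng, p)
        bits = [rng.randint(0, 1) for _ in range(p.n)]
        if decrypt(sk, encrypt(pk, bits, rng, p), p) != bits:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    # Same scheme, two moduli: delta is a property of the parameter set.
    print("delta at q=257:", estimate_delta(2000))
    print("delta at q=61: ", estimate_delta(2000, Params(q=61)))
```

With q=257 the bounded noise never reaches q/4, so δ is observed as 0; with q=61 the same scheme fails on a sizeable fraction of ciphertexts, which is the kind of gap between a security goal 2^k and an unproven δ ≤ 2^-k that the next slide counts.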
16

The other 23 KEMs: Security goal 2^k without proof that δ ≤ 2^-k. So need CCA cryptanalysis. Main issues in these 23 KEMs:

  • 14 KEMs do not claim that δ is small enough.
  • 15 KEMs conjecture δ ≤ · · · without claiming proof.
  • 5 KEMs have proofs but do not clearly use correct δ definition. (LEDA uses wrong definition.)

slide-92
SLIDE 92

15

Decryption failures (“fail”/“conj”) Hofheinz–H¨

  • velmanns–Kiltz

do not rule out ROM IND- attacks with probability Q‹, if the PKEs are secure. number of hash calls. failure probability. proven for 10 KEMs: ntrulpr, sntrup. (Also, simpler ROM IND-CCA2 proof.) frodo640, kyber512 prove

128 with security goal 2128.

frodo976 proves ‹ ≤ 2−192.

16

The other 23 KEMs: Security goal 2k without proof that ‹ ≤ 2−k. So need CCA cryptanalysis. Main issues in these 23 KEMs:

  • 14 KEMs do not claim

that ‹ is small enough.

  • 15 KEMs conjecture ‹ ≤ · · ·

without claiming proof.

  • 5 KEMs have proofs but do not

clearly use correct ‹ definition. (LEDA uses wrong definition.) What ab Consider for each

slide-93
SLIDE 93

15

failures (“fail”/“conj”) Hofheinz–H¨

  • velmanns–Kiltz

rule out ROM IND- with probability Q‹, PKEs are secure. hash calls. robability. 10 KEMs:

  • sntrup. (Also,

IND-CCA2 proof.) kyber512 prove security goal 2128. roves ‹ ≤ 2−192.

16

The other 23 KEMs: Security goal 2k without proof that ‹ ≤ 2−k. So need CCA cryptanalysis. Main issues in these 23 KEMs:

  • 14 KEMs do not claim

that ‹ is small enough.

  • 15 KEMs conjecture ‹ ≤ · · ·

without claiming proof.

  • 5 KEMs have proofs but do not

clearly use correct ‹ definition. (LEDA uses wrong definition.) What about quantum Consider quantum for each cryptanalytic

slide-94
SLIDE 94

15

”/“conj”)

  • velmanns–Kiltz

ROM IND- robability Q‹, secure. KEMs: (Also, roof.) rove goal 2128.

192.

16

The other 23 KEMs: Security goal 2k without proof that ‹ ≤ 2−k. So need CCA cryptanalysis. Main issues in these 23 KEMs:

  • 14 KEMs do not claim

that ‹ is small enough.

  • 15 KEMs conjecture ‹ ≤ · · ·

without claiming proof.

  • 5 KEMs have proofs but do not

clearly use correct ‹ definition. (LEDA uses wrong definition.) What about quantum attacks? Consider quantum computers for each cryptanalytic target.

slide-95
SLIDE 95

16

The other 23 KEMs: security goal 2^k without proof that δ ≤ 2^−k. So need CCA cryptanalysis. Main issues in these 23 KEMs:

  • 14 KEMs do not claim that δ is small enough.

  • 15 KEMs conjecture δ ≤ · · · without claiming proof.

  • 5 KEMs have proofs but do not clearly use the correct δ definition. (LEDA uses the wrong definition.)



slide-97
SLIDE 97


17

What about quantum attacks? Consider quantum computers for each cryptanalytic target. When hashing is involved, analyze three types of attacks: (1) ROM attacks. (2) Non-ROM QROM attacks. (3) Non-QROM attacks.
Sometimes proofs eliminate #1. Ongoing efforts to extend proofs to similarly eliminate #2. Most QROM proofs are loose, but see 2019 Bindel–Hamburg–Hülsing–Persichetti.


slide-104
SLIDE 104


18

What about multi-user attacks? Each KEM has a quantitative claim of single-user security level. This claim implies a quantitative claim of U-user security; the U-user claim vs. the single-user claim: looseness factor U (the generic hybrid argument divides the single-user level by U). The only risks of this U-user security claim being broken come from the single-user security claim being broken. As far as I can tell, none of the target KEMs claim higher U-user security.