LEDAcrypt: Low-dEnsity parity-check coDe-bAsed cryptographic systems Specification revision 3:0 { April, 2020 Name of the proposed cryptosystem LEDAcrypt (Low-dEnsity parity-check coDe-bAsed cryptographic systems) Submitters This submission is from the following team, listed in alphabetical order: • Marco Baldi, Universit`aPolitecnica delle Marche, Ancona, Italy • Alessandro Barenghi, Politecnico di Milano, Milano, Italy • Franco Chiaraluce, Universit`aPolitecnica delle Marche, Ancona, Italy • Gerardo Pelosi, Politecnico di Milano, Milano, Italy • Paolo Santini, Universit`aPolitecnica delle Marche, Ancona, Italy E-mail addresses: [email protected], [email protected], [email protected], [email protected], [email protected]. Contact telephone and address Marco Baldi (phone: +39 071 220 4894), Universit`aPolitecnica delle Marche, Dipartimento di Ingegneria dell'Informazione (DII), Via Brecce Bianche 12, I-60131, Ancona, Italy. Names of auxiliary submitters There are no auxiliary submitters. The principal submitter is the team listed above. Name of the inventors/developers of the cryptosystem Same as submitters. Name of the owner, if any, of the cryptosystem Same as submitters. Backup contact telephone and address Gerardo Pelosi (phone: +39 02 2399 3476), Politecnico di Milano, Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Via G. Ponzio 34/5, I-20133, Milano, Italy. Signature of the submitter1 × 1See also printed version of \Statement by Each Submitter". LEDAcrypt Page 3 Contents Foreword 9 1 Complete written specification 11 1.1 Preliminaries . 11 1.1.1 Finite fields and circulant matrix algebra . 11 1.1.2 Quasi-cyclic low-density parity-check codes and their efficient decoding . 15 1.1.3 Classic code-based cryptosystems . 19 1.2 QC-LDPC code-based McEliece and Niederreiter cryptosystems . 21 1.3 Description of LEDAcrypt Key Encapsulation Methods . 27 1.3.1 LEDAcrypt-KEM: encapsulation and decapsulation algorithms . 27 1.3.2 LEDAcrypt-KEM-CPA: encapsulation and decapsulation algorithms . 30 1.4 Description of LEDAcrypt Public Key Cryptosystem . 32 1.4.1 LEDAcrypt-PKC: encryption and decryption transformations . 32 1.4.2 Constant weight encoding/decoding . 36 2 Security analysis of LEDAcrypt 37 2.1 Quantitative security level goals . 37 2.2 Hardness of the underlying problem . 39 2.3 Attacks based on information set decoding . 40 2.3.1 Key recovery attacks via codeword finding . 41 2.4 Attacks based on weak keys . 43 2.5 Attacks based on exhaustive key search . 43 2.6 Attacks based on the receiver's reactions . 44 2.7 Side channel attacks . 45 4 LEDAcrypt 3 Decoders for LEDAcrypt 46 3.1 Preliminary analyses . 50 3.2 Residual distribution of the mis-matches between the sought error vector and the input estimated one after the execution of a single in-place iteration function . 53 3.3 Residual distribution of the mis-matches between the sought error vector and the input estimated one after the execution of a single out-of-place iteration function . 60 3.4 Maximum number of mismatches corrected with certainty by executing either an in-place or an out-of-place iteration function . 64 3.4.1 Efficient computation of Γ and µ(t)........................ 66 3.5 Efficient choice of out-of place decoder thresholds for the numerically simulated DFR of LEDAcrypt-KEM-CPA . 69 4 LEDAcrypt code parameters from a security standpoint 72 4.1 Parameters for LEDAcrypt-KEM and LEDAcrypt-PKC . 76 4.2 Parameters for LEDAcrypt-KEM-CPA . 82 5 Optimized LEDAcrypt Implementation 84 5.1 Selection of the LEDAdecoder strategy . 85 5.2 Binary Polynomial Multiplications . 88 5.2.1 Selection of Polynomial Multiplication Algorithms . 90 5.3 Optimized Out-Of-Place Iteration Function . 93 5.4 Binary Polynomial Inversion . 96 5.4.1 Schoolbook Euclid's Algorithm . 96 5.4.2 Optimized Polynomial Inversions . 98 5.4.3 Experimental Evaluation . 105 5.5 Parameter Tuning for LEDAcrypt-KEM-CPA . 108 6 LEDAcrypt performance evaluation and recommended parameters 111 6.1 Key-lengths, ciphertext and transmitted data sizes . 111 6.2 Performance evaluation considering execution times in milliseconds . 115 6.3 Performance evaluation considering execution times in clock cycles and their combi- nation with the size of transmitted data . 118 6.4 Recommended parameters . 121 Page 5 LEDAcrypt 6.4.1 Recommended parameters for LEDAcrypt-KEM-CPA . 121 6.4.2 Recommended parameters for the IND-CCA2 LEDAcrypt-KEM and LEDAcrypt-PKC systems . 122 Bibliography 124 A Deriving the bit-flipping probabilities for the in-place iteration function of the LEDAdecoder 130 Page 6 Acronyms ASIC Application-Specific Integrated Circuit BF Bit Flipping BQP Bounded-error Quantum Polynomial CFP Codeword Finding Problem DFR Decoding Failure Rate DRBG Deterministic Random Bit Generator GE Gate Equivalent GRS Generalized Reed-Solomon IND-CCA2 Indistinguishability Under Adaptive Chosen Ciphertext Attack IND-CPA Indistinguishability Under Chosen Plaintext Attack ISD Information Set Decoding KDF Key Derivation Function KEM Key Encapsulation Module KEM+DEM Key Encapsulation Module + Data Encapsulation Mechanism KI Kobara-Imai LDPC Low-Density Parity-Check NP Nondeterministic-Polynomial OW-CPA One Wayness against Chosen Plaintext Attack PFS Perfect Forward Secrecy PKE Public-Key Encryption PRNG Pseudo Random Number Generator QC Quasi-Cyclic QC-LDPC Quasi-Cyclic Low-Density Parity-Check 7 LEDAcrypt ROM Random Oracle Model SDP Syndrome Decoding Problem TM Turing Machine TRNG True Random Number Generator XOF Extensible Output Function Page 8 Foreword This document provides a complete and detailed specification of the post-quantum cryptographic primitives named LEDAcrypt (Low-dEnsity parity-check coDe-bAsed cryptographic systems), sub- mitted to the 2nd round of the NIST post-quantum contest [1] and resulting from the merger between the LEDAkem and LEDApkc proposals submitted to the 1st round of the contest [54]. LEDAcrypt provides a set of cryptographic primitives based on binary linear error-correcting codes. In particular, the following cryptographic primitives are proposed: i. An IND-CCA2 key encapsulation method, named LEDAcrypt-KEM. ii. An IND-CCA2 public key encryption scheme, named LEDAcrypt-PKC. iii. An IND-CPA key encapsulation method optimized for use in an ephemeral key scenario, while providing resistance against accidental key reuse, named LEDAcrypt-KEM-CPA. LEDAcrypt exploits the advantages of relying on Quasi-Cyclic Low-Density Parity-Check (QC-LDPC) codes to provide high decoding speeds and compact key pairs [6]. In particular: i. We present a theoretical model to provide sound upper bounds to the probability of a de- cryption failure of the underlying Niederreiter/McEliece encryption schemes, when employing QC-LDPC codes as the code family of choice. ii. We employ the constructions provided by [39, 45] to attain provable IND-CCA2 guarantees in the proposed LEDAcrypt-KEM and LEDAcrypt-PKC primitives, respectively. iii. We propose a method to allow the use of the classic definition of Decoding Failure Rate (DFR) from coding theory as a proxy for the notion of δ-correctness required by the construction in [39] for IND-CCA2 KEMs, under the assumption of a preimage resistant extensible output function (XOF) being available. iv. We provide three choices for the rate of the underlying QC-LDPC codes, and two choices of DFR for each security category specified by NIST. We highlight the engineering tradeoffs between key size, overall transmitted data, and execution time. v. We employ a reproducible parameter design procedure relying on finite-regime estimates of the computational effort required to carry out attacks against LEDAcrypt and jointly optimize the parameters for security and DFR. vi. We provide a constant time software implementation for the proposed LEDAcrypt-KEM and LEDAcrypt-PKC, optimized for the Intel Haswell Instruction Set Architecture, which exploits the presence of the Intel AVX2 instruction set extension. 9 LEDAcrypt The main innovations with respect to the second round specification are as follows: • We propose, and analyze from the DFR standpoint two decoding strategies, namely in-place and out-of-place Bit Flipping (BF) decoding. We provide closed form worst case estimates for the DFR of both of them, under consolidated assumptions from the literature on iteratively decoded codes. Our worst-case estimates for the DFR allow us to match the requirements for an IND-CCA2 construction with the choice of either one of the decoding strategies. Our models for the worst case behaviour of the DFR consider a finite number of decoder iterations, enabling the constant time implementation of the decoder. In particular, we choose to consider BF decoders with two iterations for performance reasons. • We provide an IND-CCA2 construction for LEDAcrypt-KEM which allows employing the common DFR notion from the coding theory lexicon, matching it with the requirement of the δ-correctness from the [39] proofs, and we provide a proof of its IND-CCA2 guarantees, under the (provided) bounded DFR of the employed QC-LDPC code. • A recent attack [2] highlighted that the product structure of the secret key matrix, HQ, can be exploited to lower the security margin provided by LEDAcrypt. We adopt a conservative solution, that is consider Q = I, removing the effects of the product structure altogether. A brief justification of this rationale is provided in Section 2.4, from which the current specifica- tion assumes that the secret key is a randomly drawn block circulant matrix H. While making this choice reduces the speed advantages coming from the performance-oriented criterion of using of a product-based secret key, we consider the importance of the security of the scheme paramount with respect to the speed gains. • New parameterizations for LEDAcrypt instances considering the case Q = I are provided. In addition to the previous specification, we also provide parameters for all the code rates 1 2 3 ( 2 ; 3 ; 4 ) also for the case of IND-CCA2 primitives. The parameters are obtained through a joint optimization of the circulant matrix size p, the error weight t and the column weight of the parity-check matrix v.