The in-depth study of quantum computers has threatened the traditional public key cryptography based on the discrete logarithm or large integer factor problem. National Institute of Standards and Technology (NIST) has announced a competition for the post-quantum cryptography from 2017, which hopes to select the post-quantum public key cryptography standard which can replace the traditional public key cryptography from the algorithms submitted worldwide. The lattice-based cryptography algorithms account for the largest proportion among the collected post-quantum cryptography algorithms. Lattice-based cryptography is one of the most promising post-quantum cryptography algorithms because of its advantages of resisting attacks from quantum algorithms, security reduction from "worst-case" to "average-case" for difficult problems, and simplicity of calculation. However, up to now, these lattice-based key encapsulation algorithms need de-randomization and error sampling. De-randomization refers to the conversion of the underlying probabilistic encryption algorithm into a deterministic algorithm by introducing the random oracle model, so as to realize the security reduction under the quantum random oracle model. Error sampling refers to discrete Gaussian sampling in modular space. In the lattice-based public key encryption, special algorithm design is usually required to meet the performance and security requirements of encryption algorithm. These two operations not only reduce the efficiency of the algorithm, but also increase the risk of the side channel attack. In this paper, we design and implement an efficient key encapsulation algorithm, which avoids the de-randomization and error sampling, from the lattice-based one-way trapdoor function. Then, we improve the efficiency of our key encapsulation mechanism (KEM) from the algorithm design. Concretely, we first optimize the lattice-based one-way trapdoor function for designing the KEM. Then, we construct the efficient KEM, which satisfies the indistinguishability security against chosen ciphertext attack (IND-CCA) in the quantum random oracle model (QROM), based on the optimizing one-way trapdoor function. Finally, we analyze the security of the KEM by attack methods, propose the practical parameters for the scheme, give a reference implementation and analyze the performance of our scheme.

• 单位
  信息安全国家重点实验室; 中国科学院大学