SMAUG: Post-Quantum Key Encapsulation Mechanism
SMAUG is an efficient post-quantum key encapsulation mechanism (KEM) whose security is based on the hardness of two lattice problems, Module-Learning-with-Errors (MLWE) and Module-Learning-with-Roundings (MLWR). SMAUG combines conservative secret key security, which relies on the MLWE problem, with efficient ephemeral key generation, whose security relies on the MLWR problem. SMAUG follows recent approaches to designing post-quantum-secure KEMs in the Quantum Random Oracle Model (QROM) while maintaining its efficiency.
Design rationale
Fujisaki-Okamoto transform
SMAUG achieves its quantum security through the Fujisaki-Okamoto (FO) transform applied to the IND-CPA secure PKE SMAUG.PKE. SMAUG follows an efficient FO transform with decryption failures, recently introduced in [HHM22].
Advantages from MLWE + MLWR
SMAUG conservatively bases its secret key security on the MLWE problem for its long-term security, while the ephemeral key is delivered via a more efficient MLWR-based method. This can be viewed as an adaptation of (R)Lizard to modules.
Sparse secret over modules
By using the module structure (as in Kyber and Saber) and sparse secrets (as in homomorphic encryption), SMAUG achieves a faster running time and a smaller ciphertext size at the same time.
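A toy rank-1 illustration of the two design points above (LWE-style key generation with LWR-style encryption, and sparse ternary secrets), added here as an example; it is not SMAUG's code or specification. The ring degree, moduli, Hamming weights and all function names are assumptions chosen for readability, and the seeded `random` PRNG stands in for a cryptographic sampler.

```python
import random

N, Q, P = 16, 1024, 256   # toy ring degree and moduli (assumed; NOT SMAUG's parameters)
HS, HR = 4, 4             # Hamming weights of the sparse ternary secrets s and r

def sparse_ternary(rng, weight):
    """Sparse secret stored as {index: +1 or -1}; all other coefficients are 0."""
    return {i: rng.choice((1, -1)) for i in rng.sample(range(N), weight)}

def mul_sparse(a, s, mod):
    """a*s in Z_mod[x]/(x^N + 1): one signed rotation of a per nonzero of s."""
    out = [0] * N
    for j, sign in s.items():
        for i, ai in enumerate(a):
            if i + j < N:
                out[i + j] += sign * ai
            else:                      # x^N = -1: wrapped terms change sign
                out[i + j - N] -= sign * ai
    return [c % mod for c in out]

def scale_round(x):
    """Deterministic rounding from Z_Q to Z_P; this replaces sampled noise (LWR)."""
    return ((x * P + Q // 2) // Q) % P

def keygen(rng):
    """LWE-style long-term key: b = -a*s + e with explicit small noise e."""
    s = sparse_ternary(rng, HS)
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(N)]
    b = [(ei - x) % Q for x, ei in zip(mul_sparse(a, s, Q), e)]
    return (a, b), s

def encrypt(pk, bits, rng):
    """LWR-style ephemeral part: no noise is sampled, only r and rounding."""
    a, b = pk
    r = sparse_ternary(rng, HR)
    c1 = [scale_round(x) for x in mul_sparse(a, r, Q)]
    br = mul_sparse(b, r, Q)
    c2 = [scale_round((x + (Q // 2) * m) % Q) for x, m in zip(br, bits)]
    return c1, c2

def decrypt(s, ct):
    c1, c2 = ct
    v = [(x + y) % P for x, y in zip(mul_sparse(c1, s, P), c2)]
    return [((2 * x + P // 2) // P) % 2 for x in v]   # nearest multiple of P/2

if __name__ == "__main__":
    rng = random.Random(2023)          # seeded PRNG for a reproducible demo only
    pk, sk = keygen(rng)
    msg = [rng.randrange(2) for _ in range(N)]
    print(decrypt(sk, encrypt(pk, msg, rng)) == msg)
```

With these toy values the accumulated decryption error is at most 3.5 per coefficient against a threshold of P/4 = 64, so decryption never fails here. Each multiplication costs only weight × N additions or subtractions, which is where the sparse secret saves time.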
Performance
All benchmarks were obtained on one core of an Intel Core i7-10700k, with TurboBoost and hyperthreading disabled. All cycle counts reported are the median of the cycle counts of 1,000 executions of the respective functions.
The decryption failure probability (DFP) of the underlying PKE is given in logarithm base two.
SMAUG-128
SMAUG-192
SMAUG-256
Resources
The resource files can be found here, the public GitHub repository for SMAUG.
Papers
SMAUG: Pushing Lattice-based Key Encapsulation Mechanisms to the Limits
Jung Hee Cheon, Hyeongmin Choe, Dongyeon Hong, MinJune Yi, In Selected Areas in Cryptography 2023. [eprint]
Team SMAUG
The SMAUG team consists of the following members (KpqC 1st round).
Seoul National Univ. (KR)
CryptoLab Inc. (KR)
Ministry of National Defense (KR)
Jeongdae Hong