SMAUG-T: Post-Quantum Key Encapsulation Mechanism

SMAUG-T is an efficient post-quantum key encapsulation mechanism (KEM) whose security is based on the hardness of the lattice problems, Module-Learning-with-Errors (MLWE) and Module-Learning-with-Roundings (MLWR). SMAUG-T enjoys a conservative secret key security relying on the MLWE problem and an efficient ephemeral key generation relying its security on the MLWR problem. SMAUG-T follows the recent approaches in designing the post-quantum-secure KEMs in the Quantum Random Oracle Model (QROM) while maintaining efficiency. An additional parameter set TiMER (Tiny sMaug using Error Reconciliation) is newly proposed targetting security level 1, which exploits D2 encoding for lower decryption failure probability. 

Design rationale

Fujisaki-Okamoto transform

SMAUG-T achieves its quantum security based on the Fujisaki-Okamoto (FO) transform applied to the IND-CPA secure PKE SMAUG-T.PKE. SMAUG-T follows an efficient FO transform with decryption failures, recently introduced [HHM22].  

Advantages from MLWE + MLWR

SMAUG-T conservatively bases its secret key security on the MLWE problem for its long-term security, while the ephemeral key is delivered via a more efficient MLWR-based method. This can be viewed as an adaptation of (R)Lizard to modules. 

Sparse secret over modules

By using the module structure (as in Kyber and Saber) and sparse secret (as in homomorphic encryptions), SMAUG-T achieves faster running time with a smaller ciphertext size simultaneously. 


The performance of reference implementation is given as follows. All benchmarks were obtained on one core of an Intel Core i7-10700k (3.80GHz), with TurboBoost and hyperthreading disabled. All cycle counts reported are the median of the cycle counts of 1,000 executions of the respective functions. 

The decryption failure probability (DFP) of the underlying PKE is given in logarithm base two. 

TiMER (for IoT)





The most up-to-date resource files can be found here, the public GitHub repository for SMAUG. 

Specifications and Implementations


Jung Hee Cheon, Hyeongmin Choe, Dongyeon Hong, MinJune Yi, In Selected Areas in Cryptography – SAC 2023. SAC 2023. [eprint] [doi]

Seunghwan Park, Chi-Gon Jung, Aesun Park, Joongeun Choi, Honggoo Kang [eprint]


Team SMAUG-T consists of the members of Team SMAUG and Team TiGER from KpqC Round 1, and some additional members:

Seoul National Univ. (KR)

CryptoLab Inc. (KR)

Jung Hee Cheon

Hyoeun Seong

Junbum Shin

Ministry of National Defense (KR)

Jeongdae Hong

Defense Counter-intelligence Command (KR)

 Joongeun Choi

Chi-Gon Jung

Honggoo Kang

Janghyun Lee (from KpqC round 2)

Seonghyuck Lim (from KpqC round 2)

Aesun Park

Seunghwan Park

The Affiliated Institute of ETRI (KR)

Dongyeon Hong

In KpqC round 1, MineJune Yi was also in Team SMAUG.