SMAUG-T: Post-Quantum Key Encapsulation Mechanism

SMAUG-T is an efficient post-quantum key encapsulation mechanism (KEM) whose security is based on the hardness of the lattice problems, Module-Learning-with-Errors (MLWE) and Module Learning-with-Roundings (MLWR). SMAUG-T enjoys a conservative secret key security relying on the MLWE problem and an efficient ephemeral key generation relying its security on the MLWR problem. SMAUG-T follows the recent approaches in designing the post-quantum-secure KEMs in the Quantum Random Oracle Model (QROM) while maintaining efficiency. An additional parameter set, TiMER (Tiny sMaug using Error Reconciliation), is a newly proposed targetting security level 1, which exploits D2 encoding for lower decryption failure probability (DFP).

As a heads up, SMAUG-T will be updated in September with smaller sizes and lower DFPs. New samplers and secret distributions will be introduced to guarantee efficient and timing-secure implementation. We are almost at the final review stage before making the codes public.

Design rationale

Fujisaki-Okamoto transform

SMAUG-T achieves its quantum security based on the Fujisaki-Okamoto (FO) transform applied to the IND-CPA secure PKE SMAUG-T.PKE. SMAUG-T follows an efficient FO transform with decryption failures, recently introduced [HHM22].

Advantages from MLWE + MLWR

SMAUG-T conservatively bases its secret key security on the MLWE problem for its long-term security, while the ephemeral key is delivered via a more efficient MLWR-based method. This can be viewed as an adaptation of (R)Lizard to modules.

Sparse secret over modules

By using the module structure (as in Kyber and Saber) and sparse secret (as in homomorphic encryptions), SMAUG-T simultaneously achieves faster running time with a smaller ciphertext size.

Resources

The most up-to-date resource files can be found here, the public GitHub repository for SMAUG.

Specifications and Implementations

2024.10.04. v4.0 [spec] [code]
2024.02.23. v3.0 [spec] [code] (including AVX2 implementation)
2023.10.30. v2.0 [spec] [code] (including constant-time implementation)

2023.05.23. v1.0 [spec] [code]
2022.11.22. v0.9 [spec] [code] (from KpqC round 1 submission package)

Papers

SMAUG: Pushing Lattice-based Key Encapsulation Mechanisms to the Limits

Jung Hee Cheon, Hyeongmin Choe, Dongyeon Hong, MinJune Yi, In Selected Areas in Cryptography – SAC 2023. SAC 2023. [doi] [eprint]

TiGER: Tiny bandwidth key encapsulation mechanism for easy miGration based on RLWE(R)

Seunghwan Park, Chi-Gon Jung, Aesun Park, Joongeun Choi, Honggoo Kang [eprint]

Team SMAUG-T

Team SMAUG-T consists of the members of Team SMAUG and Team TiGER from KpqC Round 1, and some new members.

Jung Hee Cheon (Seoul National University (SNU) & CryptoLab Inc.)
Hyeongmin Choe (SNU)
Joongeun Choi (Defense Counter-intelligence Command (DCC))
Dongyeon Hong (Samsung Electronics)
Jeongdae Hong (Ministry of National Defense)
Chi-Gon Jung (DCC)
Honggoo Kang (DCC)

Janghyun Lee (DCC) **
Seonghyuck Lim (DCC) **
Aesun Park (DCC)
Seunghwan Park (DCC)
Jungjoo Seo (CryptoLab Inc.) ***
Hyoeun Seong (CryptoLab Inc.)
Junbum Shin (CryptoLab Inc.)

*In KpqC round 1, MineJune Yi (SNU, CryptoLab Inc.) was also in Team SMAUG.

**From KpqC round 2, Janghyun Lee and Seonghyuck Lim joined Team SMAUG-T.

***During KpqC round 2, Jungjoo Seo also joined Team SMAUG-T.