SMAUG-T: Post-Quantum Key Encapsulation Mechanism

SMAUG-T is an efficient post-quantum key encapsulation mechanism (KEM) whose security is based on the hardness of the lattice problems, Module-Learning-with-Errors (MLWE) and Module Learning-with-Roundings (MLWR). SMAUG-T enjoys a conservative secret key security relying on the MLWE problem and an efficient ephemeral key generation relying its security on the MLWR problem. SMAUG-T follows the recent approaches in designing the post-quantum-secure KEMs in the Quantum Random Oracle Model (QROM) while maintaining efficiency. An additional parameter set, TiMER (Tiny sMaug using Error Reconciliation), is a newly proposed targetting security level 1, which exploits D2 encoding for lower decryption failure probability (DFP).

As a heads up, SMAUG-T will be updated in September with smaller sizes and lower DFPs. New samplers and secret distributions will be introduced to guarantee efficient and timing-secure implementation. We are almost at the final review stage before making the codes public.

Design rationale

Fujisaki-Okamoto transform

SMAUG-T achieves its quantum security based on the Fujisaki-Okamoto (FO) transform applied to the IND-CPA secure PKE SMAUG-T.PKE. SMAUG-T follows an efficient FO transform with decryption failures, recently introduced [HHM22].

Advantages from MLWE + MLWR

SMAUG-T conservatively bases its secret key security on the MLWE problem for its long-term security, while the ephemeral key is delivered via a more efficient MLWR-based method. This can be viewed as an adaptation of (R)Lizard to modules.

Sparse secret over modules

By using the module structure (as in Kyber and Saber) and sparse secret (as in homomorphic encryptions), SMAUG-T simultaneously achieves faster running time with a smaller ciphertext size.

Resources

The most up-to-date resource files can be found here, the public GitHub repository for SMAUG.

Specifications and Implementations

2024.10.04. v4.0 [spec] [code]
2024.02.23. v3.0 [spec] [code] (including AVX2 implementation)
2023.10.30. v2.0 [spec] [code] (including constant-time implementation)

2023.05.23. v1.0 [spec] [code]
2022.11.22. v0.9 [spec] [code] (from KpqC round 1 submission package)

Papers

SMAUG: Pushing Lattice-based Key Encapsulation Mechanisms to the Limits

Jung Hee Cheon, Hyeongmin Choe, Dongyeon Hong, MinJune Yi, In Selected Areas in Cryptography – SAC 2023. SAC 2023. [doi] [eprint]

TiGER: Tiny bandwidth key encapsulation mechanism for easy miGration based on RLWE(R)

Seunghwan Park, Chi-Gon Jung, Aesun Park, Joongeun Choi, Honggoo Kang [eprint]

Team SMAUG-T

Team SMAUG-T consists of the members of Team SMAUG and Team TiGER from KpqC Round 1, and some additional members:

Seoul National Univ. (KR)

Jung Hee Cheon

Hyeongmin Choe

CryptoLab Inc. (KR)

Jung Hee Cheon

Hyoeun Seong

Junbum Shin

Jungjoo Seo (from KpqC round2)

Ministry of National Defense (KR)

Jeongdae Hong

Defense Counter-intelligence Command (KR)

Joongeun Choi

Chi-Gon Jung

Honggoo Kang

Janghyun Lee (from KpqC round 2)

Seonghyuck Lim (from KpqC round 2)

Aesun Park

Seunghwan Park

The Affiliated Institute of ETRI (KR)

Dongyeon Hong

In KpqC round 1, MineJune Yi was also in Team SMAUG.