Skip to main content
SpringerLink
Log in

Formal Verification of Saber’s Public-Key Encryption Scheme in EasyCrypt

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13507))

Included in the following conference series:

Abstract

In this work, we consider the formal verification of the public-key encryption scheme of Saber, one of the selected few post-quantum cipher suites currently considered for potential standardization. We formally verify this public-key encryption scheme’s security and \(\delta \)-correctness properties, i.e., the properties required to transform the public-key encryption scheme into an secure and \(\delta \)-correct key encapsulation mechanism, in EasyCrypt. To this end, we initially devise hand-written proofs for these properties that are significantly more detailed and meticulous than the presently existing proofs. Subsequently, these hand-written proofs serve as a guideline for the formal verification. The results of this endeavor comprise hand-written and computer-verified proofs which demonstrate that Saber’s public-key encryption scheme indeed satisfies the desired security and correctness properties.

Andreas Hülsing and Matthias Meijers are funded by an NWO VIDI grant (Project No. VI.Vidi.193.066). At the time of writing, Pierre-Yves Strub was at Institut Polytechnique de Paris, France, and was partially supported by the ERC Advanced Grant Procontra (ID: 885666). Date: 2022-07-31

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Although the original paper of Saber states that Saber’s KEM is constructed through this variant, the specification of Saber’s KEM shows that, technically, a subtly different transform has been used [10, 11].

  2. 2.

    Note that the message \(m \in \{0,1\}^{n}\) is implicitly encoded as an element of \(R_{2}\) by dedicating a separate coefficient to each bit.

  3. 3.

    However, since then, these features have been implemented and integrated into EasyCrypt, making the formal verification of the validity of the random oracle model proofs in the quantum setting a potential objective for future work [4].

  4. 4.

    Notice that in \(\textrm{Game}_{\mathcal {R}^{\mathcal {A}}}^{3}\), the explicit modular reduction in \(v' + (\lfloor {m_{u}}\rfloor {_{2 \rightarrow p^2 / q}} \bmod p)\) is merely used to accentuate the interpretation of \(\lfloor {m_{u}}\rfloor {_{2 \rightarrow p^2 / q}}\) as an element of \(R_{p}\); that is, the modular reduction does not affect the actual value of \(m_u\).

  5. 5.

    In EasyCrypt, an operator denotes a mathematical function.

  6. 6.

    Nevertheless, albeit customary in hand-written cryptographic proofs, EasyCrypt currently does not provide the possibility to restrict the space or time complexity of module types.

  7. 7.

    Remark that the considered parameters of \(\textrm{Game}_{\mathcal {A}, \textsf{gen}, l, \mu , q, p}^{\textrm{GMLWR}}(u)\) are the same as the similarly named (function and) parameters of Saber; hence, these are already formalized outside of the module, see the foregoing discussion concerning the fundamental specification.

  8. 8.

    Analogously, there is a separate module type that formalizes the class of adversaries against \(\textrm{Game}_{\mathcal {A}}^{3}\) and \(\textrm{Game}_{\mathcal {A}}^{4}\).

  9. 9.

    This alternative specification is based on the alternative specification of Saber’s key exchange scheme presented in [9].

  10. 10.

    Recall that \(0< \epsilon _{t}+ 1< \epsilon _{p}< \epsilon _{q}\) and, hence, \(2 \le 2\cdot t< p < q\); as a consequence, \(\lfloor {\cdot }\rfloor {_{2 \rightarrow q}}\), \(\lfloor {\cdot }\rfloor {_{2\cdot t \rightarrow q}}\), and \(\lfloor {\cdot }\rfloor {_{p \rightarrow q}}\) effectively constitute left bit-shifts.

  11. 11.

    Actually, the definition we present and use is slightly different from, yet trivially equivalent to, the definition provided in [12]. Namely, the definition we utilize considers the success probability instead of the failure probability; this is the only difference with the definition from [12].

  12. 12.

    Similarly to the specification of \(\mathrm {Saber.{\textrm{PKE}}A}\), the definitions of these error terms are inspired by the error terms provided in [9].

  13. 13.

    Remark that this implies the transpose reduces to the identity function.

  14. 14.

    This suggests that the script merely approximates the actual correctness value. Nevertheless, if \(\textsf{gen}\) is adequately instantiated, i.e., its output distribution (closely) resembles the uniform distribution, this approximation is (almost) accurate.

  15. 15.

    The in the return statement is a technical consequence of the fact that certain PKE schemes may explicitly indicate decryption failure; nevertheless, this is irrelevant to the current discussion and, thus, can be ignored. Alternatively stated, we can regard the return statement as being .

References

  1. Almeida, J.B., Barbosa, M., Barthe, G., Grégoire, B., Koutsos, A., Laporte, V., Oliveira, T., Strub, P.-Y.: The last mile: high-assurance and high-speed cryptographic implementations. In: 2020 IEEE Symposium on Security and Privacy, pp. 965–982. IEEE Computer Society Press, May 2020

    Google Scholar 

  2. Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42

    Chapter  Google Scholar 

  3. Barbosa, M., Barthe, G., Bhargavan, K., Blanchet, B., Cremers, C., Liao, K., Parno, B.: SoK: computer-aided cryptography. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 777–795. IEEE Computer Society, May 2021

    Google Scholar 

  4. Barbosa, M., Barthe, G., Fan, X., Grégoire, B., Hung, S.-H., Katz, J., Strub, P.-Y., Wu, X., Zhou, L.: EasyPQC: verifying post-quantum cryptography. Cryptology ePrint Archive, Report 2021/1253 (2021)

    Google Scholar 

  5. Barthe, G., Crespo, J.M., Grégoire, B., Kunz, C., Zanella Béguelin, S.: Computer-aided cryptographic proofs. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 11–27. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32347-8_2

    Chapter  Google Scholar 

  6. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

    Chapter  Google Scholar 

  7. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random Oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

    Chapter  MATH  Google Scholar 

  8. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1773–1788. ACM Press, October/November 2017

    Google Scholar 

  9. D’Anvers, J.-P.: Design and security analysis of lattice-based post-quantum encryption. Ph.D. dissertation, KU Leuven Arenberg Doctoral School, May 2021

    Google Scholar 

  10. D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16

    Chapter  Google Scholar 

  11. Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G.: Faster Kyber and Saber via a generic Fujisaki-Okamoto transform for multi-user security in the QROM (2021)

    Google Scholar 

  12. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

    Chapter  MATH  Google Scholar 

  13. Hülsing, A., Meijers, M., Strub, P.-Y.: Formal verification of Saber’s public-key encryption scheme in EasyCrypt. Cryptology ePrint Archive, Paper 2022/351 (2022). https://eprint.iacr.org/2022/351

  14. Koblitz, N., Menezes, A.J.: Critical perspectives on provable security: fifteen years of “another look’’ papers. Adv. Math. Commun. 13(4), 517–558 (2019)

    Article  MathSciNet  Google Scholar 

  15. Lazar, D., Chen, H., Wang, X., Zeldovich, N.: Why does cryptographic software fail? A case study and open problems. In: Proceedings of 5th Asia-Pacific Workshop on Systems, APSys 2014, pp. 1–7. Association for Computing Machinery (2014)

    Google Scholar 

  16. Mosca, M.: Cybersecurity in an era with quantum computers: will we be ready? IEEE Security & Privacy 16(5), 38–41 (2018). https://doi.org/10.1109/MSP.2018.3761723

    Article  Google Scholar 

  17. Shor, P.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994)

    Google Scholar 

  18. Unruh, D.: Post-quantum verification of Fujisaki-Okamoto. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 321–352. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_11

    Chapter  Google Scholar 

  19. Yan, S.Y.: Quantum Attacks on Public-Key Cryptosystems, 1st edn. Springer, Boston (2013). https://doi.org/10.1007/978-1-4419-7722-9

    Book  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Eindhoven University of Technology, Eindhoven, The Netherlands

    Andreas Hülsing & Matthias Meijers

  2. Meta, Paris, France

    Pierre-Yves Strub

Authors
  1. Andreas Hülsing
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Matthias Meijers
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Pierre-Yves Strub
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matthias Meijers .

Editor information

Editors and Affiliations

  1. New York University, New York, NY, USA

    Yevgeniy Dodis

  2. University of Florida, Gainesville, FL, USA

    Thomas Shrimpton

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hülsing, A., Meijers, M., Strub, PY. (2022). Formal Verification of Saber’s Public-Key Encryption Scheme in EasyCrypt. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15802-5_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15801-8

  • Online ISBN: 978-3-031-15802-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation