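To withstand the threat that large-scale quantum computers, expected to emerge within the next few years, pose to today's public-key cryptosystems and digital signatures, the U.S. National Institute of Standards and Technology has in recent years been driving the development and standardization of a new class of cryptosystems able to resist quantum attacks: post-quantum cryptography (PQC). Among these, CRYSTALS-Kyber is the lattice-based key encapsulation mechanism most favored by the theoretical cryptography community. The design of CRYSTALS-Kyber has many parameters that can be chosen by hand. The designers state that the final official parameter selection was made to balance key size against security strength, but they give no complete argument or comparison. In this paper, we examine the soundness of the CRYSTALS-Kyber parameter selection, study how different parameter sets affect the properties of the cryptosystem, fully analyze how changing the parameters alters the public-key size, the decryption failure rate, and the security strength, and identify other parameter sets that are also usable or possibly better. Finally, for the primal attack used in the security analysis of this class of lattice cryptosystems, we give a formula that directly predicts the shape of the basis of a $q$-ary lattice after BKZ reduction, which yields better computational efficiency and a simpler implementation when writing attack-analysis programs.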
CRYSTALS-Kyber is an IND-CCA2-secure key-encapsulation mechanism based on the hardness of the learning-with-errors problem in module lattices. Besides the algorithm and design of Kyber itself, there are many parameters that can be chosen to produce a new variant of Kyber. Without further analysis, different values for these parameters may seem more or less equally reasonable. However, the specification document lacks a justification for the optimization of the parameters and only states that they are a trade-off balancing ciphertext size and security level. In this paper, we explore the various parameter sets of Kyber and derive their features, including the decryption failure probability, the ciphertext size, and the security level. Furthermore, we give a new closed-form formula for predicting the shape of a BKZ-$\beta$ reduced basis for a $q$-ary lattice used in the primal attack, which leads to a simpler implementation of the security analysis program.