![Page 2: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/2.jpg)
√q � {a, b, c, d} � q
Original Goal
G
sample a, b sample c, d
aG + b cG + d
KA = a(cG + d) ≈ c(aG + d) = KB
2/12
![Page 3: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/3.jpg)
Original Goal
G
sample a, b sample c, d
aG + b cG + d
KA = a(cG + d) ≈ c(aG + d) = KB
√ q � {a, b, c, d} � q
2/12
![Page 4: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/4.jpg)
Original AJPS Cryptology ePrint Archive: Report2017/481
Available versions in chronological order
20170530:001542 (posted 30-May-2017 00:15:42 UTC)A New Public-Key Cryptosystem via Mersenne NumbersDivesh Aggarwal and Antoine Joux and Anupam Prakash and Miklos Santa
20170530:071730 (posted 30-May-2017 07:17:30 UTC)A New Public-Key Cryptosystem via Mersenne NumbersDivesh Aggarwal and Antoine Joux and Anupam Prakash and Miklos Santha
20170530:072202 (posted 30-May-2017 07:22:02 UTC)A New Public-Key Cryptosystem via Mersenne NumbersDivesh Aggarwal and Antoine Joux and Anupam Prakash and Miklos Santha
20171206:004144 (posted 06-Dec-2017 00:41:44 UTC)A New Public-Key Cryptosystem via Mersenne NumbersDivesh Aggarwal and Antoine Joux and Anupam Prakash and Miklos Santha
20171206:004924 (posted 06-Dec-2017 00:49:24 UTC)A New Public-Key Cryptosystem via Mersenne NumbersDivesh Aggarwal and Antoine Joux and Anupam Prakash and Miklos Santha
Retrieve selected version Go to latest version
[ Cryptology ePrint archive ]
Cryptology ePrint Archive: Report 2017/481 https://eprint.iacr.org/eprint-bin/versions.pl?entr...
1 of 1 04/04/18 13:00
{
3/12
![Page 5: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/5.jpg)
• easy arithmetic• somewhat Hamming weight preserving
• KeyGen:• sample f, g of low Hamming weight• public key: f/gmod q• secret key: g
• Encrypt(m ∈ {0, 1}):• sample a, b of low Hamming weight• ciphertext: (−1)m × (pk× a+ b)
• Decrypt(c):• d← cg
• return
�1 if d has high Hamming weight0 if d has low Hamming weight
Original AJPS
• Mersenne prime modulus: q = 2n − 1 with n prime
4/12
![Page 6: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/6.jpg)
• KeyGen:• sample f, g of low Hamming weight• public key: f/gmod q• secret key: g
• Encrypt(m ∈ {0, 1}):• sample a, b of low Hamming weight• ciphertext: (−1)m × (pk× a+ b)
• Decrypt(c):• d← cg
• return
�1 if d has high Hamming weight0 if d has low Hamming weight
Original AJPS
• Mersenne prime modulus: q = 2n − 1 with n prime • easy arithmetic • somewhat Hamming weight preserving
4/12
![Page 7: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/7.jpg)
• Encrypt(m ∈ {0, 1}):• sample a, b of low Hamming weight• ciphertext: (−1)m × (pk× a+ b)
• Decrypt(c):• d← cg
• return
�1 if d has high Hamming weight0 if d has low Hamming weight
Original AJPS
• Mersenne prime modulus: q = 2n − 1 with n prime • easy arithmetic • somewhat Hamming weight preserving
• KeyGen: • sample f, g of low Hamming weight • public key: f/g mod q • secret key: g
4/12
![Page 8: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/8.jpg)
• Decrypt(c):• d← cg
• return
�1 if d has high Hamming weight0 if d has low Hamming weight
Original AJPS
• Mersenne prime modulus: q = 2n − 1 with n prime • easy arithmetic • somewhat Hamming weight preserving
• KeyGen: • sample f, g of low Hamming weight • public key: f/g mod q • secret key: g
• Encrypt(m ∈ {0, 1}): • sample a, b of low Hamming weight • ciphertext: (−1)m × (pk × a + b)
4/12
![Page 9: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/9.jpg)
Original AJPS
• Mersenne prime modulus: q = 2n − 1 with n prime • easy arithmetic • somewhat Hamming weight preserving
• KeyGen: • sample f, g of low Hamming weight • public key: f/g mod q • secret key: g
• Encrypt(m ∈ {0, 1}): • sample a, b of low Hamming weight • ciphertext: (−1)m × (pk × a + b)
• Decrypt(c): • d ← cg�
1 if d has high Hamming weight • return 0 if d has low Hamming weight
4/12
![Page 10: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/10.jpg)
PDF of a:
PDF of b:
PDF of a+ b:
PDF of a× b:
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse
5/12
![Page 11: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/11.jpg)
PDF of b:
PDF of a+ b:
PDF of a× b:
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse PDF of a:
5/12
![Page 12: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/12.jpg)
PDF of a+ b:
PDF of a× b:
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse PDF of a:
PDF of b:
5/12
![Page 13: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/13.jpg)
PDF of a× b:
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse PDF of a:
PDF of b:
PDF of a + b:
5/12
![Page 14: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/14.jpg)
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse PDF of a:
PDF of b:
PDF of a + b:
PDF of a × b:
5/12
![Page 15: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/15.jpg)
... mod p:
=
2n− small garbage
still sparse
Short-and-Sparse PDF of a:
PDF of b:
PDF of a + b:
PDF of a × b:
5/12
![Page 16: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/16.jpg)
still sparse
Short-and-Sparse PDF of a:
PDF of b:
PDF of a + b:
PDF of a × b:
... mod p:
=
2n− small garbage 5/12
![Page 17: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/17.jpg)
Short-and-Sparse PDF of a:
PDF of b:
PDF of a + b:
PDF of a × b:
still sparse
... mod p:
=
2n− small garbage 5/12
![Page 18: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/18.jpg)
Ramstake Key Agreement
• Hamming weight metric
• short-and-sparse integers • pseudo-Mersenne prime modulus
G
sample a, b sample c, d
aG + b cG + d
KA = a(cG + d) ≈ c(aG + d) = KB
6/12
![Page 19: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/19.jpg)
• DetEncaps(pk; s):• sample c, d• SB ← c(aG+ b) + d• ciphertext: (cG+ d,E(s)⊕ xSBy, H(s))
• key: K = H(pkk coins s)
• Encaps(pk):• sample seed s• return DetEncaps(pk, s)
• Decaps(sk, ctxt):• SA ← a(cG+ d)• s← D(E(s)⊕ xSBy⊕ xSAy)• ctxt’, K ← DetEncaps(pk; s)
• if ctxt’ 6= ctxt, return ⊥• else return K
• E ,D — error-correcting code• Reed-Solomon over GF(256) with design distance 223• capable of correcting 111 bit-errors• repeated ν times• used for functionality not security⇒ Ramstake is not a code-based cryptosystem
Ramstake KEM • KeyGen:
• sample seed for G • sample a, b • public key: (seed for
G, aG + b) • secret key: (a , b)
7/12
![Page 20: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/20.jpg)
• Decaps(sk, ctxt):• SA ← a(cG+ d)• s← D(E(s)⊕ xSBy⊕ xSAy)• ctxt’, K ← DetEncaps(pk; s)
• if ctxt’ 6= ctxt, return ⊥• else return K
• E ,D — error-correcting code• Reed-Solomon over GF(256) with design distance 223• capable of correcting 111 bit-errors• repeated ν times• used for functionality not security⇒ Ramstake is not a code-based cryptosystem
Ramstake KEM • KeyGen:
• sample seed for G • Encaps(pk):• sample a, b • sample seed s• public key: (seed for • return DetEncaps(pk, s)G, aG + b)
• secret key: (a , b)
• DetEncaps(pk; s): • sample c, d • SB ← c(aG + b) + d • ciphertext: (cG + d, E(s) ⊕ xSB y, H(s))
• key: K = H(pkk coins s)
7/12
![Page 21: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/21.jpg)
• E ,D — error-correcting code• Reed-Solomon over GF(256) with design distance 223• capable of correcting 111 bit-errors• repeated ν times• used for functionality not security⇒ Ramstake is not a code-based cryptosystem
• KeyGen: • sample seed for G • sample a, b • public key: (seed for
G, aG + b) • secret key: (a , b)
• DetEncaps(pk; s): • sample c, d • SB ← c(aG + b) + d • ciphertext: (cG + d, E(s) ⊕ xSB y, H(s))
• key: K = H(pkk coins s)
Ramstake KEM
• Encaps(pk): • sample seed s • return DetEncaps(pk, s)
• Decaps(sk, ctxt): • SA ← a(cG + d) • s ← D(E(s) ⊕ xSB y ⊕ xSAy) • ctxt’, K ← DetEncaps(pk; s) • if ctxt’ 6= ctxt, return ⊥ • else return K
7/12
![Page 22: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/22.jpg)
⇒ Ramstake is not a code-based cryptosystem
• KeyGen: • sample seed for G • sample a, b • public key: (seed for
G, aG + b) • secret key: (a , b)
• DetEncaps(pk; s): • sample c, d • SB ← c(aG + b) + d • ciphertext: (cG + d, E(s) ⊕ xSB y, H(s))
• key: K = H(pkk coins s)
Ramstake KEM
• Encaps(pk): • sample seed s • return DetEncaps(pk, s)
• Decaps(sk, ctxt): • SA ← a(cG + d) • s ← D(E(s) ⊕ xSB y ⊕ xSAy) • ctxt’, K ← DetEncaps(pk; s) • if ctxt’ 6= ctxt, return ⊥ • else return K
• E , D — error-correcting code • Reed-Solomon over GF(256) with design distance 223 • capable of correcting 111 bit-errors • repeated ν times • used for functionality not security
7/12
![Page 23: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/23.jpg)
• KeyGen: • sample seed for G • sample a, b • public key: (seed for
G, aG + b) • secret key: (a , b)
• DetEncaps(pk; s): • sample c, d • SB ← c(aG + b) + d • ciphertext: (cG + d, E(s) ⊕ xSB y, H(s))
• key: K = H(pkk coins s)
Ramstake KEM
• Encaps(pk): • sample seed s • return DetEncaps(pk, s)
• Decaps(sk, ctxt): • SA ← a(cG + d) • s ← D(E(s) ⊕ xSB y ⊕ xSAy) • ctxt’, K ← DetEncaps(pk; s) • if ctxt’ 6= ctxt, return ⊥ • else return K
• E , D — error-correcting code • Reed-Solomon over GF(256) with design distance 223 • capable of correcting 111 bit-errors • repeated ν times • used for functionality not security ⇒ Ramstake is not a code-based cryptosystem 7/12
![Page 24: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/24.jpg)
• Sage fix:2
def export(a):
return "".join(reversed([a[i:i+2] for
i in range(0, len(a), 2)]))
and use export(string) instead
• specs and C implementations are correct
Pitfall
• Pitfall1
SB
• don’t use most significant byte/chunk!
1credit: Jacob Alperin-Sheriff 2credit: Gustavo Banegas 8/12
![Page 25: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/25.jpg)
• specs and C implementations are correct
Pitfall
• Pitfall1
SB
• don’t use most significant byte/chunk!
• Sage fix:2
def export(a): return "".join(reversed([a[i:i+2] for
i in range(0, len(a), 2)])) and use export(string) instead
1credit: Jacob Alperin-Sheriff 2credit: Gustavo Banegas 8/12
![Page 26: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/26.jpg)
Pitfall
• Pitfall1
SB
• don’t use most significant byte/chunk!
• Sage fix:2
def export(a): return "".join(reversed([a[i:i+2] for
i in range(0, len(a), 2)])) and use export(string) instead
• specs and C implementations are correct
1credit: Jacob Alperin-Sheriff 2credit: Gustavo Banegas 8/12
![Page 27: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/27.jpg)
• not lattice reduction
⇒ Ramstake is not a lattice-based cryptosystem
Slice-and-Dice Attack3
• find (a, b) from (G, aG + b) • slice and dice • label randomly • pray • run LLL
1 1 1
• bottleneck: guessing labels
11 sparse integer
partition
successful labeling
3Beunardeau et al. Assumption” “On the Hardness of the Mersenne Low Hamming Ratio 9/12
![Page 28: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/28.jpg)
⇒ Ramstake is not a lattice-based cryptosystem
Slice-and-Dice Attack3
• find (a, b) from (G, aG + b) • slice and dice • label randomly • pray • run LLL
1 1 1
• bottleneck: guessing labels
• not lattice reduction
11 sparse integer
partition
successful labeling
3Beunardeau et al. Assumption” “On the Hardness of the Mersenne Low Hamming Ratio 9/12
![Page 29: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/29.jpg)
Slice-and-Dice Attack3
• find (a, b) from (G, aG + b) • slice and dice • label randomly • pray • run LLL
1 1 1 11 sparse integer
• bottleneck: guessing labels
• not lattice reduction
⇒ Ramstake is not a lattice-based cryptosystem
partition
successful labeling
3Beunardeau et al. Assumption” “On the Hardness of the Mersenne Low Hamming Ratio 9/12
![Page 30: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/30.jpg)
Comparison: Mersenne-756839
Ramstake
• pk = (seed, aG + b)
• sk = (a, b)
• RS ECC + repetition • IND-CCA
• error prob.: ≤ 2−64
?• ctxt’ = ctxt • ctxt contains H(s)
• really simple
Mersenne-756839
• pk = (R, fR + g)
• sk = seed
• bit-by-bit repetition • IND-CCA
• error prob.: ≤ 2−239
?• ctxt’ = ctxt • no H(s)
• even simpler
10/12
![Page 31: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/31.jpg)
Comparison: Other KEMs
Ramstake + Mersenne-756839
• |ctxt| ≈ |pk| ∼ 100 kB • hard problem:
• sparse integers
• simple
Other KEMs
• |ctxt| ≈ |pk| ∼ 1 kB • hard problem:
• lattices • coding theory • supersingular isogeny
• less simple
11/12
![Page 32: Ramstake - NIST · Decaps(sk, ctxt): • S. A ←a(cG+d) • s←D (E )⊕xS. B. y. A • ctxt’, K←DetEncaps(pk; s) • if ctxt’ 6=ctxt, return ⊥ • else return K • E,D—](https://reader034.vdocuments.mx/reader034/viewer/2022050507/5f9894e7fcd3a1638d6ffbcb/html5/thumbnails/32.jpg)
12/12