International Association for Cryptologic Research

CryptoDB

Peter Schwabe

Publications

Year
Venue
Title
2024
CIC
X-Wing
X-Wing is a hybrid key-encapsulation mechanism based on X25519 and ML-KEM-768. It is designed to be the sensible choice for most applications. The concrete choice of X25519 and ML-KEM-768 allows X-Wing to achieve improved efficiency compared to using a generic KEM combiner. In this paper, we introduce the X-Wing hybrid KEM construction and provide a proof of security. We show (1) that X-Wing is a classically IND-CCA secure KEM if the strong Diffie-Hellman assumption holds in the X25519 nominal group, and (2) that X-Wing is a post-quantum IND-CCA secure KEM if ML-KEM-768 is itself an IND-CCA secure KEM and SHA3-256 is secure when used as a pseudorandom function. The first result is proved in the ROM, whereas the second one holds in the standard model. Loosely speaking, this means X-Wing is secure if either X25519 or ML-KEM-768 is secure. We stress that these security guarantees and optimizations are only possible due to the concrete choices that were made, and they may not apply in the general case.
2024
CIC
Optimizations and Practicality of High-Security CSIDH
In this work, we assess the real-world practicality of CSIDH, an isogeny-based non-interactive key exchange. We provide the first thorough assessment of the practicality of CSIDH in higher parameter sizes for conservative estimates of quantum security, and with protection against physical attacks.

This requires a three-fold analysis of CSIDH. First, we describe two approaches to efficient high-security CSIDH implementations, based on SQALE and CTIDH. Second, we optimize such high-security implementations, on a high level by improving several subroutines, and on a low level by improving the finite field arithmetic. Third, we benchmark the performance of high-security CSIDH. As a stand-alone primitive, our implementations outperform previous results by a factor up to 2.53×.

As a real-world use case considering network protocols, we use CSIDH in TLS variants that allow early authentication through a NIKE. Although our instantiations of CSIDH have smaller communication requirements than post-quantum KEM and signature schemes, even our highly-optimized implementations result in too-large handshake latency (tens of seconds), showing that CSIDH is only practical in niche cases.
2024
CRYPTO
Formally Verifying Kyber Episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt
We present a formally verified proof of the correctness and IND-CCA security of ML-KEM, the Kyber-based Key Encapsulation Mechanism (KEM) undergoing standardization by NIST. The proof is machine-checked in EasyCrypt and it includes: 1) A formalization of the correctness (decryption failure probability) and IND-CPA security of the Kyber base public-key encryption scheme, following Bos et al. at Euro S&P 2018; 2) A formalization of the relevant variant of the Fujisaki-Okamoto transform in the Random Oracle Model (ROM), which follows closely (but not exactly) Hofheinz, Hövelmanns and Kiltz at TCC 2017; 3) A proof that the IND-CCA security of the ML-KEM specification and its correctness as a KEM follows from the previous results; 4) Two formally verified implementations of ML-KEM written in Jasmin that are provably constant-time, functionally equivalent to the ML-KEM specification and, for this reason, inherit the provable security guarantees established in the previous points. The top-level theorems give self-contained concrete bounds for the correctness and security of ML-KEM down to (a variant of) Module-LWE. We discuss how they are built modularly by leveraging various EasyCrypt features.
2023
CHES
2023
TCHES
Formally verifying Kyber: Episode IV: Implementation correctness
In this paper we present the first formally verified implementations of Kyber and, to the best of our knowledge, the first such implementations of any post-quantum cryptosystem. We give a (readable) formal specification of Kyber in the EasyCrypt proof assistant, which is syntactically very close to the pseudocode description of the scheme as given in the most recent version of the NIST submission. We present high-assurance open-source implementations of Kyber written in the Jasmin language, along with machine-checked proofs that they are functionally correct with respect to the EasyCrypt specification. We describe a number of improvements to the EasyCrypt and Jasmin frameworks that were needed for this implementation and verification effort, and we present detailed benchmarks of our implementations, showing that our code achieves performance close to existing hand-optimized implementations in C and assembly.
2023
TCHES
High-assurance zeroization
In this paper we revisit the problem of erasing sensitive data from memory and registers during return from a cryptographic routine. While the problem and the related attacker model are fairly easy to phrase, it turns out to be surprisingly hard to guarantee security in this model when implementing cryptography in common languages such as C/C++ or Rust. We revisit the issues surrounding zeroization and then present a principled solution in the sense that it guarantees that sensitive data is erased and it clearly defines when this happens. We implement our solution as an extension to the formally verified Jasmin compiler and extend the correctness proof of the compiler to cover zeroization. We show that the approach seamlessly integrates with state-of-the-art protections against microarchitectural attacks by integrating zeroization into Libjade, a cryptographic library written in Jasmin with systematic protections against timing and Spectre-v1 attacks. We present benchmarks showing that in many cases the overhead of zeroization is barely measurable and that it stays below 2% except for highly optimized symmetric crypto routines on short inputs.
2022
TCHES
2022
TCHES
SoK: SCA-secure ECC in software – mission impossible?
This paper describes an ECC implementation computing the X25519 key-exchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To the best of our knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.
2018
PKC
SOFIA: $\mathcal{MQ}$-Based Signatures in the QROM
We propose SOFIA, the first $\mathcal{MQ}$-based signature scheme provably secure in the quantum-accessible random oracle model (QROM). Our construction relies on an extended version of Unruh’s transform for 5-pass identification schemes that we describe and prove secure both in the ROM and QROM. Based on a detailed security analysis, we provide concrete parameters for SOFIA that achieve 128-bit post-quantum security. The result is SOFIA-4-128 with parameters carefully optimized to minimize signature size and maximize performance. SOFIA-4-128 comes with an implementation targeting recent Intel processors with the AVX2 vector-instruction set; the implementation is fully protected against timing attacks.
2018
TCHES
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme
In this paper, we present the lattice-based signature scheme Dilithium, which is a component of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite that was submitted to NIST’s call for post-quantum cryptographic standards. The design of the scheme avoids all uses of discrete Gaussian sampling and is easily implementable in constant-time. For the same security levels, our scheme has a public key that is 2.5X smaller than the previously most efficient lattice-based schemes that did not use Gaussians, while having essentially the same signature size. In addition to the new design, we significantly improve the running time of the main component of many lattice-based constructions – the number theoretic transform. Our AVX2-based implementation results in a speed-up of roughly a factor of 2 over the previously best algorithms that appear in the literature. The techniques for obtaining this speed-up also have applications to other lattice-based schemes.
2017
CHES
High-Speed Key Encapsulation from NTRU
This paper presents software demonstrating that the 20-year-old NTRU cryptosystem is competitive with more recent lattice-based cryptosystems in terms of speed, key size, and ciphertext size. We present a slightly simplified version of textbook NTRU, select parameters for this encryption scheme that target the 128-bit post-quantum security level, construct a KEM that is CCA2-secure in the quantum random oracle model, and present highly optimized software targeting Intel CPUs with the AVX2 vector instruction set. This software takes only 307 914 cycles for the generation of a keypair, 48 646 for encapsulation, and 67 338 for decapsulation. It is, to the best of our knowledge, the first NTRU software with full protection against timing attacks.
2017
CHES
Gimli: A Cross-Platform Permutation
This paper presents Gimli, a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel protection.
2016
PKC
2016
CHES
2016
ASIACRYPT
2015
EUROCRYPT
2015
CHES
2014
ASIACRYPT
2013
CHES
2012
CHES
2011
PKC
2011
CHES
2009
CHES
2009
CHES

Program Committees

Crypto 2024
Eurocrypt 2024
PKC 2023
Crypto 2021
CHES 2021
CHES 2021 (Program chair)
Eurocrypt 2020
CHES 2020
CHES 2019
CHES 2018
Asiacrypt 2017
PKC 2016
Eurocrypt 2016
Asiacrypt 2016
CHES 2015
PKC 2015
Asiacrypt 2015
CHES 2014
Asiacrypt 2013

Coauthors

José Bacelar Almeida (2)
Santiago Arranz Olmos (2)
Gerd Ascheid (1)
Dominik Auras (1)
Manuel Barbosa (3)
Gilles Barthe (3)
Lejla Batina (2)
Daniel J. Bernstein (7)
Fabio Campos (1)
Jorge Chavez-Saab (1)
Ming-Shing Chen (2)
Jesús-Javier Chi-Domínguez (1)
Łukasz Chmielewski (1)
Tung Chou (1)
Chitchanok Chuengsatiansup (1)
Deirdre Connolly (1)
João Diogo Duarte (1)
Léo Ducas (1)
Niels Duif (1)
François Dupressoir (1)
Ruben Gonzalez (1)
Benjamin Grégoire (3)
Björn Haase (1)
Daira Hopwood (1)
Andreas Hülsing (5)
Michael Hutter (1)
Aaron Kaiser (1)
David Kammler (1)
Emilia Käsper (1)
Eike Kiltz (1)
Stefan Kölbl (1)
Tanja Lange (4)
Markus Langenberg (1)
Vincent Laporte (3)
Jean-Christophe Léchenet (3)
Tancrède Lepoint (1)
Cameron Low (1)
Stefan Lucks (1)
Vadim Lyubashevsky (1)
Pedro Maat Costa Massolino (1)
Rudolf Mathar (1)
Florian Mendel (1)
Michael Meyer (1)
Elke De Mulder (1)
Kashif Nawaz (1)
Ruben Niederhagen (1)
Tiago Oliveira (3)
Hugo Pacheco (2)
Louiza Papachristodoulou (1)
Miguel Quaresma (2)
Krijn Reijnders (1)
Joost Renes (1)
Joost Rijneveld (4)
Francisco Rodríguez-Henríquez (1)
Simona Samardjiska (2)
Niels Samwel (1)
John M. Schanck (1)
Hanno Scharwächter (1)
Jürgen Schilling (1)
Tobias Schneider (1)
Michael Schneider (1)
Peter Schwabe (24)
Gregor Seiler (1)
Antoine Séré (1)
Benjamin Smith (1)
François-Xavier Standaert (1)
Damien Stehlé (1)
Pierre-Yves Strub (2)
Yosuke Todo (1)
Karolin Varner (1)
Benoît Viguier (1)
Bas Westerbaan (1)
Wolfgang Wieser (1)
Thom Wiggers (1)
Zooko Wilcox-O'Hearn (1)
Bo-Yin Yang (1)
Diandian Zhang (1)