Formally Verified Correctness Bounds for Lattice-Based Cryptography

Manuel Barbosa; Matthias J. Kannwischer; Thing Han Lim; Peter Schwabe; Pierre Yves Strub

doi:10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography

Manuel Barbosa
, Matthias J. Kannwischer
, Thing Han Lim
, Peter Schwabe
, Pierre Yves Strub

Ipatimup Diagnósticos
University of Porto
Chelpis Quantum Corp
Academia Sinica Taiwan
MPI-SP
Radboud University
PQShield Ltd

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

Original language	English
Title of host publication	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	156-169
Number of pages	14
ISBN (Electronic)	9798400715259
DOIs	https://doi.org/10.1145/3719027.3765218
Publication status	Published - 22 Nov 2025
Externally published	Yes
Event	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 - Taipei, Taiwan, Province of China Duration: 13 Oct 2025 → 17 Oct 2025

Publication series

Name	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
Country/Territory	Taiwan, Province of China
City	Taipei
Period	13/10/25 → 17/10/25

Keywords

Computer-Aided Cryptography
EasyCrypt
Formal Verification

Access to Document

10.1145/3719027.3765218

Cite this

Barbosa, M., Kannwischer, M. J., Lim, T. H., Schwabe, P., & Strub, P. Y. (2025). Formally Verified Correctness Bounds for Lattice-Based Cryptography. In CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (pp. 156-169). (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3719027.3765218

Barbosa, Manuel ; Kannwischer, Matthias J. ; Lim, Thing Han et al. / Formally Verified Correctness Bounds for Lattice-Based Cryptography. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. pp. 156-169 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{39c61b61972c43f3ba3c43778c8cae75,

title = "Formally Verified Correctness Bounds for Lattice-Based Cryptography",

abstract = "Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.",

keywords = "Computer-Aided Cryptography, EasyCrypt, Formal Verification",

author = "Manuel Barbosa and Kannwischer, \{Matthias J.\} and Lim, \{Thing Han\} and Peter Schwabe and Strub, \{Pierre Yves\}",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 ; Conference date: 13-10-2025 Through 17-10-2025",

year = "2025",

month = nov,

day = "22",

doi = "10.1145/3719027.3765218",

language = "English",

series = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "156--169",

booktitle = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

}

Barbosa, M, Kannwischer, MJ, Lim, TH, Schwabe, P & Strub, PY 2025, Formally Verified Correctness Bounds for Lattice-Based Cryptography. in CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 156-169, 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025, Taipei, Taiwan, Province of China, 13/10/25. https://doi.org/10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography. / Barbosa, Manuel; Kannwischer, Matthias J.; Lim, Thing Han et al.
CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. p. 156-169 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Formally Verified Correctness Bounds for Lattice-Based Cryptography

AU - Barbosa, Manuel

AU - Kannwischer, Matthias J.

AU - Lim, Thing Han

AU - Schwabe, Peter

AU - Strub, Pierre Yves

PY - 2025/11/22

Y1 - 2025/11/22

N2 - Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

AB - Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

KW - Computer-Aided Cryptography

KW - EasyCrypt

KW - Formal Verification

UR - https://www.scopus.com/pages/publications/105023836759

U2 - 10.1145/3719027.3765218

DO - 10.1145/3719027.3765218

M3 - Conference contribution

AN - SCOPUS:105023836759

T3 - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

SP - 156

EP - 169

BT - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025

Y2 - 13 October 2025 through 17 October 2025

ER -

Barbosa M, Kannwischer MJ, Lim TH, Schwabe P, Strub PY. Formally Verified Correctness Bounds for Lattice-Based Cryptography. In CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2025. p. 156-169. (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this