Formally Verified Correctness Bounds for Lattice-Based Cryptography

Manuel Barbosa; Matthias J. Kannwischer; Thing Han Lim; Peter Schwabe; Pierre Yves Strub

doi:10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography

Manuel Barbosa
, Matthias J. Kannwischer
, Thing Han Lim
, Peter Schwabe
, Pierre Yves Strub

Ipatimup Diagnósticos
University of Porto
Chelpis Quantum Corp
Academia Sinica Taiwan
MPI-SP
Radboud University
PQShield Ltd

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

langue originale	Anglais
titre	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Editeur	Association for Computing Machinery, Inc
Pages	156-169
Nombre de pages	14
ISBN (Electronique)	9798400715259
Les DOIs	https://doi.org/10.1145/3719027.3765218
état	Publié - 22 nov. 2025
Modification externe	Oui
Evénement	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 - Taipei, Taiwan Durée: 13 oct. 2025 → 17 oct. 2025

Série de publications

Nom	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

Une conférence

Une conférence	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
Pays/Territoire	Taiwan
La ville	Taipei
période	13/10/25 → 17/10/25

Accès au document

10.1145/3719027.3765218

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Barbosa, M., Kannwischer, M. J., Lim, T. H., Schwabe, P., & Strub, P. Y. (2025). Formally Verified Correctness Bounds for Lattice-Based Cryptography. Dans CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (p. 156-169). (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3719027.3765218

Barbosa, Manuel ; Kannwischer, Matthias J. ; Lim, Thing Han et al. / Formally Verified Correctness Bounds for Lattice-Based Cryptography. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. p. 156-169 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{39c61b61972c43f3ba3c43778c8cae75,

title = "Formally Verified Correctness Bounds for Lattice-Based Cryptography",

abstract = "Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.",

keywords = "Computer-Aided Cryptography, EasyCrypt, Formal Verification",

author = "Manuel Barbosa and Kannwischer, \{Matthias J.\} and Lim, \{Thing Han\} and Peter Schwabe and Strub, \{Pierre Yves\}",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 ; Conference date: 13-10-2025 Through 17-10-2025",

year = "2025",

month = nov,

day = "22",

doi = "10.1145/3719027.3765218",

language = "English",

series = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "156--169",

booktitle = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

}

Barbosa, M, Kannwischer, MJ, Lim, TH, Schwabe, P & Strub, PY 2025, Formally Verified Correctness Bounds for Lattice-Based Cryptography. Dans CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, p. 156-169, 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025, Taipei, Taiwan, 13/10/25. https://doi.org/10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography. / Barbosa, Manuel; Kannwischer, Matthias J.; Lim, Thing Han et al.
CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. p. 156-169 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - Formally Verified Correctness Bounds for Lattice-Based Cryptography

AU - Barbosa, Manuel

AU - Kannwischer, Matthias J.

AU - Lim, Thing Han

AU - Schwabe, Peter

AU - Strub, Pierre Yves

PY - 2025/11/22

Y1 - 2025/11/22

N2 - Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

AB - Decryption errors play a crucial role in the security of KEMs based on Fujisaki-Okamoto because the concrete security guarantees provided by this transformation directly depend on the probability of such an event being bounded by a small real number. In this paper we present an approach to formally verify the claims of statistical probabilistic bounds for incorrect decryption in lattice-based KEM constructions. Our main motivating example is the PKE encryption scheme underlying ML-KEM. We formalize the statistical event that is used in the literature to heuristically approximate ML-KEM decryption errors and confirm that the upper bounds given in the literature for this event are correct. We consider FrodoKEM as an additional example, to demonstrate the wider applicability of the approach and the verification of a correctness bound without heuristic approximations. We also discuss other (non-approximate) approaches to bounding the probability of ML-KEM decryption.

KW - Computer-Aided Cryptography

KW - EasyCrypt

KW - Formal Verification

UR - https://www.scopus.com/pages/publications/105023836759

U2 - 10.1145/3719027.3765218

DO - 10.1145/3719027.3765218

M3 - Conference contribution

AN - SCOPUS:105023836759

T3 - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

SP - 156

EP - 169

BT - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025

Y2 - 13 October 2025 through 17 October 2025

ER -

Barbosa M, Kannwischer MJ, Lim TH, Schwabe P, Strub PY. Formally Verified Correctness Bounds for Lattice-Based Cryptography. Dans CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2025. p. 156-169. (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3719027.3765218

Formally Verified Correctness Bounds for Lattice-Based Cryptography

Résumé

Série de publications

Une conférence

Accès au document

Autres fichiers et liens

Empreinte digitale

Contient cette citation