SMAUG-T (KPQC)
Korean Post-Quantum Lattice-based Key Encapsulation Mechanism
Overview
SMAUG-T is a lattice-based key encapsulation mechanism developed as part of the Korean Post-Quantum Cryptography (KPQC) competition. It is based on the Module Learning With Rounding (Module-LWR) problem, a variant of Module-LWE where the noise is generated deterministically by rounding rather than by explicit sampling. This simplifies the scheme and can improve performance while maintaining strong security guarantees.
SMAUG-T provides IND-CCA2-secure key encapsulation suitable for establishing shared secrets between two parties, resistant to both classical and quantum attacks.
Specifications
| Parameter Set | KPQC Level | Description |
|---|---|---|
| SMAUG-T1 | 1 | Targeting security equivalent to AES-128 against quantum adversaries |
| SMAUG-T3 | 3 | Targeting security equivalent to AES-192 against quantum adversaries |
| SMAUG-T5 | 5 | Targeting security equivalent to AES-256 against quantum adversaries |
Core operations:
- KeyGen(): Generate an encapsulation key pair
- Encaps(pk): Encapsulate a shared secret under the public key
- Decaps(sk, ct): Decapsulate the ciphertext to recover the shared secret
Underlying math: Module-LWR (Learning With Rounding) over polynomial rings. The rounding operation replaces explicit noise sampling, reducing implementation complexity compared to Module-LWE schemes.
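The rounding step described above, as an added example (not code from the MetaMUI implementation or the SMAUG-T specification): a toy LWR sample over a single ring element (module rank 1), showing that deterministic rounding leaves an implicit error bounded by q/(2p) without any noise being sampled. The parameters `N`, `Q`, `P`, the function names and the sample inputs are assumptions chosen for illustration and are not SMAUG-T's parameter sets.

```rust
// Toy parameters for illustration only; NOT SMAUG-T's parameter sets.
const N: usize = 8; // ring degree, arithmetic in Z_Q[x]/(x^N + 1)
const Q: i64 = 1024; // large modulus q
const P: i64 = 256; // rounding modulus p (divides q)

/// Negacyclic product a*s in Z_Q[x]/(x^N + 1), coefficients in [0, Q).
fn ring_mul(a: &[i64; N], s: &[i64; N]) -> [i64; N] {
    let mut out = [0i64; N];
    for i in 0..N {
        for j in 0..N {
            let k = (i + j) % N;
            // x^N = -1, so terms that wrap past degree N-1 flip sign.
            if i + j >= N { out[k] -= a[i] * s[j] } else { out[k] += a[i] * s[j] }
        }
    }
    out.map(|c| c.rem_euclid(Q))
}

/// LWR sample b = round((P/Q) * a*s) mod P. No noise term is sampled.
fn lwr_sample(a: &[i64; N], s: &[i64; N]) -> [i64; N] {
    ring_mul(a, s).map(|c| ((c * P + Q / 2) / Q).rem_euclid(P))
}

/// Implicit error e = (Q/P)*b - a*s mod Q, centred in (-Q/2, Q/2].
/// This is the "noise" an equivalent LWE sample would carry.
fn implicit_error(a: &[i64; N], s: &[i64; N]) -> [i64; N] {
    let (exact, b) = (ring_mul(a, s), lwr_sample(a, s));
    let mut e = [0i64; N];
    for i in 0..N {
        let d = ((Q / P) * b[i] - exact[i]).rem_euclid(Q);
        e[i] = if d > Q / 2 { d - Q } else { d };
    }
    e
}

fn main() {
    // Constructed inputs: a public ring element and a sparse ternary secret.
    let a = [517, 23, 900, 1001, 64, 333, 7, 768];
    let s = [1, 0, -1, 0, 0, 1, 0, -1];
    println!("b = {:?}", lwr_sample(&a, &s));
    println!("e = {:?}", implicit_error(&a, &s)); // every |e_i| <= Q/(2P) = 2
}
```

Because the same inputs always round to the same output, an LWR-based implementation has no noise sampler to implement or audit; the secret itself must still come from a cryptographically secure source.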
Security
- Security notion: IND-CCA2 (indistinguishability under adaptive chosen-ciphertext attack)
- Hardness assumption: Module Learning With Rounding (Module-LWR)
- CCA transform: Fujisaki-Okamoto transform applied to a CPA-secure PKE
- Korean standardization: Developed and evaluated under the KPQC competition framework
Hardware Acceleration
SMAUG-T benefits from hardware acceleration for its polynomial arithmetic operations.
| Acceleration | Target | Description |
|---|---|---|
| Apple Metal | macOS/iOS GPU | GPU-accelerated polynomial operations |
| CUDA | NVIDIA GPU | GPU-accelerated polynomial operations |
GPU acceleration is particularly beneficial for batch key encapsulation/decapsulation workloads where many operations are performed in parallel.
Platform Support
SMAUG-T is implemented across all 10 platforms in the MetaMUI suite:
| Platform | Language | Implementation Path |
|---|---|---|
| Native | C | metamui-crypto-c/ |
| Systems | Rust | metamui-crypto-rust/ |
| Backend | Go | metamui-crypto-go/ |
| Data Science | Python | metamui-crypto-python/ |
| JVM | Java | metamui-crypto-java/ |
| JVM/Android | Kotlin | metamui-crypto-kotlin/ |
| .NET | C# | metamui-crypto-csharp/ |
| Apple | Swift | metamui-crypto-swift/ |
| Web | TypeScript | metamui-crypto-typescript/ |
| Browser/Edge | WASM | metamui-crypto-wasm/ |
API Example
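```rust
// `rng` must be a cryptographically secure RNG supplied by the caller
// (its construction is not shown on this page).

// Key generation
let (pk, sk) = smaug_t3::keygen(&mut rng);

// Encapsulation (sender side)
let (ciphertext, shared_secret_sender) = smaug_t3::encapsulate(&pk, &mut rng);

// Decapsulation (receiver side)
let shared_secret_receiver = smaug_t3::decapsulate(&sk, &ciphertext);

// Both sides must derive the same shared secret
assert_eq!(shared_secret_sender, shared_secret_receiver);
```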
Test Vectors
- Location: test-vectors/smaug-t/
- Format: KPQC KAT (Known Answer Test) vectors
- Coverage: KeyGen, Encapsulation, Decapsulation for all parameter sets
References
- KPQC Competition — Korean Post-Quantum Cryptography competition. Organized by the Korean government to standardize quantum-resistant algorithms for Korean national standards.
- SMAUG-T Specification — SMAUG-T Algorithm Specifications and Supporting Documentation. Submitted to the KPQC competition.
- Module-LWR — Banerjee, A., Peikert, C., Rosen, A. Pseudorandom Functions and Lattices. EUROCRYPT 2012.