%PDF-1.5 % 4 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 5 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 5 0 obj << /Shading << /Sh << /ShadingType 2 /ColorSpace /DeviceRGB /Domain [0.0 100.00128] /Coords [0.0 0 100.00128 0] /Function << /FunctionType 3 /Domain [0.0 100.00128] /Functions [ << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 25.00032 75.00096] /Encode [0 1 0 1 0 1] >> /Extend [false false] >> >> /ProcSet [ /PDF ] >> endobj 6 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 7 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 7 0 obj << /Shading << /Sh << /ShadingType 2 /ColorSpace /DeviceRGB /Domain [0.0 100.00128] /Coords [0.0 0 100.00128 0] /Function << /FunctionType 3 /Domain [0.0 100.00128] /Functions [ << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> ] /Bounds [ 25.00032 75.00096] /Encode [0 1 0 1 0 1] >> /Extend [false false] >> >> /ProcSet [ /PDF ] >> endobj 8 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 9 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 9 0 obj << /Shading << /Sh << /ShadingType 2 /ColorSpace /DeviceRGB /Domain [0.0 100.00128] /Coords [0 0.0 0 100.00128] /Function << /FunctionType 3 /Domain [0.0 100.00128] /Functions [ << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 25.00032 75.00096] /Encode [0 1 0 1 0 1] >> /Extend [false false] >> >> /ProcSet [ /PDF ] >> endobj 10 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 11 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 11 0 obj << /Shading << /Sh << /ShadingType 2 /ColorSpace /DeviceRGB /Domain [0.0 100.00128] /Coords [0 0.0 0 100.00128] /Function << /FunctionType 3 /Domain [0.0 100.00128] /Functions [ << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [0 0 0] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 100.00128] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> ] /Bounds [ 25.00032 75.00096] /Encode [0 1 0 1 0 1] >> /Extend [false false] >> >> /ProcSet [ /PDF ] >> endobj 16 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 17 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 17 0 obj << /Shading << /Sh << /ShadingType 3 /ColorSpace /DeviceRGB /Domain [0.0 50.00064] /Coords [50.00064 50.00064 0.0 50.00064 50.00064 50.00064] /Function << /FunctionType 3 /Domain [0.0 50.00064] /Functions [ << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 22.50027 25.00032] /Encode [0 1 0 1 0 1] >> /Extend [true false] >> >> /ProcSet [ /PDF ] >> endobj 19 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 20 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 20 0 obj << /Shading << /Sh << /ShadingType 3 /ColorSpace /DeviceRGB /Domain [0.0 50.00064] /Coords [50.00064 50.00064 0.0 50.00064 50.00064 50.00064] /Function << /FunctionType 3 /Domain [0.0 50.00064] /Functions [ << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 21.25026 25.00032] /Encode [0 1 0 1 0 1] >> /Extend [true false] >> >> /ProcSet [ /PDF ] >> endobj 22 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 23 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 23 0 obj << /Shading << /Sh << /ShadingType 3 /ColorSpace /DeviceRGB /Domain [0.0 50.00064] /Coords [50.00064 50.00064 0.0 50.00064 50.00064 50.00064] /Function << /FunctionType 3 /Domain [0.0 50.00064] /Functions [ << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 20.00024 25.00032] /Encode [0 1 0 1 0 1] >> /Extend [true false] >> >> /ProcSet [ /PDF ] >> endobj 25 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 100 100] /FormType 1 /Matrix [1 0 0 1 0 0] /Resources 26 0 R /Length 15 /Filter /FlateDecode >> stream xP( endstream endobj 26 0 obj << /Shading << /Sh << /ShadingType 3 /ColorSpace /DeviceRGB /Domain [0.0 50.00064] /Coords [50.00064 50.00064 0.0 50.00064 50.00064 50.00064] /Function << /FunctionType 3 /Domain [0.0 50.00064] /Functions [ << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [1 1 1] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [1 1 1] /C1 [0 0 0] /N 1 >> << /FunctionType 2 /Domain [0.0 50.00064] /C0 [0 0 0] /C1 [0 0 0] /N 1 >> ] /Bounds [ 21.25026 23.12529 25.00032] /Encode [0 1 0 1 0 1 0 1] >> /Extend [true false] >> >> /ProcSet [ /PDF ] >> endobj 28 0 obj << /S /GoTo /D (section.1) >> endobj 31 0 obj (Introduction and design rationale) endobj 32 0 obj << /S /GoTo /D (subsection.1.1) >> endobj 35 0 obj (Pedigree) endobj 36 0 obj << /S /GoTo /D (subsection.1.2) >> endobj 39 0 obj (Design overview and rationale) endobj 40 0 obj << /S /GoTo /D (subsubsection.1.2.1) >> endobj 43 0 obj (Generic, algebraically unstructured lattices) endobj 44 0 obj << /S /GoTo /D (subsubsection.1.2.2) >> endobj 47 0 obj (Parameters from worst-case reductions and conservative cryptanalysis) endobj 48 0 obj << /S /GoTo /D (subsubsection.1.2.3) >> endobj 51 0 obj (Simplicity of design and implementation) endobj 52 0 obj << /S /GoTo /D (subsection.1.3) >> endobj 55 0 obj (Other features) endobj 56 0 obj << /S /GoTo /D (section.2) >> endobj 59 0 obj (Written specification) endobj 60 0 obj << /S /GoTo /D (subsection.2.1) >> endobj 63 0 obj (Background) endobj 64 0 obj << /S /GoTo /D (subsubsection.2.1.1) >> endobj 67 0 obj (Notation) endobj 68 0 obj << /S /GoTo /D (subsubsection.2.1.2) >> endobj 71 0 obj (Cryptographic definitions) endobj 72 0 obj << /S /GoTo /D (subsubsection.2.1.3) >> endobj 75 0 obj (Learning With Errors) endobj 76 0 obj << /S /GoTo /D (subsubsection.2.1.4) >> endobj 79 0 obj (Gaussians) endobj 80 0 obj << /S /GoTo /D (subsubsection.2.1.5) >> endobj 83 0 obj (Lattices) endobj 84 0 obj << /S /GoTo /D (subsection.2.2) >> endobj 87 0 obj (Algorithm description) endobj 88 0 obj << /S /GoTo /D (subsubsection.2.2.1) >> endobj 91 0 obj (Matrix encoding of bit strings) endobj 92 0 obj << /S /GoTo /D (subsubsection.2.2.2) >> endobj 95 0 obj (Packing matrices modulo q) endobj 96 0 obj << /S /GoTo /D (subsubsection.2.2.3) >> endobj 99 0 obj (Deterministic random bit generation) endobj 100 0 obj << /S /GoTo /D (subsubsection.2.2.4) >> endobj 103 0 obj (Sampling from the error distribution) endobj 104 0 obj << /S /GoTo /D (subsubsection.2.2.5) >> endobj 107 0 obj (Pseudorandom matrix generation) endobj 108 0 obj << /S /GoTo /D (subsubsection.2.2.6) >> endobj 111 0 obj (FrodoPKE: IND-CPA-secure public key encryption scheme) endobj 112 0 obj << /S /GoTo /D (subsubsection.2.2.7) >> endobj 115 0 obj (Correctness of IND-CPA PKE) endobj 116 0 obj << /S /GoTo /D (subsubsection.2.2.8) >> endobj 119 0 obj (Transform from IND-CPA PKE to IND-CCA KEM) endobj 120 0 obj << /S /GoTo /D (subsubsection.2.2.9) >> endobj 123 0 obj (FrodoKEM: IND-CCA-secure key encapsulation mechanism) endobj 124 0 obj << /S /GoTo /D (subsubsection.2.2.10) >> endobj 127 0 obj (Correctness of IND-CCA KEM) endobj 128 0 obj << /S /GoTo /D (subsubsection.2.2.11) >> endobj 131 0 obj (Interconversion to IND-CCA PKE) endobj 132 0 obj << /S /GoTo /D (subsection.2.3) >> endobj 135 0 obj (Cryptographic primitives) endobj 136 0 obj << /S /GoTo /D (subsection.2.4) >> endobj 139 0 obj (Parameters) endobj 140 0 obj << /S /GoTo /D (subsubsection.2.4.1) >> endobj 143 0 obj (High-level overview) endobj 144 0 obj << /S /GoTo /D (subsubsection.2.4.2) >> endobj 147 0 obj (Parameter constraints) endobj 148 0 obj << /S /GoTo /D (subsubsection.2.4.3) >> endobj 151 0 obj (Selected parameter sets) endobj 152 0 obj << /S /GoTo /D (subsection.2.5) >> endobj 155 0 obj (Summary of parameters) endobj 156 0 obj << /S /GoTo /D (subsection.2.6) >> endobj 159 0 obj (Provenance of constants and tables) endobj 160 0 obj << /S /GoTo /D (section.3) >> endobj 163 0 obj (Performance analysis) endobj 164 0 obj << /S /GoTo /D (subsection.3.1) >> endobj 167 0 obj (Associated implementations) endobj 168 0 obj << /S /GoTo /D (subsection.3.2) >> endobj 171 0 obj (Performance analysis on x64 Intel) endobj 172 0 obj << /S /GoTo /D (subsubsection.3.2.1) >> endobj 175 0 obj (Performance using AES128) endobj 176 0 obj << /S /GoTo /D (subsubsection.3.2.2) >> endobj 179 0 obj (Performance using cSHAKE128) endobj 180 0 obj << /S /GoTo /D (subsubsection.3.2.3) >> endobj 183 0 obj (Memory analysis) endobj 184 0 obj << /S /GoTo /D (subsection.3.3) >> endobj 187 0 obj (Performance analysis on ARM) endobj 188 0 obj << /S /GoTo /D (section.4) >> endobj 191 0 obj (Known Answer Test \(KAT\) values) endobj 192 0 obj << /S /GoTo /D (section.5) >> endobj 195 0 obj (Justification of security strength) endobj 196 0 obj << /S /GoTo /D (subsection.5.1) >> endobj 199 0 obj (Security reductions) endobj 200 0 obj << /S /GoTo /D (subsubsection.5.1.1) >> endobj 203 0 obj (IND-CCA Security of KEM) endobj 204 0 obj << /S /GoTo /D (subsubsection.5.1.2) >> endobj 207 0 obj (IND-CPA Security of PKE) endobj 208 0 obj << /S /GoTo /D (subsubsection.5.1.3) >> endobj 211 0 obj (Approximating the error distribution) endobj 212 0 obj << /S /GoTo /D (subsubsection.5.1.4) >> endobj 215 0 obj (Deterministic generation of A) endobj 216 0 obj << /S /GoTo /D (subsubsection.5.1.5) >> endobj 219 0 obj (Reductions from worst-case lattice problems) endobj 220 0 obj << /S /GoTo /D (subsection.5.2) >> endobj 223 0 obj (Cryptanalytic attacks) endobj 224 0 obj << /S /GoTo /D (subsubsection.5.2.1) >> endobj 227 0 obj (Methodology: the core-SVP hardness) endobj 228 0 obj << /S /GoTo /D (subsubsection.5.2.2) >> endobj 231 0 obj (Primal attack) endobj 232 0 obj << /S /GoTo /D (subsubsection.5.2.3) >> endobj 235 0 obj (Dual attack) endobj 236 0 obj << /S /GoTo /D (section.6) >> endobj 239 0 obj (Advantages and limitations) endobj 240 0 obj << /S /GoTo /D (subsection.6.1) >> endobj 243 0 obj (Ease of implementation) endobj 244 0 obj << /S /GoTo /D (subsection.6.2) >> endobj 247 0 obj (Compatibility with existing deployments and hybrid schemes) endobj 248 0 obj << /S /GoTo /D (subsection.6.3) >> endobj 251 0 obj (Hardware implementations) endobj 252 0 obj << /S /GoTo /D (subsection.6.4) >> endobj 255 0 obj (Side-channel resistance) endobj 256 0 obj << /S /GoTo /D [257 0 R /Fit] >> endobj 259 0 obj << /Length 291 /Filter /FlateDecode >> stream xڅ1O0 D\9: CICƕ 9j'wd;&LSoټB``.Xɰ:Jਵeʰg9_-a^AYhY 4nB,WFu7~%!Usn8La
@x6ݛ9t71aLylCDžNj caFI1}ǣ=dhHSU&0,sXFv0j`Y~t
endstream
endobj
257 0 obj <<
/Type /Page
/Contents 259 0 R
/Resources 258 0 R
/MediaBox [0 0 612 792]
/Parent 267 0 R
>> endobj
260 0 obj <<
/D [257 0 R /XYZ 71 757.862 null]
>> endobj
261 0 obj <<
/D [257 0 R /XYZ 72 720 null]
>> endobj
258 0 obj <<
/ColorSpace 3 0 R /Pattern 2 0 R /ExtGState 1 0 R
/Font << /F21 262 0 R /F19 263 0 R /F18 264 0 R /F22 265 0 R /F8 266 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
320 0 obj <<
/Length 2070
/Filter /FlateDecode
>>
stream
x[[s8}#Y(-nL} Xu
$~%$aHlڞ>q.G?zW/߀h0Q G=l9*1Nԡ3 ^ȈǨߊGa:B*\AρNŋ+UR
.
3;3Vs}xG_]:o0@P&O
:c:l9D@xcp=AP7b4'NP{maYKL٥