PALOMA: Binary Separable Goppa-based KEM

Kim Dong-Chan, Jeon Chang-Yeol, Kim Minji, Park Dong Hyun, Kim Dong Hyeon, Kim Yeonghyo

Future cryptography Design Lab., Kookmin University

(last updated: 2024.10.21.)

About PALOMA

We propose PALOMA, a new code-based KEM(Key Encapsulation Mechanism), which has the following features:

Trapdoor based on SDP(Syndrome Decoding Problem) with a binary separable (not irreducible) Goppa code.
IND-CCA2-secure KEM based on FO(Fujisaki-Okamoto) transformation.

Parameter sets

PALOMA provides three parameter sets: PALOMA-128, PALOMA-192, and PALOMA-256, corresponding to security strength levels of 128-bit, 192-bit, and 256-bit, respectively.

	Security Level	n	t	k(=n-mt)	m
PALOMA-128	128	3,904	64	3,072	13
PALOMA-192	192	5,568	128	3,904	13
PALOMA-256	256	6,592	128	4,928	13

Each parameter set was carefully chosen to meet the following conditions, ensuring efficient implementation.

Binary separable Goppa codes are defined in $F_{2^{13}}$ which can be used for PALOMA-128, PALOMA-192, and PALOMA-256 simultaneously,
$n + t \leq 2^{13}$ to define a support set and a Goppa polynomial,
$n \equiv k \equiv t \equiv 0 \pmod {64}$ for 64-bit word-aligned implementation, and
$k/n > 0.7$ to reduce the size of a public key, and
Enough security margin.

About PALOMA

Parameter sets

Performance

Data size (in bytes)