Dong-Chan Kim, Chang-Yeol Jeon, Minji Kim, Dong Hyun Park, Dong Hyeon Kim, Yeonghyo Kim

Future cryptography Design Lab., Kookmin University

(last updated: 2024.03.16.)

About PALOMA

We propose PALOMA, a new code-based KEM(Key Encapsulation Mechanism), which has the following features:

• Trapdoor based on SDP(Syndrome Decoding Problem) with a binary separable (not irreducible) Goppa code.
• IND-CCA2-secure KEM based on FO(Fujisaki-Okamoto) transformation.

Parameter sets

PALOMA provides three parameter sets: PALOMA-128, PALOMA-192, and PALOMA-256, which correspond to security strength levels of 128-bit, 192-bit, and 256-bit, respectively.

Each parameter set was carefully chosen to meet the following conditions, ensuring efficient implementation.

1. Binary separable Goppa codes are defined in $F_{2^{13}}$ which can be used for PALOMA-128, PALOMA-192, and PALOMA-256 simultaneously,
2. $n + t \leq 2^{13}$ to define a support set and a Goppa polynomial,
3. $n \equiv k \equiv t \equiv 0 \pmod {64}$ for 64-bit word-aligned implementation, and
4. $k/n > 0.7$ to reduce the size of a public key, and
5. Enough security margin.

Performance

Data size (in bytes)

• Note that it is possible to compress the size of the secret key to 96 bytes.

Speed (in milliseconds(cycles))

PALOMA is implemented in ANSI C. A speed benchmark was performed on the following platform:

• Platform: MacBook Pro(Apple M3, 8GB RAM), Sonoma 14.2.1, Apple clang version 14.0.3 with the -O3 optimization option.
• DRBG: AES-256-CTR-based DRBG provided in OpenSSL.