Advertisement

Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes

  • Jan-Pieter D’AnversEmail author
  • Qian Guo
  • Thomas Johansson
  • Alexander Nilsson
  • Frederik Vercauteren
  • Ingrid Verbauwhede
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)

Abstract

In this paper we investigate the impact of decryption failures on the chosen-ciphertext security of lattice-based primitives. We discuss a generic framework for secret key recovery based on decryption failures and present an attack on the NIST Post-Quantum Proposal ss-ntru-pke. Our framework is split in three parts: First, we use a technique to increase the failure rate of lattice-based schemes called failure boosting. Based on this technique we investigate the minimal effort for an adversary to obtain a failure in three cases: when he has access to a quantum computer, when he mounts a multi-target attack or when he can only perform a limited number of oracle queries. Secondly, we examine the amount of information that an adversary can derive from failing ciphertexts. Finally, these techniques are combined in an overall analysis of the security of lattice based schemes under a decryption failure attack. We show that an attacker could significantly reduce the security of lattice based schemes that have a relatively high failure rate. However, for most of the NIST Post-Quantum Proposals, the number of required oracle queries is above practical limits. Furthermore, a new generic weak-key (multi-target) model on lattice-based schemes, which can be viewed as a variant of the previous framework, is proposed. This model further takes into consideration the weak-key phenomenon that a small fraction of keys can have much larger decoding error probability for ciphertexts with certain key-related properties. We apply this model and present an attack in detail on the NIST Post-Quantum Proposal – ss-ntru-pke – with complexity below the claimed security level.

Keywords

Lattice-based cryptography NIST post-quantum standardization Decryption failure LWE NTRU Reaction attack 

Notes

Acknowledgements

The authors would like to thank Tancrède Lepoint and the anonymous reviewers for their helpful comments. They would also like to thank Andreas Hülsing for interesting discussions. This work was supported in part by the Research Council KU Leuven: C16/15/058, by the European Commission through the Horizon 2020 research and innovation programme Cathedral ERC Advanced Grant 695305, by the Research Council KU Leuven grants C14/18/067 and STG/17/019, by the Norwegian Research Council (Grant No. 247742/070), by the Swedish Research Council (Grant No. 2015-04528), by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation, and by the Swedish Foundation for Strategic Research (SSF) project RIT17-0005.

References

  1. 1.
    NIST Post-Quantum Cryptography Forum. https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-forum. Accessed 11 Jan 2019
  2. 2.
    Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
  3. 3.
    Albrecht, M., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9, 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! Cryptology ePrint Archive, Report 2018/331 (2018). https://eprint.iacr.org/2018/331
  5. 5.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange \(-\) a new hope. In: USENIX Security 2016 (2016)Google Scholar
  6. 6.
    Baan, H., et al.: Round2: KEM and PKE based on GLWR. Cryptology ePrint Archive, Report 2017/1183 (2017). https://eprint.iacr.org/2017/1183
  7. 7.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_42CrossRefGoogle Scholar
  8. 8.
    Bernstein, D.J., Bruinderink, L.G., Lange, T., Panny, L.: HILA5 pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-89339-6_12CrossRefGoogle Scholar
  9. 9.
    Boldyreva, A., Degabriele, J.P., Paterson, K.G., Stam, M.: On symmetric encryption with distinguishable decryption failures. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 367–390. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_19CrossRefzbMATHGoogle Scholar
  10. 10.
    Bos, J., et al.: CRYSTALS \(-\) Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017). http://eprint.iacr.org/2017/634
  11. 11.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, 1–4 June 2013, pp. 575–584. ACM Press, Palo Alto (2013)Google Scholar
  12. 12.
    Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! Practical post-quantum public-key encryption from LWE and LWR. Cryptology ePrint Archive, Report 2016/1126 (2016). http://eprint.iacr.org/2016/1126
  13. 13.
    D’Anvers, J.P., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-89339-6_16CrossRefGoogle Scholar
  14. 14.
    D’Anvers, J.P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089
  15. 15.
    Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. Cryptology ePrint Archive, Report 2016/1176 (2016). http://eprint.iacr.org/2016/1176
  16. 16.
    Fabsic, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. Cryptology ePrint Archive, Report 2017/494 (2017). http://eprint.iacr.org/2017/494
  17. 17.
    Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016/085 (2016). https://eprint.iacr.org/2016/085
  18. 18.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_34CrossRefGoogle Scholar
  19. 19.
    Gama, N., Nguyen, P.Q.: New chosen-ciphertext attacks on NTRU. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 89–106. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-71677-8_7CrossRefGoogle Scholar
  20. 20.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219. STOC 1996. ACM, New York (1996).  https://doi.org/10.1145/237814.237866
  21. 21.
    Guo, Q., Johansson, T., Nilsson, A.: A generic attack on lattice-based schemes using decryption errors with application to ss-ntru-pke. Cryptology ePrint Archive, Report 2019/043 (2019). https://eprint.iacr.org/2019/043
  22. 22.
    Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. Part I. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_29CrossRefGoogle Scholar
  23. 23.
    Hall, C., Goldberg, I., Schneier, B.: Reaction attacks against several public-key cryptosystem. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999).  https://doi.org/10.1007/978-3-540-47942-0_2CrossRefGoogle Scholar
  24. 24.
    Hoffstein, J., Silverman, J.H.: NTRU Cryptosystems Technical Report Report# 016, Version 1 Title: Protecting NTRU Against Chosen Ciphertext and Reaction AttacksGoogle Scholar
  25. 25.
    Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70500-2_12CrossRefzbMATHGoogle Scholar
  26. 26.
    Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_14CrossRefGoogle Scholar
  27. 27.
    Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: provable security in the presence of decryption failures. Cryptology ePrint Archive, Report 2003/172 (2003). http://eprint.iacr.org/2003/172
  28. 28.
    Jaulmes, É., Joux, A.: A chosen-ciphertext attack against NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_2CrossRefGoogle Scholar
  29. 29.
    Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: Post-quantum IND-CCA-secure KEM without additional hash. Cryptology ePrint Archive, Report 2017/1096 (2017). https://eprint.iacr.org/2017/1096
  30. 30.
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015).  https://doi.org/10.1007/s10623-014-9938-4MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Lu, X., Liu, Y., Jia, D., Xue, H., He, J., Zhang, Z.: LAC. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  32. 32.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1CrossRefGoogle Scholar
  33. 33.
    Naehrig, M., et al.: Frodokem. Technical report, National Institute of Standards and Technology (2017). https://frodokem.org/files/FrodoKEM-specification-20171130.pdf
  34. 34.
    Nilsson, A., Johansson, T., Stankovski, P.: Error amplification in code-based cryptography. IACR Trans. Crypt. Hardw. Embed. Syst. 2019(1), 238–258 (2019).  https://doi.org/10.13154/tches.v2019.i1.238-258CrossRefGoogle Scholar
  35. 35.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, pp. 333–342. STOC 2009. ACM, New York (2009).  https://doi.org/10.1145/1536414.1536461
  36. 36.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, 22–24 May 2005, pp. 84–93. ACM Press, Baltimore (2005)Google Scholar
  37. 37.
    Saarinen, M.J.O.: HILA5. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  38. 38.
    Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2017/1005 (2017). https://eprint.iacr.org/2017/1005
  39. 39.
    Schanck, J.M., Hulsing, A., Rijneveld, J., Schwabe, P.: NTRU-HRSS-KEM. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  40. 40.
    Schwabe, P., et al.: CRYSTALS-Kyber. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  41. 41.
    Schwabe, P., et al.: Newhope. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  42. 42.
    Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee., S.J.: Emblem and R.Emblem. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  43. 43.
    Smart, N.P., et al.: LIMA. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  44. 44.
    Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20465-4_4CrossRefGoogle Scholar
  45. 45.
    Szepieniec, A.: Ramstake. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  46. 46.
    Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53644-5_8CrossRefzbMATHGoogle Scholar
  47. 47.
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Jan-Pieter D’Anvers
    • 1
    Email author
  • Qian Guo
    • 2
    • 3
  • Thomas Johansson
    • 3
  • Alexander Nilsson
    • 3
  • Frederik Vercauteren
    • 1
  • Ingrid Verbauwhede
    • 1
  1. 1.imec-COSIC, KU LeuvenLeuven-HeverleeBelgium
  2. 2.Department of InformaticsUniversity of BergenBergenNorway
  3. 3.Department of Electrical and Information TechnologyLund UniversityLundSweden

Personalised recommendations