# Misuse Attacks on Post-quantum Cryptosystems

## Abstract

Many post-quantum cryptosystems which have been proposed in the National Institute of Standards and Technology (NIST) standardization process follow the same meta-algorithm, but in different algebras or different encoding methods. They usually propose two constructions, one being weaker and the other requiring a random oracle. We focus on the weak version of nine submissions to NIST. Submitters claim no security when the secret key is used several times. In this paper, we analyze how easy it is to run a key recovery under multiple key reuse. We mount a classical key recovery under plaintext checking attacks (i.e., with a plaintext checking oracle saying if a given ciphertext decrypts well to a given plaintext) and a quantum key recovery under chosen ciphertext attacks. In the latter case, we assume quantum access to the decryption oracle.

## References

- 1.Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum Key Exchange - A New Hope. https://eprint.iacr.org/2015/1092
- 2.Alagic, G., Jeffery, S., Ozols, M., Poremba, A.: On Quantum Chosen Ciphertext Attacks and Learning with Errors. https://eprint.iacr.org/2018/1185
- 3.Ambainis, A., Magnin, L., Roetteler, M., Roland, J.: Symmetry-Assisted Adversaries for Quantum State Generation. CoRR, vol. abs/1012.2112 (2010). https://arxiv.org/pdf/1012.2112.pdf
- 4.El Bansarkhani, R.: Kindi. http://kindi-kem.de/
- 5.Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resiience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_14. https://eprint.iacr.org/2019/075CrossRefGoogle Scholar
- 6.Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: IEEE European Symposium on Security and Privacy EuroS&P’2018, London, UK, pp. 353–367. IEEE (2018) https://eprint.iacr.org/2017/634
- 7.Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM J. Comput.
**26**(5), 1411–1473 (1997)MathSciNetCrossRefGoogle Scholar - 8.Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: 23rd ACM Conference on Computer and Communications Security, Vienna, Austria, pp. 1006–1018. ACM Press (2016). https://eprint.iacr.org/2016/659
- 9.Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! A practical post-quantum public-key encryption from LWE and LWR. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 160–177. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_9. https://eprint.iacr.org/2016/1126CrossRefGoogle Scholar
- 10.Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S., Lin, X.: Leakage of signal function with reuse keys in RLWE key exchange. In: IEEE International Conference on Communications ICC 2017, Paris, France, pp. 1–6. IEEE (2017)Google Scholar
- 11.Fluhrer, S.: Cryptanalysis of Ring-LWE Based Key Exchange with Key Share Reuse. https://eprint.iacr.org/2016/085
- 12.Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34CrossRefGoogle Scholar
- 13.Fujisaki, E., Okamoto, T.: J. Cryptol.
**26**, 80–101 (2013)CrossRefGoogle Scholar - 14.Grilo, A.B., Kerenidis, I., Zijlstra, T.: Learning with Errors is Easy with Quantum Samples. CoRR, vol. abs/1702.08255 (2017). https://arxiv.org/pdf/1702.08255.pdf
- 15.Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12. https://eprint.iacr.org/2017/604CrossRefzbMATHGoogle Scholar
- 16.Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. Presented at the NIST Workshop on Cybersecurity in a Post-Quantum World (2015). https://www.nist.gov/news-events/events/2015/04/workshop-cybersecurity-post-quantum-world. https://csrc.nist.gov/csrc/media/events/workshop-on-cybersecurity-in-a-post-quantum-world/documents/presentations/session7-motley-mark.pdf
- 17.Lepoint, T.: Algorithmic of LWE-Based Submissions to NIST Post-Quantum Standardization Effort. Presented at the Post-Scryptum Spring School (2018). https://postscryptum.lip6.fr/. https://postscryptum.lip6.fr/tancrede.pdf
- 18.Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1CrossRefGoogle Scholar
- 19.Phong, L.T., Hayashi, T., Aono, Y., Moriai, S.: LOTUS. https://www2.nict.go.jp/security/lotus/index.html
- 20.Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM
**56**(6), 34 (2009)MathSciNetCrossRefGoogle Scholar - 21.Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.-J.: Emblem. https://pqc-emblem.org
- 22.Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th IEEE Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, pp. 124–134. IEEE (1994)Google Scholar
- 23.Smart, N.P., et al.: Lima 1.1: a PQC Encryption Scheme. https://lima-pq.github.io
- 24.Steinfeld, R., Sakzad, A., Zhao, R.K.: Titanium. http://users.monash.edu.au/~rste/Titanium.html
- 25.Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8. https://eprint.iacr.org/2015/1210CrossRefzbMATHGoogle Scholar
- 26.Yu, Y., Zhang, J.: Lepton: Key Encapsulation Mechanisms from a Variant of Learning Parity with Noise. NIST Round 1 submission to Post-Quantum Cryptography (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions