Skip to main content

Misuse Attacks on Post-quantum Cryptosystems

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11477)


Many post-quantum cryptosystems which have been proposed in the National Institute of Standards and Technology (NIST) standardization process follow the same meta-algorithm, but in different algebras or different encoding methods. They usually propose two constructions, one being weaker and the other requiring a random oracle. We focus on the weak version of nine submissions to NIST. Submitters claim no security when the secret key is used several times. In this paper, we analyze how easy it is to run a key recovery under multiple key reuse. We mount a classical key recovery under plaintext checking attacks (i.e., with a plaintext checking oracle saying if a given ciphertext decrypts well to a given plaintext) and a quantum key recovery under chosen ciphertext attacks. In the latter case, we assume quantum access to the decryption oracle.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-17656-3_26
  • Chapter length: 30 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-17656-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.
Fig. 10.


  1. 1.

    The AJOP attack was released after we submitted this paper. For completeness, we include its adaptation here.

  2. 2.

    We recall that we assume that decoding is defined over the entire \(S_V\) space.

  3. 3.

    In this computation, we took the worst case for ambiguous decoding (e.g. when both 01 and 10 decode to 00). If now 01 decode to 00 and 10 decode to 11, the distribution of \(\psi _U\) becomes \(\Pr [\psi _U=00]=\Pr [\psi _U=01]=\frac{1}{2}\) and we obtain \(p=\frac{1}{4}\).

  4. 4.

    For q prime, every nonzero f is regular. For \(q=2^n\), every f with at least one odd component is regular.


  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum Key Exchange - A New Hope.

  2. Alagic, G., Jeffery, S., Ozols, M., Poremba, A.: On Quantum Chosen Ciphertext Attacks and Learning with Errors.

  3. Ambainis, A., Magnin, L., Roetteler, M., Roland, J.: Symmetry-Assisted Adversaries for Quantum State Generation. CoRR, vol. abs/1012.2112 (2010).

  4. El Bansarkhani, R.: Kindi.

  5. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resiience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019).

    CrossRef  Google Scholar 

  6. Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: IEEE European Symposium on Security and Privacy EuroS&P’2018, London, UK, pp. 353–367. IEEE (2018)

  7. Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM J. Comput. 26(5), 1411–1473 (1997)

    MathSciNet  CrossRef  Google Scholar 

  8. Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: 23rd ACM Conference on Computer and Communications Security, Vienna, Austria, pp. 1006–1018. ACM Press (2016).

  9. Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! A practical post-quantum public-key encryption from LWE and LWR. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 160–177. Springer, Cham (2018).

    CrossRef  Google Scholar 

  10. Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S., Lin, X.: Leakage of signal function with reuse keys in RLWE key exchange. In: IEEE International Conference on Communications ICC 2017, Paris, France, pp. 1–6. IEEE (2017)

    Google Scholar 

  11. Fluhrer, S.: Cryptanalysis of Ring-LWE Based Key Exchange with Key Share Reuse.

  12. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999).

    CrossRef  Google Scholar 

  13. Fujisaki, E., Okamoto, T.: J. Cryptol. 26, 80–101 (2013)

    CrossRef  Google Scholar 

  14. Grilo, A.B., Kerenidis, I., Zijlstra, T.: Learning with Errors is Easy with Quantum Samples. CoRR, vol. abs/1702.08255 (2017).

  15. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017).

    CrossRef  MATH  Google Scholar 

  16. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. Presented at the NIST Workshop on Cybersecurity in a Post-Quantum World (2015).

  17. Lepoint, T.: Algorithmic of LWE-Based Submissions to NIST Post-Quantum Standardization Effort. Presented at the Post-Scryptum Spring School (2018).

  18. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  19. Phong, L.T., Hayashi, T., Aono, Y., Moriai, S.: LOTUS.

  20. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)

    MathSciNet  CrossRef  Google Scholar 

  21. Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.-J.: Emblem.

  22. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th IEEE Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, pp. 124–134. IEEE (1994)

    Google Scholar 

  23. Smart, N.P., et al.: Lima 1.1: a PQC Encryption Scheme.

  24. Steinfeld, R., Sakzad, A., Zhao, R.K.: Titanium.

  25. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016).

    CrossRef  MATH  Google Scholar 

  26. Yu, Y., Zhang, J.: Lepton: Key Encapsulation Mechanisms from a Variant of Learning Parity with Noise. NIST Round 1 submission to Post-Quantum Cryptography (2017).

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ciprian Băetu .

Editor information

Editors and Affiliations

A Post-quantum Cryptosystems

A Post-quantum Cryptosystems

We list here several algorithms for which we could adapt our attacks. The algorithms are available from

For the KR-PCA attack, we estimate to \((\log _q\#S_V)\log _2(2\rho _++1)\) the number of oracle calls. For the GKZ-based attack, the probability of success is estimated to \(\frac{1}{(2\rho _+)^{\#I}}-\frac{1}{q^{\#I}}\). For the AJOP-based attack, the probability of success is \(p_{q,c}^{\#J}\).

EMBLEM. EMBLEM-CPA [21] works with \(S_A = \mathbb {Z}_q^{m\times n}\), \(S_\mathsf {sk} = \mathbb {Z}_q^{n\times k}\), \(S_B = \mathbb {Z}_q^{m\times k}\), \(S_t = \mathbb {Z}_q^{v\times m}\), \(S_U = \mathbb {Z}_q^{v\times n}\) and \(S_V = \mathbb {Z}_q^{v\times k}\). The bilinear mappings are matrix multiplications. The message space is \(\lbrace 0, 1 \rbrace ^\ell \) and a message is encoded by t-bit chunks. Each block of t-bits is padded with a 1 bit and 0 bits to match a length of \(\log _2(q)\) bits. Then, all \(\frac{\ell }{t}\) blocks are arranged in a \(v \times k\) matrix. Thus, for a message \(\mathsf {pt}\), each \(\log _2(q)\)-bits element of the matrix \(M = \mathsf {encode}(\mathsf {pt})\) is \(\mathsf {pt}_{i,j} \Vert 1 \Vert 00 \ldots 0\), where \(\mathsf {pt}_{i,j}\) is a t-bit block of the original message. Decoding takes the t most significant bits of each element and concatenate them to obtain the original message. Therefore, we have \(\rho _{-} = \rho _{+} = q2^{-t-1}\). Components of \(\mathsf {sk}, t\) are sampled in \([-B, B]\) uniformly at random and components of def are sampled from the discrete Gaussian distribution on \(\mathbb {Z}\) with standard deviation \(\sigma \). This is similar to Frodo. Hence, we have nk unknowns and each \(\delta \) gives vk equations. The GKZ-based attack with \(\#I=1\) recovers one column of n unknowns. The AJOP-based attack uses \(\varepsilon =0\), \(c=2^t\), and \(\#J=k\). For 128-bit security, the following parameters are used: \(m = 1\,003\), \(n = 770\), \(\ell = 256\), \(q = 2^{24}\), \(\sigma = 25\), \(t = 8\), \(B = 1\), v and k can be tuned such that \(v \times k \times t = \ell = 256\), typically \(v = 32, k = 1\). We compute \(p_{q,c}\approx 1\).

R.EMBLEM-CPA is a variant of EMBLEM where the variables are considered as polynomials in X modulo \(X^n + 1\) with coefficients in \(\mathbb {Z}_q\). It has \(S_\mathsf {sk} = S_{A} = S_B = S_t = S_U = \mathbb {Z}_q^n\) and \(S_V = \mathbb {Z}_q^{\ell /t}\) with \(L_\infty \) norm. The bilinear mappings are polynomial multiplications. A message \(m \in \lbrace 0, 1 \rbrace ^\ell \) is encoded as in EMBLEM-CPA, except that now the \(\frac{\ell }{t}\) encoded blocks are polynomial coefficients and not matrix entries. As before, we have \(\rho _{-} = \rho _{+} = q2^{-t-1}\). There is a small subtlety at encryption and decryption: since \(\mathsf {encode}(m) \in \mathbb {Z}_q^{\ell /t}\), we compute \(V = \mathsf {trunc}(t \times B + f, \ell /t) + \mathsf {encode}(m)\) and \(W = V - \mathsf {trunc}(U \times \mathsf {sk}, \ell /t)\), where \(\mathsf {trunc}(x, l)\) takes only the first \(\ell \) components of a vector x. Coefficients of \(\mathsf {sk}, t\) are sampled in \([-B, B]\) uniformly at random and coefficients of def are sampled from a discrete Gaussian distribution on \(\mathbb {Z}\) with standard deviation \(\sigma \). For 128-bit security, the following parameters are proposed: \(n = 463\), \(\ell = 256\), \(q = 2^{25}\), \(\sigma = 25\), \(t = 1\), \(B = 1\). We have n unknowns and each \(\delta \) give them all. The number of oracle calls is about \(n(\log _2q-t)\) in the classical attack. The probability of success in the quantum attack is \(\frac{2^t}{q}\) for the GKZ-based one, and \(p_{q,c}\) for the AJOP-based one.

KINDI. KINDI-CPA [4] works with the ring \(\mathcal {R}_q = \mathbb {Z}_q[X] / (X^n + 1)\). It has \(S_A = \mathcal {R}_q^{\ell ^2}\), \(S_{\mathsf {sk}} = S_B = S_t = S_U = \mathcal {R}_q^{\ell }\) and \(S_V = \mathcal {R}_q\). The norm is \(L_{\infty }\). The bilinear mappings are matrix multiplications and scalar product when the elements are vectors, where elements are considered as polynomials in \(\mathcal {R}_q\). The public key B is compressed by dropping the k least significant bits of all coefficients.

The encoding of a message \(\mathsf {pt}\) is more complex than in other LWE schemes. A random polynomial \(s_1\) with binary coefficients is uniformly sampled from \(\mathcal {R}_2\). This polynomial is used as a seed for a PRNG function (Shake) that returns a one time-pad \(\bar{u}\) and the value t. The message is encrypted into \(u=\bar{u}\oplus \mathsf {pt}\) by one-time pad and encoded in a value \(e \in \mathcal {R}_q^\ell \) and \(f \in \mathcal {R}_q\). The ciphertexts are computed as \((U,V) = (t \times A + e, t \times B + f + \mathsf {encode}(s_1) )\) where \(\mathsf {encode}(s_1)=L\cdot s_1\) with \(L=\frac{q}{2}\). Then, the decryption \(V - U \times \mathsf {sk}\) recovers \(s_1\) thus t then e and f, then u. The value of \(s_1\) also gives \(\bar{u}\) which decrypts u into \(\mathsf {pt}\). We have \(\rho _- = \rho _+ = \frac{q}{4}\). Elements of A are sampled uniformly at random from \(\mathcal {R}_q\), elements of \(\mathsf {sk}, d, t\) and the one-time pad are sampled uniformly at random from \(\mathcal {R}_q\) where the coefficients of the polynomials are in \([-p, p)\) and ef are derived from the message xored with the one-time pad. For KINDI256-CPA, the parameters used are \(n = 256, \ell = 3, p = 4, k = 2, q = 2^{14}\). In our KR-PCA attack, we have to be aware that tampering V results in having junk decryption in the last bits, so we must assume that the PCO oracle ignores those last bits. Adapting the quantum attacks may not be possible because they need \(s_1\) and we cannot recover \(s_1\) from \(\mathsf {pt}\). Surprisingly, the decryption in KINDI kindly returns \(s_1\) in addition to the plaintext. So, the quantum attacks work well, with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

LIMA. LIMA-CPA [23] has \(S_{\mathsf {sk}} = S_A = S_B = S_t = S_U = S_V = \mathbb {Z}_q^n\) with the \(L_\infty \) norm. Elements are considered as polynomials in \(\mathbb {Z}_q[X] / \langle g \rangle \). LIMA-CPA comes in two variants, namely LIMA-2p and LIMA-sp. In LIMA-2p, the polynomial g is \(X^n + 1\) with \(q \equiv 1 \mod 2n\) and in LIMA-sp, g is a trinomial of degree \(n = p-1\) and p is a safe prime (i.e. \(p = 2q + 1\) for a prime q). Each bit of a message is encoded into a 0 or q/2. Therefore, we have \(\rho _- = \rho _+ = \frac{q}{4}\). The sparse elements \(\mathsf {sk}, d, t, e, f\) are sampled in \(\lbrace -B, \ldots , B \rbrace \) from an approximation of a centered discrete Gaussian distribution of standard deviation \(\sigma = \sqrt{(B+1)/2}\). A subtlety is that a pair (te) is accepted only if for \( y_i = t_i + e_i \), it has

$$ \left| \sum _{i = 0}^{n-1} y_i \right| \le 11 \times \sqrt{2 \times n} \times \sigma $$

for LIMA-2p and

$$ \left| \sum _{i = 0}^{k} y_i + \sum _{i = 1}^{n-1} y_i + \sum _{i = k+2}^{n-1} y_i\right| \le 11 \times \sqrt{4 \times n} \times \sigma $$

for LIMA-sp and any \(k \in \lbrace 0, \ldots , n-1 \rbrace \). For a classical 227-bit security LIMA-2p-CPA, the parameters used are \(B = 19, n = 1\,024, q = 133\,121\). For a classical 152-bit security, LIMA-sp-CPA uses \(B = 19, n = 1\,018\) and \(q = 12\,521\,473\). The quantum attacks work with \(c=2\), \(\#I=\#J=1\), and \(p_{q,c}=41\%\).

Lizard. Lizard-CPA [9] has \(S_A = \mathbb {Z}_q^{m\times n}\), \(S_{\mathsf {sk}} = \lbrace -1, 0, 1 \rbrace ^{n\times \ell }\), \(S_B = \mathbb {Z}_q^{m\times \ell }\), \(S_t = \lbrace -1, 0, 1 \rbrace ^m\), \(S_U = \mathbb {Z}_p^n\), and \(S_V = \mathbb {Z}_p^\ell \). The norm is \(L_\infty \). Bilinear mappings are matrix multiplications in these structures. Each bit of a message is encoded into 0 or q/2 but UV are scaled by a p / q factor, then \(\mathsf {pt}\in \{0,1\}^\ell \) is encoded into 0 or p/2. Therefore, we have \(\rho _- = \rho _+ = p/4\). Actually, encryption is based on the LWR problem, hence with deterministic e and f. Decryption has form \(\mathsf {Dec}(\mathsf {sk},U,V)= \lceil \frac{2}{p}(V-U\times \mathsf {sk})\rfloor \), which fits the quantum attacks. Elements of \(\mathsf {sk}\) are sampled from the distribution \(\Pr [x = 1] = \Pr [x = -1] = \gamma /2\), \(\Pr [x = 0] = 1 - \gamma \), elements of d are sampled in \(\mathbb {Z}_q\) from a discrete Gaussian distribution of parameter \(\sigma =\alpha q\), t is sampled uniformly at random in \(\lbrace x \in \lbrace -1, 0, 1 \rbrace ^m : \mathsf {HW}(x) = h \rbrace \), where \(\mathsf {HW}(x)\) counts the number of non-zero elements of x, and e, f are zero. Proposed parameters are \(n = 544\), \(m = 840\), \(q = 1\,024\), \(p = 256\), \(\ell = 256\), \(\gamma = \frac{1}{2}\), \(\alpha =\frac{1}{171}\), and \(h = 128\). The quantum attacks work with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

RLizard-CPA is a variant of Lizard which works with rings. It has \(S_A = S_B = \mathbb {Z}_q^n, S_U = S_V = \mathbb {Z}_p^n\), and \(S_{\mathsf {sk}} = S_t = \lbrace -1, 0, 1 \rbrace ^n\). Elements are considered as polynomials in these structures and bilinear mappings are polynomial multiplications in the corresponding ring. Messages are encoded similarly as in Lizard-CPA. Elements \(\mathsf {sk}, t\) are sampled uniformly at random in \( \lbrace x \in \lbrace -1, 0, 1 \rbrace ^m : \mathsf {HW}(x) = h \rbrace \) with \(h = h_{\mathsf {sk}}\) and \(h = h_t\), respectively. Coefficients of d are sampled according to a discrete Gaussian distribution of parameter \(\sigma \) in \(Z_q\). Proposed parameters are \(n = 1\,024\), \(q = 1\,024\), \(p = 256\), \(\alpha = \frac{1}{154}\) and \(h_{\mathsf {sk}} = h_t = 128\).

LOTUS. LOTUS-PKE-CPA [19] is the same as Lindner-Peikert scheme. We have \(S_A = \mathbb {Z}_q^{n\times n}\), \(S_{\mathsf {sk}} = S_B = \mathbb {Z}_q^{n\times \ell }\), \(S_t = S_U = \mathbb {Z}_q^n\), and \(S_v = \mathbb {Z}_q^\ell \) with the \(L_\infty \) norm. Each bit of a message is multiplied by \(\lfloor \frac{q}{2} \rfloor \). Elements of \(\mathsf {sk}, d, t, e, f\) are sampled from a centered discrete Gaussian distribution of standard deviation \(\sigma \). Therefore, we have \(\rho _+ = \rho _- = \lfloor \frac{q}{4} \rfloor \). For LOTUS128-CPA, we have \(n = 576\), \(q = 8\,192\), \(\ell = 128\), \(\sigma = 3\). For key recovery, we have \(n \times \ell \) unknowns and \(\ell \) equations for each sample \(\delta _i\), hence we need n samples. The quantum attacks work with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

Titanium. Let \(\mathcal {R}_{q,n}\) be the set of polynomials in X with degree less than n and coefficients in \(\mathbb {Z}_q\). Titanium has \(S_A = \mathcal {R}_{q,n}^m\), \(S_{\mathsf {sk}} = \mathcal {R}_{q,n+d+k-1}\), \(S_{B} = \mathcal {R}_{q,d+k}^m\), \(S_t = \mathcal {R}_{q,k+1}^m\), \(S_U = \mathcal {R}_{q,n+k}\) and \(S_V = \mathcal {R}_{q,d}\) with the \(L_\infty \) norm. The bilinear mappings use the middle product \(\odot \) defined as follows: Let \(a \in \mathcal {R}_{q,d_a}\) and \(b \in \mathcal {R}_{q,d_b}\) s.t. \(d_a + d_b - 1 = d + 2k\) for some integers \(d_a, d_b, d, k\). The middle product \(\odot _d: \mathcal {R}_{q,d_a} \times \mathcal {R}_{q,d_b} \rightarrow \mathcal {R}_{q,d}\) is the map

$$ a \odot _d b = \left\lfloor \frac{(a \times b) \mod X^{k+d}}{X^k} \right\rfloor $$

i.e. we take the d terms of \(a\times b\) of degree \(k,k+1,\ldots ,k+d-1\) and divide by \(X^k\). Titanium extends it to vector multiplication as the dot product with \(\odot _d\) for component multiplications and to polynomial-vector multiplication as the component-wise middle product with the polynomial. All bilinear mappings are middle products as described above, except for the \(S_t \times S_A \rightarrow S_U\), which is the dot product with polynomial multiplication in \(\mathbb {Z}_q[X]\). A message \(\mathsf {pt}\) is encoded as a polynomial in \(\mathcal {R}_{2,d}\) with each coefficient scaled by \(\lfloor \frac{q}{p} \rfloor \). Therefore, we have \(\rho _- = \rho _+ = \lfloor \frac{q}{p} \rfloor / 2\). The secret key \(\mathsf {sk}\) is sampled uniformly at random in \(S_t\) and d is sampled by taking the difference of the Hamming weight of two uniformly distributed \(\eta \)-bits values, this approximates a discrete Gaussian distribution. For t, \(N_t = (k+1)\times m\) coefficients need to be sampled in \(\mathbb {Z}_q\). In order to tune the variance, \(N_1\) of them are sampled uniformly in \(\lbrace -B_1/2, \ldots , B_1/2 \rbrace \setminus \lbrace 0 \rbrace \) and \(N_t - N_1\) of them are sampled uniformly in \(\lbrace -B_2/2, \ldots , B_2/2 \rbrace \setminus \lbrace 0 \rbrace \). The elements ef are null. For TitaniumStd128-CPA [24] with NIST security level I, the parameters are \(n = 1\,024\), \(k = 511\), \(d = 256\), \(m = 9\), \(q = 86\,017\), \(p = 2\), \(\eta = 4\), \(N_1 = 3\,816\), \(B_1 = 2^6\), \(B_2 = 2^7\). The quantum attacks work with \(c=p\) and \(\#I=\#J=1\).

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Băetu, C., Durak, F.B., Huguenin-Dumittan, L., Talayhan, A., Vaudenay, S. (2019). Misuse Attacks on Post-quantum Cryptosystems. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3

  • eBook Packages: Computer ScienceComputer Science (R0)