Misuse Attacks on Post-quantum Cryptosystems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)


Many post-quantum cryptosystems which have been proposed in the National Institute of Standards and Technology (NIST) standardization process follow the same meta-algorithm, but in different algebras or different encoding methods. They usually propose two constructions, one being weaker and the other requiring a random oracle. We focus on the weak version of nine submissions to NIST. Submitters claim no security when the secret key is used several times. In this paper, we analyze how easy it is to run a key recovery under multiple key reuse. We mount a classical key recovery under plaintext checking attacks (i.e., with a plaintext checking oracle saying if a given ciphertext decrypts well to a given plaintext) and a quantum key recovery under chosen ciphertext attacks. In the latter case, we assume quantum access to the decryption oracle.



Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

EPFL, Lausanne, Switzerland
