Misuse Attacks on Post-quantum Cryptosystems

Abstract

Many post-quantum cryptosystems which have been proposed in the National Institute of Standards and Technology (NIST) standardization process follow the same meta-algorithm, but in different algebras or different encoding methods. They usually propose two constructions, one being weaker and the other requiring a random oracle. We focus on the weak version of nine submissions to NIST. Submitters claim no security when the secret key is used several times. In this paper, we analyze how easy it is to run a key recovery under multiple key reuse. We mount a classical key recovery under plaintext checking attacks (i.e., with a plaintext checking oracle saying if a given ciphertext decrypts well to a given plaintext) and a quantum key recovery under chosen ciphertext attacks. In the latter case, we assume quantum access to the decryption oracle.

A Post-quantum Cryptosystems

We list here several algorithms for which we could adapt our attacks. The algorithms are available from

https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

For the KR-PCA attack, we estimate to \((\log _q\#S_V)\log _2(2\rho _++1)\) the number of oracle calls. For the GKZ-based attack, the probability of success is estimated to \(\frac{1}{(2\rho _+)^{\#I}}-\frac{1}{q^{\#I}}\). For the AJOP-based attack, the probability of success is \(p_{q,c}^{\#J}\).

EMBLEM. EMBLEM-CPA [21] works with \(S_A = \mathbb {Z}_q^{m\times n}\), \(S_\mathsf {sk} = \mathbb {Z}_q^{n\times k}\), \(S_B = \mathbb {Z}_q^{m\times k}\), \(S_t = \mathbb {Z}_q^{v\times m}\), \(S_U = \mathbb {Z}_q^{v\times n}\) and \(S_V = \mathbb {Z}_q^{v\times k}\). The bilinear mappings are matrix multiplications. The message space is \(\lbrace 0, 1 \rbrace ^\ell \) and a message is encoded by t-bit chunks. Each block of t-bits is padded with a 1 bit and 0 bits to match a length of \(\log _2(q)\) bits. Then, all \(\frac{\ell }{t}\) blocks are arranged in a \(v \times k\) matrix. Thus, for a message \(\mathsf {pt}\), each \(\log _2(q)\)-bits element of the matrix \(M = \mathsf {encode}(\mathsf {pt})\) is \(\mathsf {pt}_{i,j} \Vert 1 \Vert 00 \ldots 0\), where \(\mathsf {pt}_{i,j}\) is a t-bit block of the original message. Decoding takes the t most significant bits of each element and concatenate them to obtain the original message. Therefore, we have \(\rho _{-} = \rho _{+} = q2^{-t-1}\). Components of \(\mathsf {sk}, t\) are sampled in \([-B, B]\) uniformly at random and components of d, e, f are sampled from the discrete Gaussian distribution on \(\mathbb {Z}\) with standard deviation \(\sigma \). This is similar to Frodo. Hence, we have nk unknowns and each \(\delta \) gives vk equations. The GKZ-based attack with \(\#I=1\) recovers one column of n unknowns. The AJOP-based attack uses \(\varepsilon =0\), \(c=2^t\), and \(\#J=k\). For 128-bit security, the following parameters are used: \(m = 1\,003\), \(n = 770\), \(\ell = 256\), \(q = 2^{24}\), \(\sigma = 25\), \(t = 8\), \(B = 1\), v and k can be tuned such that \(v \times k \times t = \ell = 256\), typically \(v = 32, k = 1\). We compute \(p_{q,c}\approx 1\).

R.EMBLEM-CPA is a variant of EMBLEM where the variables are considered as polynomials in X modulo \(X^n + 1\) with coefficients in \(\mathbb {Z}_q\). It has \(S_\mathsf {sk} = S_{A} = S_B = S_t = S_U = \mathbb {Z}_q^n\) and \(S_V = \mathbb {Z}_q^{\ell /t}\) with \(L_\infty \) norm. The bilinear mappings are polynomial multiplications. A message \(m \in \lbrace 0, 1 \rbrace ^\ell \) is encoded as in EMBLEM-CPA, except that now the \(\frac{\ell }{t}\) encoded blocks are polynomial coefficients and not matrix entries. As before, we have \(\rho _{-} = \rho _{+} = q2^{-t-1}\). There is a small subtlety at encryption and decryption: since \(\mathsf {encode}(m) \in \mathbb {Z}_q^{\ell /t}\), we compute \(V = \mathsf {trunc}(t \times B + f, \ell /t) + \mathsf {encode}(m)\) and \(W = V - \mathsf {trunc}(U \times \mathsf {sk}, \ell /t)\), where \(\mathsf {trunc}(x, l)\) takes only the first \(\ell \) components of a vector x. Coefficients of \(\mathsf {sk}, t\) are sampled in \([-B, B]\) uniformly at random and coefficients of d, e, f are sampled from a discrete Gaussian distribution on \(\mathbb {Z}\) with standard deviation \(\sigma \). For 128-bit security, the following parameters are proposed: \(n = 463\), \(\ell = 256\), \(q = 2^{25}\), \(\sigma = 25\), \(t = 1\), \(B = 1\). We have n unknowns and each \(\delta \) give them all. The number of oracle calls is about \(n(\log _2q-t)\) in the classical attack. The probability of success in the quantum attack is \(\frac{2^t}{q}\) for the GKZ-based one, and \(p_{q,c}\) for the AJOP-based one.

KINDI. KINDI-CPA [4] works with the ring \(\mathcal {R}_q = \mathbb {Z}_q[X] / (X^n + 1)\). It has \(S_A = \mathcal {R}_q^{\ell ^2}\), \(S_{\mathsf {sk}} = S_B = S_t = S_U = \mathcal {R}_q^{\ell }\) and \(S_V = \mathcal {R}_q\). The norm is \(L_{\infty }\). The bilinear mappings are matrix multiplications and scalar product when the elements are vectors, where elements are considered as polynomials in \(\mathcal {R}_q\). The public key B is compressed by dropping the k least significant bits of all coefficients.

The encoding of a message \(\mathsf {pt}\) is more complex than in other LWE schemes. A random polynomial \(s_1\) with binary coefficients is uniformly sampled from \(\mathcal {R}_2\). This polynomial is used as a seed for a PRNG function (Shake) that returns a one time-pad \(\bar{u}\) and the value t. The message is encrypted into \(u=\bar{u}\oplus \mathsf {pt}\) by one-time pad and encoded in a value \(e \in \mathcal {R}_q^\ell \) and \(f \in \mathcal {R}_q\). The ciphertexts are computed as \((U,V) = (t \times A + e, t \times B + f + \mathsf {encode}(s_1) )\) where \(\mathsf {encode}(s_1)=L\cdot s_1\) with \(L=\frac{q}{2}\). Then, the decryption \(V - U \times \mathsf {sk}\) recovers \(s_1\) thus t then e and f, then u. The value of \(s_1\) also gives \(\bar{u}\) which decrypts u into \(\mathsf {pt}\). We have \(\rho _- = \rho _+ = \frac{q}{4}\). Elements of A are sampled uniformly at random from \(\mathcal {R}_q\), elements of \(\mathsf {sk}, d, t\) and the one-time pad are sampled uniformly at random from \(\mathcal {R}_q\) where the coefficients of the polynomials are in \([-p, p)\) and e, f are derived from the message xored with the one-time pad. For KINDI256-CPA, the parameters used are \(n = 256, \ell = 3, p = 4, k = 2, q = 2^{14}\). In our KR-PCA attack, we have to be aware that tampering V results in having junk decryption in the last bits, so we must assume that the PCO oracle ignores those last bits. Adapting the quantum attacks may not be possible because they need \(s_1\) and we cannot recover \(s_1\) from \(\mathsf {pt}\). Surprisingly, the decryption in KINDI kindly returns \(s_1\) in addition to the plaintext. So, the quantum attacks work well, with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

LIMA. LIMA-CPA [23] has \(S_{\mathsf {sk}} = S_A = S_B = S_t = S_U = S_V = \mathbb {Z}_q^n\) with the \(L_\infty \) norm. Elements are considered as polynomials in \(\mathbb {Z}_q[X] / \langle g \rangle \). LIMA-CPA comes in two variants, namely LIMA-2p and LIMA-sp. In LIMA-2p, the polynomial g is \(X^n + 1\) with \(q \equiv 1 \mod 2n\) and in LIMA-sp, g is a trinomial of degree \(n = p-1\) and p is a safe prime (i.e. \(p = 2q + 1\) for a prime q). Each bit of a message is encoded into a 0 or q/2. Therefore, we have \(\rho _- = \rho _+ = \frac{q}{4}\). The sparse elements \(\mathsf {sk}, d, t, e, f\) are sampled in \(\lbrace -B, \ldots , B \rbrace \) from an approximation of a centered discrete Gaussian distribution of standard deviation \(\sigma = \sqrt{(B+1)/2}\). A subtlety is that a pair (t, e) is accepted only if for \( y_i = t_i + e_i \), it has

$$ \left| \sum _{i = 0}^{n-1} y_i \right| \le 11 \times \sqrt{2 \times n} \times \sigma $$

for LIMA-2p and

$$ \left| \sum _{i = 0}^{k} y_i + \sum _{i = 1}^{n-1} y_i + \sum _{i = k+2}^{n-1} y_i\right| \le 11 \times \sqrt{4 \times n} \times \sigma $$

for LIMA-sp and any \(k \in \lbrace 0, \ldots , n-1 \rbrace \). For a classical 227-bit security LIMA-2p-CPA, the parameters used are \(B = 19, n = 1\,024, q = 133\,121\). For a classical 152-bit security, LIMA-sp-CPA uses \(B = 19, n = 1\,018\) and \(q = 12\,521\,473\). The quantum attacks work with \(c=2\), \(\#I=\#J=1\), and \(p_{q,c}=41\%\).

Lizard. Lizard-CPA [9] has \(S_A = \mathbb {Z}_q^{m\times n}\), \(S_{\mathsf {sk}} = \lbrace -1, 0, 1 \rbrace ^{n\times \ell }\), \(S_B = \mathbb {Z}_q^{m\times \ell }\), \(S_t = \lbrace -1, 0, 1 \rbrace ^m\), \(S_U = \mathbb {Z}_p^n\), and \(S_V = \mathbb {Z}_p^\ell \). The norm is \(L_\infty \). Bilinear mappings are matrix multiplications in these structures. Each bit of a message is encoded into 0 or q/2 but U, V are scaled by a p / q factor, then \(\mathsf {pt}\in \{0,1\}^\ell \) is encoded into 0 or p/2. Therefore, we have \(\rho _- = \rho _+ = p/4\). Actually, encryption is based on the LWR problem, hence with deterministic e and f. Decryption has form \(\mathsf {Dec}(\mathsf {sk},U,V)= \lceil \frac{2}{p}(V-U\times \mathsf {sk})\rfloor \), which fits the quantum attacks. Elements of \(\mathsf {sk}\) are sampled from the distribution \(\Pr [x = 1] = \Pr [x = -1] = \gamma /2\), \(\Pr [x = 0] = 1 - \gamma \), elements of d are sampled in \(\mathbb {Z}_q\) from a discrete Gaussian distribution of parameter \(\sigma =\alpha q\), t is sampled uniformly at random in \(\lbrace x \in \lbrace -1, 0, 1 \rbrace ^m : \mathsf {HW}(x) = h \rbrace \), where \(\mathsf {HW}(x)\) counts the number of non-zero elements of x, and e, f are zero. Proposed parameters are \(n = 544\), \(m = 840\), \(q = 1\,024\), \(p = 256\), \(\ell = 256\), \(\gamma = \frac{1}{2}\), \(\alpha =\frac{1}{171}\), and \(h = 128\). The quantum attacks work with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

RLizard-CPA is a variant of Lizard which works with rings. It has \(S_A = S_B = \mathbb {Z}_q^n, S_U = S_V = \mathbb {Z}_p^n\), and \(S_{\mathsf {sk}} = S_t = \lbrace -1, 0, 1 \rbrace ^n\). Elements are considered as polynomials in these structures and bilinear mappings are polynomial multiplications in the corresponding ring. Messages are encoded similarly as in Lizard-CPA. Elements \(\mathsf {sk}, t\) are sampled uniformly at random in \( \lbrace x \in \lbrace -1, 0, 1 \rbrace ^m : \mathsf {HW}(x) = h \rbrace \) with \(h = h_{\mathsf {sk}}\) and \(h = h_t\), respectively. Coefficients of d are sampled according to a discrete Gaussian distribution of parameter \(\sigma \) in \(Z_q\). Proposed parameters are \(n = 1\,024\), \(q = 1\,024\), \(p = 256\), \(\alpha = \frac{1}{154}\) and \(h_{\mathsf {sk}} = h_t = 128\).

LOTUS. LOTUS-PKE-CPA [19] is the same as Lindner-Peikert scheme. We have \(S_A = \mathbb {Z}_q^{n\times n}\), \(S_{\mathsf {sk}} = S_B = \mathbb {Z}_q^{n\times \ell }\), \(S_t = S_U = \mathbb {Z}_q^n\), and \(S_v = \mathbb {Z}_q^\ell \) with the \(L_\infty \) norm. Each bit of a message is multiplied by \(\lfloor \frac{q}{2} \rfloor \). Elements of \(\mathsf {sk}, d, t, e, f\) are sampled from a centered discrete Gaussian distribution of standard deviation \(\sigma \). Therefore, we have \(\rho _+ = \rho _- = \lfloor \frac{q}{4} \rfloor \). For LOTUS128-CPA, we have \(n = 576\), \(q = 8\,192\), \(\ell = 128\), \(\sigma = 3\). For key recovery, we have \(n \times \ell \) unknowns and \(\ell \) equations for each sample \(\delta _i\), hence we need n samples. The quantum attacks work with \(\varepsilon =0\), \(c=2\), \(\#I=\#J=1\).

Titanium. Let \(\mathcal {R}_{q,n}\) be the set of polynomials in X with degree less than n and coefficients in \(\mathbb {Z}_q\). Titanium has \(S_A = \mathcal {R}_{q,n}^m\), \(S_{\mathsf {sk}} = \mathcal {R}_{q,n+d+k-1}\), \(S_{B} = \mathcal {R}_{q,d+k}^m\), \(S_t = \mathcal {R}_{q,k+1}^m\), \(S_U = \mathcal {R}_{q,n+k}\) and \(S_V = \mathcal {R}_{q,d}\) with the \(L_\infty \) norm. The bilinear mappings use the middle product \(\odot \) defined as follows: Let \(a \in \mathcal {R}_{q,d_a}\) and \(b \in \mathcal {R}_{q,d_b}\) s.t. \(d_a + d_b - 1 = d + 2k\) for some integers \(d_a, d_b, d, k\). The middle product \(\odot _d: \mathcal {R}_{q,d_a} \times \mathcal {R}_{q,d_b} \rightarrow \mathcal {R}_{q,d}\) is the map

$$ a \odot _d b = \left\lfloor \frac{(a \times b) \mod X^{k+d}}{X^k} \right\rfloor $$

i.e. we take the d terms of \(a\times b\) of degree \(k,k+1,\ldots ,k+d-1\) and divide by \(X^k\). Titanium extends it to vector multiplication as the dot product with \(\odot _d\) for component multiplications and to polynomial-vector multiplication as the component-wise middle product with the polynomial. All bilinear mappings are middle products as described above, except for the \(S_t \times S_A \rightarrow S_U\), which is the dot product with polynomial multiplication in \(\mathbb {Z}_q[X]\). A message \(\mathsf {pt}\) is encoded as a polynomial in \(\mathcal {R}_{2,d}\) with each coefficient scaled by \(\lfloor \frac{q}{p} \rfloor \). Therefore, we have \(\rho _- = \rho _+ = \lfloor \frac{q}{p} \rfloor / 2\). The secret key \(\mathsf {sk}\) is sampled uniformly at random in \(S_t\) and d is sampled by taking the difference of the Hamming weight of two uniformly distributed \(\eta \)-bits values, this approximates a discrete Gaussian distribution. For t, \(N_t = (k+1)\times m\) coefficients need to be sampled in \(\mathbb {Z}_q\). In order to tune the variance, \(N_1\) of them are sampled uniformly in \(\lbrace -B_1/2, \ldots , B_1/2 \rbrace \setminus \lbrace 0 \rbrace \) and \(N_t - N_1\) of them are sampled uniformly in \(\lbrace -B_2/2, \ldots , B_2/2 \rbrace \setminus \lbrace 0 \rbrace \). The elements e, f are null. For TitaniumStd128-CPA [24] with NIST security level I, the parameters are \(n = 1\,024\), \(k = 511\), \(d = 256\), \(m = 9\), \(q = 86\,017\), \(p = 2\), \(\eta = 4\), \(N_1 = 3\,816\), \(B_1 = 2^6\), \(B_2 = 2^7\). The quantum attacks work with \(c=p\) and \(\#I=\#J=1\).