Abstract
The National Institute of Standards and Technology (NIST) is working on the standardization of post-quantum algorithms. In February 2019, NIST announced that 26 candidate post-quantum cryptosystems had entered Round 2. Prior work has shown how to mount key recovery attacks on several candidates such as FrodoKEM, NewHope, and Kyber, but those methods do not work for LAC, which uses a different encoding scheme and rounding method. To address this gap, we describe a powerful new attack on LAC. In particular, we propose a simple and effective method to recover the reused secret key of LAC.CPA. Following the method we show that, using the recommended parameters, thousands of queries are sufficient to recover the full secret key with 100% probability, which is verified by experiments. Since LAC.KE is based on LAC.CPA, our method can be used to assess the key-reuse resilience of LAC.KE. In particular, if Alice reuses a secret key, Bob can recover it by communicating with Alice thousands of times. Since LAC is a Round 2 candidate in the NIST PQ process, the presented result may well have a high impact on the understanding of this important cryptosystem.
Notes
1. Băetu et al. also recovered the reused secret keys of the other 8 IND-CPA PKEs, but these schemes did not advance to the second round.
2. In the implementation of LAC, in order to minimize the size of the ciphertext, the lower 4 bits of each coefficient in \(\mathbf{v} \) are discarded, and each coefficient is enlarged by shifting 4 bits to the left when decrypting.
3. In that paper, they recovered the reused secret key of NewHope-CPA-KEM by querying a key mismatch oracle, which can be regarded as an adaptive variant of the plaintext checking oracle in a KEM or key exchange.
4. In that paper, they proposed an efficient key mismatch attack on Kyber.CCAKEM. However, they replaced the oracle \(\mathcal {O}\) with the oracle \(\mathcal {O}_m\) in the attack, and these two oracles are not equivalent. In fact, they presented a new method to recover the reused secret key of Kyber.CPAPKE.
5. ECCEnc(m) is chosen to be \(0^{l_v}\) for ease of explanation. In fact, it is also acceptable to choose m at random and generate ECCEnc(m), which is explained further later.
6. Recall that in the KR-PCA game, when the oracle PCO is queried, it returns \(1_{m'=m}\) or \(0_{m'\ne m}\).
7. In LAC.KE, the shared secret is usually used to generate the symmetric keys that Alice and Bob use to communicate. Bob can generate his symmetric keys from his shared secret K; if Alice is able to decrypt (and respond) using those keys, then (with high probability) Bob’s shared key K matches Alice’s shared key \(K'\); if Alice rejects, then Bob’s shared key K mismatches Alice’s shared key \(K'\), which is why the attack is called a key mismatch attack [2, 12, 18].
References
Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptol. ePrint Arch. 2016, 85 (2016)
Qin, Y., Cheng, C., Ding, J.: A complete and optimized key mismatch attack on NIST candidate NewHope. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 504–520. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_24
Ding, J., Fluhrer, S., Rv, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27
Ding, J., Alsayigh, S., Saraswathy, R.V., et al.: Leakage of signal function with reused keys in RLWE key exchange. In: 2017 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2017)
Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
Băetu, C., Durak, F.B., Huguenin-Dumittan, L., Talayhan, A., Vaudenay, S.: Misuse attacks on post-quantum cryptosystems. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 747–776. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_26
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Micciancio, D.: Lattice-based cryptography. In: Tilborg, H.C.V., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, pp. 713–715. Springer, Boston (2011). https://doi.org/10.1007/978-3-540-88702-7_5
Regev, O.: Lattice-based cryptography. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 131–141. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_8
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptol. ePrint Arch. 2012, 688 (2012)
Bos, J., Ducas, L., Kiltz, E., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 353–367. IEEE (2018)
Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the Key-Reuse Resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_14
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4
National Institute of Standards and Technology: Post-quantum cryptography round 1 submissions (2018). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
National Institute of Standards and Technology: Post-quantum cryptography round 2 submissions (2018). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-2-submissions
Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 82–111. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4
Kirkwood, D., Lackey, B.C., McVey, J., et al.: Failure is not an option: standardization issues for post-quantum key agreement. Talk at NIST workshop on cybersecurity in a post-quantum world (2015). http://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm
Qin, Y., Cheng, C., Ding, J.: An efficient key mismatch attack on the NIST second round candidate Kyber. IACR Cryptol. ePrint Arch. 2019, 1343 (2019)
Saarinen, M.-J.O.: HILA5: on reliability, reconciliation, and error correction for ring-LWE encryption. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 192–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_10
Alkim, E., et al.: NewHope: algorithm specifications and supporting documentation (2017). https://newhopecrypto.org/data/NewHope2018_12_02.pdf
Gao, X., Ding, J., Li, L., et al.: Practical randomized RLWE-based key exchange against signal leakage attack. IEEE Trans. Comput. 1, 1–1 (2018)
Liu, C., Zheng, Z., Zou, G.: Key reuse attack on NewHope key exchange protocol. In: Lee, K. (ed.) ICISC 2018. LNCS, vol. 11396, pp. 163–176. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12146-4_11
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)
Bernstein, D.J., Groot Bruinderink, L., Lange, T., Panny, L.: HILA5 Pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_12
Alkim, E., Ducas, L., Pöppelmann, T., et al.: Post-quantum key exchange: a new hope. In: USENIX Security Symposium (2016)
Bernstein, D.J.: Introduction to post-quantum cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 1–14. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_1
National Institute of Standards and Technology: Announcing request for nominations for public-key post-quantum cryptographic algorithms (2016). https://csrc.nist.gov/news/2016/public-key-post-quantum-cryptographic-algorithms
Buchmann, J., Ding, J.: PQCrypto, Post-quantum cryptography. In: Second International Workshop, pp. 17–19 (2008)
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Wang, K., Jiang, H.: Analysis of two countermeasures against the signal leakage attack. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 370–388. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_19
D’Anvers, J.-P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_19
Hall, C., Goldberg, I., Schneier, B.: Reaction attacks against several public-key cryptosystems. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_2
Verheul, E.R., Doumen, J.M., van Tilborg, H.C.A.: Sloppy Alice attacks! Adaptive chosen ciphertext attacks on the McEliece public-key cryptosystem. In: Blaum, M., Farrell, P.G., van Tilborg, H.C.A. (eds.) Information, Coding and Mathematics, pp. 99–119. Springer, Boston (2002). https://doi.org/10.1007/978-1-4757-3585-7_7
D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on ring/Mod-LWE/LWR based schemes. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 103–115. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_6
Ding, J., Cheng, C., Qin, Y.: A simple key reuse attack on LWE and ring LWE encryption schemes as key encapsulation mechanisms (KEMs). IACR Cryptol. ePrint Arch. 2019, 271 (2019)
Greuet, A., Montoya, S., Renault, G.: Attack on LAC key exchange in misuse situation. IACR Cryptol. ePrint Arch. 2020, 063 (2020)
Dumittan, L.H., Vaudenay, S.: Classical misuse attacks on NIST round 2 PQC: the power of rank-based schemes. IACR Cryptol. ePrint Arch. 2020, 409 (2020)
Okada, S., Wang, Y., Takagi, T.: Improving key mismatch attack on NewHope with fewer queries. IACR Cryptol. ePrint Arch. 2020, 585 (2020)
Acknowledgements
This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61802376).
Appendix A
A.1 RLWE Problems
Decisional Ring Learning with Errors (RLWE) [7]. Let n, q be positive integers, and let \(\chi _s,\chi _e\) be distributions over R. The task is to distinguish the following two distributions: \(D_0\): \((\mathbf{a} ,\mathbf{b} )\) and \(D_1\): \((\mathbf{a} ,\mathbf{u} )\), where \(\mathbf{b} =\mathbf{as} +\mathbf{e} \) for \(\mathbf{a} \xleftarrow {\$}R_q\), \(\mathbf{s} \xleftarrow {\$}\chi _s\) and \(\mathbf{e} \xleftarrow {\$}\chi _e\), and \(\mathbf{u} \xleftarrow {\$}R_q\).
A.2 Cryptographic Definitions
A public key encryption scheme PKE is a tuple of algorithms (KeyGen, Enc, Dec):
- KeyGen() \( \rightarrow \) (pk, sk): A probabilistic key generation algorithm that outputs a public key pk and a secret key sk.
- Enc(m, pk) \(\rightarrow \) ct: A probabilistic encryption algorithm that takes as input a message m and a public key pk, and outputs a ciphertext ct. The deterministic form is denoted Enc(m, pk, r) \(\rightarrow \) ct, where the randomness r is passed as an explicit input.
- Dec(ct, sk) \(\rightarrow \) \(m'\): A deterministic decryption algorithm that takes as input a ciphertext ct and a secret key sk, and outputs a message \(m'\).
We use the notion of indistinguishability under chosen plaintext attacks (IND-CPA) to define the advantage of an adversary A by:
A.3 Notations
Samp is an abstract algorithm that samples a random variable according to a distribution with a given seed: \(x \xleftarrow {} \textsf {Samp}(D,\textsf {seed})\), where D is a distribution and seed is the random seed used to sample x. For an empty seed \(\epsilon \), the process \(x \xleftarrow {} \textsf {Samp}(D,\epsilon )\) is the same as \(x \xleftarrow {\$} D\). \(B_{\eta }^h\) is an n-ary centered binomial distribution with fixed Hamming weight: for a random variable drawn from this distribution, the Hamming weight is fixed to the expectation h, the numbers of 1’s and −1’s are both h/2, and the number of 0’s is \(n - h\). ECCEnc and ECCDec are the encoding and decoding functions of the error correcting code, which switch between a message \(m \in \{0,1\}^{l_m}\) and its encoding \(\widehat{m} \in \{0,1\}^{l_v}\), where \(l_v\) is a positive integer denoting the length of the encoding. \((\cdot )_{l_v}\) is a function that takes a polynomial as input and outputs its first \(l_v\) coefficients. For an element \(x \in \mathbb {Q}\) we denote by \(\lfloor x \rceil \) the rounding of x to the closest integer, with ties rounded up.
A.4 Parameters
The main parameters of LAC.CPA are the integers \(n, q, \eta , l_m, l_v, l_t,h\), where n, q are the parameters of the polynomial ring \(R_q\), \(\eta \) is the parameter of the centered binomial distribution \(B_{\eta }\), \(l_m\) and \(l_v\) are the lengths of the message and of its encoding, respectively, \(l_t\) is the maximum number of errors that can be corrected by the error correcting code, and h is the Hamming weight of the centered binomial distribution. LAC.CPA recommends 3 parameter sets: LAC-128, LAC-192, LAC-256. Throughout these parameter sets q is always 251 and \(l_m\) is always 256. The values of n, \(\eta \), \(l_v\) and h vary with the security level. In particular,
- In LAC-128, \(n=512\), \(\eta =1\), \(l_v=l_m+18\times 8\), \(h=\frac{n}{2}\).
- In LAC-192, \(n=1024\), \(\eta =\frac{1}{2}\), \(l_v=l_m+9\times 8\), \(h=\frac{n}{4}\).
- In LAC-256, \(n=1024\), \(\eta =1\), \(l_v=l_m+18\times 8\), \(h=\frac{n}{2}\).
The centered binomial distribution \(B_{\eta }\) with \(\eta = \frac{1}{2}\) is defined as follows: \(\text {sample}\ (a,b)\leftarrow (B_{1},B_{1})\ \text {and output} \ a\times b,\) and the samples are in the interval \([-1, 1]\).
A.5 Discarding the Lower 4 Bits of Each Coefficient of v in LAC-256
When the lower 4 bits of each coefficient in \(\mathbf{v} \) are discarded in the algorithm LAC.CPA.Enc, \(\mathbf{v} _j\) has 16 possible values, namely \(k, k=0,1,...,15.\) In order to carry out the attack, the attacker constructs \(\mathbf{v} _3\sim \mathbf{v} _8\) as follows:
The attacker queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^3), m)\) to determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = -2\), and queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{2q}{17},\mathbf{v} ^4), m)\) to further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = -1\). When he queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{34},\mathbf{v} ^5), m)\), he can further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = 2\). When he queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{2q}{17},\mathbf{v} ^6), m)\), he can further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = 1\). When querying the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^7), m)\), he can determine if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = 1\) or \(-1\), and if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = 2\) or \(-2 (0)\). When querying the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^8), m)\), he can determine if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = -2\) or 0.
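The objects defined in A.1, A.3 and A.4 (an RLWE sample \(\mathbf{b} =\mathbf{as} +\mathbf{e} \), the fixed-Hamming-weight distribution \(B_{\eta }^h\), the product form of \(B_{1/2}\), and the rounding \(\lfloor x \rceil \) with ties rounded up) and the 4-bit truncation of \(\mathbf{v} \) from note 2 and A.5 are small enough to be written out in full. The following Python block is an added illustration written for this page; it is not LAC's reference code and does not implement the attack. It assumes the ring is \(R_q=\mathbb {Z}_q[x]/(x^n+1)\) (the appendix names n and q but not the modulus polynomial) and that both \(\mathbf{s} \) and \(\mathbf{e} \) are drawn from \(B_{\eta }^h\); the function names and the seed are the author's own choices.

```python
import math
import random

# Assumed ring: R_q = Z_q[x] / (x^n + 1). The appendix gives n and q but not the
# modulus polynomial, so the negacyclic wrap below is an assumption of this example.
Q = 251  # q is 251 in every LAC parameter set (A.4)


def sample_b1(rng):
    """B_1: a - b for independent uniform bits a, b; values in {-1, 0, 1}."""
    return rng.getrandbits(1) - rng.getrandbits(1)


def sample_b_half(rng):
    """B_{1/2} as defined in A.4: the product of two B_1 samples, in [-1, 1]."""
    return sample_b1(rng) * sample_b1(rng)


def sample_fixed_weight(n, h, rng):
    """B_eta^h (A.3): exactly h/2 ones, h/2 minus-ones and n-h zeros, positions random."""
    if h % 2 != 0 or h > n:
        raise ValueError("h must be even and at most n")
    coeffs = [1] * (h // 2) + [-1] * (h // 2) + [0] * (n - h)
    rng.shuffle(coeffs)
    return coeffs


def hamming_weight(poly):
    return sum(1 for c in poly if c != 0)


def poly_mul(a, b, n, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1): the term x^n wraps to -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if bj == 0:
                continue
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj
    return [c % q for c in res]


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def rlwe_instance(n, h, rng, q=Q):
    """A D_0 sample from A.1: (a, b) with b = a*s + e, a uniform in R_q,
    s and e drawn from B_eta^h (assumed here for both)."""
    a = [rng.randrange(q) for _ in range(n)]
    s = sample_fixed_weight(n, h, rng)
    e = sample_fixed_weight(n, h, rng)
    b = poly_add(poly_mul(a, s, n, q), e, q)
    return a, s, e, b


def is_consistent(a, s, e, b, n, q=Q):
    """Check b == a*s + e in R_q, the relation the secret holder can verify."""
    return b == poly_add(poly_mul(a, s, n, q), e, q)


def round_ties_up(x):
    """The rounding ⌊x⌉ of A.3: closest integer, ties rounded up."""
    return math.floor(x + 0.5)


def compress_v(v):
    """Truncation from note 2 / A.5: drop the lower 4 bits of each coefficient of v.
    For q = 251 this leaves the 16 possible values k = 0..15."""
    return [c >> 4 for c in v]


def decompress_v(vc):
    """Decryption side: enlarge each coefficient by shifting 4 bits to the left."""
    return [k << 4 for k in vc]


def max_truncation_error(q=Q):
    """Largest |c - decompress(compress(c))| over all coefficients c in [0, q)."""
    coeffs = list(range(q))
    restored = decompress_v(compress_v(coeffs))
    return max(abs(c - r) for c, r in zip(coeffs, restored))


def demo(seed=2020, n=512, h=256):
    """One LAC-128-sized instance (A.4: n = 512, h = n/2) built from a fixed seed."""
    rng = random.Random(seed)
    a, s, e, b = rlwe_instance(n, h, rng)
    return {
        "weight_s": hamming_weight(s),
        "consistent": is_consistent(a, s, e, b, n),
        "distinct_k": len(set(compress_v(range(Q)))),
        "max_err": max_truncation_error(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the Hamming weight of the sampled secret (exactly h), confirms \(\mathbf{b} =\mathbf{as} +\mathbf{e} \) holds in \(R_q\), and shows that the truncation of note 2 collapses the 251 coefficient values to 16 buckets with a worst-case error of 15 per coefficient, which is the rounding loss the error correcting code has to absorb.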
© 2020 Springer Nature Switzerland AG
Wang, K., Zhang, Z., Jiang, H. (2020). Key Recovery Under Plaintext Checking Attack on LAC. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science(), vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_19
DOI: https://doi.org/10.1007/978-3-030-62576-4_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62575-7
Online ISBN: 978-3-030-62576-4