An IND-CCA2 Attack Against the 1st- and 2nd-Round Versions of NTS-KEM

Abstract

This paper presents an IND-CCA2 attack against the 1st- and 2nd-round versions of NTS-KEM, i.e., the versions before the update in December 2019. Our attack works against the 1st- and 2nd-round specifications, with a number of decapsulation queries upper-bounded by \(n-k\) and an advantage lower-bounded by roughly \(0.5(n-k)t/n^2\), where n, k, and t stand for the code length, code dimension, and the designed decoding capacity, for all the three parameter sets of NTS-KEM. We found that the non-reference implementations are also vulnerable to our attack, even though there are bugs. There are also bugs in the reference implementations, but in a way invulnerable to our attack.

This work was supported by Taiwan Ministry of Science and Technology (MOST) Grant 109-2222-E-001-001-MY3. Permanent ID of this document: eb8cb246e2f1ea188ad29d70680e73f8. Date: 2020.12.8.

Appendices

A Paterson’s Message

“We have added a re-encapsulation step during decapsulation, in order to fix a subtle issue in the ROM security proof for NTS-KEM. This issue was identified by Varun Maram from ETH Zurich. This change necessitates the inclusion of the public key as part of the private key and increases the running time of decapsulation. Fortuitously, this change facilitates a QROM proof for NTS-KEM which we plan to make public soon.

[In more detail: our proof did not fully address the possibility that certain adversarially generated ciphertexts not output by encapsulation might decapsulate correctly. This is due to possible behaviour of the decoder, including the Berlekamp-Massey algorithm, when operating beyond its natural decoding capacity. Adding the re-encapsulation step ensures that only correctly generated ciphertexts lead to valid decapsulations; other ciphertexts are implicitly rejected. Our new security proof still tightly relates breaking IND-CCA security of (the new version of) NTS-KEM to breaking one-wayness of the McEliece scheme with the same parameters. We also stress that we are not aware of any concrete attack arising from the issue identified in our proof. Since re-encapsulation makes use of the public key, we now include the public key as part of the private key; an alternative whose cost can be amortised over many invocations of decapsulation is to regenerate the public key from the private key when needed.]”

B NTS-KEM’s Berlekamp-Massey Algorithm

C Attacking the Reference Implementations

We found the following bugs in the code for Algorithm 1 in the reference implementations.

• In each of the 2t iterations, R is updated in the same way as the pseudocode in Sect. 4.3.

• \(\sigma ^*(x)\) is computed as \(x^{\text {Deg}(\sigma (x))} \sigma (x^{-1})\).

We also found that after obtaining \((\sigma ^*(x), \xi )\), the reference implementations compute the error vector e as follows.

• Set \(e = 0 \in \mathbb {F}_{2}^n\).

• Set \(e_i = 1\) for all i such that \(\sigma ^*(\alpha _i)=0\) and \(\alpha _i \ne 0\).

• Set \(e_{\text {pos}(0)}=1\) if \(\xi =1\).

Note that this is different from what is described in Sect. 3.5.

Our attack relies on forcing the decoding algorithm to take an input vector which is the sum of a codeword and an error vector \(e'\) with \(|e'|=t-1\) and \(e'_{\text {pos}(0)}=0\). In this case, according to Theorem 1, Algorithm 1 computes

$$ \sigma (x) = \sigma _0 \prod _{e'_i = 1} (1 - \alpha _i x), $$

so the reference implementations compute

$$ \sigma ^*(x) = \sigma _0 \prod _{e'_i=1}(x - \alpha _i). $$

How about the value of \(\xi \)? It turns out that Algorithm 1 computes \(\sigma (x)\) in the first \(2t-2\) iteration; See [14] for discussions on the number of iterations required to compute the linear feedback shift register. This forces d to be 0 in the last 2 iterations, so we have \(R \ge 2\). As \(\text {Deg}(\sigma ) = t-1 \ge t-R/2\), the reference implementations computes \(\xi =0\). Therefore, the decoding algorithm returns the weight-(\(t-1\)) vector \(e'\), and the decapsulation oracle returns \(\perp \) or \(H_\ell (z, 1_a, c_b, c'_c)\) instead of the session key.

D Implementations

To demonstrate that our attack works against the non-reference implementations, We modified ntskem_test.c in the non-reference implementations included in the 1st-round and 2nd-round submission packages. The content of the modified file is available in Appendix F. The modified testkem_nts function keeps generating ciphertext-session-key pairs. For each ciphertext, it is checked whether flipping any of the last \(n-k\) bits will result in a ciphertext that decapsulates to the same session key. If this happens, a message

will be printed. One can replace the original ntskem_test.c by the modified one and compile each non-reference implementation using make. Then by running the executables ntskem-*-test, the user can see that the message usually shows after trying a several hundreds of ciphertext-session-key pairs.

To demonstrate that our attack works against the specifications, we fixed the bugs in berlekamp_massey.c and nts_kem.c in the reference implementations included in the 1st-round and 2nd-round submission packages. The content of the modified berlekamp_massey.c is available in Appendix E. The modified berlekamp_massey function updates R and computes \(\sigma ^*\) in the correct way. For nts_kem.c, we only change the code segment

in the nts_kem_decapsulate function into the following.

The modification changes the way the error vector e is computed from \(\sigma ^*\) and \(\xi \) to the way specified in Sect. 3.5 (which is equivalent to what is specified in NTS-KEM’s specifications). The user can replace ntskem_test.c by the modified one replace berlekamp_massey.c by the modified one, apply the same change to nts_kem.c, do make and execute ntskem-*-test. Then the user will again see that the message usually shows after trying a several hundreds of ciphertext-session-key pairs.

E The modified berlekamp_massey.c

F The modified ntskem_test.c