Abstract
Kyber is a candidate in the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) Standardization. However, because of the protocol’s independence assumption, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work, we give a rigorous mathematical analysis of the actual failure probability calculation, and provides the Kyber security estimation in reality rather than only in a statistical sense. Our analysis does not make independency assumptions on errors, and is with respect to concrete public keys in reality. Through sample test and experiments, we also illustrate the difference between the actual failure probability and the result given in the proposal of Kyber. The experiments show that, for Kyber-512 and 768, the failure probability resulting from the original paper is relatively conservative, but for Kyber-1024, the failure probability of some public keys is worse than claimed. This failure probability calculation for concrete public keys can also guide the selection of public keys in the actual application scenarios. What’s more, we measure the gap between the upper bound of the failure probability and the actual failure probability, then give a tight estimate. Our work can also re-evaluate the traditional \(1-\delta \) correctness in the literature, which will help re-evaluate some candidates’ security in NIST post-quantum cryptographic standardization.
Keywords
- Post-quantum cryptography
- Learning with errors
- Key encapsulation mechanism
- Decryption failure
This is a preview of subscription content, access via your institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 206–225. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12
Bos, J., Ducas, L., Kiltz, E., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 353–367 (2018). https://doi.org/10.1109/EuroSP.2018.00032
Bos, J.W., Friedberger, S., Martinoli, M., et al.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_10
Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12
D’Anvers, J.-P., Rossi, M., Virdia, F.: (One) failure is not an option: bootstrapping the search for failures in lattice-based encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 3–33. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_1
D’Anvers, J.-P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_19
D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on Ring/Mod-LWE/LWR based schemes. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 103–115. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_6
Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 82–111. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4
Parzen, E.: On estimation of a probability density function and mode. Ann. Math. Stat. 33(3), 1065 (1962). https://doi.org/10.1214/aoms/1177704472
Rosenblatt, M.: Remarks on some nonparametric estimates of a density function. In: Davis, R., Lii, KS., Politis, D. (eds.) Selected Works of Murray Rosenblatt. Selected Works in Probability and Statistics. pp. 832–837. Springer, New York (1956). https://doi.org/10.1007/978-1-4419-8339-8_13
Wishart, J., Bartlett, M.S.: The distribution of second order moment statistics in a normal system. In: Mathematical Proceedings of the Cambridge Philosophical Society, vol. 28, no. 4, pp. 455–459. Cambridge University Press, Cambridge (1932). https://doi.org/10.1017/S0305004100010690
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Fang, B., Wang, W., Zhao, Y. (2022). Tight Analysis of Decryption Failure Probability of Kyber in Reality. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_9
Download citation
DOI: https://doi.org/10.1007/978-3-031-15777-6_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6
eBook Packages: Computer ScienceComputer Science (R0)