Chosen ciphertext attacks on lattice-based public key encryption and modern (non-quantum) cryptography in a quantum environment

Modern cryptography is based on various building blocks such as one way functions with or without trapdoors, pseudo-random functions, one way permutations with or without trapdoors, etc. In a quantum world some of the main candidates for these building blocks are broken. For instance, the security of the most popular public-key cryptosystem-RSA-is related to the difficulty of factoring large numbers, and is broken (in principle) by a quantum computer. We investigate some of the remaining candidates, and discuss the resulting ''Post-Quantum Cryptography'' (namely, the resulting ''modern cryptography in a quantum environment''). About half a decade ago Ajtai and Dwork (and later on, also Goldreich, Goldwasser and Halevi) proposed a public key cryptosystem that has a proven security under a plausible complexity assumption. The plausible assumption is that the so-called unique shortest vector problem (u-SVP) is hard on the worst case. This problem is potentially still hard also in a quantum environment. Recently, Regev introduced a new (and much simpler) public key cryptosystem, based on the same u-SVP hardness assumption, but with improved parameters. In this paper we present chosen ciphertext attacks (CCA) against all three cryptosystems. Our attack shows that these cryptosystems are totally insecure against CCA, because the private keys can be recovered in polynomial time. We then discuss the possibility of making public key encryption (PKE) secure against CCA, without adding stronger assumptions than the assumption that u-SVP is hard. We conclude that the current understanding of modern cryptography in a quantum environment can only suggest CCA-secure interactive-PKE, which is obviously weaker than CCA-secure PKE. Finally, we discuss the relation of our attack to the reaction attack of Hall, Goldberg and Schneier, which we only recently became aware of.

[1]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.

[2]  Marc Fischlin,et al.  On the Impossibility of Constructing Non-interactive Statistically-Secret Protocols from Any Trapdoor One-Way Function , 2002, CT-RSA.

[3]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[4]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[5]  Oded Goldreich,et al.  Eliminating Decryption Errors in the Ajtai-Dwork Cryptosystem , 1997, Electron. Colloquium Comput. Complex..

[6]  Joe Kilian,et al.  An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions , 1998, Journal of Cryptology.

[7]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[8]  Bruce Schneier,et al.  Reaction Attacks against several Public-Key Cryptosystems , 1999, ICICS.

[9]  Peter W. Shor,et al.  Algorithms for Quantum Computation: Discrete Log and Factoring (Extended Abstract) , 1994, FOCS 1994.

[10]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[11]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[12]  Daniele Micciancio The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant , 2000, SIAM J. Comput..

[13]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[14]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[15]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[16]  Oded Regev,et al.  New lattice based cryptographic constructions , 2003, STOC '03.

[17]  Arto Salomaa,et al.  Public-Key Cryptography , 1991, EATCS Monographs on Theoretical Computer Science.

[18]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[19]  Jacques Stern,et al.  Cryptanalysis of the Ajtai-Dwork Cryptosystem , 1998, CRYPTO.

[20]  Ronald L. Rivest,et al.  A knapsack-type public key cryptosystem based on arithmetic in finite fields , 1988, IEEE Trans. Inf. Theory.

[21]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[22]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[23]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[24]  Oded Regev Quantum Computation and Lattice Problems , 2004, SIAM J. Comput..

[25]  Yehuda Lindell,et al.  A Simpler Construction of CCA2-Secure Public-Key Encryption under General Assumptions , 2003, EUROCRYPT.

[26]  David Pointcheval,et al.  Chosen-Ciphertext Security for Any One-Way Cryptosystem , 2000, Public Key Cryptography.

[27]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in high L/sub p/ norms , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[28]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[29]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[30]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[31]  Subhash Khot Hardness of approximating the Shortest Vector Problem in high lp norms , 2006, J. Comput. Syst. Sci..

[32]  Serge Vaudenay,et al.  Cryptanalysis of the Chor-Rivest Cryptosystem , 1998, CRYPTO.