Decryption failure is more likely after success

The user of an imperfectly correct lattice-based public-key encryption scheme leaks information about their secret key with each decryption query they answer, even when every query is answered successfully. Through a refinement of the D'Anvers–Guo–Johansson–Nilsson–Vercauteren–Verbauwhede failure boosting attack, we show that an adversary can use this information to improve their odds of finding a decryption failure. We also propose a new definition of \(\delta\)-correctness, and we re-assess the correctness of several submissions to NIST's post-quantum standardization effort.
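The following is an added toy model, not code from the paper, that makes the abstract's two claims concrete: a run of successful decryptions still narrows down the secret key, and an adversary who conditions on those successes can pick a later ciphertext whose failure probability is higher than any a-priori choice. It assumes, for illustration only, a uniform ternary secret in {-1, 0, 1}^n, an adversary-chosen noise vector e per ciphertext and the failure rule |<s, e>| >= T with T = 2; none of these is the noise model of a real NIST candidate, where the noise is sampled and wrapped modulo q. With a uniform prior the posterior over the key is uniform over the secrets consistent with the observed outcomes, so for small n every probability is an exact count over an enumerated key space.

```python
"""Toy model of key-conditional decryption failures (constructed example).

Assumed model, not that of any real scheme: the secret s is uniform over
{-1, 0, 1}^n, each adversarial ciphertext carries a noise vector e, and
decryption fails iff |<s, e>| >= THRESHOLD.  With a uniform prior, the
posterior over s after observing query outcomes is uniform over the
secrets consistent with those outcomes, so every probability below is
an exact count over an enumerated key space.
"""
from fractions import Fraction
from itertools import product

COEFFS = (-1, 0, 1)   # assumed range of secret coefficients
THRESHOLD = 2         # assumed failure threshold T


def inner(s, e):
    return sum(a * b for a, b in zip(s, e))


def fails(s, e, t=THRESHOLD):
    """Query e fails to decrypt under secret s iff |<s, e>| >= t."""
    return abs(inner(s, e)) >= t


def all_secrets(n):
    """Every secret in {-1, 0, 1}^n (3**n of them; keep n small)."""
    return [tuple(v) for v in product(COEFFS, repeat=n)]


def consistent_secrets(candidates, history, t=THRESHOLD):
    """Keep only secrets that reproduce every observed (query, failed) pair."""
    return [s for s in candidates
            if all(fails(s, e, t) == failed for e, failed in history)]


def failure_prob(e, candidates, t=THRESHOLD):
    """Failure probability of query e averaged over the candidate secrets."""
    return Fraction(sum(fails(s, e, t) for s in candidates), len(candidates))


def best_query(pool, candidates, t=THRESHOLD):
    """Failure boosting step: choose the pool query most likely to fail now."""
    return max(pool, key=lambda e: failure_prob(e, candidates, t))


def worked_example():
    """n = 2 by hand: query (1, 1) fails for s in {(1,1), (-1,-1)}, so with
    probability 2/9 a priori.  Observing that it succeeded leaves 7 secrets,
    and both (1,-1) and (-1,1) are among them, so query (1,-1) now fails
    with probability 2/7 instead of its a-priori 2/9."""
    prior = all_secrets(2)
    e1, e2 = (1, 1), (1, -1)
    post = consistent_secrets(prior, [(e1, False)])
    return (failure_prob(e1, prior), failure_prob(e2, prior),
            failure_prob(e2, post), len(post))


def adaptive_attack(secret, pool, rounds, t=THRESHOLD):
    """Each round: pick the query with the highest failure probability under
    the current posterior, submit it, condition on the outcome.  Returns one
    (query, failure_prob_when_chosen, failed) record per round and stops at
    the first failure."""
    candidates = all_secrets(len(secret))
    log = []
    for _ in range(rounds):
        e = best_query(pool, candidates, t)
        failed = fails(secret, e, t)
        log.append((e, failure_prob(e, candidates, t), failed))
        candidates = consistent_secrets(candidates, [(e, failed)], t)
        if failed:
            break
    return log


if __name__ == "__main__":
    print("hand-checked n=2 case:", worked_example())
    n = 4
    secret = (1, -1, 0, 1)                        # constructed target key
    pool = [e for e in all_secrets(n) if any(e)]  # all nonzero ternary queries
    for e, p, failed in adaptive_attack(secret, pool, rounds=10):
        print(f"query {e}: P[fail] = {p} ({float(p):.3f}), failed={failed}")
```

The hand-checkable case is the n = 2 one: before any query, every nonzero ternary ciphertext fails with probability at most 2/9; after the query (1, 1) is answered successfully, the key is known not to be (1, 1) or (-1, -1), and the query (1, -1) fails with probability 2/7. The success itself carried the information. For larger n the enumeration grows as 3^n, which is the reason the paper works with distributions over the key rather than an explicit candidate list.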

[1] Anja Becker et al. New directions in nearest neighbor searching with applications to lattice sieving. IACR Cryptol. ePrint Arch., 2016.

[2] Daniel J. Bernstein. Visualizing size-security tradeoffs for lattice-based encryption. IACR Cryptol. ePrint Arch., 2019.

[3] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions. IACR Cryptol. ePrint Arch., 2008.

[4] Shay Gueron et al. On constant-time QC-MDPC decoding with negligible failure rate. IACR Cryptol. ePrint Arch., 2020.

[5] Eike Kiltz et al. A Modular Analysis of the Fujisaki-Okamoto Transformation. TCC, 2017.

[6] Fernando Virdia et al. (One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes. IACR Cryptol. ePrint Arch., 2020.

[7] Daniel J. Bernstein et al. Towards KEM Unification. IACR Cryptol. ePrint Arch., 2018.

[8] Frederik Vercauteren et al. The impact of error dependencies on Ring/Mod-LWE/LWR based schemes. IACR Cryptol. ePrint Arch., 2018.

[9] Alexander Nilsson et al. A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke. IACR Cryptol. ePrint Arch., 2019.

[10] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography. STOC '05, 2005.

[11] Alexander W. Dent et al. A Designer's Guide to KEMs. IMACC, 2003.

[12] Tatsuaki Okamoto et al. Secure Integration of Asymmetric and Symmetric Encryption Schemes. Journal of Cryptology, 1999.

[13] Frederik Vercauteren et al. Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes. Public Key Cryptography, 2019.

[14] Chris Peikert et al. Better Key Sizes (and Attacks) for LWE-Based Encryption. CT-RSA, 2011.

[15] Frederik Vercauteren et al. On the impact of decryption failures on the security of LWE/LWR based schemes. IACR Cryptol. ePrint Arch., 2018.