An Efficient Key Mismatch Attack on the NIST Second Round Candidate Kyber

Kyber is a KEM whose security is based on the Modular Learning with Errors problem, and it was selected for the second round of the NIST post-quantum standardization process. Before Kyber is put into practical use, it is very important to assess its security under harsh practical conditions, especially when the Fujisaki-Okamoto transformation is neglected. In this paper, we propose an efficient key mismatch attack on Kyber, which can recover one participant's secret key if the public key is reused. We first define the oracles through which the adversary is able to launch the attack. Then, we show that by accessing the oracle multiple times, the adversary is able to recover the coefficients of the secret key. Furthermore, we propose two strategies to reduce the number of queries and the time needed to recover the secret key. It turns out that key mismatch attacks break Kyber much more easily than NewHope, another NIST second round candidate, due to their different design structures. Our implementations have demonstrated the efficiency of the proposed attacks and verified our findings. Another interesting observation from the attack is that in the most powerful parameter set, Kyber-1024, each coefficient is easier to recover than in Kyber-512 and Kyber-768. Specifically, for Kyber-512 we recover each coefficient with 2.7 queries on average, while for Kyber-1024 and Kyber-768 we only need 2.4 queries. This further demonstrates that practical implementations of LWE based schemes are very delicate.
