Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes

In this paper we investigate the impact of decryption failures on the chosen-ciphertext security of lattice-based primitives. We discuss a generic framework for secret-key recovery based on decryption failures and present an attack on the NIST Post-Quantum Proposal ss-ntru-pke. Our framework is split into three parts. First, we use a technique called failure boosting to increase the failure rate of lattice-based schemes. Based on this technique we investigate the minimal effort an adversary needs to obtain a failure in three cases: when the adversary has access to a quantum computer, when the adversary mounts a multi-target attack, and when the adversary can only perform a limited number of oracle queries. Secondly, we examine the amount of information an adversary can derive from failing ciphertexts. Finally, these techniques are combined in an overall analysis of the security of lattice-based schemes under a decryption failure attack. We show that an attacker could significantly reduce the security of lattice-based schemes that have a relatively high failure rate. However, for most of the NIST Post-Quantum Proposals, the number of required oracle queries is above practical limits. Furthermore, a new generic weak-key (multi-target) model on lattice-based schemes, which can be viewed as a variant of the previous framework, is proposed. This model further takes into consideration the weak-key phenomenon that a small fraction of keys can have a much larger decoding error probability for ciphertexts with certain key-related properties. We apply this model and present a detailed attack on the NIST Post-Quantum Proposal ss-ntru-pke with complexity below the claimed security level.
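As an added illustration (not code from the paper or from any of the schemes it analyses), the kind of failure-rate estimate a designer would run on a toy ternary-LWE model: the exact decryption failure probability for random ciphertexts, and the same probability conditioned on the ephemeral noise having at least w nonzero coordinates, i.e. a key-independent ciphertext class of the sort failure boosting selects. It then tabulates the expected oracle queries per failure (1/beta) and the total candidate ciphertexts an adversary would have to generate to obtain one failure (1/(alpha*beta)), so a parameter set can be judged against boosted as well as random ciphertexts. The dimension N, modulus Q, and the ternary distributions are constructed assumptions.

```python
from math import comb

# Toy parameters (constructed for illustration, not a real scheme's).
N = 64            # number of secret/noise coordinates
Q = 64            # modulus; decryption fails when |noise| exceeds Q/4
THRESHOLD = Q // 4

# Per-coordinate pmf of a ternary secret coefficient s_i.  Since s_i is
# independent of r_i, the product s_i * r_i has the same pmf when r_i = +-1
# and is 0 when r_i = 0.
TERNARY = {-1: 0.25, 0: 0.5, 1: 0.25}

def convolve(p, q):
    """Convolve two pmfs given as dicts value -> probability."""
    out = {}
    for a, pa in p.items():
        for b, pb in q.items():
            out[a + b] = out.get(a + b, 0.0) + pa * pb
    return out

def tail_prob(pmf, threshold):
    """Probability that |X| > threshold, i.e. the noise flips the message."""
    return sum(p for v, p in pmf.items() if abs(v) > threshold)

def failure_given_weight(n=N, threshold=THRESHOLD):
    """fail[k] = P(failure | ephemeral r has exactly k nonzero coordinates).
    The noise is sum_i s_i*r_i; only coordinates with r_i != 0 contribute."""
    fail, pmf = [], {0: 1.0}
    for _ in range(n + 1):
        fail.append(tail_prob(pmf, threshold))
        pmf = convolve(pmf, TERNARY)
    return fail

def boosting_table(n=N, threshold=THRESHOLD):
    """Map weight cutoff w -> (alpha, beta, queries, work), where
    alpha = P(random r has weight >= w) (fraction of candidate ciphertexts kept),
    beta = P(failure | weight >= w), queries = 1/beta, work = 1/(alpha*beta)."""
    fail = failure_given_weight(n, threshold)
    weight_pmf = [comb(n, k) / 2 ** n for k in range(n + 1)]  # r_i != 0 w.p. 1/2
    rows = {}
    for w in range(n + 1):
        alpha = sum(weight_pmf[w:])
        beta = sum(weight_pmf[k] * fail[k] for k in range(w, n + 1)) / alpha
        rows[w] = (alpha, beta, 1 / beta, 1 / (alpha * beta))
    return rows

if __name__ == "__main__":
    rows = boosting_table()
    print(f"random ciphertexts: P(fail)={rows[0][1]:.2e}, queries/failure={rows[0][2]:.2e}")
    for w in (32, 40, 48, 56):
        alpha, beta, queries, work = rows[w]
        print(f"weight>={w}: alpha={alpha:.2e} beta={beta:.2e} queries={queries:.2e} work={work:.2e}")
```

Row w = 0 is the unboosted case; higher cutoffs lower the queries per failure while raising the total work, which is the trade-off the limited-query analysis in the paper turns on.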
