Multitarget Decryption Failure Attacks and Their Application to Saber and Kyber

  • Conference paper
  • Published in: Public-Key Cryptography – PKC 2022 (PKC 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13177)

Abstract

Many lattice-based encryption schemes are subject to a very small probability of decryption failures. It has been shown that an adversary can efficiently recover the secret key using a number of ciphertexts that cause such a decryption failure. In PKC 2019, D’Anvers et al. introduced ‘failure boosting’, a technique to speed up the search for decryption failures. In this work we first improve the state-of-the-art multitarget failure boosting attacks. We then improve the cost calculation of failure boosting and extend the applicability of these calculations to permit cost calculations of real-world schemes. Using our newly developed methodologies we determine the multitarget decryption failure attack cost for all parameter sets of Saber and Kyber, showing among others that the quantum security of Saber can theoretically be reduced from 172 bits to 145 bits in specific circumstances. We then discuss the applicability of decryption failure attacks in real-world scenarios, showing that an attack might not be practical to execute.


Notes

  1. Saber has slightly different rounding methods, but this does not impact our study, as the failure condition remains the same.

  2. Guo et al. [18] use the term ‘weak keys’ in their attack, but there it refers to public keys that are vulnerable to specific types of ciphertexts.

References

  1. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

  2. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: SCN 18. LNCS (2018)

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  4. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) Topics in Cryptology – CT-RSA 2014. LNCS, vol. 8366. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2

  5. Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42

  6. Basso, A., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  7. Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.-P. (eds.) Post-Quantum Cryptography – PQCrypto 2020. LNCS, vol. 12100. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12

  8. Bos, J., et al.: CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM. IACR ePrint, Report 634 (2020)

  9. Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: CRYPTO 2020, Part II. LNCS (2020)

  10. D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) Progress in Cryptology – AFRICACRYPT 2018. LNCS, vol. 10831. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16

  11. D’Anvers, J.-P., Rossi, M., Virdia, F.: (One) failure is not an option: bootstrapping the search for failures in lattice-based encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) Advances in Cryptology – EUROCRYPT 2020. LNCS, vol. 12107. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_1

  12. D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089

  13. D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on ring/mod-LWE/LWR based schemes. In: Post-Quantum Cryptography – 10th International Conference, PQCrypto 2019 (2019)

  14. Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12

  15. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013)

  16. Gentry, C., Boneh, D.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University, Stanford (2009)

  17. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008. ACM (2008)

  18. Guo, Q., Johansson, T., Nilsson, A.: A generic attack on lattice-based schemes using decryption errors with application to ss-ntru-pke. Cryptology ePrint Archive, Report 2019/043 (2019). https://eprint.iacr.org/2019/043

  19. Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S.D., Moriai, S. (eds.) Advances in Cryptology – ASIACRYPT 2019. LNCS, vol. 11921. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4

  20. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography – TCC 2017. LNCS, vol. 10677. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  21. Jaulmes, É., Joux, A.: A chosen-ciphertext attack against NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_2

  22. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75, 565–599 (2015). https://doi.org/10.1007/s10623-014-9938-4

  23. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: ASIACRYPT 2009 (2009)

  24. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  25. Naehrig, M., et al.: Technical report, NIST (2017)

  26. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005. ACM (2005)

  27. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  28. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) Theory of Cryptography – TCC 2016. LNCS, vol. 9986. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

Author information

Corresponding author: Jan-Pieter D’Anvers.

Copyright information

© 2022 International Association for Cryptologic Research

Cite this paper

D’Anvers, J.-P., Batsleer, S. (2022). Multitarget Decryption Failure Attacks and Their Application to Saber and Kyber. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science, vol. 13177. Springer, Cham. https://doi.org/10.1007/978-3-030-97121-2_1

  • DOI: https://doi.org/10.1007/978-3-030-97121-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97120-5

  • Online ISBN: 978-3-030-97121-2