Abstract
Many lattice-based encryption schemes are subject to a very small probability of decryption failures. It has been shown that an adversary can efficiently recover the secret key using a number of ciphertexts that cause such a decryption failure. In PKC 2019, D’Anvers et al. introduced ‘failure boosting’, a technique to speed up the search for decryption failures. In this work we first improve the state-of-the-art multitarget failure boosting attacks. We then improve the cost calculation of failure boosting and extend the applicability of these calculations to permit cost calculations of real-world schemes. Using our newly developed methodologies we determine the multitarget decryption failure attack cost for all parameter sets of Saber and Kyber, showing, among other results, that the quantum security of Saber can theoretically be reduced from 172 bits to 145 bits in specific circumstances. We then discuss the applicability of decryption failure attacks in real-world scenarios, showing that such an attack might not be practical to execute.
Notes
1. Saber has slightly different rounding methods, but this does not impact our study as the failure condition remains the same.
2. Guo et al. [18] have used the terminology (‘weak keys’) in their attack, but this refers to public keys that are vulnerable against specific types of ciphertexts.
References
Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: SCN 2018. LNCS (2018)
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (eds.) Topics in Cryptology. LNCS, vol. 8366. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Basso, A., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.P. (eds.) Post-Quantum Cryptography. PQCrypto 2020. LNCS, vol. 12100. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12
Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. IACR ePrint, 634 (2020)
Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: CRYPTO 2020, Part II, LNCS (2020)
D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) Progress in Cryptology. LNCS, vol. 10831. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16
D’Anvers, J.-P., Rossi, M., Virdia, F.: (One) Failure is not an option: bootstrapping the search for failures in lattice-based encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) Advances in Cryptology. LNCS, vol. 12107. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_1
D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089
D’Anvers, J.-P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on ring/mod-LWE/LWR based schemes. In: Post-Quantum Cryptography - 10th International Conference, PQCrypto 2019 (2019)
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. (1) (2013)
Gentry, C., Boneh, D.: A fully homomorphic encryption scheme. Stanford University (2009)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008. ACM (2008)
Guo, Q., Johansson, T., Nilsson, A.: A generic attack on lattice-based schemes using decryption errors with application to ss-ntru-pke. Cryptology ePrint Archive, Report 2019/043 (2019). https://eprint.iacr.org/2019/043
Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S., Moriai, S. (eds.) Advances in Cryptology. LNCS, vol. 11921. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography. TCC 2017. LNCS, vol. 10677. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Jaulmes, É., Joux, A.: A chosen-ciphertext attack against NTRU. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 20–35. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_2
Langlois, A., Stehle, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75, 565–599 (2015). https://doi.org/10.1007/s10623-014-9938-4
Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoring-based signatures. In: ASIACRYPT (2009)
Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Naehrig, M., et al.: Technical report, NIST (2017)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005. ACM (2005)
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) Theory of Cryptography. TCC 2016. LNCS, vol. 9986. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Copyright information
© 2022 International Association for Cryptologic Research
Cite this paper
D’Anvers, J.-P., Batsleer, S. (2022). Multitarget Decryption Failure Attacks and Their Application to Saber and Kyber. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography – PKC 2022. Lecture Notes in Computer Science, vol. 13177. Springer, Cham. https://doi.org/10.1007/978-3-030-97121-2_1
DOI: https://doi.org/10.1007/978-3-030-97121-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97120-5
Online ISBN: 978-3-030-97121-2