A Key Recovery Reaction Attack on QC-MDPC

Guo, Qian; Johansson, Thomas; Wagner, Paul Stankovski

doi:10.1109/tit.2018.2877458

Cited by 16 publications

(9 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We list the basic key reconstruction algorithm from [GJS16] in Algorithm 13 for completeness. The advanced version that is capable of recovering keys from distance spectrum with errors is proposed in [GJW19].…”

Section: The Gjs Attackmentioning

confidence: 99%

“…7. The secret key can be recovered via the reconstruction method in [GJS16] or the improved reconstruction method in its extended version [GJW19] that can handle errors in the recovered distance spectrum.…”

Section: Determine If M ?mentioning

confidence: 99%

“…The reason is that after quite few steps, the wrong guesses will be rejected with high probability and only the correct guess path will continue. One could balance the costs of building the distance spectrum and recovering the secret key, as done in [GJW19], by allowing errors in the recovered distance spectrum. As our aim is to demonstrate the new attack method, for simplicity, we leave this optimization trick for future works.…”

Section: Empirical Evaluation Of the Attack On Bikementioning

confidence: 99%

See 2 more Smart Citations

Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

Guo

Hlauschek

Johansson

et al. 2022

TCHES

View full text Add to dashboard Cite

Well before large-scale quantum computers will be available, traditional cryptosystems must be transitioned to post-quantum (PQ) secure schemes. The NIST PQC competition aims to standardize suitable cryptographic schemes. Candidates are evaluated not only on their formal security strengths, but are also judged based on the security with regard to resistance against side-channel attacks. Although round 3 candidates have already been intensively vetted with regard to such attacks, one important attack vector has hitherto been missed: PQ schemes often rely on rejection sampling techniques to obtain pseudorandomness from a specific distribution. In this paper, we reveal that rejection sampling routines that are seeded with secretdependent information and leak timing information result in practical key recovery attacks in the code-based key encapsulation mechanisms HQC and BIKE.Both HQC and BIKE have been selected as alternate candidates in the third round of the NIST competition, which puts them on track for getting standardized separately o the finalists. They have already been specifically hardened with constant-time decoders to avoid side-channel attacks. However, in this paper, we show novel timing vulnerabilities in both schemes: (1) Our secret key recovery attack on HQC requiresonly approx. 866,000 idealized decapsulation timing oracle queries in the 128-bit security setting. It is structurally different from previously identified attacks on the scheme: Previously, exploitable side-channel leakages have been identified in the BCH decoder of a previously submitted HQC version, in the ciphertext check as well as in the pseudorandom function of the Fujisaki-Okamoto transformation. In contrast, our attack uses the fact that the rejection sampling routine invoked during the deterministic re-encryption of the decapsulation leaks secret-dependent timing information, which can be efficiently exploited to recover the secret key when HQC is instantiated with the (now constant-time) BCH decoder, as well as with the RMRS decoder of the current submission. (2) From the timing information of the constant weight word sampler in the BIKE decapsulation, we demonstrate how to distinguish whether the decoding step is successful or not, and how this distinguisher is then used in the framework of the GJS attack to derive the distance spectrum of the secret key, using 5.8 x 107 idealized timing oracle queries. We provide details and analyses of the fully implemented attacks, as well as a discussion on possible countermeasures and their limits.

show abstract

Section: The Gjs Attackmentioning

confidence: 99%

Section: Determine If M ?mentioning

confidence: 99%

Section: Empirical Evaluation Of the Attack On Bikementioning

confidence: 99%

See 1 more Smart Citation

Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

Guo

Hlauschek

Johansson

et al. 2022

TCHES

View full text Add to dashboard Cite

show abstract

“…In fact, whenever an attacker may gain access to a decryption oracle to which he may pose a large amount of queries, the so-called reaction attack becomes applicable. Reaction attacks recover the secret key by exploiting the inherent non-zero DFR of QC-LDPC codes [9,10,17]. In particular, these attacks exploit the correlation between the DFR of the code, the positions of the parity checks in the private matrix, and the erroneous positions in the error vector.…”

Section: Reaction Attacksmentioning

confidence: 99%

“…Therefore, in the loop body the value of m is assumed asd v dv(line 13) and subsequently checked to derive the mentioned partition in n 0 integers. The loop (lines 11-15) ends when either a valid partition of m is found or m turns out to be smaller than the number of blocks n 0 (as finding a partition in this case would be not possible increasing only the value of d v ).Algorithm 3 proceeds to test for the security of the cryptosystem against key recovery attacks and key enumeration attacks on both classical and quantum computers (lines[16][17][18]. If a legitimate value for m has not been found, the current parameters of the cryptoystem are deemed insecure (line 20).…”

mentioning

confidence: 99%

LEDAcrypt: QC-LDPC Code-Based Cryptosystems with Bounded Decryption Failure Rate

Baldi

Barenghi

Chiaraluce

et al. 2019

Code-Based Cryptography

View full text Add to dashboard Cite

We consider the QC-LDPC code-based cryptosystems named LEDAcrypt, which are under consideration by NIST for the second round of the post-quantum cryptography standardization initiative. LEDAcrypt is the result of the merger of the key encapsulation mechanism LEDAkem and the public-key cryptosystem LEDApkc, which were submitted to the first round of the same competition. We provide a detailed quantification of the quantum and classical computational efforts needed to foil the cryptographic guarantees of these systems. To this end, we take into account the best known attacks that can be mounted against them employing both classical and quantum computers, and compare their computational complexities with the ones required to break AES, coherently with the NIST requirements. Assuming the original LEDAkem and LEDApkc parameters as a reference, we introduce an algorithmic optimization procedure to design new sets of parameters for LEDAcrypt. These novel sets match the security levels in the NIST call and make the C99 reference implementation of the systems exhibit significantly improved figures of merit, in terms of both running times and key sizes. As a further contribution, we develop a theoretical characterization of the decryption failure rate (DFR) of LEDAcrypt cryptosystems, which allows new instances of the systems with guaranteed low DFR to be designed. Such a characterization is crucial to withstand recent attacks exploiting the reactions of the legitimate recipient upon decrypting multiple ciphertexts with the same private key, and consequentially it is able to ensure a lifecycle of the corresponding key pairs which can be sufficient for the wide majority of practical purposes.

show abstract

A Novel CCA Attack Using Decryption Errors Against LAC

Guo

Johansson

Yang

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Cryptosystems based on Learning with Errors or related problems are central topics in recent cryptographic research. One main witness to this is the NIST Post-Quantum Cryptography Standardization effort. Many submitted proposals rely on problems related to Learning with Errors. Such schemes often include the possibility of decryption errors with some very small probability. Some of them have a somewhat larger error probability in each coordinate, but use an error correcting code to get rid of errors. In this paper we propose and discuss an attack for secret key recovery based on generating decryption errors, for schemes using error correcting codes. In particular we show an attack on the scheme LAC, a proposal to the NIST Post-Quantum Cryptography Standardization that has advanced to round 2.In a standard setting with CCA security, the attack first consists of a precomputation of special messages and their corresponding error vectors. This set of messages are submitted for decryption and a few decryption errors are observed. In a statistical analysis step, these vectors causing the decryption errors are processed and the result reveals the secret key. The attack only works for a fraction of the secret keys. To be specific, regarding LAC256, the version for achieving the 256-bit classical security level, we recover one key among approximately 2 64 public keys with complexity 2 79 , if the precomputation cost of 2 162 is excluded. We also show the possibility to attack a more probable key (say with probability 2 −16 ). This attack is verified via extensive simulation.We further apply this attack to LAC256-v2, a new version of LAC256 in round 2 of the NIST PQ-project and obtain a multi-target attack with slightly increased precomputation complexity (from 2 162 to 2 171 ). One can also explain this attack in the single-key setting as an attack with precomputation complexity of 2 171 and success probability of 2 −64 .

show abstract

A Key Recovery Reaction Attack on QC-MDPC

Cited by 16 publications

References 24 publications

Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

LEDAcrypt: QC-LDPC Code-Based Cryptosystems with Bounded Decryption Failure Rate

A Novel CCA Attack Using Decryption Errors Against LAC

Contact Info

Product

Resources

About