Misuse Attacks on Post-quantum Cryptosystems

Băetu, Ciprian; Durak, F. Betül; Huguenin-Dumittan, Loïs; Talayhan, Abdullah; Vaudenay, Serge

doi:10.1007/978-3-030-17656-3_26

Cited by 24 publications

(12 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some lattice-based KEM of the NIST competition were analysed in the key reused context using a key mismatch oracle. In [3], Baetu et al proposed a generic attack for several algorithms using the same structure called meta-algorithm. However, most of the algorithms attacked in [3] did not pass the rst round of the submission, except Frodo-640 and NewHope512.…”

Section: Previous Workmentioning

confidence: 99%

“…In [3], Baetu et al proposed a generic attack for several algorithms using the same structure called meta-algorithm. However, most of the algorithms attacked in [3] did not pass the rst round of the submission, except Frodo-640 and NewHope512. However in [10], Huguenin-Dumittan et al pursue the work of generic attack for round 2 candidates.…”

Section: Previous Workmentioning

confidence: 99%

See 1 more Smart Citation

Attack on LAC Key Exchange in Misuse Situation

Greuet¹,

Montoya

Renault

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Section: Previous Workmentioning

confidence: 99%

Section: Previous Workmentioning

confidence: 99%

Attack on LAC Key Exchange in Misuse Situation

Greuet¹,

Montoya

Renault

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

“…By computing the expectation and variance of the error term, we can recover the full key with fewer oracle queries. Compared with the work of B

etu et al [ 22 ], our algorithm can reduce the number of oracle calls to 1 and meanwhile keep the same success probability as the AJOP-based quantum KR-CCA algorithm; see Table 1 .…”

Section: Introductionmentioning

confidence: 98%

“…In 2019, Alagic et al gave a quantum algorithm for learning rounding function and showed that this algorithm can recover the key of an IND-CPA-secure LWE-based encryption scheme with constant success probability [ 21 ]. At EUROCRYPT 2019, B

etu et al analyzed the security of meta-cryptosystems under key reuse by mounting a quantum key recovery under the chosen-ciphertext attacks [ 22 ].…”

Section: Introductionmentioning

confidence: 99%

Quantum Misuse Attack on Frodo

Wang¹,

Jiang²,

Ma³

2022

Entropy

View full text Add to dashboard Cite

Research on the security of lattice-based public-key encryption schemes against misuse attacks is an important part of the cryptographic assessment of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standardization process. In particular, many NIST-PQC cryptosystems follow the same meta-cryptosystem. At EUROCRYPT 2019, Ba˘etu et al. mounted a classical key recovery under plaintext checking attacks (KR-PCA) and a quantum key recovery under chosen ciphertext attacks (KR-CCA). They analyzed the security of the weak version of nine submissions to NIST. In this paper, we focus on learning with error (LWE)-based FrodoPKE, whose IND-CPA security is tightly related to the hardness of plain LWE problems. We first review the meta-cryptosystem and quantum algorithm for solving quantum LWE problems. Then, we consider the case where the noise follows a discrete Gaussian distribution and recompute the success probability for quantum LWE by using Hoeffding bound. Finally, we give a quantum key recovery algorithm based on LWE under CCA attack and analyze the security of Frodo. Compared with the existing work of Ba˘etu et al., our method reduces the number of queries from 22 to 1 with the same success probability.

show abstract

“…A similar attack on Ring-LWE based schemes was later presented by Fluhrer [22] and extended by Bȃetu et. al [5].…”

Section: Introductionmentioning

confidence: 98%

(One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

D’Anvers

Rossi

Virdia

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large number, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the "failure boosting" technique of D'Anvers et al. in PKC 2019, we propose an approach that we call "directional failure boosting" that uses previously found "failing ciphertexts" to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by X N + 1 and demonstrate it on a simple Mod-LWE-based scheme parametrizedà la Kyber768/Saber. We show that for a given secret key (single-target setting), the cost of searching for additional failing ciphertexts after one or more have already been found, can be sped up dramatically. We thus demonstrate that, in this single-target model, these schemes should be designed so that it is hard to even obtain one decryption failure. Besides, in a wider security model where there are many target secret keys (multi-target setting), our attack greatly improves over the state of the art.

show abstract

Misuse Attacks on Post-quantum Cryptosystems

Cited by 24 publications

References 19 publications

Attack on LAC Key Exchange in Misuse Situation

Attack on LAC Key Exchange in Misuse Situation

Quantum Misuse Attack on Frodo

(One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

Contact Info

Product

Resources

About