(One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

D’Anvers, Jan-Pieter; Rossi, Mélissa; Virdia, Fernando

doi:10.1007/978-3-030-45727-3_1

Cited by 24 publications

(30 citation statements)

References 37 publications

(50 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Techniques such as failure boosting [9], which increase the failure probability of ciphertexts and which have been applied to encryption schemes based on the learning with errors problem, might reduce the number of required decryption queries. Moreover, recent results [11] for these schemes show that information about previous failures can be used to bootstrap the search for new failures. We did not investigate if these techniques are applicable to Mersenne prime schemes.…”

Section: Resultsmentioning

confidence: 99%

“…These attacks are countered by schemes that obtain IND-CCA security using an appropriate transformation. D'Anvers et al [9] provided a technique to increase the failure probability and subsequently recover the secret key of IND-CCA secure LWE based schemes, a technique which was extended in subsequent works [12] [17] [11]. Guo, Johansson and Stankovski [16] provided a similar attack on IND-CCA secure code based schemes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting Decryption Failures in Mersenne Number Cryptosystems

Tiepelt

D’Anvers

2020

Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography

View full text Add to dashboard Cite

Mersenne number schemes are a new strain of potentially quantumsafe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two Mersenne number based schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly. In this work we show that the information leaked from failing ciphertexts can be used to gain information about the secret key. We present an attack exploiting this information to break the IND-CCA security of Ramstake. First, we introduce an estimator for the bits of the secret key using decryption failures. Then, our estimates can be used to apply the Slice-and-Dice attack due to Beunardeau et al. at significantly reduced complexity to recover the full secret. We implemented our attack on a simplified version of the code submitted to the NIST competition. Our attack is able to extract a good estimate of the secrets using 2 12 decryption failures, corresponding to 2 74 failing ciphertexts in the original scheme. Subsequently the exact secrets can be extracted in (2 46) quantum computational steps. CCS CONCEPTS • Security and privacy → Cryptanalysis and other attacks.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Exploiting Decryption Failures in Mersenne Number Cryptosystems

Tiepelt

D’Anvers

2020

Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography

View full text Add to dashboard Cite

show abstract

“…Therefore the attack remains completely unpractical. We refer to [ABD + 21] for a discussion on the more recent attacks based on decryption failure [BS20,DRV20]; their overall running time for Kyber are no better than the above attack. In particular, the multi-target attack considered in [DGJ + 19] is prevented in Kyber by hashing the public key pk into r and e 1 .…”

Section: Security Impact For Ring-lwe Ind-cca Encryptionmentioning

confidence: 99%

High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption

Coron

Gérard

Montoya

et al. 2022

TCHES

View full text Add to dashboard Cite

Masking is the main countermeasure against side-channel attacks on embedded devices. For cryptographic algorithms that combine Boolean and arithmetic masking, one must therefore convert between the two types of masking, without leaking additional information to the attacker. In this paper we describe a new high-order conversion algorithm between Boolean and arithmetic masking, based on table recomputation, and provably secure in the ISW probing model. We show that our technique is particularly efficient for masking structured LWE encryption schemes such as Kyber and Saber. In particular, for Kyber IND-CPA decryption, we obtain an order of magnitude improvement compared to existing techniques.

show abstract

“…Once a decryption failure occurs, the corresponding ciphertext would leak a little bit information of the secret. Therefore, a CCA attacker is able to exploit the leakage in the failing ciphertexts and mount more efficient attacks [26,76,77,144,145]. To prevent such attacks, lattice-based KEMs usually set the decryption failure probability sufficiently low even zero by using larger parameters.…”

Section: Decryption Failure Attacksmentioning

confidence: 99%

Lattice‐based cryptosystems in standardisation processes: A survey

Wang

Xiao

2022

IET Information Security

View full text Add to dashboard Cite

The current widely used public‐key cryptosystems are vulnerable to quantum attacks. To prepare for cybersecurity in the quantum era, some projects have been launched to call for post‐quantum alternatives. Due to solid security and desirable performance, lattice‐based cryptosystems are viewed as promising candidates in the upcoming standardisation of post‐quantum cryptography. This study surveys the lattice‐based cryptosystems in the post‐quantum standardisation processes including the NIST Post‐Quantum Cryptography Standardisation and the Chinese Cryptographic Algorithm Design Competition, from both design and security aspects. We present generic design paradigms of lattice‐based schemes and describe several representative proposals and recent progress. We also recap some main cryptanalytic results and methods for estimating the concrete security of lattice‐based schemes.

show abstract

(One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

Cited by 24 publications

References 37 publications

Exploiting Decryption Failures in Mersenne Number Cryptosystems

Exploiting Decryption Failures in Mersenne Number Cryptosystems

High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption

Lattice‐based cryptosystems in standardisation processes: A survey

Contact Info

Product

Resources

About