HILA5 Pindakaas: On the CCA Security of Lattice-Based Encryption with Error Correction

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)


We show that the NISTPQC submission HILA5 is not secure against chosen-ciphertext attacks. Specifically, we demonstrate a key-recovery attack on HILA5 using an active attack on reused keys. The attack works around the error correction in HILA5. The attack applies to the HILA5 key-encapsulation mechanism (KEM), and also to the public-key encryption mechanism (PKE) obtained by NIST’s procedure for combining the KEM with authenticated encryption. This contradicts the most natural interpretation of the IND-CCA security claim for HILA5.


Keywords: Post-quantum cryptography, KEM, RLWE, Reaction attack



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
