Analysis of Two Countermeasures Against the Signal Leakage Attack

  • Ke Wang
  • Haodong Jiang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11627)


In 2017, a practical attack against reconciliation-based RLWE key exchange protocols, referred to as the signal leakage attack, was proposed. In particular, this attack recovers a party's long-term private key when that key pair is reused across sessions.

Directly motivated by this attack, Ding et al. recently proposed two countermeasures. One is the RLWE key exchange protocol with reusable keys (KERK), which is included in Ding Key Exchange, a NIST submission; the other is the practical randomized RLWE key exchange (PRKE) (TOC’18). Meanwhile, there exists another key reuse attack on RLWE key exchange (ACISP’18 and Africacrypt’18), called the key mismatch attack.

In this paper, we find that KERK and PRKE are vulnerable to the key mismatch attack. In particular, we propose a simpler key mismatch attack and apply it to KERK and PRKE, respectively. In fact, the key mismatch attack shares the same idea as the signal leakage attack: one of the communicating parties chooses an RLWE sample with a special structure as his/her public key. To resist the key mismatch attack, we extend KERK and give an improved version in which either party can construct a new “public key” of the other party. We also extend PRKE by further increasing its randomization. Finally, a comparison shows that the improved PRKE is the more practical of the two.
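The attack idea the abstract refers to, a malicious initiator choosing a public key with a special structure against a responder who reuses his key pair, as an added toy example. This is not the paper's attack or its code, and it is not Ding Key Exchange; it assumes a DXL-style protocol in which the responder returns the signal (hint) bits of k_B = p_A·s_B + 2g_B, with the signal equal to 0 on [-⌊q/4⌋, ⌊q/4⌋] and 1 elsewhere. The parameters (n = 8, q = 1021, uniform secrets in [-2, 2] and errors in [-1, 1]), the fixed seed, the run-length threshold MIN_RUN = 16 used to absorb the error term, and the sign-recovery step that compares each coefficient against one reference coefficient with p_A = k(1 + x^d) are all this example's own choices, not values or steps from the cited attacks.

```python
"""Toy signal-leakage attack on a DXL-style RLWE key exchange whose responder
reuses his key pair.  Added example with constructed parameters; it is not the
paper's attack or code.  Ring: Z_Q[x]/(x^N + 1)."""
import random

N, Q = 8, 1021            # deliberately tiny; Q prime so k*s mod Q cycles cleanly
Q4 = Q // 4               # signal is 0 on the inner region [-Q4, Q4], else 1
MIN_RUN = 16              # assumption: runs shorter than this are noise jitter
rng = random.Random(7)    # fixed seed: reproducible constructed instance

def center(v):
    """Representative of v mod Q in [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v

def poly_mul(f, g):
    """Schoolbook product in Z_Q[x]/(x^N + 1) (x^N = -1)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] = (out[i + j] + fi * gj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - fi * gj) % Q
    return out

def small(bound):
    """Toy small polynomial: coefficients uniform in [-bound, bound]."""
    return [rng.randint(-bound, bound) for _ in range(N)]

def sig(v):
    """Signal (hint) bit of a centered coefficient."""
    return 0 if -Q4 <= v <= Q4 else 1

# --- Bob: long-term key pair, reused in every session (constructed instance) ---
A = [rng.randrange(Q) for _ in range(N)]                      # public ring element
S_B = small(2)                                                # secret, coefficients in [-2, 2]
P_B = [(x + 2 * e) % Q for x, e in zip(poly_mul(A, S_B), small(1))]

def bob_signal(p_a):
    """Responder oracle: k_B = p_a * S_B + 2 g_B with fresh g_B, same S_B.
    Only the signal vector w = Sig(k_B) is returned to the initiator."""
    k_b = [(x + 2 * g) % Q for x, g in zip(poly_mul(p_a, S_B), small(1))]
    return [sig(center(v)) for v in k_b]

# --- Attacker (malicious initiator) ------------------------------------------
def count_flips(bits):
    """Count 0<->1 transitions, ignoring runs shorter than MIN_RUN: the error
    2 g_B (|2 g_B| <= 2) only jitters the bit within a few k of a boundary."""
    state, flips, i = bits[0], 0, 0
    while i < len(bits):
        if bits[i] == state:
            i += 1
            continue
        j = i
        while j < len(bits) and bits[j] != state:
            j += 1
        if j - i >= MIN_RUN:
            flips += 1
            state = 1 - state
        i = j
    return flips

def scan_abs(shape):
    """Send p_A = k * shape for k = 0..Q-1.  Coefficient i of k_B is
    k * c_i + 2 g where c = shape * S_B, so its signal bit flips 2|c_i| times."""
    cols = zip(*[bob_signal([(k * c) % Q for c in shape]) for k in range(Q)])
    return [count_flips(list(col)) // 2 for col in cols]

def recover_secret():
    """Recover S_B from signal bits alone: |s_i| via p_A = k, then the sign of
    s_i relative to a reference s_r via p_A = k (1 + x^d) (our simplification)."""
    mag = scan_abs([1] + [0] * (N - 1))
    if not any(mag):
        return [0] * N
    r = max(range(N), key=lambda i: mag[i])   # reference index, s_r != 0
    s = [0] * N
    s[r] = mag[r]                             # assume s_r > 0; fixed up below
    for i in range(N):
        if i == r or mag[i] == 0:
            continue
        d = (i - r) % N
        shape = [0] * N
        shape[0], shape[d] = 1, 1             # (1 + x^d) * S_B has s_i + sigma*s_r at index i
        sigma = 1 if i >= r else -1           # sigma = -1 when x^d wraps past x^N = -1
        t = scan_abs(shape)[i]                # |s_i + sigma * s_r|
        same_sign = t == mag[i] + mag[r]      # otherwise t == | |s_i| - |s_r| |
        s[i] = sigma * mag[i] if same_sign else -sigma * mag[i]
    # Global sign: P_B - A * S_B = 2 e_B is small; with the wrong sign it is not.
    for cand in (s, [-x for x in s]):
        diff = [center(p - x) for p, x in zip(P_B, poly_mul(A, cand))]
        if all(abs(v) <= 2 for v in diff):
            return cand
    return None

if __name__ == "__main__":
    print("recovered:", recover_secret(), "true:", S_B)
```

The point of the demo is that nothing but the hint bits and Bob's willingness to reuse s_B is needed: with p_A = k the i-th coefficient of k_B is k·s_i plus a small error, so as k sweeps Z_q the hint bit of that coefficient crosses the region boundary exactly 2|s_i| times, and a second family of structured p_A fixes the signs. The toy spends q queries per scan and n scans in total; the cited attacks are more economical, but the failure mode is the same. It also shows why the countermeasure sketched in the abstract targets the attacker's control over p_A: if the responder can reconstruct or re-randomize the peer's "public key" before using it, p_A no longer has the structure the sweep relies on.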


Keywords: RLWE, Key exchange, Post-quantum, Key reuse, Key mismatch, Active attacks, Countermeasures



This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61802376).


References

1. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
2. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science 1994, pp. 124–134. IEEE (1994)
3. National Institute of Standards and Technology: Round 1 Submissions (2017)
4. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)
5. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, Report 2012/688 (2012)
6. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014)
7. Bos, J.W., Costello, C., Naehrig, M., et al.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 553–570. IEEE (2015)
8. Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015)
9. Alkim, E., Ducas, L., Pöppelmann, T., et al.: Post-quantum key exchange: a new hope. In: USENIX Security Symposium 2016 (2016)
10. Bos, J., Costello, C., Ducas, L., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018. ACM (2016)
11. Alkim, E., Ducas, L., Pöppelmann, T., et al.: NewHope without reconciliation. IACR Cryptology ePrint Archive, Report 2016/1157 (2016)
12. Ding, J., Alsayigh, S., Lancrenon, J., Saraswathy, R.V., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 183–204. Springer, Cham (2017)
13. Ding, J., Alsayigh, S., Saraswathy, R.V., et al.: Leakage of signal function with reused keys in RLWE key exchange. In: 2017 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2017)
14. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018)
15. Gao, X., Ding, J., Li, L., et al.: Practical randomized RLWE-based key exchange against signal leakage attack. IEEE Trans. Comput. (2018)
16. Kirkwood, D., Lackey, B.C., McVey, J., et al.: Failure is not an option: standardization issues for post-quantum key agreement. Talk at NIST Workshop on Cybersecurity in a Post-Quantum World (2015)
17. Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, Report 2016/85 (2016)
18. Bernstein, D.J., Groot Bruinderink, L., Lange, T., Panny, L.: HILA5 pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018)
19. Ding, J., Fluhrer, S., Saraswathy, R.V.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018)
20. Gao, X., Ding, J., Liu, J., Li, L.: Post-quantum secure remote password protocol from RLWE problem. In: Chen, X., Lin, D., Yung, M. (eds.) Inscrypt 2017. LNCS, vol. 10726, pp. 99–116. Springer, Cham (2018)
21. Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)
22. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 13 (2014)
23. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
24. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)
25. Gao, X., Ding, J., Li, L., et al.: Efficient implementation of password-based authenticated key exchange from RLWE and post-quantum TLS. IACR Cryptology ePrint Archive, Report 2017/1192 (2017)
26. Saarinen, M.-J.O.: HILA5: on reliability, reconciliation, and error correction for ring-LWE encryption. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 192–212. Springer, Cham (2018)
27. Ding, J., Saraswathy, R.V., Alsayigh, S., et al.: How to validate the secret of a Ring Learning with Errors (RLWE) key. IACR Cryptology ePrint Archive, Report 2018/81 (2018)
28. D’Anvers, J.P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. IACR Cryptology ePrint Archive, Report 2018/1089 (2018)
29. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
30. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. IACR Cryptology ePrint Archive, Report 2019/075 (2019)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. TCA Laboratory, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
  2. University of Chinese Academy of Sciences, Beijing, China
  3. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China
