Abstract
The National Institute of Standards and Technology (NIST) is working on the standardization of post-quantum algorithms. In February 2019, NIST announced that 26 candidate post-quantum cryptosystems, including NewHope and LAC, had entered the second round. In order to investigate the resilience of the various candidate algorithms in key reuse situations, a series of works has been carried out.
In fact, randomness also carries a risk of reuse, and in the real world random number generators (RNGs) frequently fail and produce bad randomness. In this work, we assess the resilience of the candidates NewHope-CPA-KEM and LAC.KE in randomness reuse situations. In particular, we propose a method that can recover the reused randomness after several communications. NewHope-CPA-KEM and LAC.KE are based on NewHope-CPA-PKE and LAC.CPA, respectively. The key to our method is that they share a common feature: if the public key satisfies certain conditions, the ciphertext reveals information about the randomness used for encryption. The recovered randomness can then be used to attack another session in which the same randomness is used.
Notes
- 1.
- 2.
In Sect. 5, we define a reused randomness recovery game and simulate communication by querying the game.
- 3.
In order to reduce the bandwidth, the public key \(\textsf {pk}\) usually contains only a seed \(\textsf {seed}_\mathbf{a} \), and \(\mathbf{a}\) is then generated from it through an expansion algorithm.
- 4.
NewHope recommends 2 parameter sets and they adopt different coding methods.
- 5.
For ease of understanding and explanation, we consider the modular reductions in \([-\lfloor \frac{q}{2}\rfloor ,\lfloor \frac{q}{2}\rfloor ]\), which corresponds one-to-one to \([0,q-1]\). In particular, \(r'=r \ \text {mod}^{\pm } q\) is the unique element in the range \([-\lfloor \frac{q}{2}\rfloor ,\lfloor \frac{q}{2}\rfloor ]\) such that \(r'=r \ \text {mod} \ q\).
- 6.
If the lower 4 bits for each coefficient in V aren’t discarded, V will reveal t, f, Y completely.
- 7.
- 8.
We consider that \(\mathbf{e} , \mathbf{f} \) are also reused. In fact, whether they are reused or not does not affect our analysis.
Acknowledgements
This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61802376).
Appendix A
A.1 The Proof of Corollary 1
Proof
According to Theorem 1, when \(B < q/4D -1\), \(V_i \in (-\frac{q}{4},\frac{q}{4})\) reveals \(Y_i = 0\), and \(V_i \in (-\frac{q}{2},-\frac{q}{4}) \cup (\frac{q}{4},\frac{q}{2})\) reveals \(Y_i = \lfloor \frac{q}{2}\rfloor \). Since the function Compress performs coefficient-wise modulus switching from modulus q to modulus p, it follows that \(\textsf {Compress}(V)_i \in (-\frac{p}{4},\frac{p}{4})\) reveals \(Y_i = 0\), and \(\textsf {Compress}(V)_i \in (-\frac{p}{2},-\frac{p}{4}) \cup (\frac{p}{4},\frac{p}{2})\) reveals \(Y_i = \lfloor \frac{q}{2}\rfloor \).
Further, if B satisfies \(p(8B-D)/q>1\) and \(p(7B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) reveal \(t_i = 8\) and \(t_i = -8\), respectively; if \(p(7B-D)/q>1\) and \(p(6B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) reveal that \(t_i \in \{8, 7\}\) and \(t_i \in \{-8, -7\}\), respectively; if \(p(6B-D)/q>1\) and \(p(5B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) reveal that \(t_i \in \{8, 7, 6\}\) and \(t_i \in \{-8, -7, -6\}\), respectively; ...; if \(p(B-D)/q>1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) reveal that \(t_i \in \{8, 7,\dots, 1\}\) and \(t_i \in \{-8, -7,\dots, -1\}\), respectively. \(\Box \)
A.2 The Proof of Corollary 2
Proof
Given that \(t_i, f_i \in \{-1,0,1\}\) and \(Y_i \in \{0, 126\}\), \(V_i\) has at most 18 possible values when B is an integer in \(\mathbb {Z}_q\). In particular, each possible value corresponds to one combination of \(t_i\), \(f_i\) and \(Y_i\). After discarding the lower 4 bits of \(V_i\), adjacent integers in V are converted to the same integer in \(\overline{V}\), which makes it difficult to recover the value of \(f_i\) from \(\overline{V}_i\). However, if the public key \(B \in \mathbb {Z}_q\) is chosen so that the coefficient \(\overline{V}_i\) has at least 6 possible values, then \(\overline{V}_i\) reveals the values of \(t_i\) and \(Y_i\). For example, if \(B = 175\), then \(\overline{V}_i = 4\) reveals \(t_i = -1\) and \(Y_i=0\), and \(\overline{V}_i = 12\) reveals \(t_i = -1\) and \(Y_i=126\); ..., as shown in Table 2. \(\Box \)
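The following script is an added worked check of the table behind Corollary 2; it is not code from the paper or from the LAC submission. It assumes the per-coefficient model implied by the proof, namely \(V_i = B t_i + f_i + Y_i \bmod q\) with \(q = 251\) (the LAC modulus), \(t_i, f_i \in \{-1,0,1\}\), \(Y_i \in \{0,126\}\), and \(\overline{V}_i\) obtained by representing \(V_i\) in \([0, q-1]\) and dropping its lower 4 bits; under these assumptions it reproduces the values \(\overline{V}_i = 4\) and \(\overline{V}_i = 12\) for \(B = 175\) quoted above. The function names and the enumeration over all \(B \in \mathbb{Z}_q\) are additions for illustration. The practical use is defensive: given a received public-key coefficient B, one can test whether its compressed ciphertext coefficients would determine \((t_i, Y_i)\), i.e. whether the key is of the kind the corollary describes.

```python
# Added example: enumerate the leakage table behind Corollary 2 for a chosen
# public-key coefficient B. Model assumed from the proof text (not the paper's code):
#   V_i = B*t_i + f_i + Y_i mod q, with q = 251, t_i,f_i in {-1,0,1}, Y_i in {0,126},
#   V̄_i = V_i >> 4 with V_i represented in [0, q-1].
from itertools import product

Q = 251                      # LAC modulus, as used in the proof
T_RANGE = (-1, 0, 1)         # possible t_i
F_RANGE = (-1, 0, 1)         # possible f_i
Y_RANGE = (0, 126)           # possible Y_i (message encoding)


def compressed_coefficient(B, t, f, y, q=Q):
    """V̄_i for one combination (t_i, f_i, Y_i): reduce to [0, q-1], drop low 4 bits."""
    v = (B * t + f + y) % q
    return v >> 4


def uncompressed_values(B, q=Q):
    """All distinct V_i values a coefficient can take for this B (at most 18)."""
    return {(B * t + f + y) % q for t, f, y in product(T_RANGE, F_RANGE, Y_RANGE)}


def leakage_table(B, q=Q):
    """Map each V̄_i value to the set of (t_i, Y_i) pairs that can produce it.

    f_i is deliberately projected away: after discarding the lower 4 bits the
    three neighbouring values for f_i in {-1,0,1} usually collapse into one.
    """
    table = {}
    for t, f, y in product(T_RANGE, F_RANGE, Y_RANGE):
        table.setdefault(compressed_coefficient(B, t, f, y, q), set()).add((t, y))
    return table


def reveals_t_and_y(B, q=Q):
    """True iff every observable V̄_i value determines (t_i, Y_i) uniquely for this B."""
    return all(len(pairs) == 1 for pairs in leakage_table(B, q).values())


def leaking_public_key_values(q=Q):
    """All B in Z_q for which V̄_i leaks (t_i, Y_i); a check one can run on a received B."""
    return [B for B in range(q) if reveals_t_and_y(B, q)]


if __name__ == "__main__":
    B = 175                                        # the value used in the proof's example
    for vbar, pairs in sorted(leakage_table(B).items()):
        print(f"B={B}: V̄_i={vbar:2d} -> (t_i, Y_i) in {sorted(pairs)}")
    print("leaks (t_i, Y_i):", reveals_t_and_y(B))
    print("number of leaking B values in Z_q:", len(leaking_public_key_values()))
```

For B = 175 the table has 8 distinct \(\overline{V}_i\) values, each mapping to exactly one \((t_i, Y_i)\) pair, which is the "at least 6 possibilities" condition of the proof; B = 0 is the opposite extreme, where \(\overline{V}_i\) carries no information about \(t_i\) at all.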
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, K., Zhang, Z., Jiang, H. (2020). Security of Two NIST Candidates in the Presence of Randomness Reuse. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science(), vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_20
DOI: https://doi.org/10.1007/978-3-030-62576-4_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62575-7
Online ISBN: 978-3-030-62576-4
eBook Packages: Computer Science (R0)