Security of Two NIST Candidates in the Presence of Randomness Reuse

Abstract

The National Institute of Standards and Technology (NIST) is working on the standardization of post-quantum algorithms. In February 2019, NIST announced 26 candidate post-quantum cryptosystems, including NewHope and LAC, had entered the second round. In order to investigate the resilience of various candidate algorithms in key reuse situations, a series of work has been carried out.

In fact, randomness also has the risk of reuse, and in the real word random number generators (RNGs) frequently fail and produce bad randomness. In this work, we assess the resilience of candidate NewHope-CPA-KEM and LAC.KE in randomness reuse situations. In particular, we propose a method, which can recover the reused randomness after several communications. NewHope-CPA-KEM and LAC.KE are based on NewHope-CPA-PKE and LAC.CPA, respectively. The key to our method is that they share a common feature: if public key satisfies certain conditions, the ciphertext will reveal information about the randomness of encryption. The recovered randomness can be used to attack another session where the same randomness is used.

Appendix A

1.1 A.1 The Proof of Corollary 1

Proof

According to Theorem 1, when \(B < q/4D -1\), we have that \(V_i \in (-\frac{q}{4},\frac{q}{4})\) reveals \(Y_i = 0\), and \(V_i \in ((-\frac{q}{2},-\frac{q}{4}) \cup (\frac{q}{4},\frac{q}{2}))\) reveals \(Y_i = \lfloor \frac{q}{2}\rfloor \). Considering the function Compress performs coefficient-wise modulus switching between modulus q and modulus p, we have that \(\textsf {Compress}(V)_i \in (-\frac{p}{4},\frac{p}{4})\) reveals \(Y_i = 0\), and \(\textsf {Compress}(V)_i \in ((-\frac{p}{2},-\frac{p}{4}) \cup (\frac{p}{4},\frac{p}{2}))\) reveals \(Y_i = \lfloor \frac{q}{2}\rfloor \).

Further, if B satisfies \(p(8B-D)/q>1\) and \(p(7B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) will reveal \(t_i = 8\) and \(-8\), respectively; if \(p(7B-D)/q>1\) and \(p(6B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) will reveal \(t_i\) is in \(\{8, 7\}\) and \(\{-8, -7\}\), respectively; if \(p(6B-D)/q>1\) and \(p(5B+D)/q<1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) will reveal \(t_i\) is in \(\{8, 7, 6\}\) and \(\{-8, -7, -6\}\), respectively; ...; if \(p(B-D)/q>1\), then \(\textsf {Compress}(V)_i = 1\) and \(-1\) will reveal \(t_i\) is in \(\{8, 7,..., 1\}\) and \(\{-8, -7,..., -1\}\), respectively.   \(\Box \)

1.2 A.2 The Proof of Corollary 2

Proof

Given that \(t_i, f_i \in \{-1,0,1\},Y_i \in \{0, 126\}\), \(V_i\) has at most 18 possible values when B is an integer in \(\mathbb {Z}_q\). In particular, each possible value corresponds to a set of values \(t_i\), \(f_i\) and \(Y_i\). After discarding the lower 4 bits of \(V_i\), adjacent integers in V are converted to the same integer in \(\overline{V}\), which makes it difficult to recover the value of \(f_i\) from \(\overline{V}_i\). However, if the public key \(B \in \mathbb {Z}_q\) is chosen so that the coefficient \(\overline{V}_i\) has at least 6 possibilities, \(\overline{V}_i\) can reveal the values of \(t_i\) and \(Y_i\). For example, if \(B = 175\), then \(\overline{V}_i = 4\) will reveal \(t_i = -1\) and \(Y_i=0\); \(\overline{V}_i = 12\) will reveal \(t_i = -1\) and \(Y_i=126\);..., as shown in Table 2.    \(\Box \)

Table 2. The values of \(t_i\) and \(Y_i\) revealed by \(\overline{V}_i\) when \(B=175\)