A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

Qian Guo; Thomas Johansson; Alexander Nilsson

A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

Qian Guo, Thomas Johansson, Alexander Nilsson

Research output: Working paper/Preprint › Preprint (in preprint archive)

Abstract

Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase where
special messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on one
NIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.

Original language	English
Publication status	Published - 2019 Jan 18

Subject classification (UKÄ)

Computational Mathematics

Access to Document

https://eprint.iacr.org/2019/043Licence: CC BY

Side channels on software implementations of post-quantum cryptographic algorithms
Nilsson, A., Johansson, T. & Stankovski Wagner, P.
2017/09/01 → 2023/12/31
Project: Dissertation

Cite this

@techreport{a448fb8c873a40809fa9687015fc93f7,

title = "A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke",

abstract = "Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase wherespecial messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on oneNIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.",

author = "Qian Guo and Thomas Johansson and Alexander Nilsson",

year = "2019",

month = jan,

day = "18",

language = "English",

type = "WorkingPaper",

}

TY - UNPB

T1 - A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

AU - Guo, Qian

AU - Johansson, Thomas

AU - Nilsson, Alexander

PY - 2019/1/18

Y1 - 2019/1/18

N2 - Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase wherespecial messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on oneNIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.

AB - Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase wherespecial messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on oneNIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.

M3 - Preprint (in preprint archive)

BT - A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

ER -

A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

Abstract

Subject classification (UKÄ)

Access to Document

Fingerprint

Projects

Side channels on software implementations of post-quantum cryptographic algorithms

Cite this