How Dangerous are Decryption Failures in Lattice-based Encryption?
Jan-Pieter D'Anvers, 20 November 2019
Outline
1 Introduction
2 How to find 1st failure
3 How to find next failure
4 Recovering the secret
5 Conclusion
LWE hard problem
◮ LWE problem
◮ $A \leftarrow U(\mathbb{Z}_q^{n \times n})$
◮ $s, e \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$
◮ $(A,\; b = A \cdot s + e)$
LWE based encryption
Alice: $A \leftarrow U(\mathbb{Z}_q^{n \times n})$, $s, e \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$, $b = A \cdot s + e$
Alice → Bob: $(b, A)$
Bob: $s', e', e'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$, $b' = A^T \cdot s' + e'$, $v' = b^T \cdot s' + e'' + \lfloor q/2 \rceil m$
Bob → Alice: $(b', v')$
Alice: $v = b'^T \cdot s$, $m' = \lfloor (2/q)(v' - v) \rceil$
$m' = \lfloor (2/q)(s^T A^T s' + e^T s' + e'' + \lfloor q/2 \rceil m - s'^T A s - e'^T s) \rceil$
The terms $s^T A^T s'$ and $s'^T A s$ cancel, leaving $m' = \lfloor (2/q)(e^T s' + e'' - e'^T s + \lfloor q/2 \rceil m) \rceil$.
Failures
◮ failure if: $\| e^T s' + e'' - e'^T s \|_\infty \ge q/4$
◮ typically small failure probability $\delta \approx 2^{-128}$
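The scheme and failure condition above, as an added worked example that is not part of the slides: a toy LWE key exchange in pure Python (k = 1, so all "small" terms are vectors) with constructed, insecure parameters. It exposes the error term e^T s' + e'' − e'^T s, checks that it is exactly what is left of v' − v once the message is removed, and evaluates the failure condition ||·||_∞ ≥ q/4 against it.

```python
import random

# Toy LWE parameters, constructed for illustration only (far too small to be secure).
Q = 3329                 # modulus q
N = 8                    # dimension n (k = 1, so s, e, s', e' are vectors)
ETA = 2                  # "small" coefficients are uniform in [-ETA, ETA]
HALF_Q = (Q + 1) // 2    # round(q/2), the message encoding scale


def small_vec(rng, n=N):
    return [rng.randint(-ETA, ETA) for _ in range(n)]


def centered(x):
    """Representative of x mod q in the centred range (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


def matvec(A, x, transpose=False):
    """A·x (or A^T·x when transpose=True) over Z_q."""
    if transpose:
        return [sum(A[j][i] * x[j] for j in range(N)) % Q for i in range(N)]
    return [sum(A[i][j] * x[j] for j in range(N)) % Q for i in range(N)]


def keygen(rng):
    """Alice: A uniform, s and e small, b = A·s + e."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small_vec(rng), small_vec(rng)
    b = [(x + y) % Q for x, y in zip(matvec(A, s), e)]
    return (A, b), (s, e)


def encrypt(pk, m, rng):
    """Bob: b' = A^T·s' + e', v' = b^T·s' + e'' + round(q/2)·m.
    The randomness is returned only so the error term can be inspected."""
    A, b = pk
    s2, e2 = small_vec(rng), small_vec(rng)
    e3 = rng.randint(-ETA, ETA)
    b2 = [(x + y) % Q for x, y in zip(matvec(A, s2, transpose=True), e2)]
    v2 = (dot(b, s2) + e3 + HALF_Q * m) % Q
    return (b2, v2), (s2, e2, e3)


def decrypt(sk, ct):
    """Alice: v = b'^T·s, m' = round((2/q)(v' - v)) mod 2."""
    s, _ = sk
    b2, v2 = ct
    v = dot(b2, s) % Q
    return round(2 * centered(v2 - v) / Q) % 2


def error_term(sk, enc_randomness):
    """The decryption error e^T s' + e'' - e'^T s from the slides, centred mod q."""
    s, e = sk
    s2, e2, e3 = enc_randomness
    return centered(dot(e, s2) + e3 - dot(e2, s))


def fails(err):
    """Decryption failure condition |error| >= q/4 (the slides' ||.||_inf >= q/4 with k = 1)."""
    return abs(err) >= Q / 4


def run(seed, m):
    """One keygen / encrypt / decrypt; returns (error term, predicted failure, m == m')."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, randomness = encrypt(pk, m, rng)
    err = error_term(sk, randomness)
    # The error is exactly what remains of v' - v after the message term is removed.
    v = dot(ct[0], sk[0]) % Q
    assert centered(ct[1] - v - HALF_Q * m) == err
    return err, fails(err), decrypt(sk, ct) == m
```

With these toy bounds the error term can never exceed 2·N·ETA² + ETA = 66, far below q/4 = 832, so decryption always succeeds; the failure predicate `fails` is what a larger error, or a deliberately chosen ciphertext, would trip.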
How calculated
◮ calculate some bounds
◮ assume Gaussian and calculate $\sigma$ and $\mu$
◮ calculate pdf exhaustively
Variations
◮ polynomials, vectors/matrices of polynomials $\mathbb{Z}_q[X]/(X^n + 1)$
◮ learning with rounding
◮ NTRU version, Mersenne prime, Threebears
Chosen ciphertext attacks
◮ Easy to attack with chosen ciphertexts
◮ We cannot check the adversary
FO-transform
Alice: $A \leftarrow U(\mathbb{Z}_q^{n \times n})$, $s, e \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$, $b = A \cdot s + e$
Alice → Bob: $(b, A)$
Bob: $m \leftarrow U(\{0,1\}^{256})$, $s', e', e'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k};\, H(m))$, $b' = A^T \cdot s' + e'$, $v' = b^T \cdot s' + e'' + \lfloor q/2 \rceil m$
Bob → Alice: $(b', v')$
Alice: $v = b'^T \cdot s$, $m' = \lfloor (2/q)(v' - v) \rceil$, $\mathrm{check}(m', b', v')$
Error term
◮ let's group secret and ciphertext terms: $S = \begin{pmatrix} -s \\ e \end{pmatrix}$, $C = \begin{pmatrix} e' \\ s' \end{pmatrix}$
◮ failure if: $\| S^T C + e'' \|_\infty \ge q/4$
Outline (section 2: How to find 1st failure)
Attack model
◮ precomputation: Grover's algorithm
◮ only classical access to decryption oracle
Failure boosting
◮ find weak ciphertexts ($\alpha$)
  • generate ciphertext
  • estimate failure probability
  • accept if higher than $f_t$
◮ query weak ciphertexts ($\beta$)
◮ general model for schemes with decryption failures
◮ works if:
  • can estimate failure probability of ciphertexts
  • estimated failure probability of ciphertexts is different
Failure boosting technical
◮ $\alpha = P[\, p_e(c) > f_t \,]$: probability of finding weak ciphertext
◮ $\beta = P[\, c \text{ fails} \mid p_e(c) > f_t \,]$: failure probability of weak ciphertext
Lattice based schemes: simple case
◮ $\| S^T C + e'' \|_\infty \ge q/4$
◮ $| S^T C | \ge q/4$
◮ $\| S \|_2 \, \| C \|_2 \, |\cos(\theta)| \ge q/4$
Lattice based schemes: matrices
◮ $\| S^T C \|_\infty \ge q/4$
◮ Gaussian assumption
◮ $\mu = 0$
◮ $\sigma_{S^T C}$: $\mathrm{Var}((S^T C)_{ij}) = \sum_k \mathrm{Var}(S_{kj} C_{ki}) = \sum_k C_{ki}^2 \cdot \mathrm{Var}(S_{kj}) = \| C_{:i} \|_2^2 \cdot \sigma_s^2$
How to calculate
  l   | P[ ||C||_2 = l ] | P[ fail | ||C||_2 = l ]
 100  | 2^-30            | 2^-100
 101  | 2^-30            | 2^-99
 102  | 2^-29            | 2^-98
 103  | 2^-29            | 2^-97
($\alpha$ is obtained from the column P[ ||C||_2 = l ], $\beta$ from the column P[ fail | ||C||_2 = l ], summed over the rows whose failure probability exceeds $f_t$.)
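The table above, the Gaussian assumption from the previous slide and the definitions of α and β, carried through end to end as an added example that is not part of the slides. The parameters are constructed toy values (q = 3329, 256 error coefficients, C of length 512 with centred binomial coefficients, secret standard deviation σ_s = 6 chosen so that the failure rate is large enough to compute in floating point); P[||C||_2 = l] is estimated by Monte Carlo, indexed by the exact integer ||C||_2² instead of l, and P[fail | ||C||_2 = l] comes from the Gaussian model with a union bound over the coefficients.

```python
import math
import random
from collections import Counter

# Constructed toy parameters (assumptions for this example, not any real scheme's values).
Q = 3329          # modulus q
N_COEFF = 256     # coefficients in the error term S^T C; any one of them beyond q/4 fails
DIM_C = 512       # length of C = (e', s'): two vectors of 256 coefficients
ETA = 2           # e', s' coefficients are centred binomial with parameter eta (variance 1)
SIGMA_S = 6.0     # assumed standard deviation of the secret coefficients in S


def cbd_sample(rng):
    """Centred binomial sample in [-ETA, ETA]: difference of two ETA-bit Hamming weights."""
    bits = rng.getrandbits(2 * ETA)
    return bin(bits & ((1 << ETA) - 1)).count("1") - bin(bits >> ETA).count("1")


def norm_sq_distribution(samples, seed=0):
    """Monte-Carlo estimate of P[||C||_2^2 = l^2]: the slide's first column, keyed by l^2."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(samples):
        counts[sum(cbd_sample(rng) ** 2 for _ in range(DIM_C))] += 1
    return {sq: c / samples for sq, c in counts.items()}


def fail_prob_given_norm_sq(sq):
    """P[fail | ||C||_2^2 = sq] under the Gaussian assumption (the slide's second column):
    each coefficient of S^T C is N(0, ||C||_2^2 * sigma_s^2) with mu = 0 and fails if |x| >= q/4;
    the N_COEFF coefficients are combined with a union bound, which is tight for tiny tails."""
    sigma = SIGMA_S * math.sqrt(sq)
    p_one = math.erfc((Q / 4) / (sigma * math.sqrt(2)))   # P[|N(0, sigma^2)| >= q/4]
    return min(1.0, N_COEFF * p_one)


def average_failure_rate(dist):
    """delta: failure probability of an unfiltered ciphertext."""
    return sum(p * fail_prob_given_norm_sq(sq) for sq, p in dist.items())


def failure_boosting(dist, f_t):
    """alpha = P[p_e(c) > f_t] and beta = P[fail | p_e(c) > f_t] for threshold f_t."""
    weak = {sq: p for sq, p in dist.items() if fail_prob_given_norm_sq(sq) > f_t}
    alpha = sum(weak.values())
    if alpha == 0:
        return 0.0, 0.0
    beta = sum(p * fail_prob_given_norm_sq(sq) for sq, p in weak.items()) / alpha
    return alpha, beta


def work_log2(alpha, beta):
    """log2 of the expected number of generated ciphertexts per failure, 1/(alpha * beta)."""
    return -math.log2(alpha) - math.log2(beta)


def demo(samples=2000):
    """Returns delta and, for thresholds delta, 2*delta, 4*delta, the tuple
    (f_t, alpha, beta, log2 total work 1/(alpha*beta), log2 decryption queries 1/beta)."""
    dist = norm_sq_distribution(samples)
    delta = average_failure_rate(dist)
    rows = []
    for f_t in (delta, 2 * delta, 4 * delta):
        alpha, beta = failure_boosting(dist, f_t)
        rows.append((f_t, alpha, beta, work_log2(alpha, beta), -math.log2(beta)))
    return delta, rows
```

Raising f_t lowers α (fewer ciphertexts pass the filter) and raises β (the ones that pass fail more often): the number of decryption queries per failure, 1/β, drops below 1/δ, while the total work 1/(αβ) never drops below 1/δ because αβ = P[weak and fail] ≤ P[fail] = δ. That trade, cheap precomputation against scarce oracle queries, is why the attack model pairs Grover's algorithm with a classical decryption oracle.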
[Figure: total work to generate a failure versus work to generate one weak sample (1/α), plotted for Kyber768, FrodoKEM-976, LAC-256, Saber and LizardCat3]
[Figure: total work to generate a failure versus weak ciphertext failure rate (β), plotted for the same five schemes]
Outline (section 3: How to find next failure)
Failure boosting
◮ $S^T C = \| S \|_2 \cdot \| C \|_2 \cos\theta$
[Figures: plots of δ, α and β; only the axis labels survive the extraction]
Find next failures
◮ $| S^T C | \ge q/4$
◮ $E$: an estimate of the direction of $S$; split $S$ and $C$ into a component parallel ($\parallel$) and orthogonal ($\perp$) to $E$
◮ $| S_\parallel^T C_\parallel + S_\perp^T C_\perp + S_\parallel^T C_\perp + S_\perp^T C_\parallel | \ge q/4$
◮ the cross terms vanish ($S_\parallel \perp C_\perp$ and $S_\perp \perp C_\parallel$): $| S_\parallel^T C_\parallel + S_\perp^T C_\perp | \ge q/4$
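The decomposition above, checked numerically as an added example that is not part of the slides: with a unit vector along an estimate E, each of S and C is split into its parallel and orthogonal parts, the two cross terms are shown to vanish, and |S^T C| is compared with the value obtained when C of the same length is pointed along E. The vectors S, E and C are constructed toy values (E deliberately differs from S in one coordinate, standing in for a noisy estimate).

```python
import math


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


def normalize(v):
    n = math.sqrt(dot(v, v))
    return [a / n for a in v]


def split(v, e):
    """Split v into its component parallel to the unit vector e and the orthogonal remainder."""
    par = [dot(v, e) * a for a in e]
    perp = [a - b for a, b in zip(v, par)]
    return par, perp


def decomposed_inner(S, C, E):
    """S^T C written as S_par^T C_par + S_perp^T C_perp + (cross terms), relative to E."""
    e = normalize(E)
    S_par, S_perp = split(S, e)
    C_par, C_perp = split(C, e)
    return {
        "full": dot(S, C),
        "par_par": dot(S_par, C_par),
        "perp_perp": dot(S_perp, C_perp),
        "cross": dot(S_par, C_perp) + dot(S_perp, C_par),   # expected to be 0
    }


def aligned_inner(S, C, E):
    """|S^T C'| for a C' of the same 2-norm as C but pointing along the estimate E."""
    e = normalize(E)
    c_aligned = [math.sqrt(dot(C, C)) * a for a in e]
    return abs(dot(S, c_aligned))


# Constructed toy vectors (not from the slides): S the secret, E a noisy estimate of its
# direction, C one ciphertext term.
S_TOY = [3, 1, 0, 2]
E_TOY = [3, 1, 1, 2]
C_TOY = [1, 2, -1, 0]
```

For these vectors S^T C = 5 splits as 56/15 (parallel) + 19/15 (orthogonal) with zero cross terms, and the aligned ciphertext of the same length reaches |S^T C'| ≈ 8.85: the better E approximates the direction of S, the larger the parallel share and the closer cos θ gets to 1, which is what makes later failures cheaper to find than the first.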