Abstract
Quantum computing capability outperforms that of the classic computers overwhelmingly, which seriously threatens modern public-key cryptography. For this reason, the National Institute of Standards and Technology (NIST) and several other standards organizations are progressing the standardization for post-quantum cryptography (PQC). There are two contenders among those candidates, CRYSTALS-KYBER and SABER, lattice-based encryption algorithms in the third round finalists of NIST’s PQC standardization project. At the current phase, it is important to evaluate their security, which is based on the hardness of the variants of Ring Learning With Errors (Ring-LWE) problem. In ProvSec 2020, Wang et al. introduced a notion of “meta-PK” for Ring-LWE crypto mechanism. They further proposed randomness reuse attacks on NewHope and LAC cryptosystems which meet the meta-PKE model. In their attacks, the encryptor Bob’s partial (or even all) randomness can be recovered if it is reused. In this paper, we propose attacks against CRYSTALS-KYBER and SABER crypto schemes by adapting the meta-PKE model and improving Wang et al.’s methods. Then, we show that our proposed attacks cost at most 4, 3, and 4 queries to recover Bob’s randomness for any security levels of I (AES-128), III (AES-192), and V (AES-256), respectively in CRYSTALS-KYBER. Simultaneously, no more than 6, 6, and 4 queries are required to recover Bob’s secret for security levels I, III, and V in SABER.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
US Department of Commerce: National Institute of Standards and Technology. Post-Quantum Cryptography (2019). http://csrc.nist.gov/projects/post-quantum-cryptography/
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Proceedings pf the 25th USENIX Security Symposium, USENIX Security 16, August 10–12 2016, pp. 327–343 (2016)
Băetu, C., Durak, F.B., Huguenin-Dumittan, L., Talayhan, A., Vaudenay, S.: Misuse attacks on post-quantum cryptosystems. In: Proceedings of the EUROCRYPT 2019, May 19–23, 2019 , Part II, pp. 747–776 (2019)
Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Proceedings of the The Cryptographers’ Track at the RSA Conference 2019 (CT-RSA 2019), March 4–8 2019, pp. 272–292 (2019)
Bindel, N., Stebila, D., Veitch, S.: Improved attacks against key reuse in learning with errors key exchange. Cryptology ePrint Archive, Report 2020/1288 (2020). https://eprint.iacr.org/2020/1288
Bos, J.W., et al.: CRYSTALS - kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P 2018), London, UK, April 24–26 2018, pp. 353–367. IEEE (2018)
D’Anvers, J., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber: module-IWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) Proceedings of the Progress in Cryptology - AFRICACRYPT 2018–10th International Conference on Cryptology in Africa, Marrakesh, Morocco, May 7–9 2018, vol. 10831, LNCS, pp. 282–305. Springer (2018)
Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S.R., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. In: Proceedings of the IEEE International Conference on Communications (ICC 2017), May 21–25 2017, pp. 1–6 (2017)
Ding, J., Fluhrer, S.R., Saraswathy, R.V.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Proceedings of the Information Security and Privacy - 23rd Australasian Conference (ACISP 2018), July 11–13 2018, pp. 467–486 (2018)
Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, 2016:85 (2016). http://eprint.iacr.org/2016/085
Greuet, A., Montoya, S., Renault, G.: Attack on LAC key exchange in misuse situation. IACR Cryptology ePrint Archive, 2020:63 (2020). http://eprint.iacr.org/2020/063
Liu, C., Zheng, Z., Zou, G.: Key reuse attack on NewHope key exchange protocol. In: Information Security and Cryptology (ICISC 2018), November 28–30, 2018, Revised Selected Papers, pp. 163–176 (2018)
Lu, X., et al.: LAC: practical ring-lwe based public-key encryption with byte-level modulus. IACR Cryptol. ePrint Arch. 2018, 1009 (2018)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Proceedings EUROCRYPT 2010, May 30–June 3 2010, pp. 1–23 (2010)
Okada, S., Wang, Y., Takagi, T.: Improving key mismatch attack on NewHope with fewer queries. In: Liu, J.K., Cui, H. (eds.) ACISP 2020. LNCS, vol. 12248, pp. 505–524. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55304-3_26
Qin, Y., Cheng, C., Ding. J.: A complete and optimized key mismatch attack on NIST candidate newhope. In: Proceedings of the 4th European Symposium on Research in Computer Security (ESORICS 2019), September 23–27 2019, Part II, pp. 504–520 (2019)
Cin, Y., Cheng, C., Din, J.: An efficient key mismatch attack on the NIST second round candidate Kyber. IACR Cryptology ePrint Archive. 2019:1343 (2019). http://eprint.iacr.org/2019/1343
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. Technical report. http://www.rfc-editor.org/info/rfc8446
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Vacek, J., Václavek, J.: Key mismatch attack on newhope revisited. IACR Cryptol. ePrint Arch. 2020, 1389 (2020)
Wang, K., Zhang, Z., Jiang, H.: Security of two NIST candidates in the presence of randomness reuse. In: Proceedings of the Provable and Practical Security - 14th International Conference (ProvSec 2020), Singapore, November 29–December 1, 2020, pp. 402–421 (2020)
Acknowledgement
This work was supported by JSPS KAKENHI Grant Number JP20K23322 and JP21K11751, Japan.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix a Plots of Experimental Results
Appendix a Plots of Experimental Results
We show the relationships between the number of queries and the rate of recovered Bob’s randomness from Fig. 4, 5, 6, 7, 8, 9. Figure 4 shows that the whole randomness can be recovered with at most 4 queries (at least 2 queries) in the attack on KYBER-512, and Fig. 5 and 6 show it requires 3 and 4 queries in the attacks on KYBER-768 and KYBER-1024, respectively. Simultaneously, Fig. 7 and 8 show it requires at most 6 queries (at least 4 and 3 queries) to recover the whole randomness in LightSaber and Saber, while just 4 queries is needed in the key recovery attack on FireSaber (Fig. 9).
KYBER-512.
KYBER-768.
KYBER-1024.
LightSaber.
Saber
FireSaber
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Okada, S., Wang, Y. (2021). Recovery Attack on Bob’s Reused Randomness in CRYSTALS-KYBER and SABER. In: Huang, Q., Yu, Y. (eds) Provable and Practical Security. ProvSec 2021. Lecture Notes in Computer Science(), vol 13059. Springer, Cham. https://doi.org/10.1007/978-3-030-90402-9_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-90402-9_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90401-2
Online ISBN: 978-3-030-90402-9
eBook Packages: Computer ScienceComputer Science (R0)