Cryptology ePrint Archive: Report 2017/1214

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

Daniel J. Bernstein and Leon Groot Bruinderink and Tanja Lange and Lorenz Panny

Abstract: We show that the NISTPQC submission HILA5 is not secure against chosen-ciphertext attacks. Specifically, we demonstrate a key-recovery attack on HILA5 using an active attack on reused keys. The attack works around the error correction in HILA5. The attack applies to the HILA5 key-encapsulation mechanism (KEM), and also to the public-key encryption mechanism (PKE) obtained by NIST's procedure for combining the KEM with authenticated encryption. This contradicts the most natural interpretation of the IND-CCA security claim for HILA5.

Category / Keywords: public-key cryptography / Post-quantum cryptography, KEM, RLWE, reaction attack.

Date: received 18 Dec 2017, last revised 8 Mar 2018

Contact author: authorcontact-helaas at box cr yp to

Available format(s): PDF | BibTeX Citation

Version: 20180309:004951 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]