Analysis of Two Countermeasures against the Signal Leakage Attack
Ke Wang and Zhenfeng Zhang
In 2017, a practical attack, referred to as the signal leakage attack, against reconciliation-based RLWE key exchange protocols was proposed. In particular, this attack can recover a long-term private key if a key pair is reused. Directly motivated by this attack, recently, Ding et al. proposed two countermeasures against the attack. One is the RLWE key exchange protocol with reusable keys (KERK), which is included in the Ding Key Exchange, a NIST submission. The idea for this construction is using zero knowledge proof. The other is the practical randomized RLWE-based key exchange (PRKE) (TOC’18), which mixes more randomization. We found that the two countermeasures above can effectively prevent malicious Alice from recovering the private key of Bob when keys are reused. However, both countermeasures don’t consider the case where malicious Bob tries to recover the private key of Alice. In particular, malicious Bob can recover the private key of Alice by carefully choosing what he sends and observing whether shared keys match. By analyzing the complexities of these attacks, the results show these attacks are practical and effective. Notice that the key to carry out these attacks is that malicious Bob chooses a RLWE sample with the special structure as his public key. Therefore, other RLWE-based schemes, including KEM (or key exchange) and PKE, are also vulnerable to these attacks. In response to these attacks, we propose a mechanism where one party can construct a new ”public key” of the other party, and in order to illustrate the mechanism, we give an improved KERK.