Cryptology ePrint Archive: Report 2019/043

A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke

Qian Guo and Thomas Johansson and Alexander Nilsson

Abstract: Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase where special messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on one NIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.

Category / Keywords: public-key cryptography / Lattice-based cryptography, NIST post-quantum standardization, decryption error, LWE, NTRU, Reaction attack.

Date: received 18 Jan 2019

Contact author: qian guo at uib no

Available format(s): PDF | BibTeX Citation

Version: 20190118:120008 (All versions of this report)

Short URL: ia.cr/2019/043


[ Cryptology ePrint archive ]