## Cryptology ePrint Archive: Report 2019/1392

Decryption failure is more likely after success

Nina Bindel and John M. Schanck

Abstract: The user of an imperfectly correct lattice-based public-key encryption scheme leaks information about their secret key with each decryption query that they answer, even if they answer all queries successfully. Through a refinement of the D'Anvers–Guo–Johansson–Nilsson–Vercauteren–Verbauwhede failure boosting attack, we show that an adversary can use this information to improve his odds of finding a decryption failure. We also propose a new definition of $\delta$-correctness, and we re-assess the correctness of several submissions to NIST's post-quantum standardization effort.

Category / Keywords: public-key cryptography / public-key cryptography, lattice-based cryptography, decryption failure