Cryptology ePrint Archive: Report 2019/435

A Complete and Optimized Key Mismatch Attack on NIST Candidate NewHope

Yue Qin and Chi Cheng and Jintai Ding

Abstract: In CT-RSA 2019, Bauer et al. have analyzed the case when the public key is reused for the NewHope key encapsulation mechanism (KEM), a second-round candidate in the NIST Post-quantum Standard process. They proposed an elegant method to recover coefficients ranging from -6 to 4 in the secret key. We repeat their experiments but there are two fundamental problems. First, even for coefficients in [-6,4] we cannot recover at least 262 of them in each secret key with 1024 coefficients. Second, for the coefficient outside [-6,4], they suggested an exhaustive search. But for each secret key on average there are 10 coefficients that need to be exhaustively searched, and each of them has 6 possibilities. This makes Bauer et al.'s method highly inefficient. We propose an improved method, which with 99.22% probability can recover all the elements ranging from -6 to 4 in the secret key. Then, inspired by Ding et al.'s key mismatch attack, we propose an efficient strategy which with a probability of 96.88% succeeds in recovering all the coefficients in the secret key. Experiments show that our proposed method is very efficient, which completes the attack in about 137.56 ms using the NewHope parameters.

Category / Keywords: public-key cryptography / Post-quantum cryptography; Key exchange; Ring learning with errors; Key mismatch attack

Original Publication (with minor differences): ESORICS 2019

Date: received 27 Apr 2019, last revised 21 Jun 2020

Contact author: chengchi at cug edu cn

Available format(s): PDF | BibTeX Citation

Version: 20200621:070141 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]