Cryptology ePrint Archive: Report 2020/1578

An IND-CCA2 Attack Against the 1st- and 2nd-round Versions of NTS-KEM

Tung Chou

Abstract: This paper presents an IND-CCA2 attack against the 1st- and 2nd-round versions of NTS-KEM, i.e., the versions before the update in December 2019. Our attack works against the 1st- and 2nd-round specifications, with a number of decapsulation queries upper-bounded by n − k and an advantage lower-bounded by roughly 0.5(n − k)t/n^2 , where n, k, and t stand for the code length, code dimension, and the designed decoding capacity, for all the three parameter sets of NTS-KEM. We found that the non-reference implementations are also vulnerable to our attack, even though there are bugs. There are also bugs in the reference implementations, but in a way invulnerable to our attack.

Category / Keywords: public-key cryptography / NIST PQC standardization, Post-quantum cryptogrphy, Code-based cryptography, IND-CCA2

Original Publication (in the same form): SECITC 2020 (to appear)

Date: received 17 Dec 2020

Contact author: blueprint at crypto tw

Available format(s): PDF | BibTeX Citation

Version: 20201221:074117 (All versions of this report)

Short URL: ia.cr/2020/1578


[ Cryptology ePrint archive ]