Cryptology ePrint Archive: Report 2020/585

Improving Key Mismatch Attack on NewHope with Fewer Queries

Satoshi Okada and Yuntao Wang and Tsuyoshi Takagi

Abstract: NewHope is a lattice-based cryptoscheme built on the Ring Learning With Errors (Ring-LWE) problem, and it has received much attention among the candidates of the NIST post-quantum cryptography standardization project. Recently, key mismatch attacks on NewHope have been proposed, in which the adversary tries to recover the server's secret key by observing whether the shared key matches for chosen queries. At CT-RSA 2019, Bauer et al. first proposed a key mismatch attack on NewHope, and then at ESORICS 2019, Qin et al. proposed an improved version with a success probability of 96.9% using about 880,000 queries. In this paper, we further improve their key mismatch attack on NewHope. First, we reduce the number of queries by adapting the terminating condition to the response from the server using an early abort technique. Next, the success rate of recovering the secret key polynomial is raised by taking into account the deterministic condition for judging its coefficients. Furthermore, the search range of the secret key in Qin et al.'s attack is extended without increasing the number of queries. With the above improvements, a success rate of almost 97% is achieved with about 73% fewer queries than Qin et al.'s method. Additionally, the success rate can be raised to 100.0%. In particular, we analyze the trade-off between the cost in queries and the success rate: a lower success rate of 20.9% is still attainable when the number of queries is further reduced to 135,000.

Category / Keywords: public-key cryptography / PQC, Ring-LWE, Key Mismatch Attack, NewHope

Original Publication (in the same form): 25th Australasian Conference on Information Security and Privacy (ACISP 2020)

Date: received 18 May 2020

Contact author: okada-satoshi323 at g ecc u-tokyo ac jp,y-wang@jaist ac jp,takagi@mist i u-tokyo ac jp


Version: 20200522:150238

Short URL: ia.cr/2020/585
