
Analysis of Two Countermeasures Against the Signal Leakage Attack

  • Conference paper
  • Progress in Cryptology – AFRICACRYPT 2019 (AFRICACRYPT 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11627)
Abstract

In 2017, a practical attack against reconciliation-based RLWE key exchange protocols, referred to as the signal leakage attack, was proposed. In particular, this attack can recover a party's long-term private key if that key pair is reused.

Directly motivated by this attack, Ding et al. recently proposed two countermeasures. One is the RLWE key exchange protocol with reusable keys (KERK), which is included in the Ding Key Exchange, a NIST submission; the other is the practical randomized RLWE key exchange (PRKE) (TOC'18). Meanwhile, there exists another key reuse attack on RLWE key exchange (ACISP'18 and Africacrypt'18), called the key mismatch attack.

In this paper, we find that KERK and PRKE are vulnerable to the key mismatch attack. In particular, we propose a simpler key mismatch attack and apply it to KERK and PRKE, respectively. In fact, the key mismatch attack shares the same idea as the signal leakage attack: one of the communicating parties chooses an RLWE sample with a special structure as his/her public key. In order to resist the key mismatch attack, we extend KERK and give an improved version in which any party can construct a new "public key" for the other party. We also extend PRKE by increasing its randomization further. Finally, by comparison, we find that the improved PRKE is more practical.


Notes

  1. [17] proposed an off-line method to search for \(s_B\), and here we adopt the same method. In particular, Bob can do this by searching for values \(s_B\) such that \((s_B\overline{p_A})[0]\) is a small value, where \(s_B\) has at most three nonzero coefficients, each in \(\{1, -1\}\), and the rest are 0. As \(s_B\overline{p_A} = s_B(a\overline{s_A} + 2e_A + 2e_B') = as_B\overline{s_A} + 2s_B(e_A + e_B')\), where \(e_A\) and \(e_B'\) are known to be small, such an \(s_B\) has a nontrivial probability of meeting the criterion. Moreover, since \(p_A\) is Alice's public key, this computation can be done off-line. In fact, \((as_B\overline{s_A})[0] = -1\) also works; we just consider the case \((as_B\overline{s_A})[0] = 1\).

  2. Specifically, he can choose \(e_B = x^{n - i}\), namely \(e_B[t] = 0\) for all \(t = 0, \ldots, n - 1\) except \(t = n - i\), where \(e_B[n - i] = 1\).

  3. Since the addition of \(\frac{q - 1}{2}\) to a positive value changes its parity when \(\mathbb{Z}_q\) is represented as \(\{-\frac{q - 1}{2}, \ldots, \frac{q - 1}{2}\}\).

  4. The number of times is chosen to derive a reasonable number of samples for analyzing the distribution of \(\overline{s_A}[i]\) with a certain confidence level. For a confidence level of 95%, the number of samples is estimated to be 1000 with a margin of error of 3%.

  5. Since \(e_A'[i]\) is sampled from an error distribution (discrete Gaussian) centered at 0, the obtained value of \(\overline{s_A}[i]\) with perturbation will be centered at \(\overline{s_A}[i]\).

  6. Since the addition of \(\frac{q - 1}{2}\) to a positive value changes its parity when \(\mathbb{Z}_q\) is represented as \(\{-\frac{q - 1}{2}, \ldots, \frac{q - 1}{2}\}\).

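As an added illustration of the ring arithmetic the footnotes rely on (example code written for this page, not code from the paper or from the Ding Key Exchange submission), the following Python block implements the centred representation of footnotes 3 and 6, the monomial error term of footnote 2, and the sparse off-line search of footnote 1. It assumes the ring is \(\mathbb{Z}_q[x]/(x^n + 1)\), which the page does not state, and uses toy values \(n = 16\), \(q = 97\) rather than the schemes' parameters; the public key it searches against is constructed inline from fixed small values, not sampled from any real distribution. One check it makes explicit that the footnotes leave implicit: in the centred representation, adding \(\frac{q-1}{2}\) to a positive \(v\) wraps to \(v - \frac{q+1}{2}\), so the parity flip holds exactly when \(q \equiv 1 \pmod 4\), which is the case for any NTT-friendly modulus \(q \equiv 1 \pmod{2n}\) with \(n \ge 2\).

```python
"""Toy RLWE ring arithmetic for the footnotes above.

Added example, not code from the paper or from the Ding Key Exchange
submission. Assumptions: the ring is Z_q[x]/(x^n + 1) with q odd, and
coefficients are kept centred in {-(q-1)/2, ..., (q-1)/2}. N and Q are
toy values, not the schemes' parameters.
"""
from itertools import combinations, product

N, Q = 16, 97  # toy parameters (assumption); Q = 1 (mod 4), like NTT-friendly moduli


def centred(v, q=Q):
    """Reduce an integer into the centred representation {-(q-1)/2, ..., (q-1)/2}."""
    v %= q
    return v - q if v > (q - 1) // 2 else v


def ring_mul(f, g, n=N, q=Q):
    """Negacyclic product in Z_q[x]/(x^n + 1): x^n wraps around to -1."""
    out = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return [centred(c, q) for c in out]


def add_half_q_flips_parity(v, q=Q):
    """Footnotes 3 and 6. For 0 < v <= (q-1)/2 in centred form, v + (q-1)/2
    exceeds (q-1)/2 and wraps to v - (q+1)/2. Its parity therefore differs
    from that of v exactly when (q+1)/2 is odd, i.e. when q = 1 (mod 4),
    which holds for any NTT-friendly modulus q = 1 (mod 2n), n >= 2."""
    if not 0 < v <= (q - 1) // 2:
        raise ValueError("v must be a positive centred residue")
    shifted = centred(v + (q - 1) // 2, q)
    return shifted % 2 != v % 2


def monomial(i, n=N):
    """Footnote 2: e_B = x^(n-i). For 1 <= i < n this is a single 1 at index
    n-i; for i = 0 it is x^n, which equals -1 in the assumed ring."""
    e = [0] * n
    if i == 0:
        e[0] = -1
    else:
        e[n - i] = 1
    return e


def sparse_ternary_candidates(p_bar, bound, max_weight=3, n=N, q=Q):
    """Footnote 1: enumerate every s_B with at most max_weight nonzero
    coefficients, each in {+1, -1}, and keep those with
    |(s_B * p_bar)[0]| <= bound. Only Alice's public key p_bar is needed,
    so this runs entirely off-line."""
    found = []
    for w in range(1, max_weight + 1):
        for idx in combinations(range(n), w):
            for signs in product((1, -1), repeat=w):
                s = [0] * n
                for k, sgn in zip(idx, signs):
                    s[k] = sgn
                if abs(ring_mul(s, p_bar, n, q)[0]) <= bound:
                    found.append(s)
    return found


def constructed_public_key(n=N, q=Q):
    """Constructed stand-in for Alice's public key p_bar = a*s_A + 2*e_A with
    fixed small s_A, e_A (not drawn from any real error distribution)."""
    a = [centred(7 * i * i + 3, q) for i in range(n)]
    s_a = [0] * n
    s_a[2], s_a[5], s_a[11] = 1, -1, 1
    e_a = [0] * n
    e_a[0], e_a[7], e_a[13] = 1, -1, 1
    p_bar = [centred(x + 2 * y, q) for x, y in zip(ring_mul(a, s_a, n, q), e_a)]
    return a, s_a, e_a, p_bar


if __name__ == "__main__":
    print("parity flips for q=97 (1 mod 4):", add_half_q_flips_parity(1, 97))
    print("parity flips for q=99 (3 mod 4):", add_half_q_flips_parity(1, 99))
    f = list(range(1, N + 1))
    print("(f * x^(n-3))[0] == -f[3]:", ring_mul(f, monomial(3))[0] == centred(-f[3]))
    _, _, _, p_bar = constructed_public_key()
    cands = sparse_ternary_candidates(p_bar, bound=2)
    print(f"{len(cands)} sparse s_B with |(s_B * p_bar)[0]| <= 2, e.g. {cands[0]}")
```

Two things the run makes visible. Multiplying any \(f\) by \(x^{n-i}\) puts \(-f[i]\) into coefficient 0 of the product, which is why the single-monomial \(e_B\) of footnote 2 isolates one coefficient of the other party's secret. And the search of footnote 1 is cheap only because the candidate set is tiny: with weight at most 3 there are 4992 candidates for \(n = 16\), but the count grows as roughly \(8\binom{n}{3}\), so for real ring dimensions a practitioner would use the early-exit or incremental variant rather than this exhaustive loop.
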
References

  1. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  2. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of 35th Annual Symposium on Foundations of Computer Science 1994, pp. 124–134. IEEE (1994)

  3. National Institute of Standards and Technology: Round 1 Submissions (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  4. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  5. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, Report 2012/688 (2012)

  6. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  7. Bos, J.W., Costello, C., Naehrig, M., et al.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy (SP) 2015, pp. 553–570. IEEE (2015)

  8. Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_24

  9. Alkim, E., Ducas, L., Pöppelmann, T., et al.: Post-quantum key exchange – a new hope. In: USENIX Security Symposium 2016 (2016)

  10. Bos, J., Costello, C., Ducas, L., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018. ACM (2016)

  11. Alkim, E., Ducas, L., Pöppelmann, T., et al.: NewHope without reconciliation. IACR Cryptology ePrint Archive, Report 2016/1157 (2016)

  12. Ding, J., Alsayigh, S., Lancrenon, J., RV, S., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 183–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_11

  13. Ding, J., Alsayigh, S., Saraswathy, R.V., et al.: Leakage of signal function with reused keys in RLWE key exchange. In: 2017 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2017)

  14. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018)

  15. Gao, X., Ding, J., Li, L., et al.: Practical randomized RLWE-based key exchange against signal leakage attack. IEEE Trans. Comput. 1, 1–1 (2018)

  16. Kirkwood, D., Lackey, B.C., McVey, J., et al.: Failure is not an option: standardization issues for post-quantum key agreement. In: Talk at NIST Workshop on Cybersecurity in a Post-Quantum World, vol. 2 (2015). http://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm

  17. Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, Report 2016/085 (2016)

  18. Bernstein, D.J., Groot Bruinderink, L., Lange, T., Panny, L.: HILA5 pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_12

  19. Ding, J., Fluhrer, S., RV, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27

  20. Gao, X., Ding, J., Liu, J., Li, L.: Post-quantum secure remote password protocol from RLWE problem. In: Chen, X., Lin, D., Yung, M. (eds.) Inscrypt 2017. LNCS, vol. 10726, pp. 99–116. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75160-3_8

  21. Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)

  22. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 13 (2014)

  23. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  24. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

  25. Gao, X., Ding, J., Li, L., et al.: Efficient implementation of password-based authenticated key exchange from RLWE and post-quantum TLS. IACR Cryptology ePrint Archive, Report 2017/1192 (2017). http://eprint.iacr.org/2017/1192

  26. Saarinen, M.-J.O.: HILA5: on reliability, reconciliation, and error correction for ring-LWE encryption. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 192–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_10

  27. Ding, J., Saraswathy, R.V., Alsayigh, S., et al.: How to validate the secret of a Ring Learning with Errors (RLWE) key. IACR Cryptology ePrint Archive, Report 2018/081 (2018)

  28. D'Anvers, J.P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. IACR Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089

  29. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)

  30. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. IACR Cryptology ePrint Archive, Report 2019/075 (2019). https://eprint.iacr.org/2019/075


Acknowledgements

This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61802376).

Author information

Corresponding author: Ke Wang.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Wang, K., Jiang, H. (2019). Analysis of Two Countermeasures Against the Signal Leakage Attack. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2019. AFRICACRYPT 2019. Lecture Notes in Computer Science, vol 11627. Springer, Cham. https://doi.org/10.1007/978-3-030-23696-0_19

  • DOI: https://doi.org/10.1007/978-3-030-23696-0_19
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-23695-3
  • Online ISBN: 978-3-030-23696-0
