
Decryption Failure Is More Likely After Success

  • Conference paper
  • Post-Quantum Cryptography (PQCrypto 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12100)

Abstract

The user of an imperfectly correct lattice-based public-key encryption scheme leaks information about their secret key with each decryption query that they answer—even if they answer all queries successfully. Through a refinement of the D’Anvers–Guo–Johansson–Nilsson–Vercauteren–Verbauwhede failure boosting attack, we show that an adversary can use this information to improve his odds of finding a decryption failure. We also propose a new definition of \(\delta \)-correctness, and we re-assess the correctness of several submissions to NIST’s post-quantum standardization effort.


Notes

  1. https://jmschanck.info/code/20200203-decfail.tar.gz.

  2. The term “rigid” is due to Bernstein and Persichetti. See [4, Section 6].

  3. A slight modification is necessary, as the IND-CCA decryption oracle gives special treatment to the challenge ciphertext.

  4. The constant 100 is arbitrary. Our software can produce an optimized value if needed.

  5. Note that our analysis should roughly coincide with the one-shot failure probability when \(u=v=1\). We expect some discrepancy due to our treatment of \(e_3\) and the fact that we fix an estimate, \(\alpha \), for the norm of the secret. In contrast, the one-shot failure probabilities are averaged over all keys.

References

  1. Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  2. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016


  3. Bernstein, D.J.: Visualizing size-security tradeoffs for lattice-based encryption. Cryptology ePrint Archive, Report 2019/655 (2019). https://eprint.iacr.org/2019/655

  4. Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018). https://eprint.iacr.org/2018/526

  5. D’Anvers, J.-P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_19

  6. D’Anvers, J.P., Karmakar, A., Roy, S.S., Vercauteren, F.: SABER. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  7. D’Anvers, J.P., Rossi, M., Virdia, F.: (One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes. Cryptology ePrint Archive, Report 2019/1399 (2019). EUROCRYPT 2020. https://eprint.iacr.org/2019/1399

  8. D’Anvers, J.P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089

  9. Dent, A.W.: A designer’s guide to KEMs. Cryptology ePrint Archive, Report 2002/174 (2002). http://eprint.iacr.org/2002/174

  10. Drucker, N., Gueron, S., Kostic, D.: On constant-time QC-MDPC decoding with negligible failure rate. Cryptology ePrint Archive, Report 2019/1289 (2019). https://eprint.iacr.org/2019/1289

  11. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34


  12. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013)


  13. Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008


  15. Guo, Q., Johansson, T., Nilsson, A.: A generic attack on lattice-based schemes using decryption errors with application to ss-ntru-pke. Cryptology ePrint Archive, Report 2019/043 (2019). https://eprint.iacr.org/2019/043

  16. Hamburg, M.: Three bears. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  17. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12


  18. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21


  19. Lu, X., et al.: LAC. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  20. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  21. National Institute of Standards and Technology (NIST): Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2017). https://csrc.nist.gov/csrc/media/projects/post-quantum-cryptography/documents/call-for-proposals-final-dec-2016.pdf

  22. Pöppelmann, T., et al.: NewHope. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  23. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005


  24. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions


Acknowledgements

Special thanks to Kathrin Hövelmanns for insights on the correctness definition for PKEs, Jan-Pieter D’Anvers for helpful discussions and for providing us with a copy of [7], and Steve Weiss for computer systems support. NB is supported by NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146. This work was supported by IQC. IQC is supported in part by the Government of Canada and the Province of Ontario.

Author information

Correspondence to Nina Bindel or John M. Schanck.

A Details of Our Analysis for Each Scheme

A.1 Secret and Error Distributions

Definition 3

(Modulus switching function). The modulus switching function is defined by \(\left[ \!\left[ x\right] \!\right] ^{r}_{q} = \lfloor x\tfrac{r}{q} \rceil \bmod {r}\) with \(\lfloor x \frac{r}{q} \rceil \) computed over \(\mathbb {R}\). It is also extended component-wise to vectors and matrices.

Definition 4

(Compression artifact distribution). The compression artifact distribution with parameters r and q is the distribution of \(y - \left[ \!\left[ z\right] \!\right] ^{q}_{r}\) when y is drawn uniformly from \(\mathbb {Z}/q\) and \(z = \left[ \!\left[ y\right] \!\right] ^{r}_{q}\).

Definition 5

(Centered binomial distribution). The centered binomial distribution of parameter w assigns probability \(\frac{1}{2^{2w}} \left( {\begin{array}{c}2w\\ x+w\end{array}}\right) \) to \(x \in \mathbb {Z}\).

Definition 6

(Fixed weight distribution). The fixed weight trinary distribution of parameter w in dimension d is the uniform distribution on all \(2^w\left( {\begin{array}{c}d\\ w\end{array}}\right) \) vectors in \(\mathbb {Z}^d\) that have exactly \(\lceil w/2 \rceil \) coefficients equal to \(+1\), exactly \(\lfloor w/2 \rfloor \) coefficients equal to \(-1\), and the remaining \(d-w\) coefficients equal to 0.

A.2 Compression and Learning with Rounding

Some variants of the Lindner–Peikert scheme have additional rounding parameters \(r_0\), \(r_1\), and \(r_2\). They compress the public key to \((A,\,\left[ \!\left[ b\right] \!\right] ^{r_0}_{q})\) and the ciphertext to \((\left[ \!\left[ c_1\right] \!\right] ^{r_1}_{q},\,\left[ \!\left[ c_2\right] \!\right] ^{r_2}_{q})\). Note that if \(r_i = q\) then no compression occurs in the corresponding component. If \(b' = \left[ \!\left[ b\right] \!\right] ^{r_0}_{q}\) then there is some \(v_1 \in \mathbb {Z}/q\) such that \(\left[ \!\left[ b'\right] \!\right] ^{q}_{r_0} = (v_1 - As_2) \bmod {q}\). Likewise, if \(c_1' = \left[ \!\left[ c_1\right] \!\right] ^{r_1}_{q}\) then there is some \(v_2 \in \mathbb {Z}/q\) such that \(\left[ \!\left[ c_1'\right] \!\right] ^{q}_{r_1} = (e_1 A + v_2) \bmod {q}\), and if \(c_2' = \left[ \!\left[ c_2\right] \!\right] ^{r_1}_{q}\) then there is some \(v_3 \in \mathbb {Z}/q\) such that \(\left[ \!\left[ c_2'\right] \!\right] ^{q}_{r_2} = (e_1 A + v_3 + \mathsf {encode}(\text {msg})) \bmod {q}\). Variants that use well chosen rounding parameters can omit the \(s_1\), \(e_2\), and \(e_3\) terms in key generation and encryption; the compression artifacts \(v_1\), \(v_2\), and \(v_3\) take their place. Such schemes are said to be based on the Learning With Rounding problem (LWR). The difference between LWE and LWR is immaterial for our purposes; we simply incorporate the compression artifact noise into the distributions of \(s_1\), \(e_2\), and \(e_3\).

A.3 Frodo

Frodo is an instantiation of the Lindner–Peikert scheme with \(R=\mathbb {Z}\). The FrodoKEM NIST submission [20] defines three parameter sets frodo640 (\(n=670\), \(q=2^{15}\), \(t=2^{12}\)), frodo976 (\(n=976\), \(q=2^{16}\), \(t=2^{12}\)), and frodo1344 (\(n=1344\), \(q=2^{16}\), \(t=2^{11}\)). All three use the standard b-bit encoding, and therefore have an error threshold of \(t=q/2^{b+1}\). Each parameter set takes \(\chi _s = \chi _e = \chi ^{\times n}\) where \(\chi \) is an approximation to a discrete Gaussian distribution on \(\mathbb {Z}\). We refer to [20, Table 2] for the exact definition of \(\chi \). Our analysis is as described in Sect. 5.1.

A.4 Kyber (Second Round)

Kyber is an instantiation of the Lindner–Peikert scheme over \(R = \mathbb {Z}[x]/(x^{256}+1)\). The second round NIST submission [24] includes three parameter sets kyber512 (\(m=256\), \(k=2\), \(n=512\), \(q=3329\), \(r_0 = q\), \(r_1 = 2^{10}\), \(r_2 = 2^{3}\)), kyber768 (\(m=256\), \(k=3\), \(n=768\), \(q=3329\), \(r_0 = q\), \(r_1 = 2^{10}\), \(r_2 = 2^{4}\)), and kyber1024 (\(m=256\), \(k=4\), \(n=1024\), \(q=3329\), \(r_0 = q\), \(r_1 = 2^{11}\), \(r_2 = 2^{5}\)). All three use the standard 1-bit encoding. All three parameter sets sample \(s_1\), \(s_2\), \(e_1\), and \(e_2\) from \(\eta _2^{\times n}\), where \(\eta _2\) is the centered binomial distribution of parameter 2.

We write \(\rho _r\) for the compression artifact distribution with parameters r and q. We model \(e_1\) as being drawn from \(\eta _2^{\times n}\); we model \(e_2\) as being drawn from \({(\eta _2 *\rho _{r_1})}^{\times n}\); and we model \(e_3\) as being drawn from \({(\eta _2 *\rho _{r_2})}^{\times m}\). Due to the difference in size between the coefficients of \(e_1\) and \(e_2\), it seems unlikely that the spherical symmetry heuristic is reasonable. We adapt our analysis as follows.
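The modulus switching function, compression artifact distribution and centered binomial distribution of Definitions 3 to 5, together with the \(\eta _2 *\rho _{r_1}\) model for \(e_2\) used above, as an added Python example that is not part of the paper or its software. The kyber512 values \(q=3329\), \(r_1=2^{10}\) come from the text; the function names, the half-up rounding and centring the artifact into \((-q/2, q/2]\) are my own assumptions.

```python
from collections import Counter
from fractions import Fraction
from math import comb


def mod_switch(x: int, q: int, r: int) -> int:
    """Definition 3: [[x]]^r_q = round(x * r / q) mod r (round half up).
    floor(x*r/q + 1/2) is evaluated exactly as (2*x*r + q) // (2*q)."""
    return ((2 * x * r + q) // (2 * q)) % r


def compression_artifact_dist(q: int, r: int) -> dict:
    """Definition 4: distribution of y - [[z]]^q_r for y uniform in Z/q and
    z = [[y]]^r_q; the difference is centred into (-q/2, q/2] (assumption)."""
    counts = Counter()
    for y in range(q):
        z = mod_switch(y, q, r)
        d = (y - mod_switch(z, r, q)) % q
        counts[d - q if d > q // 2 else d] += 1
    return {d: Fraction(c, q) for d, c in sorted(counts.items())}


def centered_binomial_dist(w: int) -> dict:
    """Definition 5: Pr[x] = C(2w, x + w) / 2^(2w) for x in {-w, ..., w}."""
    return {x: Fraction(comb(2 * w, x + w), 4 ** w) for x in range(-w, w + 1)}


def convolve(p: dict, s: dict) -> dict:
    """Distribution of X + Y for independent X ~ p and Y ~ s (written p * s)."""
    out = {}
    for a, pa in p.items():
        for b, pb in s.items():
            out[a + b] = out.get(a + b, Fraction(0)) + pa * pb
    return dict(sorted(out.items()))


def mean(dist: dict) -> Fraction:
    return sum(x * px for x, px in dist.items())


def variance(dist: dict) -> Fraction:
    m = mean(dist)
    return sum((x - m) ** 2 * px for x, px in dist.items())


def e2_noise_model(w: int, q: int, r: int) -> dict:
    """Model for a coefficient of e_2 in A.4: eta_w * rho_r, i.e. honest
    centred binomial noise plus the artifact of compressing c_1 to r levels."""
    return convolve(centered_binomial_dist(w), compression_artifact_dist(q, r))


if __name__ == "__main__":
    q, r1 = 3329, 2 ** 10  # kyber512: q and the c_1 rounding parameter r_1
    rho = compression_artifact_dist(q, r1)
    e2 = e2_noise_model(2, q, r1)
    print("rho_{r_1}:", {d: round(float(p), 4) for d, p in rho.items()})
    print("Var(eta_2) =", variance(centered_binomial_dist(2)),
          " Var(rho_{r_1}) =", round(float(variance(rho)), 4),
          " Var(e_2 model) =", round(float(variance(e2)), 4))
    # half-up rounding makes the artifact slightly biased, not exactly zero-mean
    print("E[rho_{r_1}] =", round(float(mean(rho)), 4))
```

Because the arithmetic is exact, the variance of the \(e_2\) model equals the sum of the variances of \(\eta _2\) and \(\rho _{r_1}\), which is the quantity the spherical-symmetry heuristic needs when the two components of \(e\) are re-scaled.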

Let \(\chi _1 \times \chi _2\) be the distribution from which the adversary draws \(e = (e_1, e_2)\). We will assume that \(\chi _1\) and \(\chi _2\) (viewed as distributions on the coefficient embedding of \(R^k\)) are invariant under permutations of the standard basis. Let \(z_1\) and \(z_2\) be the expected values of \(\Vert e_1 \Vert _2\) and \(\Vert e_2 \Vert _2\) respectively. Let \(w = \sqrt{z_2/z_1}\), \(e^* = (e_1\cdot w, e_2/w)\), \(s^* = (s_1/w, s_2\cdot w)\), and observe that \(\langle \bar{s^*}, e^*\rangle = \langle \bar{s}, e\rangle \). We apply the analysis of Sect. 5.1, but we take \(\alpha \) to be the expected value of \(\Vert s^* \Vert _2\) and we compute \({\text {Q}}_{\alpha }\) with respect to the scaled distributions \(\chi _1 \cdot w\) and \(\chi _2/w\). The expected values of \(\Vert e_1\cdot w \Vert _2\) and \(\Vert e_2/w \Vert _2\) are both \(\sqrt{z_1z_2}\). By assumption on \(\chi _1\) and \(\chi _2\), this implies that all 2n coefficients of \(e^*\) have the same expected size. While this does not imply that the distributions are spherically symmetric, it does make the assumption of spherical symmetry more plausible.

A.5 Saber

Saber is a learning with rounding variant of the Lindner–Peikert scheme that uses the base ring \(R = \mathbb {Z}[x]/(x^{256} + 1)\). The submission proposes three parameter sets lightsaber (\(m=256\), \(k=2\), \(q=2^{13}\), \(r_0=2^{10}\), \(r_1=2^{10}\), \(r_2=2^{3}\), \(w=10\)), saber (\(m=256\), \(k=3\), \(q=2^{13}\), \(r_0=2^{10}\), \(r_1=2^{10}\), \(r_2=2^{4}\), \(w=8\)), and firesaber (\(m=256\), \(k=4\), \(q=2^{13}\), \(r_0=2^{10}\), \(r_1=2^{10}\), \(r_2=2^{6}\)). All three parameter sets sample \(s_2\) and \(e_1\) from the centered binomial distribution of parameter \(\mu \), \(\eta _\mu ^{\times n}\), for the \(\mu \) listed in [6, Table 1]. Recall that \(s_1 = e_2 = e_3 = 0\) for learning with rounding variants.

We write \(\rho _r\) for the compression artifact distribution with parameters q and r. The correctness condition can be rewritten as an inner product between \((\bar{v_1}, \bar{s_2})\) and \((e_1, v_2)\), where \(v_1\) is drawn from \(\rho _{r_0}\) and \(v_2\) is drawn from \(\rho _{r_1}\). The distributions of \(v_1\) and \(s_2\) are invariant under taking adjoints. Note that \(r_0 = r_1\) for all of the proposed parameter sets. The coefficients of \((e_1, v_2)\) are not identically distributed, so the spherical symmetry assumption is suspect. However, the inner product is unchanged if we write \(\bar{s} = (\bar{v_1}, \bar{v_2})\) and \(e = (e_1, s_2)\). Moreover, unlike the original vectors, the coefficients of s and e are identically distributed. There is still a slight complication: the adversary has control over one component of s and one component of e. If the adversary chooses particularly large values of \(e_1\) and \(v_2\), then the spherical symmetry assumption will again be violated. We compensate for this by applying the same re-scaling trick from our analysis of Kyber.

A.6 Round5 (R5N1\(*\)PKE_0d)

Round5 is a collection of learning with rounding instantiations of the Lindner–Peikert scheme. The R5N1_\(*\)_PKE_0d parameter sets of Round5 take \(R=\mathbb {Z}\). The second round NIST submission includes three parameter sets [13, Table 13] r5n11pke0d (\(n=636\), \(q=2^{12}\), \(b=2\), \(r_0=2^9\), \(r_1=2^9\), \(r_3=2^6\), \(w=114\)), r5n13pke0d (\(n=876\), \(q=2^{15}\), \(b=3\), \(r_0=2^{11}\), \(r_1=2^{11}\), \(r_3=2^7\), \(w=446\)), and r5n15pke0d (\(n=1217\), \(q=2^{15}\), \(b=4\), \(r_0=2^{12}\), \(r_1=2^{12}\), \(r_3=2^9\), \(w=462\)). All three use fixed weight w vectors for \(e_1\) and \(s_2\). Since there are no large values of \(e_1\), the adversary will invest all of his effort in finding large values of \(v_2\). As with Saber, we swap components between vectors and apply the re-scaling trick from our analysis of Kyber. The only difference is that we compute \({\text {Q}}_{\alpha }\) with respect to the honest distribution of \(e_1\) and the \(u^2\)-th quantile of \(\Vert v_2 \Vert \).

A.7 Round5 (R5ND\(*\)0d)

The R5ND_\(*\)_0d parameter sets of Round5 take \(R = \mathbb {Z}[x]/(1 + x + \cdots + x^m)\). The specification includes three parameter sets [13, Table 11] r5nd1pke0d (\(m=586\), \(q=2^{13}\), \(b=1\), \(r_0=2^9\), \(r_1=2^9\), \(r_3=2^4\), \(w=182\)), r5nd3pke0d (\(m=852\), \(q=2^{12}\), \(b=1\), \(r_0=2^{9}\), \(r_1=2^{9}\), \(r_3=2^5\), \(w=212\)), and r5nd5pke0d (\(m=1170\), \(q=2^{13}\), \(b=1\), \(r_0=2^{9}\), \(r_1=2^{9}\), \(r_3=2^5\), \(w=222\)). We apply essentially the same analysis as for R5N1_\(*\)_0d. However, the choice of ring presents a slight obstacle as the adjoint does not preserve spherical symmetry.

Multiplication by a fixed element of R, say \(a = a_0 + a_1x + a_2x^2 + \cdots + a_{m-1}x^{m-1}\), is a linear operation on the coefficient embedding. Specifically, it corresponds to left multiplication by the \(m\times m\) matrix \({\left[ a\right] }_{i,j} = a_{i-j} - a_{-(j+1)}\) where the index arithmetic is modulo \(m+1\) and \(a_m = 0\). It follows that the adjoint of multiplication by a is multiplication by \(\bar{ a}\) where \(\bar{ a} = a_0 + (a_m - a_{m-1})x + (a_{m-1} - a_{m-2})x^2 + \cdots + (a_1 - a_0)x^{m-1}\). Note that the \(x^{0}\) and \(x^{1}\) coefficients are expected to be smaller than the rest. Since only two out of m coefficients are affected, we simply ignore the issue. We re-write the correctness condition as an inner product between \((v_1, \bar{v_2})\) and \((\bar{e_1}, s_2)\). Since \(e_1\) and \(v_2\) have i.i.d. coefficients, we can easily compute the distributions of \(\bar{e_1}\) and \(\bar{v_2}\).

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Bindel, N., Schanck, J.M. (2020). Decryption Failure Is More Likely After Success. In: Ding, J., Tillich, J.-P. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science, vol. 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_12

  • DOI: https://doi.org/10.1007/978-3-030-44223-1_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44222-4

  • Online ISBN: 978-3-030-44223-1