Key Recovery Under Plaintext Checking Attack on LAC

Abstract

The National Institute of Standards and Technology (NIST) is working on the standardization of post-quantum algorithms. In February 2019, NIST announced 26 candidate post-quantum cryptosystems had entered the Round 2. Prior work has shown how to mount key recovery attacks on several candidates like FrodoKEM, NewHope, and Kyber, but their methods do not work for LAC, which uses a different encoding scheme and rounding method. To address this gap, we describe a powerful new attack on LAC. In particular, we propose a simple and effective method to recover the reused secret key of LAC.CPA. Following the method we show that, using the recommended parameters, thousands of queries are sufficient to recover the full secret key with a 100% probability, which is verified by experiments. Since LAC.KE is based on LAC.CPA, our method can be used to assess the key-reuse resilience of LAC.KE. In particular, if Alice reuses a secret key, Bob can recover it by communicating with Alice thousands of times. Since LAC is a Round 2 candidate in the NIST PQ process, the presented result may well have a high impact on the understanding of this important cryptosystem.

Appendix A

A.1 RLWE Problems

Decisional Ring Learning with Errors (RLWE)  [7]. Let n, q be positive integers, and \(\chi _s,\chi _e\) be distributions over R. Distinguish the following two distributions: \(D_0\): \((\mathbf{a} ,\mathbf{b} )\) and \(D_1\): \((\mathbf{a} ,\mathbf{u} )\), where \(\mathbf{b} =\mathbf{as} +\mathbf{e} \) for \(\mathbf{a} \xleftarrow {\$}R_q\), \(\mathbf{s} \xleftarrow {\$}\chi _s\) and \(\mathbf{e} \xleftarrow {\$}\chi _e\), and \(\mathbf{u} \xleftarrow {\$}R_q\).

A.2 Cryptographic Definitions

A public key encryption scheme PKE is a tuple of algorithms (KeyGen, Enc, Dec):

• KeyGen() \( \rightarrow \) (pk, sk): A probabilistic key generation algorithm that outputs a public key pk and a secret key sk.

• Enc(m , pk) \(\rightarrow \) ct: A probabilistic encryption algorithm that takes as input a message m and public key pk, and outputs a ciphertext ct. The deterministic form is denoted as Enc(m , pk, r) \(\rightarrow \) ct, where the randomness r is passed as an explicit input.

• Dec(ct, sk) \(\rightarrow \) \(m'\): A deterministic decryption algorithm that takes as input a ciphertext ct and secret key sk, and outputs a message \(m'\).

We use the notion of indistinguishability under chosen plaintext attacks (IND-CPA) to define the advantage of an adversary A by:

A.3 Notations

Samp is an abstract algorithm which samples a random variable according to a distribution with a given seed: \(x \xleftarrow {} \textsf {Samp}(D,\textsf {seed})\), where D is a distribution, and seed is the random seed used to sample x. For an empty seed \(\epsilon \), the process \(x \xleftarrow {} \textsf {Samp}(D,\epsilon )\) is the same as \(x \xleftarrow {\$} D\). \(B_{\eta }^h\) is a n-ary centered binomial distribution with fixed Hamming weight. For a random variable according to the distribution, its Hamming weight is fixed to the expectation h, and the numbers of both 1’s and −1’s are h/2, the number of 0 is \(n - h\). ECCEnc and ECCDec are the encoding and decoding of the error correction codes, which switch between a message \(m \in \{0,1\}^{l_m}\) and its encoding \(\widehat{m} \in \{0,1\}^{l_v}\), where \(l_v\) is a positive integer denoting the length of the encoding. \((\cdot )_{l_v}\) is a function that inputs a polynomial and outputs the first \(l_v\) coefficients of the polynomial. For an element \(x \in \mathbb {Q}\) we denote by \(\lfloor x \rceil \) rounding of x to the closest integer with ties being rounded up.

A.4 Parameters

The main parameters of the LAC.CPA are integers \(n, q, \eta , l_m, l_v, l_t,h\), where n, q are the parameters of the polynomial ring \(R_q\), \(\eta \) is the parameter of the centered binomial distribution \(B_{\eta }\), \(l_m\) and \(l_v\) are the length of the message and the encoding, respectively, \(l_t\) is the maximum number of errors that can be corrected by error correcting code, h is the hamming weight of the centered binomial distribution. LAC.CPA recommends 3 parameter sets: LAC-128, LAC-192, LAC-256. Throughout these parameter sets q is always 251, \(l_m\) is always 256. The values of n, \(\eta \), \(l_v\) and h vary for different security levels. In particular,

• In LAC-128, \(n=512\), \(\eta =1\), \(l_v=l_m+18\times 8\), \(h=\frac{n}{2}\).

• In LAC-192, \(n=1024\), \(\eta =\frac{1}{2}\), \(l_v=l_m+9\times 8\), \(h=\frac{n}{4}\).

• In LAC-256, \(n=1024\), \(\eta =1\), \(l_v=l_m+18\times 8\), \(h=\frac{n}{2}\).

The centered binomial distribution \(B_{\eta }\) with \(\eta = \frac{1}{2}\) is defined as follows: \(\text {sample}\ (a,b)\leftarrow (B_{1},B_{1})\ \text {and output} \ a\times b,\) and the samples are in the interval \([-1, 1]\).

A.5 Discarding the Lower 4 Bits of Each Coefficient of v in LAC-256.

When the lower 4 bits for each coefficient in \(\mathbf{v} \) are discarded in the algorithm of LAC.CPA.Enc, \(\mathbf{v} _j\) has 16 possible values and they are \(k, k=0,1,...,15.\) In order to carry out the attack, the attacker constructs \(\mathbf{v} _3\sim \mathbf{v} _8\) as follows:

$$ \mathbf{v} ^3_j = \left\{ \begin{array}{rcl} 3, &{} &{} j = 0,l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1},\\ \end{array} \right. \ \ \ \ \ \mathbf{v} ^4_j = \left\{ \begin{array}{rcl} 3, &{} &{} j = 0,l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1},\\ \end{array} \right. \ \ \ \ \ \mathbf{v} ^5_j = \left\{ \begin{array}{rcl} 12, &{} &{} j = 0,l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1},\\ \end{array} \right. $$

$$\mathbf{v} ^6_j = \left\{ \begin{array}{rcl} 12, &{} &{} j = 0,l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1},\\ \end{array} \right. \ \ \ \ \ \mathbf{v} ^7_j = \left\{ \begin{array}{rcl} 12, &{} &{} j = 0\\ 4, &{} &{} j = l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1},\\ \end{array} \right. \ \ \ \ \ \mathbf{v} ^8_j = \left\{ \begin{array}{rcl} 11, &{} &{} j = 0\\ 4, &{} &{} j = l_v\\ 2, &{} &{} j \in \bar{I_0}\\ 10, &{} &{} j \in \hat{I_0}\\ 10, &{} &{} j \in \bar{I_1}\\ 2, &{} &{} j \in \hat{I_1}.\\ \end{array} \right. $$

The attacker queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^3), m)\) to determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = -2\), and queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{2q}{17},\mathbf{v} ^4), m)\) to further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = -1\). When he queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{34},\mathbf{v} ^5), m)\), he can further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = 2\). When he queries the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{2q}{17},\mathbf{v} ^6), m)\), he can further determine that \(\mathbf{s} _0 + \mathbf{s} _{l_v} = 1\). When querying the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^7), m)\), he can determine if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = 1\) or \(-1\), and if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = 2\) or \(-2 (0)\). When querying the oracle \(\textsf {PCO}\) with (\(\textsf {ct}=(\frac{q}{16},\mathbf{v} ^8), m)\), he can determine if \(\mathbf{s} _0 - \mathbf{s} _{l_v} = -2\) or 0.