Abstract
After the Snowden incident, cryptographic subversion attacks have attracted widespread attention. A subversion attack is an unconventional attack mounted from inside the machine, which makes it highly concealed. It threatens the security of existing cryptographic systems and seriously damages the confidentiality and integrity of communication. In this paper, we construct a subversion attack scheme on the multi-bit version of the learning with errors (LWE) encryption scheme proposed by Peikert, Vaikuntanathan and Waters; the construction is similar to the one over the single-bit LWE encryption scheme. In the construction, the NTRU encryption scheme proposed by Zhang et al. is used to encrypt and decrypt the underlying (hidden) message. In addition, the process of embedding the underlying message into an LWE ciphertext can be transformed into solving the ISIS problem, so a subversion attack scheme on the multi-bit LWE encryption scheme can be constructed whenever the ISIS problem is solved successfully. With properly selected parameters, we solve the ISIS problem with the BKZ algorithm alone and with a combined reduction algorithm built from BKZ and segment-LLL, respectively. Finally, our experiments show that the combination reduction algorithm improves the success rate of solving the ISIS problem, and thereby the effectiveness of the subversion attack.
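The abstract's key step, turning message embedding into an ISIS instance, rests on being able to find a short vector e with A e ≡ c (mod q). The Python block below is an added example, not code from the paper or its authors: it solves a constructed toy ISIS instance with a textbook LLL reduction followed by Babai's nearest-plane rounding (the paper's BKZ and segment-LLL reductions are not reproduced here). The function names (`solve_isis`, `check_isis`), the seeded 4×10 matrix, the modulus 101 and the small dimensions are all constructed for illustration and sit far below any real parameter set.

```python
"""Solve a small ISIS instance A*e = c (mod q) for a short e with LLL + Babai.

Constructed demo (not the paper's code): the q-ary kernel lattice of A is
built from a row reduction of A mod q, LLL-reduced, and Babai's nearest-plane
algorithm then shifts an arbitrary solution e0 to a short one.
"""
from fractions import Fraction
import random


def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))


def rref_mod(A, c, q):
    """Gauss-Jordan on [A | c] over Z_q (q prime). Returns (R, rhs, pivot_cols)."""
    n, m = len(A), len(A[0])
    M = [[x % q for x in row] + [c[i] % q] for i, row in enumerate(A)]
    pivots, r = [], 0
    for col in range(m):
        if r == n:
            break
        piv = next((i for i in range(r, n) if M[i][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, q)
        M[r] = [(x * inv) % q for x in M[r]]
        for i in range(n):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    if r < n:
        raise ValueError("A does not have full row rank mod q")
    return [row[:m] for row in M], [row[m] for row in M], pivots


def kernel_lattice_basis(R, pivots, m, q):
    """Basis of L = {x in Z^m : A x = 0 mod q} built from the reduced rows R of A."""
    free = [f for f in range(m) if f not in pivots]
    basis = []
    for f in free:                      # one kernel vector per free column
        x = [0] * m
        x[f] = 1
        for r, p in enumerate(pivots):
            x[p] = (-R[r][f]) % q       # R x = R[:,f] - R[:,f] = 0 mod q
        basis.append(x)
    for p in pivots:                    # q * unit vector on each pivot column
        x = [0] * m
        x[p] = q
        basis.append(x)
    return basis


def gram_schmidt(b):
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vk - mu[i][j] * sk for vk, sk in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction with exact rational arithmetic (fine for tiny dimensions)."""
    b = [list(v) for v in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size reduction of b_k
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                           # Lovasz condition holds
            k += 1
        else:                                    # swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def babai_residual(basis, target):
    """Babai nearest plane: return target minus its closest lattice vector."""
    bstar, _ = gram_schmidt(basis)
    t = [Fraction(x) for x in target]
    for i in range(len(basis) - 1, -1, -1):
        coef = round(dot(t, bstar[i]) / dot(bstar[i], bstar[i]))
        t = [x - coef * y for x, y in zip(t, basis[i])]
    return [int(x) for x in t]


def solve_isis(A, c, q):
    """Return a short e with A e = c (mod q): any solution e0, reduced modulo the kernel lattice."""
    n, m = len(A), len(A[0])
    R, rhs, pivots = rref_mod(A, c, q)
    e0 = [0] * m                        # particular solution: free coordinates set to 0
    for r, p in enumerate(pivots):
        e0[p] = rhs[r]
    reduced = lll(kernel_lattice_basis(R, pivots, m, q))
    return babai_residual(reduced, e0)


def check_isis(A, e, c, q):
    """True iff A e = c (mod q)."""
    return all(sum(a * x for a, x in zip(row, e)) % q == ci % q for row, ci in zip(A, c))


# Constructed toy instance (dimensions far below any real parameter set).
N_ROWS, M_COLS, Q = 4, 10, 101
rng = random.Random(2022)
A_DEMO = [[rng.randrange(Q) for _ in range(M_COLS)] for _ in range(N_ROWS)]
C_DEMO = [rng.randrange(Q) for _ in range(N_ROWS)]

if __name__ == "__main__":
    e = solve_isis(A_DEMO, C_DEMO, Q)
    print("e =", e, "valid:", check_isis(A_DEMO, e, C_DEMO, Q), "max|e_i| =", max(map(abs, e)))
```

The trivial solution from row reduction has coordinates anywhere in [0, q); reducing it modulo the LLL-reduced kernel lattice is what produces the short e that such a construction needs. In the toy dimensions above LLL alone suffices; the paper's BKZ and BKZ plus segment-LLL combination address the larger instances where this reduce-then-round pattern needs a stronger reduction.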
References
Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Advances in Cryptology 1983, pp. 51–67. Springer, MA (1984). https://doi.org/10.1007/978-1-4684-4730-9_5
Young, A., Yung, M.: The dark side of Black-Box cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8
Ball, J., Borger, J., Greenwald, G., et al.: Revealed: how US and UK spy agencies defeat internet privacy and security. Know Your Neighborhood 6, 1–10 (2013)
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_22
Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Ray, I., Li, N., Kruegel, C. (eds.) CCS 2015, pp. 364–375. New York, NY, USA (2015). https://doi.org/10.1145/2810103.2813635
Liu, C., Chen, R., Wang, Y., Wang, Y.: Asymmetric Subversion Attacks on Signature Schemes. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 376–395. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_22
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6
Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. John Wiley & Sons, Indianapolis (2004)
Kwant, R., Lange, T., Thissen, K.: Lattice klepto. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 336–354. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_17
Xiao, D., Yu, Y.: Klepto for ring-LWE encryption. Comput. J. 61(8), 1228–1239 (2018)
Yang, Z., Chen, R., Li, C., et al.: On the security of LWE cryptosystem against subversion attacks. Comput. J. 63(4), 495–507 (2020)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
Schnorr, C.P.: A more efficient algorithm for lattice basis reduction. J. Algor. 9(1), 47–62 (1988)
Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994)
Koy, H., Schnorr, C.P.: Segment LLL-reduction of lattice bases. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 67–80. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_7
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30
Lu, L., Liu, W., Li, J.: An effective LLL reduction algorithm. J. Wuhan Univ. Natl. Sci. Ed. 41(8), 1118–1124 (2016)
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2004, pp. 372–381. IEEE (2004). https://doi.org/10.1109/FOCS.2004.72
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_10
Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
Chen, C., Hoffstein, J., Whyte, W., et al.: NIST PQ Submission: NTRUEncrypt, a lattice based encryption algorithm. https://csrc.nist.gov/Projects/PostQuantum-Cryptography/Round-1-Submissions. Accessed 23 Jan 2018
Stehlé, D., Steinfeld, R.: Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
Yu, Y., Xu, G., Wang, X.: Provably secure NTRU instances over prime cyclotomic rings. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 409–434. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_17
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R., Chair, P. (eds.) STOC 2008, pp. 197–206. New York, NY, USA (2008). https://doi.org/10.1145/1374376.1374407
Bai, J., Liu, N., Li, Z.: New lattice reduction algorithm based on Gauss and LLL reduction. J. Comput. Eng. 39(11), 147–149 (2013)
Peng, L., Hu, L., Huang, Z., et al.: Actual complexity of modular knapsack vector problem and practical security of a lattice based public key cryptosystem. J. Cryptol. Res. 1(3), 225–234 (2014)
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer-Verlag, Berlin (1993)
Shoup, V.: NTL: a library for doing number theory. http://www.shoup.net/ntl/26-8-2018. Accessed 23 Jun 2021
Acknowledgements
The authors would like to thank anonymous reviewers for their helpful comments. This work is supported by National Natural Science Foundation of China (62032005, 62172096), Natural Science Foundation of Fujian Province (2019J01428, 2020J02016) and Open Fund of State Key Laboratory of Cryptology (MMKFKT202008).
Appendix
Proof
In game \(\textrm{G}_{i}\), \(S_{i}\) denotes the event \(b=b^{'}\), \(\mathcal {A}\) is the adversary, and the games are described in Table 6.
Games \(\textrm{G}_{1}\) and \(\textrm{G}_{2}\) differ only in the encryption stage: in game \(\textrm{G}_{1}\), the vector \(\textbf{c}_{1} \leftarrow _{\$} \mathbf {Enc_{ntru}}(\textbf{m}^{'},\textrm{spk})\), while in game \(\textrm{G}_{2}\), \(\textbf{c}_{1} \leftarrow _{\$} \mathbb {Z}_{q}^{N}\). Hence \(\epsilon _{1}=|\Pr [S_{2}]- \Pr [S_{1}] |\) is negligible by the \(\mathrm {IND\$-CPA}\) security of the NTRU encryption scheme.
Games \(\textrm{G}_{2}\) and \(\textrm{G}_{3}\) differ only in the \(\textbf{LatticeSolve}\) stage: in game \(\textrm{G}_{2}\), the vector \(\textbf{e}_{1}\leftarrow _{\$}\textbf{LatticeSolve}(\textbf{A},\mathbf {c_{1}})\), while in game \(\textrm{G}_{3}\), \(\textbf{e}_{1}\leftarrow _{\$} \mathbb {Z}^{m}\). In game \(\textrm{G}_{2}\), \(\textbf{c}_{1}\) is sampled uniformly from \(\mathbb {Z}_{q}^{N}\), and \(\mathbf {Ae_{1}\equiv c_{1}} \pmod {q^{'}}\). When the matrix \(\textbf{A}\) is fixed, it is hard to distinguish \(\textbf{e}_{1}\leftarrow _{\$}\textbf{LatticeSolve}(\textbf{A},\textbf{c}_{1})\) from \(\textbf{e}_{1}\leftarrow _{\$} \mathbb {Z}^{m}\). Thus \(\epsilon _{2}=|\Pr [S_{3}]- \Pr [S_{2}] |\) is negligible.
In game \(\textrm{G}_{3}\), the vector \(\textbf{e}_{1}\) is sampled uniformly from \(\mathbb {Z}^{m}\), so the algorithm \(\mathbf {\widetilde{Enc}}\) coincides with the encryption algorithm of the original LWE encryption scheme. Therefore,
Let \(\epsilon = 2\epsilon _{1}+ 2\epsilon _{2} +\epsilon _{3}\); the advantage of \(\mathcal {D}\) in detecting the SA satisfies:
Because the NTRU and LWE encryption schemes are both post-quantum cryptography, this conclusion still holds even if the adversary has quantum computing capabilities.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Yang, W., Yang, S., Wu, W., Zhao, Y. (2022). A Combination Reduction Algorithm and Its Application. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham. https://doi.org/10.1007/978-3-031-23020-2_38
DOI: https://doi.org/10.1007/978-3-031-23020-2_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23019-6
Online ISBN: 978-3-031-23020-2
eBook Packages: Computer Science, Computer Science (R0)