FuLeakage: Breaking FuLeeca by Learning Attacks

  • Conference paper
  • Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)

Abstract

FuLeeca is a signature scheme submitted to the recent NIST call for additional signatures. It is an efficient hash-and-sign scheme based on quasi-cyclic codes in the Lee metric and resembles the lattice-based signature Falcon. FuLeeca proposes a so-called concentration step within the signing procedure to avoid leakage of secret-key information from the signatures. However, FuLeeca is still vulnerable to learning attacks, which were first observed for lattice-based schemes. We present three full key-recovery attacks by exploiting the proximity of the code-based FuLeeca scheme to lattice-based primitives.

More precisely, we use a few signatures to extract an n/2-dimensional circulant sublattice from the given length-n code, which still contains the exceptionally short secret-key vector. This significantly reduces the classical attack cost and, in addition, leads to a full key recovery in quantum-polynomial time. Furthermore, we exploit a bias in the concentration procedure to classically recover the full key for any security level with at most 175,000 signatures in less than an hour.

Notes

  1. The meaning of a random lattice is a bit more complex than for codes, but can be made rigorous by considering the unique normalized Haar measure on the space of lattices.

  2. There are significant differences between the specification and the reference implementation of FuLeeca. In particular, the order of the loop on line 21 within the concentration procedure is important for our attack but not properly defined in the specification. Whenever specification and reference implementation differ, we follow the implementation.

  3. See the file estimates/estimate_reduction.sage available at https://github.com/WvanWoerden/FuLeakage/.

  4. \({{\,\textrm{Log}\,}}(K^\times )\) is not full-rank in \(\mathbb {R}^{k-1}\) either, as the complex embeddings come in conjugate pairs. However, we are only concerned with the fact that \({{\,\textrm{Log}\,}}(\mathcal {O}_k^\times )\) is not full-rank in \({{\,\textrm{Log}\,}}(K^\times )\).

  5. As discussed in [11], \(\boldsymbol{B}\) does not necessarily generate the full log-unit lattice but only a sublattice thereof. To still decode efficiently in the full lattice, we only need the index of the sublattice to be small, and that seems to be the case under reasonable heuristics. In particular, the index is less than 11 for all primes \(k \le 241\). If desired, a full basis for the log-unit lattice can efficiently be computed by a quantum algorithm.

  6. See https://github.com/WvanWoerden/FuLeakage/ for the code and instructions.

References

  1. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions: Cryptanalysis of some FHE and graded encoding schemes. Cryptology ePrint Archive, Report 2016/127 (2016). https://eprint.iacr.org/2016/127

  2. Albrecht, M., Ducas, L.: Lattice attacks on NTRU and LWE: a history of refinements. Cryptology ePrint Archive, Report 2021/799 (2021). https://eprint.iacr.org/2021/799

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015). https://doi.org/10.1515/jmc-2015-0016

  4. Banegas, G., et al.: Wave. Technical report, National Institute of Standards and Technology (2023). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/wave-spec-web.pdf

  5. Bariffi, J., Bartz, H., Liva, G., Rosenthal, J.: On the properties of error patterns in the constant Lee weight channel. In: International Zurich Seminar on Information and Communication (IZS 2022). Proceedings, pp. 44–48. ETH Zurich (2022). https://doi.org/10.3929/ETHZ-B-000535277

  6. Biasse, J.F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Krauthgamer, R. (ed.) 27th SODA, Arlington, VA, USA, pp. 893–902. ACM-SIAM (2016). https://doi.org/10.1137/1.9781611974331.ch64

  7. Blanco-Chacón, I.: On the RLWE/PLWE equivalence for cyclotomic number fields. Appl. Algebra Eng. Commun. Comput. 33(1), 53–71 (2022). https://doi.org/10.1007/S00200-020-00433-Z

  8. Bos, J.W., et al.: HAWK. Technical report, National Institute of Standards and Technology (2023). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/hawk-spec-web.pdf

  9. Conway, J.H., Sloane, N.J.A.: Sphere Packings, Lattices and Groups, vol. 290. Springer, Heidelberg (2013). https://doi.org/10.1007/978-1-4757-6568-7

  10. Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_10

  11. Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20

  12. Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12

  13. Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_27

  14. Ducas, L., Postlethwaite, E.W., Pulles, L.N., van Woerden, W.P.J.: Hawk: module LIP makes lattice signatures fast, compact and simple. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part IV. LNCS, vol. 13794, pp. 65–94. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22972-5_3

  15. Felderhoff, J., Pellet-Mary, A., Stehlé, D.: On module unique-SVP and NTRU. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part III. LNCS, vol. 13793, pp. 709–740. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22969-5_24

  16. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, Victoria, BC, Canada, pp. 197–206. ACM Press (2008). https://doi.org/10.1145/1374376.1374407

  17. Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20

  18. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO’97. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052231

  19. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9

  20. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign, pp. 349–390. ISC, Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1

  21. Hu, Y., Wang, B., He, W.: NTRUSign with a new perturbation. IEEE Trans. Inf. Theory 54(7), 3216–3221 (2008). https://doi.org/10.1109/TIT.2008.924662

  22. Lin, X., et al.: Cryptanalysis of the Peregrine lattice-based signature scheme. Cryptology ePrint Archive, Report 2023/1628 (2023). https://eprint.iacr.org/2023/1628

  23. MATZOV: Report on the security of LWE: Improved dual lattice attack (2022). https://doi.org/10.5281/zenodo.6412487

  24. National Institute of Standards and Technology: NIST post-quantum cryptography standardization process (2016). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions

  25. National Institute of Standards and Technology: NIST post-quantum cryptography standardization process: Additional signatures (2023). https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures

  26. Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17

  27. Plantard, T., Sipasseuth, A., Dumondelle, C., Susilo, W.: DRS. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-1-submissions

  28. Postlethwaite, E.W., Virdia, F.: On the success probability of solving unique SVP via BKZ. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 68–98. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_4

  29. Prest, T.: A key-recovery attack against Mitaka in the \(t\)-probing model. In: Boldyreva, A., Kolesnikov, V. (eds.) PKC 2023, Part I. LNCS, vol. 13940, pp. 205–220. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-31368-4_8

  30. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

  31. Ritterhoff, S., et al.: FuLeeca. Technical report, National Institute of Standards and Technology (2023). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/FuLeeca-spec-web.pdf

  32. Ritterhoff, S., et al.: FuLeeca: a Lee-based signature scheme. In: Esser, A., Santini, P. (eds.) CBCrypto 2023. LNCS, vol. 14311, pp. 56–83. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-46495-9_4

  33. Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). https://doi.org/10.1007/BF01581144

  34. Seo, E.Y., Kim, Y.S., Lee, J.W., No, J.S.: Peregrine: toward fastest FALCON based on GPV framework. Cryptology ePrint Archive, Report 2022/1495 (2022). https://eprint.iacr.org/2022/1495

  35. Sommer, N., Feder, M., Shalvi, O.: Finding the closest lattice point by iterative slicing. SIAM J. Discret. Math. 23(2), 715–731 (2009). https://doi.org/10.1137/060676362

  36. Yu, Y., Ducas, L.: Learning strikes again: the case of the DRS signature scheme. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 525–543. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-03329-3_18

Acknowledgments

Experiments presented in this paper were carried out using the PlaFRIM experimental testbed, supported by Inria, CNRS (LABRI and IMB), Université de Bordeaux, Bordeaux INP and Conseil Régional d’Aquitaine. W. van Woerden was supported by the CHARM ANR-NSF grant (ANR-21-CE94-0003).

Corresponding author

Correspondence to Felicitas Hörmann.

Copyright information

© 2024 International Association for Cryptologic Research

Cite this paper

Hörmann, F., van Woerden, W. (2024). FuLeakage: Breaking FuLeeca by Learning Attacks. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14925. Springer, Cham. https://doi.org/10.1007/978-3-031-68391-6_8

  • DOI: https://doi.org/10.1007/978-3-031-68391-6_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-68390-9

  • Online ISBN: 978-3-031-68391-6