HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

Similar documents
Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Cryptanalysis of NISTPQC submissions

Message Authentication Codes (MACs)

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Public Key Cryptography

ECS 189A Final Cryptography Spring 2011

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Cryptography and Security Final Exam

Modern Cryptography Lecture 4

MATH 158 FINAL EXAM 20 DECEMBER 2016

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Markku-Juhani O. Saarinen

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Notes 10: Public-key cryptography

From NewHope to Kyber. Peter Schwabe April 7, 2017

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Historical cryptography. cryptography encryption main applications: military and diplomacy

CRYPTANALYSIS OF COMPACT-LWE

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Public-key Cryptography and elliptic curves

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Applied cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Attacking and defending the McEliece cryptosystem

CS 6260 Applied Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

RSA-OAEP and Cramer-Shoup

Tanja Lange Technische Universiteit Eindhoven

RSA RSA public key cryptosystem

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Akelarre. Akelarre 1

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Simple SK-ID-KEM 1. 1 Introduction

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 5, CPA Secure Encryption from PRFs

Asymmetric Encryption

1 Number Theory Basics

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Computing on Encrypted Data

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

ASYMMETRIC ENCRYPTION

Cryptography and Security Midterm Exam

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Leakage Resilient ElGamal Encryption

Lecture Note 3 Date:

Homework 4 for Modular Arithmetic: The RSA Cipher

Open problems in lattice-based cryptography

Other Public-Key Cryptosystems

Public Key Cryptography

The Cramer-Shoup Cryptosystem

Block ciphers And modes of operation. Table of contents

Noisy Diffie-Hellman protocols

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

CS 6260 Applied Cryptography

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Lecture 11: Key Agreement

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Public-key Cryptography and elliptic curves

Question: Total Points: Score:

A New Paradigm of Hybrid Encryption Scheme

Advanced Topics in Cryptography

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 22: RSA Encryption. RSA Encryption

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven. Tanja Lange Technische Universiteit Eindhoven

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Public-Key Cryptosystems CHAPTER 4

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Public Key Cryptography

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

14 Diffie-Hellman Key Agreement

On Homomorphic Encryption and Secure Computation

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

arxiv: v2 [cs.cr] 14 Feb 2018

Post-Quantum Cryptography

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Introduction to Cryptography. Lecture 8

True & Deterministic Random Number Generators

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Overview. Public Key Algorithms II

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Transcription:

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2 Technische Universiteit Eindhoven Marrakesh, 07 May 2018 1 / 20

Motivation HILA5 is a RLWE-based KEM submitted to NISTPQC. This design also provides IND-CCA secure KEM-DEM public key encryption if used in conjunction with an appropriate AEAD such as NIST approved AES256-GCM. HILA5 NIST submission document (v1.0) Decapsulation much faster than encapsulation (and faster than any other scheme). No mention of a CCA transform (e.g. Fujisaki Okamoto). 2 / 20

Noisy Diffie Hellman degree n Have a ring R = Z[x]/(q, ϕ) where q Z and ϕ Z[x]. 1 Let χ be a narrow distribution around 0 R. Fix some random element g R. a, e χ n b, e χ n A = ga + e B = gb + e S = Ba = gab + e a S = Ab = gab + eb = S S = e a eb 0 χ small 1 There exist other rings that work. 3 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q 3q/4 q/4 q/2 4 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 q/4 0 q/2 4 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 1 q/2 4 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 0 Bob: 0 q/2 4 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 0 q/2 4 / 20

Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/2 q/4 Alice: 1 Bob: 0 oops! 4 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. 5 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 5 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 5 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 5 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 0 1 5 / 20

Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 0 1 5 / 20

Fluhrer s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 6 / 20

Fluhrer s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 6 / 20

Fluhrer s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 1 1 0 0 Alice: 0 Alice: 1 6 / 20

Fluhrer s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 1 1 0 0 Alice: 0 Alice: 1 Evil Bob can distinguish these cases! (He knows all the other key bits.) 6 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. Alice Evil Bob 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Alice Evil Bob 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") I don t understand! Aborting. Alice Evil Bob 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Alice Evil Bob 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Decryption failure! Aborting. Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! 7 / 20

Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! 7 / 20

Fluhrer s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. 8 / 20

Fluhrer s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. 8 / 20

Fluhrer s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. 8 / 20

Fluhrer s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. Structure of R Can choose e such that e a[0] = a[i] to recover all of a. 8 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: 0 Alice: 1 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -8 Alice: 0 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -4 Alice: 1 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -6 Alice: 0 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 9 / 20

Fluhrer s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 = Evil Bob learns that a[0] = 5. 9 / 20

Our work Adaption of Fluhrer s attack to HILA5 and analysis 10 / 20

HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 Standard noisy Diffie Hellman with new reconciliation. 11 / 20

HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x 1024 + 1) where q = 12289. 1 Noise distribution χ: Ψ 16. 1 on { 16,..., 16} 1 same as New Hope. 11 / 20

HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x 1024 + 1) where q = 12289. 1 Noise distribution χ: Ψ 16. 1 on { 16,..., 16} New reconciliation mechanism: Only use safe bits that are far from an edge. Additionally apply an error-correcting code. 1 same as New Hope. 11 / 20

HILA5 s reconciliation For each coefficient: d = 0: Discard coefficient. d = 1: Send reconciliation information c; use for key bit k. Edges: c = 0: 3q/8... 7q/8 k = 0. 7q/8... 3q/8 k = 1. c = 1: q/8... 5q/8 k = 0. 5q/8... q/8 k = 1. (picture: HILA5 documentation) 12 / 20

HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge 13 / 20

HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge We re going to manipulate each of these parts. 13 / 20

Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. 14 / 20

Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. = Force d 0 = 1 to make Alice use it. 14 / 20

Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. 15 / 20

Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. = Force c 0 = 1. 15 / 20

Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. 16 / 20

Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. = Flip the first bit of R 0...R 4! 16 / 20

All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? 17 / 20

All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? By construction of R = Z[x]/(q, x 1024 + 1), Evil Bob can rotate a[i] into e a[0] by setting e = x 1024 i. Running the search for all i yields all coefficients of a. 17 / 20

Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? 18 / 20

Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: 18 / 20

Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 18 / 20

Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. 18 / 20

Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. If b 0 was wrong, the recovered coefficients are all 0 or 1. = easily detectable. 18 / 20

Implementation Our code 2 attacks the HILA5 reference implementation. 100% success rate in our experiments. Less than 6000 queries (virtually always). (Note: Evil Bob could recover fewer coefficients and compute the rest by solving a lattice problem of reduced dimension.) 2 https://helaas.org/hila5-20171218.tar.gz 19 / 20

Thank you! 20 / 20

Bonus slide in case somebody asks...

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback