How Dangerous are Decryption Failures in Lattice-based Encryption?
Jan-Pieter D'Anvers, 20 November 2019

1 Outline
1 Introduction
2 How to find 1st failure
3 How to find next failure
4 Recovering the secret
5 Conclusion
1 LWE hard problem
◮ LWE problem
◮ $\mathbf{A} \leftarrow U(\mathbb{Z}_q^{n \times n})$
◮ $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$
◮ $(\mathbf{A},\ \mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e})$
1 LWE based encryption
Alice:
  $\mathbf{A} \leftarrow U(\mathbb{Z}_q^{n \times n})$
  $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$
  $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $\mathbf{s}', \mathbf{e}', \mathbf{e}'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$
  $\mathbf{b}' = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$
  $v' = \mathbf{b}^T \cdot \mathbf{s}' + \mathbf{e}'' + \lfloor \tfrac{q}{2} \rceil m$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}'^T \cdot \mathbf{s}$
  $m' = \lfloor \tfrac{2}{q}(v' - v) \rceil$
  $m' = \lfloor \tfrac{2}{q}(\mathbf{s}'^T\mathbf{A}\mathbf{s} + \mathbf{e}^T\mathbf{s}' + \mathbf{e}'' + \lfloor \tfrac{q}{2} \rceil m - \mathbf{s}'^T\mathbf{A}\mathbf{s} - \mathbf{e}'^T\mathbf{s}) \rceil$
  the two $\mathbf{s}'^T\mathbf{A}\mathbf{s}$ terms cancel:
  $m' = \lfloor \tfrac{2}{q}(\mathbf{e}^T\mathbf{s}' + \mathbf{e}'' + \lfloor \tfrac{q}{2} \rceil m - \mathbf{e}'^T\mathbf{s}) \rceil$
1 Failures
◮ failure if: $\|\mathbf{e}^T\mathbf{s}' + \mathbf{e}'' - \mathbf{e}'^T\mathbf{s}\|_\infty \geq \frac{q}{4}$
◮ typically small failure probability $\delta \approx 2^{-128}$
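The scheme and failure condition above, as an added Python example (not code from the talk): a toy LWE encryption with q = 3329, n = 256 and k = 1 (one bit), with "small" coefficients drawn uniformly from [-2, 2]; these parameters are constructed for illustration and are not those of any real scheme. It computes the error term $\mathbf{e}^T\mathbf{s}' + \mathbf{e}'' - \mathbf{e}'^T\mathbf{s}$ that survives the cancellation and checks it against q/4.

```python
import random

# Toy parameters, constructed for illustration only (q happens to be Kyber's modulus)
Q = 3329     # modulus
N = 256      # LWE dimension
ETA = 2      # "small" coefficients are drawn uniformly from [-ETA, ETA]

def small(rng):
    return [rng.randint(-ETA, ETA) for _ in range(N)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def matvec(A, x):
    return [dot(row, x) % Q for row in A]

def center(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen(rng):
    """Alice: A <- U(Z_q^{n x n}), s, e <- small, b = A s + e."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small(rng), small(rng)
    b = [(x + y) % Q for x, y in zip(matvec(A, s), e)]
    return (A, b), (s, e)

def encrypt(pk, m, rng):
    """Bob: s', e', e'' <- small, b' = A^T s' + e', v' = b^T s' + e'' + round(q/2) m.
    The coins are returned too, only so that the error term can be inspected."""
    A, b = pk
    s1, e1, e2 = small(rng), small(rng), rng.randint(-ETA, ETA)
    At = [list(col) for col in zip(*A)]
    b1 = [(x + y) % Q for x, y in zip(matvec(At, s1), e1)]
    v1 = (dot(b, s1) + e2 + ((Q + 1) // 2) * m) % Q
    return (b1, v1), (s1, e1, e2)

def decrypt(sk, ct):
    """Alice: v = b'^T s, m' = round((2/q)(v' - v))."""
    s, _ = sk
    b1, v1 = ct
    return round(2 * center(v1 - dot(b1, s)) / Q) % 2

def error_term(sk, coins):
    """e^T s' + e'' - e'^T s: what is left once the s'^T A s terms cancel."""
    s, e = sk
    s1, e1, e2 = coins
    return center(dot(e, s1) + e2 - dot(e1, s))

def decryption_fails(sk, coins):
    """Decryption fails exactly when the error term reaches q/4 in absolute value."""
    return abs(error_term(sk, coins)) >= Q / 4
```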
1 How calculated
◮ calculate some bounds
◮ assume Gaussian and calculate $\sigma$ and $\mu$
◮ calculate pdf exhaustively
1 Variations
◮ polynomials, vectors/matrices of polynomials over $\mathbb{Z}_q[X]/(X^n + 1)$
◮ learning with rounding
◮ NTRU version, Mersenne prime, ThreeBears
1 Chosen ciphertext attacks
◮ easy to attack with chosen ciphertexts
◮ we cannot check whether the adversary generated its ciphertexts honestly
1 FO-transform
Alice:
  $\mathbf{A} \leftarrow U(\mathbb{Z}_q^{n \times n})$
  $\mathbf{s}, \mathbf{e} \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k})$
  $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$
Alice → Bob: $\mathbf{b}, \mathbf{A}$
Bob:
  $m \leftarrow U(\{0,1\}^{256})$
  $\mathbf{s}', \mathbf{e}', \mathbf{e}'' \leftarrow \mathrm{small}(\mathbb{Z}_q^{n \times k};\ H(m))$  (randomness derived from $H(m)$)
  $\mathbf{b}' = \mathbf{A}^T \cdot \mathbf{s}' + \mathbf{e}'$
  $v' = \mathbf{b}^T \cdot \mathbf{s}' + \mathbf{e}'' + \lfloor \tfrac{q}{2} \rceil m$
Bob → Alice: $\mathbf{b}', v'$
Alice:
  $v = \mathbf{b}'^T \cdot \mathbf{s}$
  $m' = \lfloor \tfrac{2}{q}(v' - v) \rceil$
  $\mathrm{check}(m', \mathbf{b}', v')$  (re-encrypt $m'$ and compare with the received ciphertext)
1 Error term
◮ let's group secret and ciphertext terms:
  $\mathbf{S} = \begin{pmatrix} -\mathbf{s} \\ \mathbf{e} \end{pmatrix}$, $\quad \mathbf{C} = \begin{pmatrix} \mathbf{e}' \\ \mathbf{s}' \end{pmatrix}$
◮ failure if: $\|\mathbf{S}^T\mathbf{C} + \mathbf{e}''\|_\infty \geq \frac{q}{4}$
2 Attack model
◮ precomputation: Grover's algorithm
◮ only classical access to decryption oracle
2 Failure boosting
◮ find weak ciphertexts ($\alpha$)
  - generate ciphertext
  - estimate failure probability
  - accept if higher than $f_t$
◮ query weak ciphertexts ($\beta$)
◮ general model for schemes with decryption failures
◮ works if:
  - the failure probability of a ciphertext can be estimated
  - the estimated failure probability differs between ciphertexts
2 Failure boosting technical
◮ $\alpha = P[p_e(c) > f_t]$: probability of finding a weak ciphertext
◮ $\beta = P[c \text{ fails} \mid p_e(c) > f_t]$: failure probability of a weak ciphertext
2 Lattice based schemes: simple case
◮ $\|\mathbf{S}^T\mathbf{C} + \mathbf{e}''\|_\infty \geq \frac{q}{4}$
◮ $|\mathbf{S}^T\mathbf{C}| \geq \frac{q}{4}$
◮ $\|\mathbf{S}\|_2 \|\mathbf{C}\|_2 |\cos(\theta)| \geq \frac{q}{4}$
2 Lattice based schemes: matrices
◮ $\|\mathbf{S}^T\mathbf{C}\|_\infty \geq \frac{q}{4}$
◮ Gaussian assumption
◮ $\mu = 0$
◮ $\sigma^2 = \mathrm{Var}\big((\mathbf{S}^T\mathbf{C})_{ij}\big) = \mathrm{Var}\Big(\sum_k \mathbf{S}_{kj}\mathbf{C}_{ki}\Big) = \sum_k \mathbf{C}_{ki}^2 \cdot \mathrm{Var}(\mathbf{S}_{kj}) = \|\mathbf{C}_{k:}\|_2^2 \cdot \sigma_s^2$
2 How to calculate
l      P[||C||_2 = l]    P[fail | ||C||_2 = l]
100    2^-30             2^-100
101    2^-30             2^-99
102    2^-29             2^-98
103    2^-29             2^-97
◮ the second column (summed over the rows accepted as weak) gives $\alpha$, the third (averaged over those rows) gives $\beta$
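The Gaussian-assumption estimate from the matrices slide and the α/β computation on the table above, as an added Python example (not code from the talk). It takes the per-coefficient variance $\|\mathbf{C}_{k:}\|_2^2 \sigma_s^2$ as norm_c² σ_s², uses the four table rows shown on the slide, and assumes the classical setting for the work figures 1/α and 1/(αβ); from the designer's side this is the calculation that shows how much margin a claimed δ leaves against high-norm ciphertexts.

```python
import math

def coeff_failure_prob(norm_c, sigma_s, q):
    """P[|(S^T C)_ij| >= q/4] for one coefficient under the Gaussian assumption:
    (S^T C)_ij = sum_k S_kj C_ki has mean 0 and variance ||C_k:||_2^2 * sigma_s^2,
    so it is modelled as N(0, (norm_c * sigma_s)^2)."""
    sigma = norm_c * sigma_s
    return math.erfc((q / 4) / (sigma * math.sqrt(2)))   # two-sided tail beyond q/4

def ciphertext_failure_prob(norm_c, sigma_s, q, n_coeffs):
    """P[||S^T C||_inf >= q/4]: the ciphertext fails if any of its n_coeffs
    coefficients does (coefficients treated as independent); log1p/expm1 keep
    precision when p is around 2^-100."""
    p = coeff_failure_prob(norm_c, sigma_s, q)
    return -math.expm1(n_coeffs * math.log1p(-p))

def failure_boosting(table, ft):
    """Rows are (P[||C||_2 = l], P[fail | ||C||_2 = l]) as on the slide. A
    ciphertext is weak when its estimated failure probability exceeds ft.
    Returns alpha = P[weak] and beta = P[fail | weak]."""
    weak = [(pl, pf) for pl, pf in table if pf > ft]
    alpha = sum(pl for pl, _ in weak)
    if alpha == 0:
        return 0.0, 0.0
    beta = sum(pl * pf for pl, pf in weak) / alpha
    return alpha, beta

def attack_work(alpha, beta):
    """Classical (non-Grover) cost: 1/alpha work per weak ciphertext and
    1/(alpha*beta) expected total work per failure. A parameter set is only
    comfortable if both exceed the claimed security level."""
    return 1 / alpha, 1 / (alpha * beta)

# The four rows shown on the 'How to calculate' slide (l = 100 .. 103).
SLIDE_TABLE = [(2**-30, 2**-100), (2**-30, 2**-99), (2**-29, 2**-98), (2**-29, 2**-97)]
```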
[Figure: total work to generate a failure ($1/(\alpha\beta)$) versus work to generate one weak sample ($1/\alpha$), for Kyber768, FrodoKEM-976, LAC-256, Saber and LizardCat3]
[Figure: total work to generate a failure ($1/(\alpha\beta)$) versus weak ciphertext failure rate ($\beta$), for Kyber768, FrodoKEM-976, LAC-256, Saber and LizardCat3]
3 Failure boosting
◮ $\mathbf{S}^T\mathbf{C} = \|\mathbf{S}\|_2 \cdot \|\mathbf{C}\|_2 \cos\theta$
[Figures: illustrations labelled $\delta$, $\alpha$ and $\alpha\beta$; no further text recoverable]
3 Find next failures
◮ $|\mathbf{S}^T\mathbf{C}| \geq \frac{q}{4}$
◮ $\mathbf{E}$: an estimate of $\mathbf{S}$; split $\mathbf{S}$ and $\mathbf{C}$ into the component along $\mathbf{E}$ (subscript $\parallel$) and the orthogonal component (subscript $\perp$)
◮ $|\mathbf{S}_{\parallel}^T\mathbf{C}_{\parallel} + \mathbf{S}_{\perp}^T\mathbf{C}_{\perp} + \mathbf{S}_{\parallel}^T\mathbf{C}_{\perp} + \mathbf{S}_{\perp}^T\mathbf{C}_{\parallel}| \geq \frac{q}{4}$
◮ dropping the mixed terms: $|\mathbf{S}_{\parallel}^T\mathbf{C}_{\parallel} + \mathbf{S}_{\perp}^T\mathbf{C}_{\perp}| \geq \frac{q}{4}$
◮ $\big|\,\|\mathbf{S}_{\parallel}\|_2 \cdot \|\mathbf{C}_{\parallel}\|_2 + \|\mathbf{S}_{\perp}\|_2 \cdot \|\mathbf{C}_{\perp}\|_2 \cos(t)\,\big| \geq \frac{q}{4}$
◮ $\big|\,\|\mathbf{S}\|_2 \cdot \|\mathbf{C}\|_2 \cos(\theta_{SE})\cos(\theta_{CE}) + \|\mathbf{S}\|_2 \cdot \|\mathbf{C}\|_2 \sin(\theta_{SE})\sin(\theta_{CE})\cos(t)\,\big| \geq \frac{q}{4}$
◮ $P\left[\cos(t) \geq \dfrac{q/4 - \|\mathbf{S}\|_2 \cdot \|\mathbf{C}\|_2 \cos(\theta_{SE})\cos(\theta_{CE})}{\|\mathbf{S}\|_2 \cdot \|\mathbf{C}\|_2 \sin(\theta_{SE})\sin(\theta_{CE})}\right]$
◮ $\|\mathbf{S}\|_2$: independent of ciphertext
◮ $\cos(\theta_{SE})$: independent of ciphertext, depends on how good $\mathbf{E}$ is
◮ $\cos(t)$: independent of ciphertext
◮ $\|\mathbf{C}\|_2$, $\cos(\theta_{CE})$: ciphertext dependent
[Figure: failure probability of ciphertexts as a function of $\|\mathbf{C}\|_2$ and $\cos(\theta_{CE})$, colour scale from $2^{-240}$ to $2^{-20}$]
[Figure: experimental failure probability as a function of $\|\mathbf{C}\|_2$ and $\cos(\theta_{CE})$]
3 problem with matrices/polynomials
◮ $\|\mathbf{S}^T\mathbf{C}\|_\infty \geq \frac{q}{4}$
◮ how to use this vector notation?
◮ what coefficient/position failed?
3 problem with matrices/polynomials
for a ring $\mathbb{Z}_q[X]/(X^n + 1)$, illustrated with three coefficients:
$\mathbf{S} = \begin{pmatrix} s_{0,0} + s_{0,1}X + s_{0,2}X^2 \\ s_{1,0} + s_{1,1}X + s_{1,2}X^2 \end{pmatrix}, \quad \mathbf{C} = \begin{pmatrix} c_{0,0} + c_{0,1}X + c_{0,2}X^2 \\ c_{1,0} + c_{1,1}X + c_{1,2}X^2 \end{pmatrix} \quad (1)$
written as coefficient matrices:
$\mathbf{S} = \begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} \\ s_{1,0} & s_{1,1} & s_{1,2} \end{pmatrix}$,
$\mathbf{C}^{(0)} = \begin{pmatrix} c_{0,0} & -c_{0,2} & -c_{0,1} \\ c_{1,0} & -c_{1,2} & -c_{1,1} \end{pmatrix}$,
$\mathbf{C}^{(1)} = \begin{pmatrix} c_{0,1} & c_{0,0} & -c_{0,2} \\ c_{1,1} & c_{1,0} & -c_{1,2} \end{pmatrix}$,
$\mathbf{C}^{(3)} = \begin{pmatrix} -c_{0,0} & c_{0,2} & c_{0,1} \\ -c_{1,0} & c_{1,2} & c_{1,1} \end{pmatrix}$
$\mathbf{C}^{(r)}$: $C \to X^r C(X^{-1})$
3 problem with matrices/polynomials
◮ $\mathbf{S}^T\mathbf{C}^{(r)} \geq q/4$ for $r \in [0, 2N - 1]$
◮ what r value is responsible for the failure?
◮ how to construct $\mathbf{E}$?
◮ for 1 ciphertext: does not matter
  - $\mathbf{C}$ fails at r = 5
  - we think r = 0
  - now we find a $\mathbf{C}^*$ such that $\mathbf{C}^{*(0)}$ is aligned with $\mathbf{C}^{(0)}$
◮ for 2 ciphertexts: does matter!
  - we need the relative position
3 finding relative positions
◮ fix $r_1 = 0$ and thus $\mathbf{C}_1^{(0)}$
◮ we know $\mathbf{S}^T\mathbf{C}_1^{(0)} \geq q/4$ and $\mathbf{S}^T\mathbf{C}_2^{(r_2)} \geq q/4$
◮ both $\mathbf{C}_1^{(0)}$ and $\mathbf{C}_2^{(r_2)}$ are correlated with $\mathbf{S}$
3 finding relative positions
[Figure: probability density function of $\mathbf{C}^{(r)}$ for the different r values]
3 finding relative positions
beliefs per ciphertext (relative positions r = 0 .. 5) and pairwise messages:
C0: b0(r=0) = 1, b0(r=1) = 0, b0(r=2) = 0, b0(r=3) = 0, b0(r=4) = 0, b0(r=5) = 0
C1: b1(r=0) = 0.1, b1(r=1) = 0.4, b1(r=2) = 0.3, b1(r=3) = 0, b1(r=4) = 0.2, b1(r=5) = 0
C2: b2(r=0) = 0.1, b2(r=1) = 0.1, b2(r=2) = 0.2, b2(r=3) = 0.4, b2(r=4) = 0.1, b2(r=5) = 0.1
m0,1(0,1) = 0.4, m0,1(0,2) = 0.3, m0,2(0,3) = 0.4, m1,2(1,3) = 0.2, m1,2(2,3) = 0.4, ...
3 finding relative positions
ciphertexts    2        3        4          5
P[success]     84.0%    95.6%    > 99.0%    > 99.0%
[Figure: work/queries to obtain next ciphertexts, as a function of the number of available failing ciphertexts (work and query curves)]
[Figure: work to obtain n ciphertexts, this method versus the traditional approach]
[Figure: total work to generate a failure ($1/(\alpha\beta)$) versus weak ciphertext failure rate ($\beta$), with no extra info and with 1, 2 and 3 failing ciphertexts]
[Figure: work/queries to obtain next ciphertexts, as a function of the number of available failing ciphertexts]
4 Recovering the secret
◮ we have an estimate $\mathbf{E}$ of $\mathbf{S}$
◮ $\mathbf{E} = \begin{pmatrix} -\mathbf{s}^* \\ \mathbf{e}^* \end{pmatrix}$
◮ LWE problem $(\mathbf{A},\ \mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e})$
◮ simplify: $\mathbf{b}^* = (\mathbf{A} \cdot \mathbf{s} + \mathbf{e}) - (\mathbf{A} \cdot \mathbf{s}^* + \mathbf{e}^*)$
◮ $\mathbf{b}^* = \mathbf{A} \cdot (\mathbf{s} - \mathbf{s}^*) + (\mathbf{e} - \mathbf{e}^*)$