Lattice Reduction Meets Key-Mismatch: New Misuse Attack on Lattice-Based NIST Candidate KEMs
Resistance to key misuse attacks is a vital property for key encapsulation mechanisms (KEMs) in the NIST PQC standardization process. In a key mismatch attack, the adversary recovers a reused secret key with the help of an oracle that indicates whether the shared key matches or not. A key mismatch attack is more powerful when fewer oracle queries are required. A series of works have tried to reduce the number of queries; Qin et al. [ASIACRYPT 2021] gave a systematic approach to finding a lower bound on oracle queries for a category of KEMs, including NIST's third-round candidates Kyber and Saber.
In this paper, we find that the aforementioned bound can be bypassed by combining Qin et al.'s (ASIACRYPT 2021) key mismatch attack with a standard lattice attack.
In particular, we explicitly build the relationship between the number of queries to the oracle and the bit security of the lattice-based KEMs. Our attack is inspired by the fact that each oracle query reveals partial information about the reused secret and affects the mean and covariance parameters of the secret, making the lattice attack easier. In addition, we quantify this effect in theory and estimate the security loss for all NIST second-round candidate KEMs. Specifically, our improved attack reduces the number of queries for Kyber512 by 34%, from 1312 queries with bit security 107 to 865 with bit security 32. For Kyber768 and Kyber1024, our improved attack reduces the number of queries by 29% and 27% respectively, with bit security 32.
Light the Signal: Optimization of Signal Leakage Attacks against LWE-Based Key Exchange
Key exchange protocols from the learning with errors (LWE) problem share many similarities with the Diffie-Hellman-Merkle (DHM) protocol, which plays a central role in securing our Internet. Therefore, there has been a long-standing effort to design authenticated key exchange directly from LWE to mirror the advantages of DHM-based protocols. In this paper, we revisit signal leakage attacks and show that the severity of these attacks against LWE-based (authenticated) key exchange is still underestimated.
In particular, by converting the problem of launching a signal leakage attack into a coding problem, we can significantly reduce the number of queries needed to reveal the secret key. Specifically, for DXL-KE we reduce the queries from 1,266 to only 29, while for DBS-KE we need only 748 queries, a great improvement over the previous 1,074,434 queries. Moreover, our new view of signals as binary codes makes it easier to recognize vulnerable schemes. As such, we completely recover the secret key of a password-based authenticated key exchange scheme by Dabra et al. with only 757 queries and partially reveal the secret used in a two-factor authentication scheme by Wang et al. with only one query. The experimental evaluation supports our theoretical analysis and demonstrates the efficiency and effectiveness of our attacks. Our results caution against underestimating the power of signal leakage attacks, as they are applicable even in settings with a very restricted number of interactions between adversary and victim.
Do Not Bound to a Single Position: Near-Optimal Multi-Positional Mismatch Attacks Against Kyber and Saber
Misuse resilience is an important security criterion in the evaluation of the NIST post-quantum cryptography standardization process. In this paper, we propose new key mismatch attacks against Kyber and Saber, NIST's selected scheme for encryption and one of the finalists in the third round of the NIST competition, respectively. Our novel idea is to recover partial information about multiple secret entries in each mismatch oracle call. These multi-positional attacks greatly reduce the expected number of oracle calls needed to fully recover the secret key. They also have significance in side-channel analysis.
From the perspective of lower bounds, our new attacks falsify the Huffman bounds proposed in [Qin et al. ASIACRYPT 2021], where a one-positional mismatch adversary is assumed. Our new attacks can be bounded by the Shannon lower bounds, i.e., the entropy of the distribution generating each secret coefficient times the number of secret entries. We call the new attacks near-optimal since their query complexities are close to the Shannon lower bounds.
Extended Security of Lattice-Based Cryptography (Sécurité étendue de la cryptographie fondée sur les réseaux euclidiens)
Lattice-based cryptography is considered a quantum-safe alternative for the replacement of currently deployed schemes based on RSA and the discrete logarithm on prime fields or elliptic curves. It offers strong theoretical security guarantees, a large array of achievable primitives, and a competitive level of efficiency. Nowadays, in the context of the NIST post-quantum standardization process, future standards may ultimately be chosen, and several new lattice-based schemes are high-profile candidates. The cryptographic research community has been encouraged to analyze lattice-based cryptosystems, with a particular focus on practical aspects. This thesis is rooted in this effort.

In addition to black-box cryptanalysis with classical computing resources, we investigate the extended security of these new lattice-based cryptosystems, employing a broad spectrum of attack models, e.g. quantum, misuse, timing or physical attacks. Accounting for the fact that these models have already been applied to a large variety of pre-quantum asymmetric and symmetric schemes, we concentrate our efforts on leveraging and addressing the new features introduced by lattice structures. Our contribution is twofold: defensive, i.e. countermeasures for implementations of lattice-based schemes, and offensive, i.e. cryptanalysis.

On the defensive side, in view of the numerous recent timing and physical attacks, we wear our designer's hat and investigate algorithmic protections. We introduce new algorithmic and mathematical tools to construct provable algorithmic countermeasures in order to systematically prevent all timing and physical attacks. We thus participate in the actual provable protection of the GLP, BLISS, qTesla and Falcon lattice-based signature schemes.

On the offensive side, we estimate the applicability and complexity of novel attacks leveraging the lack of perfect correctness introduced in certain lattice-based encryption schemes to improve their performance. We show that such a compromise may enable decryption failure attacks in a misuse or quantum model. We finally introduce an algorithmic cryptanalysis tool that assesses the security of the mathematical problem underlying lattice-based schemes when partial knowledge of the secret is available. The usefulness of this new framework is demonstrated with the improvement and automation of several known classical, decryption-failure, and side-channel attacks.

Lattice-based cryptography represents a promising alternative to the asymmetric cryptography in use today, owing to its presumed resistance to a universal quantum computer. This new family of asymmetric schemes has several strengths, among them strong theoretical security guarantees, a wide choice of primitives and, for some of its representatives, performance comparable to current standards. A post-quantum standardization campaign organized by NIST is under way, and several schemes using Euclidean lattices are among the favourites. The scientific community has been encouraged to analyze them, since they could in the future be deployed in all our systems. The goal of this thesis is to contribute to that effort.

We study the security of these new cryptosystems not only in the sense of their resistance to "black-box" cryptanalysis using classical computing resources, but also across a broader spectrum of security models, such as quantum attacks, attacks that assume misuse, and side-channel attacks. These different types of attacks have already been extensively formalized and studied in the past for pre-quantum asymmetric and symmetric schemes. In this dissertation, we analyze their application to the new structures induced by Euclidean lattices.

Our work is divided into two complementary parts: countermeasures and attacks. The first part gathers our contributions to the current effort to design new algorithmic protections in response to the many recent publications of side-channel attacks. The team work we took part in led to the introduction of new mathematical tools for constructing algorithmic countermeasures, backed by formal proofs, that systematically prevent physical attacks and timing attacks. We thus participated in the protection of several lattice-based signature schemes such as GLP, BLISS, qTesla and Falcon.

In a second part devoted to cryptanalysis, we first study new attacks that exploit the fact that certain public-key encryption or key-establishment schemes can fail with a small probability. These failures are in fact weakly correlated with the secret. Our work exhibited so-called "decryption failure" attacks in misuse models or quantum models. We also introduced an algorithmic cryptanalysis tool for estimating the security of the underlying mathematical problem when partial information about the secret is given. This tool proved useful for automating and improving several known attacks, such as decryption failure attacks, classical attacks, and side-channel attacks.
Towards Post-Quantum Security for Signal's X3DH Handshake
Modern key exchange protocols are usually based on the Diffie-Hellman (DH) primitive. The beauty of this primitive, among other things, is the potential reuse of key shares: DH shares can be used either a single time or in multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot necessarily be deployed as an immediate DH substitute in protocols.
In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions for split KEMs and show how the formalism lends itself to lifting Signal's X3DH handshake to the post-quantum KEM setting without additional message flows.
Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial. We give passively secure instantiations from (R)LWE, yet overcoming the above-mentioned insecurities under key reuse in the presence of active adversaries remains an open problem. Approaching one-sided key reuse, we provide a split KEM instantiation that allows such reuse based on the KEM introduced by Kiltz (PKC 2007), which may serve as a post-quantum blueprint if the underlying hardness assumption (gap hashed Diffie-Hellman) holds for the commutative group action of CSIDH (Asiacrypt 2018).
The intention of this paper is hence to raise awareness of the challenges arising when moving to KEM-based key exchange protocols with key reusability, and to propose split KEMs as a specific target for instantiation in future research.
Belief Propagation Meets Lattice Reduction: Security Estimates for Error-Tolerant Key Recovery from Decryption Errors
In LWE-based KEMs, observed decryption errors leak information about the secret key in the form of equations or inequalities. Several practical fault attacks have already exploited such leakage, either by directly applying a fault or by enabling a chosen-ciphertext attack using a fault. When the leaked information is in the form of inequalities, recovering the secret key is not trivial. Recent methods use either statistical or algebraic methods (but not both), with some being able to handle incorrect information. Bearing in mind that the integration of side-channel information is a crucial part of several classes of implementation attacks on LWE-based schemes, it is an important question whether statistically processed information can be successfully integrated into lattice reduction algorithms.
We answer this question positively by proposing an error-tolerant combination of statistical and algebraic methods that makes use of the advantages of both approaches. The combination enables us to improve upon existing methods: we use fewer inequalities and are more resistant to errors. We further provide precise security estimates based on the number of available inequalities.
Our recovery method applies to several types of implementation attacks in which decryption errors are used in a chosen-ciphertext attack. We practically demonstrate the improved performance of our approach in a key-recovery attack against Kyber with fault-induced decryption errors.
Decryption Failure Attacks on Post-Quantum Cryptography
This dissertation mainly discusses new cryptanalytical results related to issues of securely implementing the next generation of asymmetric cryptography, or Public-Key Cryptography (PKC). PKC, as it has been deployed until today, depends heavily on the integer factorization and discrete logarithm problems. Unfortunately, it has been well known since the mid-90s that these mathematical problems can be solved using Peter Shor's algorithm for quantum computers, which finds the answers in polynomial time. The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community towards a major shift of focus.

A project towards standardization of Post-quantum Cryptography (PQC) was launched by the US-based standardization organization NIST. PQC is the name given to algorithms designed to run on classical hardware/software whilst being resistant to attacks from quantum computers. PQC is well suited to replacing the current asymmetric schemes. A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC. For public key encryption (PKE) or digital signature (DS) schemes to be considered secure, they must be shown to rely heavily on well-known mathematical problems, with theoretical proofs of security under established models such as indistinguishability under chosen ciphertext attack (IND-CCA). Also, they must withstand serious attack attempts by well-renowned cryptographers, both concerning theoretical security and the actual software/hardware instantiations. It is well known that security models such as IND-CCA are not designed to capture the intricacies of inner-state leakages. Such leakages are named side-channels, which are currently a major topic of interest in the NIST PQC project.

This dissertation focuses on two things, in general: 1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates? And 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations? Of main concern are PQC algorithms based on lattice theory and coding theory. The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation of a part of a PQC scheme, and some more theoretical cryptanalytical results.
Post-quantum WireGuard
In this paper we present PQ-WireGuard, a post-quantum variant of the handshake in the WireGuard VPN protocol (NDSS 2017). Unlike most previous work on post-quantum security for real-world protocols, this variant considers not only post-quantum confidentiality (or forward secrecy) but also post-quantum authentication. To achieve this, we replace the Diffie-Hellman-based handshake with a more generic approach using only key encapsulation mechanisms (KEMs). We establish the security of PQ-WireGuard by adapting the security proofs for WireGuard in the symbolic model and in the standard model to our construction.
We then instantiate this generic construction with concrete post-quantum secure KEMs, which we carefully select to achieve high security and speed. We demonstrate the competitiveness of PQ-WireGuard by presenting extensive benchmarking results in comparison with widely deployed VPN solutions.
Leg Ulcer Outcomes
Background
Venous disease is the most common cause of leg ulceration. Treatment of superficial venous reflux has been shown to reduce the rate of ulcer recurrence, but the effect of early endovenous ablation of superficial venous reflux on ulcer healing remains unclear. It is generally accepted that there is considerable global variation in the management of leg ulcers.
Objectives
To determine: the clinical and cost-effectiveness of early endovenous treatment of superficial venous reflux in addition to standard care, compared to standard care alone, in patients with venous ulceration; and the current standards of global management of venous leg ulceration and the impact on these following the results of the randomised controlled trial.
Methods
i. The Early Venous Reflux Ablation Trial (EVRA), a multi-centre randomised clinical trial of 450 participants, compared early versus deferred intervention at 12 months and at 3.5 years.
ii. Health professionals treating patients with leg ulcers globally were surveyed before and after the publication of the RCT results to gain insight into the management of venous leg ulceration and the subsequent impact on practice.
Results
i. EVRA: time to ulcer healing was shorter in the early group at 12 months; no clear difference in time to first ulcer recurrence at 3.5 years; early intervention at 3 years is 91% likely to be cost-effective at £20,000/QALY.
ii. Surveys: Pre/post-EVRA UK primary care: 90/643 responses received; Pre/post-EVRA global clinicians: 799/644 responses were received.
Conclusions
The EVRA RCT showed that early intervention reduces the time to healing of venous leg ulcers, does not affect the time to recurrent ulceration but is highly likely to be cost-effective, and therefore is beneficial for both patients and healthcare providers. The surveys demonstrated that the management of venous ulceration is disparate globally. It is likely that the EVRA RCT results influenced the timing of intervention worldwide.
The Cost of Domestic Violence
Domestic violence has devastating consequences for both the individual victim and wider society. It drains the resources of public and voluntary services and of employers, and causes untold pain and suffering to those who are abused. This report addresses one aspect of domestic violence, the cost, for a range of people and social institutions. While considerations of justice and fairness provide a sufficient basis for public intervention into domestic violence, a better understanding of the full cost of domestic violence provides the basis for action within an additional policy framework, that of finance. Adding a financial dimension increases the range of ways in which policy interventions can be articulated, measured and evaluated. In particular, it may assist in addressing spending priorities. This is complementary to policy frameworks based on need and justice.