
    Cryptanalysis of ITRU

    The ITRU cryptosystem is a public-key cryptosystem and one of the known variants of the NTRU cryptosystem. Instead of working in a truncated polynomial ring, ITRU is based on the ring of integers. Its authors claimed that ITRU has better features than classical NTRU, such as a simple parameter selection algorithm, guaranteed invertibility and successful message decryption, and better security. In this paper we present an attack on the ITRU cryptosystem; it is based mainly on a simple frequency analysis of the letters of ciphertexts.

    Decryption Failure Attacks on Post-Quantum Cryptography

    This dissertation mainly discusses new cryptanalytical results related to securely implementing the next generation of asymmetric cryptography, or public-key cryptography (PKC). PKC, as deployed until today, depends heavily on the integer factorization and discrete logarithm problems. Unfortunately, it has been well known since the mid-90s that these mathematical problems can be solved by Peter Shor's algorithm for quantum computers, which obtains the answers in polynomial time. The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community to a major shift of focus. A project towards standardization of post-quantum cryptography (PQC) was launched by the US-based standardization organization NIST. PQC is the name given to algorithms designed to run on classical hardware and software while being resistant to attacks from quantum computers; PQC is well suited to replacing the current asymmetric schemes. A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC. For public-key encryption (PKE) or digital signature (DS) schemes to be considered secure they must be shown to rely on well-known mathematical problems, with theoretical proofs of security under established models such as indistinguishability under chosen-ciphertext attack (IND-CCA). They must also withstand serious attack attempts by well-renowned cryptographers, concerning both theoretical security and the actual software/hardware instantiations. It is well known that security models such as IND-CCA are not designed to capture the intricacies of inner-state leakage. Such leakages are known as side channels, currently a major topic of interest in the NIST PQC project. This dissertation focuses on two things in general: 1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates? and 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations? Of main concern are PQC algorithms based on lattice theory and coding theory. The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation of a part of a PQC scheme, and some more theoretical cryptanalytical results.

    Using quantum key distribution for cryptographic purposes: a survey

    The appealing feature of quantum key distribution (QKD), from a cryptographic viewpoint, is the ability to prove the information-theoretic security (ITS) of the established keys. As a key establishment primitive, however, QKD does not provide a standalone security service on its own: the secret keys established by QKD are in general then used by subsequent cryptographic applications, for which the requirements, the context of use and the security properties can vary. It is therefore important, with a view to integrating QKD into security infrastructures, to analyze how QKD can be combined with other cryptographic primitives. The purpose of this survey article, which is mostly centered on European research results, is to contribute to such an analysis. We first review and compare the properties of the existing key establishment techniques, QKD being one of them. We then study more specifically two generic scenarios related to the practical use of QKD in cryptographic infrastructures: 1) using QKD as a key renewal technique for a symmetric cipher over a point-to-point link; 2) using QKD in a network containing many users with the objective of offering an any-to-any key establishment service. We discuss the constraints as well as the potential interest of using QKD in these contexts. We finally give an overview of challenges relative to the development of QKD technology that also constitute potential avenues for cryptographic research. Comment: Revised version of the SECOQC White Paper. Published in the special issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8

    Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3

    We present, for the first time, an algorithm for choosing parameter sets for NTRUEncrypt that give a desired level of security. Note: this is an expanded version of a paper presented at CT-RSA 2005.

    Bounds on the probability of decryption failure in the NTRUEncrypt cryptosystem for a fixed key

    The asymmetric encryption scheme NTRUEncrypt is one of the fastest post-quantum encryption schemes. Several versions of the scheme are known to date, but all of them share an undesirable property: decryption can fail. Besides the inconvenience to legitimate users, decryption failures enable specific attacks on the scheme and consequently reduce its security. The traditional approach to estimating the decryption failure probability takes the probability over a random choice of all elements used to form the ciphertext: the plaintext, the key and the so-called randomizing polynomial. From a practical point of view, a more adequate measure of the failure frequency is the set of probabilities computed for each fixed value of the secret key. In this paper we obtain upper bounds on the decryption failure probability for a fixed key for one of the most widespread versions of NTRUEncrypt. The first of the two bounds is approximate, in the sense that its proof replaces the probability distribution of a sum of certain independent random variables by its limiting (normal) distribution. The second bound is proved using Hoeffding's inequality and relies on no heuristic assumptions. Overall, the results give more adequate information about the frequency of decryption failures for the considered version of NTRUEncrypt and can be used when choosing the parameters of the scheme to optimize it for security or practicality.
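    The two kinds of fixed-key bound the abstract describes, worked through on a toy instance as an added example (this is not code from the paper). In NTRUEncrypt, f*e = p*r*g + f*m (mod q), so decryption succeeds exactly when every coefficient of the integer polynomial p*r*g + f*m lies in the centred range (-q/2, q/2]. For a fixed key (f, g), each coefficient is a sum of independent bounded terms once r and m are drawn with independent uniform ternary coefficients (an assumption made here for simplicity; the paper's sampling of r and m may differ), so Hoeffding's inequality gives a rigorous per-key bound and a normal approximation gives the heuristic one; a Monte Carlo run then checks both. N = 11, p = 3, q = 48 and the polynomials F and G are constructed toy values, far below real parameters.

    ```python
    import math
    import random

    # Constructed toy instance (a hypothetical fixed key, not parameters from the paper).
    N, P, Q = 11, 3, 48
    F = [1, -1, 1, 1, 0, -1, 0, 1, 0, -1, 1]
    G = [0, 1, -1, 0, 1, 1, -1, 0, -1, 1, 0]


    def star(a, b):
        """Cyclic convolution in Z[x]/(x^N - 1) over the integers (NTRU's '*' product)."""
        n = len(a)
        c = [0] * n
        for i, ai in enumerate(a):
            if ai:
                for j, bj in enumerate(b):
                    c[(i + j) % n] += ai * bj
        return c


    def decryption_fails(f, g, r, m, p=P, q=Q):
        """f*e = p*r*g + f*m (mod q); decryption recovers m exactly when every coefficient
        of the integer polynomial p*r*g + f*m lies in the centred range (-q/2, q/2]."""
        rg = star(r, g)
        fm = star(f, m)
        return any(not (-q / 2 < p * a + b <= q / 2) for a, b in zip(rg, fm))


    def _key_norms(f, g, p):
        # p^2 ||g||^2 + ||f||^2: the same for every coefficient position k,
        # because coefficient k uses every g_j and every f_j exactly once.
        return p * p * sum(x * x for x in g) + sum(x * x for x in f)


    def hoeffding_bound(f, g, p=P, q=Q):
        """Rigorous fixed-key bound. Coefficient k is sum_j (p*g_(k-j))*r_j + sum_j f_(k-j)*m_j.
        With independent r_j, m_j in {-1,0,1}, term j ranges over an interval of width 2p|g_(k-j)|
        or 2|f_(k-j)|, so Hoeffding gives P(|c_k| >= q/2) <= 2 exp(-(q/2)^2 / (2 (p^2||g||^2 + ||f||^2))).
        A union bound over the N coefficients bounds the failure probability."""
        n, t = len(f), q / 2
        per_coef = 2.0 * math.exp(-(t * t) / (2.0 * _key_norms(f, g, p)))
        return min(1.0, n * per_coef)


    def normal_bound(f, g, p=P, q=Q):
        """Heuristic fixed-key estimate: replace each coefficient's sum by a normal variable with
        the same variance. A uniform ternary coefficient has mean 0 and variance 2/3."""
        n, t = len(f), q / 2
        var = (2.0 / 3.0) * _key_norms(f, g, p)
        per_coef = math.erfc(t / math.sqrt(2.0 * var))   # P(|Normal(0, var)| >= t)
        return min(1.0, n * per_coef)


    def empirical_failure_rate(f, g, p=P, q=Q, trials=2000, seed=1):
        """Monte Carlo check for the fixed key (f, g): draw r and m, count decryption failures."""
        rng = random.Random(seed)
        n = len(f)
        ternary = lambda: [rng.choice((-1, 0, 1)) for _ in range(n)]
        fails = sum(decryption_fails(f, g, ternary(), ternary(), p, q) for _ in range(trials))
        return fails / trials


    if __name__ == "__main__":
        print("Hoeffding bound :", hoeffding_bound(F, G))
        print("normal estimate :", normal_bound(F, G))
        print("empirical rate  :", empirical_failure_rate(F, G))
    ```

    On this toy key the Hoeffding bound is loose (about 0.38) while the normal estimate is near the observed rate; the gap is the price of a bound that needs no distributional assumption, and it narrows as q grows relative to the key norms, which is the regime real parameter sets live in.
    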

    Lattice-based cryptography

    Find the Bad Apples: An efficient method for perfect key recovery under imperfect SCA oracles – A case study of Kyber

    Side-channel resilience is a crucial feature when assessing whether a post-quantum cryptographic proposal is sufficiently mature to be deployed. In this paper, we propose a generic and efficient adaptive approach to improve the sample complexity (i.e., the required number of traces) of plaintext-checking (PC) oracle-based side-channel attacks (SCAs), a major class of key-recovery chosen-ciphertext SCAs on lattice-based key encapsulation mechanisms (KEMs). This new approach is preferable when the constructed PC oracle is imperfect, which is common in practice; its basic idea is to design new detection codes that can determine erroneous positions in the initially recovered secret key. These secret entries are then corrected with a small number of additional traces. This work benefits from the generality of the PC oracle and is thus applicable to various schemes and implementations. Our main target is Kyber, since it has been selected by NIST as the KEM algorithm for standardization. We instantiated the proposed generic attack on Kyber512 and then conducted extensive computer simulations against Kyber512 and FireSaber. We further mounted an electromagnetic (EM) attack against an optimized implementation of Kyber512 in the pqm4 library running on an STM32F407G board with an ARM Cortex-M4 microcontroller. These simulations and real-world experiments demonstrate that the newly proposed attack greatly improves on the state of the art in terms of the required number of traces. For instance, the new attack requires only 41% of the EM traces needed by a majority-voting attack in our experiments, with the raw oracle accuracy fixed.

    Multiple-Valued Plaintext-Checking Side-Channel Attacks on Post-Quantum KEMs

    In this paper, we present a side-channel analysis (SCA) of key encapsulation mechanisms (KEMs) based on the Fujisaki-Okamoto (FO) transformation and its variants. Many post-quantum KEMs perform re-encryption during key decapsulation to achieve chosen-ciphertext attack (CCA) security. The side-channel leakage of this re-encryption can be exploited to mount a key-recovery plaintext-checking attack (KR-PCA), even if the chosen-plaintext attack (CPA) secure decryption from which the KEM is constructed is securely implemented. Herein, we propose an efficient side-channel-assisted KR-PCA on post-quantum KEMs and achieve key recovery with significantly fewer attack traces than the existing ones in TCHES 2022 and 2023. The basic concept of the proposed attack is to introduce a new KR-PCA based on a multiple-valued (MV-)PC oracle and then implement a dedicated MV-PC oracle based on a multi-classification neural network (NN). The proposed attack is applicable to the NIST PQC selected algorithm Kyber and the similar lattice-based Saber, FrodoKEM and NTRU Prime, as well as to SIKE. We also present how to realize a sufficiently reliable MV-PC oracle from NN model outputs that are not 100% accurate, and analyze the tradeoff between the key recovery success rate and the number of attack traces. We assess the feasibility of the proposed attack through attack experiments on three typical symmetric primitives used to instantiate a random oracle (SHAKE, SHA3, and AES software). The proposed attack reduces the number of attack traces required for a reliable key recovery by up to 87% compared to the existing attacks against Kyber and other lattice-based KEMs, under the condition of a 99.9999% success rate for key recovery. The proposed attack can also reduce the number of attack traces by 85% for SIKE.

    Practical Lattice Cryptosystems: NTRUEncrypt and NTRUMLS

    Public-key cryptography, as deployed on the internet today, stands on shaky ground. For over twenty years it has been known that the systems in widespread use are insecure against adversaries equipped with quantum computers, a fact that has largely been discounted because of the enormous challenge of building such devices. However, research into the development of quantum computers is accelerating and is producing an abundance of positive results indicating that quantum computers could be built in the near future. As a result, individuals, corporations and government entities are calling for the deployment of new cryptography to replace systems that are vulnerable to quantum cryptanalysis. Few satisfying schemes are to be found. This work examines the design, parameter selection and cryptanalysis of a post-quantum public-key encryption scheme, NTRUEncrypt, and a related signature scheme, NTRUMLS. It is hoped that this analysis will prove useful in comparing these schemes against other candidates that have been proposed to replace existing infrastructure.