
    Improving Key Mismatch Attack on NewHope with Fewer Queries

    NewHope is a lattice cryptoscheme based on the Ring Learning With Errors (Ring-LWE) problem, and it has received much attention among the candidates of the NIST post-quantum cryptography standardization project. Recently, there have been key mismatch attacks on NewHope, where the adversary tries to recover the server's secret key by observing the mismatch of the shared key from chosen queries. At CT-RSA 2019, Bauer et al. first proposed a key mismatch attack on NewHope, and then at ESORICS 2019, Qin et al. proposed an improved version with a success probability of 96.9% using about 880,000 queries. In this paper, we further improve their key mismatch attack on NewHope. First, we reduce the number of queries by adapting the terminating condition to the response from the server using an early abort technique. Next, the success rate of recovering the secret key polynomial is raised by considering the deterministic condition judging its coefficients. Furthermore, the search range of the secret key in Qin et al.'s attack is extended without increasing the number of queries. With the above improvements, to achieve a success rate of almost 97%, about 73% of queries can be reduced compared with Qin et al.'s method. Additionally, the success rate can be improved to 100.0%. In particular, we analyze the trade-off between the cost of queries and the success rate. We show that a lower success rate of 20.9% is available by further reduced queries of 135,000 simultaneously.

    Separation and Characterization of the Main Proanthocyanidin Fractions from Grape Seeds

    Grape seeds, as waste products of the winemaking industry, contain large amounts of monomers, oligomers and more highly polymerised proanthocyanidins (PA), being a good source of phytochemicals for the production of antioxidative dietary supplements. PA from defatted grape seeds were extracted by precipitation with diethyl ether from the crude alcoholic extract and fractionated into monomers (FI), oligomers (FII) and polymers (FIII) of flavan-3-ols by their separation on C18 Sep-Pak cartridges. FIII was the predominant class of proanthocyanidins (82.22%), while monomeric PA made up only 5.71% of the total. The ratio PA (by vanillin assay) / tannins (Bate-Smith assay) indicates the highest degree of polymerisation (DP) in the FIII fraction (1.28). Thin layer chromatography (TLC) confirmed the presence of monomers in FI, the DP increasing significantly for the next two fractions. Oligomeric and polymeric PA showed the highest antioxidant activity (% scavenged DPPH), but the synergic antioxidant effect of PA classes was also observed.

    (One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

    Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large number, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the "failure boosting" technique of D'Anvers et al. in PKC 2019, we propose an approach that we call "directional failure boosting" that uses previously found "failing ciphertexts" to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by and demonstrate it on a simple Mod-LWE-based scheme parametrized à la Kyber768/Saber. We show that, using our technique, for a given secret key (single-target setting), the cost of searching for additional failing ciphertexts after one or more have already been found, can be sped up dramatically. We thus demonstrate that, in this single-target model, these schemes should be designed so that it is hard to even obtain one decryption failure. Besides, in a wider security model where there are many target secret keys (multi-target setting), our attack greatly improves over the state of the art.

    Attack on LAC Key Exchange in Misuse Situation

    LAC is a Ring Learning With Errors based cryptosystem that has been proposed to the NIST call for post-quantum standardization and passed the first round of the submission process. The particularity of LAC is to use an error-correction code ensuring a high security level with small key sizes and small ciphertext sizes. The LAC team proposes a CPA secure cryptosystem, LAC.CPA, and a CCA secure one, LAC.CCA, obtained by applying the Fujisaki-Okamoto transformation on LAC.CPA. In this paper, we study the security of the LAC Key Exchange (KE) mechanism, using LAC.CPA, in a misuse context: when the same secret key is reused for several key exchanges and an active adversary has access to a mismatch oracle. This oracle indicates information on the possible mismatch at the end of the KE protocol. In this context, we show that an attacker needs at most 8 queries to the oracle to retrieve one coefficient of a static secret key. This result has been experimentally confirmed using the reference and optimized implementations of LAC. Since our attack can break the CPA version in a misuse context, the Authenticated KE protocol, based on the CCA version, is not impacted. However, this research provides a tight estimation of LAC resilience against this type of attack.

    Evaluation of the Resistance to Detachment and Compression of the Berries of Some New Vitis vinifera L. Cultivars for Table Grapes

    Since quality requirements for table grapes are closely related to their mechanical characteristics, the aim of this work was the assessment of berry resistance to detachment from the pedicel and its resistance to compression at five new Vitis vinifera L. cultivars for table grapes: Gelu, Milcov, Napoca, Splendid and Transilvania. The determinations made on the mature berries consisted in the analysis of the normal pressing force and the deformation under its influence, as well as the force required for the detachment of berries from the pedicels, using a CETR UMT-2 tribometer. Grape berries with higher weight and volume and larger diameter (Transilvania cv.) incurred a higher mechanical deformation, while long berries (Gelu cv.) showed higher resistance to detachment from the pedicel, probably due to a more pronounced development of vascular bundles, indicating a higher resistance of grapes to handling, packing, transport and storage.

    Classical Misuse Attacks on NIST Round 2 PQC: The Power of Rank-Based Schemes

    The US National Institute of Standards and Technology (NIST) recently announced the public-key cryptosystems (PKC) that have passed to the second round of the post-quantum standardization process. Most of these PKC come in two flavours: a weak IND-CPA version and a strongly secure IND-CCA construction. For the weaker scheme, no level of security is claimed in the plaintext-checking attack (PCA) model. However, previous works showed that, for several NIST candidates, only a few PCA queries are sufficient to recover the secret key. In order to create a more complete picture, we design new key-recovery PCA against several round 2 candidates. Our attacks against CRYSTALS-Kyber, HQC, LAC and SABER are all practical and require only a few thousand queries to recover the full secret key. In addition, we present another KR-PCA attack against the rank-based scheme RQC, which needs roughly O(2^{38}) queries. Hence, this type of scheme seems to resist better than others to key recovery. Motivated by this observation, we prove an interesting result on the rank metric. Namely, that the learning problem with the rank distance is hard for some parameters, thus invalidating a common strategy for reaction attacks.

    A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM

    In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, namely FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about 2^{30} decapsulation calls.