International Association for Cryptologic Research

International Association
for Cryptologic Research


(One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes

Jan-Pieter D’Anvers , imec-COSIC, KU Leuven, Belgium
Mélissa Rossi , ANSSI, ENS Paris, Thales, France, and INRIA
Fernando Virdia , Information Security Group, Royal Holloway, University of London, UK
DOI: 10.1007/978-3-030-45727-3_1 (login may be required)
Search ePrint
Search Google
Conference: EUROCRYPT 2020
Abstract: Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large number, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the "failure boosting" technique of D'Anvers et al. in PKC 2019, we propose an approach that we call "directional failure boosting" that uses previously found "failing ciphertexts" to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by <X^N + 1> and demonstrate it on a simple Mod-LWE-based scheme parametrized à la Kyber768/Saber. We show that, using our technique, for a given secret key (single-target setting), the cost of searching for additional failing ciphertexts after one or more have already been found, can be sped up dramatically. We thus demonstrate that, in this single-target model, these schemes should be designed so that it is hard to even obtain one decryption failure. Besides, in a wider security model where there are many target secret keys (multi-target setting), our attack greatly improves over the state of the art.
Video from EUROCRYPT 2020
  title={(One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes},
  booktitle={39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings},
  series={Lecture Notes in Computer Science},
  keywords={cryptanalysis;lattice-based cryptography;reaction attacks;decryption errors},
  author={Jan-Pieter D’Anvers and Mélissa Rossi and Fernando Virdia},