## CryptoDB

### Paper: (One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes

Authors: Jan-Pieter D’Anvers , imec-COSIC, KU Leuven, Belgium Mélissa Rossi , ANSSI, ENS Paris, Thales, France, and INRIA Fernando Virdia , Information Security Group, Royal Holloway, University of London, UK DOI: 10.1007/978-3-030-45727-3_1 (login may be required) Search ePrint Search Google EUROCRYPT 2020 Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large number, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the "failure boosting" technique of D'Anvers et al. in PKC 2019, we propose an approach that we call "directional failure boosting" that uses previously found "failing ciphertexts" to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by and demonstrate it on a simple Mod-LWE-based scheme parametrized à la Kyber768/Saber. We show that, using our technique, for a given secret key (single-target setting), the cost of searching for additional failing ciphertexts after one or more have already been found, can be sped up dramatically. We thus demonstrate that, in this single-target model, these schemes should be designed so that it is hard to even obtain one decryption failure. Besides, in a wider security model where there are many target secret keys (multi-target setting), our attack greatly improves over the state of the art.
##### BibTeX
@inproceedings{eurocrypt-2020-30216,
title={(One) failure is not an option: Bootstrapping the search for failures in lattice-based encryption schemes},
booktitle={39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings},
series={Lecture Notes in Computer Science},
publisher={Springer},
keywords={cryptanalysis;lattice-based cryptography;reaction attacks;decryption errors},
volume={12105},
doi={10.1007/978-3-030-45727-3_1},
author={Jan-Pieter D’Anvers and Mélissa Rossi and Fernando Virdia},
year=2020
}