Partial Key Exposure Attacks on BIKE, Rainbow and NTRU

Andre Esser; Alexander May; Javier Verbel; Weiqiang Wen

doi:10.1007/978-3-031-15982-4_12

Partial Key Exposure Attacks on BIKE, Rainbow and NTRU

Andre Esser
, Alexander May
, Javier Verbel
, Weiqiang Wen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In a so-called partial key exposure attack one obtains some information about the secret key, e.g. via some side-channel leakage. This information might be a certain fraction of the secret key bits (erasure model) or some erroneous version of the secret key (error model). The goal is to recover the secret key from the leaked information. There is a common belief that, as opposed to e.g. the RSA cryptosystem, most post-quantum cryptosystems are usually resistant against partial key exposure attacks. We strongly question this belief by constructing partial key exposure attacks on code-based, multivariate, and lattice-based schemes (BIKE, Rainbow and NTRU). Our attacks exploit the redundancy that modern PQ cryptosystems inherently use for efficiency reasons. The application and development of techniques from information set decoding plays a crucial role for achieving our results. On the theoretical side, we show non-trivial information leakage bounds that allow for a polynomial time key recovery attack. As an example, for all schemes the knowledge of a constant fraction of the secret key bits suffices to reconstruct the full key in polynomial time. Even if we no longer insist on polynomial time attacks, most of our attacks extend well and remain feasible up to large erasure and error rates. In the case of BIKE for example we obtain attack complexities around 60 bits when half of the secret key bits are erased, or a quarter of the secret key bits are faulty. Our results show that even highly error-prone key leakage of modern PQ cryptosystems may lead to full secret key recoveries.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings
Editors	Yevgeniy Dodis, Thomas Shrimpton
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	346-375
Number of pages	30
ISBN (Print)	9783031159817
DOIs	https://doi.org/10.1007/978-3-031-15982-4_12
Publication status	Published - 1 Jan 2022
Externally published	Yes
Event	42nd Annual International Cryptology Conference, CRYPTO 2022 - Hybrid, Santa Barbara, United States Duration: 15 Aug 2022 → 18 Aug 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13509 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	42nd Annual International Cryptology Conference, CRYPTO 2022
Country/Territory	United States
City	Hybrid, Santa Barbara
Period	15/08/22 → 18/08/22

Keywords

Asymptotics
Cold Boot Key Recovery
Erasure/Error Model

Access to Document

10.1007/978-3-031-15982-4_12

Cite this

Esser, A., May, A., Verbel, J., & Wen, W. (2022). Partial Key Exposure Attacks on BIKE, Rainbow and NTRU. In Y. Dodis, & T. Shrimpton (Eds.), Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings (pp. 346-375). (Lecture Notes in Computer Science; Vol. 13509 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-15982-4_12

Esser, Andre ; May, Alexander ; Verbel, Javier et al. / Partial Key Exposure Attacks on BIKE, Rainbow and NTRU. Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. editor / Yevgeniy Dodis ; Thomas Shrimpton. Springer Science and Business Media Deutschland GmbH, 2022. pp. 346-375 (Lecture Notes in Computer Science).

@inproceedings{d06edd1ce39340f2b8c9f0e8c14de59d,

title = "Partial Key Exposure Attacks on BIKE, Rainbow and NTRU",

abstract = "In a so-called partial key exposure attack one obtains some information about the secret key, e.g. via some side-channel leakage. This information might be a certain fraction of the secret key bits (erasure model) or some erroneous version of the secret key (error model). The goal is to recover the secret key from the leaked information. There is a common belief that, as opposed to e.g. the RSA cryptosystem, most post-quantum cryptosystems are usually resistant against partial key exposure attacks. We strongly question this belief by constructing partial key exposure attacks on code-based, multivariate, and lattice-based schemes (BIKE, Rainbow and NTRU). Our attacks exploit the redundancy that modern PQ cryptosystems inherently use for efficiency reasons. The application and development of techniques from information set decoding plays a crucial role for achieving our results. On the theoretical side, we show non-trivial information leakage bounds that allow for a polynomial time key recovery attack. As an example, for all schemes the knowledge of a constant fraction of the secret key bits suffices to reconstruct the full key in polynomial time. Even if we no longer insist on polynomial time attacks, most of our attacks extend well and remain feasible up to large erasure and error rates. In the case of BIKE for example we obtain attack complexities around 60 bits when half of the secret key bits are erased, or a quarter of the secret key bits are faulty. Our results show that even highly error-prone key leakage of modern PQ cryptosystems may lead to full secret key recoveries.",

keywords = "Asymptotics, Cold Boot Key Recovery, Erasure/Error Model",

author = "Andre Esser and Alexander May and Javier Verbel and Weiqiang Wen",

note = "Publisher Copyright: {\textcopyright} 2022, International Association for Cryptologic Research.; 42nd Annual International Cryptology Conference, CRYPTO 2022 ; Conference date: 15-08-2022 Through 18-08-2022",

year = "2022",

month = jan,

day = "1",

doi = "10.1007/978-3-031-15982-4\_12",

language = "English",

isbn = "9783031159817",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "346--375",

editor = "Yevgeniy Dodis and Thomas Shrimpton",

booktitle = "Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings",

}

Esser, A, May, A, Verbel, J & Wen, W 2022, Partial Key Exposure Attacks on BIKE, Rainbow and NTRU. in Y Dodis & T Shrimpton (eds), Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Lecture Notes in Computer Science, vol. 13509 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 346-375, 42nd Annual International Cryptology Conference, CRYPTO 2022, Hybrid, Santa Barbara, United States, 15/08/22. https://doi.org/10.1007/978-3-031-15982-4_12

Partial Key Exposure Attacks on BIKE, Rainbow and NTRU. / Esser, Andre; May, Alexander; Verbel, Javier et al.
Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. ed. / Yevgeniy Dodis; Thomas Shrimpton. Springer Science and Business Media Deutschland GmbH, 2022. p. 346-375 (Lecture Notes in Computer Science; Vol. 13509 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Partial Key Exposure Attacks on BIKE, Rainbow and NTRU

AU - Esser, Andre

AU - May, Alexander

AU - Verbel, Javier

AU - Wen, Weiqiang

PY - 2022/1/1

Y1 - 2022/1/1

N2 - In a so-called partial key exposure attack one obtains some information about the secret key, e.g. via some side-channel leakage. This information might be a certain fraction of the secret key bits (erasure model) or some erroneous version of the secret key (error model). The goal is to recover the secret key from the leaked information. There is a common belief that, as opposed to e.g. the RSA cryptosystem, most post-quantum cryptosystems are usually resistant against partial key exposure attacks. We strongly question this belief by constructing partial key exposure attacks on code-based, multivariate, and lattice-based schemes (BIKE, Rainbow and NTRU). Our attacks exploit the redundancy that modern PQ cryptosystems inherently use for efficiency reasons. The application and development of techniques from information set decoding plays a crucial role for achieving our results. On the theoretical side, we show non-trivial information leakage bounds that allow for a polynomial time key recovery attack. As an example, for all schemes the knowledge of a constant fraction of the secret key bits suffices to reconstruct the full key in polynomial time. Even if we no longer insist on polynomial time attacks, most of our attacks extend well and remain feasible up to large erasure and error rates. In the case of BIKE for example we obtain attack complexities around 60 bits when half of the secret key bits are erased, or a quarter of the secret key bits are faulty. Our results show that even highly error-prone key leakage of modern PQ cryptosystems may lead to full secret key recoveries.

AB - In a so-called partial key exposure attack one obtains some information about the secret key, e.g. via some side-channel leakage. This information might be a certain fraction of the secret key bits (erasure model) or some erroneous version of the secret key (error model). The goal is to recover the secret key from the leaked information. There is a common belief that, as opposed to e.g. the RSA cryptosystem, most post-quantum cryptosystems are usually resistant against partial key exposure attacks. We strongly question this belief by constructing partial key exposure attacks on code-based, multivariate, and lattice-based schemes (BIKE, Rainbow and NTRU). Our attacks exploit the redundancy that modern PQ cryptosystems inherently use for efficiency reasons. The application and development of techniques from information set decoding plays a crucial role for achieving our results. On the theoretical side, we show non-trivial information leakage bounds that allow for a polynomial time key recovery attack. As an example, for all schemes the knowledge of a constant fraction of the secret key bits suffices to reconstruct the full key in polynomial time. Even if we no longer insist on polynomial time attacks, most of our attacks extend well and remain feasible up to large erasure and error rates. In the case of BIKE for example we obtain attack complexities around 60 bits when half of the secret key bits are erased, or a quarter of the secret key bits are faulty. Our results show that even highly error-prone key leakage of modern PQ cryptosystems may lead to full secret key recoveries.

KW - Asymptotics

KW - Cold Boot Key Recovery

KW - Erasure/Error Model

UR - https://www.scopus.com/pages/publications/85141721481

U2 - 10.1007/978-3-031-15982-4_12

DO - 10.1007/978-3-031-15982-4_12

M3 - Conference contribution

AN - SCOPUS:85141721481

SN - 9783031159817

T3 - Lecture Notes in Computer Science

SP - 346

EP - 375

BT - Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings

A2 - Dodis, Yevgeniy

A2 - Shrimpton, Thomas

PB - Springer Science and Business Media Deutschland GmbH

T2 - 42nd Annual International Cryptology Conference, CRYPTO 2022

Y2 - 15 August 2022 through 18 August 2022

ER -

Esser A, May A, Verbel J, Wen W. Partial Key Exposure Attacks on BIKE, Rainbow and NTRU. In Dodis Y, Shrimpton T, editors, Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 346-375. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-15982-4_12