Complete attack on RLWE key exchange with reused keys, without signal leakage

Jintai Ding, Scott Fluhrer, Saraswathy Rv*

*Corresponding author for this work

Research output: Chapter in Book or Report/Conference proceedingConference Proceedingpeer-review

46 Citations (Scopus)

Abstract

Key Exchange (KE) from RLWE (Ring-Learning with Errors) is a potential alternative to Diffie-Hellman (DH) in a post quantum setting. Key leakage with RLWE key exchange protocols in the context of key reuse has already been pointed out in previous work. The initial attack described by Fluhrer is designed in such a way that it only works on Peikert’s KE protocol and its variants that derives the shared secret from the most significant bits of the approximately equal keys computed by both parties. It does not work on Ding’s key exchange that uses the least significant bits to derive a shared key. The Signal leakage attack relies on changes in the signal sent by the responder reusing his key, in a sequence of key exchange sessions initiated by an attacker with a malformed key. A possible defense against this attack would be to require the initiator of a key exchange to send the signal, which is the one pass case of the KE protocol. In this work, we describe a new attack on Ding’s one pass case without relying on the signal function output but using only the information of whether the final key of both parties agree. We also use LLL reduction to create the adversary’s keys in such a way that the party being compromised cannot identify the attack in trivial ways. This completes the series of attacks on RLWE key exchange with key reuse for all variants in both cases of the initiator and responder sending the signal. Moreover, we show that the previous Signal leakage attack can be made more efficient with fewer queries and how it can be extended to Peikert’s key exchange, which was used in the BCNS implementation and integrated with TLS and a variant used in the New Hope implementation.

Original languageEnglish
Title of host publicationInformation Security and Privacy - 23rd Australasian Conference, ACISP 2018, Proceedings
EditorsWilly Susilo, Guomin Yang
PublisherSpringer Verlag
Pages467-486
Number of pages20
ISBN (Print)9783319936376
DOIs
Publication statusPublished - 2018
Externally publishedYes
Event23rd Australasian Conference on Information Security and Privacy, ACISP 2018 - Wollongong, Australia
Duration: 11 Jul 201813 Jul 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10946 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference23rd Australasian Conference on Information Security and Privacy, ACISP 2018
Country/TerritoryAustralia
CityWollongong
Period11/07/1813/07/18

Keywords

  • Active attacks
  • Key exchange
  • Key reuse
  • Post quantum
  • RLWE

Fingerprint

Dive into the research topics of 'Complete attack on RLWE key exchange with reused keys, without signal leakage'. Together they form a unique fingerprint.

Cite this