[Resource Topic] 2022/1580: Multi-ciphertext security degradation for lattices

Welcome to the resource topic for 2022/1580

Title:
Multi-ciphertext security degradation for lattices

Authors: Daniel J. Bernstein

Abstract:

Typical lattice-based cryptosystems are commonly believed to resist multi-target attacks. For example, the New Hope proposal stated that it avoids “all-for-the-price-of-one attacks”. An ACM CCS 2021 paper from Duman–Hövelmanns–Kiltz–Lyubashevsky–Seiler stated that "we can show that Adv_PKE^{IND-CPA} ≈ Adv_PKE^{(n,q_C)-IND-CPA} for “lattice-based schemes” such as Kyber, i.e. that one-out-of-many-target IND-CPA is as difficult to break as single-target IND-CPA, assuming “the hardness of MLWE as originally defined for the purpose of worst-case to average-case reductions”. Meanwhile NIST expressed concern regarding multi-target attacks against non-lattice cryptosystems.

This paper quantifies the asymptotic impact of multiple ciphertexts per public key upon existing heuristic analyses of known lattice attacks. The qualitative conclusions are that typical lattice PKEs asymptotically degrade in heuristic multi-ciphertext IND-CPA security as the number of ciphertexts increases. These PKE attacks also imply multi-ciphertext IND-CCA2 attacks against typical constructions of lattice KEMs. This shows a contradiction between (1) the existing heuristics and (2) the idea that multi-target security matches single-target security.

The asymptotic heuristic security degradation is exponential in Θ(n) for decrypting many ciphertexts, cutting a constant fraction out of the total number of bits of security, and exponential in Θ(n/log n) for decrypting one out of many ciphertexts, for conservative cryptosystem parameters. Furthermore, whether or not the existing heuristics are correct, (1) there are flaws in the claim of provable multi-target security based on MLWE, and (2) there is a 2^88-guess attack breaking one out of 2^40 ciphertexts for a FrodoKEM-640 public key.

ePrint: https://eprint.iacr.org/2022/1580

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .