Quantum Misuse Attack on Frodo

Research on the security of lattice-based public-key encryption schemes against misuse attacks is an important part of the cryptographic assessment of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standardization process. In particular, many NIST-PQC cryptosystems follow the same meta-cryptosystem. At EUROCRYPT 2019, Bȃetu et al. mounted a classical key recovery under plaintext checking attacks (KR-PCA) and a quantum key recovery under chosen ciphertext attacks (KR-CCA). They analyzed the security of the weak version of nine submissions to NIST. In this paper, we focus on learning with errors (LWE)-based FrodoPKE, whose IND-CPA security is tightly related to the hardness of plain LWE problems. We first review the meta-cryptosystem and the quantum algorithm for solving quantum LWE problems. Then, we consider the case where the noise follows a discrete Gaussian distribution and recompute the success probability for quantum LWE by using the Hoeffding bound. Finally, we give a quantum key recovery algorithm based on LWE under a CCA attack and analyze the security of Frodo. Compared with the existing work of Bȃetu et al., our method reduces the number of queries from 2^2 = 4 to 1 with the same success probability.


Introduction
Quantum computing exploits quantum mechanical properties to perform computations. It enables quantum parallelism and provides much more powerful data processing capabilities than classical computers [1]. In 1994, Peter Shor proposed an efficient quantum algorithm [2] that can break most of the current public-key cryptosystems, such as the Diffie-Hellman protocol [3] and the RSA cryptosystem [4]. If large-scale quantum computers are realized, they would threaten the security of many public-key cryptosystems. In order to ensure the security of network information systems, NIST initiated a standardization process for post-quantum algorithms. In 2016, NIST called for proposals for post-quantum cryptosystems [5]. There were 69 candidates in the first round, based on a variety of hard problems considered to be intractable for quantum computers. After rigorous scrutiny by the cryptography community, 17 public-key encryption (PKE) and key encapsulation mechanism (KEM) candidates were selected for the second round, nine of which are lattice-based. In the third round, three of the four finalists were still lattice-based. In 2022, NIST completed the third round of the PQC standardization process. A total of four candidate algorithms were selected for standardization, and four additional algorithms continue into the fourth round. The selected algorithms are mostly lattice-based [6]. Lattice-based cryptography uses conjectured hard problems on point lattices in R^n as the foundation for secure cryptographic systems. Attractive features of lattice cryptography include apparent resistance to quantum attacks, high asymptotic efficiency and parallelism, security under worst-case intractability assumptions, and solutions to long-standing open problems in cryptography.
Lattice cryptography has some attractive features, including (1) conjectured security against quantum attacks, (2) algorithmic simplicity, efficiency, and parallelism, (3) strong security guarantees from worst-case hardness, and (4) constructions of versatile and powerful cryptographic objects.
In general, most lattice-based NIST candidates that are secure against chosen plaintext attacks (CPA) use the Fujisaki-Okamoto (FO) transformation [7] to achieve IND-CCA security. When the key is reused, a CPA-secure PKE offers no security guarantee. Research on key reuse attacks against lattice-based CPA-secure schemes is an important topic in post-quantum cryptography. Many key-recovery attacks have been proposed in [8][9][10][11][12][13]. In 1998, Bleichenbacher examined the security of IND-CPA secure public-key cryptosystems in the case of key reuse on the RSA encryption standard PKCS#1 [14]. In 2010, Menezes et al. gave a key reuse attack on reused ephemeral keys in Diffie-Hellman key agreement protocols [15]. In 2016, Fluhrer proposed a key reuse attack [16]. In 2017, Ding et al. extended Fluhrer's attack to a class of key agreement protocols based on ring-LWE with signaling [17]. In 2019, Bauer et al. [18] gave a key-recovery attack on NewHope-CPA-PKE [19]. In 2021, Yue Qin et al. developed a systematic approach and analyzed key misuse attacks on lattice-based NIST candidates [20]. Although there have been a number of classical key misuse attacks on lattice-based public key encryption schemes, quantum misuse attack algorithms are rarely studied. In 2019, Alagic et al. gave a quantum algorithm for learning a rounding function and showed that this algorithm can recover the key of an IND-CPA-secure LWE-based encryption scheme with constant success probability [21]. At EUROCRYPT 2019, Bȃetu et al. analyzed the security of meta-cryptosystems under key reuse by mounting a quantum key recovery under chosen-ciphertext attacks [22].
Although NIST did not select Frodo as an initial post-quantum algorithm in the post-quantum cryptography standardization process, Frodo remains a post-quantum recommendation of Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) [23]. The FrodoPKE scheme is an instantiation and implementation of the Lindner-Peikert scheme [24] with some modifications, for example, more balanced key and ciphertext sizes and new LWE parameters. The IND-CPA security of FrodoPKE is tightly related to the hardness of a corresponding learning with errors problem. In 2005, Regev [25] defined the LWE problem, proved the hardness of LWE assuming the hardness of various worst-case lattice problems against quantum algorithms, and defined a PKE scheme whose IND-CPA security is based on the hardness of LWE. The LWE problem is a generalization of the learning parity with noise problem [26] to large moduli q.
In this paper, we give an improved quantum algorithm for recovering the key of the IND-CPA version of Frodo by using a quantum CCA attack. The security of Frodo's proposal is based on a plain LWE problem. In lattice-based cryptography, the plain LWE problem [25] is to solve a noisy linear system modulo a known integer.
The main contributions of this paper are as follows: (1) Based on the improved quantum algorithm for solving the quantum LWE problem, we first recalculate the success probability when the error follows a discrete Gaussian distribution. Using the Hoeffding bound, we give the success probability for solving quantum LWE by computing the expectation and variance of the error.
(2) Then, we present a quantum KR-CCA attack inspired by the quantum LWE solving algorithm. Based on the existing quantum LWE solving algorithm, we recompute the success probability by a different method. We analyze the security of Frodo640, Frodo976 and Frodo1344. By computing the expectation and variance of the error term, we can recover the full key with fewer oracle queries. Compared with the work of Bȃetu et al. [22], our algorithm reduces the number of oracle calls to 1 while keeping the same success probability as the AJOP-based quantum KR-CCA algorithm; see Table 1. Table 1. Three types of attacks on several lattice-based cryptosystems. P denotes the success probability, and O denotes the total number of oracle calls required to recover the full key with probability 1 by iterating the attack.

Table 1 columns: GKZ-Based Quantum KR-CCA Attack [22]; AJOP-Based Quantum KR-CCA Attack [22]; Improved Quantum KR-CCA Attack.

The organization of our paper is as follows. In Section 2, we give basic definitions and the meta-cryptosystem defined on the algebra. In Section 3, we review the quantum algorithm for solving quantum LWE. Then, we recalculate the success probability for solving quantum LWE problems when the noise follows a discrete Gaussian distribution. In Section 4, we propose an improved quantum key-recovery attack on LWE-based IND-CPA schemes and analyze the security of Frodo. We conclude the paper in Section 5. In addition, we give a table with the acronyms and their meanings in Abbreviations.

Notation and Definitions
For an integer q ≥ 1, let Z_q be the residue class group modulo q, Z_q = {0, 1, · · ·, q − 1}. x ← X denotes that an element x is chosen uniformly at random from a finite set X; x ←χ X denotes that x is chosen from the finite set X according to the distribution χ. For a random variable y, E[y] denotes the expectation of y and Var[y] denotes the variance of y. Given a matrix A, A^T denotes the transpose of A.
Definition 1 ((LWE) [25]). Let n, q be positive integers, χ be a probability distribution on Z and s be a secret element in Z_q^n. We denote by L the probability distribution on Z_q^n × Z_q obtained by choosing a ∈ Z_q^n uniformly at random, choosing e ∈ Z_q by sampling each of its coefficients according to χ, and returning (a, b) = (a, a · s + e) ∈ Z_q^n × Z_q. Decision-LWE is the problem of deciding whether pairs (a, b) ∈ Z_q^n × Z_q are sampled according to L or according to the uniform distribution on Z_q^n × Z_q. Search-LWE is the problem of recovering s from (a, b) = (a, a · s + e) ∈ Z_q^n × Z_q sampled according to L.

Definition 2 ((Quantum LWE) [27]). The samples are given in the form of a uniform quantum superposition state (1/√(q^n)) Σ_{a ∈ Z_q^n} |a⟩|a · s + e_a (mod q)⟩ obtained by querying a quantum oracle, where the e_a are independent identically distributed random variables from some distribution χ. The goal is to output s.

Definition 3 (Public key encryption).
A public key encryption scheme is a triple of randomized algorithms as follows: (1) The key generator: given the security parameter, it outputs a public key and secret key.
(2) The encryption algorithm: takes a public key and a message (from some known set of valid messages) and outputs a ciphertext.
(3) The decryption algorithm takes a secret key and a ciphertext and outputs either a message or a distinguished "failure" symbol.
The scheme is said to be correct if generating a key pair, then encrypting a valid message using the public key, and then decrypting the resulting ciphertext using the secret key yields the original message (perhaps with all but negligible probability).

Definition 4 (Quantum Fourier transform).
For any positive integer q, the quantum Fourier transform over Z_q is defined by the operation where ω_q = e^{2πi/q}.
Definition 5 (Hoeffding's bound). Consider a set of k independent random variables X_i, such . Then, it follows that for any δ > 0,

The Meta-Cryptosystem Defined on the Algebra
The meta-cryptosystem defined on the algebra was given by Bȃetu et al. [22] in 2019. Bȃetu et al. considered six additive Abelian groups S_sk, S_A, S_B, S_t, S_U, S_V and four bilinear mappings between them: For any plaintext pt ∈ M, we first define two functions, an encode function M → S_V and a decode function S_V → M, such that the encode function is injective. As shown in Table 2, W = δ + encode(pt) with δ = t × d − e × sk + f, where δ denotes the error introduced by encoding/decoding. In many cryptosystems, the encode and decode functions differ from one another. In particular, we give the encode and decode functions of Frodo in Section 4.2. Table 2. The meta-cryptosystem defined on the algebra.

Algorithm setup(1^λ):
1: set up the algebra and define pp
2: return pp

Algorithm gen(pp; coinA):
1: pick a random A ∈ S_A and random sparse sk ∈ S_sk and d ∈ S_B by using coinA
2: B = A × sk + d

Algorithm enc(pp, pk, pt; coinB):
1: parse pk = (A, B)
2: pick random sparse t ∈ S_t, e ∈ S_U and f ∈ S_V by using coinB
3: U = t × A + e
5: return ct = (U, V)

Lemma 1 ([27]). Let u, sk ∈ Z_q^n, e_u ∈ [−k, k], k < q/4, and let q be subexponential in the dimension n. The algorithm can recover the secret key sk with probability at least 1

From the algorithm process in Algorithm 1, the probability of outputting the key sk is

Since E(Σ_{u ∈ Z_q^n} sin(−2πe_u/q)) → 0, the first inequality holds.
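The meta-cryptosystem of Table 2 instantiated as a toy over Z_q with small integer matrices, as an added example that is not code from the paper or from any Frodo implementation. It runs gen, enc and dec, computes δ = t × d − e × sk + f directly from the secret randomness, and checks the identity W = δ + encode(pt) for the decryption value W = V − U × sk. Assumptions: the parameters Q, N, NBAR, M and ETA and the one-bit encode/decode are constructed for illustration and are not Frodo's; "sparse" is modelled as entries drawn uniformly from [−ETA, ETA]; step 4 of enc is not recoverable from the page, so V = t × B + f + encode(pt) is used, which is the choice under which the δ identity above holds.

```python
import random

# Constructed toy parameters (NOT Frodo's): modulus, dimension of A,
# columns of sk/d/B, rows of t/e/U, and the noise range [-ETA, ETA].
Q, N, NBAR, M, ETA = 2**10, 8, 2, 2, 2

def small(rows, cols, rng):
    """Matrix of small ("sparse") entries, each uniform in [-ETA, ETA]."""
    return [[rng.randint(-ETA, ETA) for _ in range(cols)] for _ in range(rows)]

def uniform(rows, cols, rng):
    """Matrix with entries uniform in Z_Q."""
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]

def matmul(X, Y):
    """Bilinear map of the meta-cryptosystem: matrix product mod Q."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def matadd(X, Y, sign=1):
    """X + sign*Y mod Q (entry-wise)."""
    return [[(X[i][j] + sign * Y[i][j]) % Q for j in range(len(X[0]))]
            for i in range(len(X))]

def centred(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def encode(pt):
    """Injective encode: bit 0 -> 0, bit 1 -> Q/2 (one bit per entry)."""
    return [[b * (Q // 2) for b in row] for row in pt]

def decode(W):
    """decode: nearest of {0, Q/2}; correct whenever |delta| < Q/4."""
    return [[0 if abs(centred(w)) < Q // 4 else 1 for w in row] for row in W]

def gen(rng):
    A, sk, d = uniform(N, N, rng), small(N, NBAR, rng), small(N, NBAR, rng)
    return (A, matadd(matmul(A, sk), d)), sk          # pk = (A, B = A x sk + d)

def enc(pk, pt, rng):
    A, B = pk
    t, e, f = small(M, N, rng), small(M, N, rng), small(M, NBAR, rng)
    U = matadd(matmul(t, A), e)                        # U = t x A + e
    V = matadd(matadd(matmul(t, B), f), encode(pt))    # V = t x B + f + encode(pt) (assumed)
    return (U, V), (t, e, f)                           # randomness returned only for the check

def dec(sk, ct):
    U, V = ct
    W = matadd(V, matmul(U, sk), sign=-1)              # W = V - U x sk
    return decode(W), W

def error_term(sk, d, t, e, f):
    """delta = t x d - e x sk + f, the error the text attributes to encoding/decoding."""
    return matadd(matadd(matmul(t, d), matmul(e, sk), sign=-1), f)

def run_once(seed=0):
    """Returns (decryption correct?, W - encode(pt) == delta?, max |delta entry|)."""
    rng = random.Random(seed)
    pk, sk = gen(rng)
    pt = [[rng.randint(0, 1) for _ in range(NBAR)] for _ in range(M)]
    ct, (t, e, f) = enc(pk, pt, rng)
    pt2, W = dec(sk, ct)
    A, B = pk
    d = matadd(B, matmul(A, sk), sign=-1)              # recover d = B - A x sk for the check
    delta = error_term(sk, d, t, e, f)
    identity_holds = matadd(W, encode(pt), sign=-1) == delta
    return pt2 == pt, identity_holds, max(abs(centred(x)) for row in delta for x in row)

def delta_stats(trials, seed=1):
    """Empirical mean and variance of the entries of delta over many encryptions."""
    rng, vals = random.Random(seed), []
    for _ in range(trials):
        pk, sk = gen(rng)
        A, B = pk
        d = matadd(B, matmul(A, sk), sign=-1)
        _, (t, e, f) = enc(pk, [[0] * NBAR for _ in range(M)], rng)
        vals += [centred(x) for row in error_term(sk, d, t, e, f) for x in row]
    mean = sum(vals) / len(vals)
    return mean, sum((v - mean) ** 2 for v in vals) / len(vals)

if __name__ == "__main__":
    print(run_once(), delta_stats(200))
```

delta_stats returns the empirical expectation and variance of δ, the quantities (µ, σ²) that the analysis in Section 4 attaches to the encoding/decoding error. With these constructed parameters |δ| stays far below the decoding radius Q/4, so decryption never fails; the security-relevant point is that this small, structured δ is exactly what a decryption oracle exposes when a CPA-secure key is reused, which is why the FO transformation is applied before a key may be reused.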
Algorithm 1: Improved quantum algorithm for solving the quantum LWE problem.

New Method
As shown in Equation (4), Wang et al. obtain the success probability for solving the quantum LWE problem by the method of enlarging and reducing, where the error e_u ∈ [−k, k]. In some lattice-based cryptosystems, such as Frodo, the noise follows a discrete Gaussian distribution. In this subsection, we recompute the success probability for the case where the noise follows a discrete Gaussian distribution. The new method is as follows: by applying the Hoeffding bound to Equation (4), we obtain the success probability in terms of the expectation and variance of the error. Then, we consider the case where the error e_u follows the discrete Gaussian distribution and compute the expectation and variance of e_u. The details are listed as follows.

Quantum Misuse Attack
In this section, we first give a KR-CCA attack based on the improved quantum algorithm for solving quantum LWE. Then, we discuss the security of Frodo. In this attack, we consider an adversary with quantum access to a decryption oracle.
We consider the meta-PKC construction in Section 2.2; let S_sk = Z n sk, and let δ_U denote the error introduced by encoding/decoding, where δ_U follows the uniform distribution. Then, the decryption oracle implements the following mapping: By Table 2, the decryption algorithm returns the plaintext pt, so Z_U can be obtained.

Key Recovery Algorithm
The bilinear mappings are matrix multiplications; let U_i ∈ Z_q^n be the ith row of U, and for j ∈ [m], let sk_j ∈ Z_q^n be the jth column of sk. In the following, we give the quantum key recovery attack on LWE-based encryption schemes as Algorithm 2. This algorithm can recover the key with constant success probability.
2: Make a quantum Fourier transform on the first and third registers.
3: Make a quantum oracle query and obtain (by writing Z = Z + Z_U).
4: Discard the last two registers and apply the quantum Fourier transform.
5: Measure the first register and output α.

Theorem 1. Let U ∈ Z_q^{mn}, Z_U,ij = (U × sk)_ij + δ_U,ij, and let the expectation of the error δ_U,ij be µ and its variance be σ². Then, Algorithm 2 can recover the full key sk with constant probability β.
Proof. Prepare the state |0⟩|V⟩|(1_ij)_{i=j}⟩ ∈ Z_q^{mn} × Z_q^{m²} × Z_q^{m²}. By making a quantum Fourier transform on the first and third registers, we obtain After querying the quantum oracle and letting Z = Z + Z_U, we have If we discard the last two registers and apply the quantum Fourier transform, we obtain Then, we perform a complete measurement in the computational basis. The probability Pr[α] of obtaining α is given by where α is a matrix of m blocks, each block of size n, such that U_i · α_j = 0 (i.e., α_j = 0) for i ≠ j and α_j = sk_j for i = j.
Using (9), we obtain We can further reduce the number of oracle calls while keeping the same success probability. The specific analysis is as follows.

The success probability of obtaining one column of sk is p = (1 − 2π² Suppose we can fully recover sk with constant probability Pr[α] = β by k queries. Then, the probability of recovering the first column of sk at least once in k queries is 1 − (1 − p)^k. So, we can fully recover the secret sk with probability and from this we obtain the value of k. We analyze this in detail in Section 4.2, using Frodo as the example.

Application to Post-Quantum Cryptosystem Frodo
We consider the IND-CPA secure public key encryption scheme FrodoPKE, which is based on the public-key encryption scheme presented by Lindner and Peikert in [24]. FrodoPKE is a family of conservative yet practical post-quantum public key encryption schemes whose security is based on the hardness of the LWE problem.
Before giving the public-key encryption scheme of Frodo, we first describe how bit strings are encoded as mod-q integer matrices. Let D denote the number of bits used for encoding. The encoding function ec(·) encodes an integer 0 ≤ pt < 2^D as an element of Z_q by multiplying it by By applying ec(·) to D-bit sub-strings sequentially and filling the matrix row by row entry-wise, the function Frodo.Encode encodes bit strings of length l = D · m · n̄ as m × n̄ matrices with entries in Z_q (left column of Table 3). The corresponding decoding function Frodo.Decode (right column of Table 3) decodes the m × n̄ matrix M into a bit string of length l = D · m · n̄, extracting D bits from each entry by applying the function de(c).

Table 3. Frodo.Encode (left) and Frodo.Decode (right).
Frodo.Encode:
1: for (i = 0; i < m; i ← i + 1) do
2:   for (j = 0; j < n̄; j ← j + 1) do
Frodo.Decode. Output: bit string pt ∈ {0, 1}^l, l = D · m · n̄
1: for (i = 0; i < m; i ← i + 1) do
2:   for (j = 0; j < n̄; j ← j + 1) do
5:     for (l = 0; l < D; l ← l + 1) do
6:       pt_{(i·n̄+j)·D+l} ← pt_l
7: return pt

Let m, n, n̄ be integer parameters and q ≥ 2 be an integer power of 2. In Table 4, we depict the public-key encryption scheme of Frodo. The symbol ←χ denotes that a sample is chosen according to χ. FrodoPKE works with S_sk = S_B = Z_q^{n n̄}, S_A = Z_q^{n²}, S_t = S_U = Z_q^{mn}, and In FrodoPKE, χ is a discrete Gaussian distribution, and the error δ_U introduced by encoding/decoding is chosen according to the uniform distribution on the range [−ρ⁺, ρ⁺]. In Table 5, we give the other parameters of Frodo.
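Frodo.Encode and Frodo.Decode of Table 3 written out in Python, as an added example that is neither the paper's code nor the FrodoKEM reference implementation. The constants the page leaves unstated, ec(k) = k · q/2^D and dc(c) = ⌊c · 2^D/q⌉ mod 2^D (the page writes de(c)), and the Frodo640 values q = 2^15, D = 2, m = n̄ = 8 used in the demo are taken from the FrodoKEM specification, not from this page. Each D-bit sub-string is packed little-endian, bit l of an entry going to position (i·n̄+j)·D+l as in line 6 of Table 3; decode_radius gives q/2^{D+1}, the largest per-entry error that dc still rounds away, which is the quantity that bounds the encoding/decoding error δ_U.

```python
# Frodo-style encoding of bit strings into mod-q matrices (Table 3).
# ec/dc below follow the FrodoKEM specification (assumed here, not taken
# from the page): ec(k) = k * q/2^D,  dc(c) = round(c * 2^D / q) mod 2^D.

def ec(k, q, D):
    """Encode a D-bit integer as a multiple of q/2^D in Z_q."""
    assert 0 <= k < 2 ** D and q % 2 ** D == 0
    return (k * (q // 2 ** D)) % q

def dc(c, q, D):
    """Decode: nearest multiple of q/2^D (ties rounded up), reduced mod 2^D."""
    step = q // 2 ** D
    return ((c % q + step // 2) // step) % 2 ** D

def frodo_encode(bits, m, nbar, D, q):
    """Frodo.Encode: bit string of length D*m*nbar -> m x nbar matrix over Z_q."""
    assert len(bits) == D * m * nbar
    M = [[0] * nbar for _ in range(m)]
    for i in range(m):
        for j in range(nbar):
            base = (i * nbar + j) * D
            k = sum(bits[base + l] << l for l in range(D))   # little-endian sub-string
            M[i][j] = ec(k, q, D)
    return M

def frodo_decode(M, m, nbar, D, q):
    """Frodo.Decode: m x nbar matrix over Z_q -> bit string of length D*m*nbar."""
    bits = [0] * (D * m * nbar)
    for i in range(m):
        for j in range(nbar):
            k = dc(M[i][j], q, D)
            base = (i * nbar + j) * D
            for l in range(D):
                bits[base + l] = (k >> l) & 1                  # pt_{(i*nbar+j)*D+l} <- bit l of k
    return bits

def decode_radius(q, D):
    """Any per-entry error with |err| < q/2^(D+1) is corrected by dc."""
    return q // 2 ** (D + 1)

def roundtrip_with_noise(bits, m, nbar, D, q, noise):
    """Encode, add the same signed error to every entry, decode; True iff bits survive."""
    M = frodo_encode(bits, m, nbar, D, q)
    noisy = [[(x + noise) % q for x in row] for row in M]
    return frodo_decode(noisy, m, nbar, D, q) == bits

if __name__ == "__main__":
    # Frodo640 encoding parameters (from the FrodoKEM specification): q = 2^15, D = 2, m = nbar = 8
    q, D, m, nbar = 2 ** 15, 2, 8, 8
    msg = [(i // 3) % 2 for i in range(D * m * nbar)]       # constructed 128-bit message
    r = decode_radius(q, D)
    print("radius", r,
          "ok below radius:", roundtrip_with_noise(msg, m, nbar, D, q, r - 1),
          "ok at +radius:", roundtrip_with_noise(msg, m, nbar, D, q, r))
```

The point of roundtrip_with_noise is the boundary: with the Frodo640 values the radius is 4096, an error of 4095 on every entry decodes correctly, and an error of +4096 flips every entry. Decryption correctness of FrodoPKE is therefore a statement about the distribution of δ_U relative to this radius, not about the encoding itself.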

Conclusions and Discussion
In this paper, we developed a quantum algorithm to recover the key of LWE-based NIST candidate PKEs. Based on the improved quantum algorithm for solving LWE, we considered the success probability for solving the quantum LWE problem when the noise follows a discrete Gaussian distribution. Then, we proposed a new quantum key-recovery attack algorithm and gave a specific analysis for FrodoPKE. Compared with the existing algorithm [22], our algorithm reduces the number of oracle calls while keeping the same success probability.
In reality, a key is usually misused only for a very short time, which makes the number of queries the primary optimization goal of a misuse attack. If during this short time an adversary can make only one oracle query, a misuse attack that requires four queries does not work for that adversary. Our algorithm, however, needs only one query to recover the key with probability 1. Therefore, the fewer oracle queries required, the greater the advantage for an adversary.