Hello. Jan-Pieter, Mélissa and I will be presenting "(One) failure is not an option: bootstrapping the search for failures in lattice-based encryption schemes". In 2017, the National Institute of Standards and Technology started a process to standardize post-quantum cryptographic primitives. Nine of the remaining candidates for public-key encryption are lattice-based. Lattice-based schemes are not necessarily perfectly correct: sometimes, an honestly generated ciphertext can fail to decrypt to the correct message. We refer to these as failing ciphertexts, or decryption failures. Out of these nine candidates, seven present a small failure probability. Parametrizing a scheme such that it presents a non-zero failure probability is a design choice. In general, it is easier to find parameters with some low failure probability, allowing for more flexibility. For example, it can allow for schemes with smaller ciphertexts and/or public keys, with smaller sizes sometimes resulting in faster implementations. On the other hand, decryption failures leak information about the secret key. In the non-ephemeral setting, observing a decryption failure can greatly aid an attacker, facilitating lattice reduction attacks. Hence, it is crucial to have a good understanding of how hard it is to find decryption failures in a chosen ciphertext scenario. In order to break a scheme using decryption failures, usually more than one failing ciphertext is required. In previous work, approaches to accelerate the search for decryption failures, such as failure boosting, treated each failing ciphertext search independently. In the single-target setting, this resulted in the overall cost of the attack being linear in the number of failing ciphertexts required. In our work, we introduce a new approach called directional failure boosting, which results in the total cost of the single-target attack being dominated by the cost of finding the first failing ciphertext. Before introducing directional failure boosting, we now cover some preliminaries. Let R_q be a power-of-two cyclotomic ring, with polynomials having coefficients in Z_q. Let A be an l-by-l matrix of polynomials sampled uniformly at random from R_q. Let S and E be vectors of dimension l over R_q, whose coefficients are sampled from a narrow distribution around zero; we say such vectors are short. Let B be the result of A times S plus E. We call the pair (A, B) a module learning with errors sample. From these, we can define two computationally hard problems. The search module learning with errors problem requires finding S from the pair (A, B), while the decision module learning with errors problem requires deciding whether a pair (A, B) comes from the distribution above or was sampled uniformly. From these problems, we can construct a public-key encryption scheme using the following protocol. Let A and B be Alice's public key. If Bob wants to encrypt a message M to Alice, he can use her public key and some freshly generated short vectors S prime, E prime and E double prime to generate new module learning with errors samples B prime and V prime. The latter contains an encoding of his message in the high-order bits of each of the polynomial's coefficients. Alice can then use her secret vector S to recover an approximation of the message M, by exploiting the fact that the terms in red and blue are small. She does this by rounding the approximation to recover the message from the high-order bits. In our work, we take inspiration from two NIST candidates, Kyber and Saber.
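To make the protocol just described concrete, here is a minimal Python sketch of such an MLWE-based encryption scheme. The parameters (n = 16, rank l = 2, q = 3329) and the uniform small-coefficient sampler are illustrative choices for readability only, not the parameters of Kyber, Saber, or the scheme analyzed in the paper.

```python
import numpy as np

# Toy parameters for readability only; real schemes use e.g. n = 256, rank 3.
n, l, q, eta = 16, 2, 3329, 2
rng = np.random.default_rng(0)

def small_poly():
    # "Short" polynomial: coefficients uniform in [-eta, eta] (illustrative sampler).
    return rng.integers(-eta, eta + 1, n)

def polymul(a, b):
    # Schoolbook multiplication in Z_q[x]/(x^n + 1) (negacyclic convolution).
    res = np.zeros(n, dtype=np.int64)
    for i in range(n):
        for j in range(n):
            if i + j < n:
                res[i + j] += a[i] * b[j]
            else:
                res[i + j - n] -= a[i] * b[j]   # x^n = -1
    return res % q

def dot(u, v):
    # Inner product of two vectors of polynomials.
    acc = np.zeros(n, dtype=np.int64)
    for ui, vi in zip(u, v):
        acc = (acc + polymul(ui, vi)) % q
    return acc

def keygen():
    A = rng.integers(0, q, (l, l, n))                   # uniform matrix over R_q
    s = [small_poly() for _ in range(l)]                # short secret S
    e = [small_poly() for _ in range(l)]                # short error E
    b = [(dot(A[i], s) + e[i]) % q for i in range(l)]   # B = A*S + E
    return (A, b), s

def encrypt(pk, m_bits):
    A, b = pk
    sp = [small_poly() for _ in range(l)]               # S'
    ep = [small_poly() for _ in range(l)]               # E'
    epp = small_poly()                                  # E''
    bp = [(dot(A[:, i], sp) + ep[i]) % q for i in range(l)]  # B' = A^T S' + E'
    # V' = B^T S' + E'' + encode(M): message bits go in the high-order bits.
    vp = (dot(b, sp) + epp + (q // 2) * np.asarray(m_bits)) % q
    return bp, vp

def decrypt(sk, ct):
    bp, vp = ct
    approx = (vp - dot(bp, sk)) % q                 # encode(M) plus small noise
    centered = ((approx + q // 2) % q) - q // 2     # lift to (-q/2, q/2]
    return (np.abs(centered) > q // 4).astype(int)  # round the noise away

pk, sk = keygen()
msg = rng.integers(0, 2, n)
assert np.array_equal(decrypt(sk, encrypt(pk, msg)), msg)
```

With these toy parameters the noise term is always below q/4, so decryption never fails; real parameter sets push the noise close enough to the threshold that failures occur with small probability.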
We looked at their rank 3 parameter sets to design a similarly specced module learning with errors scheme. This scheme should provide similar resistance to known classical and quantum cryptanalytic attacks, while being simpler to analyze due to the lack of error-correcting codes on the message and of compression on the ciphertext. The failure probability is also low, on the order of 2 to the minus 119. Looking now in detail at the decryption step of the public-key encryption protocol, we can see that successful decryption depends on the small additive term staying small enough to be rounded away. By defining new vectors, capital S for the secret key and capital C for the ciphertext, as concatenations of the long-term and ephemeral short vectors S, E, E prime and S prime, and by noticing that the ephemeral term E double prime is much smaller than the other two additive terms, we can treat the failure condition as a geometric one: a ciphertext will fail to decrypt if the absolute value of its inner product with the long-term secret key is larger than Q over 4. In the chosen plaintext setting, attackers are allowed to precisely craft their ciphertexts to maximize the probability of causing a decryption failure. However, we work in the chosen ciphertext setting, where designers usually apply an off-the-shelf transform (typically a Fujisaki-Okamoto-style transform) that forces the adversary to honestly follow the encryption procedure, preventing ciphertext crafting. Mélissa Rossi will now go into the details of failure boosting attacks. I will present our attack, starting with the failure boosting technique. It was introduced by Jan-Pieter and his co-authors in a previous paper, and we give here a geometric interpretation. For simplicity, we will represent everything in dimension 2. Let's consider our failure condition, expressed through the absolute value of a scalar product, as presented by Fernando. This scalar product can be expanded as the product of the norm of S, the norm of C, and the absolute value of the cosine of the angle between S and C. Here, only the norm of C can be known. Let us look at this condition in more detail. There is this unknown secret vector S. If by chance our vector C is aligned with it, the scalar product is large. The scalar product gets smaller depending on the orientation of C; if it is orthogonal, we get 0. The norm of C also has an effect: the larger it gets, the larger the scalar product is. Knowing the threshold of Q over 4, we can draw on the plane the zone where the failures happen. We present this zone in gold here, and this is where we want our C to end up. But we have a twofold problem here. First, we don't know where the gold zone is, because it depends on the secret S. And secondly, even if we knew where the gold zone was, as Fernando was explaining, in this attack we have no choice but to generate random ciphertexts C following the honest distribution. It is presented in green here. The very small proportion of honestly generated failing ciphertexts lies in the intersection of the green and the gold. We see that it only concerns the fraction of ciphertexts whose norm is not too small. In the failure boosting attack, in a precomputation phase, we first generate many random ciphertexts following the protocol. Once we have them, we filter them and keep the ones that have good chances of causing a failure for an average S. This means that we keep the larger ones. We end up with the original distribution without its center part. This precomputation is expensive, and we define the cost of finding one weak ciphertext as W precalc.
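As a rough illustration of failure boosting, here is a small Monte Carlo sketch in a simplified geometric model, where the secret and the ciphertexts are Gaussian vectors and a "failure" is an inner product exceeding a threshold. The dimension, threshold, and filtering quantile are made-up values chosen so that failures are visible in a quick simulation; they are not the paper's parameters.

```python
import numpy as np

# Simplified geometric model: secret S and ciphertexts C are Gaussian vectors
# in dimension d, and a "decryption failure" means |<S, C>| > T.
rng = np.random.default_rng(1)
d, T, trials = 64, 24.0, 200_000

S = rng.standard_normal(d)                 # the unknown secret
C = rng.standard_normal((trials, d))       # honestly generated ciphertexts

fails = np.abs(C @ S) > T
print("failure rate, no filtering:    ", fails.mean())

# Precomputation phase: keep only "weak" ciphertexts, i.e. the largest ones
# (here the top 1% by norm); only those are submitted for decryption.
norms = np.linalg.norm(C, axis=1)
weak = norms > np.quantile(norms, 0.99)
print("failure rate among weak (beta):", fails[weak].mean())
# The total cost per failure is then W_precalc times 1/beta.
```

In this toy model the norm filter raises the conditional failure probability by a small constant factor; in the real attack the same effect, driven by the same geometry, is what makes weak ciphertexts worth the precomputation.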
In this example, we have found three weak ciphertexts. Now we submit our shortlist for decryption. Some of the ciphertexts may end up in the gold zone, which gives the desired failure. Not all of them do, and we denote the probability of a shortlisted ciphertext being a failure as beta. Therefore, the inverse of beta is the expected number of shortlisted weak ciphertexts required to obtain one failure. Finally, the total cost of obtaining one failure is W precalc times the inverse of beta. The number of decryption queries is also a parameter of the attack, and here the total expected number of queries is the inverse of beta. For example, for our chosen set of parameters, in order to get one failure we need 2 to the 113 work and 2 to the 102 queries. In this work, we asked how to find a second failure, and a third, and many more failures. Do we have to start all over again? Let us replay the attack for the first failure. We already have our shortlist of weak ciphertexts, and we submit them one by one. After several attempts, we get a ciphertext in the gold zone, which provides a failure. Our paper makes the following remark: we know from the figure that if we have a failure, the secret vector S, or its opposite, cannot be far. We essentially get a cone for the direction of S. This knowledge can help in finding other failures. Indeed, when we were looking for the first failure, we had no information about the cosine of the angle between S and C, because we did not know S. But now we have a hint about its direction, and this can be leveraged to refine the search for failures. Let me present the idea of directional failure boosting, which is a contribution of our paper. We still have our secret S, and the first obtained failure is denoted C0. We will modify the way we select our weak ciphertexts to take into account the directional information given by C0. Instead of a circular distribution, we will favor the ciphertexts that are close to our failure C0, by slightly relaxing the high-norm requirement around C0. Conversely, we will disfavor the ones that are orthogonal to it, by only selecting the very large ones. Thus, our weak ciphertext selection no longer consists of removing a centered disk, but a centered ellipsoid. If we intersect this new distribution with the gold zone, we see that the intersection is larger, so the failure probability beta has increased. Therefore, we have better chances of finding new failures. Suppose that this allows us to find another failure, denoted C1. If we combine the two failures together, we get a better estimate of the direction of the secret. With this estimate, denoted e, the attack can start again with a refined weak ciphertext selection, in other words, a better ellipsoid. All in all, this is a virtuous circle for the attacker. If we get one failure, we have a rough estimate of the direction of S. This estimate can be used to get more failures, which leads to a better estimate of the secret, which leads to even more failures, which leads to an even more accurate estimate of the secret, and so on; a toy sketch of this estimation loop is given below. We can stop when our estimate is precise enough to run lattice reduction attacks.
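Here is a toy Python sketch of that estimation loop, in the same simplified geometric model as before: each failing ciphertext is a vector with a fixed-size component along the secret direction, carrying an unknown sign, plus orthogonal noise, and averaging failures with matched signs sharpens the estimate of the direction of S. The direct construction of synthetic failures and all constants are illustrative assumptions, not the paper's procedure.

```python
import numpy as np

# Toy model of the virtuous circle: averaging failing ciphertexts, with their
# unknown signs matched against a running estimate, converges on +/- S.
rng = np.random.default_rng(2)
d, T = 64, 40.0

S = rng.standard_normal(d)
S_hat = S / np.linalg.norm(S)

def synthetic_failure():
    # Construct a failure directly instead of searching for one: orthogonal
    # Gaussian noise plus a component slightly above T/||S|| along +/- S_hat.
    c = rng.standard_normal(d)
    c -= (c @ S_hat) * S_hat
    return c + rng.choice([-1.0, 1.0]) * (1.05 * T / np.linalg.norm(S)) * S_hat

failures = [synthetic_failure() for _ in range(32)]

estimate = failures[0].copy()
for k, c in enumerate(failures[1:], start=2):
    # The sign of each new failure is unknown, so match it to the estimate.
    estimate += np.sign(estimate @ c) * c
    if k in (2, 4, 8, 16, 32):
        e = estimate / np.linalg.norm(estimate)
        print(f"{k:2d} failures: |cos(estimate, S)| = {abs(e @ S_hat):.3f}")
```

The printed cosine grows toward 1 as more failures are folded in, mirroring the better-ellipsoid, better-estimate cycle described above.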
Now, Jan-Pieter D'Anvers will discuss an issue that cannot be seen geometrically. There is a technical difficulty in the way we combine the ciphertexts together to get the estimate: S and C are not just vectors, but vectors of polynomials. This means that there are n possible locations where the failure could have occurred, one for each coefficient of the polynomial. Informally, we can represent each possible failure position with a vector. This gives us 2n vectors: there are n coefficients, and two signs, because each failure can be positive or negative. Only one of these vectors is responsible for the failure, and will give us a hint about the direction of the secret. But how can we find the correct vector? Imagine we have three failing ciphertexts, and we want to find, for each ciphertext, the vector representing the failure. If we take the inner product between two random vectors belonging to different ciphertexts, we will get values following some baseline distribution. However, if we take this inner product between two failing vectors, we expect a slightly higher output. Why is this? Well, we know that both vectors are highly correlated with the secret, and thus they will be at least slightly correlated with each other. So, if we start taking inner products between random vectors, we will notice slightly higher values between failing vectors. However, a higher correlation by itself is not enough to find failing vectors reliably. What we use instead is a technique called loopy belief propagation. We represent our problem as a fully connected graph, where each node represents a ciphertext. Each node contains a list of possible failure vectors and their probabilities, which are initially equal for each vector. Then, we start to take pairs of vectors from different nodes; if their inner product is high, it is more likely that they are the failing vectors, and their probabilities are slightly increased. If, on the other hand, their inner product is low, they are less likely to be failures, and their probabilities are decreased. By repeating this procedure for long enough, we end up assigning the highest probability to the correct failure vectors.
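The following is a highly simplified Python stand-in for this matching step, not the paper's exact procedure: a few "ciphertexts" each carry 2n candidate vectors, exactly one of which is correlated with a hidden secret, and a loopy-belief-propagation-style iteration on a fully connected graph uses pairwise inner products as evidence to raise the probability of the correct candidates. The evidence function exp(lam * |inner product|), the planted signal strength a, and all other parameters are ad hoc choices.

```python
import numpy as np

# Each node (failing ciphertext) has 2*n_pos candidate failure vectors;
# exactly one per node (index `truth`) is correlated with the hidden secret.
rng = np.random.default_rng(3)
d, n_pos, m, a, lam = 64, 8, 4, 6.0, 0.1

s = rng.standard_normal(d)
s /= np.linalg.norm(s)

truth = rng.integers(0, 2 * n_pos, m)
cands = rng.standard_normal((m, 2 * n_pos, d))
for i in range(m):
    cands[i, truth[i]] += a * s          # plant the secret-correlated vector

beliefs = np.full((m, 2 * n_pos), 1.0 / (2 * n_pos))
for _ in range(20):
    new = np.ones_like(beliefs)
    for i in range(m):
        for j in range(m):
            if i == j:
                continue
            # Evidence: a high |<v, w>| favors v and w both being failures.
            E = np.exp(lam * np.abs(cands[i] @ cands[j].T))
            new[i] *= E @ beliefs[j]     # message from node j to node i
        new[i] /= new[i].sum()           # renormalize the node's beliefs
    beliefs = new

print("true indices:     ", truth)
print("recovered indices:", beliefs.argmax(axis=1))
```

Because every node reinforces every other node's correct candidate, the beliefs concentrate on the planted vectors after a few iterations, which is the qualitative behavior the attack relies on.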
Now that we have developed these new tools to improve decryption failure attacks, what can we do with them? In a single-target attack, we consider only one target. In a typical decryption failure attack, one would recover a number of failing ciphertexts, let's say 100 or 200, and then use them to reconstruct the secret. In the traditional approach, finding each failure has approximately the same cost, and thus the cost rises linearly in the number of required ciphertexts. Using our technique, the first failure has the same cost, but subsequent failures require much less work and fewer queries to find, and the reduction is so dramatic that the cost is essentially dominated by the search for the first failure. Now, in a practical attack, there is a limit on the number of possible queries to the decapsulation oracle. This is typically taken to be 2 to the 64. Restricting the attack to fewer than 2 to the 64 queries steeply increases its cost. One way around this limitation is to mount a multi-target attack. We query each target a maximum of 2 to the 64 times, but we consider 2 to the 64 targets, and our goal is to recover the secret of only one target. In this case, we have around 2 to the 128 queries available to find the first failure, after which we focus on that target and do directional failure boosting using the already found failing ciphertext. As you can see on the graph, the cost of the attack is no longer dominated by finding the first failure within at most 2 to the 128 queries, but by finding subsequent failures within 2 to the 64 queries, and that is exactly because of this 2-to-the-64 query limit. So, in a multi-target attack, the work is no longer dominated by finding the first failure, but by finding subsequent failures in under 2 to the 64 queries. To wrap up: in a single-target attack, an adversary should not be able to find even one decryption failure with high probability using fewer than 2 to the 64 queries. On the other hand, for a multi-target attack, finding one decryption failure is not devastating, but finding the follow-up failures in fewer than 2 to the 64 queries dominates the cost. We also want to stress that none of the NIST Round 2 schemes were harmed in the making of this paper. Let's look at some interesting future work. First, the loopy belief propagation method works fine for schemes like Saber or Kyber, but we do not know how it would behave for schemes with error correction, as the correlation between failures would be lower in that case. Secondly, we have tested failure boosting for lattice-based schemes, but the same methodology might be applicable to other families of schemes with decryption failures. Thirdly, we might be able to make the attack a few bits more efficient by fine-tuning the details of the multi-target attack. We would like to thank Alessandro Budroni and Harry G. Berg for their valuable help in the making of this paper, and the organizers of the post-quantum retreat in Oxford for bringing us together. Thanks for watching.