Dear authors, dear all,

The current reference implementation of KEM LOTUS128 fails to achieve CCA security.
Indeed, similarly to Odd Manhattan, even though the verification of the ciphertext is performed, when it fails, the shared secret is not modified. As such, it is also possible to run a new CCA attack where one discards the return flag and exploits what is in ss to recover the matrix S row by row.
Find attached an attack script to be put in the Reference_Implementation/kem/lotus128/ directory and to run as follows:
$ gcc -O3 -lcrypto lwe-arithmetics.c crypto.c rng.c pack.c sampler.c kem.c cpa-pke.c attack.c -o attack
$ ./attack
(Note that you also need to add the files rng.c and rng.h from NIST.)
This attack can be avoided if proper action is taken in case of failure.
Kind regards,
Tancrède Lepoint.
PS: I did not try, but this attack may apply directly to kem/lotus192 and kem/lotus256
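The following is an added illustration (not part of the email above, and not LOTUS code) of the decapsulation pattern the message describes and of the "proper action in case of failure" it asks for. It uses a constructed toy PKE (a 32-byte key, encryption of m with coins r is (r, m XOR PRF(key, r)); the same key plays both pk and sk, which is fine for demonstrating the KEM wrapper but is not a real public-key scheme) inside a Fujisaki-Okamoto-style KEM. `decaps_leaky` derives `ss` from the decrypted message and, on a failed re-encryption check, only sets the flag, so a caller who ignores the flag still sees a value that depends on the secret-key-dependent decryption of a malformed ciphertext. `decaps_hardened` instead returns a pseudorandom value derived from a rejection secret `z` and the ciphertext alone (implicit rejection), so nothing about the decryption result reaches the caller. All names and the hash-based helpers are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy PKE standing in for the CPA-secure PKE under a KEM.
# NOT the LOTUS scheme: one 32-byte key serves as both pk and sk.
MSG_LEN = 32


def toy_keygen():
    """Return (pke_key, z). z is the implicit-rejection secret kept in the KEM secret key."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def toy_pke_enc(key, m, r):
    """Deterministic encryption of m under coins r: c = r || (m XOR PRF(key, r))."""
    pad = hmac.new(key, r, hashlib.sha256).digest()
    return r + bytes(a ^ b for a, b in zip(m, pad))


def toy_pke_dec(key, c):
    """Recover m from c; a malformed c still yields some m' (no failure signal)."""
    r, masked = c[:32], c[32:]
    pad = hmac.new(key, r, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(masked, pad))


def coins(m):
    """FO transform: encryption coins are derived from the message, G(m)."""
    return hashlib.sha256(b"G" + m).digest()


def kdf(m, c):
    """Shared-secret derivation H(m, c)."""
    return hashlib.sha256(b"H" + m + c).digest()


def encaps(key):
    m = secrets.token_bytes(MSG_LEN)
    c = toy_pke_enc(key, m, coins(m))
    return c, kdf(m, c)


def decaps_leaky(key, z, c):
    """The flawed pattern: ss computed from m' before the check and left
    untouched on failure, so only the flag distinguishes a bad ciphertext."""
    m_prime = toy_pke_dec(key, c)
    ss = kdf(m_prime, c)                      # depends on secret-dependent m'
    if toy_pke_enc(key, m_prime, coins(m_prime)) != c:
        return 1, ss                          # flag set, ss still leaks m'
    return 0, ss


def decaps_hardened(key, z, c):
    """Implicit rejection: on failure return PRF(z, c), which does not depend
    on the decryption result. Both candidates are computed before selecting
    so the work done does not reveal which branch was taken (true constant
    time needs a native implementation; Python only sketches the shape)."""
    m_prime = toy_pke_dec(key, c)
    ok = hmac.compare_digest(toy_pke_enc(key, m_prime, coins(m_prime)), c)
    ss_good = kdf(m_prime, c)
    ss_reject = hmac.new(z, c, hashlib.sha256).digest()
    return (0, ss_good) if ok else (1, ss_reject)


def compare_on_tampered_ciphertext(key, z):
    """Decapsulate one constructed malformed ciphertext (last byte flipped)
    with both variants and report what each reveals about m'."""
    c, _ = encaps(key)
    tampered = bytearray(c)
    tampered[-1] ^= 0x01                      # constructed corruption
    tampered = bytes(tampered)
    m_prime = toy_pke_dec(key, tampered)      # what the PKE "decrypts" to
    flag_l, ss_l = decaps_leaky(key, z, tampered)
    flag_h, ss_h = decaps_hardened(key, z, tampered)
    return {
        "leaky_flag": flag_l,
        "leaky_ss_reveals_m_prime": ss_l == kdf(m_prime, tampered),
        "hardened_flag": flag_h,
        "hardened_ss_is_prf_of_z_and_c": ss_h == hmac.new(z, tampered, hashlib.sha256).digest(),
        "hardened_ss_hides_m_prime": ss_h != kdf(m_prime, tampered),
    }


if __name__ == "__main__":
    key, z = toy_keygen()
    for name, value in compare_on_tampered_ciphertext(key, z).items():
        print(f"{name}: {value}")
```

The point of the comparison is the third and fifth results: with the leaky variant an observer who ignores the return flag obtains H(m', c) for a ciphertext of their choosing, and m' is a function of the secret key, which is exactly the oracle the email exploits; with implicit rejection every rejected ciphertext yields a value that is uniformly unpredictable without z and carries no information about m'. Overwriting ss with such a value (or, if the API is to remain fail-explicit, with fresh randomness) is the "proper action in case of failure" the message refers to.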