Subject: [pqc-forum] OFFICIAL COMMENT: HK17 From: "D. J. Bernstein" Reply-To: authorcontact-hk17@box.cr.yp.to Date: 25 Dec 2017 17:15:41 -0000 To: pqc-forum@list.nist.gov Cc: pqc-comments@nist.gov Message-ID: <20171225171541.13354.qmail@cr.yp.to> Dear designers, dear all, The following attack script breaks HK17 for all proposed parameters. Specifically, this script breaks the Python key-exchange implementation included in the HK17 submission. This key-exchange implementation appears to match the intent of the HK17 documentation, except that the documentation includes a normalization step; this step does not affect the attack. This attack takes p+1 simple computations (and is a search so Grover's algorithm is applicable, but all proposed parameters are small enough to be broken by a non-quantum attack). For comparison, the submission says * 2^64 pre-quantum security for p=251, * 2^128 pre-quantum security for p=65521, * 2^256 pre-quantum security for p=4294967291, and * 2^512 pre-quantum security for p=18446744073709551557. Our attack takes about 2^8, 2^16, 2^32, and 2^64 simple computations for these parameter sets. For simplicity the attack script focuses on the case that the public key rA is invertible, which occurs almost all of the time. Slightly more work should be able to handle the occasional exceptions. To use this script, save the following Python code as break.py; copy octonions.py from the HK17 submission to octonions.py in this directory; copy HK17-O.py from the HK17 submission to ref.py in this directory; and run "python break.py". ---Daniel J. Bernstein and Tanja Lange import octonions import ref import sys p = ref.modulo print ref.message print ref.times print "eve observes public parameters and alice's public key:" print 'oa =',ref.oa print 'ob =',ref.ob print 'rA =',ref.rA def modprecip(x): x %= p if x == 0: raise Exception('dividing by 0') return pow(x,p-2,p) def octonionrecip(x): xnormsq = sum(xi**2 for xi in x) % p xconj = (x[0],-x[1],-x[2],-x[3],-x[4],-x[5],-x[6],-x[7]) return octonions.scale(xconj,modprecip(xnormsq),p) try: rArecip = octonionrecip(ref.rA) except: raise Exception('public key is not invertible, skipping this case for simplicity') try: obrecip = octonionrecip(ref.ob) except: raise Exception('ob is not invertible, should have caught from rA test') assert octonions.multiply(obrecip,ref.ob,p) == (1,0,0,0,0,0,0,0) # goal: write rA as x*ob*y for some x,y in \F_p[oa] # this forces x to be in \F_p + oa\F_p # wlog take x to be 1 or in \F_p + oa for i in range(p): for j in [0,1]: if j == 0 and i != 1: continue x0 = (i,0,0,0,0,0,0,0) x1 = octonions.scale(ref.oa,j,p) x = octonions.summ(x0,x1,p) try: xrecip = octonionrecip(x) except: continue t = octonions.multiply(xrecip,ref.rA,p) # goal: write t as ob*y for some y in \Z[oa] y = octonions.multiply(obrecip,t,p) if octonions.multiply(y,ref.oa,p) == octonions.multiply(ref.oa,y,p): print "eve's secret key:",x,y print "now eve looks at bob's ciphertext (DH public key):" print 'rB =',ref.rB k = octonions.multiply(x,octonions.multiply(ref.rB,y,p),p) print "eve's session key =",k print 'now peek at secrets to verify attack worked:' print "alice's session key =",ref.k1 print "bob's session key =",ref.k2 sys.exit(0) -- You received this message because you are subscribed to the Google Groups "pqc-forum" group. To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov. Visit this group at https://groups.google.com/a/list.nist.gov/group/pqc-forum/.