Abstract

Modern cryptography is based on various building blocks such as one-way functions with or without trapdoors, pseudo-random functions, one-way permutations with or without trapdoors, etc. In a quantum world some of the main candidates for these building blocks are broken. For instance, the security of the most popular public-key cryptosystem—RSA—is related to the difficulty of factoring large numbers, and is broken (in principle) by a quantum computer. We investigate some of the remaining candidates, and discuss the resulting “Post-Quantum Cryptography” (namely, the resulting “modern cryptography in a quantum environment”). About half a decade ago Ajtai and Dwork (and later on, also Goldreich, Goldwasser and Halevi) proposed a public key cryptosystem that has proven security under a plausible complexity assumption. The plausible assumption is that the so-called unique shortest vector problem (u-SVP) is hard in the worst case. This problem is potentially still hard in a quantum environment as well. Recently, Regev introduced a new (and much simpler) public key cryptosystem, based on the same u-SVP hardness assumption, but with improved parameters. In this paper we present chosen ciphertext attacks (CCA) against all three cryptosystems. Our attack shows that these cryptosystems are totally insecure against CCA, because the private keys can be recovered in polynomial time. We then discuss the possibility of making public key encryption (PKE) secure against CCA, without adding stronger assumptions than the assumption that u-SVP is hard. We conclude that the current understanding of modern cryptography in a quantum environment can only suggest CCA-secure interactive-PKE, which is obviously weaker than CCA-secure PKE. Finally, we discuss the relation of our attack to the reaction attack of Hall, Goldberg and Schneier, which we only recently became aware of.
