Key Reuse Attacks on Post-quantum Cryptosystems, Revisited

The Computer Journal (2024)

Abstract
The National Institute of Standards and Technology (NIST) has been working on the standardization of post-quantum cryptography and is approaching the end of its round-3 evaluation of algorithms. Key reuse security evaluation is an important part of algorithm evaluation. In order to evaluate the key reuse security of candidate IND-CPA PKEs, at Eurocrypt'19 Băetu et al. proposed a classical key recovery under plaintext checking attack (KR-PCA), which can recover reused secret keys by querying an oracle thousands of times. However, the method does not work for cryptosystems that shorten ciphertexts by rounding off the low bits, such as the round-3 finalists Kyber and Saber. Subsequently, Dumittan and Vaudenay (ACNS'20) and Qin et al. (ASIACRYPT'21) came up with new effective methods, which require carefully constructed queries. In this paper, we propose an automatic method to recover the reused secret keys of the IND-CPA PKEs in Kyber and Saber. Instead of constructing queries carefully, our method uses automated search combined with an optimized brute force. The effect and cost of the method depend on the specific parameters. In particular, we can recover the secret keys after thousands of queries in all parameter sets, which is comparable with the current best result.
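The key-reuse idea the abstract builds on, as an added toy example that is not from the paper and is neither the paper's automated method nor Kyber or Saber: a plain-LWE one-bit PKE, a plaintext-checking oracle on a reused key, binary-search recovery of each secret coefficient, and what the reachable queries look like once the second ciphertext component is compressed to a few bits. The scheme, its parameters (q = 3329, n = 8, η = 2, 4-bit compression) and the sample key are all constructed for illustration and have no security value.

```python
"""Toy key-reuse attack through a plaintext-checking oracle (PCO).

Constructed illustration, not the paper's method and not Kyber or Saber: a
minimal Regev/Lindner-Peikert style 1-bit PKE over Z_q with a plain LWE secret.
It shows the generic KR-PCA idea (a PCO on a reused key becomes a comparison
oracle on one secret coefficient) and why rounding off low ciphertext bits
leaves the naive query set too coarse to pin the coefficient down.
"""
import random

Q = 3329            # modulus (Kyber's q, reused only for familiarity)
N = 8               # toy LWE dimension; hopelessly insecure, chosen for readability
ETA = 2             # secret and noise coefficients lie in [-ETA, ETA]
T0 = (Q + 3) // 4   # ceil(q/4): the smallest v with decode(v) == 1

def small(n, rng):
    return [rng.randint(-ETA, ETA) for _ in range(n)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def decode(v):
    """1-bit decoder round(2v/q) mod 2: returns 1 exactly for v in [ceil(q/4), floor(3q/4)]."""
    return ((4 * (v % Q) + Q) // (2 * Q)) % 2

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small(N, rng), small(N, rng)
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]      # b = A s + e
    return (A, b), s

def encrypt(pk, m, rng):
    A, b = pk
    r, e1, e2 = small(N, rng), small(N, rng), rng.randint(-ETA, ETA)
    c1 = [(dot([A[j][i] for j in range(N)], r) + e1[i]) % Q for i in range(N)]  # A^T r + e1
    c2 = (dot(b, r) + e2 + m * ((Q + 1) // 2)) % Q                               # <b,r> + e2 + m*q/2
    return c1, c2

def decrypt(sk, ct):
    c1, c2 = ct
    return decode(c2 - dot(c1, sk))   # noise <e,r> - <e1,s> + e2 stays far below q/4 for N=8

def make_pco(sk):
    """The victim keeps reusing sk and leaks whether a ciphertext decrypts to m."""
    return lambda ct, m: decrypt(sk, ct) == m

def recover_coeff(pco, i, eta=ETA):
    """Binary-search s_i with about log2(2*eta+1) PCO queries.

    With c1 = e_i (unit vector) and c2 = T0 + t the victim computes
    decode(T0 + t - s_i), which for small |t|, |s_i| equals [s_i <= t].
    """
    c1 = [0] * N
    c1[i] = 1
    lo, hi = -eta, eta
    while lo < hi:
        t = (lo + hi) // 2
        if pco((c1, (T0 + t) % Q), 1):   # "does it decrypt to 1?"  <=>  s_i <= t
            hi = t
        else:
            lo = t + 1
    return lo

def recover_secret(pco):
    return [recover_coeff(pco, i) for i in range(N)]

def decompress(u, d):
    """Receiver-side view of a d-bit compressed c2: round(q * u / 2^d), rounding half up."""
    return ((2 * Q * u + 2 ** d) // 2 ** (d + 1)) % Q

def candidates_under_compression(pco, i, d, eta=ETA):
    """Values of s_i still consistent with every c2 the attacker can reach when c2 is d-bit compressed."""
    c1 = [0] * N
    c1[i] = 1
    cands = set(range(-eta, eta + 1))
    for u in range(2 ** d):
        t = decompress(u, d) - T0
        if abs(t) > Q // 8:            # outside this window decode wraps and the model [s_i <= t] fails
            continue
        ans = pco((c1, (T0 + t) % Q), 1)
        cands = {s for s in cands if (s <= t) == ans}
    return sorted(cands)

def demo(seed=7):
    """Run every stage on a fresh key pair and return what each one established."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    roundtrip_ok = all(decrypt(sk, encrypt(pk, m, rng)) == m for m in (0, 1) for _ in range(16))
    pco = make_pco(sk)
    return {"sk": sk, "roundtrip_ok": roundtrip_ok, "recovered": recover_secret(pco),
            "coarse": [candidates_under_compression(pco, i, 4) for i in range(N)]}

if __name__ == "__main__":
    out = demo()
    print("secret    :", out["sk"])
    print("recovered :", out["recovered"])
    print("with c2 compressed to 4 bits, each s_i is only narrowed to:", out["coarse"])
```

With uncompressed ciphertexts the oracle answers a clean "is s_i <= t?" question, so a handful of queries per coefficient suffices. Once c2 is transmitted as 4 bits, the only submittable values near the decision boundary are about q/16 apart, and in this toy the attacker learns nothing beyond the sign of each coefficient; that is the gap the carefully constructed queries of the cited works, and the automated search described in the abstract, are designed to close.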
Keywords
PKE,NIST,post quantum,lattice-based,active attack,key reuse