Verifiable Decapsulation: Recognizing Faulty Implementations of Post-quantum KEMs

Verifiable Decapsulation: Recognizing Faulty Implementations of Post-quantum KEMs

연구 분야: Cryptography

학회: Annual International Cryptology Conference

Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification step is the re-encryption check in the Fujisaki–Okamoto (\(\textsf{FO}\)) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST’s PQC standardization process. In KEMs built from \(\textsf{FO}\), decapsulation performs a re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw was present in \(\textsf{HQC}\) ’s reference implementation and was only noticed after 19 months. In this work, we develop a modified \(\textsf{FO}\) transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the “verifiable verification” methodology of Fischlin and Günther (CCS 2023) to the context of \(\textsf{FO}\)-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified \(\textsf{FO}\) transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We show how to apply this technique to \(\textsf{ML}\text {-}\textsf{KEM}\) and \(\textsf{HQC}\), both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data. Our experiments show that the implementation flaw in \(\textsf{HQC}\) ’s reference implementation indeed makes basic test cases fail when following our approach.