We show that HILA5 is not secure against chosen-ciphertext attacks. Specifically, we demonstrate a key-recovery attack on HILA5 using an active attack on reused keys. The attack works around the error correction in HILA5. The attack applies to the HILA5 key-encapsulation mechanism (KEM), and also to the public-key encryption mechanism (PKE) obtained by NIST's procedure for combining the KEM with authenticated encryption. This contradicts the most natural interpretation of the IND-CCA security claim for HILA5.

| Original language | English |
|---|---|
| Place of Publication | s.l. |
| Publisher | IACR |
| Number of pages | 14 |
| Publication status | Published - 2017 |
| Name | Cryptology ePrint Archive |
| Volume | 2017/1214 |