
I have been studying the CRYSTALS-KYBER cryptosystem and came across the description of a Decryption Failure Attack in the paper. The specific part (Section 5.5 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf) that caught my attention is:

An attacker searches through many different values of m (see line 1 of Alg. 8) until he finds one that produces random coins r (line 3 of Alg. 8) that lead to a decapsulation failure, which will give the attacker information about the secret key.

Encapsulation and Decapsulation Algorithm of KYBER

Here are my questions:

How does the adversary detect a decapsulation failure in a real-time attack? According to the algorithm, in both cases—whether a decapsulation failure occurs or not—the decapsulating party receives a 0/1 bit string. Without explicitly verifying the result with the encapsulating party, how would an adversary distinguish between a decryption failure and success?

How does a detected decapsulation failure leak information about the secret key? Even if the adversary identifies a specific message $m$ that causes a decapsulation failure, how does this failure translate into revealing partial or full information about the secret key?

Thank you for consideration and any help.

ABCD

1 Answer


The first question is simple enough to answer. The adversary has run Algorithm 8 and therefore has the value $K$ which is the intended shared secret given successful decapsulation. In the case of successful decapsulation (i.e. when the predicate at line 7 of Algorithm 9 is true), Algorithm 9 returns the same value; in the case of unsuccessful decapsulation Algorithm 9 returns a different value. Any usage of $K$ will then allow the adversary to determine whether there is a shared value or two distinct values in use.

An answer to the second question is more complex, but I can sketch out the idea. A decapsulation failure means that the $m'$ value in Algorithm 9 is not equal to the input $m$ to Algorithm 8. Going to Algorithm 6 in the specification (ignoring the NTT obfuscation), $m'$ is calculated as $$\mathrm{Encode}_1(\mathrm{Compress}_q(v-\mathbf s^T\mathbf u,1))$$ where $v$ is from Algorithm 5 $$v=\mathbf t^T\mathbf r+e_2+\mathrm{Decompress}_q(\mathrm{Decode}_1(m),1).$$ Failure therefore means that there is more variation between $\mathbf t^T\mathbf r+e_2$ and $\mathbf s^T\mathbf u$ than the decompression and decode processes can cope with. The values $\mathbf t$, $\mathbf r$, $e_2$, and $\mathbf u$ are all known to the adversary and $\mathbf s$ is the secret key about which they wish to acquire information. In particular then, this allows them to test whether candidate $\mathbf s$ values would or would not trigger variation in the compress and encode routines, which is information about $\mathbf s$. The information extraction can be made more sophisticated.

Daniel S
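The algebra in the answer above, worked through on a toy "Kyber-shaped" scheme. This is an added example, not code from the Kyber specification or from the answerer: it keeps the equations $\mathbf t=\mathbf A\mathbf s+\mathbf e$, $\mathbf u=\mathbf A^T\mathbf r+\mathbf e_1$, $v=\mathbf t^T\mathbf r+e_2+\mathrm{Decompress}_q(m,1)$, $m'=\mathrm{Compress}_q(v-\mathbf s^T\mathbf u,1)$, but uses a ring of degree 8 instead of 256, omits the NTT, and omits the compression of $\mathbf u$ and $v$ that real Kyber applies (so the only noise source is $\mathbf e^T\mathbf r+e_2-\mathbf s^T\mathbf e_1$). The parameter values, the seeded RNG, and the out-of-distribution `e1` coefficient of 900 in `constructed_failure` are all constructed for illustration; honest centred-binomial noise at this toy size can never reach the $q/4$ rounding boundary, so a failure has to be manufactured to show the mechanics.

```python
"""Toy Kyber-shaped PKE (constructed example, not the reference code):
no NTT, no compression of t/u/v, N=8 instead of 256. It exists to show that
    v - s^T u = Decompress_q(m, 1) + (e^T r + e2 - s^T e1)   (mod q)
and that decryption fails exactly when that noise term pushes a coefficient
across the rounding boundary of Compress_q(., 1)."""
import random

Q = 3329   # Kyber's modulus
N = 8      # toy ring degree (Kyber: 256)
K = 2      # toy module rank (Kyber: 2, 3 or 4)
ETA = 2    # centred binomial parameter for the small vectors


def poly_mul(a, b):
    """Multiply in Z_q[x]/(x^N + 1): negacyclic convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j >= N:                       # x^N = -1 wraps with a sign flip
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
            else:
                out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def vec_dot(a, b):
    """Inner product of two length-K vectors of ring elements."""
    acc = [0] * N
    for ai, bi in zip(a, b):
        acc = poly_add(acc, poly_mul(ai, bi))
    return acc


def centred(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def compress1(x):
    """Compress_q(x, 1) = round(2x/q) mod 2, rounding half up."""
    return ((4 * x + Q) // (2 * Q)) % 2


def decompress1(bit):
    """Decompress_q(bit, 1) = round(q/2 * bit); gives 1665 for bit = 1."""
    return (2 * Q * bit + 2) // 4


def cbd(rng):
    """Centred binomial noise polynomial with coefficients in [-ETA, ETA]."""
    return [sum(rng.randint(0, 1) for _ in range(ETA))
            - sum(rng.randint(0, 1) for _ in range(ETA)) for _ in range(N)]


def random_matrix(rng):
    return [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]


def public_key(A, s, e):
    """t = A s + e."""
    return [poly_add(vec_dot(A[i], s), e[i]) for i in range(K)]


def keygen(rng):
    A = random_matrix(rng)
    s = [cbd(rng) for _ in range(K)]
    e = [cbd(rng) for _ in range(K)]
    return (A, public_key(A, s, e)), (s, e)


def encrypt(pk, m_bits, r, e1, e2):
    """u = A^T r + e1,  v = t^T r + e2 + Decompress_q(m, 1)."""
    A, t = pk
    At = [[A[j][i] for j in range(K)] for i in range(K)]
    u = [poly_add(vec_dot(At[i], r), e1[i]) for i in range(K)]
    v = poly_add(poly_add(vec_dot(t, r), e2), [decompress1(b) for b in m_bits])
    return u, v


def decrypt(s, ct):
    """m' = Compress_q(v - s^T u, 1), coefficient by coefficient."""
    u, v = ct
    return [compress1(c) for c in poly_sub(v, vec_dot(s, u))]


def noise_term(s, e, r, e1, e2):
    """e^T r + e2 - s^T e1, centred: the gap between m and m' in the answer's terms."""
    w = poly_sub(poly_add(vec_dot(e, r), e2), vec_dot(s, e1))
    return [centred(c) for c in w]


def predict_failure(noise, m_bits):
    """True iff some coefficient's noise crosses the Compress_q(., 1) boundary (~q/4)."""
    return any(compress1((decompress1(b) + d) % Q) != b for b, d in zip(m_bits, noise))


def honest_roundtrip(seed):
    """Seeded key, message and CBD noise; returns (m' == m, predicted failure, max |noise|).
    With these toy bounds |noise| <= K*N*ETA^2*2 + ETA = 130 < 832, so it never fails."""
    rng = random.Random(seed)
    pk, (s, e) = keygen(rng)
    m = [rng.randint(0, 1) for _ in range(N)]
    r, e1, e2 = [cbd(rng) for _ in range(K)], [cbd(rng) for _ in range(K)], cbd(rng)
    ct = encrypt(pk, m, r, e1, e2)
    noise = noise_term(s, e, r, e1, e2)
    return decrypt(s, ct) == m, predict_failure(noise, m), max(abs(c) for c in noise)


def constructed_failure():
    """Manufactured noise (one coefficient of e1 set to 900, far outside CBD range).
    Returns (real decryption failed, failure predicted from the noise term,
    the all-zero candidate secret would have decrypted correctly): the outcome
    depends on s, which is the leakage the answer describes."""
    rng = random.Random(0)
    A = random_matrix(rng)
    zero = [[0] * N for _ in range(K)]
    s = [[1] + [0] * (N - 1), [0] * N]
    pk = (A, public_key(A, s, zero))
    m = [1] + [0] * (N - 1)
    e1 = [[900] + [0] * (N - 1), [0] * N]
    ct = encrypt(pk, m, zero, e1, [0] * N)
    noise = noise_term(s, zero, zero, e1, [0] * N)
    return decrypt(s, ct) != m, predict_failure(noise, m), decrypt(zero, ct) == m
```

`honest_roundtrip` shows the margin a parameter set is designed around: the centred noise stays far below the rounding boundary at 832, so $m'=m$ and `predict_failure` agrees with the real decryption. `constructed_failure` forces the noise across that boundary and shows that the failure event is a function of $\mathbf s$ (the true key fails, a different candidate does not), which is exactly why the specification keeps the failure probability negligible and why a KEM must not let the outcome of decapsulation be observable.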