Key Mismatch Attack on ThreeBears, Frodo and Round5.

In the last years, several key reuse attacks were proposed against Round 2 candidates of the NIST Post-Quantum Cryptography Standardization Process. In these attacks, the adversary has access to the key mismatch oracle which tells her if a given ciphertext decrypts to a given message under the targeted secret key. One of the so far non-targeted candidates is ThreeBears, which is a key encapsulation mechanism based on the integer module learning with errors (I-MLWE) problem. In this paper, we present a first key mismatch attack against the ThreeBears cryptosystem. Our attack recovers the whole secret key with probability of 100% and requires about 2(11) queries on average. Besides that, we use our technique to target other Round 2 candidates Frodo and Round5, and we improve the state-of-the-art results for them.