# Strongly secure authenticated key exchange from factoring, codes, and lattices


## Abstract

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a protocol that is secure against advanced attacks, such as key compromise impersonation and maximal exposure attacks, without relying on random oracles. HMQV, a state-of-the-art AKE protocol, achieves both efficiency and the strong security notion proposed by Krawczyk (we call it the \({\mathrm {CK}}^+\) model), which includes resistance to such advanced attacks. However, its security proof is given in the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resulting AKE protocol is \({\mathrm {CK}}^+\) secure in the standard model. The construction gives the first \({\mathrm {CK}}^+\) secure AKE protocols based on the hardness of the integer factorization problem, code-based problems, or learning with errors problems. In addition, instantiations under the Diffie–Hellman assumption or its variants can be proved strongly secure without non-standard assumptions such as \(\pi \)PRF and KEA1. Furthermore, we extend the \({\mathrm {CK}}^+\) model to the identity-based setting (the \({\hbox {id-CK}^+}\) model) and propose a generic construction of identity-based AKE (ID-AKE) from an identity-based KEM that satisfies \({\hbox {id-CK}^+}\) security. This construction leads to the first strongly secure ID-AKE protocols under the hardness of the integer factorization problem or learning with errors problems.

## Keywords

Authenticated key exchange, \({\mathrm {CK}}^+\) model, key encapsulation mechanism, identity-based authenticated key exchange

## Mathematics Subject Classification

94A60 Cryptography