Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10346)


Authenticated key exchange (AKE) plays a fundamental role in modern cryptography. To date, the HMQV protocol family is among the most efficient provably secure AKE protocols, and it has been widely standardized and deployed. Given recent advances in quantum computing, it would be desirable to develop a lattice-based analogue of HMQV for the possible upcoming post-quantum era. Towards this goal, a family of AKE schemes from ideal lattices was recently proposed at Eurocrypt 2015 [ZZD+15], which can be seen as an HMQV analogue based on the ring-LWE (RLWE) problem. It consists of a two-pass variant \(\Uppi_2\) and a one-pass variant \(\Uppi_1\).

As a supplement to its security analysis, we propose an efficient attack against \(\Uppi_1\), referred to as the small field attack (SFA) since it fully exploits the algebraic structure of the ring \(\mathcal{R}_q\) underlying RLWE. The SFA attack can efficiently recover the static private key of the victim party in \(\Uppi_1\), provided adversaries are allowed to register their own public keys. Such an assumption is reasonable in practice, but may not be allowed in the security model of \(\Uppi_1\) [ZZD+15]. We also show that it is hard for the victim party to even detect the attack in practice.



We are indebted to Daniel J. Bernstein for his great shepherding efforts and for many insightful suggestions, which have significantly improved this work. We also would like to thank the anonymous PQCrypto’17 reviewers for their valuable comments.


  1. [DARF16]
    Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S.: Leakage of signal function with reused keys in RLWE key exchange. IACR Cryptology ePrint Archive, 2016/1176 (2016)
  2. [DD12]
    Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-30057-8_3
  3. [DH76]
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  4. [DXL12]
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, 2012/688 (2012)
  5. [Flu16]
    Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, 2016/085 (2016)
  6. [GZ16]
    Gong, B., Zhao, Y.: Small field attack, and revisiting RLWE-based authenticated key exchange from Eurocrypt 15. IACR Cryptology ePrint Archive, 2016/913 (2016)
  7. [HK11]
    Halevi, S., Krawczyk, H.: One-pass HMQV and asymmetric key-wrapping. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 317–334. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19379-8_20
  8. [Kra05]
    Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). doi: 10.1007/11535218_33
  9. [LMQ+03]
    Law, L., Menezes, A., Qu, M., Solinas, J.A., Vanstone, S.A.: An efficient protocol for authenticated key agreement. Des. Codes Cryptogr. 28, 119–134 (2003)
  10. [LPR13a]
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)
  11. [LPR13b]
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_3
  12. [Reg09]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
  13. [ZZD+15]
    Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_24
  14. [ZZDS14]
    Zhang, J., Zhang, Z., Ding, J., Snook, M.: Authenticated key exchange from ideal lattices. IACR Cryptology ePrint Archive, 2014/589 (2014)
  15. [YZ13]
    Yao, A.C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: ACM CCS 2013, pp. 1113–1128 (2013)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Shanghai Key Laboratory of Data Science, School of Computer Science, Fudan University, Shanghai, China
  2. State Key Laboratory of Cryptology, Beijing, China
