Two-Message Key Exchange with Strong Security from Ideal Lattices

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)

Abstract

In this paper, we first revisit the generic two-message key exchange (TMKE) scheme (which will be referred to as KF) introduced by Kurosawa and Furukawa (CT-RSA 2014). This protocol is mainly based on key encapsulation mechanism (KEM) which is assumed to be secure against chosen plaintext attacks. However, we find out that the security of the KF protocol cannot be reduced to IND-CPA KEM. The concrete KF protocol instantiated from ElGamal KEM is even subject to key compromise impersonation attacks. In order to overcome the flaws of the KF scheme, we introduce a new generic TMKE scheme from KEM. Instead, we require that the KEM should be secure against one-time adaptive chosen ciphertext attacks. We call this class of KEM as OTKEM. In particular, we propose a new instantiation of OTKEM from Ring Learning with Errors problem in the standard model. This yields a concrete post-quantum TMKE protocol with strong security. The security of our TMKE scheme is shown in the extended Canetti-Krawczyk model with perfect forward secrecy.

Keywords

KCI attack Two-message key exchange Standard model Lattice Ring-LWE 

Notes

Acknowledgments

We would like to thank Kimmo U. Järvinen, and the anonymous referees for helpful comments and discussions. The first author is supported by the National Natural Science Foundation of China (Grant No. 11647097), and the Research Project of Academy of Finland (Grant No. 303578). The second author is supported by the National Key Research and Development Plan (Grant No. 2016YFB0800403), the National Natural Science Foundation of China (Grant No. 61772522), Youth Innovation Promotion Association CAS and Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035).

References

  1. 1.
    Alawatugoda, J., Stebila, D., Boyd, C.: Modelling after-the-fact leakage for key exchange. In: ASIACCS 2014, pp. 207–216. ACM Press (2014)Google Scholar
  2. 2.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_42 CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48329-2_21 Google Scholar
  4. 4.
    Bergsma, F., Jager, T., Schwenk, J.: One-round key exchange with strong security: an efficient and generic construction in the standard model. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 477–494. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46447-2_21 Google Scholar
  5. 5.
    Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In: ACM CCS 2016, pp. 1006–1018. ACM Press (2016)Google Scholar
  6. 6.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE S&P 2015, pp. 553–570. IEEE Computer Society Press (2015)Google Scholar
  7. 7.
    Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-70500-0_6 CrossRefGoogle Scholar
  8. 8.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44987-6_28 CrossRefGoogle Scholar
  9. 9.
    Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A., Vaikuntanathan, V.: Bounded CCA2-secure encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 502–518. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_31 CrossRefGoogle Scholar
  10. 10.
    Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and Ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33167-1_42 CrossRefGoogle Scholar
  11. 11.
    Yang, Z., Lai, J.: New constructions for (multiparty) one-round key exchange with strong security. Sci. China Inf. Sci. 61(5), 059102 (2018)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Elgamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)MathSciNetCrossRefMATHGoogle Scholar
  14. 14.
    Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36362-7_17 CrossRefGoogle Scholar
  15. 15.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-30057-8_28 CrossRefGoogle Scholar
  16. 16.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: ASIACCS 2013, pp. 83–94. ACM Press (2013)Google Scholar
  17. 17.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32009-5_17 CrossRefGoogle Scholar
  18. 18.
    Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005).  https://doi.org/10.1007/11535218_33 CrossRefGoogle Scholar
  19. 19.
    Kurosawa, K., Furukawa, J.: 2-pass key exchange protocols from CPA-secure KEM. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 385–401. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-04852-9_20 CrossRefGoogle Scholar
  20. 20.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-75670-5_1 CrossRefGoogle Scholar
  21. 21.
    Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 37–54. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78524-8_3 CrossRefGoogle Scholar
  22. 22.
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-71039-4_4 CrossRefGoogle Scholar
  23. 23.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1 CrossRefGoogle Scholar
  24. 24.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_3 CrossRefGoogle Scholar
  25. 25.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: FOCS 2004, pp. 372–381, October 2004Google Scholar
  26. 26.
    Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_41 CrossRefGoogle Scholar
  27. 27.
    Rückert, M.: Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 182–200. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-12929-2_14 CrossRefGoogle Scholar
  28. 28.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11659-4_12 Google Scholar
  29. 29.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: ACM STOC 2005, pp. 84–93. ACM Press (2005)Google Scholar
  30. 30.
    Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_24 Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of HelsinkiHelsinkiFinland
  2. 2.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  3. 3.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina
  4. 4.School of Computer Science and EngineeringChongqing University of TechnologyChongqingChina

Personalised recommendations