#### Abstract

We first propose an authenticated key exchange (AKE) from the LWE problem. The AKE is simple since it does not involve any other cryptographic primitives to achieve authentication and depends on solely the LWE problem in the worst-case (e.g., SVP and SIVP). We give its security under the BR model, which captures wPFS and might be appealing in specific applications.

#### 1. Introduction

Authenticated key exchange (AKE) is one cryptographic tool in establishing secure communication channels which provide secrecy and authenticity for both communication parties. AKE not only allows parties to utilize their known information to compute a session key which is unknown to anybody except for parties, but also ensures authenticity of communication parties, so that an adversary cannot impersonate one party in the conversation.

In an AKE, each party has a* static public key* which is produced by its* static secret key* and certified with a party’s identity through a public key. Communication parties utilize* ephemeral secret keys* to generate* ephemeral public keys* and compute a* session state* from their* static public/secret keys*, the* ephemeral public/secret keys*, and the transcripts of the session. Communication parties then obtain a* session key* from these values using a* key derivation function*.

The* session key* guarantees data integrity and confidentiality, which implies that security notion for AKE should be developed. To handle this case, Bellare and Rogaway [1] first provided BR security model for AKE which was based on indistinguishability. The BR95 [2] and BPR2000 [3] models were extensions to the BR93 model. Although the BR model captured key authentication, for example,* confidentiality* of session keys, and basic security requirement, for example, known key security and impersonation resilience, it cannot grasp more complex scenes if one party’s* static secret key* or* session state* was revealed. Accordingly, Canetti and Krawczyk [4] defined the first Canetti-Krawczyk CK model which grasped the leakage of static secret keys and session state. But it was not resilient to advanced attacks, for example, key compromise impersonation (KCI) and perfect forward secrecy (PFS) which guaranteed an adversary not obtaining the session key after a completed session even if the static private keys of the parties were subsequently revealed. To resist advanced attacks, Krawczyk [5] proposed HMQV protocol in the CK+ model (which was stronger than CK model [6]) and showed that no 2-pass AKE achieved PFS. Alternatively, he presented weak perfect forward secrecy (wPFS) which guaranteed security only for previous sessions without an adversary’s intrusion. Namely, wPFS declared that the session key was still private if the static keys of a completed session were revealed [5]. To modify the CK+ model, LaMacchia et al. [7] and Sarr et al. [8] proposed the eCK model (which was not stronger than the CK model) and the seCK model, respectively. This paper will only show AKE security under the BR model [1].

In the past three decades, there appeared a large number of AKEs based on number-theoretical problems [9, 10]. With the rapid development of computing technology, for example, quantum information technology, quantum computer brought great threat to these protocols based on classic number-theoretical problems. With a quantum computer, quantum polynomial time algorithm [11] for factorization and the discrete logarithm problem had brought challenges for these traditional cryptosystems. Recently, researchers plan to focus on quantum resistant cryptographic primitives. Lattice-based cryptosystem was one potential candidate for postquantum.

To date, there existed a lot of lattice-based cryptosystems [12–16] because lattice-based cryptosystems can capture strong security proof based on worst-case hardness assumption that can resist quantum attack and be implemented efficiently. What is more, most of lattice-based cryptographic constructions [12, 15, 16] were based directly upon one of the two average-case problems that had been shown to enjoy worst-case hardness guarantees: the Small Integer Solution (SIS) problem [12, 15] and the (Ring-) Learning with Errors problem [13, 14, 16].

As mentioned above, in view of the security guarantee against quantum adversaries, there had been a great number of lattice-based cryptosystems [12–19], which offered resilience against quantum computer attack. Cryptographers especially had put effort into constructing various key exchanges (KEs) and AKEs from the (Ring-) LWE problem, for example, lattice-based KE [20] which can only be secure in passive model but made a big step in constructing a post-quantum KE and a NTRU-KE based on Ring-LWE [21], as well as lattice-KEs [22–25]. However, we only know a few of results on lattice-based AKEs [17–19, 24, 26, 27]. What is more, Ding et al. presented an attack with the leakage of the signal function [28] on RLWE based KE [20]. Gong and Zhao presented a small field attack (SFA) [29] on the one-pass protocol [24]. Motivated by post-quantum security, our paper will focus on the construction of a lattice-based AKE based on the LWE problem [13, 14]. Our basic AKE is simple and comes with a rigorous proof of security based on the LWE problem under the BR model. The AKE is simple since it does not involve any other cryptographic primitive to achieve authentication and depends solely on some hard lattice problems in the worst-case (e.g., SVP and SIVP). We prove its AKE security with wPFS under the BR model.

Ding et al. [28] showed that KE based on RLWE problem could be broken by analyzing the number of signal changes of each of the coefficients. Ding and Lin [20] utilized the signal function to construct a KE from (Ring-) LWE. Theoretically, the KE from LWE [20] could be broken by the attack with the leakage of the signal function [28], as the KE from (Ring-) LWE [20] only referred to matrix-vector multiplication in finite field. Hence, our proposed lattice-based AKE from the LWE problem could suffer from the same attack with leakage of signal function [28]; here we do not study it and omit it. Gong and Zhao exploited a SFA (with a property of the CRT basis of , i.e., Proposition 5 in [29]) against one-pass AKE [24] although the SFA may not violate the security of one-pass AKE [24]. Notice that SFA [29] applied only to a special case of the original Ring-LWE problem [16] which sufficed for [24]. Likewise, maybe there exists a similar SFA (with the help of some properties) to break our proposed AKE since every cryptosystem will be broken in the future. And we do not know whether SFA can be applied to the LWE problem since Ring-LWE problem is one special case of the LWE problem [13, 14]. For example, cyclotomic polynomial [30] which was essential for SFA [29] applied only to polynomial ring. We leave them as open problems. Maybe our AKE could capture AKE security and resist some advanced attacks under the CK model, the CK+ model, or the eCK model, but we leave them as future works.

This paper is organized as follows. Section 2 contains definitions and properties related to lattice. In Section 3, we construct a lattice-based AKE based on the LWE problem. Section 4 gives its AKE security under the BR model. Section 5 gives comparison. Conclusion is in Section 6. The BR model is given in appendix.

#### 2. Preliminaries

*Notations*. Assume that is the main security parameter. Let notations be as defined in [13, 14]. Let be a discrete subset of . The* Gaussian function* on centered at with any positive is , . Let be the discrete integral of over and be the* discrete Gaussian distribution* over with center and parameter . Concretely, , , define , If , and are shorted for and , respectively.

Regev proposed the* Learning with Errors (LWE) problem* [13].

For integers and , . Let , be the distribution on obtained by choosing a vector uniformly at random and a noise term , and output .

*The LWE problem* is as follows: for uniformly random , given number of samples that are either from or uniformly random in , output if the former holds and if the latter holds.

The decision LWE problem is at least hard as approximating several problems on -dimensional lattice in the worst-case within factors using a quantum computer [13] if , . Brakerski et al. [31, 32] showed that the LWE assumption still preserved if for and but security loses with a factor. The* HNF-LWE assumption* [32] declared that HNF-LWE problem was still hard if the secret came from the error distribution; for example, .

Formally, a random noise vector with a Gaussian distribution is used to prove that certain lattice problems are in coNP [33]. Lemma 1 [33] gives a norm bound of Gaussian distribution.

Lemma 1 (see [33]). *For any - dimensional lattice , a vector , and reals , , we have*

*Signal Functions [20]*. Define the*signal function*discussed in [20]. For prime , given , , define as the*signal function*in : if and 1 otherwise as follows.For simplicity and requirements in some places, set For any belongs to .

We define* modular function * from where .

*Modular function* was discussed as* robust extractor* [20] and can guarantee the correctness of our protocol.

Lemma 2 (see [20]). *Let be an odd integer; the function defined above is a robust extractor with respect to with error tolerance .*

Lemma 3 (see [20]). *For any odd , if is uniformly random in , then is uniformly random conditioned on .*

Lemma 4 (see [24]). *Let be the security parameter and odd prime . For any and , the output distribution of conditioned on , where the probability is taken over the uniform and independent choice of .*

#### 3. One AKE from the LWE Problem

Let and be integers, , is prime. For the same integer , let be KDF which is modeled as random oracles.

Sample a uniformly random matrix . Let and be the static public key and static private key of Alice , where . Let and be the static public key and static private key of Bob , where . Assume that the protocol works between Alice and Bob.

*Setup*. Alice randomly chooses , computes , and sends to Bob.

*Response*. Upon receiving from Alice, Bob randomly chooses , computes , , and , and sends to Alice. Then, Bob computes and derives .

*Completion*. Upon obtaining , Alice computes , , , and .

*Correctness*. If Alice and Bob run the protocol honestly, they will share the same session key. To show the correctness of our AKE, it is sufficient to show that . and are output by with the same second input . According to Lemma 2, we only show that and are sufficiently close.

If , then with overwhelming probability.

*Proof. *From the form of , we obtain By Lemma 1, we havewith overwhelming probability. That indicates and being sufficiently close.

By Lemma 2, with with respect to with error tolerance , we have Further, we show thatThis is because and .

Hence, we have

*Parameter Selection*. Here select the same parameters as those in [20]: . It is easy to verify that and the correctness holds.

#### 4. Security

In our AKE, the public matrix is public and every* static public key* actually consists of a LWE tuple with Gaussian parameter . Thus, the* static public key* is computationally indistinguishable from a random element in under the LWE assumption. Analogously, and are also computationally indistinguishable from random elements in under the LWE assumption with Gaussian parameter .

To show the randomness of the session key, it is enough to take Bob as an example. Obviously, if is random over , is statistically close to even conditioned on by Lemmas 2 and 3. Note that is a random oracle; thus is uniform over . Now, we check the randomness of :

It is necessary to establish the randomness of on the hardness of the (decisional) LWE problem, since are actually LWE instances, and are random elements in under the LWE assumption with Gaussian parameter . Generally, we will prove that is statistically close to a real LWE instance if the secret and the error are randomly from . Since and are random over , thus is random over . That is, is statistically close to a real LWE instance.

Formally, let be the maximum number of parties and be maximum number of sessions for each party. We separate the security proof for the initiator and responder, respectively.

##### 4.1. Security for the Initiator

In this session, the AKE security for initiator is proved when the initiator is the owner of the test session. Let be the test session chosen by the adversary . Consider two types of adversaries.

*Type One*: is output by a session activated at by a .

*Type Two*: is not output by any session activated at by a .

To capture wPFS, adversary is allowed to obtain the static secret keys of parties and by corrupting and (but* Type Two* adversary is not allowed to corrupt either or ).

###### 4.1.1. Security against Type One Adversary

First, AKE security is proved for any PPT* Type One* adversary .

Theorem 5. *If is hard, the proposed AKE is secure for any PPT Type One adversary under the BR model.*

*Proof. *The security analysis is performed with a sequence of games for . It starts with the real security game, between an adversary and a simulator , that models the indistinguishability of the fresh session key. Use to show the differences between the previous game and its next one. Let be the event that outputs a guess : in , .*Game *. This is the original game where the messages are generated honestly. In Game , randomly selects and , and hopes the adversary will choose as the test session, where is output by th session of party , and is output by th session of party activated by a . selects at random, honestly generates static public keys for all parties by randomly choosing , and simulates the attack environment for . Specifically, keeps one table for random oracle and responds to queries of .(i) queries: if there is no tuple in , it randomly selects an element and adds to list. At last it returns to .(ii): initiates a new session of with intended partner , randomly selects and sends to on behalf of Alice .(iii): randomly selects and computes , , and according to the protocol. Finally, send to on behalf of Bob.(iv): computes by using according to the protocol.(v)*SessionKeyReveal(sid)*: let ; returns if session key of has been produced.(vi): return Alice’s static secret key to .(vii)*Test(sid)*: let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects , and . If , returns ; else it returns the real session key of .*Analysis of *. In this game, randomly selects and independently from the view of . Hence, the probability that will not stop in is at least .

. first computes , where randomly. Then, it acts almost the same as in except for the case below.*(i) *. If , or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Then computes : Finally, it honestly computes according to the protocol and sends to .*Analysis of *. Since is a LWE tuple with randomly , then is computationally indistinguishable from uniform distribution over ; thus the probability that guesses the correct before is negligible. Since , , we have By Lemma 1, the norm of each entry in both and is at most ; thus both and have distribution negligibly close to . This implies that the distribution of in is statistically close to that in . Thus, under the assumption, we have .

. computes , where it randomly selects . Then it acts almost the same as in apart from the following cases.*(i) *. If , or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Finally, it sends to .*(ii) *. If or it is not the th of , responds to the query as in . Otherwise, if is output by the th session of party , let be the session key of session , sets . Else, computes . At last, it honestly computes according to the protocol.*Analysis of *. The proof of the distribution of being statistically close to that in is the same as the proof of* Analysis of *; as a result, the probability that stops in is negligibly close to that of . Under the assumption, we have . randomly chooses and acts almost the same as in apart from the following case.*(i) *. If , or it is not the th session of party , or is output by the th session of party , acts the same as in . Else, it randomly selects as the session key.

We discuss the differences between and . The real session key in is changed to a randomly chosen one in , where () is output by the th session of party . Fortunately, the adversary cannot notice the difference if he does not query with exact , since is a random oracle. To prove it conveniently, denote by the event that in can query with for the th session of , when () is output by the th session of , where .*Analysis of *. Since is a random oracle, the event is independent from the distribution of . Namely, no matter whether or not obtains , is identical, which is suitable for . Especially, under the LWE assumption, the public information in and is computationally indistinguishable, so that . In addition, if does not happen, the distribution of is identical in and . Namely, .

. randomly selects and acts almost the same as in except for the following case.*(i) *. If or it is not the th session of , responds to the query as in . Otherwise, randomly select and compute . randomly choose and compute according to the protocol. If made a query , stops the simulation. Else, it randomly selects and sets . At last, it returns to .*Analysis of *. Let be two challenge LWE tuples with error distribution (scale by multiplying ). Suppose that there exists an adversary that distinguishes and , there must exist a distinguisher that can solve the LWE problem. In particular, first sets ; then it acts identically as in except for cases as follows.*(i) *. If or it is not the th session of , responds to queries as in . Otherwise, it randomly selects and computes . Then sets , computes according to the protocol, and stops if made a query . Otherwise, it sets with a randomly chosen . At last, it returns to .

If are LWE tuples for some secret , is in ; else it is in . Thus, under the assumption, and are computationally indistinguishable. Especially, Next, we analyze Let be output by the th session of and be the information that finishes the test session (e.g., the th session of party ). In , is randomly selected from uniform distribution over which is independent from both public keys and transcripts (except for ). This still holds even if the adversary uses a session key reveal query to obtain , since is randomly chosen and is a random oracle. Let be the element computed by ; according to the protocol, and are sufficiently close; that is, ; for some with short element. Since both public keys and transcripts (expect for ) are random and independent from , is also independent from without the adversary’s view. Since , then is also statistically close to by Lemma 4. Namely, the probability that the adversary query is at most . Thus, .

Let be output by the th session of party and be the message that can finish the test session (e.g., the th session of party ). Consider two cases.*(ii) *. In this case, , where . Since, in , is randomly chosen from the uniform distribution over , then is statistically close to uniform distribution over from the adversary’s point by Lemma 4. Thus the probability that has made query with is less than .*(iii) *. By assumption that does not happen, thus will never make a query with .

In short, the probability that has made a query with is negligible since is a random oracle. If the adversary does not make a query with exactly, s distribution is uniform over in the adversary’s point. Thus, .

In a word, we get by Analysis of and . By Analysis of and , we have By the law of the probability, Thus Combining this with , we obtain This finishes the proof.

###### 4.1.2. Type Two Adversary

We will prove that our AKE is secure against any* PPT Type Two adversary *.

Theorem 6. *If the is hard, the proposed AKE is secure against any PPT Type Two adversary under the BR model.*

*Proof. *It proceeds by a sequences of , .

. This initial game corresponds to the real attack game in which all the honest players execute. randomly selects , , and hopes that the adversary will select as the test session, where is output by the th session of party with intended party (remark that has no matching session for* Type Two adversary*). Then, randomly selects , produces static public keys for all parties (by randomly choosing ), and simulates the security game for . In particular, preserves one table for random oracle and responds to queries from .(i) queries: if there is no tuple in list, randomly select and add to list. Then, send to .(ii): initiates one session of with intended partner , randomly selects and returns to on behalf of Alice .(iii). randomly selects and computes , , and according to the protocol. Then, send to on behalf of Bob.(iv): computes by using according to the protocol.(v)*SessionKeyReveal(sid)*: let ; returns once session key of has been produced.(vi): return Alice’s static secret key to .(vii)*Test(sid)*: let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects and . If , returns ; else it returns the real session of .*Analysis of *. In this game, randomly selects and independently from ’s view. Thus, the probability that will not stop in is at least .

. acts identically as in except for the following case.*(i) *. If , responds to queries as in . Otherwise, computes , where . Then, it randomly selects , computes , and sends to .*(ii) *. If , responds to queries as in . Otherwise, computes , where . Then, it randomly selects and computes . also computes :Finally, it honestly computes following the protocol, and sends to .*(iii) *. If , responds to queries as in Else, let for ; computes . At last, computes according to the protocol.*Analysis of *. Let be the event that outputs a guess in . Similar to* Analysis of *, under assumption, then . acts almost identically as in , except it replaces ’s public key with a uniformly chosen .*Analysis of *. Note that the only difference between and is that replaces in with a randomly chosen over in ; thus an adversary that can distinguish the difference between and could solve the problem. That implies that if is hard, then . first computes , where it randomly chooses . Then it acts identically as in except for such cases as follows.*(i) *. If , or it is not the th session of , responds to queries as in . Else, randomly selects and computes . Finally, returns to .*(ii) *. If or it is not the th of , responds to the query as in . Otherwise, computes , where . Finally, it computes according to the protocol.*Analysis of *. Similar to* Analysis of *, under assumption, we have . first computes , where . Then it computes (or set ), where . Finally, it acts identically as in except for the following cases.*(i) *. If , or it is not the th session of party , responds to queries as in . Else, computes At last, it computes according to the protocol.*Analysis of *. In , we have where . By Lemma 2, the distribution of is statistically close to ; the distribution of is statistically close to . Thus, if is hard, we get . acts identically as in except for the following cases.*(i) *. If or it is not the th session of , responds to queries as in . Otherwise, it randomly selects and computes according to the protocol.*Analysis of *. The only difference between and is that replaces the real in with a randomly chosen in . Since is a random oracle, the only difference will not affect the ’s view until it makes a query with derived from . Formally, denote for as the event that makes a query with derived from .

Now, we prove that if is hard, then Because is a random oracle, is independent from ’s distribution. No matter whether or not gets , is identical; is so. Besides, if for does not happen, is actually identical to in adversary view. In particular, ’s distribution is random and uniform over ; namely, the advantage of guessing is negligible if does not happen. This finishes the proof.

If , this completes the proof. But it is not easy to do so. As a matter of fact, though is random in the adversary’s view under the LWE assumption, we cannot have the fact that is random since is related to . Now we show is random. If we randomly chose another and obtain we have . That is, . Naturally, if the adversary can distinguish (and ) from a uniformly chosen one, it can distinguish (which is computationally under the LWE assumption) from a random chosen from .

Actually, will happen with negligible probability according to Lemma 1. Let be the test session. By assumption that is a adversary, namely, is not output by by a , given , in , denote (which is the same as in ), where . By our assumption, will make a query with derived from with probability at least .

Now, fixing which are all chosen by and are independent from the adversary’s actions, sets by randomly choosing and sets . By Lemma 1, will utilize to finish the test session and makes a query with derived from with probability at least . Denote such that an event for in will make in ’s two runs, where is derived from in ’s first run and is derived from in ’s second run. In particular, .

. randomly chooses