Abstract

We first propose an authenticated key exchange (AKE) from the LWE problem. The AKE is simple since it does not involve any other cryptographic primitive to achieve authentication and depends solely on the LWE problem, whose hardness rests on worst-case lattice problems (e.g., SVP and SIVP). We prove its security under the BR model; the proof captures wPFS, which may be appealing in specific applications.

1. Introduction

Authenticated key exchange (AKE) is a cryptographic tool for establishing secure communication channels that provide secrecy and authenticity for both communicating parties. AKE not only allows the parties to compute, from the information they hold, a session key that is unknown to anybody except the parties themselves, but also ensures the authenticity of the communicating parties, so that an adversary cannot impersonate one party in the conversation.

In an AKE, each party has a static public key, which is derived from its static secret key and bound to the party's identity (for example, by a certificate). The parties use ephemeral secret keys to generate ephemeral public keys and compute a session state from their static public/secret keys, the ephemeral public/secret keys, and the transcript of the session. They then obtain a session key from these values using a key derivation function.

The session key is what guarantees data integrity and confidentiality, so a security notion for AKE is needed. Bellare and Rogaway [1] first provided the BR security model for AKE, which is based on indistinguishability; the BR95 [2] and BPR2000 [3] models are extensions of the BR93 model. Although the BR model captures key authentication (i.e., confidentiality of session keys) and basic security requirements such as known-key security and impersonation resilience, it does not capture the more complex scenarios in which a party's static secret key or session state is revealed. Accordingly, Canetti and Krawczyk [4] defined the Canetti-Krawczyk (CK) model, which captures the leakage of static secret keys and session state. The CK model still does not capture stronger requirements such as resistance to key compromise impersonation (KCI) and perfect forward secrecy (PFS), which guarantees that an adversary cannot obtain the session key of a completed session even if the static private keys of the parties are subsequently revealed. To address these, Krawczyk [5] proposed the HMQV protocol in the CK+ model (which is stronger than the CK model [6]) and showed that no 2-pass implicitly authenticated AKE achieves full PFS. As an alternative he introduced weak perfect forward secrecy (wPFS), which guarantees security only for sessions in which the adversary was not actively involved; that is, wPFS states that the session key of a completed session remains private if the static keys are revealed afterwards [5]. Modifying the CK+ model, LaMacchia et al. [7] and Sarr et al. [8] proposed the eCK model (which is not strictly stronger than the CK model) and the seCK model, respectively. This paper only shows AKE security under the BR model [1].

In the past three decades, a large number of AKEs based on number-theoretic problems have appeared [9, 10]. With the rapid development of computing technology, in particular quantum information technology, quantum computers pose a serious threat to protocols based on classical number-theoretic problems: the quantum polynomial-time algorithm [11] for factorization and the discrete logarithm problem breaks these traditional cryptosystems. Researchers have therefore turned to quantum-resistant cryptographic primitives, and lattice-based cryptosystems are one of the leading post-quantum candidates.

To date, many lattice-based cryptosystems exist [12–16], because lattice-based constructions admit strong security proofs based on worst-case hardness assumptions, resist known quantum attacks, and can be implemented efficiently. Moreover, most lattice-based cryptographic constructions [12, 15, 16] are based directly on one of two average-case problems that have been shown to enjoy worst-case hardness guarantees: the Small Integer Solution (SIS) problem [12, 15] and the (Ring-) Learning with Errors (LWE) problem [13, 14, 16].

As mentioned above, in view of the security guarantee against quantum adversaries, a great number of lattice-based cryptosystems [12–19] have been proposed. Cryptographers have in particular put effort into constructing key exchanges (KEs) and AKEs from the (Ring-) LWE problem: for example, the lattice-based KE of [20], which is only secure against passive adversaries but was a big step towards a post-quantum KE, an NTRU-KE based on Ring-LWE [21], and further lattice KEs [22–25]. However, only a few results on lattice-based AKEs are known [17–19, 24, 26, 27]. Moreover, Ding et al. presented an attack exploiting leakage of the signal function [28] against the RLWE-based KE [20], and Gong and Zhao presented a small field attack (SFA) [29] on the one-pass protocol [24]. Motivated by post-quantum security, this paper focuses on the construction of a lattice-based AKE from the LWE problem [13, 14]. Our basic AKE is simple and comes with a rigorous proof of security based on the LWE problem under the BR model. The AKE is simple since it does not involve any other cryptographic primitive to achieve authentication and depends solely on hard lattice problems in the worst case (e.g., SVP and SIVP). We prove its AKE security with wPFS under the BR model.

Ding et al. [28] showed that the KE based on the RLWE problem could be broken by analyzing the number of signal changes of each coefficient; this attack requires a party to reuse the same secret across many sessions while the adversary observes the resulting signal bits. Ding and Lin [20] used the signal function to construct a KE from (Ring-) LWE. In principle, the KE from plain LWE [20] could be broken by the same signal-leakage attack [28], since the (Ring-) LWE KE of [20] only involves matrix-vector multiplication over a finite field. Hence our proposed lattice-based AKE from the LWE problem could suffer from the same attack if static keys are reused and signals are exposed; we do not study this here. Gong and Zhao exploited an SFA (using a property of the CRT basis of , i.e., Proposition 5 in [29]) against the one-pass AKE [24], although the SFA may not violate the security of that one-pass AKE. Notice that the SFA [29] applies only to a special case of the original Ring-LWE problem [16], which suffices for [24]. A similar SFA (with the help of some further properties) might exist against our proposed AKE, as future attacks can never be ruled out for any cryptosystem. We also do not know whether an SFA can be applied to the LWE problem, since the Ring-LWE problem is a special case of the LWE problem [13, 14]; for example, the cyclotomic polynomial [30] that is essential for the SFA [29] applies only to polynomial rings. We leave these as open problems. Our AKE may also achieve AKE security and resist some advanced attacks under the CK, CK+, or eCK model, but we leave this as future work.

This paper is organized as follows. Section 2 contains definitions and properties related to lattices. In Section 3, we construct a lattice-based AKE from the LWE problem. Section 4 proves its AKE security under the BR model. Section 5 gives a comparison. The conclusion is in Section 6. The BR model is given in the appendix.

2. Preliminaries

Notations. Assume that is the main security parameter. Let the notations be as defined in [13, 14]. Let be a discrete subset of . The Gaussian function on centered at with any positive is , . Let be the discrete integral of over and the discrete Gaussian distribution over with center and parameter . Concretely, for , , define ; if , then and are shorthand for and , respectively.

Regev proposed the Learning with Errors (LWE) problem [13].

For integers and , . Let be the distribution on obtained by choosing a vector uniformly at random and a noise term , and outputting .

The LWE problem is as follows: for a uniformly random secret , given a number of samples that are either drawn from or uniformly random in , output if the former holds and if the latter holds.

The decision LWE problem is at least as hard as approximating several problems on -dimensional lattices in the worst case within factors using a quantum computer [13], if , . Brakerski et al. [31, 32] showed that the LWE assumption still holds if for and , but security loses a factor . The HNF-LWE assumption [32] states that the HNF-LWE problem remains hard if the secret is drawn from the error distribution; for example, .

Formally, a random noise vector with a Gaussian distribution is used to prove that certain lattice problems are in coNP [33]. Lemma 1 [33] gives a norm bound for the discrete Gaussian distribution.

Lemma 1 (see [33]). For any -dimensional lattice , a vector , and reals , , we have

Signal Functions [20]. We recall the signal function of [20]. For a prime , given , define as the signal function on : it is 0 if and 1 otherwise, as follows.

For simplicity, and where it is required in some places, set for any belonging to .

We define the modular function from , where .

The modular function was shown in [20] to be a robust extractor with respect to the signal function; this is what guarantees the correctness of our protocol.

Lemma 2 (see [20]). Let be an odd integer; the function defined above is a robust extractor with respect to with error tolerance .

Lemma 3 (see [20]). For any odd , if is uniformly random in , then is uniformly random conditioned on .

Lemma 4 (see [24]). Let be the security parameter and odd prime . For any and , the output distribution of conditioned on , where the probability is taken over the uniform and independent choice of .

3. One AKE from the LWE Problem

Let and be integers, , and a prime. For the same integer , let be a key derivation function (KDF), modeled as a random oracle.

Sample a uniformly random matrix . Let and be the static public key and static private key of Alice , where . Let and be the static public key and static private key of Bob , where . Assume that the protocol runs between Alice and Bob.

Setup. Alice randomly chooses , computes , and sends to Bob.

Response. Upon receiving from Alice, Bob randomly chooses , computes , , and , and sends to Alice. Bob then computes and derives .

Completion. Upon obtaining , Alice computes , , , and .

Correctness. If Alice and Bob run the protocol honestly, they share the same session key. To show the correctness of our AKE, it suffices to show that . Both and are output by with the same second input . By Lemma 2, it therefore suffices to show that and are sufficiently close.

If , then with overwhelming probability.

Proof. From the form of , we obtain

By Lemma 1, we have

with overwhelming probability. This shows that and are sufficiently close.
By Lemma 2, since is a robust extractor with respect to with error tolerance , we have

Further, we show that

This is because and .
Hence, we have

Parameter Selection. We select the same parameters as in [20]: . It is easy to verify that and that correctness holds.
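The following Python is added here as a worked example; it is not code from this paper or from [20]. It implements the signal function and the modular function as understood from [20] (centered representatives in [-(q-1)/2, (q-1)/2], hint 0 on the central interval [-floor(q/4), floor(q/4)], and a robust-extractor guarantee that needs the two parties' values to differ by an even amount of size at most q/4 - 2), checks that guarantee exhaustively for small moduli, which is the property behind Lemma 2 and the correctness argument above, measures the output bias behind Lemma 3, and runs one unauthenticated Ding-Lin style exchange round so that the error bound from the correctness proof can be seen concretely. The modulus 12289, dimension 128, noise bound 2 and the uniform small-noise sampler are illustrative assumptions rather than this paper's parameters, and the exchange carries no static keys, so it demonstrates the reconciliation mechanism inside the AKE, not the AKE itself.

```python
"""Added worked example (not code from the paper or from [20]): the signal function
Sig and the modular function Mod2 of Ding et al. [20] as understood here, an
exhaustive check of the robust-extractor property behind Lemma 2 and the
correctness argument of Section 3, and one unauthenticated LWE exchange round
showing why the two parties' values land within the error tolerance. The
modulus, dimension and noise bound are illustrative choices, not the paper's."""
import random


def center(x, q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2] (q odd)."""
    h = (q - 1) // 2
    return (x + h) % q - h


def sig(w, q):
    """Signal (hint) bit: 0 if w lies in E = [-floor(q/4), floor(q/4)], 1 otherwise."""
    return 0 if abs(center(w, q)) <= q // 4 else 1


def mod2(v, s, q):
    """Mod2(v, s) = (v + s*(q-1)/2 mod q) mod 2, taken on centered representatives."""
    return center(v + s * ((q - 1) // 2), q) % 2


def robust_extractor_holds(q):
    """Lemma 2 check, exhaustively over Z_q (q odd): whenever v - w is even and
    |v - w| <= q/4 - 2, Mod2(v, Sig(w)) == Mod2(w, Sig(w))."""
    tol = q // 4 - 2
    start = -(tol - tol % 2)          # largest even magnitude within the tolerance
    for w in range(q):
        s = sig(w, q)
        for e in range(start, tol + 1, 2):   # even offsets only
            if mod2(w + e, s, q) != mod2(w, s, q):
                return False
    return True


def mod2_bias(q):
    """Lemma 3 check: for v uniform in Z_q, count Mod2(v, Sig(v)) = 0 vs 1 within
    each hint value; returns the largest |#zeros - #ones| over the two hints."""
    counts = {0: [0, 0], 1: [0, 0]}
    for v in range(q):
        s = sig(v, q)
        counts[s][mod2(v, s, q)] += 1
    return max(abs(c[0] - c[1]) for c in counts.values())


def small_vec(n, bound, rng):
    """Illustrative 'small' secret/noise vector: entries uniform in [-bound, bound]
    (an assumption standing in for the discrete Gaussian of the paper)."""
    return [rng.randint(-bound, bound) for _ in range(n)]


def matvec(M, v, q):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def lwe_exchange(n=128, q=12289, bound=2, seed=0):
    """One Ding-Lin style exchange round (unauthenticated, no static keys).
    Errors are scaled by 2 so that k_A - k_B is even, as the extractor needs."""
    rng = random.Random(seed)
    M = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]   # public matrix
    MT = [list(col) for col in zip(*M)]
    sA, eA, gA = small_vec(n, bound, rng), small_vec(n, bound, rng), rng.randint(-bound, bound)
    sB, eB, gB = small_vec(n, bound, rng), small_vec(n, bound, rng), rng.randint(-bound, bound)
    # Alice -> Bob: p_A = M s_A + 2 e_A ; Bob -> Alice: p_B = M^T s_B + 2 e_B (both LWE tuples)
    pA = [(x + 2 * e) % q for x, e in zip(matvec(M, sA, q), eA)]
    pB = [(x + 2 * e) % q for x, e in zip(matvec(MT, sB, q), eB)]
    # k_A = s_A^T p_B + 2 g_A and k_B = p_A^T s_B + 2 g_B share the term s_A^T M^T s_B;
    # their difference 2(s_A^T e_B - e_A^T s_B + g_A - g_B) is even and bounded by
    # 2(2 n bound^2 + 2 bound) = 2056 < q/4 - 2 for the defaults, so the bits agree.
    kA = (sum(a * b for a, b in zip(sA, pB)) + 2 * gA) % q
    kB = (sum(a * b for a, b in zip(pA, sB)) + 2 * gB) % q
    hint = sig(kB, q)                 # Bob sends the signal of his value
    diff = abs(center(kA - kB, q))
    return {"bit_A": mod2(kA, hint, q), "bit_B": mod2(kB, hint, q),
            "diff": diff, "tolerance": q / 4 - 2}


if __name__ == "__main__":
    print("Lemma 2 property holds for q = 101:", robust_extractor_holds(101))
    print("Lemma 3 max parity bias for q = 101:", mod2_bias(101))
    print(lwe_exchange())
```

Running the module prints the two checks and one exchange round. The exhaustive check is affordable only for small moduli; for the working modulus the bound 2(2n·bound² + 2·bound) = 2056 < q/4 - 2 already guarantees agreement, which is the same shape of argument the correctness proof makes with Lemma 1 in place of the crude worst-case bound. The one-value parity bias reported by `mod2_bias` is inherent to an odd central interval and is what the paper's "statistically close" wording accounts for.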

4. Security

In our AKE, the matrix is public and every static public key is an LWE tuple with Gaussian parameter . Thus, a static public key is computationally indistinguishable from a random element of under the LWE assumption. Analogously, and are computationally indistinguishable from random elements of under the LWE assumption with Gaussian parameter .

To show the randomness of the session key, it suffices to take Bob's side as an example. If is random over , then is statistically close to even conditioned on , by Lemmas 2 and 3. Since is a random oracle, is uniform over . It remains to check the randomness of :

The randomness of must rest on the hardness of the (decisional) LWE problem, since are LWE instances and hence and are indistinguishable from random elements of under the LWE assumption with Gaussian parameter . More precisely, we show that is statistically close to a real LWE instance when the secret and the error are sampled from . Since and are random over , is random over ; that is, is statistically close to a real LWE instance.

Formally, let be the maximum number of parties and the maximum number of sessions per party. We give the security proof separately for the initiator and the responder.

4.1. Security for the Initiator

In this subsection, AKE security is proved for the case in which the initiator owns the test session. Let be the test session chosen by the adversary . We consider two types of adversaries.

Type One: is output by a session activated at by a .

Type Two: is not output by any session activated at by a .

To capture wPFS, the adversary is allowed to obtain the static secret keys of parties and by corrupting them (a Type Two adversary, however, is not allowed to corrupt either or ).

4.1.1. Security against Type One Adversary

First, AKE security is proved against any PPT Type One adversary .

Theorem 5. If is hard, the proposed AKE is secure for any PPT Type One adversary under the BR model.

Proof. The security analysis proceeds through a sequence of games for . It starts with the real security game between an adversary and a simulator , which models the indistinguishability of the fresh session key. Let denote the difference between each game and the next. Let be the event that outputs a guess in ; then .
Game . This is the original game, in which all messages are generated honestly. In Game , randomly selects and and hopes that the adversary will choose as the test session, where is output by the th session of party and is output by the th session of party activated by . selects at random, honestly generates static public keys for all parties by randomly choosing , and simulates the attack environment for . Specifically, keeps one table for the random oracle and responds to the queries of as follows.
(i) queries: if there is no tuple in , randomly select an element and add to the list. Finally, return to .
(ii) : initiates a new session of with intended partner , randomly selects , and sends to on behalf of Alice .
(iii) : randomly selects and computes , , and according to the protocol. Finally, send to on behalf of Bob.
(iv) : computes using according to the protocol.
(v) SessionKeyReveal(sid): let ; returns if the session key of has been produced.
(vi) : return Alice's static secret key to .
(vii) Test(sid): let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects and . If , returns ; else it returns the real session key of .
Analysis of . In this game, selects and at random, independently of the view of . Hence, the probability that does not stop in is at least .
. first computes , where randomly. Then, it acts almost the same as in except for the case below.
(i) . If , or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Then computes : Finally, it honestly computes according to the protocol and sends to .
Analysis of . Since is an LWE tuple with random , it is computationally indistinguishable from the uniform distribution over ; thus the probability that guesses the correct before is negligible. Since and , we have
By Lemma 1, the norm of each entry of both and is at most ; thus both and have distributions negligibly close to . This implies that the distribution of in is statistically close to that in . Thus, under the assumption, we have .
. computes , where it randomly selects . Then it acts almost the same as in apart from the following cases.
(i) . If , or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Finally, it sends to .
(ii) . If or it is not the th session of , responds to the query as in . Otherwise, if is output by the th session of party , let be the session key of session and set . Else, computes . Finally, it honestly computes according to the protocol.
Analysis of . The proof that the distribution of is statistically close to that in is the same as in the Analysis of ; as a result, the probability that stops in is negligibly close to that in . Under the assumption, we have .
. randomly chooses and acts almost the same as in apart from the following case.
(i) . If , or it is not the th session of party , or is output by the th session of party , acts the same as in . Else, it randomly selects as the session key.
We discuss the difference between and . The real session key in is replaced by a randomly chosen one in , where () is output by the th session of party . The adversary cannot notice the difference unless it queries on exactly , since is a random oracle. For convenience, denote by the event that in queries on for the th session of , when () is output by the th session of , where .
Analysis of . Since is a random oracle, the event is independent from the distribution of . Namely, no matter whether or not obtains , is identical, which is suitable for . Especially, under the LWE assumption, the public information in and is computationally indistinguishable, so that . In addition, if does not happen, the distribution of is identical in and . Namely, .
. randomly selects and acts almost the same as in except for the following case.
(i) . If or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . then randomly chooses and computes according to the protocol. If has already queried , stops the simulation. Else, it randomly selects and sets . Finally, it returns to .
Analysis of . Let be two challenge LWE tuples with error distribution (scaled by multiplying by ). If there exists an adversary that distinguishes from , then there exists a distinguisher that solves the LWE problem. In particular, first sets ; then it acts identically to except in the following cases.
(i) . If or it is not the th session of , responds to queries as in . Otherwise, it randomly selects and computes . Then sets , computes according to the protocol, and stops if made a query . Otherwise, it sets with a randomly chosen . At last, it returns to .
If are LWE tuples for some secret , is in ; else it is in . Thus, under the assumption, and are computationally indistinguishable. In particular,
Next, we analyze . Let be output by the th session of and be the message that completes the test session (i.e., the th session of party ). In , is selected uniformly at random from , independently of both the public keys and the transcripts (except for ). This still holds even if the adversary uses a session key reveal query to obtain , since is randomly chosen and is a random oracle. Let be the element computed by ; according to the protocol, and are sufficiently close, that is, for some short . Since both the public keys and the transcripts (except for ) are random and independent of , is also independent of in the adversary's view. Since , is also statistically close to by Lemma 4. Hence, the probability that the adversary queries is at most . Thus, .
Let be output by the th session of party and be the message that completes the test session (i.e., the th session of party ). We consider two cases.
(ii) . In this case, , where . Since in is chosen uniformly at random from , is statistically close to uniform over from the adversary's point of view, by Lemma 4. Thus the probability that has queried on is less than .
(iii) . By the assumption that does not happen, never queries on .
In short, the probability that has queried on is negligible. If the adversary does not query on exactly, then 's distribution is uniform over from the adversary's point of view, since is a random oracle. Thus, .
In summary, by the Analyses of and , we get . By the Analyses of and , we have
By the law of total probability,
Thus
Combining this with , we obtain
This finishes the proof.

4.1.2. Type Two Adversary

We now prove that our AKE is secure against any PPT Type Two adversary .

Theorem 6. If is hard, the proposed AKE is secure against any PPT Type Two adversary under the BR model.

Proof. It proceeds by a sequence of games , .
. This initial game corresponds to the real attack game, in which all honest players execute the protocol. randomly selects , , and hopes that the adversary will select as the test session, where is output by the th session of party with intended partner (note that has no matching session for a Type Two adversary). Then, randomly selects , produces static public keys for all parties (by randomly choosing ), and simulates the security game for . In particular, keeps one table for the random oracle and responds to the queries from as follows.
(i) queries: if there is no tuple in the list, randomly select and add to the list. Then, send to .
(ii) : initiates one session of with intended partner , randomly selects , and returns to on behalf of Alice .
(iii) : randomly selects and computes , , and according to the protocol. Then, send to on behalf of Bob.
(iv) : computes using according to the protocol.
(v) SessionKeyReveal(sid): let ; returns once the session key of has been produced.
(vi) : return Alice's static secret key to .
(vii) Test(sid): let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects and . If , returns ; else it returns the real session key of .
Analysis of . In this game, randomly selects and independently of 's view. Thus, the probability that does not stop in is at least .
. acts identically to except in the following cases.
(i) . If , responds to queries as in . Otherwise, computes , where . Then, it randomly selects , computes , and sends to .
(ii) . If , responds to queries as in . Otherwise, computes , where . Then, it randomly selects and computes . also computes :
Finally, it honestly computes following the protocol and sends to .
(iii) . If , responds to queries as in . Else, let for ; computes . Finally, computes according to the protocol.
Analysis of . Let be the event that outputs a guess in . Similarly to the Analysis of , under the assumption we have .
. acts almost identically to , except that it replaces 's public key with a uniformly chosen .
Analysis of . The only difference between and is that replaces in with a uniformly random element of in ; thus an adversary that distinguishes from solves the problem. Hence, if is hard, then .
. first computes , where it randomly chooses . Then it acts identically to except in the following cases.
(i) . If , or it is not the th session of , responds to queries as in . Else, randomly selects and computes . Finally, returns to .
(ii) . If or it is not the th session of , responds to the query as in . Otherwise, computes , where . Finally, it computes according to the protocol.
Analysis of . Similarly to the Analysis of , under the assumption we have .
. first computes , where . Then it computes (or sets ), where . Finally, it acts identically to except in the following cases.
(i) . If , or it is not the th session of party , responds to queries as in . Else, computes At last, it computes according to the protocol.
Analysis of . In , we have
where . By Lemma 2, the distribution of is statistically close to , and the distribution of is statistically close to . Thus, if is hard, we get .
. acts identically to except in the following cases.
(i) . If or it is not the th session of , responds to queries as in . Otherwise, it randomly selects and computes according to the protocol.
Analysis of . The only difference between and is that replaces the real in with a randomly chosen in . Since is a random oracle, this difference does not affect 's view unless it queries on the value derived from . Formally, denote by the event that queries on derived from , for .
We now prove that if is hard, then
Because is a random oracle, is independent of 's distribution: whether or not obtains , is identical, and so is . Besides, if does not happen for , then is identical to in the adversary's view. In particular, 's distribution is uniform over ; namely, the advantage in guessing is negligible if does not happen. This finishes the proof.
If , this completes the proof, but that is not easy to show directly. Although is random in the adversary's view under the LWE assumption, we cannot conclude that is random, since is related to . We now show that is random. If we randomly choose another and obtain
we have . That is, . Hence, if the adversary can distinguish (and ) from a uniformly chosen one, it can distinguish (which is computationally random under the LWE assumption) from a random element of .
Actually, happens with negligible probability according to Lemma 1. Let be the test session. Since is a Type Two adversary, that is, is not output by any session activated at by a , given in , denote (which is the same as in ), where . By our assumption, queries on derived from with probability at least .
Now, fixing , which are all chosen by and independent of the adversary's actions, sets by randomly choosing and sets . By Lemma 1, uses to complete the test session and queries on derived from with probability at least . Denote by the event that, for in , queries in both of 's runs, where is derived from in the first run and from in the second run. In particular, .
. randomly chooses and acts identically to .
Analysis of . Since the only difference between and is that replaces and with randomly chosen elements of , an adversary that distinguishes from solves the problem. Hence, under the assumption, is computationally indistinguishable from . In particular, we get
Besides, we get . Actually, in , does not really compute and (it cannot compute these values, since is randomly chosen from and is randomly chosen from ). Take and (i.e., the values determined before) as 's target values. In particular holds, since cannot efficiently distinguish from as noted above. Since is uniformly distributed over and independent of 's view (so it is independent of and ), is statistically close to uniform over even when conditioned on , by Lemma 4 ( is invertible in with overwhelming probability). Thus, the probability that queries on is at most , that is, , which is negligible in . Hence .
In summary, by the Analysis of we have , which implies by the condition that . Combining this with the Analysis of , we obtain . A simple computation shows that . The proof is completed.

4.2. Security for the Responder

Now we prove security when the responder is the owner of the test session. Let be the test session; we consider three types of adversaries.

: is not output by any session of activated by a .

: is output by a session of activated by a , but never completes the session, or it completes it with exact .

: is output by a session of activated by a , but completes the session with another .

, and give a complete partition of all adversaries that choose as the test session. Note that if the adversary is a or adversary, the test session has no matching session. To address wPFS in our security proof, the adversary is allowed to obtain the static secret keys of parties and by corrupting both parties (a or adversary is not allowed to corrupt party or ).

4.2.1. Type Three

Here we prove AKE security against any PPT adversary .

Theorem 7. If is hard, the proposed AKE is secure against any PPT adversary under the BR model.

Proof. We prove the theorem by a series of games for .
. randomly selects and and hopes that the adversary will select as the test session, where is output by the th session of party activated by for some party . Then, randomly selects , honestly generates static public keys for all parties (by randomly choosing ), and simulates the security game for . In particular, keeps one table for the random oracle and responds to the queries from as follows.
(i) queries: if there is no tuple in , randomly select an element and add to the list. Then send to .
(ii) : initiates a new session of with intended partner , randomly selects , and sends to on behalf of Alice .
(iii) : randomly selects and computes , , and according to the protocol. Finally, send to on behalf of Bob.
(iv) : computes using according to the protocol.
(v) SessionKeyReveal(sid): let ; returns once the session key of has been generated.
(vi) : return the static secret key of Alice to .
(vii) Test(sid): let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects and . If , returns ; else it returns the real session key of .
Analysis of . In this game, chooses and at random, independently of 's view. Thus, the probability that does not abort in is at least .
. acts identically to except in the following cases.
(i) . If , responds to queries as in . Else, computes , where . Then, it randomly selects , computes , and sends to .
(ii) . If , responds to the query as in . Otherwise, computes , where . Then, randomly selects and computes and :
Finally, it computes according to the protocol and sends to .
(iii) . If , responds to the query as in . Else, it randomly chooses and lets for ; computes . Finally, computes according to the protocol.
Analysis of . Let be the event that outputs a guess in , . Similarly to the Analysis of , under the assumption we have .
. acts identically to , except that it replaces the public key of party with a uniformly chosen .
Analysis of . Similarly to the Analysis of or , under the assumption we have .
. first computes , where it randomly chooses . Then it acts identically to except in the following cases.
(i) . If , or it is not the th session of , responds to the query as in . Else, randomly selects and computes and , where . Finally, it computes according to the protocol and returns to .
Analysis of . Similarly to the Analysis of , under the assumption we have .
. first computes , where . Then it computes (or sets ), where . Finally, it acts identically to except in the following cases.
(i) . If , or it is not the th session of party , responds to queries as in . Otherwise, randomly selects , and computes , At last, it computes , according to the protocol and returns to .
Analysis of . Similarly to the Analysis of , under the assumption we have .
. acts identically to except in the following cases.
(i) . If or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Then, it randomly selects and computes as described in the protocol. If has already queried , stops. Otherwise, it randomly selects and sets . Finally, it returns to .
Analysis of . The only difference between and is that replaces the real key in Game with a randomly chosen in Game . Since is a random oracle, this difference cannot affect 's view unless it queries on the value derived from . Denote by the event that queries on derived from , for .
Now, we prove
Because is a random oracle, is independent of 's distribution: whether or not obtains , is identical, and so is . Besides, if does not happen for , then is identical to in the adversary's view. In particular, 's distribution is uniform over ; namely, the advantage in guessing is negligible if does not happen. This completes the proof.
Likewise, let be the test session. Since is a Type Three adversary, that is, is not output by party , given in , denote (which is the same as in ), where . By our assumption, queries on derived from with probability at least .
Now, fixing , which are all chosen by and independent of the adversary's actions, sets by randomly choosing and sets . By Lemma 1, uses in the test session and queries on derived from with probability at least . Denote by the event that, for in , queries in both of 's runs, where is derived from in the first run and from in the second run. In particular, .
. randomly chooses and acts identically to .
Analysis of . On the one hand, the difference between and is that replaces with randomly chosen elements of ; an adversary that distinguishes from solves the problem. Under the assumption, is computationally indistinguishable from . In particular,
On the other hand, in , does not really compute and (it cannot compute them, since is randomly chosen from and is randomly chosen from ). Take and (i.e., the values determined before) as 's target values. In particular holds, since cannot distinguish from as noted above. Since is uniformly distributed over and independent of 's view (so it is independent of and ), is statistically close to uniform over even when conditioned on , by Lemma 4 ( is invertible in with overwhelming probability). Thus, the probability that queries on is at most , that is, , which is negligible in . As a result, .
Generally speaking, by Analysis of , , which implies that by the condition that . Combining this with Analysis of , we get . A simple computation shows that . The proof is completed.

4.2.2. Type Four Adversary

Theorem 8. If is hard, the proposed AKE is secure against any PPT Type Four adversary under the BR model.

Proof. We prove it by a series of games for .
. randomly selects and and hopes that the adversary will select as the test session, where is output by the th session of party and is output by the th session of party activated by . Then, randomly selects , generates static public keys for all parties (by randomly choosing ), and simulates the security game for . In particular, maintains one table for the random oracle and responds to the queries from as follows.
(i) queries: if there is no tuple in , randomly select an element and add to the list. Then send to .
(ii) : initiates a session of with intended partner ; randomly selects and sends to on behalf of Alice .
(iii) : randomly selects and computes , , and according to the protocol. At last, send to on behalf of Bob.
(iv) : computes with according to the protocol.
(v) SessionKeyReveal(sid): let ; return if the session key of has been generated.
(vi) : send the static secret key of Alice to .
(vii) Test(sid): let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects , and . If , returns ; else it returns the real session key of .
Analysis of . In this game, randomly selects and independently of ’s view. Thus, the probability that does not stop in is at least .
Let be the event that outputs a guess in .
. first computes , where . Then, it acts identically as in except for the following cases.
(i) . If , or it is not the th session of , responds to the query as in . Otherwise, randomly selects and computes . Then, also computes . Finally, it honestly computes following the protocol and returns to .
Analysis of . Similar to Analysis of , under assumption, we have . first computes , where . Then, acts identically as in , apart from the following cases.
(i) . If , or it is not the th session of , responds to the query as in . Else, it randomly selects , computes , and sends to .
(ii) . If , or it is not the th session of , responds to queries as in . Otherwise, is output by the th session of party . Let be the session key of session ; sets . Otherwise, it computes . At last, computes according to the protocol.
Analysis of . Similar to Analysis of , under assumption, we have . first randomly selects . Then it acts identically as in except in the following cases.
(i) . If , or it is not the th session of , or is output by the th session of party , answers the query as in . Else, it randomly selects as the session key.
Analysis of . Denote as the event where, in for , makes a query with for the th session of party , when is output by the th session of party but .
Similar to Analysis of , under the assumption, we have . randomly selects and acts almost identically as in except for the following cases.
(i) . If or it is not the th session of , responds to the query as in . Otherwise, randomly chooses and computes . Then randomly selects and computes as described in protocol. If has made a query , stops. Else, it randomly selects and sets . Finally, it sends to .
Analysis of . Similar to Analysis of , under the assumption, and are computationally indistinguishable. In particular, and .
Similar to Analysis of about , under the assumption, we have .
Similar to Analysis of about , we get .
In summary, by Analysis of and , . By Analysis of , . Since , . Combining this with Analysis of and , . This finishes the proof.

4.2.3. Type Five Adversary

Theorem 9. If is hard, the proposed AKE is secure against any PPT Type Five adversary under the BR model.

Proof. We prove the theorem by a series of games for .
Game . randomly selects and , and hopes that the adversary will select as the test session, where is output by the th session of party and is output by the th session of party activated by . Then, randomly selects , honestly generates static public keys for all parties (by randomly choosing ), and simulates the security game for . In particular, maintains one table for the random oracle and responds to queries from as follows.
(i) queries: if there is no tuple in , randomly select an element and add to the list. Then send to .
(ii) : initiates a session of with intended partner ; randomly selects and returns to on behalf of Alice .
(iii) : randomly selects and computes , , and according to the protocol. At last, send to on behalf of Bob.
(iv) : computes by using according to the protocol.
(v) SessionKeyReveal(sid): let ; return if the session key of has been generated.
(vi) : send Alice’s static secret key to .
(vii) Test(sid): let ; if , or and are not output by the th session of and the th session of , respectively, stops. Otherwise, randomly selects , and . If , returns ; else it returns the real session key of .
Analysis of . In this game, randomly selects and independently of ’s view. Thus, the probability that does not stop in is at least .
Game . first computes , where . Then, it acts identically as in except for the following cases.
(i) . If , or it is not the th session of , responds to queries as in . Else, randomly selects and computes , . Finally, it honestly computes according to the protocol and sends to .
Let be the event that outputs a guess in for .
Analysis of . Similar to Analysis of , under the assumption, we have . first computes , where . Then, acts identically as in apart from the following cases.
(i) . If , or it is not the th session of , responds as in . Else, it randomly selects , computes , and sends to .
(ii) . If , or it is not the th session of , responds to queries as in . Otherwise, is output by the th session of party ; let be the session key of session ; sets . Otherwise, it computes . At last, computes according to the protocol.
Analysis of . Similar to Analysis of , under assumption, we have . first randomly chooses . Then it acts identically as in with the following exceptions.
(i) . If , or it is not the th session of , or is output by the th session of party , responds to query as in . Else, it randomly selects as the session key.
Analysis of . Similar to Analysis of , , and , under the assumption, we have . randomly selects and acts identically as in with the following exceptions.
(i) . If or it is not the th session of , responds to the query as in . Otherwise, randomly chooses and computes . Then randomly selects and computes as described in protocol. If has made a query , stops. Otherwise, it randomly selects and sets . At last, it returns to .
Analysis of . Similar to Analysis of , under the assumption, we have .
Similar to Analysis of about , under the assumption, we have . In summary, by Analysis of and , . By Analysis of , . Combining this with Analysis of and , we have . This completes the proof.

5. Comparison of Performance and Security

At present, there are only a handful of results on lattice-based AKE under the BR model. Table 1 compares our protocol with other AKEs in terms of computational complexity and security. For simplicity, denotes the computation method: “” denotes exponentiation, and “0” denotes matrix-vector multiplication rather than exponentiation. stands for the security level; for example, means CCA security with high min-entropy keys [27], and denotes no security level. denotes the security model; for example, [5] denotes the modified CK security model [4], means authenticated and confidential channel establishment [18], and means the random oracle model. × denotes no . denotes the underlying hardness assumption; stands for the gap Diffie-Hellman assumption. denotes quantum attack: means resisting quantum attack, and means suffering quantum attack.

Note that NAXOS [7], CMQV [34], and HMQV [5] rely on exponentiation and achieve AKE security with wPFS under the GDH assumption, which means they are vulnerable to quantum attack even though they are secure in a stronger model. Compared with NAXOS [7], CMQV [34], and HMQV [5], all based on the GDH assumption, our protocol has a clear advantage in computation because it uses only matrix-vector multiplication, in addition to resisting quantum attack. In terms of , [18, 26, 27] achieve , , and security without wPFS, whereas ours achieves security and wPFS without authentication tools under the BR model.

The new protocol has a good balance between computation and security.

6. Conclusion

This paper first proposes an AKE from the LWE problem. The AKE is simple since it does not involve any other cryptographic primitives (e.g., MAC, signature) to achieve authentication and depends solely on the LWE problem in the worst case (e.g., SVP and SIVP [12–14]). Security with wPFS is proved against five kinds of adversaries under the BR model, which might be appealing in specific applications.

This paper also motivates interesting open problems, such as finding an attack on the protocol or converting it into an AKE under the CK model. If our lattice-based AKE is improved, it may achieve CPA and CCA security with wPFS, PFS, KCI, and so on under the CK, eCK, and models. Perhaps there exists an SFA on our protocol. We do not study these here and leave them as future work.

Appendix

BR Model for AKE

This section outlines the BR model; for further details the reader is referred to [1].

Sessions. Assume that is the security parameter and denotes the maximum number of honest parties, each of whom is uniquely identified by an integer in and has a pair of static public/secret keys . An execution of an AKE is called a session or [34], and its matching session is [34]. stands for an AKE protocol.

Adversarial Powers. An adversary is defined as a probabilistic polynomial-time (PPT) Turing machine that controls all communications between parties, including obtaining static secret keys via the oracle queries below. To capture wPFS [5], can corrupt an honest party of a session . In accordance with our security model, the Send query [1, 4, 35] includes , , and .
(i) makes perform the first step of our protocol and create a session with as an initiator. The oracle returns a message to party .
(ii) makes perform the second step of our protocol and use message to create a session with party as a responder. The oracle returns a message to party .
(iii) makes perform the third step of our protocol and send message to party to complete the session intended for the query.
(iv) SessionKeyReveal: the adversary obtains the session key for a session if holds a session key.
(v) : the oracle returns the static secret key of the honest party to .
(vi) : the oracle chooses a bit ; if , receives a uniformly chosen random value and otherwise the actual session key.

The adversary may query the test session only once, and only if that session is fresh [35].

AKE Security. The security of a two-pass AKE protocol is defined via a series of games in which makes any sequence of queries to the oracles above. The game ends when outputs a guess of . The advantage of in attacking is defined as , where wins the game if . Namely, is AKE secure if, for any PPT adversary , is negligible.
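To make the oracle rules above concrete, the following added example (mine, not the paper’s code) replays a constructed log of BR-model queries and reports which freshness rule the Test query breaks. The session-id format, the matching-session rule and the wPFS timing rule (Corrupt is harmless only after the test session completed) are my assumptions, since the appendix defers the freshness definition to [35].

```python
# Added example, not the paper's code: BR-model freshness checker with wPFS.

def matching(sid):
    """Matching session of sid = (A, B, X, Y) is (B, A, X, Y) (assumed sid format)."""
    a, b, x, y = sid
    return (b, a, x, y)

def freshness_violations(queries):
    """Return the BR freshness rules the Test query breaks (empty list = fresh).

    Query tuples: ("SendComplete", sid) once a party has derived its session key,
    ("SessionKeyReveal", sid), ("Corrupt", party) or ("Test", sid).
    """
    completed_at, revealed, corrupted_at, tests = {}, set(), {}, []
    for i, q in enumerate(queries):
        kind, arg = q
        if kind == "SendComplete":
            completed_at.setdefault(arg, i)
        elif kind == "SessionKeyReveal":
            revealed.add(arg)
        elif kind == "Corrupt":
            corrupted_at.setdefault(arg, i)  # earliest Corrupt is what matters
        elif kind == "Test":
            tests.append(arg)
    problems = []
    if len(tests) != 1:
        problems.append("Test must be queried exactly once")
    if not tests:
        return problems
    sid = tests[0]
    done = completed_at.get(sid, float("inf"))
    if sid not in completed_at:
        problems.append("test session has not completed")
    if sid in revealed or matching(sid) in revealed:
        problems.append("session key of test or matching session revealed")
    # wPFS: corrupting a peer is harmless only after the test session completed
    for party in sid[:2]:
        if corrupted_at.get(party, float("inf")) < done:
            problems.append(f"{party} corrupted before the test session completed")
    return problems

# Constructed logs (not from the paper). SID: Alice initiates with Bob.
SID = ("A", "B", "X1", "Y1")
WPFS_LOG = [("SendComplete", SID), ("SendComplete", matching(SID)),
            ("Corrupt", "A"), ("Test", SID)]          # fresh under wPFS
REVEAL_LOG = [("SendComplete", SID), ("SessionKeyReveal", matching(SID)),
              ("Test", SID)]                           # not fresh

if __name__ == "__main__":
    print(freshness_violations(WPFS_LOG), freshness_violations(REVEAL_LOG))
```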

For convenience, stands for Alice and stands for Bob throughout the paper.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (NSFC) (no. 61370194).