Post-Quantum Secure Password-Authenticated Key Exchange Based on Ouroboros
Password-authenticated key exchange (PAKE) protocols play an important role in cryptography. Most of PAKEs are based on the Diffie–Hellman key exchange protocols or RSA encryption schemes, but their security is threatened by quantum computers. In this study, we propose the first code-based PAKE protocol based on Ouroboros, which is a code-based key exchange protocol. Our scheme enjoys high efficiency and provides mutual explicit authentication, with a security reduction to decoding random quasi-cyclic codes in the random oracle model.
Authenticated key exchange (AKE) allows two communicating entities to establish a common and high-entropy secret session key over an insecure communication network. In general, users need to store some prepared long-time secret keys with high entropy in devices such as smart cards and ID cards. However, the access to hardware devices makes AKE more inconvenient and complex.
To solve this shortcoming, password-authenticated key exchange (PAKE) was proposed since PAKEs only require human-memorable passwords with low entropy, such as six to eight characters. Nowadays, more and more people tend to use handheld devices, and so PAKEs have a wide range of practical applications. Nevertheless, it is difficult to design a secure key exchange protocol based on passwords, because the low entropy of a password makes it vulnerable to dictionary attacks if an adversary can get some password-dependent data. Generally speaking, there are two types of dictionary attacks. The first one is an online dictionary attack. In this attack, an adversary actively participates the execution of a protocol. For example, an adversary runs a protocol with a guessed password and observes whether the protocol succeeds. However, this type of attack is easy to avoid by just allowing an adversary to test at most a constant number of passwords per online interaction. What we need to consider is the another dictionary attack, i.e., offline dictionary attack. In this attack, an adversary can observe the execution of a protocol or interacts with the participants of the protocol. Next, the adversary tests the correctness of a guessed password offline. To avoid this attack, session keys and protocol messages must look computationally independent from passwords to the adversary.
The first PAKE protocol was proposed by Bellovin and Merritt in , which is called the encrypted key exchange (EKE) protocol, but they did not give a formal security proof in the protocol. Since then, a number of PAKE protocols were proposed [2–7]. However, these protocols still have no formal security proof. Until 2000, the formal security models began with the works of Bellare et al.  and Boyko et al. . Canetti et al. introduced the universally composable notion to PAKE security model in 2005 .
With the security model, plenty of protocols have been designed and analyzed. On the one hand, most of PAKEs are designed using the Diffie–Hellman (DH) key exchange protocols [9, 11–15], in which the PAK  and PPK  protocols are two efficient and simple constructions of PAKEs based on the DH key exchange protocol. The PAK protocol is three-pass protocol and provides explicit authentication, and the PPK protocol is two-pass protocol and provides implicit authentication. On the other hand, some PAKEs were designed using RSA encryption schemes [16–19]. In particular, Mackenzie et al. proposed the first RSA-based PAKE protocol with a formal security proof in 2000, which is called SNAPI . In 2004, Zhang showed that SNAPI protocol was not practical and proposed two efficient RSA-based PAKEs .
Since the well-known Shor algorithm was proposed , the security of the DH key exchange protocols and RSA encryption schemes encounters great challenges. Fortunately, lattice-based cryptosystems and code-based cryptosystems are supposed to effectively resist attack on the quantum computers. Based on AKE protocols [21–26], several simple and efficient lattice-based PAKE protocols have been designed [27, 28]. The protocols in  can be regarded as a parallel extension of the PAK and PPK. In the code-based cryptosystem, there are no DH-type key exchange protocols. Nevertheless, Deneuville et al. proposed a secure and efficient code-based key exchange protocol, which is called Ouroboros . The Ouroboros scheme gathers the best properties of the MDPC-McEliece  and the HQC  and has a simple decoding algorithm. The security of the Ouroboros is reduced to decoding random quasi-cyclic codes in the random oracle model. As far as we know, there is no code-based provably secure PAKE scheme.
In this study, we propose the first code-based PAKE protocol based on Ouroboros with formal security proof. The protocol is constructed by using a weight-restricted hash function and enjoys several desired features, including high efficiency, mutual explicit authentication, and quantum resistance, with a security reduction in our scheme to decoding random quasi-cyclic codes in the random oracle model.
The rest of this study is organized as follows. Section 2 introduces notations used throughout the study and gives needed preliminary definitions and propositions. In Section 3, we review the security model. In Section 4, we provide a detailed description of our PAKE protocol. Section 5 gives the formal security analysis of our PAKE protocol. Section 6 provides the efficiency evaluation of our scheme. Finally, Section 7 concludes the study.
In this section, we introduce notations and needed preliminary definitions and propositions throughout the study.
In this study, the ring of integers is denoted by , and a finite field is denoted by with elements, where is a prime number. Additionally, we denote the Hamming weight of a vector by , ., the number of its nonzero coordinates. denotes a vector space of dimension over for some positive . Elements of can be considered as row vectors or polynomials in and represented by lower-case bold letters. The product of two elements is defined similarly as in , ., with
For any finite set , denotes is a uniformly random element sampled from . For an event , denotes the complementary event of .
In particular, we also use the symbol as follows:
2.2. Coding Theory
We now focus on relevant basic definitions and properties relating to coding theory.
Definition 1. (Linear Code). A linear code with length and dimension over is a subspace of .
Definition 2. (Generator Matrix). A generator matrix for a linear code is a matrix whose rows form a basis for , .,
Definition 3. (Parity Check Matrix). A parity check matrix for a linear code is a generator matrix for the dual code , .,
Definition 4. (Quasi-Cyclic Codes ). Given positive integers , , and , a linear code is quasi-cyclic (QC) of order if for any it holds that .
Definition 5. (Systematic Quasi-Cyclic Codes of Rate 1/s). A systematic quasi-cyclic code of order is a quasi-cyclic code with a parity check matrix of the formwhere are circulant matrices.
Next, we define the syndrome decoding (SD) problem over in the Hamming metric.
Definition 6. (SD Distribution). Given positive integers , the SD distribution chooses and and outputs .
Definition 7. (Search SD Problem). Given from the distribution, the search SD problem decides whether there exists , such that .
Definition 8. (Decisional SD Problem) On input , the decisional SD problem DSD needs to decide with nonnegligible advantage whether came from the distribution or the uniform distribution over .
The search SD problem in the Hamming metric has been proved NP complete over binary field in the worst case , and the decisional SD problem has been proved to be polynomially equivalent to its search version .
Then, we describe relevant definitions of quasi-cyclic codes.
Definition 9. (-QCSD Distribution). Given positive integers , the -QCSD distribution chooses and , where , and outputs .
Definition 10. (Search -QCSD Problem). Given positive integers , a random systematic parity check matrix of a quasi-cyclic code, and , the search -QCSD problem decides whether there exists , where , such that .
Definition 11. (Decisional -QCSD Problem). Given positive integers , a random parity check matrix of a systematic quasi-cyclic code and , the decisional -QCSD (-DQCSD) problem asks to decide with nonnegligible advantage whether came from the -QCSD distribution or the uniform distribution over .
2.2.1. The s-QCSD Problem Assumption 
The search -QCSD problem is hard on average. Let be a probabilistic polynomial time adversary. The input of is a random parity check matrix and a vector . The probability of outputting vector with and by is negligible, where
Let , where the maximum is over all adversaries of time complexity at most .
2.3. Weight-Restricted Hash Function
Our PAKE protocol uses a weight-restricted hash function proposed in the RaCoSS scheme. We denote this weight-restricted hash function by . Although the RaCoSS scheme has been broken, is still secure under proper parameters. Before giving the description of weight-restricted hash function, let us first introduce the definition of collision-resistant hash function.
Definition 12. A hash function is called collision-resistant hash function if the probability that any adversary finds two distinct values that satisfies the following condition is negligible:where is a negligible function.
Lemma 1. (see ). Given a collision-resistant hash function , and an encode algorithm , which encode any bit message into bit message with Hamming weight , the function is still a collision-resistant hash function.
We put the weight-restricted hash function in Algorithm 1. Simply speaking, uses a byte string message , two integers and as input. Then, SHA3-512 is used to calculate the position of 1. The output is a -bit string with Hamming weight . According to Lemma 1, is a collision-resistant hash function.
2.4. Ouroboros Scheme
We now recall the Ouroboros scheme from , which is the basic of our PAKE protocol. The Ouroboros scheme uses a function proposed in . Simply speaking, giving the positions of the “1” is enough to obtain random vectors with fixed weight . For more details about this function, we refer the readers to . Besides, the Ouroboros scheme uses a hash function . The decoding algorithm CE decoder is presented in Algorithm 2. In short, it puts , , , threshold value , the weight of and , and the weight of as input. The output of this algorithm is if it succeeds.
The Ouroboros scheme is presented as follows:(a) generates and . Then, she computes . Finally, she sends to Bob.(b) generates and computes . Next, he randomly generates . Then, he computes and . Finally, he sends to Alice and saves the vector as the shared secret.(c) computes when receiving and . Then, she uses the decoding algorithm CE decoder to get and . Finally, she computes the shared secret .
Theorem 1 (see ). The Ouroboros protocol satisfies indistinguishability under chosen plaintext attack (IND-CPA) under the 2- and 3- assumptions.
3. Security Model
This section reviews the formal security model from . Consider the form of a PAKE protocol with two users. Users are expected to establish and use the same keys over the network that is fully controlled by a probabilistic and polynomial time adversary . The adversary can initialize protocol communications between user instances, deliver messages to unintended recipients, and observe their reaction according to the protocol. The adversary can reveal the session keys established by user instances and enumerate all the passwords in the password space in the offline attack. In the following, we perform the formal description of the security model.
3.1. Security Game
Let P be a PAKE protocol and be the fixed set of users. A two-party protocol in PAKE model is considered, and the users in are partitioned to two non-empty entities, called Alice and Bob ( and for short). Before the game starts, for each entity, a password is chosen uniformly at random from password space . A set of efficiently computable cryptographic functions is specified, i.e., hash functions, and the public cryptographic parameters are generated.
3.2. User Instances
During the model, there are an unlimited number of instances running the protocol simultaneously for each user. The instance of user is denoted as . An instance accepts at any time, and the same rule applies to user . When an instance accepts, it possesses a partner id , a session id , and a session key . The is the identity of the user instance that the current instance believes it is talking to. The is a string, which uniquely identifies this session. In general, the is composed of the concatenation of all messages sent and received by the instance (or ). The is the final target to be calculated.
The queries that adversary may make during the game are as follows :(i)Send: the message is send to instance . The instance computes what the protocol specifies and outputs the result to the adversary. We assume whether the instance accepts or not is visible to the adversary.(ii)Execute: an honest execution between two instances and is carried out, where and and were not used before. Finally, the transcript of this execution is given to the adversary.(iii)Reveal: the session key of is returned to the adversary.(iv)Test: this query is valid if and only if the instance is fresh, as defined below. In this case, generates a random bit . If , the real session key is sent to the adversary; otherwise, a random session key chosen uniformly from the space is sent. This query is allowed only once during the game.(v)Oracle: this gives the adversary oracle access to a function , which is selected at random from some probability space.
Now, we give some definitions for the formal security model.
Definition 13. (Partnering). Let and be a pair of instances. and are partnered if both have accepted and have the same unique session id and the same session key .
Definition 14. (Freshness). is fresh if (i) it has accepted, and (ii) an adversary has not queried or , where is ’s partner, if it has.
Definition 15. (Correctness). If and are partnered and both are accepted, then they conclude with the same session key .
Definition 16. Let be the event that adversary asks a single test query on a fresh instance and outputs a bit with at the end of the game. The advantage of the adversary is defined as follows:The following is definition of secure PAKE protocol, which is the same as in .
Definition 17. A protocol P is called a secure PAKE protocol if for every polynomial time adversary that makes at most queries of Send type to different instances, the following inequality holds, , where means the size of the password space and is a negligible function of security parameters.
4. Our PAKE Protocol
In this section, we present an efficient Ouroboros-based PAKE protocol called OPAKE. Our protocol is described in a generic fashion in Figure 1. We use a weight-restricted hash function as mentioned earlier. Hash functions are defined as follows:, , where is a security parameter. Assume that , and are independent random functions. Let be the password space, and be the password that Alice and Bob share. Then, our protocol is shown as follows.
(a) generates and chooses and . Next, she computes . Then, she computes . Finally, she sends to Bob.(b) tests whether . If not, then he rejects the protocol. Otherwise, he generates and computes . Next, he randomly generates . Then, he computes . Finally, he computes and and sends to Alice.(c) computes when receiving and . Then, she uses the decoding algorithm CE decoder to get and . Then, she computes . Finally, she computes and sends to Bob.(d) tests whether is equal to . If not, then he rejects. Otherwise, he accepts and computes and a session key . Finally, he sends to Alice.(e) tests whether is equal to . If not, then she rejects. Otherwise, she accepts and computes a session key .
To show the correctness of our protocol, it is sufficient to show that the material derived from Alice and Bob is the same, ., . Firstly, honest Alice sends reasonable to Bob, and honest Bob uses the correct password to compute . Then, Bob chooses the secret material and encrypts it into the ciphertext . Next, Alice decrypts and gets the same material according to the Ouroboros scheme. Hence, the correctness of our PAKE protocol is verified when the two participants execute the protocol honestly.
5. Formal Security Analysis of OPAKE
This section gives the formal security of OPAKE under the security model defined in Section 3. We prove that an adversary attacking the protocol OPAKE is unable to determine the of a fresh instance with advantage greater than that of an online dictionary attack.
Theorem 2. Let be an adversary, which runs in time , and the adversary’s advantage in attacking the protocol is bounded bywhere denotes the size of the password space, denotes the number of the queries of type oracle, denotes the number of the queries of the random oracle, and denotes the number of queries of type oracle.
To prove this theorem, we present a sequence of hybrid experiments by , and and denote the advantage of when attacking in the experiment by .
Protocol P0: in this protocol, the adversary makes a number of oracle queries in Section 3, ., , and . Besides, the adversary has access to five independent random oracles , and . Each random oracle is simulated by a list of input-output pairs. When receiving a new query input , the oracle checks whether was queried before. If there exists , then the oracle returns the output in the list. Otherwise, the oracle generates a random number and returns it. Then, the oracle adds the new pair to the list.
Protocol P1: this protocol is identical to except that if the oracle Execute is called between two instances and , then the session keys and are set equal to a random number selected from . Now, we prove that change in the oracle affects the advantage of in a negligible value.
Claim 1. For any polynomial time adversary , we havewhere denotes the number of the queries of typeoracle,denotes the number of the queries of random oracle, anddenotes the running time of.
. First, we show that the probability of same random numbers generated in two different Execute oracle queries is very small. In this situation, can distinguish and by making the Reveal query simplify. According to the birthday paradox, it is easy to show that the probability of this situation occurring is bounded by .
Now, we fix an oracle Execute and assume that the random numbers ) and in this oracle call are not used in previous query. Without the knowledge of , the output of is indistinguishable from a random number uniformly selected from . Thus, the adversary can distinguish and if and only if can recover the information of . We denote the probability that recovers the information of by . We give two games and to bound . : the adversary carries an honest execution between instances and :(1) generates and chooses and . Next, queries the random oracle on (). The reply of is denoted by . Then, computes . Finally, sends to .(2) generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and sends to .(3) computes when receiving and . Next, uses the decoding algorithm CE decoder to get . Then, computes . Finally, queries the random oracle on (denoted by ) and sends to .(4)After receiving from , queries the random oracle on (denoted by ). Finally, accepts and sends to .(5)After receiving from , accepts. This game ends and adversary outputs its guess of . : this game is similar to game except that instances and do not query random oracles and :(1) generates and chooses and . Next, queries the random oracle on (). The reply of is denoted by . Then, computes . Finally, sends to .(2) generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and sends to .(3)After receiving and from , sends a random number to .(4)After receiving from , sends a random number to and accepts.(5)After receiving from , accepts. This game ends, and adversary outputs his guess of .We denote the probability that guesses the correct in game by . Let be the event that guesses the correct on oracle or with . Then,Obviously, the probability that guesses the correct is as follows:where means the number of queries to random oracle and . By assuming , we have .
It is easy to see that and are indistinguishable from the random numbers in when is not queried in random oracle and . So, . In the following, we show that . Given a reasonable , finding the correct information such that is a 2-QCSD problem. Besides, given and , we construct an algorithm to solve 3-QCSD problem by running on a simulation of the game . Algorithm runs exactly as except for the change that computes the encryption of message in step (2). If returns the correct , then our algorithm can solve the 3-QCSD problem. Hence,Moreover,Suppose makes queries of at all. We haveThus, the claim is desired.
Protocol P2: this protocol is identical to except that when receives the message generated from , and if and both accept, they are given same random session key . If only accepts, a session key is for , while no session key is for .
Claim 2. For any polynomial time adversary , we getwhere denotes the number of queries of the type Send and denotes the running time of .
. when instance receives the message generated from , the message is sent by and got by the adversary . Since the message was generated by , has no information about the secret private key according to the 2-QCSD problem. The advantage of solving the message from and by the adversary is bounded by . In conclusion, suppose that the adversary makes oracle queries of Send oracle, adversary’s advantage of distinguishing between and is bounded by . Therefore, the claim is desired.
Protocol P3: in this protocol, we assume that instance receives a message generated from instance , while receives a message from . In this situation, both and accept and are given a same random session key if their session key were not replaced with a random key in protocol .
Claim 3. For any polynomial time adversary making queries of oracle to different instances, we obtain
. It is clear that and are perfectly indistinguishable for polynomial time adversary .
Protocol P4: in this protocol, we assume that instance receives a message generated from adversary , or receives a message generated from adversary . In this situation, if or accepts the protocol instance, then the protocol halts and adversary succeeds automatically.
Claim 4. For any polynomial time adversary making queries of oracle to different instances, we have
. It is clear that the modification in improves the probability of winning the protocol for the adversary .
Claim 5. For any polynomial time adversary making queries of oracle, we get
. we consider two cases.
Case 1. Assume that instance receives a message generated from adversary . After receiving the message, instance computes from the message. Then, gets from the query of the random oracle on . Next, returns to the adversary. In this situation, has to generate a , which is equal to the output from random oracle on . One possibility is that guesses the correct with probability since has no knowledge of . Another possibility is that recovers the message of with probability . Obviously, is restricted by two factors. The first factor is that adversary guesses the correct password and gets the right number from the query of the random oracle . The probability of this case is . The second factor is that adversary has to generate the correct form containing and recover the message from . As analyzed before, the probability in this situation is bounded by . We use to denote the number of this kind of queries. Thus, the success probability of in this case is bounded by
Case 2. Assume that instance receives a message generated from adversary . After receiving the message, instance generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and returns to . In this situation, has to generate a , which is equal to the output from random oracle on . Similar to the previous case, one possibility is that guesses the correct with probability since has no knowledge of . Another possibility is that guesses the correct password . We use to denote the number of this kind of queries. Thus, the success probability of in this case is bounded byHence, we getTherefore, we haveBy combining all the claims, we have the advantage for the adversary in the real attack, i.e.,Hence, Theorem 2 is desired.
6. Performance Analysis
In this section, we provide the efficiency evaluation of our scheme. The security parameters we used are adopted from the Ouroboros scheme. The scheme implementation is written in C++. The program has been performed on a computer running Linux. The computer has an Intel Core i7-8750H [email protected] GHz and 4 GB of memory. For each parameter set, the performance of our proposed protocol is shown in Table 1. The results show that the efficiency of our scheme is considerable.
In this study, we propose a new password-authenticated key exchange based on Ouroboros key exchange scheme with formal security proof. Our PAKE scheme enjoys several desired properties, including (1) our scheme has considerable efficiency; (2) our scheme provides mutual explicit authentication; and (3) our scheme is resistant to quantum attacks and an attacker who gets the session key cannot use it to perform an offline dictionary attack. The security of our scheme is reduced to decoding random quasi-cyclic codes in the random oracle model.
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
The work of L.-P. Wang was supported in part by the National Natural Science Foundation of China (Grant No. 61872355) and National Key Research and Development Program of China ( No. 2018YFA0704703) and Mathematical Tianyuan foundation of National Natural Science Foundation of China (Grant No.12026427).
S. M. Bellovin and M. Merritt, “Encrypted key exchange: password-based protocols secure against dictionary attacks,” in Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84, IEEE Computer Society, Oakland, CA, USA, May 4-6, 1992.View at: Google Scholar
S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange:a password-based protocol secure against dictionary attacks and password file compromise,” in Proceedings of the CCS ’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, D. E. Denning, R. Pyle, R. Ganesan, R. S. andhu, and V. Ashby, Eds., pp. 244–250, ACM, Virginia, USA, November 3-5, 1993.View at: Publisher Site | Google Scholar
D. P. Jablon, “Extended password key exchange protocols immune to dictionary attacks,” in Proceedings of the 6th Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises WETICE, pp. 248–255, IEEE Computer Society, June 1997.View at: Google Scholar
T. D. Wu, “The secure remote password protocol,” in Proceedings of the Network and Distributed System Security Symposium, NDSS 1998, The Internet Society, San Diego, California, USA, 1998.View at: Google Scholar
M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, B. Preneel, Ed., pp. 139–155, Springer, Bruges, Belgium, May 14-18, 2000.View at: Publisher Site | Google Scholar
V. Boyko, P. MacKenzie, and S. Patel, “Provably secure password-authenticated key exchange using diffie-hellman,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, B. Preneel, Ed., pp. 156–171, Springer, Bruges, Belgium, May 14-18, 2000.View at: Publisher Site | Google Scholar
R. Canetti, S. Halevi, J. Katz, Y. Lindell, and P. D. MacKenzie, “Universally composable password-based key exchange,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, R. Cramer, Ed., pp. 404–421, Springer, Aarhus, Denmark, May 22-26, 2005.View at: Google Scholar
M. Abdalla, D. Catalano, C. Chevalier, and D. Pointcheval, “Efficient two-party password-based key exchange protocols in the UC framework,” in Proceedings of the Track at the RSA Conference 2008, T. Malkin, Ed., pp. 335–351, Springer, San Francisco, CA, USA, April 8-11, 2008.View at: Google Scholar
M. Abdalla and D. Pointcheval, “Simple password-based encrypted key exchange protocols,” in Proceedings of the Topics in Cryptology - CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, A. Menezes, Ed., pp. 191–208, Springer, San Francisco, CA, USA, February 14-18, 2005.View at: Publisher Site | Google Scholar
E. Bresson, O. Chevassut, and D. Pointcheval, “Security proofs for an efficient password-based key exchange,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, S. Jajodia, V. Atluri, and T. Jaeger, Eds., pp. 241–250, ACM, Washington, DC, USA, October 27-30, 2003.View at: Publisher Site | Google Scholar
E. Bresson, O. Chevassut, and D. Pointcheval, “New security results on encrypted key exchange,” in Proceedings of the Public Key Cryptography - PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, F. Bao, R. H. Deng, and J. Zhou, Eds., pp. 145–158, Springer, Singapore, March 1-4, 2004.View at: Google Scholar
P. Mackenzie, “The pak suite: protocols for password-authenticated key exchange,” IEEE, vol. 2, 2002.View at: Google Scholar
E. Dongna, Q. Cheng, and C. Ma, “Password authenticated key exchange based on RSA in the three-party settings,” in Proceedings of the Provable Security, Third International Conference, ProvSec 2009, J. Pieprzyk and F. Zhang, Eds., pp. 168–182, Springer, Guangzhou, China, November 11-13, 2009.View at: Publisher Site | Google Scholar
P. D. MacKenzie, S. Patel, and R. Swaminathan, “Password-authenticated key exchange based on RSA,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, T. Okamoto, Ed., pp. 599–613, Springer, Kyoto, Japan, December 3-7, 2000.View at: Google Scholar
S. Park, J. Nam, S. Kim, and D. Won, “Efficient password-authenticated key exchange based on RSA,” in Proceedings of the Topics in Cryptology - CT-RSA 2007, The Cryptographers’ Track at the RSA Conference 2007, M. Abe, Ed., pp. 309–323, Springer, San Francisco, CA, USA, February 5-9, 2007.View at: Google Scholar
M. Zhang, “New approaches to password authenticated key exchange based on RSA,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, P. J. Lee, Ed., pp. 230–244, Springer, Jeju Island, Korea, December 5-9, 2004.View at: Google Scholar
J. W. Bos, C. Costello, M. Naehrig, and D. Stebila, “Post-quantum key exchange for the TLS protocol from the ring learning with errors problem,” in Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 553–570, IEEE Computer Society, San Jose, CA, USA, May 17-21, 2015.View at: Publisher Site | Google Scholar
J. Ding, “A simple provably secure key exchange scheme based on the learning with errors problem,” IACR Cryptol. ePrint Arch., p. 688, 2012.View at: Google Scholar
A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama, “Strongly secure authenticated key exchange from factoring, codes, and lattices,” in Proceedings of the Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, M. Fischlin, J. Bushmann, and M. Manulis, Eds., pp. 467–484, Springer, Darmstadt, Germany, May 21-23, 2012.View at: Google Scholar
A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama, “Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism,” in Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’13, K. Chen, Q. Xie, W. Qiu, N. Li, and W. Tzeng, Eds., pp. 83–94, ACM, Hangzhou, China, May 08 - 10, 2013.View at: Publisher Site | Google Scholar
J. Zhang, Z. Zhang, J. Ding, M. Snook, and Ö. Dagdelen, “Authenticated key exchange from ideal lattices,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, E. Oswald and M. Fischlin, Eds., pp. 719–751, Springer, Sofia, Bulgaria, April 26-30, 2015.View at: Publisher Site | Google Scholar
J. Ding, S. Alsayigh, J. Lancrenon, S. Rv, and M. Snook, “Provably secure password authenticated key exchange based on RLWE for the post-quantum world,” in Proceedings of the Topics in Cryptology – CT-RSA 2017, P. H. Handschuh, Ed., pp. 183–204, Springer, San Francisco, CA, USA, February 14-17, 2017.View at: Publisher Site | Google Scholar
X. Gao, J. Ding, J. Liu, and L. Li, “Post-quantum secure remote password protocol from RLWE problem,” in Proceedings of the Information Security and Cryptology - 13th International Conference, Inscrypt 2017, X. Chen, D. Lin, and M. Yung, Eds., pp. 99–116, Springer, Xi’an, China, November 3-5, 2017.View at: Google Scholar
R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. L. M. Barreto, “Mdpc-mceliece: New mceliece variants from moderate density parity-check codes,” in Proceedings of the 2013 IEEE International Symposium on Information Theory, p. 2069, IEEE, Istanbul, Turkey, July 7-12, 2013.View at: Publisher Site | Google Scholar
K. Fukushima, P. S. Roy, R. Xu, S. Kiyomoto, K. Morozov, and T. Takagi, “Random code-based signature scheme (racoss),” First Round Submission to the NIST post-quantum Cryptography Call, 2017.View at: Google Scholar
D. J. Bernstein, A. Hülsing, T. Lange, and L. Panny, “Comments on racoss,” A Submission to NISTaAZs PQC Competition, 2017.View at: Google Scholar
R. Gennaro and Y. Lindell, “A framework for password-based authenticated key exchange,” in Proceedings.of the Advances in Cryptology - EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, E. Biham, Ed., pp. 524–543, Springer, Warsaw, Poland, May 4-8, 2003.View at: Google Scholar