DOI: 10.1145/2484313.2484323
research-article

Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism

Published: 08 May 2013

ABSTRACT

This paper discusses how to realize practical post-quantum authenticated key exchange (AKE) with strong security, i.e., CK+ security (Krawczyk, CRYPTO 2005). It is known that strongly secure post-quantum AKE protocols exist via a generic construction from IND-CCA secure key encapsulation mechanisms (KEMs) in the standard model.

However, when that construction is instantiated with existing IND-CCA secure post-quantum KEMs, the resulting AKE protocols are far from practical in communication complexity. We propose a generic construction of AKE protocols from OW-CCA secure KEMs and prove CK+ security of the protocols in the random oracle model. We exploit the random oracle to instantiate AKE protocols from various assumptions: DDH, gap DH, CDH, factoring, RSA, DCR, (ring-)LWE, McEliece one-way, NTRU one-way, subset sum, multivariate quadratic systems, and more. For example, the communication cost of our lattice-based scheme is approximately 14 times lower than that of the previous instantiation (for 128-bit security); for the code-based scheme it is approximately 25 times lower.
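As an added illustration of the shape of construction the abstract describes, and not the paper's own protocol or proof: a two-message AKE in which B's static KEM key, A's static KEM key and an ephemeral KEM key each yield one encapsulated key, and a hash standing in for the random oracle binds all three keys to the full transcript. The KEM is a toy hashed-ElGamal KEM over a constructed 127-bit prime (readable, not secure); the party names, function names and message layout are assumptions, and any keygen/encap/decap KEM, including a lattice- or code-based one, could replace `kem_*`.

```python
import hashlib
import secrets
P, G = 2**127 - 1, 3   # constructed toy group: readable, not secure

def H(tag, *parts):  # random-oracle stand-in: SHA-256 over tagged, length-prefixed inputs
    h = hashlib.sha256(tag)
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(16, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

# Toy hashed-ElGamal KEM; any keygen/encap/decap KEM (lattice, code based, ...) plugs in here.
def kem_keygen():
    dk = secrets.randbelow(P - 2) + 1
    return pow(G, dk, P), dk                    # (ek, dk)

def kem_encap(ek):
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    return c, H(b"kem", c, pow(ek, r, P))        # (ciphertext, key)

def kem_decap(dk, c):
    return H(b"kem", c, pow(c, dk, P))

def session_key(sid, k_a, k_b, k_t):            # SK = H(transcript, K_A, K_B, K_T)
    return H(b"ake", *sid, k_a, k_b, k_t)

def initiator_start(ek_b):
    ek_t, dk_t = kem_keygen()                   # ephemeral KEM key pair
    c_a, k_a = kem_encap(ek_b)                  # only B's static dk recovers k_a
    return (c_a, ek_t), (dk_t, k_a)

def responder(ids, dk_b, ek_a, ek_b, msg1):
    c_a, ek_t = msg1
    c_b, k_b = kem_encap(ek_a)                  # only A's static dk recovers k_b
    c_t, k_t = kem_encap(ek_t)                  # only A's ephemeral dk recovers k_t
    sid = (*ids, ek_a, ek_b, c_a, ek_t, c_b, c_t)
    return (c_b, c_t), session_key(sid, kem_decap(dk_b, c_a), k_b, k_t)

def initiator_finish(ids, dk_a, ek_a, ek_b, msg1, state, msg2):
    (c_a, ek_t), (dk_t, k_a), (c_b, c_t) = msg1, state, msg2
    sid = (*ids, ek_a, ek_b, c_a, ek_t, c_b, c_t)
    return session_key(sid, k_a, kem_decap(dk_a, c_b), kem_decap(dk_t, c_t))

def run_session(dk_a_finish=None):  # returns (A's key, B's key); dk_a_finish simulates a wrong static key
    ids, (ek_a, dk_a), (ek_b, dk_b) = (b"alice", b"bob"), kem_keygen(), kem_keygen()
    msg1, state = initiator_start(ek_b)
    msg2, sk_b = responder(ids, dk_b, ek_a, ek_b, msg1)
    sk_a = initiator_finish(ids, dk_a_finish or dk_a, ek_a, ek_b, msg1, state, msg2)
    return sk_a, sk_b
```

Because every KEM key and every transmitted value enters the final hash, a party holding the wrong static key, or an ephemeral key from another session, derives a different session key.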

References

  1. Agrawal, S., Boneh, D., and Boyen, X. Efficient lattice (H)IBE in the standard model. In Gilbert [25], pp. 553--572.
  2. Agrawal, S., Boneh, D., and Boyen, X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In Rabin [51], pp. 98--115.
  3. Ajtai, M., and Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In STOC '97 (1997), ACM, pp. 284--293. See also ECCC TR96-065.
  4. Applebaum, B., Cash, D., Peikert, C., and Sahai, A. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Halevi [26], pp. 595--618.
  5. Bellare, M., and Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In CCS '93 (1993), ACM, pp. 62--73.
  6. Bernstein, D. J., Lange, T., and Peters, C. Smaller decoding exponents: Ball-collision decoding. In CRYPTO 2011 (2011), P. Rogaway, Ed., vol. 6841 of LNCS, Springer, Heidelberg, pp. 743--760.
  7. Boneh, D. Simplified OAEP for the RSA and Rabin functions. In CRYPTO 2001 (2001), J. Kilian, Ed., vol. 2139 of LNCS, Springer, Heidelberg, pp. 275--291.
  8. Boneh, D., Canetti, R., Halevi, S., and Katz, J. Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing 36, 5 (December 2006), 1301--1328.
  9. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., and Zhandry, M. Random oracles in a quantum world. In ASIACRYPT 2011 (2011), D. H. Lee and X. Wang, Eds., vol. 7073 of LNCS, Springer, Heidelberg, pp. 41--69.
  10. Boyd, C., Cliff, Y., Gonzalez Nieto, J. M., and Paterson, K. G. One-round key exchange in the standard model. International Journal of Applied Cryptography (IJACT) 1, 3 (2009), 181--199. A preliminary version appeared in ACISP 2008, 2008.
  11. Boyen, X. Miniature CCA2 PK encryption: Tight security without redundancy. In Kurosawa [35], pp. 485--501.
  12. Canetti, R., and Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT 2001 (2001), B. Pfitzmann, Ed., vol. 2045 of LNCS, Springer, Heidelberg, pp. 453--474.
  13. Cash, D., Hofheinz, D., Kiltz, E., and Peikert, C. Bonsai trees, or how to delegate a lattice basis. In Gilbert [25], pp. 523--552.
  14. Cayrel, P.-L., Hoffmann, G., and Persichetti, E. Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes. In Fischlin et al. [22], pp. 138--155.
  15. Coron, J.-S., Gouget, A., Paillier, P., and Villegas, K. SPAKE: A single-party public-key authenticated key exchange protocol for contact-less applications. In FC 2010 Workshops (2010), R. Sion, R. Curtmola, S. Dietrich, A. Kiayias, J. M. Miret, K. Sako, and F. Sebé, Eds., vol. 6054 of LNCS, Springer, Heidelberg, pp. 107--122.
  16. Dent, A. W. A designer's guide to KEMs. In IMA 2003 (2003), K. G. Paterson, Ed., vol. 2898 of LNCS, Springer, Heidelberg, pp. 133--151.
  17. Diffie, W., and Hellman, M. E. New directions in cryptography. IEEE Transactions on Information Theory 22 (November 1976), 644--654.
  18. Dowsley, R., Müller-Quade, J., and Nascimento, A. C. A. A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In CT-RSA 2009 (2009), M. Fischlin, Ed., vol. 5473 of LNCS, Springer, Heidelberg, pp. 240--251.
  19. Ducas, L., and Durmus, A. Ring-LWE in polynomial rings. In Fischlin et al. [22], pp. 34--51.
  20. Dwork, C., Naor, M., and Reingold, O. Immunizing encryption schemes from decryption errors. In EUROCRYPT 2004 (2004), C. Cachin and J. Camenisch, Eds., vol. 3027 of LNCS, Springer, Heidelberg, pp. 342--360.
  21. ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31, 4 (1985), 469--472.
  22. Fischlin, M., Buchmann, J., and Manulis, M., Eds. Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012, Proceedings (2012), vol. 7293 of LNCS, Springer, Heidelberg.
  23. Fujioka, A., Suzuki, K., Xagawa, K., and Yoneyama, K. Strongly secure authenticated key exchange from factoring, codes, and lattices. In Fischlin et al. [22], pp. 467--484.
  24. Fujisaki, E., and Okamoto, T. How to enhance the security of public-key encryption at minimum cost. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 83, 1 (2000), 24--32. A preliminary version appeared in PKC '99, 1999.
  25. Gilbert, H., Ed. Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30-June 3, 2010. Proceedings (2010), vol. 6110 of LNCS, Springer, Heidelberg.
  26. Halevi, S., Ed. Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings (2009), vol. 5677 of LNCS, Springer, Heidelberg.
  27. Hoffstein, J., Pipher, J., and Silverman, J. H. NTRU: A ring-based public key cryptosystem. In ANTS-III (1998), J. Buhler, Ed., vol. 1423 of LNCS, Springer, Heidelberg, pp. 267--288.
  28. Hofheinz, D., and Kiltz, E. The group of signed quadratic residues and applications. In Halevi [26], pp. 637--653.
  29. Hofheinz, D., and Kiltz, E. Practical chosen ciphertext secure encryption from factoring. In EUROCRYPT 2009 (2009), A. Joux, Ed., vol. 5479 of LNCS, Springer, Heidelberg, pp. 313--332.
  30. Huang, Y.-J., Liu, F.-H., and Yang, B.-Y. Public-key cryptography from new multivariate quadratic assumptions. In Fischlin et al. [22], pp. 190--205.
  31. IEEE. IEEE P1363.1/D12 Draft Standard for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices, October 2008. Available at http://grouper.ieee.org/groups/1363/lattPK/.
  32. ISO/IEC. ISO/IEC 18033-2 Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers. Geneva, 2006.
  33. Kobara, K., and Imai, H. Semantically secure McEliece public-key cryptosystems - conversions for McEliece PKC. In PKC 2001 (2001), K. Kim, Ed., vol. 1992 of LNCS, Springer, Heidelberg, pp. 19--35.
  34. Krawczyk, H. HMQV: A high-performance secure Diffie-Hellman protocol. In CRYPTO 2005 (2005), V. Shoup, Ed., vol. 3621 of LNCS, Springer, Heidelberg, pp. 546--566.
  35. Kurosawa, K., Ed. Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings (2007), vol. 4833 of LNCS, Springer, Heidelberg.
  36. LaMacchia, B. A., Lauter, K., and Mityagin, A. Stronger security of authenticated key exchange. In ProvSec 2007 (2007), W. Susilo, J. K. Liu, and Y. Mu, Eds., vol. 4784 of LNCS, Springer, Heidelberg, pp. 1--16.
  37. Langlois, A., and Stehlé, D. Hardness of decision (R)LWE for any modulus. Cryptology ePrint Archive, Report 2012/091, 2012. Available at http://eprint.iacr.org/2012/091.
  38. Lindner, R., and Peikert, C. Better key sizes (and attacks) for LWE-based encryption. In CT-RSA 2011 (2011), A. Kiayias, Ed., vol. 6558 of LNCS, Springer, Heidelberg, pp. 319--330.
  39. Lyubashevsky, V., Palacio, A., and Segev, G. Public-key cryptographic primitives provably as secure as subset sum. In TCC 2010 (2010), D. Micciancio, Ed., vol. 5978 of LNCS, Springer, Heidelberg, pp. 382--400.
  40. Lyubashevsky, V., Peikert, C., and Regev, O. On ideal lattices and learning with errors over rings. In Gilbert [25], pp. 1--23.
  41. McEliece, R. J. A public key cryptosystem based on algebraic coding theory. Tech. rep., DSN progress report, 1978.
  42. Merkle, R. C., and Hellman, M. E. Hiding information and signatures in trap door knapsacks. IEEE Transactions on Information Theory 24, 5 (September 1978), 525--530.
  43. Okamoto, T. Authenticated key exchange and key encapsulation in the standard model. In Kurosawa [35], pp. 474--484.
  44. Okamoto, T., and Pointcheval, D. REACT: Rapid enhanced-security asymmetric cryptosystem transform. In CT-RSA 2001 (2001), D. Naccache, Ed., vol. 2020 of LNCS, Springer, Heidelberg, pp. 159--175.
  45. Peikert, C. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In STOC 2009 (2009), M. Mitzenmacher, Ed., ACM, pp. 333--342.
  46. Peikert, C., Vaikuntanathan, V., and Waters, B. A framework for efficient and composable oblivious transfer. In CRYPTO 2008 (2008), D. Wagner, Ed., vol. 5157 of LNCS, Springer, Heidelberg, pp. 554--571.
  47. Peikert, C., and Waters, B. Lossy trapdoor functions and their applications. In STOC 2008 (2008), C. Dwork, Ed., ACM, pp. 187--196.
  48. Persichetti, E. Compact McEliece keys based on quasi-dyadic Srivastava codes. Journal of Mathematical Cryptology 6, 2 (2012), 149--169.
  49. Pöppelmann, T., and Güneysu, T. Towards efficient arithmetic for lattice-based cryptography on reconfigurable hardware. In LATINCRYPT 2012 (2012), A. Hevia and G. Neven, Eds., vol. 7533 of LNCS, Springer, Heidelberg, pp. 139--158.
  50. Rabin, M. O. Digitalized signatures and public-key functions as intractable as factorization. Tech. rep., MIT, January 1979.
  51. Rabin, T., Ed. Advances in Cryptology - CRYPTO 2010, 30th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings (2010), vol. 6223 of LNCS, Springer, Heidelberg.
  52. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM 56, 6 (2009), Article 34. A preliminary version appeared in STOC 2005, 2005.
  53. Rivest, R. L., Shamir, A., and Adleman, L. M. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 2 (February 1978), 120--126.
  54. Rückert, M., and Schneider, M. Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137, 2010. Available at http://eprint.iacr.org/2010/137.
  55. Shor, P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26, 5 (1997), 1484--1509.
  56. Stehlé, D., and Steinfeld, R. Making NTRU as secure as worst-case problems over ideal lattices. In EUROCRYPT 2011 (2011), K. G. Paterson, Ed., vol. 6632 of LNCS, Springer, Heidelberg, pp. 27--47.
  57. Stehlé, D., Steinfeld, R., Tanaka, K., and Xagawa, K. Efficient public key encryption based on ideal lattices. In ASIACRYPT 2009 (2009), M. Matsui, Ed., vol. 5912 of LNCS, Springer, Heidelberg, pp. 617--635.
  58. Steinfeld, R., Ling, S., Pieprzyk, J., Tartary, C., and Wang, H. NTRUCCA: How to strengthen NTRUEncrypt to chosen-ciphertext security in the standard model. In Fischlin et al. [22], pp. 353--371.
  59. Wee, H. Efficient chosen-ciphertext security via extractable hash proofs. In Rabin [51], pp. 314--332.
  60. Zhandry, M. Secure identity-based encryption in the quantum random oracle model. In CRYPTO 2012 (2012), R. Safavi-Naini and R. Canetti, Eds., vol. 7417 of LNCS, Springer, Heidelberg, pp. 758--775.

Published in

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
May 2013
574 pages
ISBN: 9781450317672
DOI: 10.1145/2484313

Copyright © 2013 ACM


      Publisher

      Association for Computing Machinery

      New York, NY, United States


Acceptance Rates

ASIA CCS '13 paper acceptance rate: 35 of 216 submissions, 16%. Overall acceptance rate: 418 of 2,322 submissions, 18%.
