ABSTRACT
This paper discusses how to realize practical post-quantum authenticated key exchange (AKE) with strong security, i.e., CK+ security (Krawczyk, CRYPTO 2005). It is known that strongly secure post-quantum AKE protocols can be obtained from a generic construction based on IND-CCA secure key encapsulation mechanisms (KEMs) in the standard model.
However, when that construction is instantiated with existing IND-CCA secure post-quantum KEMs, the resulting AKE protocols are far from practical in terms of communication complexity. We propose a generic construction of AKE protocols from OW-CCA secure KEMs and prove CK+ security of the protocols in the random oracle model. We exploit the random oracle to instantiate AKE protocols from various assumptions: DDH, gap DH, CDH, factoring, RSA, DCR, (ring-)LWE, McEliece one-way, NTRU one-way, subset sum, multivariate quadratic systems, and more. For example, the communication cost of our lattice-based scheme is approximately 14 times lower than that of the previous instantiation (for 128-bit security), and that of our code-based scheme is approximately 25 times lower.
- Agrawal, S., Boneh, D., and Boyen, X. Efficient lattice (H)IBE in the standard model. In Gilbert {25}, pp. 553--572.
- Agrawal, S., Boneh, D., and Boyen, X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In Rabin {51}, pp. 98--115.
- Ajtai, M., and Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In STOC '97 (1997), ACM, pp. 284--293. See also ECCC TR96-065.
- Applebaum, B., Cash, D., Peikert, C., and Sahai, A. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Halevi {26}, pp. 595--618.
- Bellare, M., and Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In CCS '93 (1993), ACM, pp. 62--73.
- Bernstein, D. J., Lange, T., and Peters, C. Smaller decoding exponents: Ball-collision decoding. In CRYPTO 2011 (2011), P. Rogaway, Ed., vol. 6841 of LNCS, Springer, Heidelberg, pp. 743--760.
- Boneh, D. Simplified OAEP for the RSA and Rabin functions. In CRYPTO 2001 (2001), J. Kilian, Ed., vol. 2139 of LNCS, Springer, Heidelberg, pp. 275--291.
- Boneh, D., Canetti, R., Halevi, S., and Katz, J. Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing 36, 5 (December 2006), 1301--1328.
- Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., and Zhandry, M. Random oracles in a quantum world. In ASIACRYPT 2011 (2011), D. H. Lee and X. Wang, Eds., vol. 7073 of LNCS, Springer, Heidelberg, pp. 41--69.
- Boyd, C., Cliff, Y., González Nieto, J. M., and Paterson, K. G. One-round key exchange in the standard model. International Journal of Applied Cryptography (IJACT) 1, 3 (2009), 181--199. A preliminary version appeared in ACISP 2008, 2008.
- Boyen, X. Miniature CCA2 PK encryption: Tight security without redundancy. In Kurosawa {35}, pp. 485--501.
- Canetti, R., and Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT 2001 (2001), B. Pfitzmann, Ed., vol. 2045 of LNCS, Springer, Heidelberg, pp. 453--474.
- Cash, D., Hofheinz, D., Kiltz, E., and Peikert, C. Bonsai trees, or how to delegate a lattice basis. In Gilbert {25}, pp. 523--552.
- Cayrel, P.-L., Hoffmann, G., and Persichetti, E. Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes. In Fischlin et al. {22}, pp. 138--155.
- Coron, J.-S., Gouget, A., Paillier, P., and Villegas, K. SPAKE: A single-party public-key authenticated key exchange protocol for contact-less applications. In FC 2010 Workshops (2010), R. Sion, R. Curtmola, S. Dietrich, A. Kiayias, J. M. Miret, K. Sako, and F. Sebé, Eds., vol. 6054 of LNCS, Springer, Heidelberg, pp. 107--122.
- Dent, A. W. A designer's guide to KEMs. In IMA 2003 (2003), K. G. Paterson, Ed., vol. 2898 of LNCS, Springer, Heidelberg, pp. 133--151.
- Diffie, W., and Hellman, M. E. New directions in cryptography. IEEE Transactions on Information Theory 22 (November 1976), 644--654.
- Dowsley, R., Müller-Quade, J., and Nascimento, A. C. A. A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In CT-RSA 2009 (2009), M. Fischlin, Ed., vol. 5473 of LNCS, Springer, Heidelberg, pp. 240--251.
- Ducas, L., and Durmus, A. Ring-LWE in polynomial rings. In Fischlin et al. {22}, pp. 34--51.
- Dwork, C., Naor, M., and Reingold, O. Immunizing encryption schemes from decryption errors. In EUROCRYPT 2004 (2004), C. Cachin and J. Camenisch, Eds., vol. 3027 of LNCS, Springer, Heidelberg, pp. 342--360.
- ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31, 4 (1985), 469--472.
- Fischlin, M., Buchmann, J., and Manulis, M., Eds. Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012, Proceedings (2012), vol. 7293 of LNCS, Springer, Heidelberg.
- Fujioka, A., Suzuki, K., Xagawa, K., and Yoneyama, K. Strongly secure authenticated key exchange from factoring, codes, and lattices. In Fischlin et al. {22}, pp. 467--484.
- Fujisaki, E., and Okamoto, T. How to enhance the security of public-key encryption at minimum cost. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 83, 1 (2000), 24--32. A preliminary version appeared in PKC '99, 1999.
- Gilbert, H., Ed. Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30-June 3, 2010, Proceedings (2010), vol. 6110 of LNCS, Springer, Heidelberg.
- Halevi, S., Ed. Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009, Proceedings (2009), vol. 5677 of LNCS, Springer, Heidelberg.
- Hoffstein, J., Pipher, J., and Silverman, J. H. NTRU: A ring-based public key cryptosystem. In ANTS-III (1998), J. Buhler, Ed., vol. 1423 of LNCS, Springer, Heidelberg, pp. 267--288.
- Hofheinz, D., and Kiltz, E. The group of signed quadratic residues and applications. In Halevi {26}, pp. 637--653.
- Hofheinz, D., and Kiltz, E. Practical chosen ciphertext secure encryption from factoring. In EUROCRYPT 2009 (2009), A. Joux, Ed., vol. 5479 of LNCS, Springer, Heidelberg, pp. 313--332.
- Huang, Y.-J., Liu, F.-H., and Yang, B.-Y. Public-key cryptography from new multivariate quadratic assumptions. In Fischlin et al. {22}, pp. 190--205.
- IEEE. IEEE P1363.1/D12 Draft Standard for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices, October 2008. Available at http://grouper.ieee.org/groups/1363/lattPK/.
- ISO/IEC. ISO/IEC 18033-2 Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers. Geneva, 2006.
- Kobara, K., and Imai, H. Semantically secure McEliece public-key cryptosystems: Conversions for McEliece PKC. In PKC 2001 (2001), K. Kim, Ed., vol. 1992 of LNCS, Springer, Heidelberg, pp. 19--35.
- Krawczyk, H. HMQV: A high-performance secure Diffie-Hellman protocol. In CRYPTO 2005 (2005), V. Shoup, Ed., vol. 3621 of LNCS, Springer, Heidelberg, pp. 546--566.
- Kurosawa, K., Ed. Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings (2007), vol. 4833 of LNCS, Springer, Heidelberg.
- LaMacchia, B. A., Lauter, K., and Mityagin, A. Stronger security of authenticated key exchange. In ProvSec 2007 (2007), W. Susilo, J. K. Liu, and Y. Mu, Eds., vol. 4784 of LNCS, Springer, Heidelberg, pp. 1--16.
- Langlois, A., and Stehlé, D. Hardness of decision (R)LWE for any modulus. Cryptology ePrint Archive, Report 2012/091, 2012. Available at http://eprint.iacr.org/2012/091.
- Lindner, R., and Peikert, C. Better key sizes (and attacks) for LWE-based encryption. In CT-RSA 2011 (2011), A. Kiayias, Ed., vol. 6558 of LNCS, Springer, Heidelberg, pp. 319--330.
- Lyubashevsky, V., Palacio, A., and Segev, G. Public-key cryptographic primitives provably as secure as subset sum. In TCC 2010 (2010), D. Micciancio, Ed., vol. 5978 of LNCS, Springer, Heidelberg, pp. 382--400.
- Lyubashevsky, V., Peikert, C., and Regev, O. On ideal lattices and learning with errors over rings. In Gilbert {25}, pp. 1--23.
- McEliece, R. J. A public key cryptosystem based on algebraic coding theory. Tech. rep., DSN Progress Report, 1978.
- Merkle, R. C., and Hellman, M. E. Hiding information and signatures in trap door knapsacks. IEEE Transactions on Information Theory 24, 5 (September 1978), 525--530.
- Okamoto, T. Authenticated key exchange and key encapsulation in the standard model. In Kurosawa {35}, pp. 474--484.
- Okamoto, T., and Pointcheval, D. REACT: Rapid enhanced-security asymmetric cryptosystem transform. In CT-RSA 2001 (2001), D. Naccache, Ed., vol. 2020 of LNCS, Springer, Heidelberg, pp. 159--175.
- Peikert, C. Public-key cryptosystems from the worst-case shortest vector problem: Extended abstract. In STOC 2009 (2009), M. Mitzenmacher, Ed., ACM, pp. 333--342.
- Peikert, C., Vaikuntanathan, V., and Waters, B. A framework for efficient and composable oblivious transfer. In CRYPTO 2008 (2008), D. Wagner, Ed., vol. 5157 of LNCS, Springer, Heidelberg, pp. 554--571.
- Peikert, C., and Waters, B. Lossy trapdoor functions and their applications. In STOC 2008 (2008), C. Dwork, Ed., ACM, pp. 187--196.
- Persichetti, E. Compact McEliece keys based on quasi-dyadic Srivastava codes. Journal of Mathematical Cryptology 6, 2 (2012), 149--169.
- Pöppelmann, T., and Güneysu, T. Towards efficient arithmetic for lattice-based cryptography on reconfigurable hardware. In LATINCRYPT 2012 (2012), A. Hevia and G. Neven, Eds., vol. 7533 of LNCS, Springer, Heidelberg, pp. 139--158.
- Rabin, M. O. Digitalized signatures and public-key functions as intractable as factorization. Tech. rep., MIT, January 1979.
- Rabin, T., Ed. Advances in Cryptology - CRYPTO 2010, 30th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010, Proceedings (2010), vol. 6223 of LNCS, Springer, Heidelberg.
- Regev, O. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM 56, 6 (2009), Article 34. A preliminary version appeared in STOC 2005, 2005.
- Rivest, R. L., Shamir, A., and Adleman, L. M. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 2 (February 1978), 120--126.
- Rückert, M., and Schneider, M. Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137, 2010. Available at http://eprint.iacr.org/2010/137.
- Shor, P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26, 5 (1997), 1484--1509.
- Stehlé, D., and Steinfeld, R. Making NTRU as secure as worst-case problems over ideal lattices. In EUROCRYPT 2011 (2011), K. G. Paterson, Ed., vol. 6632 of LNCS, Springer, Heidelberg, pp. 27--47.
- Stehlé, D., Steinfeld, R., Tanaka, K., and Xagawa, K. Efficient public key encryption based on ideal lattices. In ASIACRYPT 2009 (2009), M. Matsui, Ed., vol. 5912 of LNCS, Springer, Heidelberg, pp. 617--635.
- Steinfeld, R., Ling, S., Pieprzyk, J., Tartary, C., and Wang, H. NTRUCCA: How to strengthen NTRUEncrypt to chosen-ciphertext security in the standard model. In Fischlin et al. {22}, pp. 353--371.
- Wee, H. Efficient chosen-ciphertext security via extractable hash proofs. In Rabin {51}, pp. 314--332.
- Zhandry, M. Secure identity-based encryption in the quantum random oracle model. In CRYPTO 2012 (2012), R. Safavi-Naini and R. Canetti, Eds., vol. 7417 of LNCS, Springer, Heidelberg, pp. 758--775.
Index Terms
- Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism