Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-Quantum World

Ding, Jíntai; Alsayigh, Saed; Lancrenon, Jean; Rv, Saraswathy; Snook, Michael

doi:10.1007/978-3-319-52153-4_11

Cited by 82 publications

(54 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the protocol, odd modulus and even errors are used when generating (Ring-)LWE samples, a hint bit is additionally sent from one party to the other to aid computing a least significant bit of a value dependent on each side's secret as a common value. By using Ding et al's reconciliation mechanism as a building block, subsequent works constructing versatile provably secure RLWE analogues of existing protocols based on DH problem, like Zhang et al's authenticated key exchange protocol [30] and Ding et al's password authenticated key exchange protocols [12], have emerged. In 2019, Ding's key exchange protocol [11] was instantiated with two set of parameters [16].…”

Section: Reconciliation-based Approachmentioning

confidence: 99%

See 1 more Smart Citation

It all Started with Compression: Another Look at Reconciliation Mechanism

Xie

Pan

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

In a (Ring-)LWE-based key exchange scheme, the error reconciliation technique is usually employed to help the two parties establish the exactly same shared key. In an error reconciliation mechanism, a hint should be produced and sent by one party, which makes the key exchange scheme sequential and the two parties asymmetrical. There is an alternative approach to realize key exchange, the encryption-based key encapsulation mechanism (KEM), where a message is encrypted by one party and the other party decrypts the corresponding ciphertext to derive the shared key from the recovered message. In this paper, we try to unify the two approaches and show that the two mainstream reconciliation instantiations, Ding et al.'s branch and Peikert's branch, can both be derived by just choosing a certain message in some encryption-based KEMs we constructed, in which the compressed ciphertext is just the hint and the certain message is exactly the reconciled value. This explains why reconciliation-based key exchange scheme must be sequential and have two asymmetrical parties and will bring more generalization for reconciliation mechanism. As a byproduct, a new (Ring-)LWE-based encryption structure is proposed. CCS CONCEPTS • Security and privacy → Public key encryption.

show abstract

Section: Reconciliation-based Approachmentioning

confidence: 99%

“…By a randomized tweak of hint function, the reconciled bit has the same probability to be 0 or 1 conditioned on the hint value. Ding et al's reconciliation mechanism is later used in constructing many advanced latticebased protocols, such as the authenticated key exchange protocols [12,30].…”

Section: Introductionmentioning

confidence: 99%

It all Started with Compression: Another Look at Reconciliation Mechanism

Xie

Pan

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…For authenticated key exchange (AKE) protocol, a RLWE-based protocol which is a RLWE analogue of HMQV was proposed by Zhang et al in 2015 [10]. Two provably secure password-based authenticated key exchange (PAKE) protocols that are RLWE analogues of PAK and PPK were given in 2017 [11]. These two works use same error reconciliation mechanism as DING12.…”

Section: Related Workmentioning

confidence: 99%

Comparison analysis and efficient implementation of reconciliation-based RLWE key exchange protocol

Gao

Ding

et al. 2019

IJHPCN

Self Cite

View full text Add to dashboard Cite

Error reconciliation is an important technique for Learning With Error (LWE) and Ring-LWE (RLWE)-based constructions. In this paper, we present a comparison analysis on two error reconciliation-based RLWE key exchange protocols: Ding et al. in 2012 (DING12) and Bos et al. in 2015 (BCNS15). We take them as examples to explain core idea of error reconciliation, building key exchange over RLWE problem, implementation, real-world performance and compare them comprehensively. We also analyse a LWE key exchange "Frodo" that uses an improved error reconciliation mechanism in BCNS15. To the best of our knowledge, our work is the first to present at least 128-bit classic (80-bit quantum) and 256-bit classic (>200-bit quantum) secure parameter choices for DING12 with efficient portable C/C++ implementations. Benchmark shows that our efficient implementation is 11x faster than BCNS15 and one key exchange execution only costs 0.07ms on a 4-year-old middle range CPU. Error reconciliation is 1.57x faster than BCNS15.

show abstract

“…Based on the work of Ding et al [42], Bos et al applied the generic LWE in a scheme called Frodo [10]. A provably secure authenticated key exchange protocol applying the R-LWE was presented by Zhang et al [84] and a password authenticated key exchange scheme was presented by Ding et al [25].…”

Section: Schemes Based Latticesmentioning

confidence: 99%

Algebraic generalization of Diffie–Hellman key exchange

Partala

2017

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

The Diffie–Hellman key exchange scheme is one of the earliest and most widely used public-key primitives. Its underlying algebraic structure is a cyclic group and its security is based on the discrete logarithm problem (DLP). The DLP can be solved in polynomial time for any cyclic group in the quantum computation model. Therefore, new key exchange schemes have been sought to prepare for the time when quantum computing becomes a reality. Algebraically, these schemes need to provide some sort of commutativity to enable Alice and Bob to derive a common key on a public channel while keeping it computationally difficult for the adversary to deduce the derived key. We suggest an algebraically generalized Diffie–Hellman scheme (AGDH) that, in general, enables the application of any algebra as the platform for key exchange. We formulate the underlying computational problems in the framework of average-case complexity and show that the scheme is secure if the problem of computing images under an unknown homomorphism is infeasible. We also show that a symmetric encryption scheme possessing homomorphic properties over some algebraic operation can be turned into a public-key primitive with the AGDH, provided that the operation is complex enough. In addition, we present a brief survey on the algebraic properties of existing key exchange schemes and identify the source of commutativity and the family of underlying algebraic structures for each scheme.

show abstract

Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-Quantum World

Cited by 82 publications

References 45 publications

It all Started with Compression: Another Look at Reconciliation Mechanism

It all Started with Compression: Another Look at Reconciliation Mechanism

Comparison analysis and efficient implementation of reconciliation-based RLWE key exchange protocol

Algebraic generalization of Diffie–Hellman key exchange

Contact Info

Product

Resources

About