Authenticated Key Exchange from Ring Learning with Errors Jiang - PowerPoint PPT Presentation

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook Özgür Dagdelen DIMACS Workshop on the Mathematics of Post-Quantum Cryptography January 16, 2015 Michael Snook AKE from rLWE

Learning with Errors . . . . . ... . . . a mn Classic Key Exchange A . . . s n s . . . e m e b . s even exists Reduction to lattice approximation problems Michael Snook . AKE from rLWE b m . Lattice-based Key Exchange Learning with Errors [2006, Regev] b . .         . . . b 1 a 11 a 12 a 1 n s 1 e 1 . . .         b 2 a 21 a 22 a 2 n s 2 e 2         = +                 . . . a m 1 a m 2 � �� � � �� � � �� � � �� � � � � Approximate system over Z q s from A ,� Hard to find � Hard to tell if �

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Ring LWE Definition Hard to distinguish from uniform b Approximation problems on ideal lattices More efficient than standard LWE Michael Snook AKE from rLWE Let n be a power of 2 , q ≡ 1 ( mod 2 n ) prime. Define the ring Z q [ x ] R q = ( x n + 1) . Again, b = as + e hard to find s

Learning with Errors g a b Michael Snook Security based on discrete logarithm g ab , key is shared g b a Since g a b Public g generates finite group g b a Classic Key Exchange g b g a Diffie-Hellman Key Exchange HMQV Diffie-Hellman Lattice-based Key Exchange AKE from rLWE

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Diffie-Hellman HMQV Diffie-Hellman Key Exchange g a g b Public g generates finite group Security based on discrete logarithm Michael Snook AKE from rLWE ( g b ) a ( g a ) b Since ( g a ) b = ( g b ) a = g ab , key is shared

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Diffie-Hellman HMQV Man-in-the-Middle Attack Michael Snook AKE from rLWE g a 1 g a 2 g b 1 g b 2 g a 1 b 1 g a 1 b 1 g a 2 b 2 g a 2 b 2

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Diffie-Hellman HMQV What Key Exchange Needs Shared key Authentication of each party—long term keys Forward security—single-time keys Michael Snook AKE from rLWE

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Diffie-Hellman HMQV What Key Exchange Needs Shared key Authentication of each party—long term keys Forward security—single-time keys Michael Snook AKE from rLWE

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Diffie-Hellman HMQV What Key Exchange Needs Shared key Authentication of each party—long term keys Forward security—single-time keys Michael Snook AKE from rLWE

g y g b e x g y g x g a d y Learning with Errors Michael Snook B H A H Shared key is K Publicly derivable computations d , e . Ephemeral keys x , y : forward security. Static keys a , b ; tied to each party’s identity. da x eb B Classic Key Exchange eb A da g y g b g x g a HMQV Protocol HMQV Diffie-Hellman Lattice-based Key Exchange AKE from rLWE

g y g b e x g y g x g a d y x Michael Snook B H A H Shared key is K Publicly derivable computations d , e . Ephemeral keys x , y : forward security. Static keys a , b ; tied to each party’s identity. da Learning with Errors eb Classic Key Exchange B eb A da HMQV Protocol HMQV Diffie-Hellman Lattice-based Key Exchange AKE from rLWE g a , g x g b , g y

g y Learning with Errors Classic Key Exchange Michael Snook B H A H Shared key is K Publicly derivable computations d , e . Ephemeral keys x , y : forward security. Static keys a , b ; tied to each party’s identity. da x eb AKE from rLWE HMQV HMQV Protocol Diffie-Hellman Lattice-based Key Exchange g a , g x g b , g y ( g y ( g b ) e ) x + da ( g x ( g a ) d ) y + eb � �� � � �� � σ A σ B

Learning with Errors Classic Key Exchange Michael Snook Publicly derivable computations d , e . Ephemeral keys x , y : forward security. Static keys a , b ; tied to each party’s identity. AKE from rLWE Lattice-based Key Exchange Diffie-Hellman HMQV Protocol HMQV g a , g x g b , g y = g ( y + eb )( x + da ) = ( g y ( g b ) e ) x + da ( g x ( g a ) d ) y + eb � �� � � �� � σ A σ B Shared key is K = H ( σ A ) = H ( σ B )

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Lattice Diffie-Hellman Lattice HMQV The Post-Quantum World DH, HMQV Rely on hardness of discrete logarithm: vulnerable to quantum algorithms Ding’s original Goal: create an analogue to DH based off hard lattice problems Michael Snook AKE from rLWE

Learning with Errors Classic Key Exchange Michael Snook No authentication—MitM Difference is even—same low bits. Each side’s key is only approximately equal to the other. p A s B k B s A p B k A Diffie-Hellman from Ideal Lattices Lattice HMQV Lattice Diffie-Hellman Lattice-based Key Exchange AKE from rLWE p A = as A + 2 e A p B = as B + 2 e B Public a ∈ R q . Acts like generator g in DH.

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Lattice Diffie-Hellman Lattice HMQV Diffie-Hellman from Ideal Lattices Each side’s key is only approximately equal to the other. Difference is even—same low bits. No authentication—MitM Michael Snook AKE from rLWE p A = as A + 2 e A p B = as B + 2 e B k A = s A p B k B = p A s B Public a ∈ R q . Acts like generator g in DH.

Learning with Errors Classic Key Exchange Michael Snook No authentication—MitM Difference is even—same low bits. Each side’s key is only approximately equal to the other. AKE from rLWE Lattice HMQV Diffie-Hellman from Ideal Lattices Lattice Diffie-Hellman Lattice-based Key Exchange p A = as A + 2 e A p B = as B + 2 e B k A = s A p B ≈ k B = p A s B Public a ∈ R q . Acts like generator g in DH.

x A y B same form. Forward secrecy. c d publicly derivable; g A g B random, small. Learning with Errors y B Michael Snook cg B r B s B d x A p A c k B dg A r A s A c p B d Classic Key Exchange k A f B ar B y B p B f A ar A x A p A HMQV from Ideal Lattices Lattice HMQV Lattice Diffie-Hellman Lattice-based Key Exchange AKE from rLWE p A , p B as above. Public, static keys for authentication

c d publicly derivable; g A g B random, small. Learning with Errors Classic Key Exchange Michael Snook cg B r B s B d x A p A c k B dg A r A s A c y B p B d k A HMQV from Ideal Lattices Lattice HMQV Lattice Diffie-Hellman Lattice-based Key Exchange AKE from rLWE p A , x A = ar A + 2 f A p B , y B = ar B + 2 f B p A , p B as above. Public, static keys for authentication x A , y B same form. Forward secrecy.

Learning with Errors HMQV from Ideal Lattices Michael Snook Classic Key Exchange AKE from rLWE Lattice HMQV Lattice Diffie-Hellman Lattice-based Key Exchange p A , x A = ar A + 2 f A p B , y B = ar B + 2 f B k A = ( p B d + y B )( s A c + r A ) k B = ( p A c + x A )( s B d + r B ) +2 dg A +2 cg B p A , p B as above. Public, static keys for authentication x A , y B same form. Forward secrecy. c , d publicly derivable; g A , g B random, small.

Each k j k j g j . Each g j is small ( g j Learning with Errors Classic Key Exchange Michael Snook , get n bit secret Take each coefficient mod Matching coefficients differ by small multiple of q ). B A g AKE from rLWE B Obtaining shared secret from approximate shared secret: Lattice-based Key Exchange Lattice Diffie-Hellman Lattice HMQV Key Derivation A k A = ( k (0) A , k (1) A , . . . , k ( n − 1) ) k B = ( k (0) B , k (1) B , . . . , k ( n − 1) ) g = ( g (0) , g (1) , . . . , g ( n − 1) ) ˜ k A − k B = 2˜ k A ≡ k B ( mod 2)

Learning with Errors A Michael Snook g Classic Key Exchange B Obtaining shared secret from approximate shared secret: Lattice HMQV Lattice-based Key Exchange Lattice Diffie-Hellman AKE from rLWE Key Derivation k A = ( k (0) A , k (1) A , . . . , k ( n − 1) ) k B = ( k (0) B , k (1) B , . . . , k ( n − 1) ) g = ( g (0) , g (1) , . . . , g ( n − 1) ) ˜ k A − k B = 2˜ k A ≡ k B ( mod 2) Each k ( j ) A = k ( j ) B + 2 g ( j ) . Each g ( j ) is small ( | g ( j ) | < q 8 ). Matching coefficients differ by small multiple of 2 Take each coefficient mod 2 , get n bit secret

Learning with Errors Classic Key Exchange Michael Snook , now parities disagree! becomes . q , But wait! If q g AKE from rLWE Lattice HMQV Wrap-around Illustrated Lattice Diffie-Hellman Lattice-based Key Exchange 2˜ g = 2 − 2 − 1 0 1 2 3 4 5 Difference 2 , both even.

Learning with Errors Classic Key Exchange Michael Snook g AKE from rLWE Wrap-around Illustrated Lattice HMQV Lattice Diffie-Hellman Lattice-based Key Exchange 2˜ g = 3 − 2 − 1 0 1 2 3 4 5 Difference 2 , both even. But wait! If q = 5 , Z q = {− 2 , − 1 , 0 , 1 , 2 } . 4 becomes − 1 , now parities disagree!