Authenticated Key Exchange from Ring Learning with Errors

SLIDE 1

Learning with Errors Classic Key Exchange Lattice-based Key Exchange

Authenticated Key Exchange from Ring Learning with Errors

Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook Özgür Dagdelen

DIMACS Workshop on the Mathematics of Post-Quantum Cryptography

January 16, 2015

Michael Snook AKE from rLWE

SLIDE 2

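Learning with Errors [2006, Regev]

$$
\underbrace{\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix}}_{\mathbf{b}}
=
\underbrace{\begin{pmatrix}
a_{11} & a_{12} & \cdots & a_{1n} \\
a_{21} & a_{22} & \cdots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \cdots & a_{mn}
\end{pmatrix}}_{\mathbf{A}}
\underbrace{\begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix}}_{\mathbf{s}}
+
\underbrace{\begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix}}_{\mathbf{e}}
$$

  • Approximate system over $\mathbb{Z}_q$
  • Hard to find $\mathbf{s}$ from $\mathbf{A}$, $\mathbf{b}$.
  • Hard to tell if $\mathbf{s}$ even exists
  • Reduction to lattice approximation problems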

SLIDE 3

Ring LWE

Definition: Let $n$ be a power of 2, $q \equiv 1 \pmod{2n}$ prime. Define the ring $R_q = \mathbb{Z}_q[x]/(x^n + 1)$.

  • Again, $b = as + e$ hard to find $s$
  • Hard to distinguish from uniform $b$
  • Approximation problems on ideal lattices
  • More efficient than standard LWE

SLIDE 5

Diffie-Hellman Key Exchange

$g^a \qquad g^b$

$(g^b)^a \qquad (g^a)^b$

  • Public $g$ generates finite group
  • Since $(g^a)^b = (g^b)^a = g^{ab}$, key is shared
  • Security based on discrete logarithm

SLIDE 6

Man-in-the-Middle Attack

$g^{a_1} \qquad g^{b_1} \qquad g^{a_2} \qquad g^{b_2}$

$g^{a_1 b_1} \qquad g^{a_2 b_2} \qquad g^{a_1 b_1} \qquad g^{a_2 b_2}$

SLIDE 7

What Key Exchange Needs

  • Shared key
  • Authentication of each party—long term keys
  • Forward security—single-time keys

SLIDE 13

HMQV Protocol

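$g^a,\ g^x \qquad g^b,\ g^y$

$$
\underbrace{\left(g^y (g^b)^e\right)^{x+da}}_{\sigma_A}
= g^{(y+eb)(x+da)} =
\underbrace{\left(g^x (g^a)^d\right)^{y+eb}}_{\sigma_B}
$$

  • Static keys $a$, $b$; tied to each party’s identity.
  • Ephemeral keys $x$, $y$: forward security.
  • Publicly derivable computations $d$, $e$.
  • Shared key is $K = H(\sigma_A) = H(\sigma_B)$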

SLIDE 14

The Post-Quantum World

  • DH, HMQV rely on hardness of discrete logarithm: vulnerable to quantum algorithms
  • Ding’s original goal: create an analogue to DH based off hard lattice problems

SLIDE 17

Diffie-Hellman from Ideal Lattices

$p_A = a s_A + 2 e_A \qquad p_B = a s_B + 2 e_B$

$k_A = s_A p_B \;\approx\; k_B = p_A s_B$

  • Public $a \in R_q$. Acts like generator $g$ in DH.
  • Each side’s key is only approximately equal to the other.
  • Difference is even—same low bits.
  • No authentication—MitM

SLIDE 20

HMQV from Ideal Lattices

$p_A,\ x_A = a r_A + 2 f_A \qquad p_B,\ y_B = a r_B + 2 f_B$

$k_A = (p_B d + y_B)(s_A c + r_A) + 2 d g_A$

$k_B = (p_A c + x_A)(s_B d + r_B) + 2 c g_B$

  • $p_A$, $p_B$ as above. Public, static keys for authentication
  • $x_A$, $y_B$ same form. Forward secrecy.
  • $c$, $d$ publicly derivable; $g_A$, $g_B$ random, small.

SLIDE 22

Key Derivation

Obtaining shared secret from approximate shared secret:

$$k_A = (k_A^{(0)}, k_A^{(1)}, \ldots, k_A^{(n-1)})$$
$$k_B = (k_B^{(0)}, k_B^{(1)}, \ldots, k_B^{(n-1)})$$
$$\tilde{g} = (g^{(0)}, g^{(1)}, \ldots, g^{(n-1)})$$
$$k_A - k_B = 2\tilde{g} \qquad k_A \equiv k_B \pmod 2$$

  • Each $k_A^{(j)} = k_B^{(j)} + 2g^{(j)}$.
  • Each $g^{(j)}$ is small ($|g^{(j)}| < \frac{q}{8}$).
  • Matching coefficients differ by small multiple of 2
  • Take each coefficient mod 2, get $n$ bit secret

SLIDE 24

Wrap-around Illustrated

[Figure: number line with ticks from −2 to 5, with labels $g$ and $2\tilde{g}$]

  • Difference 2, both even.
  • But wait! If $q = 5$, $\mathbb{Z}_q = \{-2, -1, 0, 1, 2\}$.
  • 4 becomes −1, now parities disagree!

SLIDE 25

Compensating for Wrap-Around

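  • Recall: $|g^{(j)}| < \frac{q}{8}$
  • Define $E = \{-\lfloor \frac{q}{4} \rfloor, \ldots, \lfloor \frac{q}{4} \rceil\}$. Middle half of $\mathbb{Z}_q$.
  • If $k_B^{(j)} \in E$, no wrap-around occurs; $k_A^{(j)} \equiv k_B^{(j)}$.
  • If $k_B^{(j)} \notin E$, then $k_B^{(j)} + \frac{q-1}{2} \in E$
  • If $k_B^{(j)} \notin E$, $k_A^{(j)} + \frac{q-1}{2} \equiv k_B^{(j)} + \frac{q-1}{2}$.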

SLIDE 26

Wrap-around Defeated

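Define
$$
w_B^{(j)} = \begin{cases} 0 & k_B^{(j)} \in E, \\ 1 & k_B^{(j)} \notin E. \end{cases}
$$

  • Then $k_B^{(j)} + w_B^{(j)} \frac{q-1}{2} \in E$.
  • Also, $k_B^{(j)} + w_B^{(j)} \frac{q-1}{2} \equiv k_A^{(j)} + w_B^{(j)} \frac{q-1}{2} \pmod 2$.
  • $k_B^{(j)} + w_B^{(j)} \frac{q-1}{2} \bmod q \bmod 2 = k_A^{(j)} + w_B^{(j)} \frac{q-1}{2} \bmod q \bmod 2$.
  • Wrap-around correction $w_B = (w_B^{(0)}, w_B^{(1)}, \ldots, w_B^{(n-1)})$
  • $\sigma_B = k_B + w_B \frac{q-1}{2} \bmod 2$.
  • $\sigma_A = k_A + w_B \frac{q-1}{2} \bmod 2$.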
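
Added example, not from the slides: a toy Python run of the unauthenticated ideal-lattice Diffie-Hellman together with the wrap-around correction defined on the Key Derivation and Wrap-around slides. The parameters n = 8, q = 257, the ternary secrets and errors, and all function names are assumptions, chosen so that every |g^(j)| stays below q/8; they are not a secure parameter set.

```python
import random

N, Q = 8, 257  # constructed toy parameters: n a power of 2, prime q ≡ 1 (mod 2n)

def centered(v, q=Q):
    """Representative of v mod q in {-(q-1)/2, ..., (q-1)/2}."""
    v %= q
    return v - q if v > (q - 1) // 2 else v

def mul(f, g):
    """Multiply in R_q = Z_q[x]/(x^n + 1), where x^n = -1."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] += sign * fi * gj
    return [centered(c) for c in out]

def add(f, g):
    return [centered(x + y) for x, y in zip(f, g)]

def small(rng):
    """Ternary polynomial, so every |g^(j)| <= 2n = 16 < q/8."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def signal(k, q=Q):
    """w = 0 if k is in E = {-floor(q/4), ..., round(q/4)}, else 1."""
    return 0 if -(q // 4) <= k <= (q + 2) // 4 else 1

def extract(k, w, q=Q):
    """sigma = ((k + w*(q-1)/2) mod q) mod 2, using the centered residue."""
    return centered(k + w * ((q - 1) // 2), q) % 2

def exchange(seed):
    rng = random.Random(seed)  # seeded for repeatability, not a CSPRNG
    a = [rng.randrange(Q) for _ in range(N)]
    s_a, e_a, s_b, e_b = (small(rng) for _ in range(4))
    p_a = add(mul(a, s_a), [2 * c for c in e_a])
    p_b = add(mul(a, s_b), [2 * c for c in e_b])
    k_a, k_b = mul(s_a, p_b), mul(p_a, s_b)
    w_b = [signal(c) for c in k_b]  # B sends w_b along with p_b
    sig_a = [extract(k, w) for k, w in zip(k_a, w_b)]
    sig_b = [extract(k, w) for k, w in zip(k_b, w_b)]
    naive_diff = sum(x % 2 != y % 2 for x, y in zip(k_a, k_b))
    return sig_a, sig_b, naive_diff

if __name__ == "__main__":
    sig_a, sig_b, naive_diff = exchange(1)
    print(sig_a == sig_b, naive_diff)
```

`naive_diff` counts the coefficients where plain "take each coefficient mod 2" would have disagreed; `sig_a` and `sig_b` agree regardless because both sides shift by the same w_B before reducing.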

SLIDE 32

HMQV from Ideal Lattices—Corrected

[Diagram: messages $p_A, x_A$ and $p_B, y_B, w_B$; keys $k_A$ and $k_B$; $\sigma_A = \sigma_B$; $H$; Key]

SLIDE 33

Thank You
