NIST PQC Talk A Simple Provably Secure (Authenticated) Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding April. 3, 2015 Joint work with O. Dagdelen, X. Lin, X. Xie, J. Zhang, Z. Zhang

Sep 22, 2020


NIST PQC Talk

A Simple Provably Secure (Authenticated) Key Exchange Scheme Based on the Learning with Errors Problem

Jintai Ding

April. 3, 2015 Joint work with O. Dagdelen, X. Lin, X. Xie, J. Zhang, Z. Zhang

Key Transport from Encryption versus Key Exchange?

- Alice uses Bob's public key to encrypt a random string and sends the ciphertext to Bob. Bob decrypts it and gets the random string.
- In practice, public key encryption is only used to transmit random keys. (The key is only determined by one party.)
- Using PKE cannot guarantee forward security.
- If the attacker gets the secret key, then he will learn every communication made before.

What's Key Exchange

- Get a shared secret key in an insecure channel.

The Elegant Diffie-Hellman Protocol

[Diagram: the two parties exchange $g^a$ and $g^b$; one computes $(g^b)^a$, the other $(g^a)^b$.]

- Using $g^{ab} = (g^b)^a = (g^a)^b$.

Mathematical structure behind

Motivation:

- Can we get a DH analogy from other mathematical tools?
- The case of Diffie-Hellman:

  $$(g^a)^b = (g^b)^a = g^{ab}$$

  The commutativity of nonlinear operators.

Other similar attempts?

- Can we get a DH analogy from other mathematical structures?

Many failed attempts to build new DH-like protocols.

- Braid group and other finite groups
- Other nonlinear maps? MR1501252, Ritt, J. F. Permutable rational functions. Trans. Amer. Math. Soc. 25 (1923), no. 3, 399-448. 30D05

Mathematical structure behind

Motivation: Linear case?

- $(A \times B) \times C = A \times (B \times C)$
- To make it secure, we need to add "errors".
- We need to be able to remove "errors".

Motivation and Results

Motivation:

- Can we get a DH analogy from other mathematical tools?
- Can we get KE from lattices (say, LWE, which is apparently resistant to quantum attacks)?
- If so, we will get better efficiency and better security guarantees.

Our Results:

- An efficient (2-round) key exchange protocol from LWE and RLWE.
- A new way to deal with approximate key exchange.
- Extend to multi-party key exchange (without security proof).

Lattices

Given $m$ linearly independent vectors $B = [b_1, \ldots, b_m] \in \mathbb{R}^{n \times m}$, the lattice $L(B)$ consists of the integer combinations of the $b_i$'s:

$$L(B) = \Big\{ \sum_{i=1}^{m} z_i \cdot b_i : z_i \in \mathbb{Z} \Big\}.$$

Hard Problem

γ-SVP (Shortest Vector Problem)

Given an $n$-dimensional lattice $L(B)$, find a non-zero lattice vector $v$ such that $\|v\| \le \gamma \cdot \lambda$.

- $\gamma = 1$: just the SVP problem.
- $\gamma$ is constant (independent of $n$): $\gamma$-SVP is NP-hard.
- $\gamma \ge 2^n$: $\gamma$-SVP can be solved in polynomial time (LLL algorithm).
- $\gamma = \mathrm{poly}(n)$: probably not NP-hard, but we do not have polynomial-time algorithms (this is what we use in cryptography).

Learning with Errors (LWE) [Oded Regev 2005]

Goal: distinguishing "noisy inner products" from uniform.

Noisy inner products:

$$a_1 \leftarrow \mathbb{Z}_q^n, \quad b_1 = \langle a_1, s \rangle + e_1 \bmod q$$
$$a_2 \leftarrow \mathbb{Z}_q^n, \quad b_2 = \langle a_2, s \rangle + e_2 \bmod q$$
$$\vdots$$
$$a_m \leftarrow \mathbb{Z}_q^n, \quad b_m = \langle a_m, s \rangle + e_m \bmod q$$

Uniform:

$$a_1 \leftarrow \mathbb{Z}_q^n, \quad b_1 \leftarrow \mathbb{Z}_q$$
$$a_2 \leftarrow \mathbb{Z}_q^n, \quad b_2 \leftarrow \mathbb{Z}_q$$
$$\vdots$$
$$a_m \leftarrow \mathbb{Z}_q^n, \quad b_m \leftarrow \mathbb{Z}_q$$

In matrix form: $(A, As + e) \approx_c (A, b)$,

where $s \leftarrow \mathbb{Z}_q^n$, $m = \mathrm{poly}(n)$, $q = \mathrm{poly}(n)$ and $e_i \leftarrow \chi$ for some distribution $\chi$ on $\mathbb{Z}$. Each $e_i$ has small size, much smaller than $q$.

Theorem (Informal) [Reg'05]

Let $\chi$ be a discrete Gaussian distribution with parameter $0 < \alpha < 1$ such that $\alpha q \ge 2\sqrt{n}$. If there exists a polynomial-time algorithm that solves the LWE problem, then there exists a quantum algorithm that solves the $(n/\alpha)$-SVP problem for all $n$-dimensional lattices.

- LWE with $s \leftarrow \chi^n$ is as hard as standard LWE ($s \leftarrow \mathbb{Z}_q^n$) [ACPS'09].

Notations

- We always consider $\mathbb{Z}_q$ for prime $q$, and $\mathbb{Z}_q = \left[ -\frac{q-1}{2}, \frac{q-1}{2} \right]$.
- We always consider the LWE problem with $s \leftarrow \chi$, i.e. $s$ is much smaller than $q$.

Our Protocol (basic idea)

Public parameter: $M \leftarrow \mathbb{Z}_q^{n \times n}$

$$p_A = M s_A + 2 e_A, \qquad p_B = M^T s_B + 2 e_B$$

$$s_A^T p_B \approx p_A^T s_B$$

- $s_A^T p_B = s_A^T M^T s_B + 2 s_A^T e_B \approx s_A^T M^T s_B + 2 e_A^T s_B = p_A^T s_B$.
- Note that $s_A, s_B, e_A, e_B$ are "small".
- The difference between $s_A^T p_B$ and $p_A^T s_B$ is even.

Robust Extractors

Intuitively, a robust extractor enables two parties to extract identical information from two close elements with some additional hint.

Definition (Robust Extractors)

An algorithm $E$ is a robust extractor on $\mathbb{Z}_q$ with error tolerance $\delta$ with respect to a hint algorithm $S$ if the following holds:

- The deterministic algorithm $E$: for $x \in \mathbb{Z}_q$ and $\sigma \in \{0, 1\}$, output $k = E(x, \sigma) \in \{0, 1\}$.
- The hint algorithm $S$: for $y \in \mathbb{Z}_q$, output $\sigma \leftarrow S(y) \in \{0, 1\}$.
- For any $x, y \in \mathbb{Z}_q$ such that $x - y$ is even and $|x - y| \le \delta$, we have $E(x, \sigma) = E(y, \sigma)$, where $\sigma \leftarrow S(y)$.
- If $y \xleftarrow{\$} \mathbb{Z}_q$ and $\sigma \leftarrow S(y)$, then $E(y, \sigma)$ is uniform conditioned on $\sigma$.

Note that the errors of $x, y$ in the definition can be set to be multiples of $t$, where $t$ is a small integer.

Our Robust Extractor

We first define two functions. For prime $q > 2$:

$$\sigma_0(x) = \begin{cases} 0, & x \in \left[ -\lfloor \tfrac{q}{4} \rfloor, \lfloor \tfrac{q}{4} \rfloor \right]; \\ 1, & \text{otherwise.} \end{cases} \qquad \sigma_1(x) = \begin{cases} 0, & x \in \left[ -\lfloor \tfrac{q}{4} \rfloor + 1, \lfloor \tfrac{q}{4} \rfloor + 1 \right]; \\ 1, & \text{otherwise.} \end{cases}$$

The hint algorithm $S(y)$: $b \xleftarrow{\$} \{0, 1\}$, $S(y) = \sigma_b(y)$.

The robust extractor $E(x, \sigma)$:

$$E(x, \sigma) = \left( x + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2$$

Lemma

Let $q > 8$ be an odd integer. Then $E$ is a robust extractor with respect to $S$ with error tolerance $\frac{q}{4} - 2$.

For any $x, y \in \mathbb{Z}_q$ with $x - y = 2\varepsilon$ and $|2\varepsilon| \le \frac{q}{4} - 2$, let $\sigma \leftarrow S(y)$. We have

$$\left| y + \sigma \cdot \frac{q-1}{2} \bmod q \right| \le \frac{q}{4} + 1.$$

Therefore,

$$x + \sigma \cdot \frac{q-1}{2} \bmod q = y + \sigma \cdot \frac{q-1}{2} + 2\varepsilon \bmod q = \left( y + \sigma \cdot \frac{q-1}{2} \right) \bmod q + 2\varepsilon,$$

this implies

$$E(x, \sigma) = \left( x + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2 = \left( y + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2 = E(y, \sigma).$$

Removing the Approximation

Public parameter: $M \leftarrow \mathbb{Z}_q^{n \times n}$

[Diagram: between parties A and B, the messages are $p_A$ and $(p_B,\ \sigma \leftarrow S(p_A^T s_B))$.]

- A outputs $E(s_A^T p_B, \sigma)$.
- B outputs $E(p_A^T s_B, \sigma)$.

Correctness

- A has: $s_A$ and $\sigma \leftarrow S(p_A^T s_B)$; B has: $s_B$.
- Let $K_A = s_A^T p_B$ and $K_B = p_A^T s_B$.

$$K_A - K_B = 2(s_A^T e_B - e_A^T s_B)$$

If $|2(s_A^T e_B - e_A^T s_B)| \le \frac{q}{4} - 2$, then we have

$$E(K_A, \sigma) = E(K_B, \sigma)$$

It is easy to check that the shared key is

$$\left( s_A^T M^T s_B + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2.$$
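
The exchange from the "Removing the Approximation" and "Correctness" slides, together with the hint algorithm $S$ and extractor $E$ from the robust-extractor slides, as an added Python example that is not code from the talk. Assumptions: toy parameters $q = 12289$, $n = 32$; entries drawn uniformly from $[-2, 2]$ stand in for the distribution $\chi$; all function names are this example's own. One run of the exchange yields one key bit.

```python
import secrets

Q, N, BOUND = 12289, 32, 2  # toy parameters chosen for this example (assumption)


def centered(x, q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2], the slides' Z_q."""
    r = x % q
    return r - q if r > (q - 1) // 2 else r


def hint(y, q, b=None):
    """Hint algorithm S(y): pick a random bit b and return sigma_b(y)."""
    if b is None:
        b = secrets.randbelow(2)
    lo, hi = -(q // 4) + b, q // 4 + b  # interval on which sigma_b is 0
    return 0 if lo <= centered(y, q) <= hi else 1


def extract(x, sigma, q):
    """Robust extractor E(x, sigma) = (x + sigma*(q-1)/2 mod q) mod 2."""
    return centered(x + sigma * ((q - 1) // 2), q) % 2


def lemma_holds(q):
    """Exhaustively check E(x, s) == E(y, s) for every y, both choices of b,
    and every even offset x - y with |x - y| <= q/4 - 2."""
    dmax = q // 4 - 2
    dmax -= dmax % 2  # largest even offset within the tolerance
    for y in range(q):
        for b in (0, 1):
            sigma = hint(y, q, b)
            for d in range(-dmax, dmax + 1, 2):
                if extract(y + d, sigma, q) != extract(y, sigma, q):
                    return False
    return True


def small_vec(n, bound):
    """Small secret/error vector; bounded uniform stand-in for chi."""
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(n)]


def lwe_public(M, s, e, q):
    """p = M s + 2 e mod q."""
    return [(sum(m * x for m, x in zip(row, s)) + 2 * ei) % q
            for row, ei in zip(M, e)]


def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q


def key_exchange(n=N, q=Q, bound=BOUND):
    """Run one exchange; return (A's bit, B's bit, centered K_A - K_B)."""
    M = [[secrets.randbelow(q) for _ in range(n)] for _ in range(n)]
    Mt = [list(col) for col in zip(*M)]

    # A: p_A = M s_A + 2 e_A, sent to B.
    s_a, e_a = small_vec(n, bound), small_vec(n, bound)
    p_a = lwe_public(M, s_a, e_a, q)

    # B: p_B = M^T s_B + 2 e_B, K_B = p_A^T s_B, hint sigma = S(K_B).
    s_b, e_b = small_vec(n, bound), small_vec(n, bound)
    p_b = lwe_public(Mt, s_b, e_b, q)
    k_b = dot(p_a, s_b, q)
    sigma = hint(k_b, q)
    key_b = extract(k_b, sigma, q)

    # A receives (p_B, sigma): K_A = s_A^T p_B.
    k_a = dot(s_a, p_b, q)
    key_a = extract(k_a, sigma, q)
    return key_a, key_b, centered(k_a - k_b, q)


if __name__ == "__main__":
    print("lemma holds for q = 257:", lemma_holds(257))
    key_a, key_b, gap = key_exchange()
    print("A bit:", key_a, "B bit:", key_b, "K_A - K_B:", gap)
```

With these parameters $|K_A - K_B| \le 4 n \cdot 2^2 = 512$, well inside the tolerance $q/4 - 2$, so the two bits always agree; taking parities without the hint fails whenever $K_A$ and $K_B$ straddle the wrap-around at $\pm\frac{q-1}{2}$.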

Security

- We slightly change the protocol to prove the passive security based on LWE.
- We set $K_A = s_A^T p_B + 2e_A \bmod q$ and $K_B = p_A^T \cdot s_B + 2e_B \bmod q$.
- The proof is given by a series of hybrid experiments.
- Note that $(A, As + 2e \bmod q) \approx_c (A, b)$ for odd $q$.

Proof Intuition

$$p_A = M s_A + 2e_A, \qquad p_B = M^T s_B + 2e_B, \quad \sigma = S(K_B), \qquad K_B = p_A^T s_B + 2e_B$$

- Replace $p_A$ with a uniform random one from $\mathbb{Z}_q^n$ (LWE assumption): $p_A \xleftarrow{\$} \mathbb{Z}_q^n$.
- Since $p_A$ is uniform, we replace $p_B$ and $K_B$ with uniform ones (LWE assumption): $p_B \xleftarrow{\$} \mathbb{Z}_q^n$, $K_B \xleftarrow{\$} \mathbb{Z}_q$, $\sigma = S(K_B)$.
- Note that $\sigma$ can always be computed.
- Now use the uniform property of robust extractors: $E(K_B, \sigma)$ is uniform, conditioned on $\sigma$.

Extend to RLWE

Ring Learning with Errors (RLWE) [LPR'10]: Let $R = \mathbb{Z}[x]/(x^n + 1)$ and $R_q = \mathbb{Z}_q[x]/(x^n + 1)$, $n = 2^k$ for $k \in \mathbb{Z}^+$.

Goal: distinguishing "noisy ring products" from uniform.

Noisy ring products:

$$a_1 \leftarrow R_q, \quad b_1 = a_1 \cdot s + e_1 \in R_q$$
$$a_2 \leftarrow R_q, \quad b_2 = a_2 \cdot s + e_2 \in R_q$$
$$\vdots$$
$$a_m \leftarrow R_q, \quad b_m = a_m \cdot s + e_m \in R_q$$

Uniform:

$$a_1 \leftarrow R_q, \quad b_1 \leftarrow R_q$$
$$a_2 \leftarrow R_q, \quad b_2 \leftarrow R_q$$
$$\vdots$$
$$a_m \leftarrow R_q, \quad b_m \leftarrow R_q$$

Here $s \leftarrow R_q$, and $e_i \leftarrow \chi$ for some distribution $\chi$ on $R$, and $\|e_i\|$ is "small".

Key Exchange from RLWE

Public parameter: $m \leftarrow R_q$

[Diagram: between parties A and B, the messages are $p_A = m s_A + 2e_A$ and $(p_B = m s_B + 2e_B,\ \hat{\sigma} \leftarrow S(p_A s_B))$.]

- $\hat{\sigma}_b\left( a = \sum_{i=0}^{n-1} a_i X^i \in R_q \right) = \sum_{i=0}^{n-1} \sigma_b(a_i) X^i \in R_2$.
- $S(a)$: $b \xleftarrow{\$} \{0, 1\}$, $S(a) = \hat{\sigma}_b(a)$.
- A outputs $E(s_A p_B, \hat{\sigma})$.
- B outputs $E(s_B p_A, \hat{\sigma})$.
- The shared secret key is $\left( s_A m s_B + \frac{q-1}{2} \hat{\sigma} \bmod q \right) \bmod 2 \in R_2$.

Multi-party Key Exchange

Public parameter: $m \leftarrow R_q$

[Diagram: three parties A, B and C, with the following values.]

- A: $p_A = m s_A + 2e_A$
- B: $p_B = m s_B + 2e_B$, $p'_B = p_A s_B + 2e'_B$
- C: $p_C = m s_C + 2e_C$, $p'_C = p_B s_C + 2e'_C$
- A: $p'_A = p_C s_A + 2e'_A$, $\hat{\sigma} \leftarrow S(s_A p'_C)$

- A outputs $E(s_A p'_C, \hat{\sigma})$.
- B outputs $E(s_B p'_A, \hat{\sigma})$.
- C outputs $E(s_C p'_B, \hat{\sigma})$.
- The shared key is $\left( s_A s_B s_C m + \frac{q-1}{2} \hat{\sigma} \bmod q \right) \bmod 2 \in R_2$.

- The correctness is similar to the previous protocols.
- The security proof involves some "circular" problem; we leave it as an open problem.

- This scheme is secure under passive attacks, but how about man-in-the-middle attacks?
- In this case, we need an authenticated KE. Traditionally, we use digital signatures. Can we do without digital signatures?
- We can build an authenticated key exchange (AKE) protocol, which can be seen as an HMQV-like AKE from lattices.
- The protocol is simple since it does not involve any other cryptographic primitives to achieve authentication (e.g., signatures) and the system is also very efficient.

Eurocrypt 2015

AKE from ring-LWE

Party i: public key $p_i = a s_i + 2e_i \in R_q$, secret key $s_i \in R_q$, where $s_i, e_i \leftarrow_r \chi_\alpha$.

Party j: public key $p_j = a s_j + 2e_j \in R_q$, secret key $s_j \in R_q$, where $s_j, e_j \leftarrow_r \chi_\alpha$.

1. Party i computes $x_i = a r_i + 2f_i \in R_q$, where $r_i, f_i \leftarrow_r \chi_\beta$, and sends $x_i$ to party j.
2. Party j computes the following and sends $(y_j, w_j)$ to party i:
   - $y_j = a r_j + 2f_j \in R_q$
   - $k_j = (p_i c + x_i)(s_j d + r_j) + 2g_j$, where $r_j, f_j, g_j \leftarrow_r \chi_\beta$
   - $w_j = \mathrm{Cha}(k_j) \in \{0, 1\}^n$
   - $\sigma_j = \mathrm{Mod}_2(k_j, w_j) \in \{0, 1\}^n$
   - $sk_j = H_2(i, j, x_i, y_j, w_j, \sigma_j)$
3. Party i computes:
   - $k_i = (p_j d + y_j)(s_i c + r_i) + 2g_i$, where $g_i \leftarrow_r \chi_\beta$
   - $\sigma_i = \mathrm{Mod}_2(k_i, w_j) \in \{0, 1\}^n$
   - $sk_i = H_2(i, j, x_i, y_j, w_j, \sigma_i)$

Here $c = H_1(i, j, x_i) \in R$ and $d = H_1(j, i, y_j, x_i) \in R$.

AKE from ring-LWE

Intuition for Security:

1. We can prove the security of the system
2. We can prove the forward security of the system
3. We did preliminary implementation and it is very efficient.
4. Parameters for implementation:

| Parameters | n | Security (expt.) | α | γ | $\log \frac{\beta}{\alpha}$ | log q (bits) |
|---|---|---|---|---|---|---|
| I* | 1024 | 80 bits | 3.397 | 101.919 | 8.5 | 40 |
| II | 2048 | 80 bits | 3.397 | 161.371 | 27 | 78 |
| III | 2048 | 128 bits | 3.397 | 161.371 | 19 | 63 |
| IV | 4096 | 128 bits | 3.397 | 256.495 | 50 | 125 |
| V | 4096 | 192 bits | 3.397 | 256.495 | 36 | 97 |
| VI | 4096 | 256 bits | 3.397 | 256.495 | 28 | 81 |

AKE from ring-LWE

Communication Overheads (size in KB):

| Choice of Parameters | pk | sk (expt.) | init. msg | resp. msg |
|---|---|---|---|---|
| I* | 5 KB | 0.75 KB | 5 KB | 5.125 KB |
| II | 19.5 KB | 1.5 KB | 19.5 KB | 19.75 KB |
| III | 15.75 KB | 1.5 KB | 15.75 KB | 16 KB |
| IV | 62.5 KB | 3 KB | 62.5 KB | 63 KB |
| V | 48.5 KB | 3 KB | 48.5 KB | 49 KB |
| VI | 40.5 KB | 3 KB | 40.5 KB | 41 KB |

The bound $6\alpha$ with $\mathrm{erfc}(6) \approx 2^{-55}$ is used to estimate the size of secret keys.

AKE from ring-LWE

Timings:

| Parameters | Initiation | Response | Finish |
|---|---|---|---|
| I | 3.22 ms (0.02 ms) | 8.50 ms (4.69 ms) | 5.23 ms (4.73 ms) |
| II | 12.00 ms (0.04 ms) | 29.33 ms (14.64 ms) | 17.28 ms (14.61 ms) |
| III | 10.33 ms (0.04 ms) | 25.83 ms (13.46 ms) | 15.58 ms (13.40 ms) |
| IV | 83.61 ms (0.08 ms) | 156.58 ms (39.86 ms) | 73.11 ms (39.73 ms) |
| V | 61.74 ms (0.08 ms) | 117.81 ms (32.58 ms) | 55.64 ms (32.20 ms) |
| VI | 25.42 ms (0.08 ms) | 62.31 ms (31.32 ms) | 36.80 ms (31.29 ms) |

Table: Timings of Proof-of-Concept Implementations in ms (The figures in the parentheses indicate the timings with pre-computing. For comparison, by simply using the "speed" command in openssl on the same machine, the timing for dsa1024 signing algorithm is about 0.7 ms, and for dsa2048 is about 2.3 ms).

We believe our systems are very suitable for practical applications and they have very strong security.

Summary

- We build KE and AKE based on LWE and RLWE.
- They are provably secure against both classical and quantum attacks.
- We can prove the Forward Security of the AKE.
- Our preliminary implementations are very efficient.
- Our KE and AKE are strong candidates for quantum-safe crypto.


Thank You!