Strongly secure authenticated key exchange from factoring, codes, and lattices

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a protocol that is secure against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state-of-the-art AKE protocol, achieves both efficiency and the strong security notion proposed by Krawczyk (we call it the $\mathrm{CK}^+$ model), which includes resistance to these advanced attacks. However, its security proof is given in the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resulting AKE protocol is $\mathrm{CK}^+$ secure in the standard model. The construction gives the first $\mathrm{CK}^+$ secure AKE protocols based on the hardness of the integer factorization problem, code-based problems, or learning with errors (LWE) problems. In addition, instantiations under the Diffie–Hellman assumption or its variants can be proved to have strong security without non-standard assumptions such as $\pi$PRF and KEA1. Furthermore, we extend the $\mathrm{CK}^+$ model to the identity-based setting (called the $\mathrm{id\text{-}CK}^+$ model) and propose a generic construction of identity-based AKE (ID-AKE) from identity-based KEM that satisfies $\mathrm{id\text{-}CK}^+$ security. This construction leads to the first strongly secure ID-AKE protocols under the hardness of the integer factorization problem or of learning with errors problems.
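The following Python sketch is an added illustration, not code from the paper, of the general shape of a two-message KEM-based AKE: each party encapsulates to the other's long-term KEM key, the initiator contributes a fresh ephemeral KEM key, and the session key is derived from all three encapsulated secrets together with the transcript. The toy hashed-Diffie-Hellman KEM, the function names and the derivation format are assumptions of this example; the toy KEM is not chosen-ciphertext secure, so it stands in for, and does not provide, the CCA-secure KEM the abstract requires, and the sketch omits the paper's actual construction and proof-relevant components.

```python
import hashlib
import secrets

# Toy hashed-Diffie-Hellman KEM standing in for the CCA-secure KEM the abstract
# assumes; the 1024-bit MODP prime is RFC 2409 group 2 (demo size only).
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
G = 2

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def kem_encap(pk):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), hashlib.sha256(pow(pk, r, P).to_bytes(128, "big")).digest()

def kem_decap(sk, c):
    return hashlib.sha256(pow(c, sk, P).to_bytes(128, "big")).digest()

def derive(k1, k2, k3, msg1, msg2):
    # Session key binds all three KEM secrets and the transcript; a single
    # leaked long-term or ephemeral key exposes at most two of the three.
    transcript = b"".join(x.to_bytes(128, "big") for x in (*msg1, *msg2))
    return hashlib.sha256(b"toy-kem-ake" + k1 + k2 + k3 + transcript).digest()

def initiator_send(pk_peer):
    c1, k1 = kem_encap(pk_peer)   # encapsulate to responder's long-term key
    epk, esk = kem_keygen()       # fresh ephemeral KEM key pair
    return (c1, epk), (k1, esk)

def responder(pk_peer, sk_self, msg1):
    c1, epk = msg1
    k1 = kem_decap(sk_self, c1)
    c2, k2 = kem_encap(pk_peer)   # encapsulate to initiator's long-term key
    c3, k3 = kem_encap(epk)       # encapsulate to initiator's ephemeral key
    return (c2, c3), derive(k1, k2, k3, msg1, (c2, c3))

def initiator_finish(sk_self, state, msg1, msg2):
    k1, esk = state
    k2 = kem_decap(sk_self, msg2[0])
    k3 = kem_decap(esk, msg2[1])
    return derive(k1, k2, k3, msg1, msg2)

def run_session():
    pk_a, sk_a = kem_keygen()
    pk_b, sk_b = kem_keygen()
    msg1, state = initiator_send(pk_b)
    msg2, key_b = responder(pk_a, sk_b, msg1)
    return initiator_finish(sk_a, state, msg1, msg2), key_b
```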
