The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs

Authenticated Key Exchange AKE is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Because AKE can be generically constructed by combining a digital signature scheme with public key encryption or a KEM, most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures. In this paper, we show that by simultaneously considering the secrecy and authenticity requirements of an AKE, we can construct a scheme that is more secure and with smaller communication complexity than a scheme created by a generic combination of a KEM with a signature scheme. Our improvement uses particular properties of lattice-based encryption and signature schemes and consists of two parts --- the first part increases security, whereas the second reduces communication complexity. We first observe that parameters for lattice-based encryption schemes are always set so as to avoid decryption errors, since many observations by the adversary of such failures usually leads to him recovering the secret key. But since one of the requirements of an AKE is that it be forward-secure, the public key must change every time. The intuition is therefore that one can set the parameters of the scheme so as to not care about decryption errors and everything should still remain secure. We show that this naive solution is not quite correct, but the intuition can be made to work by a small change in the scheme. Our new AKE, which now remains secure in case of decryption errors, fails to create a shared key with probability around $$2^{-30}$$, but adds enough security that we are able to instantiate a KEM based on the NTRU assumption with rings of smaller dimension. Our second improvement is showing that certain hash-and-sign lattice signatures can be used in "message-recovery" mode. In this mode, the signature size is doubled but this longer signature is enough to recover an even longer message --- thus the signature is longer but the message does not need to be sent. This is advantageous when signing relatively long messages, such as the public keys and ciphertexts generated by a lattice-based KEM. We show how this technique reduces the communication complexity of the generic construction of our AKE by around $$20\,\%$$. Using a lattice-based signature in message-recovery mode is quite generic i.e. it does not depend on the structure of the message, and so it may be used in AKE constructions that use a different KEM, or even simply as a way to reduce the transmission length of a message and its digital signature.

[1]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[2]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[3]  Léo Ducas,et al.  Efficient Identity-Based Encryption over NTRU Lattices , 2014, ASIACRYPT.

[4]  Chris Peikert,et al.  A Toolkit for Ring-LWE Cryptography , 2013, IACR Cryptol. ePrint Arch..

[5]  Ron Steinfeld,et al.  Making NTRU as Secure as Worst-Case Problems over Ideal Lattices , 2011, EUROCRYPT.

[6]  Léo Ducas,et al.  A Hybrid Gaussian Sampler for Lattices over Rings , 2015, IACR Cryptol. ePrint Arch..

[7]  David Pointcheval,et al.  The Impact of Decryption Failures on the Security of NTRU Encryption , 2003, CRYPTO.

[8]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[9]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[10]  Oded Regev,et al.  Lattice-Based Cryptography , 2006, CRYPTO.

[11]  Alfred Menezes,et al.  An Efficient Protocol for Authenticated Key Agreement , 2003, Des. Codes Cryptogr..

[12]  Ashley Montanaro,et al.  Quantum walk speedup of backtracking algorithms , 2015, Theory Comput..

[13]  Jintai Ding,et al.  Authenticated Key Exchange from Ideal Lattices , 2015, EUROCRYPT.

[14]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[15]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[16]  William Whyte,et al.  Choosing Parameters for NTRUEncrypt , 2017, CT-RSA.

[17]  Anja Becker,et al.  New directions in nearest neighbor searching with applications to lattice sieving , 2016, IACR Cryptol. ePrint Arch..

[18]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[19]  Hugo Krawczyk,et al.  Security Analysis of IKE's Signature-Based Key-Exchange Protocol , 2002, CRYPTO.

[20]  Chris Peikert,et al.  An Efficient and Parallel Gaussian Sampler for Lattices , 2010, CRYPTO.

[21]  Jacques Stern,et al.  Flaws in Applying Proof Methodologies to Signature Schemes , 2002, CRYPTO.

[22]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[23]  Thijs Laarhoven,et al.  Sieving for Shortest Vectors in Lattices Using Angular Locality-Sensitive Hashing , 2015, CRYPTO.

[24]  Jung Hee Cheon,et al.  An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero , 2016, IACR Cryptol. ePrint Arch..

[25]  Nick Howgrave-Graham,et al.  A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU , 2007, CRYPTO.

[26]  Jintai Ding,et al.  A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem , 2012, IACR Cryptol. ePrint Arch..

[27]  William Whyte,et al.  Transcript Secure Signatures Based on Modular Lattices , 2014, PQCrypto.

[28]  Michele Mosca,et al.  Finding shortest lattice vectors faster using quantum search , 2015, Designs, Codes and Cryptography.

[29]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[30]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[31]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[32]  Daniel Wichs,et al.  Simple Lattice Trapdoor Sampling from a Broad Class of Distributions , 2015, Public Key Cryptography.

[33]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[34]  Martin R. Albrecht,et al.  A Subfield Lattice Attack on Overstretched NTRU Assumptions - Cryptanalysis of Some FHE and Graded Encoding Schemes , 2016, CRYPTO.

[35]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[36]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[37]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[38]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[39]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[40]  Vadim Lyubashevsky,et al.  Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices , 2015, EUROCRYPT.

[41]  Patrick Longa,et al.  Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography , 2016, CANS.

[42]  Chris Peikert,et al.  Lattice Cryptography for the Internet , 2014, PQCrypto.

[43]  William Whyte,et al.  NTRUSIGN: Digital Signatures Using the NTRU Lattice , 2003, CT-RSA.

[44]  J. Cheon,et al.  An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero , 2016, LMS J. Comput. Math..

[45]  Tim Güneysu,et al.  Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems , 2012, CHES.