WO2017041669A1 - Password based key exchange from ring learning with er-rors - Google Patents
Password based key exchange from ring learning with er-rors Download PDFInfo
- Publication number
- WO2017041669A1 WO2017041669A1 PCT/CN2016/097895 CN2016097895W WO2017041669A1 WO 2017041669 A1 WO2017041669 A1 WO 2017041669A1 CN 2016097895 W CN2016097895 W CN 2016097895W WO 2017041669 A1 WO2017041669 A1 WO 2017041669A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- party
- mod
- choose
- computes
- sig
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/16—Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
Definitions
- This invention is related to the construction of an authenticated key ex-change (KE) systems, where the authentication is achieved using a simple password.
- KE authenticated key ex-change
- Such a system is very useful for many applications, in particular, the case where a client wants to communicate securely with a server, and where the only share secret is the password or certain hash value of a password.
- PAKE password-authenticatedkey exchange
- This invention first contains a novel method for two parties i and j to per-form an secure authenticated KE over an open communication channel assuming that they share a secret password ⁇ .
- This method is based on the idea of the computation of pairing of the same bilinear form in two different ways but each with different small errors.
- the shared key is derived from the pairings with a rounding technique.
- This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg] and the Ring LWE [LPR] .
- LWE learning with errors
- the security of this system depends the hardness of certain lattice problem, which can be mathe-matically proven hard [DALSS] . This system involves only simple multiplication and therefore is very efficient. Such a system can also resist the future quantum computer attacks.
- This invention contains an additive construction of PAKE with either ex-plicit authentication or implicit authentication. Furthermore, this invention can be mod-ified slightly to build multiplicative version.
- a LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution ⁇ on the finite ring (field) with q elements. To simplify the exposition, we will take q to be an odd prime but we can also work on any whole number except that we may need to make slight modifications.
- each element is represented by the set ⁇ - (q-1) /2, .., 0, ..., (q-1) /2 ⁇ .
- an error distribution
- ⁇ S, ⁇ on be the probability distribution obtained by selecting an element A in randomly and uniformly, choosing e ⁇ F q according to ⁇ , and out-putting (A, ⁇ A, S>+e) , where+is the addition that is performed in F q .
- q to be specific polynomial functions of n, thatis q is replaced by a polynomial functions ofn, which we will denote as q (n)
- ⁇ to be certain discrete version ofnormal distributioncentered around 0 withthe standard deviation and elements of F q are represented by integers in the range [- (q-1) /2, (q-1) /2) ] , which we denote as ⁇ ⁇ .
- derives the session key sk j H 2 (i, j, x i , y j , w j , ⁇ ) .
- derives the session key sk j H 2 (i, j, x i , y j , w j , ⁇ ) .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Algebra (AREA)
- Computational Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
Use the same basic idea of KE based on Ring LWE, this invention gives con-structions of a new authenticated key exchanges system, where the authentication is achieved through a shared password between two parties. These new systems are effi-cient and have very strong security property including provable security and resistance to quantum computer attacks. This invention can also be modified using the LWE problem.
Description
The present disclosure claims priority to the U.S. provisional patent ap-plication 62/215,186, entitled” Password Based Key Exchange from Ring Learning with Errors” , filed September 8, 2012, whichis incorporatedhereinby reference in its entirety andforallpurposes.
In our modern communication systems like Internet, cell phone, etc, to pro-tect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communica-tion, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and easy to use key exchange system between the server and the clients.
This invention is related to the construction of an authenticated key ex-change (KE) systems, where the authentication is achieved using a simple password. Such a system is very useful for many applications, in particular, the case where a client wants to communicate securely with a server, and where the only share secret is the password or certain hash value of a password. We call such a key exchange a password-authenticatedkey exchange (PAKE) .
PAKE systems were proposed in [BMc] , [Mc] , whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as showed in the work of Shor [SHO] .
In this invention, we construct new PAKEs that can resist quantum com-puter attacks use the LWE problem. The invention is based on the new KE from the LWE problem first constructed in the US Patent” Cryptographic systems using pairing with errors” with Patent number 9246675.
.
BRIEF SUMMARY OF THE INVENTION
This invention first contains a novel method for two parties i and j to per-form an secure authenticated KE over an open communication channel assuming that
they share a secret password π. This method is based on the idea of the computation of pairing of the same bilinear form in two different ways but each with different small errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg] and the Ring LWE [LPR] . The security of this system depends the hardness of certain lattice problem, which can be mathe-matically proven hard [DALSS] . This system involves only simple multiplication and therefore is very efficient. Such a system can also resist the future quantum computer attacks.
This invention contains an additive construction of PAKE with either ex-plicit authentication or implicit authentication. Furthermore, this invention can be mod-ified slightly to build multiplicative version.
Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives, or modifications will become apparent to those who are skilled in the art ofcryptography. Therefore, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent application with Ser. No. 62/215,186, entitled” Password Based Key Exchange from Ring Learning with Errors” , filed September 8, 2012, only more technical details are added.
1.1 The basic background
The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg] , and its extension, the ring learning with errors (RLWE) problem [LPR] have broad application in cryptographic constructions with some good provable secure prop-erties. The main claim is that they are as hard as certain worst-case lattice problems and hence the related cryptographic constructions.
A LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution κ on the finite ring (field) with q elements. To simplify the exposition, we will take q to be an odd prime but we can also work on any whole number except that we may need to make slight modifications.
Ineach element is represented by the set {- (q-1) /2, .., 0, ..., (q-1) /2} . In this exposition, by” an error” distribution, we mean a distribution such that if we select an element following this distribution, there is a high probability we will select an element, which is small. There are many such selections and the selections directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.
Let ΠS, κonbe the probability distribution obtained by selecting an
element A inrandomly and uniformly, choosing e∈Fq according to κ, and out-putting (A, <A, S>+e) , where+is the addition that is performed in Fq. An algo-rithm that solves the LWE problem with modulus q and error distribution κ, if, for any S inwith an arbitrary number of independent samples from ΠS, κ, it outputs S (with high probability) .
To achieve the provable security of the related cryptographic construc-tions based on the LWE problem, one chooses q to be specific polynomial functions of n, thatis q is replaced by a polynomial functions ofn, which we will denote as q (n) , κto be certain discrete version ofnormal distributioncentered around 0 withthe standard deviationand elements of Fq are represented by integers in the range [- (q-1) /2, (q-1) /2) ] , which we denote as κσ.
In the original encryption system based on the LWE problem, one can only encrypt one bit a time, therefore the system is rather inefficient and it has a large key size. To further improve the efficiency of the cryptosystems based on the LWE problem, anew problem, which is a LWE problem based on a quotient ring of the polynomial ring Fq [x] [LPR] , was proposed. This is called the ring LWE (RLWE) problem. In the cryptosystems based on the RLWE problem, their security is reduced to hard problems on a subclass oflattices, the class ofideal lattices, instead of general lattices.
Later, anew variant of LWE was proposed in [ACPS] . This variant of the LWE problem is based on the LWE problem. We will replace a vector A with a matrix A of size m×n, and S also with a matrix of size n×1, such that they are compatible to perform matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We will work on the same finite field with q elements.
To simplify the exposition, we will only present PAKE, in detail, for the case using Ring LWE.
For all our constructions, we first define the following notations, which we will use throughout this application. Let n be a power of 2, and f (x) =xn+1. Let q≈2ω (log n) be an odd prime such that q mod 2n=1. Takeandas above. Forbe a hash function with output distributionχγ. Let H2: {0, 1} *→ {0, 1} k be the Key Derivation Function (KDF) , where kis the bit-length of the final shared key. We model both functions as random oracles. Letχα, χβbe two discrete Gaussian distributions with parametersLet πi, j be the shared password of parties i and j, and let h: be a uniform hash function used to hide the password.
We now define the Sig and Mod2 functions. We denote
and consider the seti.e. the “middle” ofRecall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: is defined as:
When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element. Sig was also denoted by Cha before, and they are the same function with different notation.
We will leave off the subscripts onπin what follows when the parties involved are clearfromcontext.
1.1 The construction of the PAKE with explicit authentication
We also take verification hashesη, η′to ensure both parties are mutually authenticated. Our protocol consists of the following steps, illustrated in Figure 1:
Initiation Party i randomly samples ri, fi←χβ, computes xi=ari+2fi, and sends m=xi+h (π) to party j.
Response Party j receives xi+h (π) from party i and recovers xi=m-h (π) . Party j then randomly samples rj, fj←χβand computes yj=arj+2fj and kj=xi·rj.
Next, party j computes wj=Sig (kj) ∈ {0, 1} 2 andσ=Mod2 (kj, wj) . Party j sends yj, wj, and κ=η (i, j, xi, yj, σ, π) to party i. Lastly, derives the session key skj=H2 (i, j, xi, yj, wj, σ) .
Finish Party i computes ki=ri·yj and κ′=η′ (j, i, xi, yj, σ, π) .
Finally, party i computes σ=Mod2 (ki, wj) and derives the session key ski=H2 (i, j, xi, yj, wj, σ) . Party i also verifies thatκ=η (i, j, xi, yj, σ, π) matches the value of κ receivedfrom party j. If it does not, party i ends the communica-tion. If it does, party i sends κ′to party j, who verifies it in the same way.
Figure 1: Explicitly Authenticated Protocol
1.2 The construction of the PAKE with implicit authentication
We construct here a variation of the protocol that gives implicit authenti-cation, similar to the PPK variation on the PAK protocol. If either party provides an incorrect password, then the parties’ “shared” keys will not actually match, effectively preventing communication without explicitly checking for matching passwords.
Initiation Party i randomly samples ri, fi←χβ, computes xi=ari+2fi, and sends m=xi+h (π) to party j.
Response Party j receives xi+h (π) from party i and recovers xi=m-h (π) . Party j then randomly samples rj, fj←χβand computes yj=arj+2fj and kj=xi·rj.
Next, party j computes wj=Sig (kj) ∈ {0, 1} 2. Party j sendsμ=yj+h (π) and wj to party i. Lastly, party j computesσj=Mod2 (kj, wj) and derives the session key skj=H2 (i, j, xi, yj, wj, σj) .
Finish Party i recovers the pair (yj, wj) , and uses itcompute ki=ri·yj.
Finally, party i computesσi=Mod2 (ki, wj) and derives the session key ski= H2 (i, j, xi, yj, wj, σi) .
Figure 2: Implicitly Authenticated Protocol
1.3 The construction of Multiplicative Version the PAKE
In addition to the two protocols above, we can also blind the protocol messages by multiplying by the hashed password rather than adding as done above.
Note that this form only works if h (π) is invertible in the ring, but that condition will usually be met.
Initiation Party i randomly samples ri, fi←χβ, computes xi=ari+2fi, and sends m=xi·h (π) to partyj.
Response Party j receives xi·h (π) from party i and recovers xi=m·h (π) -1. Party j then randomly samples rj, fj←χβand computes yj=arj+2fj and kj=xi·rj.
Next, partyj computes wj=Sig (kj) ∈ {0, 1} 2 andσ=Mod2 (kj, wj) . Party j sends yj, wj, andκ=η (i, j, xi, yj, σ, π) to party i. Lastly, derives the session key skj=H2 (i, j, xi, yj, wj, σ) .
Finish Party i computes ki=ri·yj andκ′=η′ (j, i, xi, yj, σ, π) .
Finally, party i computesσ=Mod2 (ki, wj) and derives the session key ski= H2 (i, j, xi, yj, wj, σ) . Party i also verifies thatκ=η (i, j, xi, yj, σ, π) matches the value of κ receivedfrom party j. Ifit does not, party i ends the communica-tion. If it does, party i sends κ′to party j, who verifies itinthe same way.
Figure 3: Multiplicative Protocol
We can also apply themultiplicative variant to the implicitly authenticated version, as described below:
Initiation Party i randomly samples ri, fi←χβ, computes xi=ari+2fi, and sends m=xi·h (π) to party j.
Response Party j receives xi·h (π) from party i and recovers xi=m·h (π) -1. Party j then randomly samples rj, fj←χβand computes yj=arj+2fj and kj=xi·rj.
Next, party j computes wj=Sig (kj) ∈ {0, 1} 2. Partyj sendsμ=yj·h (π) -1 and wj to party i. Lastly, party j computesσj=Mod2 (kj, wj) and derives the session key skj=H2 (i, j, xi, yj, wj, σj) .
Finish Party i recovers the pair (yj, wj) , anduses itcompute ki=ri·yj.
Finally, party i computesσi=Mod2 (ki, wj) and derives the session key ski= H2 (i, j, xi, yj, wj, σi) .
Figure 4: Multiplicative Implicitly Authenticated Protocol
LITERATURE CITED
[ACPS] B. Applebaum, D. Cash, C. Peikert, A. Sahai; Fast Cryptographic Prim-itives and Circular-Secure Encryption Based on Hard Learning Problems. Advances in Cryptology-CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677 pp 595-618,2009
[BMc] Boyko, V.; P. MacKenzie; S. Patel (2000) . ” Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman” . Advances in Cryptology–Eu-rocrypt 2000, LNCS. Lecture Notes in Computer Science. Springer-Verlag. 1807: 156? 171.
[COP] D. Coppersmith, Shmuel Winograd, Matrix multiplication via arithmetic progressions, Journal ofSymbolic Computation-Special issue on computational alge-braic complexity archive 9 (3) , pp 251-280, 1990
[DALSS] Jintai Ding, Saed Alsayigh, Jean Lancrenon, Saraswathy RV, Michael Snook, Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-QuantumWorld, Cryptology ePrint Archive: Report 2016/552
[DiHe] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) , pp 644-54, 1976.
[DiLi] J. Ding, X. Lin, A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem, Cryptology ePrint Archive, Report 688, 2012
[LPR] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings In Eurocrypt 2010
[Mc] MacKenzie, P. : On the Security of the SPEKE Password-Authenticated Key Exchange Protocol. Cryptology ePrint Archive, Report 2001/057 (2001) ,
http: //eprint. iacr. org/2001/057
[REG] O. Regev, On lattices, learning with errors, random linear codes, and cryp-tography, in Proceedings of the 37th Annual ACM Symposium on Theory of Comput-ing–STOC05, ACM, pp 84-93, 2005
[SHO] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal of Computing 26, pp. 1484-1509, 1997.
Claims (20)
- Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authen-tication, comprising:Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f (x) = xn + 1. q ≈ 2ω (log n) be an odd prime such that q mod 2n = 1. TakeandChoose andbe a hash function with output distribution χγ. Choose H2: {0, 1} * → {0, 1} k be the Key Derivation Func-tion (KDF) , where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α, πi,j be the shared password of parties i and j, and choose h: {0, 1} * → Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clearfrom context.Choose the Sig and Mod2 functions. We denoteand consider the seti.e. the “middle” ofRecall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: is defined as:When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element.Initiation Party i randomly samples ri, fi ← χβ, computes xi = ari + 2fi, and sends m = xi + h (π) to party j.Response Party j receives xi + h (π) from party i and recovers xi = m-h (π) . Party j then randomly samples rj, fj ← χβ and computes yj = arj + 2fj and kj = xi·rj. Next, party j computes wj = Sig (kj ) ∈ {0, 1} 2 and σ = Mod2 (kj, wj ) . Party j sends yj, wj, and κ = η (i, j, xi, yj, σ, π) to party i. Lastly, derives the session key skj = H2 (i, j, xi, yj, wj, σ) .Finish Party i computes ki = ri·yj and κ′ = η′ (j, i, xi, yj, σ, π) .Finally, party i computes σ = Mod2 (ki, wj) and derives the session key ski = H2(i, j, xi, yj, wj, σ) . Party i also verifies that κ = η (i, j, xi, yj, σ, π) matches the value of κ received from party j. If it does not, party i ends the communica-tion. If it does, party i sends κ′ to party j, who verifies it in the same way.
- Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit au-thentication, comprising:Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f (x) = xn + 1. q ≈ 2ω (log n) be an odd prime such that q mod 2n = 1. TakeandChoose and H1: be a hash function with output distribution χγ. Choose H2: {0, 1} * → {0, 1} k be the Key Derivation Func-tion (KDF) , where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α, πi,j be the shared password of parties i and j, and choose h: {0, 1} * → Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clearfrom context.Choose the Sig and Mod2 functions. We denoteand consider the seti.e. thte “middle” ofRecall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: is defined as:When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element.Initiation Party i randomly samples ri, fi ← χβ, computes xi = ari + 2fi, and sends m = xi + h (π) to party j.Response Party j receives xi + h (π) from party i and recovers xi = m-h (π) . Party j then randomly samples rj, fj ← χβ and computes yj = arj + 2fj and kj = xi·rj. Next, party j computes wj = Sig (kj) ∈ {0, 1} 2. Party j sends μ = yj + h (π) and wj to party i. Lastly, party j computes σj = Mod2 (kj, wj ) and derives the session key skj = H2 (i, j, xi, yj, wj, σj) .Finish Party i recovers the pair (yj, wj) , and uses it compute ki = ri·yj.Finally, party i computes σi = Mod2 (ki, wj) and derives the session key ski = H2(i, j, xi, yj, wj, σi) .
- Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authen-tication by multiplication of hashed password, comprising:Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f (x) = xn + 1. q ≈ 2ω (log n) be an odd prime such that q mod 2n = 1. TakeandChoose and H1: be a hash function with output distribution χγ. Choose H2: {0, 1} * → {0, 1} k be the Key Derivation Func-tion (KDF) , where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α, πi, j be the shared password of parties i and j, and choose h: {0, 1} * → Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clearfrom context.Choose the Sig and Mod2 functions. We denoteand consider the seti.e. the “middle” ofRecall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: is de fined as:When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element.Initiation Party i randomly samples ri, fi ← χβ, computes xi = ari + 2fi, and sends m = xi·h (π) to party j.Response Party j receives xi·h (π) from party i and recovers xi = m·h (π) -1. Party j then randomly samples rj, fj ← χβ and computes yj = arj + 2fj and kj = xi·rj. Next, party j computes wj = Sig (kj) ∈ {0, 1} 2 and σ= Mod2 (kj, wj ) . Party j sends yj, wj, and κ = η (i, j, xi, yj, σ, π) to party i. Lastly, derives the session key skj = H2 (i, j, xi, yj, wj, σ) .Finish Party i computes ki = ri·yj and κ′ = η′ (j, i, xi, yj, σ, π) .Finally, party i computes σ = Mod2 (ki, wj) and derives the session key ski = H2(i, j, xi, yj, wj, σ) . Party i also verifies that κ = η (i, j, xi, yj, σ, π) matches the value of κ received from party j. If it does not, party i ends the communica-tion. If it does, party i sends κ′ to party j, who verifies it in the same way.
- Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit au-thentication by multiplication of hashed password, comprising:Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f (x) = xn + 1. q ≈ 2ω (log n) be an odd prime such that q mod 2n = 1. TakeandChoose and H1: be a hash function with output distribution χγ. Choose H2: {0, 1} * → {0, 1} k be the Key Derivation Func-tion (KDF) , where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α, πi, j be the shared password of parties i and j, and choose h: {0, 1} * → Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context.Choose the Sig and Mod2 functions. We denoteand consider the seti.e. the “middle” ofRecall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: is defined as:When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element.Initiation Party i randomly samples ri, fi ← χβ, computes xi = ari + 2fi, and sends m = xi·h (π) to party j.Response Party j receives xi·h (π) from party i and recovers xi = m·h (π) -1. Party j then randomly samples rj, fj ← χβ and computes yj = arj + 2fj and kj = xi·rj. Next, party j computes wj = Sig (kj) ∈ {0, 1} 2. Party j sends μ = yj·h (π) -1 and wj to party i. Lastly, party j computes σj = Mod2 (kj, wj ) and derives the session key skj = H2 (i, j, xi, yj, wj, σj) .Finish Party i recovers the pair (yj, wj) , and uses it compute ki = ri·yj.Finally, party i computes σi = Mod2 (ki, wj) and derives the session key ski = H2 (i, j, xi, yj, wj, σi) .
- The method according to Claim 1, wherein the ”Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.
- The methods according to Claim 1, wherein the ”Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectan-gular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
- The methods according to Claim 1, wherein one of Party i and Party j is a server and the other a client.
- The methods according to Claim 1, wherein the rounding tech-nique is replaced with a similar technique.
- The method according to Claim 2, wherein the ”Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.
- The methods according to Claim 2, wherein the ”Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectan-gular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
- The methods according to Claim 2, wherein one of Party i and Party j is a server and the other a client.
- The methods according to Claim 2, wherein the rounding tech-nique is replaced with a similar technique.
- The method according to Claim 3, wherein the ”Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.
- The methods according to Claim 3, wherein the ”Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectan-gular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
- The methods according to Claim 3, wherein one of Party i and Party j is a server and the other a client.
- The methods according to Claim 3, wherein the rounding tech-nique is replaced with a similar technique.
- The method according to Claim 4, wherein the ”Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.
- The methods according to Claim 4, wherein the ”Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectan-gular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
- The methods according to Claim 4, wherein one of Party i and Party j is a server and the other a client.
- The methods according to Claim 4, wherein the rounding tech-nique is replaced with a similar technique.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/765,238 US10764042B2 (en) | 2015-09-08 | 2016-09-02 | Password based key exchange from ring learning with errors |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201562215186P | 2015-09-08 | 2015-09-08 | |
US62/215,186 | 2015-09-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017041669A1 true WO2017041669A1 (en) | 2017-03-16 |
Family
ID=58239210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/097895 WO2017041669A1 (en) | 2015-09-08 | 2016-09-02 | Password based key exchange from ring learning with er-rors |
Country Status (2)
Country | Link |
---|---|
US (1) | US10764042B2 (en) |
WO (1) | WO2017041669A1 (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018213875A1 (en) * | 2017-05-22 | 2018-11-29 | Commonwealth Scientific And Industrial Research Organisation | Asymmetric cryptography and authentication |
EP3754896A1 (en) * | 2019-06-18 | 2020-12-23 | Koninklijke Philips N.V. | Authenticated key agreement |
EP4322460A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Reliability setting for improved security establishment methods and systems |
EP4322456A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Quantum secure implicit authenticated password-based protocols and systems |
EP4322458A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Post quantum integration for password-authenticated key exchange |
EP4322463A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322462A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems wherein keys are derived from a protocol transcript |
EP4322461A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322459A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322457A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113094722B (en) * | 2021-03-25 | 2022-05-24 | 中国科学院信息工程研究所 | Three-party password authentication key exchange method |
CN115276984B (en) * | 2022-07-29 | 2024-03-29 | 山东大学 | Key exchange method and system based on GR-LWE problem |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080046732A1 (en) * | 2006-08-15 | 2008-02-21 | Motorola, Inc. | Ad-hoc network key management |
US20080069344A1 (en) * | 2006-08-30 | 2008-03-20 | Samsung Electronics Co., Ltd. | Method and apparatus for key agreement between devices using polynomial ring |
US20090154711A1 (en) * | 2007-12-18 | 2009-06-18 | Jho Namsu | Multi-party key agreement method using bilinear map and system therefor |
CN104396184A (en) * | 2012-04-12 | 2015-03-04 | 丁津泰 | New cryptographic systems using pairing with errors |
-
2016
- 2016-09-02 US US15/765,238 patent/US10764042B2/en active Active
- 2016-09-02 WO PCT/CN2016/097895 patent/WO2017041669A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080046732A1 (en) * | 2006-08-15 | 2008-02-21 | Motorola, Inc. | Ad-hoc network key management |
US20080069344A1 (en) * | 2006-08-30 | 2008-03-20 | Samsung Electronics Co., Ltd. | Method and apparatus for key agreement between devices using polynomial ring |
US20090154711A1 (en) * | 2007-12-18 | 2009-06-18 | Jho Namsu | Multi-party key agreement method using bilinear map and system therefor |
CN104396184A (en) * | 2012-04-12 | 2015-03-04 | 丁津泰 | New cryptographic systems using pairing with errors |
Non-Patent Citations (1)
Title |
---|
DING JINTAI ET AL.: "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem.", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, 29 July 2014 (2014-07-29), pages 1 - 15, XP061016565, Retrieved from the Internet <URL:http://ai2-s2-pdfs.s3.amazonaws.com/b1e7/faec59a9bdd70e75f9d15496cf27916ce060.pdf> * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018213875A1 (en) * | 2017-05-22 | 2018-11-29 | Commonwealth Scientific And Industrial Research Organisation | Asymmetric cryptography and authentication |
EP3754896A1 (en) * | 2019-06-18 | 2020-12-23 | Koninklijke Philips N.V. | Authenticated key agreement |
WO2020254177A1 (en) * | 2019-06-18 | 2020-12-24 | Koninklijke Philips N.V. | Authenticated lattice-based key agreement or key encapsulation |
US11991274B2 (en) | 2019-06-18 | 2024-05-21 | Koninklijke Philips N.V. | Authenticated lattice-based key agreement or key encapsulation |
EP4322460A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Reliability setting for improved security establishment methods and systems |
EP4322456A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Quantum secure implicit authenticated password-based protocols and systems |
EP4322458A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Post quantum integration for password-authenticated key exchange |
EP4322463A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322462A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems wherein keys are derived from a protocol transcript |
EP4322461A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322459A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
EP4322457A1 (en) * | 2022-08-12 | 2024-02-14 | Koninklijke Philips N.V. | Improved security establishment methods and systems |
Also Published As
Publication number | Publication date |
---|---|
US10764042B2 (en) | 2020-09-01 |
US20180302218A1 (en) | 2018-10-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10764042B2 (en) | Password based key exchange from ring learning with errors | |
TWI502947B (en) | New cryptographic system and method based on mismatching | |
Mandt et al. | Certificateless authenticated two-party key agreement protocols | |
US8918648B2 (en) | Digital signature and key agreement schemes | |
EP2399361B1 (en) | Identity based authenticated key agreement protocol | |
US20030182554A1 (en) | Authenticated ID-based cryptosystem with no key escrow | |
WO2015184991A1 (en) | Improvements on cryptographic systems using pairing with errors | |
Abusukhon et al. | Efficient and secure key exchange protocol based on elliptic curve and security models | |
Gupta et al. | Cryptanalysis of Wang et al.’s lattice-based key exchange protocol | |
Braeken et al. | Pairing free and implicit certificate based signcryption scheme with proxy re-encryption for secure cloud data storage | |
CN113132104A (en) | Active and safe ECDSA (electronic signature SA) digital signature two-party generation method | |
Kumar et al. | Survey and taxonomy of key management protocols for wired and wireless networks | |
Mokhtarnameh et al. | An enhanced certificateless authenticated key agreement protocol | |
CA2730626C (en) | Improved digital signature and key agreement schemes | |
Okamoto et al. | One-way and two-party authenticated ID-based key agreement protocols using pairing | |
Goldwasser et al. | Proof of plaintext knowledge for the Ajtai-Dwork cryptosystem | |
Huang et al. | Two-party authenticated multiple-key agreement based on elliptic curve discrete logarithm problem | |
Zheng et al. | Threshold attribute‐based signcryption and its application to authenticated key agreement | |
Nithya et al. | Survey on asymmetric key cryptography algorithms | |
Hyla et al. | Certificate-based encryption scheme with general access structure | |
Pakniat et al. | Cryptanalysis of a certificateless aggregate signature scheme | |
Kumar et al. | A pairing free certificateless group key agreement protocol with constant round | |
Nabil et al. | New authenticated key agreement protocols | |
CN109150545B (en) | ECC-based (m, N) threshold group signature method | |
Nabil et al. | Certificate-based authenticated key agreement protocols |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16843607 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15765238 Country of ref document: US |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16843607 Country of ref document: EP Kind code of ref document: A1 |