WO2017041669A1 - Password based key exchange from ring learning with errors - Google Patents

Info

Publication number: WO2017041669A1
Authority: WO (WIPO PCT)
Application number: PCT/CN2016/097895
Other languages: French (fr)
Inventor: Jintai Ding
Original Assignee: Jintai Ding
Application filed by Jintai Ding
Priority to US15/765,238 (US10764042B2)
Publication of WO2017041669A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3013 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Abstract

Using the same basic idea of KE based on Ring LWE, this invention gives constructions of new authenticated key exchange systems, where the authentication is achieved through a shared password between two parties. These new systems are efficient and have very strong security properties, including provable security and resistance to quantum computer attacks. This invention can also be modified using the LWE problem.

Description

Password Based Key Exchange from Ring Learning with Errors
Background
The present disclosure claims priority to the U.S. provisional patent application 62/215,186, entitled "Password Based Key Exchange from Ring Learning with Errors", filed September 8, 2012, which is incorporated herein by reference in its entirety and for all purposes.
In our modern communication systems like the Internet, cell phones, etc., to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and easy-to-use key exchange system between the server and the clients.
This invention is related to the construction of authenticated key exchange (KE) systems, where the authentication is achieved using a simple password. Such a system is very useful for many applications, in particular the case where a client wants to communicate securely with a server, and where the only shared secret is the password or a certain hash value of a password. We call such a key exchange a password-authenticated key exchange (PAKE).
PAKE systems were proposed in [BMc], [Mc], whose security is based on the hardness of discrete logarithm problems. Such a system can be broken by future quantum computers, as shown in the work of Shor [SHO].
In this invention, we construct new PAKEs that can resist quantum computer attacks using the LWE problem. The invention is based on the new KE from the LWE problem first constructed in the US Patent "Cryptographic systems using pairing with errors", Patent number 9246675.
BRIEF SUMMARY OF THE INVENTION
This invention first contains a novel method for two parties i and j to perform a secure authenticated KE over an open communication channel, assuming that they share a secret password π. This method is based on the idea of computing the pairing of the same bilinear form in two different ways, each with different small errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg] and the Ring LWE [LPR]. The security of this system depends on the hardness of certain lattice problems, which can be mathematically proven hard [DALSS]. This system involves only simple multiplication and is therefore very efficient. Such a system can also resist future quantum computer attacks.
This invention contains an additive construction of PAKE with either explicit authentication or implicit authentication. Furthermore, this invention can be modified slightly to build a multiplicative version.
Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives, or modifications will become apparent to those who are skilled in the art of cryptography. Therefore, the preferred embodiments of the invention as set forth herein are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent application with Ser. No. 62/215,186, entitled "Password Based Key Exchange from Ring Learning with Errors", filed September 8, 2012, with only more technical details added.
DETAILED DESCRIPTION OF THE INVENTION
1.1 The basic background
The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg], and its extension, the ring learning with errors (RLWE) problem [LPR], have broad application in cryptographic constructions with good provable security properties. The main claim is that they are as hard as certain worst-case lattice problems, and hence so are the related cryptographic constructions.
A LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution κ on the finite ring (field) [image PCTCN2016097895-appb-000001] with q elements. To simplify the exposition, we will take q to be an odd prime, but we can also work over any whole number, with slight modifications where needed.
In [image PCTCN2016097895-appb-000002] each element is represented by the set {-(q-1)/2, ..., 0, ..., (q-1)/2}. In this exposition, by "an error" distribution we mean a distribution such that, if we select an element following it, there is a high probability that the selected element is small. There are many such choices, and they directly affect the security of the system. One should select a good error distribution to make sure the system works well and securely.
Let Π_{S,κ} on [image PCTCN2016097895-appb-000003] be the probability distribution obtained by selecting an element A in [image PCTCN2016097895-appb-000004] randomly and uniformly, choosing e ∈ F_q according to κ, and outputting (A, <A, S> + e), where + is the addition performed in F_q. An algorithm solves the LWE problem with modulus q and error distribution κ if, for any S in [image PCTCN2016097895-appb-000005], given an arbitrary number of independent samples from Π_{S,κ}, it outputs S (with high probability).
To achieve the provable security of the related cryptographic constructions based on the LWE problem, one chooses q to be a specific polynomial function of n, that is, q is replaced by a polynomial function of n, which we denote as q(n), and κ to be a certain discrete version of the normal distribution centered around 0 with standard deviation [image PCTCN2016097895-appb-000006], where elements of F_q are represented by integers in the range [-(q-1)/2, (q-1)/2]; we denote this distribution as κ_σ.
In the original encryption system based on the LWE problem, one can only encrypt one bit at a time; therefore the system is rather inefficient and has a large key size. To further improve the efficiency of cryptosystems based on the LWE problem, a new problem, which is a LWE problem based on a quotient ring of the polynomial ring F_q[x] [LPR], was proposed. This is called the ring LWE (RLWE) problem. In the cryptosystems based on the RLWE problem, security is reduced to hard problems on a subclass of lattices, the class of ideal lattices, instead of general lattices.
Later, a new variant of LWE was proposed in [ACPS]. This variant is based on the LWE problem: we replace the vector A with a matrix A of size m×n, and S with a matrix of size n×1, such that they are compatible for the matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We work over the same finite field with q elements.
To simplify the exposition, we will only present PAKE, in detail, for the case using Ring LWE.
For all our constructions, we first define the following notations, which we will use throughout this application. Let n be a power of 2, and f(x) = x^n + 1. Let q ≈ 2^{ω(log n)} be an odd prime such that q mod 2n = 1. Take [image PCTCN2016097895-appb-000007] and [image PCTCN2016097895-appb-000008] as above. Let H1: [image PCTCN2016097895-appb-000009] be a hash function with output distribution χ_γ. Let H2: {0,1}* → {0,1}^k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. We model both functions as random oracles. Let χ_α, χ_β be two discrete Gaussian distributions with parameters [image PCTCN2016097895-appb-000010].
Let π_{i,j} be the shared password of parties i and j, and let h: [image PCTCN2016097895-appb-000011] be a uniform hash function used to hide the password.
We now define the Sig and Mod2 functions. We denote [image PCTCN2016097895-appb-000012] [image PCTCN2016097895-appb-000013] and consider the set [image PCTCN2016097895-appb-000014], i.e. the "middle" of [image PCTCN2016097895-appb-000015]. Recall that Sig is simply the characteristic function of the complement of E [DiLi], and that Mod2: [image PCTCN2016097895-appb-000016] is defined as: [image PCTCN2016097895-appb-000017]
When Sig and Mod2 are applied to a ring element, they are applied to each coefficient of the ring element. Sig was also denoted Cha before; they are the same function under different notation.
We will leave off the subscripts on π in what follows when the parties involved are clear from context.
1.1 The construction of the PAKE with explicit authentication
We also take verification hashes η, η′ to ensure both parties are mutually authenticated. Our protocol consists of the following steps, illustrated in Figure 1:
Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i + h(π) to party j.
Response: Party j receives x_i + h(π) from party i and recovers x_i = m − h(π). Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j.
Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n and σ = Mod2(k_j, w_j). Party j sends y_j, w_j, and κ = η(i, j, x_i, y_j, σ, π) to party i. Lastly, party j derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ).
Finish: Party i computes k_i = r_i·y_j and κ′ = η′(j, i, x_i, y_j, σ, π).
Finally, party i computes σ = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ). Party i also verifies that κ = η(i, j, x_i, y_j, σ, π) matches the value of κ received from party j. If it does not, party i ends the communication. If it does, party i sends κ′ to party j, who verifies it in the same way.
[Figure 1: Explicitly Authenticated Protocol (image PCTCN2016097895-appb-000018)]
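As an added worked example (not code from the patent or its inventor), the following Python toy runs the explicitly authenticated, additive protocol of this section end to end over the ring R_q = Z_q[x]/(x^n + 1) from the background section, including the Sig/Mod2 reconciliation that lets both parties round their slightly different k_i and k_j to the same bits. Everything not stated on the page is an assumption chosen for the example: n = 8 and q = 7681 as toy parameters, an error sampler with coefficients in [-2, 2] standing in for χ_β, SHAKE-256 for h, domain-separated SHA-256 for η, η′ and H2, and the Sig/Mod2 formulas as given in the cited [DiLi] (the page's own definitions are in figures). With matching passwords the two session keys agree; with a mismatched password, party i's check of κ fails and it aborts, which is the explicit authentication at work.

```python
# Toy RLWE password-authenticated key exchange with explicit authentication
# (the Initiation / Response / Finish steps of Section 1.1). Added illustration,
# not the patent's code; ring size, error sampler and hash instantiations are
# assumptions chosen to keep it small and offline, not secure parameters.
import hashlib, random

N = 8        # ring dimension, a power of two (toy value; real use needs n >= 1024)
Q = 7681     # odd prime with Q mod 2N == 1, so R_q = Z_q[x] / (x^N + 1)
HALF = (Q - 1) // 2   # coefficients are represented in [-(Q-1)/2, (Q-1)/2]
IDS = ("client", "server")   # identities i and j bound into the hashes

def centered(v):
    """Representative of v mod Q in the range [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > HALF else v

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1); x^N wraps around as -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out

def sample_error(rng):
    """Small-coefficient stand-in for the discrete Gaussian chi_beta (assumption)."""
    return [rng.randint(-2, 2) % Q for _ in range(N)]

def sig(v):
    """Sig (a.k.a. Cha) as in [DiLi]: 0 inside the middle set E = [-q/4, q/4], else 1."""
    return 0 if -(Q // 4) <= centered(v) <= Q // 4 else 1

def mod2(v, w):
    """Mod2 as in [DiLi]: parity of v shifted by w*(q-1)/2, in centered form."""
    return centered(v + w * HALF) % 2

def _hash(label, *parts):
    """Domain-separated SHA-256 standing in for eta, eta' and H2 (assumption)."""
    h = hashlib.sha256(label)
    for p in parts:
        s = str(p).encode()
        h.update(len(s).to_bytes(4, "big") + s)
    return h.digest()

def h_pw(password):
    """h: {0,1}* -> R_q, password hashed to a ring element (SHAKE-256; assumption)."""
    d = hashlib.shake_256(b"pake-h|" + password.encode()).digest(2 * N)
    return [int.from_bytes(d[2 * k:2 * k + 2], "big") % Q for k in range(N)]

def party_i_initiate(a, password, rng):
    r_i, f_i = sample_error(rng), sample_error(rng)
    x_i = ring_add(ring_mul(a, r_i), [2 * c % Q for c in f_i])      # x_i = a*r_i + 2*f_i
    return {"r_i": r_i, "x_i": x_i}, ring_add(x_i, h_pw(password))  # m = x_i + h(pi)

def party_j_respond(a, password, m, rng):
    i, j = IDS
    x_i = [(mc - hc) % Q for mc, hc in zip(m, h_pw(password))]     # x_i = m - h(pi), j's password
    r_j, f_j = sample_error(rng), sample_error(rng)
    y_j = ring_add(ring_mul(a, r_j), [2 * c % Q for c in f_j])      # y_j = a*r_j + 2*f_j
    k_j = ring_mul(x_i, r_j)
    w_j = [sig(c) for c in k_j]                  # hint w_j = Sig(k_j), sent in the clear
    sigma = [mod2(c, wc) for c, wc in zip(k_j, w_j)]
    kappa = _hash(b"eta", i, j, x_i, y_j, sigma, password)
    state = {"expect": _hash(b"eta'", j, i, x_i, y_j, sigma, password),
             "sk": _hash(b"H2", i, j, x_i, y_j, w_j, sigma)}
    return state, (y_j, w_j, kappa)

def party_i_finish(state, password, y_j, w_j, kappa):
    """Returns (sk_i, kappa') or None when j's verification hash does not match."""
    i, j = IDS
    x_i, k_i = state["x_i"], ring_mul(state["r_i"], y_j)
    sigma = [mod2(c, wc) for c, wc in zip(k_i, w_j)]   # equals j's sigma when k_i ~ k_j
    if kappa != _hash(b"eta", i, j, x_i, y_j, sigma, password):
        return None                              # explicit authentication failed: abort
    return _hash(b"H2", i, j, x_i, y_j, w_j, sigma), _hash(b"eta'", j, i, x_i, y_j, sigma, password)

def party_j_finish(state, kappa_prime):
    return state["sk"] if kappa_prime == state["expect"] else None

def run_pake(password_i, password_j, seed=1):
    """One full exchange; returns (sk_i, sk_j), with None for a party that aborted."""
    rng = random.Random(seed)                    # fixed seed so the run is repeatable
    a = [rng.randrange(Q) for _ in range(N)]     # public uniform ring element a
    st_i, m = party_i_initiate(a, password_i, rng)
    st_j, (y_j, w_j, kappa) = party_j_respond(a, password_j, m, rng)
    res = party_i_finish(st_i, password_i, y_j, w_j, kappa)
    if res is None:
        return None, None
    sk_i, kappa_prime = res
    return sk_i, party_j_finish(st_j, kappa_prime)
```

Two design points the toy makes visible. First, k_i and k_j differ by 2(f_i·r_j − r_i·f_j), which is even and small, so Mod2 recovers the same parity on both sides as long as no coefficient wraps around ±(q−1)/2; the hint w_j = Sig(k_j) shifts coefficients near the wrap boundary into the middle before the parity is taken, and the test below exercises that boundary case directly. Second, only the blinded m and the verification hashes depend on the password, and m is a uniform-looking ring element under RLWE, so a recorded transcript alone does not let an observer test password guesses; that is the property the provable-security claim cited from [DALSS] formalizes.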
1.2 The construction of the PAKE with implicit authentication
We construct here a variation of the protocol that gives implicit authentication, similar to the PPK variation on the PAK protocol. If either party provides an incorrect password, then the parties' "shared" keys will not actually match, effectively preventing communication without explicitly checking for matching passwords.
Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i + h(π) to party j.
Response: Party j receives x_i + h(π) from party i and recovers x_i = m − h(π). Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j.
Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n. Party j sends μ = y_j + h(π) and w_j to party i. Lastly, party j computes σ_j = Mod2(k_j, w_j) and derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ_j).
Finish: Party i recovers the pair (y_j, w_j), and uses it to compute k_i = r_i·y_j.
Finally, party i computes σ_i = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ_i).
[Figure 2: Implicitly Authenticated Protocol (image PCTCN2016097895-appb-000019)]
1.3 The construction of the Multiplicative Version of the PAKE
In addition to the two protocols above, we can also blind the protocol messages by multiplying by the hashed password rather than adding it as done above. Note that this form only works if h(π) is invertible in the ring, but that condition will usually be met.
Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i·h(π) to party j.
Response: Party j receives x_i·h(π) from party i and recovers x_i = m·h(π)^{-1}. Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j.
Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n and σ = Mod2(k_j, w_j). Party j sends y_j, w_j, and κ = η(i, j, x_i, y_j, σ, π) to party i. Lastly, party j derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ).
Finish: Party i computes k_i = r_i·y_j and κ′ = η′(j, i, x_i, y_j, σ, π).
Finally, party i computes σ = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ). Party i also verifies that κ = η(i, j, x_i, y_j, σ, π) matches the value of κ received from party j. If it does not, party i ends the communication. If it does, party i sends κ′ to party j, who verifies it in the same way.
[Figure 3: Multiplicative Protocol (image PCTCN2016097895-appb-000020)]
We can also apply the multiplicative variant to the implicitly authenticated version, as described below:
Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i·h(π) to party j.
Response: Party j receives x_i·h(π) from party i and recovers x_i = m·h(π)^{-1}. Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j.
Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n. Party j sends μ = y_j·h(π)^{-1} and w_j to party i. Lastly, party j computes σ_j = Mod2(k_j, w_j) and derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ_j).
Finish: Party i recovers the pair (y_j, w_j), and uses it to compute k_i = r_i·y_j.
Finally, party i computes σ_i = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ_i).
[Figure 4: Multiplicative Implicitly Authenticated Protocol (image PCTCN2016097895-appb-000021)]
LITERATURE CITED
[ACPS] B. Applebaum, D. Cash, C. Peikert, A. Sahai, Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. Advances in Cryptology - CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677, pp 595-618, 2009.
[BMc] V. Boyko, P. MacKenzie, S. Patel, Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science 1807, Springer-Verlag, pp 156-171, 2000.
[COP] D. Coppersmith, Shmuel Winograd, Matrix multiplication via arithmetic progressions, Journal of Symbolic Computation, Special issue on computational algebraic complexity, 9 (3), pp 251-280, 1990.
[DALSS] Jintai Ding, Saed Alsayigh, Jean Lancrenon, Saraswathy RV, Michael Snook, Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-Quantum World, Cryptology ePrint Archive, Report 2016/552.
[DiHe] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6), pp 644-654, 1976.
[DiLi] J. Ding, X. Lin, A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem, Cryptology ePrint Archive, Report 688, 2012.
[LPR] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, Eurocrypt 2010.
[Mc] P. MacKenzie, On the Security of the SPEKE Password-Authenticated Key Exchange Protocol, Cryptology ePrint Archive, Report 2001/057, 2001, http://eprint.iacr.org/2001/057
[Reg] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC 2005), ACM, pp 84-93, 2005.
[SHO] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal on Computing 26, pp 1484-1509, 1997.

Claims (20)

  1. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authentication, comprising:
    Set up: Party i and Party j openly choose the following parameters and functions. Let n be a power of 2, and f(x) = x^n + 1. Let q ≈ 2^{ω(log n)} be an odd prime such that q mod 2n = 1. Take [image PCTCN2016097895-appb-100001] and [image PCTCN2016097895-appb-100002]. Choose [image PCTCN2016097895-appb-100003] and let [image PCTCN2016097895-appb-100004] be a hash function with output distribution χ_γ. Choose H2: {0,1}* → {0,1}^k to be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let χ_α, χ_β be two discrete Gaussian distributions with parameters α, [image PCTCN2016097895-appb-100005]. Let π_{i,j} be the shared password of parties i and j, and choose h: {0,1}* → R_q to be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context.
    Choose the Sig and Mod2 functions. We denote [image PCTCN2016097895-appb-100006] and consider the set [image PCTCN2016097895-appb-100007], i.e. the "middle" of [image PCTCN2016097895-appb-100008]. Recall that Sig is simply the characteristic function of the complement of E [DiLi], and that Mod2: [image PCTCN2016097895-appb-100009] is defined as: [image PCTCN2016097895-appb-100010]. When Sig and Mod2 are applied to a ring element, they are applied to each coefficient of the ring element.
    Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i + h(π) to party j.
    Response: Party j receives x_i + h(π) from party i and recovers x_i = m − h(π). Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j. Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n and σ = Mod2(k_j, w_j). Party j sends y_j, w_j, and κ = η(i, j, x_i, y_j, σ, π) to party i. Lastly, party j derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ).
    Finish: Party i computes k_i = r_i·y_j and κ′ = η′(j, i, x_i, y_j, σ, π).
    Finally, party i computes σ = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ). Party i also verifies that κ = η(i, j, x_i, y_j, σ, π) matches the value of κ received from party j. If it does not, party i ends the communication. If it does, party i sends κ′ to party j, who verifies it in the same way.
  2. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit authentication, comprising:
    Set up: Party i and Party j openly choose the following parameters and functions. Let n be a power of 2, and f(x) = x^n + 1. Let q ≈ 2^{ω(log n)} be an odd prime such that q mod 2n = 1. Take [image PCTCN2016097895-appb-100011] and [image PCTCN2016097895-appb-100012]. Choose [image PCTCN2016097895-appb-100013] and let H1: [image PCTCN2016097895-appb-100014] be a hash function with output distribution χ_γ. Choose H2: {0,1}* → {0,1}^k to be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let χ_α, χ_β be two discrete Gaussian distributions with parameters α, [image PCTCN2016097895-appb-100015]. Let π_{i,j} be the shared password of parties i and j, and choose h: {0,1}* → R_q to be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context.
    Choose the Sig and Mod2 functions. We denote [image PCTCN2016097895-appb-100016] and consider the set [image PCTCN2016097895-appb-100017], i.e. the "middle" of [image PCTCN2016097895-appb-100018]. Recall that Sig is simply the characteristic function of the complement of E [DiLi], and that Mod2: [image PCTCN2016097895-appb-100019] is defined as: [image PCTCN2016097895-appb-100020]. When Sig and Mod2 are applied to a ring element, they are applied to each coefficient of the ring element.
    Initiation: Party i randomly samples r_i, f_i ← χ_β, computes x_i = a·r_i + 2·f_i, and sends m = x_i + h(π) to party j.
    Response: Party j receives x_i + h(π) from party i and recovers x_i = m − h(π). Party j then randomly samples r_j, f_j ← χ_β and computes y_j = a·r_j + 2·f_j and k_j = x_i·r_j. Next, party j computes w_j = Sig(k_j) ∈ {0,1}^n. Party j sends μ = y_j + h(π) and w_j to party i. Lastly, party j computes σ_j = Mod2(k_j, w_j) and derives the session key sk_j = H2(i, j, x_i, y_j, w_j, σ_j).
    Finish: Party i recovers the pair (y_j, w_j), and uses it to compute k_i = r_i·y_j.
    Finally, party i computes σ_i = Mod2(k_i, w_j) and derives the session key sk_i = H2(i, j, x_i, y_j, w_j, σ_i).
  3. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authen-tication by multiplication of hashed password, comprising:
    Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f (x) = xn + 1. q ≈ 2ω (log n) be an odd prime such that q mod 2n = 1. Take
    Figure PCTCN2016097895-appb-100021
    and
    Figure PCTCN2016097895-appb-100022
    Choose 
    Figure PCTCN2016097895-appb-100023
    and H1: 
    Figure PCTCN2016097895-appb-100024
    be a hash function with output distribution χγ. Choose H2: {0, 1} * → {0, 1} k be the Key Derivation Func-tion (KDF) , where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α, 
    Figure PCTCN2016097895-appb-100025
    πi, j be the shared password of parties i and j, and choose h: {0, 1} * → Rq be a uniform hash  function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clearfrom context.
    Choose the Sig and Mod2 functions. We denote
    Figure PCTCN2016097895-appb-100026
    and consider the set
    Figure PCTCN2016097895-appb-100027
    i.e. the “middle” of
    Figure PCTCN2016097895-appb-100028
    Recall that Sig is simply the characteristic function of the complement of E [DiLi] , and that Mod2: 
    Figure PCTCN2016097895-appb-100029
    is de fined as:
    Figure PCTCN2016097895-appb-100030
    When Sig, Mod2 are applied to a ring elements, it will apply to each coefficient of the ring element.
    Initiation Party i randomly samples ri, fi ← χβ, computes xi = ari + 2fi, and sends m = xi·h (π) to party j.
    Response Party j receives xi·h (π) from party i and recovers xi = m·h (π) -1. Party j then randomly samples rj, fj ← χβ and computes yj = arj + 2fj and kj = xi·rj. Next, party j computes wj = Sig (kj) ∈ {0, 1} 2 and σ= Mod2 (kj, wj ) . Party j sends yj, wj, and κ = η (i, j, xi, yj, σ, π) to party i. Lastly, derives the session key skj = H2 (i, j, xi, yj, wj, σ) .
    Finish Party i computes ki = ri·yj and σ = Mod2(ki, wj), and derives the session key ski = H2(i, j, xi, yj, wj, σ). Party i then verifies that κ = η(i, j, xi, yj, σ, π), recomputed from its own σ and π, matches the value of κ received from party j. If it does not, party i ends the communication. If it does, party i computes κ′ = η′(j, i, xi, yj, σ, π) and sends it to party j, who verifies it in the same way.
  4. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit authentication by multiplication of hashed password, comprising:
    Set up Party i and Party j openly choose the following parameters and functions. Let n be a power of 2, and f(x) = x^n + 1. Let q ≈ 2^{ω(log n)} be an odd prime such that q mod 2n = 1. Take
    Figure PCTCN2016097895-appb-100031
    and
    Figure PCTCN2016097895-appb-100032
    Choose 
    Figure PCTCN2016097895-appb-100033
    and H1: 
    Figure PCTCN2016097895-appb-100034
    be a hash function with output distribution χγ. Choose H2: {0, 1}* → {0, 1}^k to be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters α,
    Figure PCTCN2016097895-appb-100035
    πi,j be the shared password of parties i and j, and choose h: {0, 1}* → Rq to be a uniform hash function used to hide the password. We leave off the subscripts on π in what follows when the parties involved are clear from context.
    Choose the Sig and Mod2 functions. We denote
    Figure PCTCN2016097895-appb-100036
    and consider the set
    Figure PCTCN2016097895-appb-100037
    i.e. the “middle” of
    Figure PCTCN2016097895-appb-100038
    Recall that Sig is simply the characteristic function of the complement of E [DiLi], and that Mod2:
    Figure PCTCN2016097895-appb-100039
    is defined as:
    Figure PCTCN2016097895-appb-100040
    When Sig or Mod2 is applied to a ring element, it is applied to each coefficient of the ring element.
    Initiation Party i randomly samples ri, fi ← χβ, computes xi = a·ri + 2fi, and sends m = xi·h(π) to party j.
    Response Party j receives m = xi·h(π) from party i and recovers xi = m·h(π)^(-1). Party j then randomly samples rj, fj ← χβ and computes yj = a·rj + 2fj and kj = xi·rj. Next, party j computes wj = Sig(kj) ∈ {0, 1}^n. Party j sends μ = yj·h(π)^(-1) and wj to party i. Lastly, party j computes σj = Mod2(kj, wj) and derives the session key skj = H2(i, j, xi, yj, wj, σj).
    Finish Party i recovers yj = μ·h(π) from the received pair (μ, wj) and uses it to compute ki = ri·yj. Finally, party i computes σi = Mod2(ki, wj) and derives the session key ski = H2(i, j, xi, yj, wj, σi).
  5. The method according to Claim 1, wherein the "Set Up" step chooses different parameters (q, n, distributions, etc.) as long as the related Ring LWE problem is hard to solve.
  6. The method according to Claim 1, wherein the "Set Up" step chooses parameters from the LWE problem instead of the Ring LWE problem, matrix operations replace the ring element operations, and the matrices are rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
  7. The method according to Claim 1, wherein one of Party i and Party j is a server and the other a client.
  8. The method according to Claim 1, wherein the rounding technique is replaced with a similar technique.
  9. The method according to Claim 2, wherein the "Set Up" step chooses different parameters (q, n, distributions, etc.) as long as the related Ring LWE problem is hard to solve.
  10. The method according to Claim 2, wherein the "Set Up" step chooses parameters from the LWE problem instead of the Ring LWE problem, matrix operations replace the ring element operations, and the matrices are rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
  11. The method according to Claim 2, wherein one of Party i and Party j is a server and the other a client.
  12. The method according to Claim 2, wherein the rounding technique is replaced with a similar technique.
  13. The method according to Claim 3, wherein the "Set Up" step chooses different parameters (q, n, distributions, etc.) as long as the related Ring LWE problem is hard to solve.
  14. The method according to Claim 3, wherein the "Set Up" step chooses parameters from the LWE problem instead of the Ring LWE problem, matrix operations replace the ring element operations, and the matrices are rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
  15. The method according to Claim 3, wherein one of Party i and Party j is a server and the other a client.
  16. The method according to Claim 3, wherein the rounding technique is replaced with a similar technique.
  17. The method according to Claim 4, wherein the "Set Up" step chooses different parameters (q, n, distributions, etc.) as long as the related Ring LWE problem is hard to solve.
  18. The method according to Claim 4, wherein the "Set Up" step chooses parameters from the LWE problem instead of the Ring LWE problem, matrix operations replace the ring element operations, and the matrices are rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.
  19. The method according to Claim 4, wherein one of Party i and Party j is a server and the other a client.
  20. The method according to Claim 4, wherein the rounding technique is replaced with a similar technique.
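The two procedures of claims 3 and 4 share all of their machinery (the ring Rq, the password mask h(π), the Sig/Mod2 reconciliation of the Set up step), so one worked run of both is given here as an added example. It is not the patent's or the inventor's code. It assumes toy parameters (n = 64, q = 12289, so q mod 2n = 1 and the ring can be handled in evaluation form), SHAKE-256 instantiations of h, H2 and of the confirmation hashes η and η′ (which the page names but does not define; the tags "eta" and "eta2" are the example's own), a rounded continuous Gaussian as a stand-in for χβ, and the definitions of E, Sig and Mod2 from the cited Ding-Xie-Lin paper, since the page's equation images are not reproduced. ri and rj are fresh in every run, as the claims require. Nothing here is constant-time.

```python
# Added illustration, not the patent's code: the password-based Ring-LWE exchange of
# claim 3 (explicit=True: y_j in the clear plus kappa/kappa') and claim 4 (explicit=False:
# y_j hidden as mu = y_j*h(pi)^-1), using the Sig/Mod2 reconciliation of [DiLi].
# Toy parameters, O(n^2) transforms and a non-constant-time sampler: for study only.
import hashlib
import random

N, Q = 64, 12289                  # n a power of two, q an odd prime with q mod 2n == 1
assert Q % (2 * N) == 1
# psi of order exactly 2n (psi^n == -1 mod q); its odd powers are the roots of x^n + 1
PSI = next(p for p in (pow(c, (Q - 1) // (2 * N), Q) for c in range(2, Q)) if pow(p, N, Q) == Q - 1)
PW = [pow(PSI, k, Q) for k in range(2 * N)]       # psi^k, exponents taken mod 2n
PWI = [pow(p, Q - 2, Q) for p in PW]              # psi^-k
N_INV = pow(N, Q - 2, Q)

def ntt(a):      # evaluate a(x) at psi^(2i+1): pointwise products are products in R_q
    return [sum(a[j] * PW[j * (2 * i + 1) % (2 * N)] for j in range(N)) % Q for i in range(N)]
def intt(v):     # interpolate back to coefficients
    return [N_INV * sum(v[i] * PWI[j * (2 * i + 1) % (2 * N)] for i in range(N)) % Q
            for j in range(N)]
def padd(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]
def pmul(a, b):  # product in R_q = Z_q[x]/(x^n + 1)
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])
def pinv(a):     # inverse in R_q; it exists iff no evaluation at a root is zero
    v = ntt(a)
    if 0 in v:
        raise ValueError("element is not invertible in R_q")
    return intt([pow(x, Q - 2, Q) for x in v])

def center(v):   # representative of v mod q in [-(q-1)/2, (q-1)/2]
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v
def sig(v):      # 0 on E = {-floor(q/4), ..., round(q/4)}, the "middle" of Z_q; 1 elsewhere
    return 0 if -(Q // 4) <= center(v) <= round(Q / 4) else 1
def mod2(v, w):  # ((v + w*(q-1)/2) mod q) mod 2 on the centered representative
    return center(v + w * ((Q - 1) // 2)) % 2

def expand(label, data):   # n coefficients mod q from SHAKE-256 (small modular bias accepted)
    buf = hashlib.shake_256(label + b"\x00" + data).digest(3 * N)
    return [int.from_bytes(buf[3 * k:3 * k + 3], "big") % Q for k in range(N)]

A = expand(b"a", b"public seed")  # the openly chosen public ring element a

def h_ring(pw):  # h: {0,1}* -> R_q; rehash with a counter in the rare non-invertible case
    for ctr in range(256):
        e = expand(b"h" + bytes([ctr]), pw)
        if 0 not in ntt(e):
            return e
    raise RuntimeError("no invertible h(pw) found")

def sample_chi(rng, sigma=3.2):   # stand-in for the discrete Gaussian chi_beta
    return [round(rng.gauss(0, sigma)) % Q for _ in range(N)]

def enc(*parts):  # length-prefixed transcript encoding; ints as 2-byte big-endian
    out = b""
    for p in parts:
        b = p if isinstance(p, bytes) else b"".join(int(c).to_bytes(2, "big") for c in p)
        out += len(b).to_bytes(2, "big") + b
    return out

def H2(i, j, xi, yj, wj, sg, k=32):   # KDF H2, k-byte session key
    return hashlib.shake_256(b"kdf" + enc(i, j, xi, yj, wj, sg)).digest(k)

def eta(tag, i, j, xi, yj, sg, pw):   # eta / eta' (assumed: the page does not define them)
    return hashlib.shake_256(tag + enc(i, j, xi, yj, sg, pw)).digest(32)

def run_pake(pw_i, pw_j, explicit, seed=0):
    """One run between party i (password pw_i) and party j (password pw_j).
    Returns (sk_i, sk_j, i_accepts, j_accepts); the accept flags are always True for claim 4."""
    rng, i, j = random.Random(seed), b"party-i", b"party-j"
    # Initiation: fresh r_i, f_i; x_i = a*r_i + 2*f_i goes out hidden as m = x_i*h(pi)
    ri, fi = sample_chi(rng), sample_chi(rng)
    xi = padd(pmul(A, ri), [2 * c % Q for c in fi])
    m = pmul(xi, h_ring(pw_i))
    # Response: j unmasks with its own password, then y_j, k_j = x_i*r_j, signal w_j, sigma_j
    hj = h_ring(pw_j)
    xi_j = pmul(m, pinv(hj))
    rj, fj = sample_chi(rng), sample_chi(rng)
    yj = padd(pmul(A, rj), [2 * c % Q for c in fj])
    kj = pmul(xi_j, rj)
    wj = [sig(c) for c in kj]
    sgj = [mod2(c, b) for c, b in zip(kj, wj)]
    skj = H2(i, j, xi_j, yj, wj, sgj)
    wire_y = yj if explicit else pmul(yj, pinv(hj))         # claim 3 sends y_j, claim 4 sends mu
    kappa = eta(b"eta", i, j, xi_j, yj, sgj, pw_j) if explicit else None
    # Finish: i recovers y_j and reconciles k_i = r_i*y_j with w_j; k_i - k_j = 2(r_i f_j - f_i r_j)
    yj_i = wire_y if explicit else pmul(wire_y, h_ring(pw_i))
    ki = pmul(ri, yj_i)
    sgi = [mod2(c, b) for c, b in zip(ki, wj)]
    ski = H2(i, j, xi, yj_i, wj, sgi)
    if not explicit:
        return ski, skj, True, True
    i_ok = kappa == eta(b"eta", i, j, xi, yj_i, sgi, pw_i)  # i checks kappa before sending kappa'
    kappa2 = eta(b"eta2", j, i, xi, yj_i, sgi, pw_i) if i_ok else None
    j_ok = kappa2 == eta(b"eta2", j, i, xi_j, yj, sgj, pw_j)
    return ski, skj, i_ok, j_ok
```

With matching passwords `run_pake(b"pw", b"pw", True)` returns equal keys and both accept flags set. With a mismatch the keys differ in both modes, but only the claim 3 run reports it: party i's κ check fails and κ′ is never sent. In the claim 4 run nothing fails at the protocol level, which is what implicit authentication means; the mismatch surfaces only when the derived keys are first used. The reconciliation works because the two parties' values differ by 2(ri·fj − fi·rj), an even quantity whose coefficients stay far below q/4 at these parameters, so Mod2 of the Sig-shifted centered representatives agrees coefficient by coefficient.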
PCT/CN2016/097895 2015-09-08 2016-09-02 Password based key exchange from ring learning with errors WO2017041669A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/765,238 US10764042B2 (en) 2015-09-08 2016-09-02 Password based key exchange from ring learning with errors

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562215186P 2015-09-08 2015-09-08
US62/215,186 2015-09-08

Publications (1)

Publication Number Publication Date
WO2017041669A1 true WO2017041669A1 (en) 2017-03-16

Family

ID=58239210

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/097895 WO2017041669A1 (en) 2015-09-08 2016-09-02 Password based key exchange from ring learning with errors

Country Status (2)

Country Link
US (1) US10764042B2 (en)
WO (1) WO2017041669A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094722B (en) * 2021-03-25 2022-05-24 中国科学院信息工程研究所 Three-party password authentication key exchange method
CN115276984B (en) * 2022-07-29 2024-03-29 山东大学 Key exchange method and system based on GR-LWE problem

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080046732A1 (en) * 2006-08-15 2008-02-21 Motorola, Inc. Ad-hoc network key management
US20080069344A1 (en) * 2006-08-30 2008-03-20 Samsung Electronics Co., Ltd. Method and apparatus for key agreement between devices using polynomial ring
US20090154711A1 (en) * 2007-12-18 2009-06-18 Jho Namsu Multi-party key agreement method using bilinear map and system therefor
CN104396184A (en) * 2012-04-12 2015-03-04 丁津泰 New cryptographic systems using pairing with errors

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DING JINTAI ET AL.: "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem.", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, 29 July 2014 (2014-07-29), pages 1 - 15, XP061016565, Retrieved from the Internet <URL:http://ai2-s2-pdfs.s3.amazonaws.com/b1e7/faec59a9bdd70e75f9d15496cf27916ce060.pdf> *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018213875A1 (en) * 2017-05-22 2018-11-29 Commonwealth Scientific And Industrial Research Organisation Asymmetric cryptography and authentication
EP3754896A1 (en) * 2019-06-18 2020-12-23 Koninklijke Philips N.V. Authenticated key agreement
WO2020254177A1 (en) * 2019-06-18 2020-12-24 Koninklijke Philips N.V. Authenticated lattice-based key agreement or key encapsulation
US11991274B2 (en) 2019-06-18 2024-05-21 Koninklijke Philips N.V. Authenticated lattice-based key agreement or key encapsulation
EP4322460A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Reliability setting for improved security establishment methods and systems
EP4322456A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Quantum secure implicit authenticated password-based protocols and systems
EP4322458A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Post quantum integration for password-authenticated key exchange
EP4322463A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Improved security establishment methods and systems
EP4322462A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Improved security establishment methods and systems wherein keys are derived from a protocol transcript
EP4322461A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Improved security establishment methods and systems
EP4322459A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Improved security establishment methods and systems
EP4322457A1 (en) * 2022-08-12 2024-02-14 Koninklijke Philips N.V. Improved security establishment methods and systems

Also Published As

Publication number Publication date
US10764042B2 (en) 2020-09-01
US20180302218A1 (en) 2018-10-18

Similar Documents

Publication Publication Date Title
US10764042B2 (en) Password based key exchange from ring learning with errors
TWI502947B (en) New cryptographic system and method based on mismatching
Mandt et al. Certificateless authenticated two-party key agreement protocols
US8918648B2 (en) Digital signature and key agreement schemes
EP2399361B1 (en) Identity based authenticated key agreement protocol
US20030182554A1 (en) Authenticated ID-based cryptosystem with no key escrow
WO2015184991A1 (en) Improvements on cryptographic systems using pairing with errors
Abusukhon et al. Efficient and secure key exchange protocol based on elliptic curve and security models
Gupta et al. Cryptanalysis of Wang et al.’s lattice-based key exchange protocol
Braeken et al. Pairing free and implicit certificate based signcryption scheme with proxy re-encryption for secure cloud data storage
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
Kumar et al. Survey and taxonomy of key management protocols for wired and wireless networks
Mokhtarnameh et al. An enhanced certificateless authenticated key agreement protocol
CA2730626C (en) Improved digital signature and key agreement schemes
Okamoto et al. One-way and two-party authenticated ID-based key agreement protocols using pairing
Goldwasser et al. Proof of plaintext knowledge for the Ajtai-Dwork cryptosystem
Huang et al. Two-party authenticated multiple-key agreement based on elliptic curve discrete logarithm problem
Zheng et al. Threshold attribute‐based signcryption and its application to authenticated key agreement
Nithya et al. Survey on asymmetric key cryptography algorithms
Hyla et al. Certificate-based encryption scheme with general access structure
Pakniat et al. Cryptanalysis of a certificateless aggregate signature scheme
Kumar et al. A pairing free certificateless group key agreement protocol with constant round
Nabil et al. New authenticated key agreement protocols
CN109150545B (en) ECC-based (m, N) threshold group signature method
Nabil et al. Certificate-based authenticated key agreement protocols

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16843607; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 15765238; Country of ref document: US)
122 Ep: pct application non-entry in european phase (Ref document number: 16843607; Country of ref document: EP; Kind code of ref document: A1)