WO2015184991A1 - Improvements on cryptographic systems using pairing with errors - Google Patents


Info

Publication number
WO2015184991A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2015/080697
Other languages
French (fr)
Inventor
Jintai Ding
Zhenfeng Zhang
Jiang Zhang
Original Assignee
Jintai Ding

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • ⁇ S, ⁇ on Fq be the probability distribution obtained by selecting an element A in randomly and uniformly, choosing e ∈ Fq according to κ, and outputting (A, <A, S> + e), where + is the addition that is performed in Fq.
  • An algorithm solves the LWE problem with modulus q and error distribution ⁇ , if, for any S in with an arbitrary number of independent samples from ⁇ S, ⁇ , it outputs S (with high probability) .
  • q to be a specific polynomial function of n, that is, q is replaced by a polynomial function of n, which we will denote as q(n), κ to be a certain discrete version of the normal distribution centered around 0 with the standard deviation which we denote as ⁇ ⁇ , and elements of Fq are represented by integers in the range [-(q-1)/2, (q-1)/2].
  • Fq be the probability distribution obtained by selecting an n × n matrix A, whose entries are each chosen in Fq uniformly and independently, choosing e as an n × 1 vector over Fq with entries chosen according to a certain error distribution ⁇ n , for example, each entry follows an error distribution κ independently, and outputting (A, A × S + e), where + is the entrywise addition in Fq. An algorithm solves an LWE with modulus q and error distribution ⁇ n , if, for any vector S in with any number of independent sample(s) from it outputs S (with high probability).
  • Such a product can be mathematically viewed as computing the bilinear pairing of the row vectors of A with the column vectors of C.
  • E_A, E_B, E_AC, E_BC are matrices with small entries following the same (or different) error distributions. Then we have two ways to compute the product ABC with small errors or differences between these two matrices. We call such a computation pairing with errors. All our constructions depend on such a pairing with errors and on the fact that the two different pairings are close to each other if A and C are also small.
  • Alice and Bob will first publicly select Fq, n and an n × n matrix M over Fq uniformly and randomly, where q is of the size of a polynomial of n, for example q ≈ n^3, and an error distribution to be a distribution over n × n matrices over Fq, for example, a distribution in which the components are independent and each component follows a certain error distribution like the discrete error distribution ⁇ ⁇ as in the case of LWE, namely a discrete normal distribution over Fq centered around 0 with standard deviation approximately. All the information above is public. They jointly and publicly choose a small (prime) integer t (t ≪ n).
  • t is a small integer (t ≪ n).
  • M_B = M^t S_B + t e_B.
  • each party will compute the residues of these entries modulo t in T_1, and for the entries not in T_1, which are in T_2, they will add (q-1)/2 to each entry and compute the residue modulo q first (into the range [-(q-1)/4, (q-1)/4]) and then the residue modulo t. That gives a shared key between these two users.
  • Bob will randomly apply either of the two signal functions, ⁇ 0 or ⁇ 1 , to all the entries of K_B and make a list T_1 of all positions of the entries of K_B such that these entries have value 0, and a list T_2 of the entries with value 1. Then Bob will send to Alice the list T_1.
  • f (x) is a degree n polynomial in is the ring of integers
  • q is a prime integer
  • elements in are represented by elements: -(q-1)/2, ..., -1, 0, 1, ..., (q-1)/2, which can be viewed as elements in when we talk about the norm of an element.
  • Any element in is represented by a degree n-1 polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries.
  • a(x) = a_0 + a_1 x + ... + a_{n-1} x^{n-1},
  • the RLWE f, q, ⁇ problem is parameterized by a polynomial f(x) of degree n, a prime number q and an error distribution ⁇ over It is defined as follows.
  • the error distribution ⁇ is the discrete Gaussian distribution for some
  • Alice and Bob will first publicly select all the parameters for the RLWE f, q, ⁇ including q (≈ n^3 or similar polynomial functions of n), n, f(x) and ⁇ . In addition, they will select a random element M over R_q uniformly. All the information above is public.
  • each party chooses its own secret s_i as an element in R_q according to the error distribution ⁇ , and e_i independently also as an element following the error distribution ⁇ , but they jointly choose a small prime integer t (t ≪ n).
  • t is a small integer (t ≪ n).
  • M_B = M s_B + t e_B.
  • n be a power of 2, and the finite ring (or field) and let and analogously.
  • y (x) in R (or R q ) we identify y with its coefficient vector in (or ) .
  • the discrete Gaussian distribution is defined as the distribution of where Y is distributed according to a Gaussian distribution with standard deviation ⁇ centered on c.
  • For the spherical discrete Gaussian distribution over is defined as the distribution where the ith coordinate is distributed according to If the center c is zero, we denote the distribution as ⁇ ⁇ .
  • x ⁇ r ⁇ ⁇ means we sample the vector x from the distribution ⁇ ⁇ ; for an element y ⁇ R, by y ⁇ r ⁇ ⁇ , we mean that we sample an element of R whose coefficient vector is distributed according to ⁇ ⁇ .
  • the AKE can be described as follows:
  • n be a power of 2
  • H_2 : {0, 1}* → {0, 1}^⁇ be the key derivation function, where ⁇ is the bit-length of the final shared key.
  • ⁇ ⁇ , ⁇ ⁇ be two discrete Gaussian distributions with parameters. There are two parties in our AKE: Party i and Party j.
  • the quantities c and d are the same as computed by party j.
  • the distribution of the public keys can be done by a central party like the public key infrastructure, or the keys can be generated by each user in a way such that others can authenticate them by a digital signature or a similar mechanism.
  • the multiple of 2 on the error terms can be replaced by a small integer t.
  • the error terms g_i can be removed or replaced by terms with other error distributions.
  • the procedure for two users i and j to derive a shared key can be modified such that the roles of i and j are exchanged.
  • the rounding technique in deriving the shared key can be replaced by a similar method with a similar signal function.

Abstract

In this invention, we first build a new robust (and randomized) extractor (RE) as a rounding technique that will ensure the final keys have no bias and therefore provide the highest security. This RE can be applied to the KE schemes and the KD schemes in the PWE invention. It is applicable for both the RLWE and LWE cases. Secondly, we build a construction of AKE, which is a direct improvement of the PWE invention of Ding along the same line as the HMQV construction over the Diffie-Hellman KE. This construction eliminates the man-in-the-middle attack with an authentication mechanism that does not use digital signatures, and therefore provides the highest security. Here, one uses the public keys in RLWE (LWE) without doing encryption and decryption.

Description

Improvements on cryptographic systems using pairing with errors
Background
The present disclosure claims priority to the U.S. provisional patent applications: Ser. No. 61997523 entitled “A robust extractor to improve the Key exchange based on LWE and RLEW” filed June 4, 2014 and Ser. No. 61997524 entitled “An Authenticated Key Exchange based on LWE and RLWE” filed June 4, 2014, which are incorporated herein by reference in their entirety and for all purposes.
The present disclosure is developed upon the U.S. provisional patent application with Ser. No. 61623272, entitled “New methods for secure communications and secure information systems”, filed April 12, 2012 and the PCT application with the same title and the PCT number PCT/CN2013/074053 filed on April 11, 2013.
This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, and authenticated key exchange systems which are based on essentially the same mathematical principle, pairing with errors.
In our modern communication systems like the Internet, cell phones, etc., to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and scalable key distribution (KD) system such that any two users can derive a shared key via the key distribution (KD) system established by the central server. Therefore it is important and desirable that we have secure and efficient KE systems and KD systems. The first KE system was proposed by Diffie and Hellman [DiHe], whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as shown in the work of Shor [SHO]. There are many key-distribution systems including the system using pairing over quadratic forms [BSHKVY], and the one based on bilinear pairing over elliptic curves by Boneh and Boyen (in USA Patent 7,590,236). But the existing systems have either the problem of computation efficiency or scalability. For instance, the bilinear pairing over elliptic curves is very computationally intensive.
In the second case, we use asymmetric systems, namely public key cryptographic systems, for encryption, where the receiver has a pair of a public key and a private key, and the sender has only the public key. The sender uses the public key to encrypt messages, the receiver uses the private key to decrypt the messages, and only the entity who has the private key can decrypt the messages. In a usual public key system, we need to make sure of the authenticity of the public keys and therefore each public key needs to have a certificate, which is a digital signature provided by a trusted central authority. The certificate is used to verify that the public key belongs to the legitimate user, the receiver of a message. To make a public key encryption system fully work, we need to use such a system, which is called a public key infrastructure (PKI) system.
In 1984, Shamir proposed another kind of public key encryption system [SHA]. In this new system, a person or an entity’s public key is generated with a public algorithm from the information that can identify the person or the entity uniquely. For example, in the case of a person, the information may include the person’s name, residential address, birthday, fingerprint information, e-mail address, social security number, etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
There are a few identity-based encryption (IBE) public key cryptosystems, and currently the (best) one being practically used is the IBE system based on bilinear pairing over elliptic curves invented by Boneh and Franklin (in USA Patent: 7,113,594). In IBE systems, a sender encrypts a message for a given receiver using the receiver’s public key based on the identity of the receiver. The receiver decrypts the message using the receiver’s private key. The receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely. An IBE system does not require the sender to search for the receiver’s public key; rather, a sender in an IBE system derives any receiver’s corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information. Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear pairing over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as shown in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
Clearly, there is still a need for more efficient and secure KE, KD and IBE systems for practical applications.
In 2011, Ding invented new key exchange systems which are based on the learning with errors (LWE) problem. He named the method pairing with errors (PWE). The U.S. provisional patent application with Ser. No. 61623272, entitled “New methods for secure communications and secure information systems”, filed April 12, 2012 and the PCT application with the same title and the PCT number PCT/CN2013/074053 filed on April 11, 2013 are based on this invention.
The PWE invention contains a novel method for two parties A and B to perform a secure KE over an open communication channel. This method is based on the computation of the pairing of the same bilinear form in two different ways, each with different small errors. In the KE process, each user will secretly choose a private matrix (SA and SB, respectively) with small entries following certain error distributions, and a public matrix M is chosen randomly. Then each user will compute the multiplication of the user’s secret matrix with the publicly chosen matrix but with small errors, exchange the new matrices, and then perform the computation of the pairing of SA and SB over the same bilinear form based on M in two different ways, each with different small errors. This kind of mathematical computation is named pairing with errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg]. The security of this system depends on the hardness of a certain lattice problem, which can be mathematically proven hard [DiLi]. This system involves only matrix multiplication and therefore is very efficient. Such a system can also resist future quantum computer attacks.
The PWE invention contains a novel method to build a KD system with a central server or authority. In this system, the central server or authority assigns to each user i as a public ID a matrix Ai with small entries, or establishes the ID of each user as a matrix Ai with small entries following certain error distributions from the information that can identify the user uniquely, and, in a secure way, gives each user a private key based on a certain multiplication of this ID matrix with the central server or authority’s secret master key M, another matrix, but with small errors. Then any two users in the system will compute the pairing of the two ID matrices of the users with the same bilinear form based on the master key matrix M in two different ways, each with different small errors, to derive a shared key between these two users with a certain rounding technique. This method can be viewed as an extension of the idea of the learning with errors problem discovered by Regev in 2005 [Reg]. The security of this system depends on the hardness of the problem related to pairing with errors. This system involves only matrix multiplication and therefore is very efficient.
This PWE invention contains a novel method to build an IBE system with a central server or authority. In this system, the central server or authority assigns to each user i as a public ID a matrix Ai with small entries following certain error distributions, or establishes the ID of each user as a matrix with small entries following certain error distributions from the information that can identify the user uniquely. Each user is given by the central server or authority a private key Si based on a certain multiplication of this ID matrix with the central server or authority’s master private key S, another matrix, but with errors related to one part of the master public key M, another matrix. The central server or authority will establish the other half of the master key as the multiplication of M and S with small errors, which we call M1. Then any user who wishes to send the user i a message in the system will compute the public key of i, which consists of M and a pairing of M and Ai of the bilinear form based on the master secret key matrix S, then encrypt the message using the encryption system based on the MLWE problem, and the user i will use the secret key Si to decrypt the message. This method can be viewed as an extension of the idea of the learning with errors problem discovered by Regev in 2005. The security of this system depends on the hardness of a certain lattice problem, which can be mathematically proven hard. This system involves only matrix multiplication and therefore is very efficient.
In the PWE inventions, one can replace matrices by elements of an ideal lattice, and we can also use other types of rounding techniques. One can also build the system in a distributed way where several servers can work together to build KD and IBE systems.
Overall, the PWE invention uses the same mathematical principle of pairing with errors, which can be viewed as an extension of the idea of the LWE problem, to build secure and more efficient KE, KD and IBE systems.
One shortcoming of the PWE invention is that the rounding technique could cause a small bias in the distribution of the derived keys. For the case of binary rounding, the shared keys may have a slightly higher probability to be 0 than to be 1, or the other way around. This is a property, though not necessarily bad in terms of security, which we would like to avoid.
In the case of the classical constructions, people improved further on the Diffie–Hellman key exchange to build new types of schemes, and a key construction is the case where people built Authenticated Key Exchange (AKE) , a class of KE protocols where each party is able to verify the other’s identity, so that an adversary cannot impersonate one party in the conversation. A key construction is the HMQV construction by Krawczyk, which is completely based on the Diffie–Hellman KE [Kraw] .
BRIEF SUMMARY OF THE INVENTION
This invention firstly contains a new robust (and randomized) extractor (RE) as a rounding technique that will ensure the final keys have no bias and therefore provides the highest security. This RE can be applied to the KE schemes and the KD schemes in the PWE invention. It is applicable for both the RLWE and LWE cases.
This invention secondly contains a construction of AKE, which is a direct improvement of the PWE invention of Ding along the same line as the HMQV construction over the Diffie–Hellman KE. This construction eliminates the man-in-the-middle attack with an authentication mechanism that does not use digital signatures, and therefore provides the highest security. Here, one uses the public keys in RLWE (LWE) without doing encryption and decryption.
Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives and modifications will become apparent to those who are skilled in the art of cryptography. Therefore, the preferred embodiments of the invention as set forth herein are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent applications: Ser. No. 61997523 entitled “A robust extractor to improve the Key exchange based on LWE and RLEW” filed June 4, 2014 and Ser. No. 61997524 entitled “An Authenticated Key Exchange based on LWE and RLWE” filed June 4, 2014.
DETAILED DESCRIPTION OF THE INVENTION
1.1 The basic idea of pairing with errors
The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg], and its extension, the ring learning with errors (RLWE) problem [LPR], have broad application in cryptographic constructions with good provable security properties. The main claim is that they are as hard as certain worst-case lattice problems, and hence the related cryptographic constructions are as well.
An LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution κ on the finite ring (field) Fq with q elements. To simplify the exposition, we will take q to be an odd prime, but we can also work with any whole number, with slight modifications.
In Fq, each element is represented by a member of the set {-(q-1)/2, ..., 0, ..., (q-1)/2}. In this exposition, by an “error distribution” we mean a distribution under which there is a high probability of selecting an element that is small. There are many such selections, and the selection directly affects the security of the system. One should select a good error distribution to make sure the system works well and securely.
Let ΠS, κ on Fq be the probability distribution obtained by selecting an element A in 
Figure PCTCN2015080697-appb-000001
randomly and uniformly, choosing e ∈ Fq according to κ, and outputting (A, <A, S> + e), where + is the addition performed in Fq. An algorithm solves the LWE problem with modulus q and error distribution κ if, for any S in
Figure PCTCN2015080697-appb-000002
with an arbitrary number of independent samples from ΠS, κ, it outputs S (with high probability) .
To achieve provable security of the related cryptographic constructions based on the LWE problem, one chooses q to be a specific polynomial function of n, which we denote as q(n), and κ to be a certain discrete version of the normal distribution centered around 0 with standard deviation
Figure PCTCN2015080697-appb-000003
which we denote as κσ, and elements of Fq are represented by integers in the range [- (q-1) /2, (q-1) /2] .
In the original encryption system based on the LWE problem, one can only encrypt one bit at a time; therefore the system is rather inefficient and has a large key size. To improve the efficiency of cryptosystems based on the LWE problem, a new problem, an LWE problem over a quotient ring of the polynomial ring Fq[x] [LPR], was proposed. This is called the ring LWE (RLWE) problem. The security of cryptosystems based on the RLWE problem is reduced to hard problems on a subclass of lattices, the class of ideal lattices, instead of general lattices.
Later, a new variant of LWE was proposed in [ACPS]. In this variant we replace the vector A with a matrix A of size m×n, and S with a matrix of size n×1, so that they are compatible for the matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We work over the same finite field with q elements.
To simplify the exposition, we will only present in detail the case where A is a square matrix of size n×n, and S and e are of size n×1.
Let
Figure PCTCN2015080697-appb-000004
over Fq be the probability distribution obtained by selecting an n×n matrix A, whose entries are each chosen in Fq uniformly and independently, choosing e as an n×1 vector over Fq with entries chosen according to a certain error distribution κn (for example, each entry follows an error distribution κ independently), and outputting (A, A×S+e), where + is the addition performed in
Figure PCTCN2015080697-appb-000005
An algorithm solves an LWE with modulus q and error distribution κn if, for any vector S in
Figure PCTCN2015080697-appb-000006
with any number of independent samples from
Figure PCTCN2015080697-appb-000007
it outputs S (with high probability) .
For the case where we choose a small S, namely entries of S chosen independently according to the error distribution κn as well, we call this problem a small LWE problem (SLWE). If we further impose the condition that A be symmetric, we call it a small symmetric LWE problem (SSLWE). If we choose the secret S randomly and independently from the set {-z, ..., 0, 1, ..., z} with z a fixed small positive integer, we call such a problem a uniformly small LWE problem (USLWE).
For practical applications, we can choose S and e with different kinds of error distributions.
Due to the results in [ACPS], we know that if the secret S’s coordinates and the error e’s entries are sampled independently from the LWE error distribution κσ, the corresponding LWE problem is as hard as LWE with a uniformly random secret S. This shows that the SLWE problem is as hard as the corresponding LWE problem. The same is true for the RLWE problem: if one can solve the ring LWE problem with a small secret, namely the element S being small, then one can solve it with a uniform secret.
We further extend the problem to a full matrix form.
Let
Figure PCTCN2015080697-appb-000008
be the probability distribution over Fq obtained by selecting an n×n matrix A, whose entries are each chosen in Fq uniformly and independently, choosing e as an n×n matrix over Fq with entries following a certain error distribution
Figure PCTCN2015080697-appb-000009
for example, a distribution whose entries are chosen according to the error distribution κ independently, and outputting (A, A×S+e), where + is the addition performed in
Figure PCTCN2015080697-appb-000010
An algorithm solves LWE with modulus q and error distribution
Figure PCTCN2015080697-appb-000011
if, for any n×n matrix S in
Figure PCTCN2015080697-appb-000012
with any number of independent samples from
Figure PCTCN2015080697-appb-000013
it outputs S (with a high probability) .
We call this problem matrix LWE problem (MLWE) . For the case where we choose a small S, namely entries of S also follow the error distribution
Figure PCTCN2015080697-appb-000014
we call this problem a small MLWE problem (SMLWE). If we further impose the condition that A be symmetric, we call it a small symmetric MLWE problem (SSMLWE). If we choose the secret S randomly and independently from the set {-z, ..., 0, 1, ..., z} with z a fixed small positive integer, we call such a problem a uniformly small MLWE problem (USMLWE). It is clear that the MLWE problem is nothing but n LWE problems put together, sharing the same matrix A. Therefore it is as hard as the corresponding LWE problem.
We can use different error distributions for S and e.
The mathematical principle behind our construction comes from the associativity of the multiplication of three matrices A, B and C:
A×B×C = (A×B)×C = A×(B×C).
Such a product can be mathematically viewed as computing the bilinear pairing of the row vectors of A with the column vectors of C.
For matrices A and C with small entries following certain error distributions, instead of computing this product directly, we can first compute
AB+EA,
then compute
(AB+EA)C or (AB+EA)C+EAC,
or we can first compute
BC+EB,
then compute
A(BC+EB) or A(BC+EB)+EBC,
where EA, EB, EAC, EBC are matrices with small entries following the same (or different) error distributions. Then we have two ways to compute the product ABC with small errors, that is, with a small difference between the two resulting matrices. We call such a computation pairing with errors. All our constructions depend on such a pairing with errors and on the fact that the two different pairings are close to each other if A and C are also small.
We can mathematically prove the theorem that an MLWE problem is as hard as the corresponding LWE problem with the same parameters. This provides the foundation of the provable security of our constructions.
1.2 The construction of the new KE systems based on pairing with errors using the new robust extractor
First we will present the original PWE construction.
Two parties Alice and Bob decide to do a key exchange (KE) over an open channel. This means that the communication between Alice and Bob is open to anyone, including malicious attackers. To simplify the exposition, we will assume in this part that all matrices involved are n×n matrices. They do not have to be, and they can be matrices of any size, except that we need to choose compatible sizes so that the matrix multiplications performed are well defined.
Their key exchange protocol goes step by step as follows.
(1) Alice and Bob will first publicly select Fq, n and an n×n matrix M over Fq uniformly and randomly, where q is of the size of a polynomial in n, for example q ≈ n^3, and an error distribution
Figure PCTCN2015080697-appb-000015
to be a distribution over n×n matrices over Fq, for example, a distribution in which the components are independent and each component follows a certain error distribution like the discrete error distribution κσ in the case of LWE, namely a discrete normal distribution over Fq centered around 0 with standard deviation approximately
Figure PCTCN2015080697-appb-000016
All the information above is public. They jointly and publicly choose a small (prime) integer t (t<<n) .
(2) Then each party chooses its own secret Si (i=A, B) as an n×n matrix chosen according to the error distribution
Figure PCTCN2015080697-appb-000017
and ei also as an n×n matrix following the error distribution. For Alice, she computes
MA=MSA+teA,
where t is a small integer (t<<n).
For Bob, he computes
MB=MtSB+teB, where Mt is the transpose of M.
(3) Both parties exchange Mi over the open communication channel. This means both Mi (i=A, B) are public, but Si and ei (i=A, B) are kept secret.
(4) Alice computes:
Figure PCTCN2015080697-appb-000018
Bob computes:
Figure PCTCN2015080697-appb-000019
(5) Both of them will perform a rounding technique to derive the shared key as follows:
(a) Bob will make a list T1 of all positions of the entries of KB that are in the range [-(q-1)/4, (q-1)/4] and a list T2 of all positions that are not in that range. Then Bob will send the list T1 to Alice.
(b) Then each party will compute the residues modulo t of the entries at the positions in T1; for the entries at the positions in T2, they will first add (q-1)/2 to each entry and reduce modulo q (into the range [-(q-1)/4, (q-1)/4]), then compute the residue modulo t. That gives a shared key between these two users.
Here Si and ei can follow different kinds of error distributions.
The rounding technique in Step 5 above could derive keys with a small bias. In the case where t is 2, this means there is a bias toward either 0 or 1.
We first present an RE for the case t=2, which eliminates the bias.
We now define two “signal” functions, which are crucial in our construction. For a prime q>2, we define σ0(x), σ1(x) from Fq to {0, 1} as follows.
Figure PCTCN2015080697-appb-000020
We also define a randomized Key algorithm from Fq to {0, 1} as follows:
Figure PCTCN2015080697-appb-000021
When we define the functions σ0 and σ1, we can modify the corresponding intervals
Figure PCTCN2015080697-appb-000022
and
Figure PCTCN2015080697-appb-000023
slightly, by making them slightly bigger or smaller, or by shifting them slightly to the left or to the right.
Then step 5 above can be replaced by a new rounding technique for t=2, which we call a robust extractor, and which works as follows:
Robust Extractor Step:
(1) Bob will randomly apply either signal function σ0 or σ1 to all the entries of KB, make a list T1 of all positions of the entries of KB whose signal value is 0 and a list T2 of all positions whose signal value is 1. Then Bob will send the list T1 to Alice.
(2) Then each party will compute the residues modulo t=2 of the entries at the positions in T1; for the entries not in T1, that is, those in T2, they will add (q-1)/2 to each entry and compute the residue modulo q first, then the residue modulo t. That gives a shared key between these two users.
We notice that step (2) of the RE Step is the same as applying the function Key(x).
For t≠2, we can easily build a robust extractor using the same idea, namely using several σi, i=0, ..., t-1, and applying them at random.
We note here that we can also choose rectangular matrices for the construction as long as we make sure the sizes match for the matrix multiplications, but parameters need to be chosen properly to ensure security.
Similarly, as in the PWE construction, we can build a key exchange system based on the ring learning with errors problem (RLWE) [LPR]; we will use a variant of the RLWE problem described in [LNV].
For the RLWE problem, we consider the rings
Figure PCTCN2015080697-appb-000024
and
Figure PCTCN2015080697-appb-000025
where f (x) is a degree n polynomial in
Figure PCTCN2015080697-appb-000026
Figure PCTCN2015080697-appb-000027
is the ring of integers, and q is a prime integer. Here q is an odd (prime), and elements in
Figure PCTCN2015080697-appb-000028
are represented by the elements -(q-1)/2, ..., -1, 0, 1, ..., (q-1)/2, which can be viewed as elements in
Figure PCTCN2015080697-appb-000029
when we talk about norm of an element. Any element in
Figure PCTCN2015080697-appb-000030
is represented by a degree n-1 polynomial, which can also be viewed as a vector with its corresponding coefficients as its entries. For an element
a(x) = a0 + a1 x + ... + a_{n-1} x^{n-1},
we define
||a|| = max |ai|,
the l∞ norm of the vector (a0, a1, ..., a_{n-1}), and we treat this vector as an element in
Figure PCTCN2015080697-appb-000031
and ai an element in 
Figure PCTCN2015080697-appb-000032
We can also choose q to be an even positive number, in which case things need slight modification.
The RLWEf,q,χ problem is parameterized by a polynomial f(x) of degree n, a prime number q and an error distribution χ over
Figure PCTCN2015080697-appb-000033
It is defined as follows.
Let the secret s be an element in
Figure PCTCN2015080697-appb-000034
a uniformly chosen random ring element. The problem is to find s, given any polynomial number of samples of pairs
(ai, bi = ai×s + ei),
where ai is uniformly random in Rq and ei is selected following a certain error distribution χ.
The hardness of such a problem is based on the fact that the bi are computationally indistinguishable from uniform in Rq. One can show [LPR] that solving the RLWEf,q,χ problem above gives a quantum algorithm that solves short vector problems on ideal lattices with related parameters. We believe that the latter problem is exponentially hard.
We will here again use the facts in [ACPS], [LPR] that the RLWEf,q,χ problem is equivalent to a variant where the secret s is sampled from the error distribution χ rather than being uniform in
Figure PCTCN2015080697-appb-000035
and the error elements ei are multiples of some small integer t.
To derive provable security, we need to consider the RLWE problem with specific choices of parameters.
·We choose f(x) to be the cyclotomic polynomial x^n+1 for n=2^u, a power of two;
·The error distribution χ is the discrete Gaussian distribution
Figure PCTCN2015080697-appb-000036
for some
Figure PCTCN2015080697-appb-000037
Figure PCTCN2015080697-appb-000038
·q ≡ 1 (mod 2n), with q a polynomial in n, q ≈ n^3;
·t a small prime with t<<n<<q.
We can also use other parameters for practical applications.
There are two key facts in the RLWEf, q, χ setting defined above, which are needed for our key exchange system.
(1) The length of a vector drawn from a discrete Gaussian with standard deviation σ is bounded by σn, namely,
Pr(|X| > σn) ≤ 2^(-n+1),
for X chosen according to χ.
(2) The multiplication in the ring
Figure PCTCN2015080697-appb-000039
increases the norm relative to the norms of the constituent elements only by a reasonable factor, that is,
|X×Y (mod f(x))| ≤ n|X||Y|,
for
Figure PCTCN2015080697-appb-000040
and the norm is the l∞ norm defined above.
With the RLWEf,q,χ setting above, we are now ready for two parties Alice and Bob to perform a key exchange over an open channel. It goes step by step as follows:
(1) Alice and Bob will first publicly select all the parameters for RLWEf,q,χ, including q (≈ n^3 or a similar polynomial function of n), n, f(x) and χ. In addition, they will select a random element M over Rq uniformly. All the information above is public.
(2) Then each party chooses its own secret si as an element in Rq according to the error distribution χ, and ei independently also as an element following the error distribution χ; they jointly choose a small prime integer t (t<<n).
For Alice, she computes
MA=MsA+teA,
where t is a small integer (t<<n) .
For Bob, he computes
MB=MsB+teB.
(3) Both parties exchange Mi. This means both Mi are public, but si and ei are certainly kept secret.
(4) Alice computes:
KA=sA×MB=sAMsB+teBsA.
Bob computes:
KB=MA×sB=sAMsB+teAsB.
(5) Both of them will perform a rounding technique to derive the shared key as follows:
(a) Bob will then make a list of size n consisting of pairs of the form (i, j), where i=0, ..., n-1, and j=1 if the x^i coefficient of KB is in the range [-(q-1)/4, (q-1)/4], otherwise j=0.
(b) Then Bob will send this list to Alice. Then each will compute the residue of the corresponding entries modulo t in the following way:
for an element of the list (i, j),
1) if j=1, each will compute the i-th entry of KA and KB modulo t respectively;
2) if j=0, each will add (q-1)/2 to the i-th entry of KA and KB modulo q, back into the range [-(q-1)/4, (q-1)/4], then compute the residues modulo t.
We can use different distributions for si and ei.
That will give a shared key between these two users. We call this system an RLWE key exchange system. We can deduce that there is a very low probability of failure of this key exchange system. We note here that the commutativity and the associativity of the ring
Figure PCTCN2015080697-appb-000041
play a key role in this construction.
We can apply the RE technique to replace the last step as well, which can be described as follows for the case t=2:
Robust Extractor Step for RLWE
(1) Bob will then make a list of size n consisting of pairs of the form (i, j), where i=0, ..., n-1, and j=σb(ai), where ai is the x^i coefficient of KB and b is randomly chosen to be 0 or 1.
(2) Then Bob will send this list to Alice. Then each will compute the residue of the corresponding entries modulo t in the following way:
for an element of the list (i, j),
1) if j=0, each will compute the i-th entry of KA and KB modulo t=2 respectively;
2) if j=1, each will add (q-1)/2 to the i-th entry of KA and KB modulo q, back into the range [-(q-1)/4, (q-1)/4], then compute the residues modulo t.
In terms of security analysis, we can show the provable security of the system following the hardness of the RLWEf, q, χ problem by using a similar PEP over the ring Rq [DiLi] .
The same RE can be applied directly to the KD in the PWE invention.
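As an added example (not code from the patent), the following Python runs the RLWE key exchange of steps (1) to (5) above with the t=2 robust extractor in place of step 5, and counts exactly how the key bits are distributed under the fixed σ0 rounding versus the random choice between σ0 and σ1. The ring dimension n=128, the modulus q=7681 and the {-1, 0, 1} coefficient distribution standing in for the discrete Gaussian χ are constructed toy choices, not a secure parameter set; σ1 is taken to be σ0 with its interval shifted right by one, one instance of the slightly modified interval the text allows.

```python
"""Added example (not code from the patent): the RLWE key exchange of
Section 1.2 with the t = 2 robust extractor, plus an exact count that shows
why choosing sigma_0 or sigma_1 at random removes the bias of the fixed
rounding.  Parameters and the {-1,0,1} error distribution are constructed
toy choices, small enough that correctness holds on every run."""
import random

N = 128      # ring dimension, a power of two (toy choice)
Q = 7681     # odd prime with Q = 1 (mod 2N) (toy choice)
T = 2        # the small integer t multiplying the error terms


def centered(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= q
    return x - q if x > (q - 1) // 2 else x


def ring_mul(a, b):
    """Schoolbook product in R_q = Z_q[x]/(x^N + 1), using x^N = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    res[i + j] = (res[i + j] + ai * bj) % Q
                else:
                    res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res


def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def small(rng):
    """Stand-in for the discrete Gaussian chi: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def sigma(b, x, q=Q):
    """Signal functions: sigma_0 is 0 on [-floor(q/4), floor(q/4)] and 1
    elsewhere; sigma_1 uses the same window shifted one place to the right
    (one instance of the "slightly modified interval" in the text)."""
    return 0 if -(q // 4) + b <= centered(x, q) <= q // 4 + b else 1


def key_bit(x, w, q=Q):
    """Key(x) for t = 2: add (q-1)/2 when the signal w is 1, reduce mod q
    to the centered range, then take the residue modulo 2."""
    return centered(x + w * ((q - 1) // 2), q) % 2


def rlwe_key_exchange(seed=0):
    """Steps (1)-(5) with the robust extractor; returns (key_A, key_B)."""
    rng = random.Random(seed)
    m = [rng.randrange(Q) for _ in range(N)]                 # (1) public M
    s_a, e_a = small(rng), small(rng)                        # (2) Alice's secrets
    s_b, e_b = small(rng), small(rng)                        #     Bob's secrets
    m_a = ring_add(ring_mul(m, s_a), [T * c for c in e_a])   # M_A = M s_A + t e_A
    m_b = ring_add(ring_mul(m, s_b), [T * c for c in e_b])   # M_B = M s_B + t e_B
    # (3) M_A and M_B are exchanged in the clear.
    k_a = ring_mul(s_a, m_b)          # (4) K_A = s_A M s_B + t e_B s_A
    k_b = ring_mul(m_a, s_b)          #     K_B = s_A M s_B + t e_A s_B
    # (5) Bob applies sigma_0 or sigma_1, chosen at random per coefficient,
    # and sends the list of signal bits w to Alice.
    w = [sigma(rng.randrange(2), x) for x in k_b]
    key_b = [key_bit(x, wi) for x, wi in zip(k_b, w)]
    key_a = [key_bit(x, wi) for x, wi in zip(k_a, w)]
    return key_a, key_b


def key_bit_counts(q, randomised):
    """Exact (#zeros, #ones) of Key(x) over every x in Z_q.  With
    randomised=False only sigma_0 is used (the original step 5 rounding);
    with randomised=True both signal functions are counted, i.e. the
    choice b is uniform and independent of x."""
    zeros = ones = 0
    for x in range(q):
        for b in ((0, 1) if randomised else (0,)):
            if key_bit(x, sigma(b, x, q), q) == 0:
                zeros += 1
            else:
                ones += 1
    return zeros, ones


if __name__ == "__main__":
    ka, kb = rlwe_key_exchange()
    print("keys agree:", ka == kb)
    print("fixed sigma_0 over Z_q:", key_bit_counts(Q, False))
    print("random sigma_b over Z_q:", key_bit_counts(Q, True))
```

With these choices every coefficient of KA-KB is at most 4n=512 in absolute value, well below (q-1)/4, so the two keys agree on every run. Over all of Fq the fixed σ0 rounding yields 3841 zeros to 3840 ones, the bias the text describes; averaging over the random choice of b gives exactly q of each.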
1.3 New AKE based on RLWE and LWE
We can extend the HMQV construction in parallel, based on the KE from LWE and RLWE of the PWE constructions. To simplify the exposition, we will use the RLWE case to demonstrate the construction; the LWE case is built in the same way.
Again, we set n to be a power of 2, and
Figure PCTCN2015080697-appb-000042
the finite ring (or field) and let 
Figure PCTCN2015080697-appb-000043
and
Figure PCTCN2015080697-appb-000044
analogously. For any element y (x) in R (or Rq) , we identify y with its coefficient vector in
Figure PCTCN2015080697-appb-000045
 (or 
Figure PCTCN2015080697-appb-000046
) .
For any
Figure PCTCN2015080697-appb-000047
and
Figure PCTCN2015080697-appb-000048
the ring of real numbers, the discrete Gaussian distribution
Figure PCTCN2015080697-appb-000049
is defined as the distribution of
Figure PCTCN2015080697-appb-000050
where Y is distributed according to a Gaussian distribution with standard deviation α centered on c. For
Figure PCTCN2015080697-appb-000051
Figure PCTCN2015080697-appb-000052
the spherical discrete Gaussian distribution
Figure PCTCN2015080697-appb-000053
over
Figure PCTCN2015080697-appb-000054
is defined as the distribution where the i-th coordinate is distributed according to
Figure PCTCN2015080697-appb-000055
If the center c is zero, we denote the distribution
Figure PCTCN2015080697-appb-000056
as χα. We use bold-face variables to denote vectors, and x←r χα means we sample the vector x from the distribution χα; for an element y∈R, by y←r χα, we mean that we sample an element of R whose coefficient vector is distributed according to χα.
We will use the normal form of the RLWE, where the secret s also is chosen according to the error distribution χβ.
For an odd prime q>2, we use the notation that
Figure PCTCN2015080697-appb-000057
and set the subset
Figure PCTCN2015080697-appb-000058
as the middle half of 
Figure PCTCN2015080697-appb-000059
We define Sig to be the characteristic function of the complement of E, so Sig (v) =0 if v∈E and 1 otherwise. It is easy to verify that for any v in
Figure PCTCN2015080697-appb-000060
Figure PCTCN2015080697-appb-000061
mod q belongs to E. We define an auxiliary modular function, Mod2:
Figure PCTCN2015080697-appb-000062
Figure PCTCN2015080697-appb-000063
We further extend the definitions of Sig and Mod2 to
Figure PCTCN2015080697-appb-000064
by applying them entry-wise to vectors.
The AKE can be described as follows:
Setup: We choose n to be a power of 2, and q = 2^(ω(log n)) to be an odd prime such that q mod 2n = 1. Take
Figure PCTCN2015080697-appb-000065
and
Figure PCTCN2015080697-appb-000066
as above. For
Figure PCTCN2015080697-appb-000067
let
Figure PCTCN2015080697-appb-000068
be a hash function with output distribution χγ. Let H2: {0,1}^* → {0,1}^κ be the key derivation function, where κ is the bit-length of the final shared key. Let χα, χβ be two discrete Gaussian distributions with parameters
Figure PCTCN2015080697-appb-000069
There are 2 parties in our AKE: Party i and Party j. Let pi=asi+2ei∈Rq be party i’s static public key, where si is the corresponding 
Figure PCTCN2015080697-appb-000070
static secret key; both si and ei are taken from the distribution χα. Similarly, party j has static public key pj=asj+2ej and static secret key sj.
Initiation: Party i randomly samples ri, fi, gi ←r χβ and computes xi = a ri + 2 fi, which he sends to party j.
Response: Party j receives xi from party i, randomly samples rj, fj, gj ←r χβ and computes yj = a rj + 2 fj, similar to xi. Party j also computes c = H1(i, j, xi), d = H1(j, i, yj, xi), and kj = (pi c + xi)(sj d + rj) + 2 gj using xi. Note that c and d are both distributed according to χγ. Next, party j computes wj = Sig(kj) ∈ {0,1}^n and sends the pair (yj, wj) to party i. Lastly, party j computes σj = Mod2(kj, wj) and derives the session key skj = H2(i, j, xi, yj, wj, σj).
Finish: Party i receives the pair (yj, wj) and uses it to compute c = H1(i, j, xi), d = H1(j, i, yj, xi), and ki = (pj d + yj)(si c + ri) + 2 gi. The quantities c and d are the same as those computed by party j. Finally, party i computes σi = Mod2(ki, wj) and derives the session key ski = H2(i, j, xi, yj, wj, σi).
The protocol consists of the steps above, illustrated in Figure 1.
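As an added example (not the patent's code), the following Python runs the four AKE steps between party i and party j, with Sig and Mod2 as defined above, and checks that both sides derive the same session key. The toy parameters (n=128, q=65537, errors with coefficients in {-1, 0, 1} standing in for χα, χβ and χγ) and the construction of H1 (SHA-256 over identities and transcript, expanded into a small ring element) and H2 (SHA-256) are assumptions of this example; they are not a secure instantiation.

```python
"""Added example (not code from the patent): the RLWE AKE of Section 1.3
with the Sig and Mod2 functions, run end to end between party i and
party j.  Toy parameters and a {-1,0,1} error distribution, chosen so the
arithmetic is easy to follow; they are not a secure parameter set."""
import hashlib
import random

N = 128               # ring dimension, a power of two (toy choice)
Q = 65537             # odd prime with Q = 1 (mod 2N); 2^16 + 1 (toy choice)
HALF = (Q - 1) // 2   # the (q-1)/2 that Mod2 adds when the signal bit is 1


def centered(x):
    """Representative of x mod Q in [-(Q-1)/2, (Q-1)/2]."""
    x %= Q
    return x - Q if x > HALF else x


def ring_mul(a, b):
    """Schoolbook product in R_q = Z_q[x]/(x^N + 1), using x^N = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    res[i + j] = (res[i + j] + ai * bj) % Q
                else:
                    res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res


def ring_add(*polys):
    return [sum(cs) % Q for cs in zip(*polys)]


def small(rng):
    """Stand-in for chi_alpha / chi_beta: coefficients uniform in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def encode(poly):
    """Canonical byte encoding of a ring element, for hashing."""
    return b"".join((c % Q).to_bytes(4, "big") for c in poly)


def h1(*parts):
    """H1: hash the identities and transcript, then expand the digest into a
    small ring element (assumed stand-in for an output distributed as chi_gamma)."""
    digest = hashlib.sha256(b"H1|" + b"|".join(parts)).digest()
    return small(random.Random(int.from_bytes(digest, "big")))


def h2(*parts):
    """H2: key derivation function giving a 256-bit session key."""
    return hashlib.sha256(b"H2|" + b"|".join(parts)).digest()


def sig(k):
    """Sig: 0 where the centered coefficient lies in E = [-floor(q/4), floor(q/4)], 1 otherwise."""
    return bytes(0 if -(Q // 4) <= centered(c) <= Q // 4 else 1 for c in k)


def mod2(k, w):
    """Mod2(v, w) = ((v + w*(q-1)/2) mod q) mod 2, applied coefficient-wise."""
    return bytes(centered(c + wi * HALF) % 2 for c, wi in zip(k, w))


def run_ake(seed=0, wrong_static_key=False):
    """Run Setup / Initiation / Response / Finish and return (sk_i, sk_j).
    With wrong_static_key=True party i finishes with a fresh secret instead
    of s_i, which shows that the session key depends on the static key."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]          # public uniform a in R_q
    idi, idj = b"party-i", b"party-j"
    # Setup: static key pairs p = a*s + 2*e for both parties
    s_i, e_i = small(rng), small(rng)
    p_i = ring_add(ring_mul(a, s_i), [2 * c for c in e_i])
    s_j, e_j = small(rng), small(rng)
    p_j = ring_add(ring_mul(a, s_j), [2 * c for c in e_j])
    # Initiation: party i sends x_i = a*r_i + 2*f_i
    r_i, f_i, g_i = small(rng), small(rng), small(rng)
    x_i = ring_add(ring_mul(a, r_i), [2 * c for c in f_i])
    # Response: party j sends y_j = a*r_j + 2*f_j and the signal w_j = Sig(k_j)
    r_j, f_j, g_j = small(rng), small(rng), small(rng)
    y_j = ring_add(ring_mul(a, r_j), [2 * c for c in f_j])
    c = h1(idi, idj, encode(x_i))
    d = h1(idj, idi, encode(y_j), encode(x_i))
    k_j = ring_add(ring_mul(ring_add(ring_mul(p_i, c), x_i),
                            ring_add(ring_mul(s_j, d), r_j)),
                   [2 * g for g in g_j])
    w_j = sig(k_j)
    sk_j = h2(idi, idj, encode(x_i), encode(y_j), w_j, mod2(k_j, w_j))
    # Finish: party i recomputes c, d and k_i from (y_j, w_j)
    c2 = h1(idi, idj, encode(x_i))
    d2 = h1(idj, idi, encode(y_j), encode(x_i))
    s_fin = small(rng) if wrong_static_key else s_i
    k_i = ring_add(ring_mul(ring_add(ring_mul(p_j, d2), y_j),
                            ring_add(ring_mul(s_fin, c2), r_i)),
                   [2 * g for g in g_i])
    sk_i = h2(idi, idj, encode(x_i), encode(y_j), w_j, mod2(k_i, w_j))
    return sk_i, sk_j


if __name__ == "__main__":
    sk_i, sk_j = run_ake()
    print("session keys agree:", sk_i == sk_j, sk_i.hex())
```

Party j's session key depends on sj and party i's on si through the products (pi c + xi)(sj d + rj) and (pj d + yj)(si c + ri): finishing with any secret other than si yields a different σ and therefore a different session key, which is what the authentication rests on. With the toy noise the coefficients of ki-kj stay far inside the (q-1)/4 window, so the Sig bits from party j let both sides land on the same Mod2 output.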
The distribution of the public keys can be done by a central party such as a public key infrastructure, or each user can generate its own key in such a way that others can authenticate it by a digital signature or a similar mechanism.
We can apply the RE method to the AKE by replacing the Sig function with the random selection of σ0 and σ1.
The multiple of 2 on the error terms can be replaced by a small integer t.
The selection of error distributions and parameters can be replaced by similar distributions and parameters that have the necessary basic properties.
The error terms gi can be removed or replaced by terms with other error distributions.
We can build a parallel AKE based on LWE using matrices.
The procedure for two users i and j to derive a shared key can be modified such that the roles of i and j are exchanged.
Furthermore, the rounding technique used to derive the shared key can be replaced by a similar method with a similar signal function.
Figure PCTCN2015080697-appb-000071
Figure 1. AKE based on RLWE.
LITERATURE CITED
[ABB] S. Agrawal, D. Boneh, X. Boyen: Efficient Lattice (H)IBE in the Standard Model. In Proceedings of Eurocrypt 2010, Lecture Notes in Computer Science, Volume 6110, pp. 553-572, 2010.
[ABVVW] S. Agrawal, X. Boyen, V. Vaikuntanathan, P. Voulgaris, H. Wee: Fuzzy Identity Based Encryption from Lattices. IACR Cryptology ePrint Archive 2011: 414, 2011.
[ACPS] B. Applebaum, D. Cash, C. Peikert, A. Sahai: Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. Advances in Cryptology, CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677, pp. 595-618, 2009.
[BKPW] M. Bellare, E. Kiltz, C. Peikert, B. Waters: Identity-Based (Lossy) Trapdoor Functions and Applications. In Proceedings of EUROCRYPT 2012, Lecture Notes in Computer Science, Volume 7237, pp. 228-245, 2012.
[BSHKVY] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung: Perfectly-Secure Key Distribution for Dynamic Conferences. In Advances in Cryptology, Crypto 92, Lecture Notes in Computer Science, Volume 740, pp. 471-486, 1993.
[BKW] A. Blum, A. Kalai, H. Wasserman: Noise-tolerant learning, the parity problem, and the statistical query model. Journal of the ACM, 50(4), pp. 506-519, 2003.
[COP] D. Coppersmith, S. Winograd: Matrix multiplication via arithmetic progressions. Journal of Symbolic Computation, Special issue on computational algebraic complexity, 9(3), pp. 251-280, 1990.
[DiHe] W. Diffie, M. Hellman: New directions in cryptography. IEEE Transactions on Information Theory, 22(6), pp. 644-654, 1976.
[DiLi] J. Ding, X. Lin: A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem. Cryptology ePrint Archive, Report 2012/688, 2012.
[Kraw] H. Krawczyk: HMQV: A high-performance secure Diffie-Hellman protocol. In CRYPTO 2005, pp. 546-566, 2005.
[LNV] K. Lauter, M. Naehrig, V. Vaikuntanathan: Can Homomorphic Encryption be Practical? Cryptology ePrint Archive, Report 2011/405, 2011, http://eprint.iacr.org.
[LPR] V. Lyubashevsky, C. Peikert, O. Regev: On ideal lattices and learning with errors over rings. In Eurocrypt 2010.
[Reg] O. Regev: On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC 2005, ACM, pp. 84-93, 2005.
[SHA] A. Shamir: Identity-based cryptosystems and signature schemes. In Advances in Cryptology, Crypto '84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, pp. 47-53, 1984.
[SHO] P. Shor: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26, pp. 1484-1509, 1997.
[STR] V. Strassen: Gaussian Elimination is not Optimal. Numerische Mathematik, 13, pp. 354-356, 1969.

Claims (18)

  1. Claim 1. Method for an improved key exchange based on LWE over an open channel between a first party A and a second party B using an RE rounding technique, comprising:
    (1) openly selecting, by Party A and Party B together, parameters n, q and a small whole number t (t<<n), where q is an odd prime, and an error distribution
    Figure PCTCN2015080697-appb-100001
    to be a distribution over n×n matrices over Fq, and an n×n matrix M over Fq uniformly and randomly, where q is of the size of a polynomial in n like n^3, and elements of Fq are represented by integers in the range [-(q-1)/2, (q-1)/2];
    (2) choosing, by each party privately, its own secret matrix Si (i=A, B), an n×n matrix chosen according to the error distribution
    Figure PCTCN2015080697-appb-100002
    and error matrix ei (i=A, B) as an n×n matrix following the error distribution
    Figure PCTCN2015080697-appb-100003
    computing by Party A
    MA=MSA+teA,
    where t=2 is a small integer (t<<n);
    computing by Party B
    MB=MtSB+teB.
    (3) Both parties exchange Mi in the open communication channel;
    (4) computing by Party A:
    Figure PCTCN2015080697-appb-100004
    computing by Party B:
    Figure PCTCN2015080697-appb-100005
    (5) performing by both Party A and Party B a RE rounding technique to derive the shared key, comprising:
    (a) Bob will randomly apply either signal function σ0 or σ1 to all the entries of KB and make a list T1 of all positions of the entries of KB whose signal value is 0 and a list T2 of all positions whose signal value is 1. Here σ0(x), σ1(x) from Fq to {0, 1} are defined as follows.
    Figure PCTCN2015080697-appb-100006
    Then Bob will send to Alice the list T1.
    (b) Then each party will compute the residues modulo t=2 of the entries at the positions in T1; for the entries not in T1, that is, those in T2, they will add (q-1)/2 to each entry and compute the residue modulo q first, then the residue modulo t. That gives a shared key between these two users.
  2. Claim 2. Method for two parties Alice and Bob to do an improved key exchange based on RLWE with an RE rounding technique, comprising
    (1) Alice and Bob will first publicly select all the parameters for RLWEf,q,χ as defined in the description, including q (≈ n^3 or similar polynomial functions of n), n, f(x) and χ. In addition, they will select a random element M over
    Figure PCTCN2015080697-appb-100007
    uniformly. All the information above is public.
    (2) Then each party chooses its own secret si as an element in
    Figure PCTCN2015080697-appb-100008
    according to the error distribution χ, and ei independently also as an element following the error distribution χ, but jointly choose a small prime integer t=2 (t<<n). For Alice, she computes
    MA=MsA+teA,
    where t is a small integer (t<<n) .
    For Bob, he computes
    MB=MsB+teB.
    (3) Both parties exchange Mi. This means both Mi are public, but certainly keep si and ei secret.
    (4) Alice computes:
    KA=sA×MB=sAMsB+teBsA.
    Bob computes:
    KB=MA×sB=sAMsB+teAsB.
    (5) Both of them will perform an RE rounding technique to derive the shared key as follows:
    (a) Bob will then make a list of size n, and this list consists of pairs of the form (i, j), where i=0, ..., n-1, and j=σb(ai), where ai is the x^i coefficient of KB, b is randomly chosen to be 0 or 1, and Sig0 and Sig1 are defined in Claim 1.
    (b) Then Bob will send this list to Alice. Then each will compute the residue of the corresponding entries modulo t in the following way:
    for an element of the list (i, j) ,
    1) if j=0, each will compute the i-th entry of KA and KB modulo t=2 respectively;
    2) if j=1, each will add (q-1)/2 to the i-th entry of KA and KB modulo q back into the range [-(q-1)/4, (q-1)/4], then compute the residues modulo t.
  3. Claim 3. Method for an authenticated key exchange for party i and party j based on RLWE, comprising:
    Setup Step: Both parties choose n to be a power of 2, and q = 2^(ω(log n)) to be an odd prime such that q mod 2n = 1. Select
    Figure PCTCN2015080697-appb-100009
    and
    Figure PCTCN2015080697-appb-100010
    For 
    Figure PCTCN2015080697-appb-100011
    select H1:
    Figure PCTCN2015080697-appb-100012
    be a hash function with output distribution χγ. (For example, one can take a function such as SHA-2 to obtain a uniformly random string, and then use that to sample from
    Figure PCTCN2015080697-appb-100013
    .) Select H2: {0,1}* → {0,1}^k to be the key derivation function, where k is the bit-length of the final shared key. Select χα, χβ to be two discrete Gaussian distributions with parameters α,
    Figure PCTCN2015080697-appb-100014
    Party i selects pi=asi+2ei∈Rq as party i's static public key, where si is the corresponding static secret key; both si and ei are taken from the distribution χα. Party j has static public key pj=asj+2ej and static secret key sj.
    Initiation Step: Party i randomly samples ri, fi, gi ←r χβ and computes xi=ari+2fi, which he sends to party j.
    Response Step: Party j receives xi from party i, randomly samples rj, fj, gj ←r χβ and computes yj=arj+2fj, similar to xi. Party j also computes c=H1(i, j, xi), d=H1(j, i, yj, xi), and kj=(pic+xi)(sjd+rj)+2gj using xi. Note that c and d are both distributed according to χγ. Next, party j computes wj=Sig(kj)∈{0,1}^n and sends the pair (kj, wj) to party i. Lastly, party j computes σj=Mod2(kj, wj) and derives the session key skj=H2(i, j, xi, yj, wj, σj). Here Sig is the characteristic function over the polynomial ring, applied to each coefficient as
    Figure PCTCN2015080697-appb-100015
    where bl is 0 if ai∈E and 1 otherwise, where
    Figure PCTCN2015080697-appb-100016
    and Mod2:
    Figure PCTCN2015080697-appb-100017
    is given as:
    Figure PCTCN2015080697-appb-100018
    Finish Step: Party i receives the pair (yj, wj), and uses it to compute c=H1(i, j, xi), d=H1(j, i, yj, xi), and ki=(pjd+yj)(sic+ri)+2gi. The quantities c and d are the same as computed by party j. Finally, party i computes σi=Mod2(ki, wj) and derives the session key ski=H2(i, j, xi, yj, wj, σi).
  4. Claim 4. The method according to Claim 1, wherein t can be a different small integer than 2 and the RE will be modified accordingly using several σi, i=0, ..., t-1, and randomly applying them.
  5. Claim 5. The method according to Claim 2, wherein t can be a different small integer than 2 and the RE will be modified accordingly using several σi, i=0, ..., t-1, and randomly applying them.
  6. Claim 6. The method for a new KD by applying the RE rounding technique to the KD in the original PWE invention in the U.S. provisional patent application with Ser. No. 61623272, entitled "New methods for secure communications and secure information systems", filed April 12, 2012, and the PCT application with the same title and PCT number PCT/CN2013/074053, filed on April 11, 2013.
  7. Claim 7. The method according to Claim 3, wherein we can apply the RE rounding technique to the AKE by replacing the Sig function with the random selection of Sig0 and Sig1 as defined in Claim 1.
  8. Claim 8. The method according to Claim 3, wherein t can be a different small integer than 2.
  9. Claim 9. The method according to Claim 3, wherein t can be a different small integer than 2 and the RE will be modified accordingly using several σi, i=0, ..., t-1, and randomly applying them.
  10. Claim 10. The method according to Claim 3, wherein we can use the LWE instead of RLWE, and/or we can use a small integer t other than 2.
  11. Claim 11. The method according to Claim 3, wherein we can use the LWE instead of RLWE, and t can be a different small integer than 2 and the RE will be modified accordingly using several σi, i=0, ..., t-1, and randomly applying them.
  12. Claim 12. The method according to Claim 3, wherein we can use the LWE instead of RLWE, and we can apply the RE rounding technique to the AKE by replacing the Sig function with the random selection of Sig0 and Sig1.
  13. Claim 13. The method according to Claim 3, wherein the procedure for two users i and j to derive a shared key is modified such that the roles of i and j are exchanged.
  14. Claim 14. The method according to Claim 3, wherein the rounding technique is replaced with another rounding technique using a signal function.
  15. Claim 15. The method according to Claim 1, 2 or 3, wherein the intervals used to define the signal function can be modified slightly, such as making them slightly bigger or smaller or shifting them slightly to the left or the right.
  16. Claim 16. The method according to Claim 3, wherein the selection of error distributions and parameters can be replaced by similar distributions and parameters with the necessary basic property to make the system work.
  17. Claim 17. The method according to Claim 3, wherein the error terms gi and gj can be removed or replaced by terms with other error distributions.
  18. Claim 18. The method according to Claim 3, wherein the rounding technique in deriving the shared key can be replaced by a similar method with a similar signal function.
PCT/CN2015/080697 2014-06-04 2015-06-03 Improvements on cryptographic systems using pairing with errors WO2015184991A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201461997523P 2014-06-04 2014-06-04
US201461997524P 2014-06-04 2014-06-04
US61/997,523 2014-06-04
US61/997,524 2014-06-04

Publications (1)

Publication Number Publication Date
WO2015184991A1 true WO2015184991A1 (en) 2015-12-10

Family

ID=54766169

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/080697 WO2015184991A1 (en) 2014-06-04 2015-06-03 Improvements on cryptographic systems using pairing with errors

Country Status (1)

Country Link
WO (1) WO2015184991A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030229789A1 (en) * 2002-06-10 2003-12-11 Morais Dinarte R. Secure key exchange with mutual authentication
US20090154711A1 (en) * 2007-12-18 2009-06-18 Jho Namsu Multi-party key agreement method using bilinear map and system therefor
CN102412971A (en) * 2011-11-30 2012-04-11 西安西电捷通无线网络通信股份有限公司 SM2 key exchange protocol based key agreement method and device
WO2013152725A1 (en) * 2012-04-12 2013-10-17 Jintai Ding New cryptographic systems using pairing with errors

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15803200; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15803200; Country of ref document: EP; Kind code of ref document: A1)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 019.06.2017))
122 Ep: pct application non-entry in european phase (Ref document number: 15803200; Country of ref document: EP; Kind code of ref document: A1)