The ISC Int'l Journal of Information Security January 2019, Volume 11, Number 1 (pp. 75–85) ISeCure http://www.isecure-journal.org A New Ring-Based SPHF and PAKE Protocol on Ideal Lattices Amir Hassani Karbasi 1, Reza Ebrahimi Atani 2,∗, and Shahabaddin Ebrahimi Atani 1 1Department of Mathematics, University of Guilan, Rasht, Iran 2Department of Computer Engineering, University of Guilan, Rasht, Iran

A R T I C L E I N F O. ABSTRACT

Article history: Smooth Projective Hash Functions (SPHFs) as a specific pattern of zero Received: 10 December 2017 Revised: 9 December 2018 knowledge proof system are fundamental tools to build many efficient Accepted: 19 December 2018 cryptographic schemes and protocols. As an application of SPHFs, Published Online: 30 January 2019 Password-Based Authenticated Key Exchange (PAKE) protocol is well-studied Keywords: area in the last few years. In 2009, Katz and Vaikuntanathan described the Lattice-based , Ring-LWE, SPHF, PAKE. first lattice-based PAKE using the Learning With Errors (LWE) problem. In this work, we present a new efficient ring-based smooth projective hash function “(Ring-SPHF)” using Lyubashevsky, Peikert, and Regev’s dual-style cryptosystem based on the Learning With Errors over Rings (Ring-LWE) problem. Then, using our ring-SPHF, we propose an efficient password-based authenticated key exchange “(Ring-PAKE)” protocol over rings whose security relies on assumptions. c 2019 ISC. All rights reserved.

1 Introduction protocols on ideal lattices [1, 2, 18, 25, 36, 38]. Cramer and Shoup introduced a primitive, called “Smooth uring the past few years, lattice-based cryptog- Projective Hash Function” (SPHF) [4], in order to Draphy has been known for its numerous construc- obtain hash proof systems for IND-CCA security. Gen- tions and cryptographic protocols beside strong secu- naro and Lindell proposed a generalized SPHF [5] rity proofs, resistance to quantum attacks, flexibility for its many attractive properties and purposes such for fully homomorphic encryption [1] and efficiency as implicit designated-verifier proofs of membership with competitive performance among classical schemes [6, 8]. On the other hand, there is a useful applica- which are established by integer factoring problem tion of SPHF, called “Password-Based Authenticated (IFP) and problem (DLP). In par- Key Exchange” (PAKE) protocol. It was presented by ticular, the learning with errors over rings (ring-LWE) Katz, Ostrovsky, and Yung [9] and also Gennaro and [2, 3], as a , is used for development Lindell [5] which is known as the KOY-GL paradigm. of secure and efficient lattice-based primitives based By a common password for the parties of a spe- on rings. However, there still has been little work on cific key exchange, a PAKE protocol is established. A developing ring-based schemes and protocols in real- PAKE provides security against offline dictionary at- word applications using ideal lattices. In addition, the tacks (formally, Bellare-Pointcheval-Rogaway (BPR) ring-LWE is the core of the security of cryptographic model [10]), and this setting, even with low-entropy passwords, prevents from users impersonation. More- ∗ Corresponding author. over, for a PAKE, a secure server equipped with Email addresses: [email protected] (A. Hassani password-based authentication can provide security Karbasi), [email protected] (R. Ebrahimi Atani), against online dictionary attacks such that an attacker [email protected](S. Ebrahimi Atani) tries to impersonate a user using each possible pass- ISSN: 2008-2045 c 2019 ISC. All rights reserved.

ISeCure 76 Ring-SPHF and Ring-PAKE — A.H. Karbasi, R.E. Atani, S.E. Atani

word. PAKE protocols, as a rare cryptographic primi- random oracles are instantiated with hash functions tive for real-word applications like the Internet, have and one heuristically assumes that a hash function been standardized [12] and widely deployed [13]. behaves good enough to be a replacement for random oracles. Random oracles are nice as they allow proving Recent advances in PAKE protocols, especially the security of protocols while they are still practically improvement of password-based protocols, put them efficient. Since there are theoretical results showing in a superior position for researchers. A hybrid model that there are protocols that are secure in the ran- based on password and public keys is described in [14, dom oracle model but trivially insecure whenever the 15]. A password-only model based on only a password random oracle is instantiated with any hash function, with heuristic security is initiated in [16]. In particular, standard model constructs, i.e., constructs that do not PAKEs with provable security in the random oracle rely on random oracles, are nicer from a theoretical model and formal models are shown in [10, 17, 19, 20]. perspective. Standard model means that the proto- The first inefficient PAKE in the standard model is cols only rely on standard cryptographic assumptions presented in [19] and its improvement with weaker (DDH, CDH, ...) in their proofs. notion of security is shown in [21] but similarly it is impractical. The first efficient PAKE in the standard model with provable security is proposed in [9] and 1.1 Our Contributions its variants are given in [22–24, 26, 27]. A Common To the best of our knowledge, by now building ring- Reference String (CRS) is needed for these protocols based SPHF and ring-based PAKE based on the ring- and a PAKE in the CRS model is presented in [28]. LWE are open questions. Fortunately, in certain set- Lattice-based cryptography and its efficient proto- tings we can generalize existing classical schemes to cols are appealing. The use of lattice assumptions and lattice-based mechanisms without loss of security since recognized worst-case to average-case connections be- lattice-based problems have very various mathemati- tween lattice problems for proof of security have put cal properties than IFP and DLP. In this work, using lattices in excellent position in practice. Until recently, ideas and modifications of [2–5, 7, 9, 11, 29], we give constructing SPHF from lattice assumptions based efficient ideal lattice-based schemes for fundamental on LWE and SIS problems has remained open. The asymmetric tasks such as ring-based smooth projective only exception and the first PAKE using SPHFs in hash function (ring-SPHF) and password-based au- the standard model based on lattices is proposed in thenticated key exchange protocol (ring-PAKE) that [29]. In this protocol, first, an approximate SPHF is are suitable for real-word applications like the Inter- constructed, and then, a PAKE is derived from it. The net. Our proposals can all be proved secure (in the most technically effortful aspect of this protocol is standard model) based on the believed difficulty of the designing of a lattice-based IND-CCA encryption the ring-LWE problem. scheme with an associated approximate SPHF. How- ever, this development has a critical downside: it only 1.2 Organization works for a specially appointed dialect of ciphertexts. The rest of this paper is formed as follows. Concretely, the corresponding decryption procedure needs to be tweaked, now requiring q trapdoor inver- • In Section 2, we recall the necessary mathemat- sion attempts, where q is the modulus of theof the ical and cryptographic background and we give underlying Learning With Errors (LWE) problem [40]. some supporting lemmas with respect to the In this paper, we have investigated this issue. ring-LWE problem. • In Section 3, we propose the details of our new As we mentioned earlier, far less consideration has ring-SPHF from ideal lattices for constructing been paid to key exchange protocols for real-world our ring-PAKE. communications from ideal lattice assumptions and as • In Section 4, we present and analyze our new we can see almost all standards for cryptographic prim- secure 3-round ring-PAKE using our ring-SPHF. itives are still designed around classical mechanisms • Section 5 concludes the paper. such as RSA [30] and Diffie-Hellman [31]. However, some recent proposals such as [38–40], are promising. 2 Preliminaries These methods are generally based on random oracles and standard proofs. Precisely, [38, 40] are based on For l ∈ Z+ ∪ {0}, we assume [l] denote the set standard model and [39] is based on ROM. The ran- {0, 1, ..., l−1}. For k ∈ R, we define bke = bk+1/2c ∈ dom oracle model is a heuristic approach that assumes Z. For an integer q > 1, we define by Zq the quotient the existence of a truly random function to which all ring Z/qZ, that is, the ring of cosets k + qZ with the parties involved in a protocol, good and bad alike, induced addition and multiplication operations. For have access. Since in reality no such function exists, any x¯ ∈ R/Z, we assume [[¯x ∈ R]] denote the unique

ISeCure January 2019, Volume 11, Number 1 (pp. 75–85) 77

representative x ∈ (¯x + Z) ∩ [−1/2, 1/2). Moreover, errors is analyzed by the notion of subgaussian random for x¯ ∈ Zq, we let [[¯x]] be the unique representative variables [33]. For any γ > 0, a random variable X x ∈ (¯x + qZ) ∩ [−q/2, q/2). Furthermore, [[.]] can (or its distribution) over R is said to be γ-subgaussian be extended entrywise to vectors and matrices. By with parameter r > 0, if for all y ∈ R, the (scaled) rad(a), we denote the radical of a positive integer a, moment-generating function satisfies: i.e., it is the product of all primes dividing a. For 2 2 E[exp(2πyX)] 6 exp(γ).exp(πr y ). a vector v over R or C, the l2 norm is defined as ||v|| = (P |v |2)1/2, and the l norm is defined as 2 i i ∞ For all y 0, by Markov’s inequality, X has Gaus- ||v|| = max |v |. The largest singular value and the > ∞ i i sian tails: smallest singular value for an n-by-n matrix M are 2 2 shown by s1(M) and sn(M), respectively. Powerful Pr[|X|> y] 6 2exp(γ − πy /r ). basis, power basis, decoding basis, principal and fractional ideal are defined in [32]. For E[X] = 0 and |X|6 B, B-bounded centered random variable X√, we have X as a 0-subgaussian 2.1 Ring-LWE with parameter B 2π. The learning with errors over rings (ring-LWE) prob- The concept of subgaussianity can be extended to lem and its toolkit were introduced by Lyubashevsky, vectors. In particular, a random real vector X is said Peikert, and Regev in [2, 3], respectively as a gener- to be γ-subgaussian with parameter r if for all real alization of the learning with errors (LWE) problem unit vectors u, the random variable < u, X >∈ R is [32]. Here, we recall the discretized (normal) form γ-subgaussian with parameter r. In general, we can of the ring-LWE probability distribution and deci- take X and u from any real inner product space. sion/search version on ideal lattices, such that all ele- We now present some technical lemmas and results ments are from the cyclotomic ring R or Rq = R/qR, with respect to the ring-LWE problem that will be used and the discretized error distribution is used for the to prove correctness, smoothness, and security of our secret sampling. ring-SPHF and ring-PAKE. Notice that for a positive Definition 1 (Ring-LWE Distribution, [33]). integer index m, K = Q(ζm) and R = Z[ζm] ⊂ K are For an s ∈ R and a distribution χ over R, a sample the mth cyclotomic number field and ring, respectively from the ring-LWE distribution As,χ over Rq × Rq is where ζm is an abstract element with order m. (See generated by choosing a ← Rq uniformly at random, [2] for more details about algebraic number theory choosing e ← χ, and outputting (a, b = a.s + e). background, special properties of cyclotomic number Definition 2 (Decisional Ring-LWE, [33]). In fields, and Gaussians on ideal lattices and ring-LWE the “decision” version of the ring-LWE problem (R- problem.) Lemma 1 (Lemma 2.8 from [3]). For any n- DLWEq,χ) we want to distinguish independent sam- dimensional lattice L and s > 0, a point sampled from ples between As,χ, where s ← χ is sampled once and for all, and the same number of “uniformly ran- discrete Gaussian√ distribution DL,s has Euclidean norm at most s n, except with probability at most dom” independent samples from Rq × Rq with non- −2n negligible advantage. 2 . Lemma 2 (Lemma 2.9 from [3]). There is an efficient Theorem 1 ([2]). Let R be the mth cyclotomic ring algorithm that samples to within negl(n) statistical with dimension n = ϕ(m). Let α = α(n) < plogn/n, distance of D , given c ∈ H, a basis B of L, and a and let q = q(n), q = 1 mod m be a Poly(n)-bounded L+c,s √ √ parameter s max ||˜b ||.ω( logn), where B˜ = {˜b } prime such that αq ω( logn). There is a Poly(n)- > j j j > √ is the Gram-Schmidt orthogonalization of B and the time quantum reduction from O˜( n/α)-approximate subspace H ⊆ s1 × 2s2 for some numbers s +2s = SIVP (or SVP) on ideal lattices in R to solving R- R C 1 2 n is defined as: DLWEq,χ given only l − 1 samples, where χ = bψe s1 2s2 and ψ is the Gaussian distribution (m/g ˆ ).Dζq for ζ = H = {(x1, ..., xn) ∈ R × C : α.(nl/log(nl))1/4. n xs1+s2+j =x ¯s1+j; ∀j ∈ [s2]} ⊆ C . Notice that, there is the search (computational) n such that H is isomorphic to R as an inner product version of the ring-LWE in order to better parameters space. in applications because it is hard for the fixed√ error Lemma 3 (Lemma 2.23 from [3]). Let p and q be pos- distribution ψ = (m/g ˆ ).Dαq, where αq > ω( logn). itive coprime integers, and b.e be a valid discretization In the search problem we want to find the secret s to (cosets of) pR∨, where R∨ ⊂ K is the dual ideal of given arbitrary many ring-LWE samples [2]. ∨ the cyclotomic ring R = Z[X]/φp(X) such that pR ⊆ In ideal lattice-based constructions, the behavior of R ⊆ R∨, with pR∨ ≈ R for pth cyclotomic polynomial φp(X). There exists an optimal transformation that on

ISeCure 78 Ring-SPHF and Ring-PAKE — A.H. Karbasi, R.E. Atani, S.E. Atani

∨ 0 0 ∨ input w ∈ Rp and a pair in (a , b ) ∈ Rq × KR/qR , We assume the distance of a vector z ∈ Rq from 0 ∨ outputs a pair (a = pa mod qR, b) ∈ Rq × Rq , where the lattice L(A) is denoted by dist(z, L(A)). Lemma {1,...,l} KR = K ⊗Q R is isomorphic to H, with the following 8 shows that for most matrices A ∈ Rq , the guarantees: if the input pair is uniformly distributed fraction of vectors z ∈ Rq that are very close to L(A) then so is the output pair; and if the input pair is dis- is very small. We give outline of the proof of Lemma8 tributed according to the ring-LWE distribution As,ψ for arbitrary lattices and using Corollary1 this lemma for some (unknown) s ∈ R∨ and distribution ψ over and its proof can be adapted quite well to the ring- KR, then the output pair is distributed according to LWE case. As,χ, where χ = bp.ψew+pR∨ . Lemma 8 (Adapted from [29]). Let n, q, and m be Lemma 4 (Lemma 2.24 from [3]). Let p and q be m×n m integers such that m > nlogq. Let A ∈ Zq , z ∈ Zq , positive coprime integers, b.e be a valid discretization m and e ← DZ ,s. For all but a negligible portion of to (cosets of) pR∨, and w be an arbitrary element in matrices A: R∨. If R-DLWE is hard given some number l of p q,ψ √ −(m+n)/2 Prz← m [dist(z, L(A)) q/4] q . samples, then so is the variant of R-DLWEq,ψ in which Zq 6 6 the secret is sampled from χ := bp.ψew+pR∨ , given l − 1 samples. Proof. Let d be a free variable that will be optimized Claim 1 (Claim 4.2 from [3]). The length of each at the end of the proof. We want to find an upper −→ element pj of p in l∞ norm is ||pj||∞= 1, and in bound for: p √ −→ l2 norm is ||pj||2= ϕ(m) = n, where p is the PrA,z[dist(z, L(A)) 6 d] powerful Z-basis of R. Lemma 5 (Lemma 6.2 from [3]). The spectral norm of This may be re-written as: −→ −→ p −→ n m d is s1( d ) = rad(m)/m, where d is the decoding PrA,z[∃s ∈ Zq , ∃e ∈ Z with ||e||6 d : z = A ∗ s + e mod q]. Z-basis of R∨. Lemma 6 (Lemma 6.5 from [3]). Let I = (R∨)k for By the union bound, this is smaller than: 1−k−→ X X some k > 1, let a ∈ I and write a =< mˆ d , a > PrA,z[z = A ∗ s + e mod q] = for some integral coefficient vector a, and let q > 1 s e X X √ be an integer. If every coefficient aj ∈ [−q/2, q/2), q(−m) ≈ q(n−m).dm/( m)m. then [[a mod qI]] = a. In particular, if every aj is γ- s e subgaussian with parameter s, then [[a mod qI]] = a In the last step, we use a bound on the number of except with probability at most 2n.exp(γ − πq2/(2s)2). integer points in the ball of radius d. This is indeed Lemma 7 (Lemma 6.6 from [3]). Let I = (R∨)k for small for the d. some k > 1, and let a ∈ I. 1−k−→ {1,...,l} • Writing a =< mˆ d , a > for some in- Moreover, for a matrix A ∈ Rq and a vector tegral vector a, we have that every |aj|6 z ∈ Rq, we assume the statistical distance between k−1√ mˆ n.||a||2. the uniform distribution on Rq and the distribution −→ −→ −→ • If a is γ-subgaussian with parameter s, and b ∈ of ( e A, e z) is denoted by ∆s(A, z), where e = (R∨)l for some l 0 is arbitrary, then writing (e , ..., e ) ∈ (R∨){1,...,l}. Lemma9 shows a converse −→> 1 l a.b =< mˆ 1−k−l d , c > for some integral vector statement of Lemma8. That is, if z and all its non- c, we have that every c is γ-subgaussian with zero multiples are far from the ideal lattice L(A), then j −→ −→ parameter mˆ k+l−1||b|| .s. e A does not reveal any information about e z. More 2 −→ −→ Corollary 1 (Leftover hash lemma, Corollary 7.5 generally, given e A, then e z is statistically close to from [3]). Let R be the ring of integers in the mth cy- the random. clotomic number field K of degree n, and q > 2 an Lemma 9. Let R, n, q, k, l, and A be as in Corollary1. integer. For positive integers k 6 l 6 Poly(n), let A = For small enough d, if z ∈ Rq is such that for all non- ¯ [k]×[l] [k]×[k] [I[k]|A] ∈ (Rq) , where I[k] ∈ (Rq) is the zero constant polynomial a ∈ Rq, dist(az, L(A)) > d, [k]×[l−k] then ∆ (A, z) negl(n). identity matrix and A¯ ∈ (Rq) is uniformly ran- s 6 dom. Then, with probability 1 − 2−Ω(n) over the choice −→ [k] of A¯, the distribution of A x ∈ Rq where each coordi- Proof. Let B = [A|z], that is, we attach the vec- −→ [l] tor z and all its multiples to the ideal lattice L(A). nate of x ∈ Rq is sampled from a discrete Gaussian distribution of parameter r > 2n.q(k/l)+2/(nl) over R, By a generalization of Corollary1, the distribution −→ −Ω(n) nk of B x ∈ Rq is within statistical distance 2 satisfies that the probability of each of the q possi- −→ ble outcomes is in the interval (1 ± 2−Ω(n))q−nk, and of uniform over Rq, where each coordinate of x is in particular, is within statistical distance 2−Ω(n) of drawn from a discrete Gaussian distribution of pa- k/l+2/(nl) [k] rameter s > 2n.q over R, then ∆ (A, z) uniform distribution over R . s 6 q negl(n).

ISeCure January 2019, Volume 11, Number 1 (pp. 75–85) 79

2.2 Dual-Style Cryptosystem L¯ ⊆ L; approximate correctness is guaranteed for x ∈ L¯, while smoothness is guaranteed for x ∈ X\L. The dual LWE encryption was first introduced in [34], Let (Gen, Enc−→, Dec−→) be a CPA-secure (labeled) and its ring-based variant is presented in [3] which is a x dual-style encryption system and let R be message called dual-style cryptosystem. In these two dual sys- p space (dictionary of passwords in our application to tems, the public key is statistically close to uniform, ring-PAKE) that can be recognized efficiently. The whereas ciphertexts are only pseudorandom and have dual-style cryptosystem defines a notion of ciphertext unique encryption randomness, i.e., the systems have validity such that: dual properties to LWE-based cryptosystem [32]. We −→ know by Claim1[ 32], the elements of R with the pow- • By only pk = a , we can determine validity of √ −→ erful basis −→p have maximum length n, so we can a ciphertext with respect to a . use the algorithm from Lemma2 for sampling, that • All honestly created ciphertexts are valid. • There is no decryption failure. is, the√ discrete√ Gaussian distribution DR,r for some r > n.ω( logn) is used in the key generation algo- Let (pk = −→a , sk = −→x ) be a key pair of Gen(1l) rithm. Now let l > 2 and let principal and fractional −→ ∨ k −k and let C be the set of valid ciphertexts regard to a . ideal (R ) =< t >, the dual-style cryptosystem is The details of sets X, {L¯ } , and L¯ are as follows. defined as follows. µ µ∈Rp −→ −→ l X = {(label, c , µ): label ∈ R; c ∈ C; µ ∈ Rp}, • Gen(1 ): choose a0 = −1 ∈ Rq and uniformly L¯ = {(label, Enc−→(label, µ), µ): label ∈ R} ⊂ X. random and independent a1, ..., al−1 ∈ Rq, and µ a −→ ¯ independent x0, ..., xl−1 ← DR,r. Output a = For µ ∈ Rp, Lµ is the set of honestly created encryp- {1,...,l} S P tions of µ using any label, and L¯ = L¯µ. (a1, ..., al−1, al = − i∈[l] aixi) ∈ Rq as µ∈Rp the public key, and −→x = (x , ..., x , x = 1) ∈ −→ −→ 1 l−1 l Lµ = {(label, c , µ): label ∈ R; Dec−→x (label, c ) = µ}, {1,...,l} R as the secret key. S ¯ ¯ and set L = µ∈R Lµ. In addition, we have Lµ ⊆ Lµ • Enc−→a (µ∈Rp): choose independent e0, ..., el−1 ← p −→ for all µ, and for any ciphertext −→c and label ∈ R, we bp.ψepR∨ , and el ← bp.ψet−1µ+pR∨ . Let e = −→ ∨ {1,...,l} have at most one µ ∈ Rp for which (label, c , µ) ∈ L. (e1, ..., el) ∈ (R ) . Output ciphertext −→ −→ −→ ∨ {1,...,l} c = e0 ∗ a + e ∈ (Rq ) . Now we define a ring-based SPHF. A family of sets −→ −→ −→ ∨ ∨ • Dec−→x ( c ): compute d = [[< c , x >]] ∈ R , of keyed functions {Hk : X → R }k∈K , as well as and output µ = t.d mod pR. a projection function α : K × (pR∨ × C) → S is Lemma 10 (Lemma 8.1 from [3]). If r > 2n.q1/l+2/(nl), called a “ring-based approximate smooth projective then the dual-style cryptosystem is IND-CPA secure hash function” (ring-SPHF) with the following notions assuming the hardness of R-DLWEq,ψ given l + 1 of (approximate) correctness and smoothness, where ∨ samples. Hk(y) = (r0, r1, ..., rn−1) ∈ R for y ∈ X. Notice that based on the efficiency of ideal lattices, all operations By Corollary1, Lemma3, and Lemma4 the proof of can be performed in time O˜(n) and the size of the Lemma 10 is obvious. We can refer to [3] for the full digest is O˜(n) [35]. Moreover, based on the structure proof. of ideal lattices, H ’s will be collision-resistance [35]. Lemma 11 (Lemma 8.2 from [3]). Suppose that k ∨ for any c ∈ Rp , bp, ψec+pR∨ is γ-subgaussian • Approximate correctness : As in [29], we with parameter √s for some γ = O(1/l), and q > require only approximate correctness for y = p 2 −→ s (r l + 1)n.ω( logn). Then decryption is correct (label, c , µ) ∈ L¯, then the value of Hk(y) is ap- with probability 1 − negl(n) over all the randomness proximately obtained by α(k, label, −→c ) and y. of key generation and encryption. In addition, the projection function α should be a function of label, −→c only. The proof of Lemma 11 is obtained by Lemma1, • Smoothness : Given α(k, label, −→c ) and y, if Lemma5, Lemma6, and Lemma7. We can refer to y ∈ X\L then, the value of H (y) is statistically [3] for the full proof. k close to uniform (assume k ∈ K is sampled uniformly). 2.3 Ring-Based Smooth Projective Hash Functions Here, we give the formal definition of ring-based approximate smooth projective hash function by a Cramer and Shoup introduced smooth projective hash sampling algorithm and given −→a . functions [4]; we improve and adapt the treatment Definition 3. We say that (K, G, = {H : X → of Katz and Vaikuntanathan [29], who extended the H k R∨} , S, α : K × (pR∨ × C) → S) is a ring-SPHF scheme of Gennaro and Lindell [5] based on lattices. k∈K such that: We assume there are sets X,L ⊂ X, and a subset • Using efficient algorithms in [2,3]:

ISeCure 80 Ring-SPHF and Ring-PAKE — A.H. Karbasi, R.E. Atani, S.E. Atani

(1) we can compute Hk(y) for all y ∈ X and ring-based approximate smooth projective hash system k ∈ K, (ring-SPHF). (2) we can sample a uniform k ∈ K, and (3) we can compute α(k, label, −→c ) for all k ∈ Proof. Clearly, using ring-LWE toolkit [3], the fol- K and (label, −→c ) ∈ pR∨ × C. lowing processes can all be done in polynomial time: • For y = (label, −→c , µ) ∈ L¯ we can compute the • A uniform key for the hash function −→x = value of H (y) approximately by α(k, label, −→c ), k (x , ..., x ) ← D is sampled. relative to the statistical distance. In particular, 1 l R,r • The hash function H on input the key −→x = let ∆(a, b) denote the statistical distance of two (x , ..., x ) and a ciphertext y is computed. variables a, b as vectors in R∨, then we have an 1 l • The projected key A−→x = α(x , ..., x ) is com- efficient algorithm H0 that takes as input s = 1 l puted. (k, label, −→c ) and y0 = (label, −→c , µ, r) for which −→ • Using the projected key al, a ciphertext y, and c = Enc−→a (label, µ, r) and satisfies: a witness e0 for the ciphertext y, the hash func- 0 0 ∆(Hk(y),H (y , s)) 6 negl(n). tion is computed. • For any y = (label, −→c , µ) ∈ X\L, the following Now, approximate correctness is shown. We have any two distributions have statistical distance neg- (label, −→c , µ) ∈ L¯, where on input the message µ, the ligible in n: dual-style cryptosystem gives a ciphertext −→c , i.e., −→ −→ −→ {1,...,l} −→ c = e0 ∗ a + e ∈ Rq where according to {k ← K; s = α(k, label, c ):(s, Hk(y))}, √ √ Lemma1, ||xi||26 r n and ||xl||2= ||1||2= n. and We first show that the values h (performed using −→ ∨ {k ← K; s = α(k, label, c ); v ← R :(s, v)}. the key) and h0 (performed using the projected key) are close, that is, h and h0 have statistical distance 3 Ring-SPHF Using Ideal Lattices negligible in n. More precisely, we show that the val- 0 Now we explain our main results for constructing of a ues h and h are statistically indistinguishable from SPH system over rings (ring-SPHF) using ring-LWE uniform, i.e. problem on ideal lattices. 0 ∆(h, U) 6 negl(n) and ∆(h , U) 6 negl(n), −→ ¯ {1,...,l} Assume a public key A = a = [I[k]|A] ∈ Rq then, is chosen for the system such that k = 1 and A¯ ∈ 0 ∆(h, h ) 6 negl(n). {1,...,l−1} ¯ Rq . Let Rp be a dictionary. Let sets X, Lµ, Based on Corollary1 (leftover hash lemma) and and Lµ be as defined in Section 2.3, and let r be such −→ √ √ Lemma 10, al = A x is statistically indistinguish- that n.ω( logn) r. 0 6 able from uniform, so clearly h = [[al ∗ e0 + el]] is −→ A key for the ring-SPHF is x = (x1, ..., xl) ∈ statistically close to the uniform. {1,...,l} R where each xi ← DR,r is drawn indepen- On the other hand, according to Lemma2, −→x dently. is statistically indistinguishable from uniform and −→ • We know the projection set S = Rq. The projec- according to Lemma3 and Lemma4, c is statis- −→ tion is α( x ) = α(x1, ..., xl) = al ∈ Rq for a key tically indistinguishable from uniform, so clearly −→ {1,...,l} −→ −→ x = (x1, ..., xl) ∈ R , where al = A x . h = [[< y, x >]] is close to the uniform. Therefore, ∆(H (y),H0 (y, e )) negl(n). This shows approxi- • Now, the ring-SPHF H = {Hk}k∈K is defined. k al 0 6 −→ {1,...,l} 0 We have a key x = (x1, ..., xl) ∈ R = K mate correctness (h = h ). −→ and a ciphertext y = (label, c , µ) as input, the We now show smoothness. Recall each coefficient hash function is given as follows: of polynomials h and h0 is in Z, so we can show h and −→ ∨ 0 −→ h = Hk(y) = [[< y, x >]] ∈ R , h as vectors in Z. Consider any y = (label, c , µ) ∈ X\L. By definition of L, this reveals that the decryp- where h = (a , a , ..., a ) ∈ R∨ as a vector. 0 1 n−1 tion process on input (label, −→c , µ) and any possible • On input a projected key a ∈ S, a ciphertext l secret key sk = −→x , outputs either ⊥, or a message y = (label, −→c , µ) and a witness e ∈ R for 0 q µ0 6= µ. We explain the two cases: the ciphertext, the hash function is executed as follows: • The decryption algorithm gives ⊥. This reflects 0 0 ∨ that for the constant polynomial a ∈ Rq, the h = H (y, e0) = [[al ∗ e0 + el]] ∈ R , al vector az is far from the ideal lattice L(B). So, 0 ∨ where h = (b0, b1, ..., bn−1) ∈ R as a vector. az must be close to the ideal lattice L(B). Theorem 2. Let the parameters n, l, q, p, and r be • The decryption algorithm gives a message µ0 6= 0 as defined in Section 2. Then, H = {Hk}k∈K is a µ. This could occur only if there is an a ∈ Rq

ISeCure January 2019, Volume 11, Number 1 (pp. 75–85) 81

Table 1. Parallel comparison between the SPHF on arbitrary lattices and ring-SPHF on ideal lattices.

Scheme HashKey(K) ProjectedKey(S) Hashing ProjectiveHashing ( ( 0 if z < 0 0 if uT s < 0 i 0 i s = α(e1, ..., ek) Hk = bi = , H = bi = , T 1 if zi > 0 1 if ui s > 0

k = (e1, ..., ek) = (u1, ..., uk), i = 1, ..., k i = 1, ..., k ! 1 m k T T SPHF[29] ∈ (Zq ) , ui = B ei, zi = ei [y − U. ] (u1, ..., uk) ∈ S, m

m n ei ← DZ ,r A = [B|U] ∈ Zq, witness s ∈ Zq c = (label, y, m)

−→ 0 s = α( x ) H = [[al ∗ e0 + el]] −→ −→ ∨ k = x = (x1, ..., xl) = α(x1, ..., xl) Hk = [[< y, x >]] ∈ R , {1,...,l} ∨ Ring-SPHF ∈ R , = al ∈ Rq, ∈ R , al ∈ S, −→ −→ xi ← DR,r al = A x , y = (label, c , µ) witness e0 ∈ Rq A = −→a = [I|A¯]

such that a0z0 is close to the ideal lattice L(B). of the shared password w. Then, a random hash key So, a0z0 must be far from the ideal lattice L(B). k0 ← K is sampled by the client and it selects the pro- −→ jected key s0 = α(k0, label0, c0 ). The client now sends Note that, according to an application of Lemma8 −→ and Lemma9, az and a0z0 are uniformly random and “Clientkc0 ks0” to the server. independent, because we utilize two honest CPA and −→ 0 0 CCA-secure cryptosystems with meaningful decryp- After receiving the message “Clientkc ks ”, two ∗ tion algorithm. random hash keys k, k ← K are sampled by the server and it computes the projected keys s = −→ −→ In Table 1, we summarize Katz and Vaikun- α(k, label0, c0 ) and s∗ = α(k∗, label0, c0 ). Then, −→ −→ tanathan’s SPHF [29] over arbitrary lattices based 0 ∨ 0 ∨ hash values Hk(c , w) ∈ R and Hk∗ (c , w) ∈ R on the LWE problem and our ring-SPHF over ideal −→ using the ciphertext c0 and the password w are lattices based on the ring-LWE problem. −→0 computed by the server. The value Hk∗ (c , w) is ∗ ∗ 4 Ring-PAKE Using Ring-SPHF parsed as a sequence of three bit strings rj , ζj , and SK∗ where r∗ will be used as the random string In this section, a new efficient password-based authen- j j for an encryption. Here, the server sets “label = ticated key exchange protocol over rings (ring-PAKE) −→0 on ideal lattices from ring-SPHF is presented that its ClientkServerkc ks”, and encrypts the shared pass- −→ ∗ structure is a modification and improvement of the word w as c = Enc−→a (label, w, rj ). Then, the hash 0 −→ 0 Katz and Vaikuntanathan’s framework [29] and its value H(s , c ) using the client’s projected key s is performed by the server, and it computes a tem- security is defined based on the standard definition of −→ security for PAKE [19, 22, 27, 29]. Here, we describe porary session key tk = H (c0 , w) ⊕ H(s0, −→c ). In k −→ the details of the protocol and we show a high-level 0 addition, it computes ∆ = Ecc(Hk∗ (c , w)) ⊕ tk overview of the 3-round ring-PAKE protocol as well. where Ecc : {0, 1}n → {0, 1}m, n < m is an appro- The ring-based dual-style cryptosystem P0 with priate error-correcting code. Finally, the message associated ring-SPHF is used and an ideal lattice- “Serverk−→c ksks∗k∆” is sent to the client by the server. based CCA-secure encryption system such as [33] is P After receiving the message “Serverk−→c ksks∗k∆”, denoted by . In the ring-PAKE, there is a common −→ −→ −→ 0 −→ 0 first, hash values Hk0 ( c , w) and H(s, c ) using the reference string (CRS) containing of public keys a , a −→ for P, P0, respectively. Moreover, as we know, the server’s projected key s and encryption value c are 0 −→0 computed by the client such that k is created in ring-SPHF associated with a is shown by: the first round. Furthermore, the client computes ∨ ∨ −→ (K, G, H = {Hk : X → R }k∈K , S, α : K × (pR × C) → S). H(s∗, c0 ) using the server’s projected key s∗. Next, it For authenticating of a client instance to a server in- computes: stance, at first, a random string r is chosen by the client −→ 0 0 −→ −→0 and then it executes an encryption c = Enc−→(w, r) 0 a0 tk = Hk ( c , w) ⊕ H(s, c ),

ISeCure 82 Ring-SPHF and Ring-PAKE — A.H. Karbasi, R.E. Atani, S.E. Atani

Figure 1. The proposed scheme.

∗ and server, hence outputs the session key SKi , otherwise, H0 = Ecc−1(tk ⊕ tk0 ⊕ ∆). the client terminates. ∗ Then, the client verifies the Hamming distance: After receiving the massage ζi in the third round, ∗ ∗ the server verifies ζi = ζj , if it is the case, the client 0 ∗ −→0 Ham(H ,H(s , c )) 6 negl(n), is authenticated to the server, and the server accepts ∗ if not, the client terminates. Otherwise, it parse and outputs the session key SKj , otherwise, the server −→ terminates. H0 to r∗, ζ∗, and SK∗ and computes c00 = i i i −→ ∗ 00 −→ Correctness. In an honest execution of the ring- Enc−→a (label, w, ri ). Next, the client verifies c = c such that −→c is generated in the second round, if it PAKE and without adversarial interference, we show is the case, the server is authenticated to the client, that the client and server’s session keys are match and ∗ common. We have: and the client make a connection and sends ζi to the

ISeCure January 2019, Volume 11, Number 1 (pp. 75–85) 83

H0 = Ecc−1(tk ⊕ tk0 ⊕ ∆) 5 Conclusion where In this work, we first presented a new efficient construc- −→ tion of a ring-based smooth projective hash function tk = H (c0 , w) ⊕ H(s0, −→c ), k (ring-SPHF) on ideal lattices using ring-LWE problem

0 −→ −→0 based on ideas of Katz and Vaikuntanathan’s SPHF tk = Hk0 ( c , w) ⊕ H(s, c ), on arbitrary lattices using LWE problem. Namely, we and built an improvement of the lattice-based SPHF and −→0 analyzed its security based on ideal lattice assump- ∆ = Ecc(H ∗ (c , w)) ⊕ tk. k tions. Approximate correctness of the ring-SPHF (Theo- Then, we proposed the first efficient password-based rem2), implies that: authenticated key exchange (ring-PAKE) protocol over rings using our ideal lattice-based ring-SPHF and −1 0 −→0 Ecc (tk ⊕ tk ⊕ ∆) = Hk∗ (c , w), described its security.

∗ ∗ ∗ ∗ so it holds that ri = rj , ζi = ζj . Thus, the same Acknowledgments. ∗ ∗ session key SKi = SKj is obtained for the client and server. The security analysis of the ring-PAKE is We would like to thanks Prof. Jonathan Katz and based on the main ideas of [22, 27, 29, 37] as follows. Prof. Vadim Lyubashevsky for helpful discussions and Theorem 3. The Ring-PAKE provides session key useful suggestions while writing this paper. Special security based on the Ring-SPHF. thanks to Prof. Damien Stehl´e and Prof. Chris Peikert for their invaluable contributions in proving Lemma 8 and 9. Proof. As we know, in the ring-PAKE protocol, we use the dual-style cryptosystem which is associated References with the ring-SPHF, a CCA-secure cryptosystem, [1] Gentry, C.: Fully homomorphic encryption using and an Ecc as an appropriate error-correcting code. ideal lattices. In: 41st ACM STOC, pp. 169–178. For an adversary that observes interactions be- ACM Press, Bethesda, Maryland (2009) tween the client and server (passive attack), the [2] Lyubashevsky, V., Peikert, C., Regev, O.: On shared session key is statistically indistinguishable ideal lattices and learning with errors over rings. from uniform (pseudorandom). Clearly, this is be- Journal of the ACM. 60(6), 43:1–43:35 (2013) cause a CPA-secure encryptions of the password w [3] Lyubashevsky, V., Peikert, C., and Regev, and the projected keys of the ring-SPHF are used for O.: A toolkit for ring-LWE cryptography. In the transcript of each interaction. For attackers that T. Johansson and P. Q. Nguyen, editors, manipulate the messages in interactions between EUROCRYPT 2013, volume 7881 of LNCS, the client and server (active attack) such as man-in- pages 35–54. Springer, May (2013). Archive: the-middle, assume an adversary and a client have https://eprint.iacr.org/2013/293 interactions with a password w. [4] Cramer, R., Shoup., V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext • By the GK framework, if a ciphertext is sent secure public-key encryption. In: EUROCRYPT, from the adversary to the client that does not pp. 45–64. Springer Press, Amsterdam (2002) decrypt to the client’s password w, then ac- [5] Gennaro, R., Lindell, Y.: A framework for cording to adversary’s view, the client’s session password-based authenticated key exchange. In: key is statistically close to uniform. Therefore, EUROCRYPT, pp. 524–543. Springer press, War- based on smoothness of the ring-SPHF (Theo- saw (2003) rem2), this condition holds. [6] Abdalla, M., Chevalier, C., Pointcheval, D.: • By a CCA-secure encryption scheme that we Smooth projective hashing for conditionally ex- use in the protocol, the probability that the at- tractable commitments. In: CRYPTO, pp. 671– tacker can generate a new ciphertext that de- 689. Springer press, Santa Barbara, CA (2009) crypts to the client’s password w is at most [7] Reza Ebrahimi Atani, Shahabaddin Ebrahimi Att./|Rp|+negl(n), where Att. is the number of Atani, Amir Hassani Karbasi, NETRU: A Non- online attacks and Rp is the password dictio- commutative and Secure Variant of CTRU Cryp- nary. Hence, based on the cyclotomic ring R and tosystem, The ISC International Journal of In- parameter p on ideal lattices, this probability is formation Security (ISeCure), Volume 10, Issue negligible in n. 1, Winter and Spring 2018, Page 45-53 [8] Blazy, O., Pointcheval, D., Vergnaud, D.:

ISeCure 84 Ring-SPHF and Ring-PAKE — A.H. Karbasi, R.E. Atani, S.E. Atani

Round-optimal privacy-preserving protocols with cols. In: CRYPTO, pp. 449–475. Springer press, smooth projective hash functions. In: TCC, pp. Santa Barbara, CA (2013) 94–111. Springer press, Taormina, Sicily (2012) [23] Gennaro, R.: Faster and shorter password- [9] Katz, J., Ostrovsky, R., Yung, M.: Efficient authenticated key exchange. In: TCC, pp. 589– password-authenticated key exchange using 606. Springer press (2008) human-memorable passwords. In: EUROCRYPT, [24] Katz, J., MacKenzie, P.D., Taban, G., Gligor, pp. 475–494. Springer press, Innsbruck (2001) V.D.: Two-server password-only authenticated [10] Bellare, M., Pointcheval, D., Rogaway, P.: Au- key exchange. In: 3rd International Conference thenticated key exchange secure against dictio- on Applied Cryptography and Network Security nary attacks. In: EUROCRYPT, pp. 139–155. (ACNS), pp. 1–16. Springer press (2005) Springer press, Bruges (2000) [25] Amir Hassani Karbasi, Reza Ebrahimi Atani, IL- [11] Amir Hassani Karbasi, Reza Ebrahimi Atani, TRU: An NTRU-Like Public Key Cryptosystem Shahabaddin Ebrahimi Atani, PairTRU: Pair- Over Ideal Lattices, IACR Cryptology ePrint wise Non-commutative Extension of The NTRU Archive, 2015. Public key Cryptosystem, International Journal [26] Canetti, R., Halevi, S., Katz, J., Lindell, of Information Security Science, Volume 7, Issue Y., MacKenzie, P.D.: Universally composable 1, 2018, Page 11-19. password-based key exchange. In: Eurocrypt, pp. [12] SPEKE: RFC5931, RFC6617, IEEE P1363.2, U.S. 404–421. Springer press (2005) Patent 6,226,383 [27] Gennaro, R., Lindell, Y.: A framework for [13] J-PAKE: Implemented in OPENSSL, NSS, used password-based authenticated key exchange. by FIREFOX-SYNC, https://wiki.mozilla. ACM Trans. Information and System Security. org/Services/KeyExchange 9(2), 181–234 (2006) [14] Gong, L., Lomas, T.M.A., Needham, R.M., [28] Jiang, S., Gong, G.: Password based key exchange Saltzer, J.H.: Protecting poorly chosen secrets with mutual authentication. In: 11th Annual In- from guessing attacks. IEEE Journal of Selected ternational Workshop on Selected Areas in Cryp- Areas in Communications. 11(5), 648–656 (1993) tography (SAC), pp. 267–279. Springer press [15] Halevi, S., Krawczyk, H.: Public-key cryptogra- (2004) phy and password protocols. ACM Trans. Infor- [29] Katz, J., Vaikuntanathan, V.: Smooth projective mation and System Security. 2(3), 230–268 (1999) hashing and password-based authenticated key [16] Bellovin, S.M., Merritt, M.: Encrypted key ex- exchange from lattices. In: ASIACRYPT, pp. 636– change: Password-based protocols secure against 652. Springer press, Tokyo, Japan (2009) dictionary attacks. In: IEEE Symposium on Se- [30] Rivest, R.L., Shamir, A., Adleman, L.M.: A curity and Privacy, pp. 72–84. IEEE press (1992) method for obtaining digital signatures and [17] MacKenzie, P.D., Patel, S., Swaminathan, R.: public-key cryptosystems. Commun. ACM. 21(2), Password-authenticated key exchange based on 120–126 (1978) RSA. In: Asiacrypt, pp. 599–613. Springer press [31] Diffie, W., Hellman, M.E.: New directions in (2000) cryptography. IEEE Transactions on Information [18] Reza Ebrahimi Atani, Shahabaddin Ebrahimi Theory, IT-22(6), 644–654 (1976) Atani, Amir Hassani Karbasi, A Provably Secure [32] Regev, O.: On lattices, learning with errors, ran- Variant of ETRU Based on Extended Ideal Lat- dom linear codes, and cryptography. In: 37th An- tices Over Direct Product of Dedekind domains, nual ACM Symposium on Theory of Computing To appear in the Journal of Computing and Se- (STOC), pp. 84–93. ACM press (2005) curity, (2018). [33] Peikert, C.: Lattice Cryptography for the Inter- [19] Goldreich, O., Lindell, Y.: Session-key generation net. In: Post-Quantum Cryptography - 6th In- using human passwords only. Journal of Cryptol- ternational Workshop, PQCrypto, pp. 197–219. ogy. 19(3), 241–340 (2006) Springer press, Waterloo, ON (2014) [20] Boyko, V., MacKenzie, P.D., Patel, S.: Provably [34] Gentry, C., Peikert, C., Vaikuntanathan, V.: Trap- secure password-authenticated key exchange us- doors for hard lattices and new cryptographic ing Diffie-Hellman. In: Eurocrypt, pp. 156–171. constructions. In: STOC, pp. 197–206. (2008) Springer press (2000) [35] Lyubashevsky, V., Micciancio, D., Peikert, C., [21] Nguyen, M.H., Vadhan, S.: Simpler session-key Rosen, A.: SWIFFT: A modest proposal for FFT generation from short random passwords. Journal hashing. In: FSE, pp. 54–72. (2008) of Cryptology. 21(1), 52–96 (2008) [36] Reza Ebrahimi Atani, Shahabaddin Ebrahimi [22] Benhamouda, F., Blazy, O., Chevalier, C., Atani, Amir Hassani Karbasi, EEH: AGGH-like Pointcheval, D., Vergnaud, D.: New techniques public key cryptosystem over the eisenstein inte- for SPHFs and efficient one-round PAKE proto- gers using polynomial representations, The ISC

ISeCure January 2019, Volume 11, Number 1 (pp. 75–85) 85

International Journal of Information Security Reza Ebrahimi Atani studied elec- (ISeCure), Volume 7, Issue 2, Summer and Au- tronics engineering at the University tumn 2015, Page 115-126. of Guilan, Rasht, Iran and got his B.S. [37] Groce, A., Katz, J.: A New Framework For Ef- degree in 2002. He followed his mas- ficient Password-based Authenticated Key Ex- ters and Ph.D. studies at Iran Univer- change. In: 17th ACM Conf. on Computer and sity of Science & Technology (IUST) Communications Security, pp. 516525. ACM in Tehran, and received Ph.D. degree Press, New York, (2010) in 2010. He is now holding an associated professor [38] Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagde- position in the department of computer engineering len, O.: Authenticated key exchange from ideal at the University of Guilan. His research interests fo- lattices. In: Oswald, E., Fischlin, M. (eds.) EU- cuses on design and implementation of cryptographic ROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. algorithms and protocols as well as their applications Springer, Berlin (2015). DOI: 10.1007/ 978–3– to computer and network security and mobile commu- 662–46803–624. nications. He is a member of IEEE and IACR. [39] Jintai Ding, Saed Alsayigh, Jean Lancrenon, Provably Secure Password Authenticated Key Shahabaddin Ebrahimi Atani Exchange Based on RLWE for the Post-Quantum got his B.S. and M.S. in Mathematics. World, CT-RSA (2017), pp. 183–204, 2017. DOI: In 1996, he graduated from a Ph.D. 10.1007/978–3–319–52153–411. program of mathematical science de- [40] Fabrice Benhamouda, Olivier Blazy, Lo Ducas, partment of University of Manch- Willy Quach, Hash Proof Systems over Lat- ester, England. He is now a professor tices Revisited, Public-Key Cryptography–PKC at faculty of mathematical sciences of (2018), pp. 644–674. the University of Guilan. His research interests include rings and semi-ring theory and pullback of rings. Amir Hassani Karbasi studied his B.S. in applied mathematics at the University of Tabriz in Tabriz, Iran. He received his B.S. degree in 2010. He received his M.S. in computer networks in 2013 from University of Guilan. He received his Ph.D. in 2018 from University of Guilan (Elite En- trance Students to Ph.D.) and has worked on “Design and security analysis of lattice-based cryptographic structures”. Now, he is a part-time faculty member at some Universities and information security special- ist at some companies. His main research interests include lattice-based cryptography, digital signatures, network security, rings and semi-ring theory and pull- back of rings.

ISeCure