SCIS 2018 2018 Symposium on and Information Security Niigata, Japan, Jan. 23 - 26, 2018 The Institute of Electronics, Copyright c 2018 The Institute of Electronics, Information and Communication Engineers Information and Communication Engineers

AtLast: Another Three-party Lattice-based PAKE Scheme

Rakyong Choi ∗ Hyeongcheol An † Kwangjo Kim ∗

Abstract: Password-based Authenticated Key Exchange (PAKE) protocol assumes that the parties share a low-entropy, easy-to-remember password to achieve the authentication with a high-entropy session key. PAKE protocols can be employed to hand-held devices for access control of sensitive personal data remotely. For communication with more than one user, the user needs to remember all passwords between other users. To resolve this problem, a three-party PAKE (3PAKE) protocol, where user only shares a password with a server, is introduced. In this paper, we construct a novel lattice-based three-party PAKE protocol, AtLast, based on the hardness of ring-LWE assumption, with a simple design and extend Ding et al.’s PAKE protocol with implicit server authentication, RLWE-PPK protocol, to three-party setting by modifying the generic approach by Abdalla et al. Then, we compare our protocol with Xu et al.’s three-party PAKE protocol, RLWE-3PAKE, over lattices. Keywords: Password-based Authenticated Key Exchange (PAKE) protocol, Ring Learning with Errors (ring-LWE) problem, RLWE-PPK protocol

1 Introduction tocols using post-quantum cryptography against quan- tum computing attack is currently one of challenging is- 1.1 Background and Motivation sues in cryptography. Indeed, the security of all public- One of fundamental problems in cryptography is how key algorithms based on classical hard problems will to make a secure communication over a public unreli- no longer be assured as soon as an adequate quantum able channel that might be controlled by the adversary. computer exists. A possible solution for this issue is to guarantee authen- It is clear that the effort to develop quantum-resistant ticity and privacy using the mutual session key from key technologies is intensifying. In the US, the National exchange and authenticated key exchange protocols. Security Agency (NSA) planned to transition from its A key exchange protocol is a cryptographic primitive Suite B cryptographic tools to quantum-resistant al- to establish the mutual session key for communication gorithms. The National Institute of Standards and between two parties over an insecure channel and an Technology (NIST) requested to submit post-quantum authenticated key exchange protocol is a key exchange cryptographic algorithms for standards. protocol with authentication process to prevent attacks Most known 3PAKE protocols put their security on like the man-in-the-middle attack by providing mutual classical hard problems such as Diffie-Hellman prob- authentication between parties. lem and are unsuitable in an upcoming post-quantum In cryptography, Password-based Authenticated Key world. Exchange (PAKE) protocol assumes a more realistic Searching for 3PAKE protocols that can be based scenario where secret keys are not uniformly distributed on provably secure lattice assumptions is important. over a large space with a high-entropy, but chosen from In the current literature, to the best of our knowledge, a human-memorable set with a low-entropy. only one single three-party PAKE protocol stands out Passwords are normally easier to remember for users precisely for this reason. Xu et al. [1] extends Ding than cryptographically secure keys. Though, in the et al.’s PAKE protocol on ring-LWE [2] to three-party scenario that a user communicates with more than one setting. But unfortunately, their protocol is very com- user, he/she needs to remember all passwords between plicated and not very efficient. them. Thus, in this paper, we consider a three-party Thus, in this paper, we design a simpler three-party PAKE (3PAKE) protocol where user only shares a pass- PAKE protocol based on lattice. word with a trusted third party, e.g. a server. On the other hand, as the quantum computer be- 1.2 Outline of the Paper comes realistic in the near future, constructing pro- In Section 2, we overview the previous PAKE proto- ∗ School of Computing, KAIST. 291, Daehak-ro, Yuseong-gu, cols and lattice-based key exchange protocols. Section Daejeon, South Korea 34141. {thepride, kkj}@kaist.ac.kr 3 gives a notation and background knowledge such as † Graduate School of Information Security, School of Computing, the definition and hard problems of lattices. KAIST. 291, Daehak-ro, Yuseong-gu, Daejeon, South Korea In Section 4, we discuss two lattice-based PAKE pro- 34141. [email protected]

1 tocols which are deeply related to our work. Then, we a user while executing the protocol. give the design and analysis of new lattice-based three- In contrast, a 3PAKE protocol with explicit server party PAKE protocol named as AtLast, in Section 5. authentication must have mutual authentication be- Finally, we give a concluding remark with future tween a server and users. Thus, a 3PAKE protocol work in Section 6. with explicit server authentication normally has more complicated than the one with implicit server authen- 2 Previous Work tication. In 2005, Abdalla et al. [11] proposed a formal secu- 2.1 PAKE Protocol rity model (AFP model) for 3PAKE protocols. In their The first PAKE protocol was first suggested by Bellovin work, they provide a new model for 3PAKE protocols and Merritt [3] without formal security analysis. PAKE by modifying the BR model [12] and BPR model [4] and protocol is beneficial for its simple use but is always call it the Real-Or-Random (ROR) model. However, vulnerable against the so-called dictionary attacks. In resistance to undetectable on-line dictionary attack is dictionary attacks, the adversary tries all possible com- not taken into consideration in the AFP model. The bination of secret keys in a small set of values like dic- authors of AFP model count this attack in the number tionary, to break the security of a scheme. This attack of queries for message modifications which are limited is not very effective in the case of high-entropy keys to certain numbers. Hence, undetectable on-line dic- but it becomes very damaging when the secret key is tionary attacks are not discriminated from detectable a password with low-entropy since the attacker has a on-line dictionary attacks. non-negligible chance of finding the valid secret key. To improve the AFP model, Wang and Hu [13] pro- Dictionary attacks are divided into two types: on- vided a stronger security model (WH model) of 3PAKE line and off-line dictionary attacks. To address this protocol. problem, several protocols are designed to be secure However, Yoneyama [14] pointed out that each model even when the secret key is a password. The goal of has its drawbacks. For example, the AFP model and these protocols is to restrict the adversaries success to WH model do not consider the notion of forward se- on-line guessing attacks and prevent off-line dictionary crecy and WH model do not offer key privacy for the attacks. The security of these systems relies on a pol- server. In addition, resistance to undetectable on-line icy invalidating or blocking the use of a password if a dictionary attacks is not taken into consideration in the certain number of failed attempts has occurred. AFP model as stated above. To address these prob- To prevent this kind of attacks, Bellare et al. [4] and lems, Yoneyama extended the eCK model proposed by Boyko et al. [5] independently suggested the first prov- LaMacchia et al. [15] to the 3-party password-based sit- ably secure PAKE protocols. uation, deriving the 3eCK model. The major difference In PAKE protocols, they are generally listed into between the 3eCK model and previous models is in an two types as balanced PAKE and augmented PAKE. adversary’s oracle queries and capabilities in the target A balanced protocol assumes two party use the same session. password to authenticate a shared key for communi- cation. This is generic for any communication, in- 2.3 Key Exchange Protocol from Lattice cluding client-server and client-client. As an exam- Ding et al. [16] suggested the first lattice-based key ple of balanced PAKE protocol, Encrypted Key Ex- exchange protocol in 2012. Following this research, nu- change (EKE) [3], Password Authenticated Key ex- merous work studied key exchange and authenticated change (PAK) and Password-Protected Key exchange key exchange protocols based on Learning with Errors (PPK) [5], Simple Password Exponential Key Exchange (LWE) problem and its variant [17–22]. (SPEKE) [6], Simple Password-Authenticated Key Ex- Peikert [17] gave efficient and practical lattice-based change (SPAKE) [7], and Password Authenticated Key protocols for key transport and authenticated key ex- Exchange by Juggling (J-PAKE) [8] are well-known. change that are suitable as “drop-in” replacement for On the other hand, an augmented one is more suit- current Internet standards. Bos et al. [18] designed the able to the client-server case, in which the server does more efficient protocol to be implemented in the TLS not store password-equivalent data. This means that protocol and NewHope protocol [19] improved the per- an attacker that stole the server data still cannot im- formance this protocol with higher security level. personate as the client unless they first perform a brute Frodo protocol [20] was suggested to remove the risk force search for the password. Examples include aug- to have more structure in the hardness problem, ring mented EKE [9] and PAK-Z [10]. structure in the case of lattice-based key exchange pro- tocols. It was designed to rest its security on LWE 2.2 3PAKE Protocol problem instead of ring-LWE problem. The 3PAKE protocols are divided into two categories Zhang et al. [21] designed an authenticated key ex- as implicit server authentication and explicit server au- change based on lattice similar to HMQV [23]. thentication. A 3PAKE protocol with implicit server Kyber protocol [22] is yet another authenticated key authentication can only have mutual authentication be- exchange protocol recently proposed by Bos et al. This tween two users, i.e., the server does not authenticate protocol is based on a variant of LWE problem called

2 ⊥ m Module-LWE to enhance the performance and proves and as a set Λq (A) = {e ∈ Z |A · e = 0 mod q} when the security with the Quantum-accessible Random Or- u = 0. acle Model (QaROM) instead of classical Random Or- Lattice-based cryptography has a lot of advantages acle Model (ROM). that their security is based on the average-case hard- There are only a small number of PAKE protocols ness problems like Small Integer Solution (SIS) problem based on lattice at the time of this research. One and Learning With Errors (LWE) problem, which re- of these lattice-based PAKE protocols is that of Katz main secure against quantum computing attacks and and Vaikuntanathan [24]. This protocol is proven se- can be reduced to the worst-case hardness problem in cure in the standard model security, but it is not so lattices like Shortest Vector Problem (SVP) and Clos- efficient due to its Common Reference String (CRS)- est Vector Problem (CVP). based design. Recently, Zhang and Yu [25] suggested Among them, LWE problem is introduced by Regev a new CRS-based PAKE framework from public key [26] in 2005 and ring-LWE problem is introduced by encryption with associated approximate smooth pro- Lyubashevsky et al. [27] in 2010. Both are shown to be jective hashing. quantum-resistant mathematical hard problem against But CRS-based protocols use complicated crypto- quantum adversary. graphic tools to achieve standard-model security while We give a formal definition of these problems in the ROM-based protocols have very simple and elegant de- below: signs. Compared to those CRS-based protocols [24,25], Ding et al.’s PAKE protocol [2] is more efficient since Definition 1. (LWE problem) m×n it is proven secure based on ROM. For a matrix A ∈ Zq with m ≥ n log q, a vector m Recently, Xu et al. [1] proposed the first lattice-based b ∈ Zq where b = A · s + e mod q and a small vector m n 3PAKE protocol extending RLWE-PAK protocol by e ←χ Zq , it is hard to find a secret vector s ∈ Zq . Ding et al. [2], but this protocol is quite complicated Error distribution χ over Zq is usually either Gaus- since it is the 3PAKE protocol with explicit server au- sian distribution or binomial distribution. thentication. LWE problem can be also interpreted as a set of m independent samples (ai, bi) = (hs, aii + ei mod q). If 3 Preliminaries we switch the space to the , the computa- 3.1 Notation tion behaves like a ring. We denote vectors as bold small letters (e.g., x, y) Definition 2. (ring-LWE problem) and matrices as bold capital letters (e.g., A, B). In a ring Rq, given a pair of ring elements (a, b) where Let R and Z express the set of real numbers and the b = a · s + e mod q and a small vector e ←χ Rq, it set of integers, respectively and italic letters express is hard to find a secret vector s ∈ Rq. real numbers (e.g., a, b, c). We say that all instances from Definitions 1 and 2 For any integer q ≥ 2, Zq denotes the ring of integers n×m are from LWE distribution and ring-LWE distribution, modulo q and Zq denotes the set of n × m matrices respectively. with entries in Zq. Decisional version of LWE (ring-LWE) problem is, For a ring R of degree n over Z, we denote its quo- for m independent LWE (ring-LWE) instances, to dis- tient ring as Rq = R/qR and its ring element as bold italic letters (e.g., a, b, c). tinguish whether the set of instances are from uniform n×m1 n×m2 distribution or LWE (ring-LWE) distribution. When A ∈ Zq , B ∈ Zq , we write the con- n×(m1+m2) catenation of A and B as [A | B] ∈ Zq . 4 Previous Lattice-based PAKE Let f(a, b) be a function f on a and b. We say a function f : Z → R+ is negligible when f = O(n−c) for 4.1 RLWE-PAK and RLWE-PPK all c > 0 and denoted by negl(n). A function g(m) = Ding et al. [2] generalized the Diffie-Hellman like pro- dme is the ceiling function from R to Z such that g(m) tocols, PAK and PPK, by Boyko et al. [5] in lattice- is the smallest integer which is greater than or equal to based setting. m. In their protocol, Cha and Mod functions are used. q q For a set E = {−d e, ··· , d e} 3.2 Hard Problems on Lattices 4 4 Briefly, lattices are a fascinating tool in modern cryp- Cha is the characteristic function where tography and a lattice Λ can be defined as a discrete ( q q 0, if a ∈ E = {−d e, ··· , d e} subgroup of Rm with its basis S. A basis S of Λ is a set Cha(a) = 4 4 of linearly independent vectors S = {b1, b2, ··· , bm} 1, otherwise. which spans the lattice Λ and S = (b1|b2| · · · |bm) is a basis matrix of lattice Λ. and Mod2 : Zq × {0, 1} → {0, 1} is defined as: m Integer lattices are defined as a subgroup of Z in-   stead of m. For a matrix A ∈ n×m, we can denote q − 1 R Zq Mod2 (v, b) = v + b · mod q mod 2 u m 2 lattices as a set Λq (A) = {e ∈ Z |A · e = u mod q}

3 Figure 1: RLWE-PAK Protocol [2]

Figure 2: RLWE-PPK Protocol [2]

They defined the new lattice-based hardness assump- 5 AtLast Protocol tion called Pairing with Errors (PWE) problem which can be reduced to RLWE problem. 5.1 System Model The 3PAKE protocols are divided into two categories Definition 3. (PWE problem) as implicit server authentication and explicit server au- In a ring Rq, given a tuple of ring elements (a, x, y, k) ∈ thentication. A 3PAKE protocol with implicit server 4 2 Rq where (a, x) ∈ Rq are uniformly chosen, y = authentication can only have mutual authentication be- a · s + 2e with e ←χ Rq is a ring-LWE sample, and tween two users, i.e., the server does not authenti- ω = Cha (x · s + g) for some g ←χ Rq and , it is hard cate a user while executing the protocol. In contrast, to find σ = Mod2 (x · s + g, ω). a 3PAKE protocol with explicit server authentication Figures 1 and 2 show the description of lattice-based must have mutual authentication between a server and PAKE protocols with explicit server authentication and users. Thus, a 3PAKE protocol with explicit server au- implicit server authentication, respectively. thentication normally has more complicated than the one with implicit server authentication. 4.2 RLWE-3PAKE In our protocol, we assume that the server is honest but curious so that the server should not be able to gain Xu et al. [1] introduced the first lattice-based 3PAKE any information on the value of that session key during protocol extending Ding et al.’s RLWE-PAK protocol. the protocol. To achieve this property, we design a They assume that the server S is fully trustful and 3PAKE protocol with implicit server authentication. clients A and B seek to have server’s help to establish a shared session key. 5.2 Our Construction Then, they implemented their RLWE-3PAKE proto- col with the similar security parameter used in NewHope We design a novel 3PAKE protocol based on lattice, protocol [19] and compared the result with another AtLast, as shown in Figure 3 by extending RLWE-PPK 3PAKE protocol based on elliptic curve. protocol.

4 Figure 3: Our AtLast Protocol

During the RLWE-PPK key exchange process be- keys is guaranteed, but only for sessions in which tween server and each client, we assume that server the adversary did not actively interfere. uses the same secret key sS, while the public keys for 5. Key privacy each process are different as νA = a · sS + eSA and In the proposed protocol, the server should not νB = a · sS + eSB. be able to gain any information on the value of Then, we compute k AB = sA ·k BS = sA ·sS{a ·sB + the session key, even though the server’s help is 2eB} and k BA = sB · k AS = sB · sS{a · sA + 2eA} for client A and B, respectively. mandatory to establish a session key between two After that, similar to the process of RLWE-PPK pro- clients in the protocol. tocol, we apply Cha and Mod2 to have the mutual key 6. Resistance to three classes of password guess- to establish the shared secret key between two clients ing attacks and use MAC function for mutual authentication be- To ensure the security of the password, the pro- tween them. tocol should resist undetectable online password guessing attacks, detectable online password guess- 5.3 Security Requirements ing attacks, and offline password guessing attacks. To check the security of AtLast protocol, we have to prove the following security requirements of 3PAKE 7. Resistance to other various attacks protocols. The protocol should withstand other attacks such as user impersonation, modification and man-in- 1. Session key security the-middle attacks. If two uncorrupted clients in the proposed pro- tocol complete matching sessions, they have the Among these security requirements, we show the va- same key and the probability that the adversary lidity of our protocol for some security requirements. guesses whether the key is from the protocol or We assume that the adversary A can make queries from random is negligible. to any instance as the former security modelling of key exchange protocols [4, 12, 28]. A can send messages to 2. Known key security a client, run the protocol to get the appropriate session Even after an adversary A has acquired one par- key, reveal the some session key, corrupt some clients, ticular session key, other session keys are still se- etc. cure. In the following proof sketch of our protocol, we as- 3. Forward secrecy sume the following conjecture. Even if a client’s password is leaked to the adver- Conjecture 1. If RLWE-PAK protocol based on ring- sary, the adversary is not able to acquire previous LWE is secure in the ROM, our AtLast protocol is also session keys, even though the adversary actively secure in the ROM. interfered, or tried to act as a man-in-the-middle attack. Session key security 4. Weak perfect forward secrecy (wPFS) In our proposed protocol, the server and clients au- Even though client’s long-term keys are compro- thenticate each other via the shared password. mised, the secrecy of previously established session-

5 Thus, anyone who does not have the password of clients (e.g. pwA for Client A) cannot compute the right computation for (γ1, γ2) = (H1 (pwA) ,H2 (pwA)). Hence, he/she cannot be authenticated by the other client and the proposed 3PAKE protocol provides mu- tual authentication between the server and the client like the original RLWE-PPK protocol. On the other hand, since unauthorized client will not be authenticated by the server and unable to interact with other legitimate client, our protocol provides ses- sion key security. Figure 4: A generic construction by Abdalla et al. [11] Known key security The clients use ephemeral keys to establish the ses- Oracle Model (ROM) and Quantum-accessible Ran- sion key. Thus, a session key has no relation to other dom Oracle Model (QaROM) and embed our protocol session keys. Though the adversary A has one session to internet protocols like TLS protocol. key, other session keys will remain secure. Therefore, our protocol provides known key security. Acknowledgement

Forward secrecy and wPFS This work was partly supported by Institute for In- formation & communications Technology Promotion Since our protocol provides known key security and (IITP) grant funded by the Korea government (MSIT) the session key is independent of the password, leak- (No. 2017-0-00555, Towards Provable-secure Multi- age of the password does not make the adversary have party Authenticated Key Exchange Protocol based on previously established session keys unless the adversary Lattices in a Quantum World) and National Research interfered the protocol directly. Therefore, our protocol Foundation of Korea (NRF) grant funded by the Korea provides weak perfect forward secrecy. government (MSIT) (No. NRF-2015R1A2A2A01006812, Key privacy Design and Security Analysis of Novel Lattice-based Fully Homomorphic Signatures Robust to Quantum In our protocol, the server cannot compute the value Computing Attack). of the session key, even though the server provides ephemeral keys while establishing a session key between References two clients in the protocol. Thus, our protocol satisfies the key privacy property. [1] D. Xu, D. He, K.-K. R. Choo, and J. Chen, “Provably secure three-party password authenti- 6 Conclusion and Future Work cated key exchange protocol based on ring learn- ing with error,” IACR Cryptology ePrint Archive In this paper, we designed a novel 3PAKE proto- 2017/360, 2017. col with implicit server authentication based on the RLWE-PPK [2] and sketch the security requirements [2] J. Ding, S. Alsayigh, J. Lancrenon, R. Saraswathy, of the proposed protocol. Though RLWE-3PAKE pro- and M. Snook, “Provably secure password authen- tocol assumed that the server is fully trustful, we as- ticated key exchange based on rlwe for the post- sume more realistic scenario that the server might be quantum world,” in Cryptographers’ Track at the not fully trustful. RSA Conference, pp. 183–204, Springer, 2017. Our approach is based on the generic construction by Abdalla et al. [11] in Figure 4 since we use MAC proto- [3] S. M. Bellovin and M. Merritt, “Encrypted key ex- col for further authentication between two clients but change: Password-based protocols secure against we modify the construction to adjust it to the lattice- dictionary attacks,” in IEEE Computer Society based cryptography Symposium on Research in Security and Privacy, Compared to RLWE-3PAKE protocol by Xu et al. pp. 72–84, IEEE, 1992. [1], our protocol is conceptually simpler lattice-based [4] M. Bellare, D. Pointcheval, and P. Rogaway, 3PAKE protocol than the protocol by Xu et al. [1]. “Authenticated key exchange secure against dic- But, we only gave the proof sketch of some of security tionary attacks,” in Advances in Cryptology– requirements and missed the proof for the resistance to EUROCRYPT 2000, pp. 139–155, Springer, 2000. password guessing attacks and other various attacks. As future work, we plan to extend the proposed pro- [5] V. Boyko, P. MacKenzie, and S. Patel, “Prov- tocol to a group-oriented setting (i.e. lattice-based ably secure password-authenticated key exchange group PAKE protocol) and multi-party setting (i.e. using diffie-hellman,” in Advances in Cryptology– lattice-based multi-party PAKE protocol). EUROCRYPT 2000, pp. 156–171, Springer, 2000. In addition, we will give the formal security proof for both classical and quantum adversaries from Random

6 [6] D. P. Jablon, “Strong password-only authenti- [18] J. W. Bos, C. Costello, M. Naehrig, and D. Ste- cated key exchange,” ACM SIGCOMM Computer bila, “Post-quantum key exchange for the tls pro- Communication Review, vol. 26, no. 5, pp. 5–26, tocol from the ring learning with errors prob- 1996. lem,” in IEEE Symposium on Security and Pri- vacy, pp. 553–570, IEEE, 2015. [7] M. Abdalla and D. Pointcheval, “Simple password-based pro- [19] E. Alkim, L. Ducas, T. P¨oppelmann, and tocols,” in Cryptographers’ Track at the RSA P. Schwabe, “Post-quantum key exchange-a new Conference, vol. 3376, pp. 191–208, Springer, hope,” in USENIX Security Symposium, pp. 327– 2005. 343, 2016.

[8] F. Hao and P. Y. Ryan, “Password authenticated [20] J. Bos, C. Costello, L. Ducas, I. Mironov, key exchange by juggling,” in International Work- M. Naehrig, V. Nikolaenko, A. Raghunathan, and shop on Security Protocols, pp. 159–171, Springer, D. Stebila, “Frodo: Take off the ring! practi- 2008. cal, quantum-secure key exchange from LWE,” in ACM SIGSAC Conference on Computer and [9] S. M. Bellovin and M. Merritt, “Augmented en- Communications Security, pp. 1006–1018, ACM, crypted key exchange: a password-based proto- 2016. col secure against dictionary attacks and password file compromise,” in ACM Conference on Com- [21] J. Zhang, Z. Zhang, J. Ding, M. Snook, puter and Communications Security, pp. 244–250, and O.¨ Dagdelen, “Authenticated key exchange ACM, 1993. from ideal lattices,” in Advances in Cryptology– EUROCRYPT 2015, pp. 719–751, 2015. [10] P. MacKenzie, “The PAK suite: Protocols for password-authenticated key exchange,” in Contri- [22] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyuba- butions to IEEE P1363.2, 2002. shevsky, J. M. Schanck, P. Schwabe, and D. Stehl´e, “CRYSTALS–Kyber: a CCA-secure module- [11] M. Abdalla, P.-A. Fouque, and D. Pointcheval, lattice-based KEM,” IACR Cryptology ePrint “Password-based authenticated key exchange in Archive 2017/634, 2017. the three-party setting,” in International Work- shop on Public Key Cryptography, pp. 65–84, [23] H. Krawczyk, “HMQV: A high-performance Springer, 2005. secure Diffie-Hellman protocol (extended ab- stract),” in Advances in Cryptology–CRYPTO [12] M. Bellare and P. Rogaway, “Entity authen- 2005, pp. 546–566, Springer, 2005. tication and key distribution,” in Advances in Cryptology–CRYPTO’93, pp. 232–249, Springer, [24] J. Katz and V. Vaikuntanathan, “Smooth pro- 1993. jective hashing and password-based authenti- cated key exchange from lattices,” in Advances [13] W. Wang and L. Hu, “Efficient and provably se- in Cryptology–ASIACRYPT 2009, vol. 5912, cure generic construction of three-party password- pp. 636–652, Springer, 2009. based authenticated key exchange protocols,” in INDOCRYPT, pp. 118–132, Springer, 2006. [25] J. Zhang and Y. Yu, “Two-round PAKE from ap- proximate SPH and instantiations from lattices,” [14] K. Yoneyama, “Password-based authenticated key in International Conference on the Theory and exchange without centralized trusted setup,” in Application of Cryptology and Information Secu- International Conference on Applied Cryptography rity, pp. 37–67, Springer, 2017. and Network Security, pp. 19–36, Springer, 2014. [26] O. Regev, “On lattices, learning with errors, ran- [15] B. LaMacchia, K. Lauter, and A. Mityagin, dom linear codes, and cryptography,” in Annual “Stronger security of authenticated key ex- ACM symposium on Theory of computing, pp. 84– change,” in International Conference on Provable 93, ACM, 2005. Security, pp. 1–16, Springer, 2007. [27] V. Lyubashevsky, C. Peikert, and O. Regev, “On [16] J. Ding, X. Xie, and X. Lin, “A simple provably ideal lattices and learning with errors over rings,” secure key exchange scheme based on the learn- in Annual International Conference on the The- ing with errors problem,” IACR Cryptology ePrint ory and Applications of Cryptographic Techniques, Archive 2012/688, 2012. pp. 1–23, Springer, 2010. [17] C. Peikert, “Lattice cryptography for the in- [28] M. Bellare and P. Rogaway, “Provably secure ses- ternet,” in International Workshop on Post- sion key distribution: the three party case,” in Quantum Cryptography, pp. 197–219, Springer, Annual ACM symposium on Theory of computing, 2014. pp. 57–66, ACM, 1995.

7