New Password Authenticated Key Exchange Based on the Ring Learning with Errors

Home , Learning with errors, Speke, Trapdoor function

A dissertation submitted in partial fulﬁllment of the requirements for the degree of Doctor of Philosophy

Department of Mathematical Sciences McMicken College of Arts and Sciences University of Cincinnati, June 2016

Author: Saed Alsayigh Chair: Jintai Ding Degrees: B.S. Mathematics, 2003, Committee: Ning Zhong King Saud University Daniel Smith M.S. Applied Mathematics, 2009, Chris Christensen King Saud University Yizao Wang M.S. Mathematics, 2016, University of Cincinnati Abstract

Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over an insecure communications network. Password- Authenticated Key Exchange (PAKE) assumes that the parties in communication share a simple password, which is human-memorable and is used to achieve the authentication. These features are appealing in an age when most people access sensitive personal data remotely from pervasive hand-held devices. Theoretically PAKEs allow secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this thesis, we apply the proposed technique in [JD12] to construct two lattice-based PAKE protocols that have simple and elegant designs that extend the class of Random Oracle Model (ROM)-based protocols PAK and PPK [BMP00; Mac02] protocols to a lattice-based setting. The new protocol following the structure of PAK is three-pass and provides mutual explicit authentication; the protocol following the structure of PPK is two-pass and provides implicit authentication. Our protocols rely on the Ring Learning with Errors (RLWE) assumption and exploit the additive structure of the underlying RLWE ring, which allows the protocols to achieve provable security. Our protocols have a comparable level of efﬁciency to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that these protocols are efﬁcient and practical, and, therefore, that our two protocols are suitable quantum safe replacements for PAK and PPK.

In this moment of submitting my thesis, there are many people who I have to thank for their help and support: First of all, a special thanks to my wife Zainab and my four lovely children, Hawra, Fatimah, Husain and Ridha for being patient and supportive all this time with me. I also thank my parents, all my family, and my friends. I want to express my gratitude to my supervisor professor Jintai Ding who guided me during my PhD studies and helped me to understand and love cryptography. Thank you for being a good friend, for your advice, and for standing with me when I needed you. Next, I would like to thank the University of Cincinnati, speciﬁcally the faculty of Department of Mathematical Sciences who have helped me learn a lot during the course of my studies here. I also thank the cryptography group members that I worked with during my study: Jean, Michael, Saraswathy and Yuntao. I really enjoyed working with you guys, thank you. Finally, I would like to thank the King Abdullah Scholarship Program for the ﬁnancial support and for giving me this opportunity to continue my studies in the United States.

iv Contents

Abstract ii

Acknowledgments iv

List of Tables viii

List of Figures ix

1. Introduction and Contributions 1 1.1. Introduction ...... 1 1.2. Our contributions ...... 6 1.3. Related work ...... 8 1.3.1. PAKE protocols and security models...... 8 1.3.2. AKE from lattices...... 10

2. PAK and PPK based on Difﬁe-Hellman 11 2.1. Introduction ...... 11 2.2. Security model ...... 12 2.2.1. Computational Difﬁe-Hellman assumption ...... 15 2.3. The PAK protocol ...... 15 2.3.1. Security of PAK ...... 17 2.4. The PPK protocol ...... 18 2.4.1. Security of PPK ...... 19 2.5. Security of PAK and PPK in a Post-Quantum World ...... 20

3. Introduction to Lattice Theory 21 3.1. Introduction ...... 21 3.2. Preliminaries ...... 22 3.3. Lattices ...... 25

v 3.4. Hard problems in lattices ...... 27 3.4.1. Complexity of lattice problems ...... 29 3.5. Lattice reduction algorithms ...... 30 3.5.1. Gauss reduction algorithm ...... 30 3.5.2. LLL lattice reduction algorithm ...... 31 3.5.3. BKZ lattice reduction algorithm ...... 32

4. The Hard Cases in LLL reduction 34 4.1. Introduction ...... 34 4.2. Preliminaries ...... 36 4.3. Three-dimensional case ...... 39 4.3.1. LLL outputs a shortest vector? ...... 39 4.3.2. Main theorem ...... 39 4.3.3. The Beauty and the Beasts ...... 44 4.3.4. Experimental results ...... 45 4.4. High-dimensional cases ...... 46 4.4.1. Success probability of LLL ...... 46 4.4.2. How to build hard lattice in high dimensions ...... 46 4.4.3. Experimental results of high dimensional cases ...... 48 4.4.4. The quality factor and our build lattice ...... 48

5. Lattice and Cryptography 50 5.1. Introduction ...... 50 5.2. Lattices in Cryptography ...... 50 5.3. Hard lattice problems in Cryptography ...... 52 5.3.1. Short Integer Solution ...... 52 5.3.2. Learning with Errors ...... 53 5.3.3. Ring Learning with Errors ...... 54 5.4. New Lattice Problems ...... 55 5.4.1. The RLWE Difﬁe Hellman problem ...... 59 5.4.2. The Pairing with Errors problem ...... 60

6. The New Protocols 62 6.1. Introduction ...... 62 6.2. Security model ...... 63 6.3. Security assumption ...... 63 6.4. Password-Authenticated RLWE Key Exchange(RLWE-PAK)...... 64 6.4.1. Correctness ...... 65 6.4.2. Proof of security for RLWE-PAK ...... 67 6.5. Implicit authentication ...... 81 6.5.1. Proof of security for RLWE-PPK ...... 82 6.6. Implementation ...... 94

7. Conclusion and Future Work 95

vi Bibliography 98

A. Publications 107

Index 108

vii List of Tables

4.1. Some experimental results using our constructed 3-dimensional Beast bases. Note that we call LLL failed if the shortest vector was not in the LLL-reduced basis...... 46 4.2. Some experimental results of higher dimensional Beast bases...... 48

6.1. Timings of PAKE protocol as described in Fig. 6.1 and Fig. 6.2 ...... 94

viii List of Figures

2.1. The Original PAK Protocol ...... 17 2.2. The Original PPK Protocol ...... 19

4.1. The number of LLL failed cases in dimension 3 using same bases but different δ. 40 2 4.2. The structure of Beauty lattices in R ...... 45 4.3. Experimental results of random bases generated from TU Darmstadt SVP Chal- lenge...... 47

6.1. Explicitly Authenticated Protocol ...... 66 6.2. Implicitly Authenticated Protocol ...... 82

ix Chapter 1

Introduction and Contributions

1.1. Introduction

Computers and electronic communications have become essential components of everyday life and are hard to live without. In routine use of these devices, important personal and conﬁdential information are stored and transferred during communications. Keys questions one asks about the use of such devices is whether the information shared during communication is secure and whether that there is unauthorized use of the information. Communication security and the prevention of unauthorized use of information are not new issues that were born with the rapidly increasing use of technology. These issues have been critical issues for thousands of years.

The study of information security is called cryptology. It consists of two different area of study. One is called cryptography. Cryptography studies the construct of cipher systems that can be used to hide information. Such systems are called cryptosystems. Each cryptosystem consists of two functions: one function is used to encrypt or hide messages while the other function is used to decrypt or recover the messages. The other half of cryptology is cryptanalysis.

Cryptanalysis studies breaking cryptosystems and analyzes the leak age of information from a targeted cryptosystem.

1 There are two types of cryptosystems: symmetric cryptosystems and asymmetric cryptosystems. When using a symmetric cryptosystems, all people in the communication have the same ability. Everyone can encrypt and decrypt every messages. The security of a symmetric cryptosystem is usually based on the length of the key and the strength of the algorithm. Symmetric cryptosystems require key exchange among people in the communication. Key exchange is especially a problem when the number of people in the communication is large and they cannot meet to exchange the key. Data Encryption Standard (DES) and the Advanced Encryption Standard

(AES) are examples of this type of cryptosystem. When using an asymmetric cryptosystem, one of the people in the communication has more advantage than the others; the owner of the key can decrypt but other can only encrypt. The security of an asymmetic cryptosystem is usually based on the hardness of a mathematical problem that the system is built upon. Asymmetric cryptosystems are also called public key cryptosystems (PKC) because they publish the encryption key.

The most common PKCs are:

1. Diffie-Hellman Key Exchange Protocol, DHKE, which was invented by Whitfield Diffie

and Martin Hellman in 1976 [DH76].

2. RSA, which was invented by Ronald Rivest, Adi Shamir, and Len Adleman in 1978.

3. ElGamal algorithm, which was invented by Taher Elgamal in 1984 and is based on DHKE.

4. Elliptic curve cryptography (ECC) which was suggested by Neal Koblitz and Victor S.

Miller in 1985 and is based on the algebraic structure of elliptic curves over ﬁnite ﬁelds.

In 1976, Difﬁe and Hellman proposed a public key distribution system in their paper “New directions in cryptography” [DH06]. This system allows two parties to exchange key over an insecure channel. Say, Alice and Bob would like to share a key which they can use with a symmetric cryptosystem. Assume that G is a cyclic group of prime order q and that G is generated by g. Then Difﬁe-Hellman protocol works as follow:

2 a • Alice picks a random integer a ∈ Zq where 2 ≤ a ≤ q − 1, computes x = g mod q and sends x to Bob.

b • Bob receives x, picks a random integer b ∈ Zq where 2 ≤ b ≤ q − 1, computes y = g b mod q, sends y to Alice, and computes the session key Kab = x mod q.

a • Alice receives y and computes the session key Kba = y mod q.

Note that Kab = Kba since the exponential function modulo q is a commutative function. While it is easy to compute the value gab mod q, given ga mod q and gb mod q it is hard to compute gab mod q.

Definition 1.1.1. Computational Diffie-Hellman problem (CDH): Let G be a finite cyclic group

a b ab of order q and let g be a generator of G. Let a, b ∈ Zq and define DH(g , g ) = g . The Computational Diffie-Hellman problem is as follows: given (g, ga, gb), find DH(ga, gb).

An adversary, who is eavesdropping on the communication between Alice and Bob, needs to solve CDH to compute the shared key Kab or to solve another well-known mathematical hard problem that is called the Discrete Logarithm problem (DLP):

Deﬁnition 1.1.2. Discrete Logarithm problem: Let G be a cyclic group of order q and let g be

a a generator of G. Let a ∈ Zq and deﬁne DL(g ) = a. The Discrete Logarithm problem is as follows: given (g, ga), ﬁnd DL(ga) = a.

It is well known that the Difﬁe-Hellman protocol is not resistant against a man-in-the-middle attack. To avoid this kind of attacks, it is necessary to authenticate the people in the communication.

Authenticated Key Exchange (AKE) is a cryptographic service with the aim of allowing several entities to jointly establish a high-entropy and secret session key over an insecure channel.

That the protocol includes authentication of the purported peers is essential to prevent man-in- the-middle attacks. In order to achieve this, it is required that some form of long-term authentication material already be in place prior to the exchange occurring. For instance, the entities could

3 each have their own public-key/secret-key pair (e.g. for STS [DVOW92], or HMQV [Kra05]), that is certiﬁed by a trusted authority, or it could be a shared symmetric key speciﬁcally dedicated to running an AKE with which to establish other session keys (e.g. the protocols in [BR93a]).

Password-Authenticated Key Exchange (PAKE) assumes that the parties of the key exchange share a simple password. PAKE differs from the shared-symmetric-key case in that the password is not necessarily a cryptographically strong piece of data. Indeed, most passwords have very low entropy so that they can retain their main advantage over strong keying material: they are cheap and human-memorable. Moreover, these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Thus, PAKEs are practically relevant. From a theoretical standpoint, they are quite unique in that they allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point.

From a security modeling perspective, the use of passwords as authentication material presents a specific challenge. A password’s low entropy makes it easy to discover by brute force, if an attacker can obtain password-dependent data against where guesses can be checked. Such attacks are known as dictionary attacks. There are two types of dictionary attacks: In an offline attack, the adversary observes protocol runs - possibly also interacts with the entities involved - and then goes offline to do password testing. To avoid this, protocol messages and session keys must look computationally independent from the password. In an online attack, the attacker needs to be actively involved in a protocol interaction in order to determine the verdicts on its guesses.

The most natural online attack available is to run the protocol with a gussed password as input, and observe whether the protocol run succeeds or fails. Such an attack is unavoidable; thus a

PAKE must be designed such that the adversary can test at most a small constant (ideally, one) number of passwords per online interaction.

PAKEs have been very heavily studied in the past three decades. Formal security models have appeared [BPR00; BMP00], and many protocols have been designed and analyzed

(e.g., [BCP03; Mac02; JG05; KV11; ABM15]). There is a large list of papers regarding

4 password-based key exchange which is cited by Jablon [Jab08]. The current pool of practical protocols1 can be classiﬁed into two categories: the class of Random Oracle Model (ROM)- based PAKEs (such as [BPR00; BCP03; Mac02; BCP04; Jab96; BM92; ACCP08]) and the class of Common Reference String (CRS)-based PAKEs (such as [KOY01; CHKLM05; GL03;

GK10; KV11]). The protocols in the ﬁrst category have very simple and elegant designs but rely crucially on the ROM [BR93b] for their proofs of security. The protocols in the second category use sophisticated cryptographic tools2 to achieve standard-model security (assuming a

CRS is in place3). The simplicity and efﬁciency of ROM-based protocols (and the fact that if carefully instantiated they are not known to have been broken) makes them much more attractive for deployment than CRS-based protocols.

Searching for Cryptography tools that can be resistant against the adversary attacking by a quantum computer is currently one of the fundamental issues in cryptography research because the security of the most commonly used public key algorithms is based on the classical hard problems that can be solved as soon as a quantum computer of satisfactory size is available.

In the US, the National Security Agency (NSA) [NSA05] published a webpage announcing preliminary plans for transitioning the Suite B cryptographic algorithms to quantum resistant algorithms. The suite B algorithms are speciﬁed by the National Institute of Standards and

Technology (NIST) and are used by NSA’s Information Assurance Directorate for protecting classiﬁed and unclassiﬁed National Security Systems (NSS). It is clear that the effort to develop quantum-resistant technologies is intensifying and, soon, NIST, which has the authority to establish the security standards of the US government, will issue a request for proposals for post-quantum cryptosystem. Regardless of which of the aforementioned categories they belong to, most known PAKEs rest their security on either group-type or factoring-type complexity assumptions, making them unsuitable in a possibly upcoming post-quantum world. Therefore,

1Some impractical yet complexity-theoretically efﬁcient protocols have been studied for theoretical reasons. See e.g. [GL01; NV04; GJO10]. 2In particular, they use universal hash proof systems [CS02] over complex languages. 3A CRS is essentially a publicly available string to which a secret trapdoor is theoretically associated, but never used by protocol participants. During a proof of security, the simulator gets access to this trapdoor.

5 searching for PAKEs that can be based on provably secure lattice assumptions is a natural goal.

In the current literature, as far as we know only such PAKE stands out the Katz–Vaikuntanathan protocol [KV09] which relies on lattice-type assumptions for its security, but it is CRS-based.

1.2. Our contributions

The main goal of this thesis is to build new protocols that are secure in the coming quantum world. Since lattices have many problems that are hard to solve even with quantum techniques, we will start with studying lattice reduction. Speciﬁcally we will study the behavior of the LLL algorithm [LLL82] which is the most efﬁcient algorithm that does lattice reduction in polynomial time. The behavior of this algorithm is mysterious. In this thesis, in chapter 4, we study LLL algorithm. Our work aims to reduce the gap between what we know theoretically and what we know from practice. It turns out that the symmetry of the perfect lattice plays a key role. We call the perfect lattice the Beauty lattice (vectors of 60 degree angles with the same length).

The hardest case of LLL reduction is directly associated to the Beauty which explains why the hardest case’s approximation factor is directly related to the Hermite constant for dimension 2.

We call the hard cases in LLL reduction ”Beasts”. They have lattice bases constructed from

Minkowski reduced basis whose vectors satisfying two properties: (1) the vectors are almost the same length. (2). the angles of the vectors are almost 60◦. We proved our discovery theoretically in 3-dimensional lattices. In addition our experiments show that using our setting of parameters,

Beast cases can resist a strong LLL reduction by 100%. For dimension greater than 3, we still have high percentages of failure; however, it is not a 100%.

In this thesis, we proposed two lattice-based PAKE protocols that have very simple and elegant designs which are similar to the class of ROM-based protocols. More speciﬁcally, our protocols can be viewed as direct analogues of the PAK and PPK [BMP00; Mac02] protocols in the lattice-based setting. The protocol resembling PAK is three-pass and provides mutual explicit authentication, while the protocol following the structure of PPK is two-pass, and provides

6 implicit authentication. Most importantly, our protocols have a comparable level of efﬁciency to PAK and PPK.

The starting point for our construction is the recently proposed technique introduced in [JD12], and used in [ZZDSD15] to design a lattice-based variant of the HMQV protocol. As in the latter paper, our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption and exploit the additive structure of the underlying RLWE ring, which makes our two protocols suitable quantum-safe replacements for PAK and PPK.

We can build the PAKE protocol using RLWE in a rather straightforward manner. Though the general structure of the security proofs for our protocols is very similar to that of the original

PAK protocol where the security of PAK relies on an adversary being unable to solve the Difﬁe–

Hellman Problem, the techniques used in this thesis are intricate and completely different.

We establish a full proof of security for our RLWE-PAK protocol in the classic security model proposed by Bellare et al. [BPR00]. To simplify the proof, ﬁrst we, in chapter 5, deﬁne the

Pairing with Errors problem, which can be reduced to the RLWE problem. This new problem is used multiple times in the proof, and allows us to build intermediate steps to ﬁll the gap of the proof, which did not exist in the proof for the classical PAKE.

The complete replacement of the Difﬁe–Hellman core of PAK with the new lattice-based core meant that the similar distinguishers used in the PAK proof had to be completely replaced and were of no use in constructing the new distinguishers. The new distinguishers have to compensate for the presence of the password in the protocol without being able to directly remove its inﬂuence, as they have no access to the value of the password itself. In the proof, there are three places where we have to build some distinguishers to solve the PWE problem. Since such distinguishers are completely new and subtle, we need to use novel methods to construct them.

Only by applying these new distinguishers, are we able to link the security directly with the

PWE problems. Building such these distinguishers was a critical point in our proof, and they enable us to prove that an adversary that is able to break our protocol is able to solve the PWE.

7 We created a proof-of-concept implementation of our new PAKE to show that our new PAKE is efﬁcient and practical. We also created an implementation of the implicit version to show that it is efﬁcient and practical as well.

1.3. Related work

Because AKE protocol research is far too vast to describe in full, we only survey those portions of that are most relevant to this work: PAKE and AKE based on lattice-type assumptions. We only consider protocols in the two-party setting.

1.3.1. PAKE protocols and security models.

PAKE was essentially invented by Bellovin and Merritt in [BM92]. The authors raised the problem of dictionary attacks in this particular setting, proposed some protocols - most notably the Encrypted Key Exchange (EKE) protocol - and offered an informal security analysis of their designs. Jablon [Jab96] later proposed another protocol - Simple Password Exponential Key

Exchange (SPEKE) which avoided some of the pitfalls of EKE, but the also offered only an informal security analysis.

The search for good security models began with the work of Lucks [Luc98] and Halevi and

Krawczyk [HK99]. Laying down adequate foundations for the provable security of PAKE was a particularly subtle task, because it is not possible to prevent an adversary from guessing and trying out candidate passwords in on-line impersonation attempts and because the small size of the dictionary means that an adversary’s natural advantage in succeeding at this is non-negligible.

Good models capturing this phenomenon were ﬁnally exhibited by Bellare et al. [BPR00] and

Boyko et al. [BMP00]. These models build, respectively, on the AKE models proposed by

Bellare et al. in [BR93a] and Shoup in [Sho99]. The model in [BPR00] was further reﬁned by

Abdalla et al. in [AFP05]. The notion of universally composable PAKE has also since been introduced by Canetti et al. [CHKLM05].

8 A large number of protocols have been proposed and analyzed- especially since the apparition of adequate security models. Some efﬁcient examples include the protocols in [BPR00; BCP03;

BCP04; BMP00; Mac02; Mac01; Kwo01; Jab96; HR10; ABP15; ACCP08]. On one hand, these are mostly two-or-three-pass protocols with very few group operations. For instance, the explicitly authenticated PAK protocol in [Mac02] is three-pass and sends 2 group elements (and

2 conﬁrmation bitstrings of length linear in the security parameter) over the network. It requires a total of only 4 exponentiations and 2 group multiplications. On the other hand, these protocols’ security is very heavily reliant on idealized assumptions4. In 2001, a milestone was reached with the work of Katz et al. [KOY01], which showed that it is possible to provably realize PAKE in a practical way without idealized assumptions but at the expense of having a CRS in place.

Many works generalizing and optimizing this result followed, such as [JG05; GK10; KV11;

GL03; Gen08], all using a CRS. It was further shown in [CHKLM05] that without idealized assumptions, universally composable PAKE is possible only if some other trusted setup - e.g. a

CRS - is in place. However, all of these CRS-using protocols are much less practical than the

ROM-using ones mentioned before. While it is possible to achieve a low number of passes using a CRS - e.g. [KV11] is a two-pass protocol - the number of group computations and elements sent is typically high. To our knowledge, the latest techniques [ABP15] discovered to reduce this still do not beat ROM-based PAKEs in efﬁciency. For instance, Abdalla et al. [ABP15] report on being able to bring the total group element and exponentiation counts of the Groce-

Katz protocol [GK10] down to 6 and 18 respectively and those of [KV11] down to 10 and 28 respectively.

Finally, some work has been devoted to determining if PAKE can be efﬁciently realized in a reasonable security model with neither idealized assumptions nor any form of trusted setup.

Goldreich et al. [GL01] were the first to answer in the affirmative, but assuming non-concurrent protocol executions. Their work was followed up by Nguyen et al. [NV04], who found a more efficient construction, but it is in a weaker model. Later, Jain et al. [GJO10] were able to further

4The ROM is one of them; another is the ideal cipher model, see [BPR00].

9 lift the restriction on concurrent executions. These works are viewed as being mainly of theoretical interest; Such protocols, although theoretically efﬁcient, are far less practical then even the

CRS-based protocols.

1.3.2. AKE from lattices.

Several works have begun addressing the problem of ﬁnding AKE protocols based on lattice- type assumptions. The protocols in [Pei14; BCNS15; FSXY12; FSXY13] are essentially lattice- based instantiations of generic constructions that use key-encapsulation mechanisms to construct

AKEs. Recently, this pattern was broken by the work of Zhang et al. [ZZDSD15], where a

RLWE analogue of the unauthenticated Difﬁe-Hellman protocol proposed by Ding et al. [JD12] was leveraged to build a kind of RLWE version of the HMQV protocol.

In all of these works, the authentication mechanism used relies on the deployment of a public- key infrastructure. In the case of password authentication, the only known protocol to appears to be that of Katz et al. [KV09]. It too can be viewed as a lattice-based instantiation of a generic construction because most known CRS-based frameworks for PAKE make use of an encryption scheme that is both secure against adaptive chosen-ciphertext attacks and is equipped with a universal hash proof system [CS02] and the heart of [KV09] is essentially a lattice-based instantiation of such a scheme.

10 Chapter 2

PAK and PPK based on Difﬁe-Hellman

2.1. Introduction

In this chapter, we represent the password authenticated key exchange protocol (PAK) and the password protected key exchange (PPK), which were introduced by Boyko, MacKenzie, and

Patel [BPR00]. We are presenting these two protocols because we are going to introduce two new post-quantum replacements for them. We chose these protocols to replace due to the good features that they have. PAK and PPK are both balanced password-authenticated key exchange protocols that allow two or more parties to establish cryptographic keys based on the same party’s knowledge of a password. One of the important properties that these two protocols have is that an adversary or man-in-the-middle will need further interactions with the parties in order to start brute force guesses to a password. Therefore we can have strong security even when using weak passwords. Users cannot remember long random numbers, so users who are required to know a large secret key will have to store this key. However, key storage requires extra security assumptions, and it introduce a new point of weakness. In the formal paper [BPR00], the authors gave an argument of security using the simulation model [Sho99]. They later updated

11 their proofs in the proposal paper that they submitted to standardize their protocols PAK, PPK, and PAK-Z [Mac02]. Even though the new proof used the same model of security as used in [BPR00], they analyzed the security differently. They deﬁned the number of tasks that the adversary needs to achieve in order to break the security of the protocol, assuming that the adversary has not expose particular interacting parties too much which make the tasks trivial. In our proof of security in this thesis we are following the proof model that is used in [Mac02].

2.2. Security model

Here, we review the security model from [BPR00]. It basically models the communications between a fixed number of users - which are clients and servers - over a network that is fully controlled by a probabilistic, polynomial-time adversary A. Users are expected to both establish and use session keys over this network. Therefore, A is given access to a certain number of queries which reflect this usage. It may initialize protocol communications between user instances of its choice, deliver any message it wants to these instances, and observe their reaction according to protocol specification. It may also reveal session keys established by instances, thereby modeling loss of keys through higher-level protocol use. Finally, we even allow the adversary to obtain user passwords, in order to capture forward secrecy. We describe this formally now.

Let P be a PAKE protocol.

Security game. An algorithmic game initialized with a security parameter k is played between a challenger CH and a probabilistic polynomial time adversary A. CH will essentially run P on behalf of honest users, thereby simulating network trafﬁc for A.

Users and passwords. We assume a ﬁxed set U of users, partitioned into two non-empty sets

C of clients and S of servers. We also assume some ﬁxed, non-empty dictionary D of size L.

Before the game starts, for each C ∈ C a password pwC is drawn uniformly at random from D and assigned to C outside of A’s view. For each server S ∈ S, we set pwS := f(pwC) C,

12 where C runs through all of C, and f is some efﬁciently computable one-way function speciﬁed by P. (In our case, f will be essentially a hash of the password.) CH also generates P’s public parameters on input 1k, and gives these to A. We assume that A is polynomial-time in k as well.

The game can then begin.

User instances. During the game, to any user U ∈ U is associated an unlimited number of user

i instances ΠU , where i is a positive integer. The adversary may activate any of these instances using the queries listed below, causing them to initiate and run the protocol.

i At any point in time, an instance ΠU may accept. When this happens, it holds a Partner i i i IDentity (PID) pidU , a Session IDentity (SID) sidU , and a Session Key (SK) skU . The PID is i the identity of the user that instance believes it is talking to. The SK is what ΠU is aiming to ultimately compute. The SID is a string which uniquely identiﬁes the protocol run and ensuing session in which the SK is to be used in. Without loss of generality, the SID is usually deﬁned as the ordered concatenation of messages sent and received by an instance, except possibly the last message.

i Queries. The queries A may make to any given instance ΠU during the game are as follows:

i • Send(U, i, M): Causes message M to be sent to instance ΠU . The instance computes what the protocol P says, updates its state, and gives the output to A. We also assume that

i A sees if the query causes ΠU to accept or terminate.

i • Execute(C, i, S, j): Causes P to be executed to completion between ΠC (where C ∈ C) j and ΠS (where S ∈ S) and hands A the execution’s transcript.

i i • Reveal(U, i): Returns the SK skU held by ΠU to A.

i • Test(U, i): For this query to be valid, instance ΠU must be fresh, as defined later (Defi- nition 2.2.2). If this is the case, the query causes a bit b to be flipped. If b = 1, the actual

U SK ski is returned to A; otherwise a string is drawn uniformly from the SK space and returned to A. Note that this query can be asked only once during the game.

13 • Corrupt(U): Returns f(pwC) U to A if U ∈ S else returns pwU to A.

Ending the game. Eventually, A ends the game, and outputs a single bit b0. We return to the use of this bit in the deﬁnition of security below.

Partnering and freshness. In order to have a meaningful deﬁnition of security, we need to

i introduce the notions of instance partnering and instance freshness. Essentially, an instance ΠU is fresh if the adversary does not already know that instance’s SK through trivial means provided by the security model’s queries, for instance by using a Reveal query on the instance in question.

Furthermore, since instances are supposed to be sharing keys under normal circumstances, it also makes sense to consider freshness destroyed if an instance’s proper communicant has been revealed as well. Thus, we need to formally deﬁne what this proper communicant is:

i j i j Deﬁnition 2.2.1. Let ΠU and ΠV be two instances. We shall say that ΠU and ΠV are partnered i j if i) one is in C and one is in S, ii) both have accepted, iii) pidU = V and pidV = U, iv) i j sidU = sidV =: sid and this value is not null, and v) no other instance accepts with a SID of sid.

Capturing the notion of forward secrecy requires freshness to be carefully deﬁned around the corrupt query. Intuitively, if a corruption occurs after an instance has had a correct exchange with a proper partner, then those instances’ shared session key should still remain secure. How- ever, we cannot guarantee anything for an instance that has interacted with the adversary after a corruption. More formally:

i Deﬁnition 2.2.2. An instance ΠU is fresh if none of the following events occur: i) Reveal(U, i) j i was queried, ii) a Reveal(V, j) was queried, where ΠV is ΠU ’s partner, if it has one, or iii) Corrupt(V) was queried for some V before the Test query and a Send(U, i, M) query occurs for some M.

Deﬁnition of security. We now turn to actually measuring the adversary’s success rate in breaking P. A’s objective is to tell apart a random string from a true SK belonging to a fresh instance.

ake This is the whole purpose of the Test query. Let SuccP (A) be the event:

14 i 0 “A makes a Test(U, i) query where ΠU has terminated and is fresh and b = b, where b is the bit selected when Test(U, i) was made, and b0 is the bit A output at the end of the game.”

A’s advantage is then deﬁned as:

ake ake AdvP (A) = 2P r[SuccP (A)] − 1

It is easy to see that if we have two protocols P and P0 then for any adversary A we have

ake ake ake ake P r[SuccP (A)] = P r[SuccP0 (A)] + if and only if AdvP (A) = AdvP0 (A) + 2.

2.2.1. Computational Difﬁe-Hellman assumption

Here we state the CDH assumption that PAK and PPK security rely on. Let Gq be a ﬁnite cyclic group of order q and let g be a generator of Gq. For two values X and Y , if X ∈ G then let DH(X = gx,Y ) = Y x, else if Y ∈ G then let DH(X,Y = gy) = Xy. Let A be an algorithm with input (X,Y ). Let

CDH def R 2 x y AdvGq (A) = P r[(x, y) ← Zq; X ← g ; Y ← g : DH(X,Y ) ∈ A(X,Y )]

Let AdvCDH(t, n) = max {AdvCDH(A)}, where the maximum is taken over all adversaries Gq A Gq of time complexity at most t that output a list containing at most n elements of Gq. The CDH assumption states that for t and n polynomial in k, AdvCDH(t, n) is negligible. Gq

Deﬁnition 2.2.3 (Negligible function). A function f : N → R is said to be negligible if, for + −c every constant c ∈ R , there exists a k0 ∈ N such that |f(k)| < k , ∀k > k0.

2.3. The PAK protocol

Let Gq be a ﬁnite cyclic group of order q and let g be a generator of Gq. Let κ be the security parameter. Let {0, 1}∗ denote the set of ﬁnite binary strings and {0, 1}n the set of binary strings

∗ ∗ κ of length n. Let H1 : {0, 1} → Gq be a hash function, Hl : {0, 1} → {0, 1} for l ∈ {2, 3}

15 ∗ κ be hash functions for veriﬁcation of communications, and H4 : {0, 1} → {0, 1} be a Key Derivation Function (KDF), where κ is the bit-length of the ﬁnal shared key. We model the hash functions and KDF as random oracles. The function γ0 used to compute client passwords’

0 −1 veriﬁers is set as γ = (H1(·)) . We also deﬁne the function ACCEP T (m) to be “True” if m 6= 0 and m from the group and “ Fault” othewise.

The PAK protocol consists of two stages. These are a user registration stage and a login stage.

The former will typically be invoked once for each user upon account setup, while the latter will be run each time a user needs to login. All arithmetic is done modulo a large prime q and makes use of a generator g, both of which may be standardized or parameters of the scheme.

In the user registration stage, the client C picks a password pwC from the password space and uses this value to construct a long-term private value γ with the server S. Then, using a private, authenticated channel, the client provides C, and γ−1 to the server S which stores them as γ0[C].

The login stage consists of the following steps, illustrated in Figure 2.1:

x Initiation Client C randomly chooses x ← Zq, computes α = g , γ = H1(pwC) and m = α·γ then sends < C, m > to party S.

Response Server S receives < C, m > from party C and checks that ACCEP T (m); if not, it

aborts. Otherwise it calls the value γ0 for C that is stored in registration stage and computes

0 y y α = m · γ . Server S then randomly picks y ← Zq , computes µ = g and σ = α .

0 Next, Server S computes k = H2(C, S, m, µ, σ, γ ) and sends µ and k to party C. After

00 0 that it computes the value k = H3(C, S, m, µ, σ, γ ).

Initiator ﬁnish Client C computes σ = µx and γ0 = γ−1. Then Client C veriﬁes that

0 H2(C, S, m, µ, σ, γ ) matches the value of k received from Server S. If it does not,

0 0 Client C ends the communication. If it does, Client C computes k = H3(C, S, m, µ, σ, γ )

0 0 and derives the session key skC = H4(C, S, m, µ, σ, γ ). It then sends k back to Server S.

16 0 0 Responder finish Finally, Server S verifies that k = H3(C, S, m, µ, σ, γ ) the same way Client C verified k. If this is correct, Server S then derives the session key by computing

0 skS = H4(C, S, m, µ, σ, γ ). Otherwise, S refuses to compute a session key.

Client C Server S 0 −1 γ [C] =< (H1(pwC)) > Input S, pwC Abort if ¬ACCEP T (m) x ← q < C, m > Z y ← α = gx Zq µ = gy γ = H (pw ) 1 C γ0 ← γ0[C] m = α · γ α = m · γ0 y x σ = α σ = µ µ, k 0 0 −1 k = H2(C, S, m, µ, σ, γ ) γ = γ 00 0 k = H3(C, S, m, µ, σ, γ ) 0 Abort if k 6= H2(C, S, m, µ, σ, γ ) else 0 00 0 0 k0 Abort if k 6= k k = H3(C, S, m, µ, σ, γ ) 0 0 skS = H4(C, S, m, µ, σ, γ ) skC = H4(C, S, m, µ, σ, γ )

Figure 2.1.: The Original PAK Protocol

2.3.1. Security of PAK

The proof of security of PAK follows the Bellare et al. model assuming the hardness of the

Computational Difﬁe-Hellman problem. They give an argument to show that PAK has forward secrecy. We are not going to present the proof in this thesis. However if someone is interested to see the full proof, they can see it in MacKenzie [Mac02]. The main idea of the proof is to show that an adversary A attacking the system is unable to determine the SK of a fresh instance with greater advantage than that of an online dictionary attack. The formal security statement for PAK is as follows,

Theorem 2.3.1 ( [Mac02]). Let P:=PAK, described in Figure 2.1, using group Gq, and with a password dictionary of size L. Fix an adversary A that runs in time t, and makes nse, nex, nre, nco

17 queries of type Send, Execute, Reveal, Corrupt, respectively, and nro queries to the random or-

0 acles. Then for t = O(t + (nro + nse + nex)texp):

n (n + n )(n + n + n ) Advake−fs(A) = se + O n AdvCDH (t0, n 2) + se ex ro se ex P L se Gq ro q

Note that texp is the expected time to ﬁnish the exponentiation in Gq.

2.4. The PPK protocol

Let Gq be a ﬁnite cyclic group of order q and let g be a generator of Gq. We use the same notations that we used for the PAK protocol with some changes on the hash functions since the PPK

∗ protocol does not have hash functions of communication veriﬁcation. Let H1,H2 : {0, 1} →

∗ κ Gq be hash functions and H3 : {0, 1} → {0, 1} be a Key Derivation Function (KDF), where κ is the bit-length of the ﬁnal shared key. We model the hash functions and KDF as random oracles.

0 0 −1 The function γ used to compute client passwords’ veriﬁers is set as γ =< (H1(·)) ,H2(·) >. Similar to the PAK, the PPK protocol consists of two stages. These are a user registration stage and a login stage. The former will also be invoked once for each user upon account setup, while the latter will be run each time a user needs to login. All arithmetic is done modulo a large prime q and makes use of a generator g, both of which may be standardized or parameters of the scheme.

In the user registration stage, the client C picks a password pwC from the password space and uses this value to construct a long-term private values γ1 and γ2 with the server S. Then, using −1 a private, authenticated channel, the client provides C, γ1 and γ2 to the server S which stores them as γ0[C].

The login stage consists of the following steps, illustrated in Figure 2.2:

x Initiation Client C randomly chooses x ← Zq, computes α = g , γ1 = H1(pwC), γ2 =

H2(pwC) and m = α · γ1 then sends < C, m > to party S.

18 Response and Responder ﬁnish Server S receives < C, m > from party C and checks

that ACCEP T (m); if not, it aborts. Otherwise it calls the values γ0 for C that is stored

0 in registration stage and computes α = m · γ1 . Server S then randomly picks y ← Zq , y y computes β = g , µ = β · γ2 and σ = α .

Next, Server sends µ to party C. After that Server S derives the session key by computing

0 skS = H3(C, S, m, µ, σ, γ1).

Initiator ﬁnish Client C checks that ACCEP T (µ); if not, it aborts. Otherwise computes

−1 x 0 −1 β = µ · γ2 , σ = β , γ1 = γ1 . Then Client C derives the session key skC = 0 H3(C, S, m, µ, σ, γ1).

Client C Server S 0 −1 Input S, pwC γ [C] =< (H1(pwC)) ,H2(pwC) >

x ← Zq Abort if ¬ACCEP T (m) x < C, m > α = g y ← Zq y γ1 = H1(pwC) β = g 0 0 γ2 = H2(pwC) < γ1, γ2 >← γ [C] m = α · γ1 µ = β · γ2

Abort if ¬ACCEP T (µ) 0 −1 x α = m · γ1 β = µ · γ2 σ = β µ, k y 0 −1 σ = α γ1 = γ1 0 0 skS = H3(C, S, m, µ, σ, γ1) skC = H3(C, S, m, µ, σ, γ1)

Figure 2.2.: The Original PPK Protocol

2.4.1. Security of PPK

The proof of security of PPK follows the Bellare et al. model assuming the hardness of the

Computational Difﬁe-Hellman problem. As opposed to PAK, they did not give an argument that shows that PPK has a forward secrecy and left it as an open question. We are not going to present the proof in this thesis. However if someone is interested to see the full proof, again they can see

19 it in MacKenzie [Mac02]. The main idea of the proof is to show that an adversary A attacking the system is unable to determine the SK of a fresh instance with greater advantage than that of an online dictionary attack. The formal security statement for PPK is as follows,

Theorem 2.4.1 ( [Mac02]). Let P:=PPK, described in Figure 2.2, using group Gq, and with a password dictionary of size L. Fix an adversary A that runs in time t, and makes nse, nex, nre, nco queries of type Send, Execute, Reveal, Corrupt, respectively, and nro queries to the random or-

0 2 acles. Then for t = O(t + ((nro) + nse + nex)texp):

n (n + n )(n + n + n ) Advake−fs(A) = se + O AdvCDH (t0, n 2) + se ex ro se ex P L Gq ro q

2.5. Security of PAK and PPK in a Post-Quantum World

We know that if a passive eavesdropper be able to solve the Diffie-Hellman problem or the discrete logarithm problem then he/she can break PAK and PPK easily. After three decades of first appearing to the discrete logarithm problem, it is still a hard problem to solve using a conven- tional computer. However, that is not the case when a sufficient size of quantum computer exists.

Using the quantum algorithm that was presented by Shor [Sho94] in 1994, the discrete logarithm problem can be solved efﬁciently in polynomial time. Therefore, PAK and PPK protocols are completely insecure in a Post-Quantum world.

Actually, not only the discrete logarithm problem can be solved by this quantum algorithm but also we can factorize any composite number. As a result, this quantum computer will break all discrete logarithm-based and factorization-based cryptosystems. It is true that the quantum computer now is weak; however, that does not mean we have to wait until a full scale quantum computer exists to start looking for alternative quantum resistant cryptosystems.

20 Chapter 3

Introduction to Lattice Theory

3.1. Introduction

As we mentioned at the end of the previous chapter, Shor discovered a quantum algorithm that can solve the discrete logarithm and integer factorization problems in polynomial time using a quantum computer. Cryptographers did not wait until a quantum computer showed up; they established a discipline known as Post-Quantum cryptography. This new discipline analyzes the strength of the existing cryptosystems against the quantum search and develops new cryptosystems that are resistant against quantum computers. Currently, the cryptosystems that resist attacks from quantum computer are mainly classiﬁed in the following types:

• the Hash-based public key cryptosystems,

• the lattice-based public key cryptosystems,

• the code-based public key cryptosystems and

• the multivariate public key cryptosystems.

In this thesis, we are aiming to build new lattice-based protocols. Therefore it will be a good start to achieve our goal by giving an introduction chapter about lattices. Simply, a lattice over

21 n n R is an integer combination of some linearly independent vectors of R . It is actually similar to a vector space over the real number R; however in lattices we are restricted in our scalar multiplication by integers. In this chapter we ﬁrst present a brief introduction to vector space and lattices. Then we talk about some of the hard problems in lattices and give a brief section about their complexity. Finally, we review the main the lattice reduction algorithms. We note here that we used [NV10; HPSS08; GN08; Bre11] as main references to our background in this chapter.

3.2. Preliminaries

In this section we give a brief review of vector spaces which can help the reader to follow our

n notation and remember some of the important deﬁnitions and results from linear algebra. Let R denote the n-dimensional real vector space. In our notation, we write the vectors of this space in boldface to avoid the confusion that might occur with numbers.

n Deﬁnition 3.2.1. A vector space over R is a set V together with the operations of addition and scalar multiplication satisfying the following properties:

1. Commutativity: u + v = v + u for all u, v ∈ V ,

2. Associativity: (u + v) + w = u + (v + w) and (ab)v = a(bv) for all u, v, w ∈ V and

a, b ∈ R,

3. Additive identity: There exists an element 0 ∈ V such that 0 + v = v for all v ∈ V ,

4. Additive inverse: For every v ∈ V , there exists an element w ∈ V such that v + w = 0,

5. Multiplicative identity: 1v = v for all v ∈ V , and

6. Distributivity: a(u+v) = au+av and (a+b)u = au+bu for all u, v ∈ V and a, b ∈ R.

Deﬁnition 3.2.2. Let v1, v2,..., vk ∈ V then we have the following deﬁnitions:

22 Linear Combination. We say w ∈ V is linear combination of v1, v2,..., vk if there exist

α1, α2, . . . , αk ∈ R such that,

w = α1v1 + α2v2 + ··· + αkvk.

Also the collection of all linear combinations of the vectors v1, v2,... and vk is called the span

of {v1, v2,..., vk}.

Linear Independence. The vectors v1, v2,..., vk ∈ V are linearly independent if the only way

to have a linear combination α1v1 + α2v2 + ··· + αkvk = 0 is the case which α1 = α2 =

··· = αk = 0.

Bases. We say that the vectors v1, v2,..., and vk form a basis to the vector space V if and only if they are linearly independent and they also span V .

n Proposition 3.2.3. Let V be a vector space from R then we have the following facts:

• There exist many bases for the vector space V .

• All the bases for V have the same number of elements. The number of elements in the

bases is called the dimension of the vector space V .

• If we have two bases B and C for the vector space V , then there exist a nonsingular

matrix M such that B = CM.

Deﬁnition 3.2.4. Let a and b be two vectors in the real vector space where a = (a1, a2, . . . , an)

and b = (b1, b2, . . . , bn) then we deﬁne the inner product between them as the following:

n X < a, b >= ai.bi. i=1

23 Deﬁnition 3.2.5. Let a be a vector in the real vector space where a = (a1, a2, . . . , an) then we deﬁne the length of the vector by the Euclidean norm as the following:

v u n √ uX 2 kak = < a, a > = t ai . i=1

Proposition 3.2.6. Let a and b be two vectors in the real vector space then we have the following result:

< a, b >= kak · kbk cos (θ)

where θ is the angle between a and b.

2. (Cauchy-Schwarz ineguality)

| < a, b > | ≤ kak · kbk

Deﬁnition 3.2.7. Let a and b be two vectors in the real vector space then we say that a and b are orthogonal if < a, b >= 0, and we write then a ⊥ b.

The last thing that we would like to present in this section is about the Gram-Schmidt Or- thogonalization. Given a basis {b1,..., bn} of the real vector space then the Gram-Schmidt

∗ ∗ Orthogonal basis (GSO) {b1, ..., bn} is given by the following:

∗ • b1 = b1

∗ Pi−1 ∗ i j • bi = bi − j=1 µijbj for all 2 ≤ i ≤ n where µij = ∗ 2 (1 ≤ j < i ≤ n) kbj k

n Theorem 3.2.8. The Gram-Schmidt Theorem. Let {b1, ..., bn} be a basis of R and let ∗ ∗ {b1, ..., bn} be its GSO basis then

∗ a) < bi , bj >= 0 ∀1 ≤ i < j ≤ n.

24 ∗ ∗ b) span(b1, ..., bk) = span(b1, ..., bk) ∀1 ≤ k ≤ n.

∗ c) kbkk ≤ kbkk ∀1 ≤ k ≤ n.

Proof. Look at lattice Basis Reduction by Murray R Bremner [Bre11] if you are interested.

3.3. Lattices

Lattices have been studied for a long time. The geometry of numbers was the area of mathematics that lattice results fell into. The first known studies about lattices were by the two well-known mathematicians Joseph Louis Lagrange and Carl Friedrich Gauss. After that there were some results related to lattices done by Minkowski. In this section we would like to review the basic definitions and the fundamental properties that lattices have. We start with the formal definition of lattice:

m Deﬁnition 3.3.1. Let b1, ..., bn ∈ R be a set of linearly independent vectors. The lattice L generated by b1, ..., bn is the set of linear combination of b1, ..., bn with coefﬁcients in Z,

n X L = { xibi : xi ∈ Z}. i=1

We call the set B = {b1, ..., bn} a basis of the lattice L and we denote the lattice that is generated by B as L(B).

As a resut from proposition 3.2.3 we have the following result:

m Corollary 3.3.2. Let L be a lattice generated by the basis B from R then we have the following facts:

• Basis is not unique.

• All the bases for L have the same number of elements. The number of elements in the

bases is called the dimension of the lattice L.

25 • If we have two bases B and C for the lattice L, then there exist a unique unimodular

matrix M trnsfer such that B = CM.

n It is common to deal with a lattice in the integer entries for example Z . So this type of lattices can be deﬁned as,

Deﬁnition 3.3.3. A lattice, that is all of its vectors have integer coordinates, is called an integer lattice.

m Theorem 3.3.4. A subset of R is a lattice if and only if it is a discrete additive subgroup.

m Deﬁnition 3.3.5. Let L = L(B) for some basis B = {b1, ..., bn} ⊂ R , we deﬁne the fundamental domain of the lattice L to be

n X F(B) = { xi bi : xi ∈ [0, 1)}. i=1

m Deﬁnition 3.3.6. Let L = L(B) for some basis B = {b1, ..., bn} ⊂ R . Then the volume of the fundamental domain of the lattice L is called the determinant of the lattice L and we write,

det(L) = vol(F(B)).

m Proposition 3.3.7. Let L = L(B) for some basis B = {b1, ..., bn} ⊂ R . If m = n then

det(L) = det(B), else det(L) = pdet(BtB).

m Proposition 3.3.8 (Hadamard’s Inequality). . Let L be a lattice and let B = {b1, ..., bn} ⊂ R be a basis for L. If F is the fundamental domain of L then we have

vol(F) ≤ kb1k...kbnk.

26 3.4. Hard problems in lattices

A decision problem can be classiﬁed into two main classes. The ﬁrst one is called the P class while the other is called NP class. One of the most important open questions in complexity theory is that

Is P equal to NP?

Any decision problem that solves in polynomial time is called a P problem. An example of a P problem is ﬁnding the great common divisor of two given integers. On the other hand, the NP class contains all decision problems that we can check their yes-instance in polynomial time by a non-deterministic Turing machine. In other words, we are allowed to guess a solution for the problem by non-deterministic algorithm, and our goal becomes to check the correctness of our guess. If we can accomplish the goal by deterministic algorithm in polynomial time then this problem is in the NP class. The decision integer factorization problem is an example of an NP problem. Given two integers m and n, is there an integer number d where 1 < d < m and d divides n?

In many cases it is hard to give a direct decision whether a problem A is P or NP. In these cases, it will be easier to characterize it by ﬁnding a polynomial time transformation to a problem of known class. For example, if A is reduced in polynomial time to an NP problem then we say

A is NP problem too. It is clear that all the P problems are in the NP class when we consider them in the decisional versions. However there is no answer to the converse case. Therefore,

NP problems can be characterized by its reducibility. We call an NP problem that is failed to be in P class NP-complete problem. Moreover, any problem that has the property that all the

NP problems reduced to it is called NP-hard problem. Note that the NP-hard problem does not have to be in NP class. We can also note that any NP-complete problem is NP-hard but not the converse.

The security of a cryptosystem depends on its underlining hard problem. So it will be a great achievement if we construct a cryptosystem that is based on an NP-hard problem. Lattices are

27 fertile ground of a lot of NP problems that can be used in our protocols constructions. In this section we would like to present the deﬁnition of some of these hard problems.

The first type of hard problems in lattices is the problems that aim to find a short vector in a given lattice. We start with the definition of the Shortest Vector Problem (SVP).

m Deﬁnition 3.4.1. Given a lattice L = L(B) for some basis B ⊂ R , we want to ﬁnd a nonzero vector y ∈ L such that for all x ∈ L, kxk ≥ kyk.

We now denote the length of the shortest vector in lattice L by λ1(L). Another hard problem in lattices that is related to ﬁnding a short vector is the Approximate Short Vector Problem (γ-

SVP) where γ is the approximation parameter.

m Deﬁnition 3.4.2. Given a lattice L = L(B) for some basis B ⊂ R and a parameter γ ≥ 1, we want to ﬁnd a nonzero vector y ∈ L such that kyk ≤ γλ1(L).

The Decision Shortest Vector Problem (DSVP) is also a hard problem that can be deﬁned as:

m Deﬁnition 3.4.3. Given a lattice L = L(B) for some basis B ⊂ R and a radius r > 0 , we want to ﬁnd if there exist a nonzero vector y ∈ L such that 0 ≤ kyk ≤ r.

The other type of hard problems in lattices is problems that aim to ﬁnd a close vector to a given vector in a lattice. The main problem of this type is the Closest Vector Problem (CVP).

m m Deﬁnition 3.4.4. Given a lattice L = L(B) for some basis B ⊂ R and a vector z ∈ R that is not in L, we want to ﬁnd a vector y ∈ L such that for all x ∈ L, kx − zk ≥ ky − zk.

If we denote by d1(L, z) to be the distance between z and the vector we ﬁnd in the Closest Vector Problem the we can deﬁne the Approximate Close Vector Problem (γ-CVP) where γ is the approximation parameter as the following:

m m Deﬁnition 3.4.5. Given a lattice L = L(B) for some basis B ⊂ R , a vector z ∈ R that is not in L and a a parameter γ ≥ 1, we want to ﬁnd a vector y ∈ L such that ky − zk ≤ γd1(L, z).

We can also deﬁne the Decision Closest Vector Problem (DCVP) as the following:

28 m m Deﬁnition 3.4.6. Given a lattice L = L(B) for some basis B ⊂ R , a vector z ∈ R that is not in L and a radius r > 0 , we want to ﬁnd if there exist a nonzero vector y ∈ L such that

0 ≤ ky − zk ≤ r.

The last type of hard problems in lattices that we would like to review in this chapter is the type of problems that is related to ﬁnding short sets of vectors. We start this type with the

Shortest Basis Problem (SBP). In this problem, we want to ﬁnd a basis that consists of short vectors in some sense. Here is the formal deﬁnition:

m Deﬁnition 3.4.7. Given a lattice L ⊂ R and an approximation parameter γ ≥ 1, we want to

ﬁnd a basis A = {a1,..., am} of L where

max kaik ≤ γ min{max kbjk: B = {b1,..., bm} is a basis of L}. i j

3.4.1. Complexity of lattice problems

The complexity of the shortest vector problem and the closest vector problem were being open questions for long time. In 1981, Peter Boas gave a proof that close openness of the CVP problem [EB81]. He proved that CVP is indeed NP-complete problem by reducing it to the

Bonded Homogenous Linear Equation problem. Even though there was a strong conjecture by

Boas that the shortest vector problem is NP-hard problem, this problem has remained open until

1998. The complete proof of NP-hardness for SVP was given by Ajtai [Ajt98]. He shows that the

SVP is NP-hard problem for randomized reductions. However if we look for the complexities of the approximation versions, they usually vary according to the approximation factor γ. When

1/(2−) √ γ = 2(log(n)) ≈ n, Khot proved in [Kho05] that there is no polynomial time algorithm that solves γ-SVP, where n is the dimension of the lattice and is an arbitrarily small positive

1− value. While γ-CVP is considered to be NP-hard problem if γ < 2(log(n)) [ABSS93].

For the decision versions of the problems, we present some results from a lecture notes by

Regev[Reg04b] which conclude the complexity of those problems.

29 Lemma 3.4.8 (Lemma1, [Reg04b]). If there is an algorithm that can solve decision closest vector problem then this algorithm can be used to solve the CVP in polynomial time.

Another important result regard the complexity of the DCVP is the following theorem.

Lemma 3.4.9 (Theorem 2, [Reg04b]). The decision closest vector problem (DCVP) is NP- complete.

In Theorem 3 of that lecture note, he shows that for the same value of γ, γ-SVP is not harder than γ-CVP. So, existence of an algorithm that can solve γ-CVP leads to ﬁnd an algorithm that solves γ-SVP in polynomial time.

Regarding the Short Basis Problem complexity, the NP-completeness was proved by Blomer¨ in [BS99] for γ = 1. He also proved that SBP is NP-hard problem for γ = √ n . log(n)

3.5. Lattice reduction algorithms

This section reviews the main lattice reduction algorithms that can be used to solve the hard lattices problems. We start this suction by Gauss lattice reduction algorithm which can solve

2 SVP in polynomial time in R .

3.5.1. Gauss reduction algorithm

The best way to see this algorithm is that it is a generalization of ﬁnding the greatest common divisor of two integers using the Euclidian algorithm. This algorithm is an important algorithm in lattice reduction since it plays an important role in the development and the construction of lattice reduction algorithms for higher dimension. It is also called the Lagrange algorithm since it was ﬁrst presented by Lagrange in 1773 [Lag73]. After that Gauss gave a description to the algorithm later in 1801, and it becomes known as Gauss’ algorithm. We recall the algorithm itself (Algorithm 1) in this thesis.

30 Algorithm 1 Lagrange-Gauss algorithm. Require: a basis {b1, b2} of 2 dimensional lattice L. Ensure: the output basis with (λ1(L), λ2(L)) of L. 1: if kb1k < kb2k then 2: swap b1 and b2 3: end if 4: while kb1k > kb2k do 5: v ← (b1 − bµ2,1eb2) 6: b1 ← b2 7: b2 ← v 8: end while

2 Given two basis elements b1 and b2 for a lattice L ∈ R , Algorithm 1 will output ﬁrst and sec- 2 ond shortest independent basis elements in L, in time O(log (ν)) where ν = max{kb1k, kb2k} (Theorem 3.0.3, [NS09]).

3.5.2. LLL lattice reduction algorithm

LLL stands for Lenstra-Lenstra-Lovasz,´ the three mathematician who present this important algorithm for lattice reduction in 1982 [LLL82]. It is combines between the idea of Gauss algorithm and the Gram-Schmidt orthogonalization algorithm. It is important due to its polynomial time terminations, the efficiency of its outputs, and the diversity of its use. Even though the initial purpose of this algorithm was to find solutions for integer linear programming, this algorithm has many different applications. Recently this algorithm became an effective tool in cryptanalysis. It is used to attack the Knapsack cryptosystem and NTRU cryptosystem. We can define a LLL- reduced basis as the following:

n ∗ ∗ Deﬁnition 3.5.1. Let (b1, ..., bn) be a basis of lattice L ⊂ R and let (b1, ..., bn) be its GSO basis then (b1, ..., bn) is called α-reduced basis if it satisﬁes:

1) |µij| ≤ η for all 1 ≤ j < i ≤ n (Size Condition)

∗ ∗ 2 ∗ 2 1 2) kbi + µi,i−1bi−1k ≥ αkbi−1k for all 2 ≤ i ≤ n where 4 < α ≤ 1. (Lovasz´ Condition)

∗ ∗ Since b1, ..., bn are orthogonal basis, we can rewrite condition (2) as the following:

31 ∗ 2 2 ∗ 2 1 2’) kbi k ≥ (α − µi,i−1)kbi−1k for all 2 ≤ i ≤ n where 4 < α ≤ 1.

Algorithm 2 describes a simple implementation to LLL algorithm.

Algorithm 2 LLL algorithm. 1 Require: (b1, ..., bn) as a basis to L, and a value α ∈ ( 4 , 1). Ensure: Give a basis (b1, ..., bn) of L satisﬁes deﬁnition3.5.1 for each i from 2 to n. 1: i ← 2 2: while i ≤ n do P1 3: bi ← bi − j=i−1bµi,jebj ∗ 2 2 ∗ 2 4: if kbi k ≥ (α − µi,i−1)kbi−1k then 5: i ← i + 1 6: else 7: swap(bi, bi−1) 8: i ← max{2, i − 1} 9: end if 10: end while

Theoretically, LLL can solve the approximation shortest vector problem γ-SVP for any approximate factor γ ≥ 2(n−1)/2(Theorem 6.66,[HPSS08]). However, it can do even more in practice which was shown by Nguyen[GN08]. As far as we know there is a lack of understanding how this algorithm exactly works in practice. Therefore we are going to give our own work regarding this open issue in the next chapter.

3.5.3. BKZ lattice reduction algorithm

BKZ or Block Korkine Zolotareff reduction algorithm was presented by Schnorr in 1987 [Sch87].

It is a generalization of LLL algorithm using a different sense of reductions. This algorithm transfers any given basis to be a Korkine-Zolotareff reduced basis. We say a basis (b1,..., bn) of L is α-reduced in the sense of Korkine Zolotareff with blocksize β ≥ 2 if it satisﬁes the following conditions:

1. it is an α-LLL reduced basis and,

2. for all 1 ≤ j ≤ n, we have kbjk = λ1(Lj,m) where m = min{β + j − 1, n} and Lj,m is

⊥ the lattice span(cj, . . . , cm) where cj = P roj(bj) on (b1,..., bj−1) .

32 Theorem2.2 in [Sch87] states that every Korkine-Zolotareff reduced basis (b1,..., bn) of a lattice L must satisfy the following inequality:

2 4 kbik 3 + i ≤ 2 ≤ for all i = 1, . . . , n. 3 + i (λi(L)) 4

BKZ algorithm efficiency depends on the size of its blocks and the dimension of the lattice that we work on. So, when the blocksize is 2, it will be identical to LLL algorithm that we discussed in the previous section. In addition when the blocksize is increasing then it is definitely giving more efficient results than what we can get from LLL. However the running time will grow exponentially, and that will limit its practicality. We are not going to present the algorithm here.

More details can be found in [Sch87; LPW12].

To conclude this chapter, we would like to say that we tried to be simple and informative in this chapter. We ﬁrst presented some of the basic and important deﬁnitions and results that are

n related to lattice theory in R . After that we talked about some of the hard problems and their complexities. Finally we summarized the three main lattice reductions algorithms. Deﬁnitely there are a lot of information and results in lattice theory that we do not include in this chapter.

The most important things that we did not include in this chapter are the information about lattices in ﬁnite sets. We really believe that this topic should be separated in an individual chapter due the abundance of information that it has.

33 Chapter 4

The Hard Cases in LLL reduction

Before we go through this chapter, I would like to acknowledge that this chapter is mainly based on our paper “The Beauty and the Beasts -The Hard Cases in LLL Reduction” joint work with

Jintai Ding,Yuntao Wang and Tsuyoshi Takagi with a slight modiﬁcation. It was presented at

SCIS 2016, Kumamoto, Japan, on Jan. 19 - 22, 2016.

4.1. Introduction

Lattice-based cryptography is now a very hot topic due to all the versatile constructions based on the Learning with Errors (LWE)[Reg05] and the Ring Learning with Errors (RLWE) problems[Reg10] which we are going to discuss in the next chapter. But to select a practical parameter, we must have a solid understanding on the hardness of the reduction algorithms, in particular, the approximate factor and therefore the related Hermite factors. But as far as we know, now there is a clear gap between the theoretical estimation of the approximation factor and the case of experiments. Not much work has been done in this direction, and this serious gap can be a real roadblock for us to move forward in this direction. However there are some related works in other directions. These works aim to build reduction algorithms in low-dimensional bases. For more details you can read in Semaev [Sem01] and Nguyen, Stehle[NS04].´

34 In this chapter, we would like to open a new direction to look at this problem from a different angle; namely we would like to find out mathematically how we characterize the hard cases and explain from the point view of mathematical structure why they are hard. The reason behind is that we hope this will allow us first to fill the theoretical gap we mentioned above and further more this may gives us new ideas on how to improve further the reduction algorithms. This is a direction which, we believe, was not explored before, and we do not know much about at the moment. Our method starts from low-dimension cases. Here through intuitive understanding and experiments, we realize that the key idea in low-dimension is related to the symmetry of the underlying lattice. By symmetry here, we mean the isometry group that keeps the lattice invariant.

We will first define the perfect lattice. Here in low-dimensional lattices, we would like to look at the symmetry of the bases, namely how many different good bases they could have. Then we can use this to explain that if we have a basis which is very close to the perfect lattice, then there are many possibility of “almost good basis”, that makes the decision to find the shortest vectorvery hard without very high precision, namely there are many pretenders for the good basis, which comes from the weakness coming from selecting a non-perfect parameter δ, which forms the barriers to find the good basis and therefore the shortest vector. Or even in more simple terms, there are many bases that could pass the LLL criterion to be a reduced basis. The change from Hermite algorithm to LLL allows pretenders to step in to be a reduced basis. But once the good basis is far from the Beauty then such pretenders start to disappear. The Beasts, namely the really hard cases, are the ones very near to the Beauty – the perfect lattice. The symmetry actually tells us how to find the shortest vector.

In principle, we do reduction to make the basis better and better, one reason we could not reach the best reduction is that in the LLL reduction process, we are essentially trying to do the best local reduction (2 vectors each time) to achieve the global reduction, which is very much related to local optimization and global optimization. Such a local method decides that there is a high probability that we will make the local decisions is not really right globally. What BKZ

35 is doing is exactly to compensate such a defect, namely improve the local reduction by doing a better local reduction ( instead of a local reduction in 2 dimension, a better reduction through searching in 3 or higher dimension). For us, we would like to ﬁnd out what is really happening in such a local reduction. It turns out that the symmetry of the perfect lattice plays a key role here.

Since the hardest case is directly associated to the Beauty (vectors of 60 degree angles with the same length), this explains why the hardest case’s approximation factor is directly related to the Hermite constant for dimension 2.

Now, we can see that the closer one gets close to the Beauty, the harder it becomes to ﬁnd the shortest vector. The Hermite factor is essentially determined by the Beauty.

Next, we will look that if we randomly select a lattice, how close that it can get near to the

Beauty. It turns out it is not so easy to get close to the Beauty. We now know how to explain why the approximate factor is on average much smaller; namely when we select a random lattice, it is not easy ( in terms of probability) to get too close to the Beasts but fairly close to the Beauty from the point of the distribution. It is nearly impossible for a lattice to have a good basis with the same length and close to 60 degree simultaneously. For this, we need some form of good probability experiments.

In this case of integer lattices, this is even harder which is due to the fact that the Beauty can not be an integer lattice and one can only approximate it using integer lattices.

4.2. Preliminaries

In this section we review some basic deﬁnitions and theorems related to lattice reduction algorithm and the LLL algorithm. We refer to these books and papers for the basic contents [NV10;

HPSS08; GN08; Bre11].

m Let B be a linearly independent vectors set where B = (b1, ..., bn) ∈ Rn . B is called a Pn basis of a lattice L if L(b1,..., bn) = { i=1 xibi, xi ∈ Z}. In our work, we use row vectors

36 in lattice bases and we denote the i-th row vector of the basis by B[i]. The determinant of L is given by the volume of fundamental domain F for L corresponding to this basis, which is the set F(b1,..., bn) = {t1b1 + t2b2 + ··· + tnbn : 0 ≤ ti < 1}. For one lattice L, it has uncountable number of bases. However, all of them have the same number n of elements, and

m they all have the same volume. The Euclidean norm of a vector v ∈ R is denoted by kvk. We ∗ ∗ recall the Gram-Schmidt Orthogonal basis (GSO) (b1, ..., bn) that is given by the following:

∗ • b1 = b1

∗ Pi−1 ∗ i j • bi = bi − j=1 µijbj for all 2 ≤ i ≤ n where µij = ∗ 2 (1 ≤ j < i ≤ n) kbj k

Before we present the deﬁnition of what is called α-reduced or LLL-reduced basis, we have to see what does it mean by size-reduction.

1 Size-reduction. A basis (b1, ..., bd) is called size-reduced with factor η ≥ 2 if its GSO family satisﬁes |µij| ≤ η for all 1 ≤ j < i ≤ d.

1 Here it’s important to know that η is usually 2 , but for the ﬂoating-point LLL we take it at least slightly larger since the µij’s will be known only approximately.

n ∗ ∗ α-reduction. Let (b1, ..., bn) ∈ Rn be a basis of lattice L and let (b1, ..., bn) be its GSO basis then (b1, ..., bn) is called α-reduced basis if it satisﬁes:

1) |µij| ≤ η for all 1 ≤ j < i ≤ n. (Size Condition)

∗ ∗ 2 ∗ 2 1 2) kbi + µi,i−1bi−1k ≥ αkbi−1k for all 2 ≤ i ≤ n where 4 < α ≤ 1. (Lovasz´ Condition)

∗ ∗ Since b1, ..., bn are orthogonal basis, we can rewrite condition (2) as the following:

∗ 2 2 ∗ 2 1 2’) kbi k ≥ (α − µi,i−1)kbi−1k for all 2 ≤ i ≤ n where 4 < α ≤ 1.

Minkowski’s minima and Minkowski’s reduced basis.[Min10],[Min11]

n Let L be a lattice with basis (b1, ..., bn) ∈ Rn. We denote the Euclidean norm of the shortest vector in L as λ1(L). For all 1 ≤ i ≤ n, the ith minimum λi(L) is deﬁned as the minimum of max1≤j≤i||bj|| over all i linearly independent lattice vectors (b1, ..., bn) ∈ L. λi(L) are called

37 Minkowski’s minima and the basis is called Minkowski’s basis if the entries are all Minkowski’s minima.

LLL-reduction. LLL algorithm is a practical algorithm that is proven to be terminated in a

1 polynomial time and gives an α-reduced basis [LLL82]. However that is proven when α ∈ ( 4 , 1) 1 1 and in many applications they used η ≥ 2 and really close to 2 to guarantee termination in a 1 practical time. In our work, we use η = 2 . It is considered that if we take α = 1 in practice, the LLL algorithm may not terminate in polynomial time. But in some cases of our experiments, the LLL terminates in polynomial time even we take α = 1 + e, where e is a small positive decimal → 0. We presented a simple implementation to LLL algorithm in section 3.5.2 (Algorithm 2).

Note that it is easy to be confused, but our idea is different from works as [BCFNRZ14][NS04], which are trying to improve the LLL algorithm by using ﬂoating-point calculation or rounding technique, etc. We just want to explore the hard cases for LLL from the geometrical structure of lattice bases, ignoring the efﬁciency of LLL so far. And also the new algorithm proposed in

[Sem01] is also a future work for us to modify our conjectures.

Schnorr- Euchner’s enumeration algorithm.

In 1994, Schnorr and Euchner proposed an enumeration algorithm to search the shortest vector

2 of a lattice [SE94], which runs in exponential time and the costs more than 2O(n ). We denote it by “ENUM” in this thesis. ENUM is the most efﬁcient in practice that can ﬁnd the shortest vector successfully in 100% but very costly in high dimensions. There are some improvements for it as in [GNR10]. However, we won’t describe the details about ENUM here, because in our experiments we just need it to examine if the LLL can produce a shortest vector by performing

ENUM on the LLL-reduced basis.

Two-dimensional case. Assume we have a lattice spanned by two vectors with an almost 60 degree angle and almost of the same length, then if we have a precision which is not good enough, we may not ﬁnd the shortest vector but rather a set of vectors that is given by vectors close to those of Minkowski’s reduced basis for the perfect lattice.

38 Of course for two-dimensional lattices, as one of the special cases (α = 1) of LLL algorithm, deﬁnitely Lagrange’s algorithm can ﬁnd the Minkowski’s basis for any structure of bases in polynomial time [Lag73], see Algorithm 1. So our main focus in this thesis are cases of 3 dimensions and higher.

4.3. Three-dimensional case

In this section, we will review the performance of classical rational LLL algorithm at ﬁrst. Then we willl give a usual form of the hard cases for 3-dimensional lattices, even using the exact- arithmetic variants of LLL in NTL library. Next we give the main structure of our so-called

Beauty and Beasts bases. We also get some experimental results to support our conjecture.

4.3.1. LLL outputs a shortest vector?

As we know, the LLL algorithm gets stronger with the parameter α asymptotically close to 1 in experiments. But for a given basis, can LLL deﬁnitely output the shortest vector even if the dimension is 3? The answer is no. The Goldstein-Mayer bases [GM03] give us random bases in some sense. And it is used in Hermite Normal Form in the famous SVP Challenge operated by

TU Darmstadt [Tu]. We generated 100,000 3-dimensional random bases from SVP Challenge and did some initial experiments using exact-arithmetic variants of LLL in NTL library. Fur- thermore, we perform ENUM on the LLL-reduced bases to check if the shortest vector is in the

LLL-reduced bases. Here we call LLL reduction “success” if the shortest one is in the output of it. In Figure 4.1, you can see the number variety of LLL-failed cases using α ∈ (0.25, 1).

4.3.2. Main theorem

Now we would like to investigate why LLL algorithm fails to get the shortest vector. We will

3 start our investigation within R . Although we did examine more than 100,000 random bases

39 Figure 4.1.: The number of LLL failed cases in dimension 3 using same bases but different δ.

3 of R and found it almost always succeeded to get the shortest vectors, the reality is that LLL- algorithm can fail in special cases. Our next theorem gives examples of failure cases:

Theorem 4.3.1. Let P be a big positive integer number and let 1, 2, 3 and 4 be very small positive integers number satisfying

  P ∈ [2x−1, 2x − 1] (x ∈ and x >> y)  Z  y−1 y i ∈ [2 , 2 − 1] (y ∈ Z and y ≥ 1) (4.3.1)   −z  α = 1 − 2 (z ∈ R and z > 0.415)

1 > 2 > 3 > 4 (4.3.2) and

x − y − z ≥ 1 and y ≤ z. (4.3.3)

Then   P − 1 P − 2 0     B =  0 P − P −   3 4    P 0 P

40 is Minkowski reduced basis and EB is LLL-reduced where E is unimodular matrix as

  0 −1 1     E =  1 −1 0  .     0 1 0

Here EB is an LLL reduced basis, but the ﬁrst row vector of EB is not the shortest vector in

L(EB) = L(B).

t Proof. At ﬁrst, we let B = (b1, b2, b3) then by the construction process we can see that B is Minkowski reduced basis.Next we set

t C = EB = (b3 − b2, b1 − b2, b2) .

To prove this theorem, we have to show that C satisﬁes the LLL conditions where

  P −(P − 3) 4     C =  P − − −(P − )   1 3 2 4    0 P − 3 P − 4

First we will show that C is size-reduced matrix then we’ll show it satisﬁes Lova´sz condition.

1 Note that in our work, we use η = 2 for size reduction of LLL.

C P (P − 1) − (P − 3)(3 − 2) − (P − 4)4 |µ2,1| = | 2 2 2 | P + (P − 3) + 4 2 2 2 2 P + (2 − 1 − 3 − 4)P + 3 − 32 + 4) P − P 3 1 = 2 2 ≤ 2 ≤ = η 2P − 2P 3 + 4 2P − 2P 3 2

2 2 C −(P − 3) + 4(P − 4) (P − 3) − 4(P − 4) |µ3,1 | = | 2 2 2 | = 2 2 2 P + (P − 3) + 4 P + (P − 3) + 4 2 P − 3 1 ≤ 2 ≤ = η 2P − 23P 2

41 Here we omit some factors since we assumed that the values of epsilons are very small with respect to the value P. So the omitted value does not affect the sum. We also need to notice that

1 0 ≤ µ ≤ 2 which will be helpful to estimate the last value.

2 2 C (3 − 2)(P − 3) + µ2,1(P − 3) − (P − 4) − µ2,14(P − 4) |µ3,2| = | 2 2 2 | ((1 − µ2,1)P − 1) + (µ2,1P + (1 − µ2, 1)3 − 2) + (−P + (1 − µ2,1)4) 2 2 (2 − 3)(P − 3) − µ2,1(P − 3) + (P − 4) + µ2,14(P − 4) = 2 2 2 ((1 − µ2,1)P − 1) + (µ2,1P + (1 − µ2,1)3 − 2) + (−P + (1 − µ2,1)4) 2 (P − 4) ≤ 2 2 (P − 4) + (P − 4) 1 ≤ = η 2

Next we want to show that the vectors of C also satisfy Lovasz´ condition. From Gram-Schmidt theorem, we have

2 ∗ 2 C 2 ∗ 2 kb1 − b2k = k(b1 − b2) k + (µ2,1) k(b3 − b2) k . (4.3.4)

So we can get

∗ 2 2 C 2 ∗ 2 k(b1 − b2) k = kb1 − b2k − (µ2,1) k(b3 − b2) k . (4.3.5)

∗ 2 2 C 2 ∗ 2 k(b1 − b2) k = kb1 − b2k − (µ2,1) k(b3 − b2) k

2 C 2 ∗ 2 ≥ kb3 − b2k − (µ2,1) k(b3 − b2) k (sincekb1 − b2k ≥ kb3 − b2k)

∗ 2 C 2 ∗ 2 ≥ k(b3 − b2) k − (µ2,1) k(b3 − b2) k

C 2 ∗ 2 ≥ (1 − (µ2,1) )k(b3 − b2) k

C 2 ∗ 2 ≥ (α − (µ2,1) )k(b3 − b2) k

42 Similarly, we have the equation:

2 ∗ 2 C 2 ∗ 2 C 2 ∗ 2 kb2k = kb2k + (µ3,1) k(b3 − b2) k + (µ3,2) k(b1 − b2) k (4.3.6)

∗ 2 2 C 2 ∗ 2 C 2 ∗ 2 kb2k = kb2k − (µ3,1) k(b3 − b2) k − (µ3,2) k(b1 − b2) k

2 C 2 ∗ 2 ≥ kb2k − (µ3,2) k(b1 − b2) k

2 C 2 ∗ 2 ≥ kb1 − b2k − (µ3,2) k(X1 − X2) k (sincekb2k ≥ kb1 − b2k)

∗ 2 C 2 ∗ 2 ≥ k(b1 − b2) k − (µ3,2) k(b1 − b2) k

C 2 ∗ 2 = (1 − (µ3,2) )k(b1 − b2) k

C 2 ∗ 2 ≥ (α − (µ3,2) )k(b1 − b2) k

C Therefore C satisﬁes µi,j ≤ η and Lovasz´ condition too. Hence C is LLL reduced and by the construction process we know that kB[1]k < kC[1]k

Theorem 4.3.1 means that even though we apply a strong LLL reduction to EB, LLL fails to get the shortest vector in our parameter setting. We call EB as the Beast basis in our work.

(4.3.1), (4.3.2) and (4.3.3) are the most important conditions in our theoretical proof. What is more, the theoretical conjecture perfectly matches our experimental results. After we see the proof of the theorem, the question that we have to answer is what properties the basis B has.

In addition to the properties that the theorem required, one can easily note that the basis elements have the following two properties:

1. The vectors have almost the same length.

2. The angles between them are almost 60◦.

43 Here the reader might ask what happens if the lattice consists of elements that have the same length with angles exactly 60◦?

Before we answer this question, we give a deﬁnition to what we called a Beauty lattice.

4.3.3. The Beauty and the Beasts

Deﬁnition 4.3.2. ( Deﬁnition of Beauty Lattice)

Let B be a full rank matrix then we say L(B) is a Beauty lattice if its basis elements have angles 60◦ and have the same length.

3 Example: In R , the lattice generated by

  1 1 0     B =  0 1 1      1 0 1 is a Beauty lattice.

2 Another example that we can see in Figure 4.2, this example shows the Beauty lattice in R graphically.

To ﬁnd an answer to the question above, we did experiments by multiplying the Beauty lattice

3 in R by unimodular random matrix and using NTL LLL function [Ntl] to compute LLL-reduced basis. Our experiments on 10,000,000 lattices showed that the success percentage is 100%. So, we can say that if the shortest basis of lattice is basis of a Beauty lattice the LLL algorithm will never fail to get the shortest vector. Moreover, experiments show that if the ﬁrst shortest vector is too much shorter than the second one, then LLL will always succeed to reach the shortest vector.

Therefore we can conclude that in the low-dimension space, hard lattice or what we called the

Beast lattice exist very close to the Beauty. As a result to build a Beast lattice, as the beast basis

EB in Theorem 4.3.1, we have to start with basis has the two previous properties:

1. Its elements are almost of the same length.

44 2 Figure 4.2.: The structure of Beauty lattices in R .

2. The angles between its basis elements are almost 60◦.

4.3.4. Experimental results

In our experiments, we implemented our main program using C++ language and calculated the random unimodular matrices from Magma computational algebra system [BCP97]. In our experiments, we also considered the size of entries and the construction technique in unimodular matrix, but it seems that there is no much affect on our result. Because in LLL reductions, sometimes the shortest vector in the reduced basis is not in the ﬁrst position, for the sake of fairness, we resort the reduced basis vectors by increasing norms. And we also used ENUM algorithm to check if the ﬁrst vector is the shortest one in the lattice.

We also give some cases following the strategy of TU Darmstadt SVP Challenge [Tu], which takes the size of entries of random lattice basis as 10·m bits, where m is the dimension of lattice.

In Table 4.1, we show some experimental results according to our assumption on parameters

(4.3.1), (4.3.2) and (4.3.3).

45 x y z α LLL failed prob. 10 2 6.64 1 − 10−2 100% 20 2 16.6 1 − 10−5 100% 30 9 19.9 1 − 10−6 100% 30 5 23.25 1 − 10−7 100% 30 2 26.5 1 − 10−8 100%

Table 4.1.: Some experimental results using our constructed 3-dimensional Beast bases. Note that we call LLL failed if the shortest vector was not in the LLL-reduced basis.

Here the parameter y is the critical value to make sure the LLL fail by 100%. Respective how big is y, α → 1 which means our Beast bases can resist a strong LLL reduction.

4.4. High-dimensional cases

In this section, we will study the hard cases in higher dimensions. We extend the dimension of

Beasts, keeping their two properties, which is the basis vectors are almost the same length and their angles are almost 60◦. Our experimental results show that our constructed Beast bases are stronger than random lattices to resist LLL reduction.

4.4.1. Success probability of LLL

Similar with the experiments in section 4.3.1, we also did experiments for higher dimensions until 32. For each dimension, we used 100,000 random bases generated from TU Darmstadt

SVP Challenge [Tu], and we ﬁxed α = 0.99 in our experiments. From Figure 4.3 we can see that the success probability sharply declines after dimension 10. Next we will show our supposed hard cases for dimensions higher than 3 and show some analysis by our experimental results.

4.4.2. How to build hard lattice in high dimensions

We saw in the previous section that the Beasts lattice or the hard lattice should have properties 1 and 2 above. Moreover, it exists very close to the Beauty one. So, we start with the basis

46 Figure 4.3.: Experimental results of random bases generated from TU Darmstadt SVP Challenge.

  1 1 0     B3 =  0 1 1  .     1 0 1

4 We want to add a vector to get a Beauty lattice basis in R . By basic calculation, we can easily get,   1 1 0 0      0 1 1 0    B4 =   .    1 0 1 0   √  1 1 1 5 2 2 2 2

m And by construction, we can get a Beauty lattice of R which is generated by the basis: Hence we know now how to build a Beauty lattice which can be easily converted to a hard lattice as the following:

1. Pick a large integer P .

2. Multiply the Beauty Bm by the integer P and round it to the ceiling integer.

3. Substract a random matrix Σ = [ij] where ij sufﬁcient small integer.

47  1 1 0 0 0 0 ··· 0 ··· 0   0 1 1 0 0 0 ··· 0 ··· 0     1 0 1 0 0 0 ··· 0 ··· 0   √   1 1 1 5 0 0 ··· 0 ··· 0   2 2 2 √2 q   1 1 1 5 6   2 2 2 2 5 0 ··· 0 ··· 0    Bm =  ......   ......   √   1 1 1 5 q 6 1 q i+1   ··· √ ··· 0   2 2 2 2 5 i(i−1) i     ......   ......   √ q q  1 1 1 5 6 ········· √ 1 m+1 2 2 2 2 5 m(m−1) m

4.4.3. Experimental results of high dimensional cases

We used the same environment as used in 3-dimensional cases, but just calculated the random unimodular matrices from Magma [BCP97]. However, our constructed Beasts for higher dimensions seem to be deviating from our expectation, although they are much stronger than the usual random lattice bases. Here we just give several critical values in Table 4.2, and the proof will be done in the future works.

dim x y z α LLL success prob. 4 30 9 6.64 1 − 10−2 30% 5 30 9 3.32 1 − 10−1 32% 6 30 9 3.32 1 − 10−1 15%

Table 4.2.: Some experimental results of higher dimensional Beast bases.

4.4.4. The quality factor and our build lattice

In this section we would like to talk about some of our computational results, and since we are studying a quality of lattice, we must give a deﬁnition of the quality factors.

n Deﬁnition 4.4.1. Let L be a lattice in R and let λ1(L) be the length of the shortest vector in L.

Also let b1 be the shortest vector LLL gets then:

th kb1k • Hermite factor: Compared to the n -root of the volume 1 . vol(L) n

48 The next theorem gives us the boundaries of these factors theoretically.

Theorem 4.4.2. Let γ2 be the Hermite constant then,

(n−1)/2 n • Hermite Factor ≤ γ2 ≈ 1.039 .

However, in practice Nicolas Gama and Phong Nguyen [GN08] found that:

• Hermite Factor ≤ 1.022n.

Due to the fact that the perfect lattice is actually an irrational lattice in the sense that given any basis, the basis vectors will be irrational, therefore if we round the lattices to be integer lattices, which can be used to approximate the perfect lattices, the closer they get, the more bits they require.

49 Chapter 5

Lattice and Cryptography

5.1. Introduction

In chapter 3 we talked about lattices and reviewed the basic definitions and results regarding lattices. Here we continue what we start in chapter 3. Our goals of this chapter are to show the connection between lattices and cryptography, review definitions of the lattice problems that are already used in cryptographic schemes, and finally define new hard lattice problems that will help us later in our constructions.

5.2. Lattices in Cryptography

The effective connection between lattice and cryptography was the one established by Ajtai in

1996 [Ajt96]. Ajtai ﬁrst generated a random class of lattices which has an average-case complexity. The reduction of a lattice from this class is a lattice that has the worst-case complexity.

Then he proved that if there is a probabilistic algorithm that can solve a decision approximate

SVP for a lattice from this class then this algorithm can be used to solve at least one of the three

NP-hard lattice problems —1) the shortest length, 2) SVP or approximate SVP to polynomial factor and/or 3) approximate SBP— for lattice in the worst-case. This link between the average- case and worst-case complexity in lattices opened the door to ﬁnd a trapdoor function that can

50 be used to build lattice based cryptosystems. Ajtai and Dwork showed that lattices can be used in cryptography, and they built the ﬁrst cryptosystem based on lattices in 1997 [AD97].

Another interesting cryptosystem is NTRU which was started to develop in 1996 by Jef- frey Hoffstein, Jill Pipher, and Joseph Silverman. The ﬁrst publication of the system was in

1998 [HPS98]. This cryptosystem is built on a complex polynomial ring constructer over ﬁnite

ﬁeld. The security of it relys on the hardness of ﬁnding a short vector in a special lattice [CS97].

In 1997, Goldreich, Goldwasser, and Halevi proposed a lattice based cryptosystem that is known as GGH cryptosystem [GGH97]. The idea of this cryptosystem is using a good basis as a private key—good means short and almost orthogonal— and a bad basis as a public key. The security of this scheme relies on the hardness to solve CVP for a bad basis. This scheme was analyzed successfully by Nguyen in 1999 [Ngu99].

An important movement for our construction in this work is the one given by Oded Regev in 2003 [Reg04a]. Regev found a way to use the Gaussian distribution to improve the results that Ajtai and Dwork found in [AD97]. Then in [Reg05], he introduced the Leaning with Error problem(LWE) which become later one of the most attractive lattice problem in cryptography in the last ten years. A lot of cryptographic schemes are built based on the hardness of LWE, for examples [Reg05; PVW08; Pei09; ABB10; JD12; ZZDSD15].

In 2010, Lyubashevsky, Peikert, and Regev gave a new cryptographic scheme based on the

LWE and its dual problem the Small Integer Solution [LPR10]. The new scheme is built in a polynomial ring similar to the one used in NTRU cryptosystem; as a result the Ring Learn- ing with Error (RLWE) has more algebraic constructer which gives more ﬂexibility during the computations between the ring elements.

51 5.3. Hard lattice problems in Cryptography

In this section we review the main hard lattice problems that are proved to be efﬁcienct to build cryptosystems. Before that we recall the deﬁnition of q-ary which is the most interesting lattice used in the current lattice cryptographic schemes:

n n Deﬁnition 5.3.1. Let L be a lattice in Z , we say L is a q-ary lattice for an integer q, if qZ ⊆ L.

So if we let A to be an n × m matrix from Zq then we have the following two m-dimensional q − ary lattices,

m t n L(A) = {z ∈ Z : z = A · y mod q for some y ∈ Z } and

⊥ m L (A) = {z ∈ Z : A · z = 0 mod q}.

A dual lattice of given one is another important notion to know which is deﬁned as the following:

n ∗ Deﬁnition 5.3.2. Given a lattice L ⊂ R , the dual lattice of L, denoted by L , is the lattice given by

∗ n L = {y ∈ R : < x, y >∈ Z ∀x ∈ L}.

5.3.1. Short Integer Solution

The Short Integer Solution (SIS) problem is the problem provided by Ajtai [Ajt96] who proved that solving this problem is as hard as solving some lattice problems in the worst-case. This problem is deﬁned as:

52 n Deﬁnition 5.3.3. Given a real number β > 0 and a1,..., am random uniform vectors from Zq m where q > β, we want to ﬁnd a vector y ∈ Z with kyk ≤ β and such that

m X yiai = 0 mod q. i=1

In a recent research by Micciancio and Peikert [MP13], they proved that SIS is hard to solve for β ≤ q where β = α · nδ for any constant δ > 0 while the Euclidian norm of the solution is still bounded by α.

5.3.2. Learning with Errors

Learning with Errors (LWE) was presented by Regev in [Reg05] in 2004. In this review of this fundamental problem to many of cryptographic researches, we are using these papers [Reg05;

GPV08; Reg10]. Also we use the same notations that are used in [Reg10]. We use n ≥ 1 to be the size notation of the problem and q ≥ 2 the modular integer. We also take χ to be an error probability distribution in particular the disecrate Gaussian distribution.

The probability density function of Gaussian distribution with median µ and variance σ2

n kv−µk 2 n over R is the exponential function of the function g(v) = −( σ ) where v ∈ R . So, the disecrate Gaussian distribution over n-dimensional lattice L with the density function where

µ = 0 and σ = r for some parameter r > 0; denoted by DL,r. Given a parameter α > 0 and a modulus q, we denote by χα the discrete Gaussian distribution over Zq obtained by µ = 0, with σ = α. For more details about Gaussian distribution the reader can look at[Reg05].

Now we can deﬁne the Learning with Errors problem. Let n > 0 be ﬁxed and χα be an

n error distribution for some parameter α > 0 then for a ﬁxed s ∈ Zq we denote As,χα to be the n n distribution over pairs (a, < a, s > +2e) ∈ Zq × Zq, where a ← Zq is chosen uniformly at random and e ← χα is independent of a.

n Definition 5.3.4. (Searching LWE.) For a fixed s from Zq , given many independent samples from As,χα , the goal is to find s with high probability.

53 n Deﬁnition 5.3.5. (Decisional LWE.) For a ﬁxed s from Zq , given arbitrary number of pairs n (a, c) ← Zq × Zq the goal is to decide whether they are from As,χα , or they are uniformally random pairs.

Regev proved that if there exists an algorithm that solves the decision version of LWE then this algorithm can be used to build an algorithm that can solve the search version in polynomial time (Lemma 4.2[Reg05], Lemma 3.1[Reg10]).

We are not going to prove the hardness of LWE problem in this thesis work but we recall the main result regarding that for completeness.

Lemma 5.3.6 (Proposition 2.1,[Reg10]). Let q > 2 be an integer and α ∈ (0, 1) be some real number. Assume we are given access to an oracle that solves the LWE problem with modulus q and error parameter α. Then, given as input any lattice L, a large enough polynomial number of samples from the discrete Gaussian distribution DL∗,r for some (not too small) r, and a point x within distance √αq of L, we can output the (unique) closest lattice point to x in polynomial 2r time.

5.3.3. Ring Learning with Errors

Here, we introduce some notation and recall informally the Ring Learning with Errors (RLWE) assumption, introduced in [LPR10]. The ring of polynomials over Z (respectively, Zq = Z/qZ) we denote by Z[x] (resp., Zq[x]). Let n ∈ Z be a power of 2. We consider the ring R = n n Z[x]/(x + 1). For any positive q ∈ Z, we set Rq = Zq[x]/(x + 1). For any polynomial y in R n n or Rq, we identify y with its coefﬁcient vector in Z or Zq , respectively. Recall that for a ﬁxed

β > 0, the discrete Gaussian distribution over Rq (parametrized by β) is naturally induced by

n that over Z (centered at 0, with standard deviation β). We denote this distribution over Rq by

χβ. More details can be found in [ZZDSD15].

For a ﬁxed s ∈ Rq, let As,χβ be the distribution over pairs (a, as + 2x) ∈ Rq × Rq, where a ← Rq is chosen uniformly at random and x ← χβ is independent of a. The Ring Learning with

Errors assumption is the assumption that for a ﬁxed s sampled from χβ, the distribution As,χβ

54 2 is computationally indistinguishable from the uniform distribution on Rq, given polynomially many samples.

In doing so we also deﬁne the norm of a polynomial to be the norm of its coefﬁcient vector.

Then we have the following useful facts:

Lemma 5.3.7 ([ZZDSD15]). Let R be deﬁned as above. Then, for any s, t ∈ R, we have √ ks · tk ≤ n · ksk · ktk and ks · tk∞ ≤ n · ksk∞ · ktk∞. √ Lemma 5.3.8 ([MR07; GPV08]). For any real number α = ω( log n), we have Prx←χα [kxk > √ α n] ≤ 2−n+1.

Next we recall the main result regarding completeness.

Theorem 5.3.9 (Theorem 1,[LPR10]). Suppose that it is hard for polynomial-time quantum algorithms to approximate the search version of the shortest vector problem (SVP) in the worst case on ideal lattices in R to within a ﬁxed poly(n) factor. Then any poly(n) number of samples drawn from the RLW E distribution are pseudorandom to any polynomial-time (possibly quantum) attacker.

5.4. New Lattice Problems

In this section we are going to introduce two new lattice problems which can be reduced to the RLWE problem. Before we deﬁne these problems, we recall the Cha and Mod2 func- q−1 q−1 tions deﬁned in [ZZDSD15]. We denote Zq = {− 2 ,..., 2 } and consider the set E : q q = {−b 4 c,..., b 4 e}, i.e. the “middle” of Zq. Recall that Cha is the characteristic function of the complement of E, which returns 0 if the input in E and 1 othewise, and that

Mod2 : Zq × {0, 1} → {0, 1} is deﬁned as:

q − 1 Mod (v, b) = (v + b · ) mod q mod 2. 2 2

55 These two functions have fundamental features which can be seen from the following two lemmas.

Lemma 5.4.1 ( [ZZDSD15]). Let n be the security parameter, and let q = 2ω(log n) + 1 be an

0 odd prime. Let v ∈ Zq be chosen uniformly at random. For any b ∈ {0, 1} and any v ∈ Zq, the 0 output distribution of Mod2(v + v , b) given Cha(v) is statistically close to uniform on {0, 1}.

Lemma 5.4.2 ( [ZZDSD15]). Let q be an odd prime, v ∈ Zq and e ∈ Zq such that |e| < q/8.

Then, for w = v + 2e, we have Mod2(v, Cha(v)) = Mod2(w, Cha(v)).

Regarding to understand these two functions more, we did some independent effort and came up with the following theorem:

q−1 q−1 Theorem 5.4.3. Let σ = Mod2(X, w1) for some X ∈ Zq = {− 2 ,..., 2 } and w1 = q Cha(X) then for all α ∈ Zq such that |α| < 4 we can determine σα = Mod2(X + α, w2) where w2 = Cha(X + α) if we know w2.

q Proof. Without loss of generality we can assume 0 ≤ α < 4 . Let X be an element from Zq, the following picture shows how the Cha function works in Zq. Simply, Cha(X) = 0,X ∈ E and Cha(X) = 1,X ∈ Ec.

We have four different cases with respect to the values of w1 and w2 as the following:

56 Case1: If w1 = w2 = 0 then X ∈ E and X + α ∈ E

σ = Mod2(X, w1) = X mod q mod 2 = X mod 2

σα = Mod2(X + α, w2) = X + α mod q mod 2

= X + α mod 2 = σ + α mod 2.

q q q c Case2: If w1 = 0 and w2 = 1 then X ∈ (0, b 4 e] ⊂ E and X + α ∈ (b 4 e, b 2 c] ⊂ E

σ = Mod2(X, w1) = X mod q mod 2 = X mod 2 q − 1 σ = Mod (X + α, w ) = X + α + mod q mod 2 α 2 2 2 q + 1 q + 1 = X + α − mod 2 = σ + α − mod 2. 2 2

q q c q Case3: If w1 = 1 and w2 = 0 then X ∈ (−b 2 c, −b 4 c] ⊂ E and X + α ∈ (−b 4 c, 0] ⊂ E

q − 1 q − 1 σ = Mod (X, w ) = X + mod q mod 2 = X + mod 2 2 1 2 2

σα = Mod2(X + α, w2) = X + α mod q mod 2 q − 1 q − 1 = X + α mod 2 = X + + (α − ) mod 2 2 2 q − 1 = σ + α − mod 2. 2

57 q q c q q c Case4: If w1 = 1 and w2 = 1 then X ∈ (b 4 e, b 2 c] ⊂ E or X ∈ (−b 2 c, −b 4 c] ⊂ E . If q q X ∈ (b 4 e, b 2 c] then,

q − 1 q + 1 σ = Mod (X, w ) = X + mod q mod 2 = X − mod 2 2 1 2 2 q − 1 σ = Mod (X + α, w ) = X + α + mod q mod 2 α 2 2 2 q + 1 = X + α − mod 2 = σ + α mod 2. 2

q q However if X ∈ (−b 2 c, −b 4 c] then,

q − 1 q − 1 σ = Mod (X, w ) = X + mod q mod 2 = X + mod 2 2 1 2 2 q − 1 σ = Mod (X + α, w ) = X + α + mod q mod 2 α 2 2 2 q − 1 = X + α + mod 2 = σ + α mod 2. 2

Hence from the Cases 1,2,3 and 4, we can see that,

  σ + α mod 2 w1 = w2   q+1 σα = σ + α − 2 mod 2 w1 = 0, w2 = 1    q−1 σ + α − 2 mod 2 w1 = 1, w2 = 0

q Finally we prove by similar argument that if − 4 < α ≤ 0, we get

  σ + α mod 2 w1 = w2   q+1 σα = σ + α − 2 mod 2 w1 = 1, w2 = 0    q−1 σ + α − 2 mod 2 w1 = 0, w2 = 1

58 which completes the proof.

We also note here that Cha and Mod2 functions also can be extended to Rq by applying them coefficient-wise to the coefficients in Zq that define the ring elements. In other words, for any ring element v = (v0, . . . , vn−1) ∈ Rq and binary vector b = (b0, . . . , bn−1) ∈

n {0, 1} , we set Cha(v) = (Cha(v0),..., Cha(vn−1)) and Mod2(v, b) = (Mod2(v0, b0),...,

Mod2(vn−1, bn−1)).

5.4.1. The RLWE Difﬁe Hellman problem

Now we would like to give a deﬁnition to what we called the RLWE-DH problem which can be reduced to RLWE problem.

Deﬁnition 5.4.4. (RLWE-DH) Let Rq and χβ be deﬁned as in section 5.3.3. Given as input ring

2 elements a, X, Y, and K, where (a, X) is uniformly random in Rq, the RLWE-DH problem is to tell if K is X · sy + 2gy for some gy ← χβ and Y = a · sy + 2ey for some sy, ey ← χβ, or

2 (K,Y ) is uniformly random in Rq.

To show the reduction to RLWE problem, we prove the following theorem:

Theorem 5.4.5. Let Rq and χβ be deﬁned as above. The RLWE-DH problem is hard to solve if RLWE problem is hard.

Proof. Suppose that RLWE is hard and that there exists an algorithm D which can solve RLWE-

DH on input (a, X, Y, K) with non-negligible advantage. This means that D can determine if

K = X · sy + 2gy for some gy ← χβ and Y = a · sy + 2ey for some sy, ey ← χβ, or (K,Y ) is

2 uniformly random in Rq.

Now given two samples of a RLWE challenge (a1, b1) and (a2, b2) where both share the same s ← χβ, using D we can build a distinguisher D that can solve the RLWE problem as follows:

1. Set (a, X, Y, K) = (a1, a2, b1, b2).

2. Run D on input (a, X, Y, K). By construction, we have:

59 • b2 = a2 · s + e2 for some e2 ← χβ and b1 = a1 · s + e1 for some e1 ← χβ.

• Or b2 and b1 are a uniformly random from Rq.

Since D solves the RLWE-DH with non-negligible advantage, then D0 solves RLWE with non- negligible advantage advantage as well, which contradicts the hardness of RLWE. Hence if

RLWE hard to solve then RLWE-DH is also hard to solve.

5.4.2. The Pairing with Errors problem

The Pairing with Errors (PWE) problem is the problem deﬁned as:

Deﬁnition 5.4.6. (Search PWE) Given a a uniformly random element from Rq , X ∈ Rq,

Y = as + 2e a sample from RLW Eq,χβ and w = Cha (X.s + 2g) for some g ∈ χβ. The

Pairing with Errors problem is to ﬁnd σ = Mod2(X.s + 2g, w).

We also have a decision version that can be deﬁned as follows.

n n Deﬁnition 5.4.7. (Decision PWE) Given (a, X, Y, W, σ) ∈ Rq × Rq × Rq × {0, 1} × {0, 1} where W = Cha (K) for some K ∈ Rq and σ = Mod2(K,W ). The decision Pairing with Errors problem is to decide whether K = Xs + 2g and Y = as + 2e for some s, g, and e drawn

2 from χβ, or (K,Y ) is uniformly random in Rq.

Now we show the reduction of the PWE problem to the RLWE-DH problem by the following theorem.

Theorem 5.4.8. Let Rq and χβ be deﬁned as above. The PWE problem is hard if the RLWE-DH problem is hard.

Proof. Suppose that RLWE-DH is hard to solve and assume that there exists an algorithm D which can solve the PWE problem on input (a, X, Y, w, σ) where for some K ∈ Rq, w =

Cha(K) and σ = Mod2(K, w) with non-negligible advantage. This means that D can determine if

60 1. K = Xs + 2g and Y = as + 2e for some s, g, and e drawn from χβ, or

2 2. (K,Y ) is uniformly random in Rq.

Now we can build a distinguisher D0 that, on input (a, X, Y, K), solves the RLWE-DH problem by using D as a subroutine in the following manner:

1. Compute w = Cha(K) and σ = Mod2(K, w).

2. Run D to solve PWE problem using the input (a, X, Y, w, σ).

• If D outputs 1 then K = Xs + 2g and Y = as + 2e for some s, g, e ← χβ,

2 • else (K,Y ) is a uniformly random element from Rq.

Since D solves PWE with non-negligible advantage, it follows that D0 solves RLWE-DH with non-negligible advantage as well, contradicting RLWE-DH’s hardness.

As a result from Theorem 5.4.5 and Theorem5.4.8, we can say that if RLWE is a hard problem then PWE problem is also hard.

61 Chapter 6

The New Protocols

The work in this chapter is based on our submitted paper to Asiacrypt 2016 “Provably Secure

Password Authenticated Key Exchange Based on RLWE for the Post-QuantumWorld”. This is joint work with Jintai Ding, Jean Lancrenon, Saraswathy R.V. and Michael Snook.

6.1. Introduction

Building a Password Authenticated Key Exchange that is secure in the Post-Quantum Word is the main goal of our thesis. This kind of key agreement is really important in practice, since many applications and software required users to have passwords from a small entropy. This makes sense because humankind cannot usually remember long random passwords. So, how can we fulﬁll this demand?

In this chapter we are going to show how to construct protocols that match our master goal.

Our construction is basically a composition between the work done by MacKenzie in [Mac02], that we reviewed in chapter 2 and the work done by Jintai Ding et al. in[JD12]. In the latter paper, the authors introduced a simple key exchange protocol that is based on the Learning with

Errors problem which was presented by Regev in [Reg05], and we reviewed it in section 5.3.2.

Then they extended this protocol by using the Ring Learning with Errors [Reg10](section 5.3.3)

62 instead of LWE. The most important advantages that they gain from this extension are the shared key becomes shorter and the computation becomes easier and faster with a good level of security.

Those aspects are important for any cryptographer and play a virtual role in building any new cryptographic scheme.

Our new protocols’ security relys on a hard problem that we called Pairing with Errors problem. This can be reduced polynomially to RLWE problem as we have shown in section 5.4.

Mainly this problem is the one that is used in [JD12], however we redeﬁne it in a way that can be help to embed it in our proof properly. So our new protocols are carrying all good features that both MacKenzie and Jintai works have.

6.2. Security model

Here, we use the security model from [BPR00]. We describe this security model in Section 2.2.

In summary, it models the communications between the clients and servers over a network that is insecure. We assume this network to be fully controlled by a probabilistic, polynomial-time adversary A. Users are expected to both establish and use session keys over this network. There- fore, the adversary is given access to specific queries which reflect the user usage. A also may initialize protocol communications between user instances of its choice, send any message wants, and observe their reaction according to protocol specification. It may also reveal session keys established by instances, thereby modeling loss of keys through higher-level protocol use. Finally, we even allow the adversary to obtain user passwords, in order to capture forward secrecy. More details can be found in Section 2.2.

6.3. Security assumption

We deﬁned the Pairing with Errors problem in Section 5.4.2. Now we state the Pairing with

Errors (PWE) assumption, under which we prove that our protocols are secure. We return to the

∗ general notations of section 5.3.3, but using the Gaussian distribution χβ for a ﬁxed β ∈ R+. For

63 2 any (X, s) ∈ Rq, we set τ(X, s) = Mod2(Xs, Cha(Xs)). Let A be probabilistic, polynomial- 3 n time algorithm taking inputs of the form (a, X, Y, W ), where (a, X, Y ) ∈ Rq and W ∈ {0, 1} , and outputting a list of values in {0, 1}n. A’s objective will be for the string τ(X, s) to be in its output, where s is randomly chosen from Rq, Y is a “small additive perturbation” of as, and W is Cha(Xs) itself. Formally, let

PWE def h AdvRq (A) = P r a←Rq; s←χβ; X←Rq; e←χβ; i Y ← as + 2e; W ← Cha(Xs): τ(X, s) ∈ A(a, X, Y, W )

n o Let AdvPWE(t, N) = max AdvPWE(A) , where the maximum is taken over all adver- Rq A Rq saries of time complexity at most t that output a list containing at most N elements of {0, 1}n.

The PWE assumption states that for t and N polynomial in k, AdvPWE(t, N) is negligible in Rq k.

We turn to describing the protocols RLWE-PAK and RLWE-PPK themselves and examine their security.

6.4. Password-Authenticated RLWE Key

Exchange(RLWE-PAK)

Let n be a power of 2, and f(x) = xn + 1. Let q = 2ω(log n) + 1 be an odd prime such

∗ ∗ κ that q mod 2n = 1. Let H1 : {0, 1} → Rq be a hash function, Hl : {0, 1} → {0, 1} for

∗ κ l ∈ {2, 3} be hash functions for verification of communications, and H4 : {0, 1} → {0, 1} be a Key Derivation Function (KDF), where κ is the bit-length of the final shared key. We model the hash functions and KDF as random oracles. Let a be a fixed element chosen uniformly at random from Rq and given to all users. Let χβ be a discrete Gaussian distribution with

∗ parameter β ∈ R+. We will make use of the Cha and Mod2 functions deﬁned in [ZZDSD15] and recalled above.

64 0 0 The function γ used to compute client passwords’ veriﬁers is set as γ = −H1(·). Our protocol consists of the following steps, illustrated in Figure 6.1:

Initiation Client C randomly samples sC, eC ← χβ, computes α = asC + 2eC, γ = H1(pwC) and m = α + γ and sends < C, m > to party S.

Response Server S receives < C, m > from party C and checks that m ∈ Rq; if not, it aborts.

0 0 Otherwise it computes α = m + γ where γ = −H1(pwC). Server S then randomly

samples sS , eS ← χβ and computes µ = asS + 2eS and kS = α · sS .

n Next, Server S computes w = Cha(kS ) ∈ {0, 1} and σ = Mod2(kS , w). Server S

0 00 sends µ, w, and k = H2(C, S, m, µ, w, σ, γ ) to party C and computes the value k =

0 H3(C, S, m, µ, σ, γ ).

Initiator ﬁnish Client C checks that µ ∈ Rq, and computes kC = sC ·µ and σ = Mod2(kC, w).

0 Client C veriﬁes that H2(C, S, m, µ, σC, γ ) matches the value of k received from Server S where γ0 = −γ. If it does not, Client C ends the communication.

0 0 If it does, Client C computes k = H3(C, S, m, µ, σ, γ ) and derives the session key skC =

0 0 H4(C, S, m, µ, σ, γ ). It then sends k back to Server S.

0 0 Responder finish Finally, Server S verifies that k = H3(C, S, m, µ, σ, γ ) the same way Client C verified k. If this is correct, Server S then derives the session key by computing

0 skS = H4(C, S, m, µ, σ, γ ). Otherwise, S refuses to compute a session key.

6.4.1. Correctness

Theorem 6.4.1 (Correctness). Let q be an odd prime such that q > 16β2n3/2. Let two parties, C and S, establish a shared key by honestly following the protocol described above. Then, the two will end with the same key with overwhelming probability.

65 Client C Server S 0 Input S, pwC γ = −H1(pwC) Sample sC, eC ← χβ Abort if m∈ / Rq < C, m > α = asC + 2eC Sample sS , eS ← χβ γ = H1(pwC) µ = asS + 2eS ∈ Rq m = α + γ α = m + γ0

kS = αsS Abort if µ∈ / Rq n w = Cha(kS ) ∈ {0, 1} kC = sCµ µ, w, k σ = Mod2(kS , w) σ = Mod2(kC, w) 0 0 k = H2(C, S, m, µ, σ, γ ) γ = −γ 00 0 k = H3(C, S, m, µ, σ, γ ) 0 Abort if k 6= H2(C, S, m, µ, σ, γ ) else 0 00 0 0 k0 Abort if k 6= k k = H3(C, S, m, µ, σ, γ ) 0 0 skS = H4(C, S, m, µ, σ, γ ) skC = H4(C, S, m, µ, σ, γ )

Figure 6.1.: Explicitly Authenticated Protocol

Proof. To show the correctness of our RLWE-PAK protocol, it is sufficient to show that the key material derived as Mod2(kC, Cha(kS )) = Mod2(kS , Cha(kS )). By Lemma 5.4.2, if kC and kS are sufficiently close then we done. Specifically, if |kC − kS | < q/4 then both sides have the same value, σ. If we compare the two:

kC = sCµ = sC.(asS + 2eS )

= asC.sS + 2eS sC

kS = αsS = (asC + 2eC).sS

= asC.sS + 2eC.sS

we ﬁnd that kC − kS = 2[eS sC − eC.sS ]. By Lemma 5.3.8, each individual eS , sC, eC, sS term √ has norm less than β n with overwhelming probability. Applying Lemma 5.3.7 and the triangle

66 2 3/2 inequality, we have that kkC − kS k ≤ 4β n < q/4 with overwhelming probability. Hence

Mod2(kC, Cha(kS )) = Mod2(kS , Cha(kS )).

6.4.2. Proof of security for RLWE-PAK

Our proof of security follows the one in the PAK suite paper by MacKenzie [Mac02]. We essentially adapt it to our PWE instantiation. The objective is to show that an adversary A attacking the system is unable to determine the SK of a fresh instance with greater advantage than that of an online dictionary attack.

In what follows, we distinguish Client Action (CA) queries and Server Action (SA) queries.

The adversary makes a:

i • CA0 query if it instructs some unused ΠC to send the ﬁrst message to some S;

j • SA1 query if it sends some message to a previously unused ΠS ;

i • CA1 query if it sends a message to some ΠC expecting the second protocol message;

j • SA2 query if it sends some message to a ΠS expecting the last protocol message.

For the convenience of the reader, certain events corresponding to A making password guesses

- against a client instance, against a server instance, and against a client instance and server instance that are partnered - are deﬁned:

0 0 • testpw(C, i, S, pw, l): for some m, µ, γ , w and k, A makes an Hl(< C, S, m, µ, σ, γ >)

i i query, a CA0 query to ΠC with input S and output < C, m >, a CA1 query to ΠC with 0 input < µ, k, w > and an H1(pw) query returning −γ = ash+2eh ∈ Rq, where the latest

query is either the Hl(.) query or the CA1 query. σ = Mod2(kS , w) = Mod2(kC, w),

0 kS = αsS , kC = µsC and m = α − γ . The associated value of this event is output of

Hl(.), l ∈ {2, 3, 4}.

• testpw!(C, i, S, pw): for some w and k a CA1 query with input < µ, k, w > causes a

testpw(C, i, S, pw, 2) event to occur, with associated value k.

67 0 0 • testpw(S, j, C, pw, l): for some m, µ, γ , w and k A makes an Hl(< C, S, m, µ, σ, γ >) j query and previously made SA1 query to ΠS with input < C, m > and output < µ, k, w > 0 , and an H1(pw) query returning −γ , where σ = Mod2(kS , w) = Mod2(kC, w), kS =

0 αsS , kC = µsC and m = α − γ . The associated value of this event is output of Hl(.), l ∈ j {2, 3, 4} generated by ΠS .

j 0 • testpw!(S, j, C, pw): a SA2 query to ΠS is made with k , where a testpw(S, j, C, pw, 3) event previously occured with associated value k0.

• testpw∗(S, j, C, pw): testpw(S, j, C, pw, l) occurs for some l ∈ {2, 3, 4}.

• testpw(C, i, S, j, pw): for some l ∈ {2, 3, 4}, both a testpw(C, i, S, pw, l) event and a

i j j i testpw(S, j, C, pw, l) event occur, where ΠC is paired with ΠS and ΠS is paired with ΠC after its SA1 query.

0 0 • testexecpw(C, i, S, j, pw): for some m, µ, γ , w, A makes an Hl(< C, S, m, µ, σ, γ >) query for l ∈ {2, 3, 4}, and previously made an Execute(C, i, S, j) query that generates m

0 and µ and an H1(pw) query returning −γ = ash+2eh ∈ Rq, where σ = Mod2(kS , w) =

0 Mod2(kC, w), kS = αsS , kC = µsC and m = α − γ .

• correctpw: before any Corrupt query, either a testpw!(C, i, S, pw) event occurs for

∗ some C, i and S, or a testpw (S, j, C, pwC) event occurs for some S, j, and C.

• correctpwexec: a testexecpw(C, i, S, j, pwC) event occurs for some C, i, S, and j.

• doublepwserver: before any Corrupt query happens, both a testpw∗(S, j, C, pw) event

and testpw∗(S, j, C, pw0) occur for some S, j, C, pw and pw0, with pw 6= pw0.

• pairedpwguess: a testpw(C, i, S, j, pwC) event occurs, for some C, i, S, and j.

Theorem 6.4.2. Let P:=RLWE-PAK, described in Figure 6.1, using group Rq, and with a password dictionary of size L. Fix an adversary A that runs in time t, and makes nse, nex, nre, nco

68 queries of type Send, Execute, Reveal, Corrupt, respectively, and nro queries to the random or-

0 acles. Then for t = O(t + (nro + nse + nex)texp):

n Advake(A) = se + O n AdvPWE(t0, n 2) + AdvDRLW E(t0, n ) P L se Rq ro Rq ro (n + n )(n + n + n ) n + se ex ro se ex + se qn 2κ

Proof. We study a sequence of protocols - P0, P1, ··· , P7 - with the following properties. First

P0 = P and P7 is by design only possible to attack using natural online guessing. Secondly, we have

ake ake ake AdvP0 (A) ≤ AdvP1 (A) + 1 ≤ · · · ≤ AdvP7 (A) + 7 where 1, ··· , 7 are all negligible values in k. Adding up the negligible values and counting the success probability of the online attack in P7 then gives the desired result.

We can assume that nro and nse + nex are both ≥ 1. Random oracle queries are answered in the usual way: new queries are answered with uniformly random values, and previously made queries are answered identically to the past response. We further assume that the H1(pw) query is answered by the simulator by computing the response as ash + 2eh ∈ Rq, where (sh, eh) is

2 sampled uniformly at random from Rq. Finally, if A makes an Hl(v) query for l ∈ {2, 3, 4} and some v then the corresponding Hl0 (v) and Hl00 (v) queries are computed and stored, where

0 00 l , l ∈ {2, 3, 4}\{l}. A only sees the output of Hl(v), but the other two queries are still considered to have been made by A.

We now detail our sequence of protocols, and bound A’s advantage difference from each protocol to the next.

Protocol P0: is just the original protocol P.

Protocol P1: P1 is nearly identical to P0, but is forcefully halted as soon as honest parties randomly choose m or µ values seen previously in the execution.

69 Speciﬁcally, let E1 be the event that an m value generated in a CA0 or Execute query yields an m value already seen in some previous CA0 or Execute query, an m value already used as input in some previous SA1 query, or an m value from some previous Hl(.) query made by A.

Let E2 be the event that a µ value generated in SA1 or Execute query yields a µ from a previous SA1 or Execute query, a µ value sent as input in some previous CA1 query, or a µ value from a previous Hl(.) query. Setting E = E1 ∨ E2 then P1 is deﬁned as being identical to P0 except that the protocol halts and the adversary fails when E occurs.

Claim 1. For any adversary A,

O((n + n )(n + n + n )) Advake(A) ≤ Advake(A) + se ex ro se ex P0 P1 qn

Proof. Consider the latest m or µ value generated. The probability that this value has previously

nro+nse+nex been generated in a Send, Execute, or random oracle query is qn . There are nse + nex values that are required to be unique if event E does not occur. Thus, the probability of any of

O((nse+nex)(nro+nse+nex)) the m or µ values not being unique is indeed qn . Note that the cardinal n of Rq is exactly q , and that m is random because γ is.

Protocol P2: This protocol is identical to P1 except that Send and Execute queries are answered without using random oracles. Any random oracle query A subsequently makes is answered in such a way as to be consistent with the results of these Send and Execute queries. In more detail, the queries in P2 are now answered as follows:

• In an Execute(C, i, S, j) query, m = asm + 2em where sm, em ← Rq, µ = asS + 2eS

n 0 κ i j κ where sS , eS ← χβ, w ← {0, 1} , k, k ← {0, 1} , and skC ← skS ← {0, 1} .

i • In a CA0 query to instance ΠC, m = asm + 2em where sm, em ← Rq.

j n • In a SA1 query to instance ΠS , µ = asS + 2eS where sS , eS ← χβ, w ← {0, 1} , and j 00 κ skS , k, k ←{0, 1} .

70 i • In a CA1 query to instance ΠC, do the following.

0 – If this query leads to a testpw!(C, i, S, pwC) event to happen, then place k to the

i associated value of the testpw(C, i, S, pwC, 3) event, and place skC to the associated

value of the testpw(C, i, S, pwC, 4) event.

i j i j 0 κ – Else if ΠC is paired with a server instance ΠS , set skC ← skS , then k ←{0, 1} .

i – Otherwise, ΠC aborts.

j • In a SA2 query to instance ΠS , if this query leads to a testpw!(S, j, C, pwC) event to j i j happen, or if ΠS is paired with a client instance ΠC, terminate. Otherwise, ΠS aborts.

0 • In an Hl(< C, S, m, µ, σ, γ >) query, for l ∈ {2, 3, 4}, if this Hl(.) query causes a

testpw(S, j, C, pwC, l) event, or testexecpw(C, i, S, j, pwC) event to happen, then output the associated value of the event else output a random value from {0, 1}κ.

Claim 2. For any adversary A,

O(n ) O(n ) Advake(A) = Advake(A) + ro + se P1 P2 qn 2κ

Proof. In P1 we can see that H2(.),H3(.) and H4(.) queries are new therefore the values

j 00 j skS , k and k which are created by a server instance ΠS in the SA1 query are uniformly chosen from {0, 1}κ, independent of anything that previously occurred. Then in SA2 query, if a j j testpw!(C, i, S, pwC) event happens, or ΠS is paired, the instance terminates, and if ΠS is unpaired and no testpw!(C, i, S, pwC) event happens, then either the instance terminates or aborts.

nse Then one can easily see that the total probability of any instance terminating is pounded by 2κ in this case.

i Moreover, in P1, we have one of the following cases for any client instance ΠC:

0 i 1.a testpw!(C, i, S, pwC) event happens, and then k and skC are placed to be the values as-

sociated with the testpw(C, i, S, pwC, 3) and testpw(C, i, S, pwC, 4) events, respectively, which are guranteed to happen by our original assumption, or

71 j i 2. no testpw!(C, i, S, pwC) event happens, but just one instance ΠS is paired with ΠC, in i j 0 κ any case skC = skS , and k is chosen uniformly from {0, 1} , independent of anything

that previously happened (because no testpw(C, i, S, pwC, 3) event could have occurred in this case), or

i 3. no testpw!(C, i, S, pwC) event happens and no instance is paired with ΠC then either the instance terminates or aborts. In this case also we have the total probability of any instance

nse terminating is pounded by 2κ .

For any Hl(.) query where l ∈ {2, 3, 4}, we have four possibilities: (1) it might leads to a testpw(S, j, C, pwC, l), or a testexecpw(C, i, S, pwC) event to happen, in each case the result is the associated value of the event, (2) it does not lead to a testpw(C, i, S, pwC) event, but does lead to a testpw(C, i, S, pwC, l) event to happen, where the CA1 query of the event had entry

i 0 C i < µ, k > for some µ, in which case either ΠC terminated and the output is k, k ,or ski or ΠC κ 0 C 0 aborted and the result is uniformly chosen from {0, 1} \{k, k , skj }, (3) γ but the adversary κ has not made an H1(pwC)query, or (4) the output of Hl(.) is uniformly chosen from {0, 1} independent of anything that previously happened because this is a new Hl(.) query. The total

nro probability of an Hl(.) query causing the third case above is at most qn . The second case above where the result is ﬁxed can only occurred when an unpaired client instance terminated with no testpw!(C, i, S, pwC) event and for l ∈ {3, 4} it can only occur when an H2(.) query causes a second case where its output is ﬁxed.

i If an unpaired client instance ΠC never terminates without a testpw!(C, i, S, pwC) event, an j unpaired server instance ΠS never terminates without a testpw!(S, j, C, pwC) event, and the third case of the H2,H3, and H4 queries does not occur, then P2 matches P1 and the claim follows.

0 Protocol P3: is identical to P2 except that in an Hl(< C, S, m, µ, σ, γ >) query, for l ∈ {2, 3, 4}, it is not checked for consistency against Execute query. So the protocol responds with

72 a random output instead backpatching to preserve consistency with an Execute query. Simply there is no testexecpw(C, i, S, j, pwC) event checking.

0 Claim 3. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake DRLW E 0 PWE 0 AdvP2 (A) ≤ AdvP3 (A) + AdvRq (t , nro) + 2AdvRq (t , nro)

Proof. Let E be the event that a correctpwexec event happens then clearly P2 and P3 are indistinguishable if E does not occur. So if we have a probability for E to occur when A is running against protocol P then we have P r[Succake(A)] ≤ P r[Succake(A)] + and thus 2 P2 P3 Advake(A) ≤ Advake(A) + 2. P2 P3 Now we build a method D that attempts to solve PWE by running A on a simulation of the protocol. Given (a, X, Y, W ), D simulates P2 forA with the following changes:

1. In an Execute(C, i, S, j) query, set m = X + (asf + 2ef ) where sf , ef ←χβ, µ = Y +

n (asff + 2eff ) where sff , eff ← χβ, and selects w ← {0, 1}

0 2. Run A against the simulation of P2 when it ﬁnishes, for every Hl(< C, S, m, µ, σ, γ >) query for l ∈ {2, 3, 4}, where m and µ were generated in an Execute query, and an

0 H1 query returned −γ = ash + 2eh ∈ Rq, By simple calculation we can see that the simulation computes,

kS = α · (sy + sff ) = (X + a(sf − sh) + 2(ef − eh)) · (sy + sff )

= X · sy + (a(sf − sh) + 2(ef − eh)) · sy + (X + a(sf − sh) + 2(ef − eh)) · sff

≈ X · sy + Y · (sf − sh) + (X + a(sf − sh) + 2(ef − eh)) · sff

0 = X · sy + Y · (sf − sh) + (X + γ + (asf + 2ef )) · sff

73 So,

0 X · sy = kS − Y · (sf − sh) − (X + γ + (asf + 2ef )) · sff .

And,

0 0 σ = Mod2(kS − Y · (sf − sh) − (X + γ + (asf + 2ef )) · sff ,W ).

Finally, add the value of σ0 to the list of possible values for τ(X, s).

Note that during an execute query, the simulation sets m = X + (asf + 2ef ) instead of m = asm + 2em and since X is chosen uniformly at random from Rq and m is randomized by γ then they are deﬁnitely indistinguishable. However the simulation also sets µ = Y + (asff + 2eff ) instead of it being µ = asS + 2eS which is distinguishable if someone can solve the decision

RLWE problem. As a result this simulation is indistinguishable from P2 until E occurs or DRLWE is solved with non negligible advantage, and in former case, D adds the correct τ(X, s) to the list, but in this case we have to assume that A still follows the relevant time and the query limit or the simulator can stop A from exceeding this limit. 1 If t0 is the running time of D and

0 since D creates a list of size nro with advantage then t = O(t + (nro + nse + nex)texp). The claim follows from the fact that AdvPWE(D) ≤ AdvPWE(t0, n ). Rq Rq ro

Protocol P4: is identical to P3 except that if correctpw occurs then the protocol halts and the adversary automatically succeeds. This causes these changes:

i 1. In a CA1 query to ΠC, if a testpw!(C, i, S, pwC) event happens with no Corrupt query made, halt and say the adversary automatically succeeds.

0 ∗ 2. In an Hl(< C, S, m, µ, σ, γ >) query for l ∈ {2, 3, 4}, if a testpw (S, j, C, pwC) event happens with no Corrupt query made, halt and say the adversary automatically succeeds.

Claim 4. For any adversary A,

ake ake AdvP3 (A) ≤ AdvP4 (A)

74 Proof. This is trivial because the change in this protocol only increase the adversary’s chances at winning the game.

Protocol P5: is identical to P4 except that if the adversary makes a password guess against partnered client and server instances, the protocol halts and the adversary fails. Simply if a pairedpwguess event occurs, the protocal halts and the adversary fails.We suppose that when a query is made, the test for correctpw occurs after the test for pairedpwguess. Note that this causes the following change: if a testpw(C, i, S, pw, l) event occurs, this should be checked in a

CA1 query, or an Hl(.) query for l ∈ {2, 3, 4} check if a testpw(C, i, S, pw) event also occurs.

0 Claim 5. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake PWE 0 AdvP4 (A) ≤ AdvP5 (A) + 2nseAdvRq (t , nro)

Proof. Let E be the event that a pairedpwguess event occurs then clearly P4 and P5 are indistinguishable if E does not occur. So if we have a probability for E to occur, when A is running against protocol P then we have P r[Succake(A)] ≤ P r[Succake(A)] + and thus 4 P4 P5 Advake(A) ≤ Advake(A) + 2. P4 P5 Now we build a distinguisher D that aims to solve PWE by running A on a simulation of the protocol. Given (a, X, Y, W ), D chooses a random d ∈ {1, . . . , nse} and simulates P4 forA with the following changes:

th i0 1. In the d CA0, say to a client instance ΠC , with input S, set m = X.

j 2. In a SA1 query to server instance ΠS with input < C, m > where there was a CA0 query i0 th to ΠC (i.e. the instance with the d CA0 query) with input S and output < C, m >, let

µ = Y + (asff + 2eff ) where sff , eff ← χβ.

i0 i0 3. In a CA1 query to ΠC . If ΠC is unpaired, D outputs 0 and halts.

j j i0 4. In a SA2 query to ΠS , if ΠS was paired with ΠC after its SA1 query but is not now paired i0 j with ΠC , no test for correctpw event is made and ΠS aborts.

75 0 5. Run A on the simulation of P4 when if ﬁnishes, for every Hl(< C, S, m, µ, σ, γ >) query

i0 for l ∈ {2, 3, 4}, where m and µ were generated in an ΠC query and an H1(pw) query 0 returned −γ = ash + 2eh ∈ Rq, we can see that the simulation computes,

kS = α · (sy + sff ) = (X − (ash + 2eh)) · (sy + sff )

= X · sy − (ash + 2eh) · sy + (X − (ash + 2eh)) · sff

≈ X · sy − Y · sh + (X − (ash + 2eh)) · sff

0 = X · sy − Y · sh + (X + γ ) · sff

So,

0 X · sy = kS + Y · sh − (X + γ ) · sff .

And,

0 0 σ = Mod2(kS + Y · sh − (X + γ ) · sff ,W ).

Finally, add the value of σ0 to the list of possible values for τ(X, s).

This simulation is indistinguishable from the protocol P4 until one of the following occurs: (1)

j i0 i0 a testpw(S, j, C, pw) event, where ΠS was paired with ΠC after the SA1 query, or (2) ΠC is not paired with server instance when the CA1 query is made. One can see that the probability

0 of a pairedpwguess event occurring for the instance Πi , is bigger than or equal to which C nse is at most the probability of an event of type (1) occurring. If an event of type (2) occurs,

i0 pairedpwguess event will never happen in P4 for the instance ΠC as a result from P1. So the only possible event in this case is (1) and if an event of type (1) occurs, D adds the correct

τ(X, s) to the list.

Even though the simulation might be distinguishable from P4 in these cases, but this does not

0 affect the fact that a pairedpwguess event still occurs for Πi with probability at least in C nse

76 the simulation. However, we still have to assume that A follows the relevant time and the query limit or the simulator can stop A from exceeding this limit.

Hence if t0 is the running time of D and since D creates a list of size n with advantage ro nse then t0 = O(t + (n + n + n )t ). The claim follows from the fact that AdvPWE(D) ≤ ro se ex exp Rq AdvPWE(t0, n ). Rq ro

Protocol P6: is identical to P5 except that if the adversary makes two password guesses against the same server instance, i.e. if a doublepwserver event occurs, the protocol halts and the adversary fails. We suppose that when a query is made, the test for pairedpwguess or correctpw occurs after the test for doublepwserver.

0 Claim 6. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake PWE 0 2 AdvP5 (A) ≤ AdvP6 (A) + 4AdvRq (t , nro )

Proof. Let us assume that we have a probability for doublepwserver event to be occured, when A is running against a simulation of protocol P5. We build a distinguisher D to solve PWE problem.

Now Given (a, X, Y, W ), D simulates P5 forA with these changes:

1. In an H1(pw) query output X · sh + (asf + 2ef ).

j 2. In a SA1 query to a server instance ΠS with entry < C, m > where m ∈ Rq, set µ =

Y + (asff + 2eff ) where sff , eff ← χβ.

3. Tests for correctpw(from P4) and pairedpwguess (from P5) are not made. In particular, unpaired client instances that receive a CA1 query abort and unpaired server instances

that receive a SA2 query abort. Also, Hl(.) queries always give values that are uniformly chosen from {0, 1}κ.

0 4. When A ﬁnishes, for every pair of queries of the form Hl(< C, S, m, µ, σ, γ >) and

ˆ0 0 Hl0 (< C, S, m, µ, σ,ˆ γ >) for l, l ∈ {2, 3, 4}, where σ ∈ Rq and σˆ ∈ Rq, there was a

77 j 0 SA1 query to a server instance ΠS with input < C, m > and output < µ, k, w > (and thus 0 m ∈ Rq), an H1(pw) query returned −γ = Xsh + (asf + 2ef ) ∈ Rq, an H1(pw ˆ ) query

ˆ0 returned −γ = Xshˆ + (asfˆ + 2efˆ) ∈ Rq and sh 6= shˆ , we can see that the simulation computes,

0 kS = α · (sy + sff ) = (m + γ ) · (sy + sff )

ˆ ˆ0 kS =α ˆ · (sy + sff ) = (m + γ ) · (sy + sff )

ˆ ˆ0 0 kS − kS = (γ − γ ) · (sy + sff )

ˆ0 0 ˆ0 0 = (γ − γ ) · sy + (γ − γ ) · sff

ˆ0 0 = (Xsh + (asf + 2ef ) − (Xshˆ + (asfˆ + 2efˆ))) · sy + (γ − γ ) · sff

ˆ0 0 = Xsy(sh − shˆ ) + (a(sf − sfˆ) + 2(ef − efˆ))sy + (γ − γ ) · sff

ˆ0 0 ≈ Xsy(sh − shˆ ) + Y · (sf − sfˆ) + (γ − γ ) · sff

So,

ˆ ˆ0 0 −1 X · sy = (kS − kS − Y · (sf − sfˆ) − (γ − γ ) · sff ) · (sh − shˆ ) .

Add,

ˆ 0 ˆ0 −1 Mod2[(kS − kS − Y · (sf − sfˆ) − (γ − γ ) · sff ) · (sh − shˆ ) ,W ]

to the list of possible values for τ(X, s).

This simulation is indistinguishable from the protocol P5 until a doublepwserver event, a pairedpwguess event or a correctpw event happens, or A makes a Corrupt query. If an event

1 of type doublepwserver happens, then with probability 2 it happens for two passwords pw and pwˆ with sh 6= shˆ and in this case D adds the correct τ(X, s) to the list. If a correctpw event or a pairedpwguess event happens, then P5 will halt and the doublepwserver event would never

78 have happened. Also, the doublepwserver event will not happen if a Corrupt query made by deﬁnition.

Even though the simulation might be distinguishable from P5 in these cases, but this does not affect the fact that a doublepwserver event occurs with probability at least in the simulation.

However, we still have to assume that A follows the relevant time and the query limit or the simulator can stop A from exceeding this limit.

0 2 Hence if t is the running time of D and since D creates a list of size nro with advantage 2 then t0 = O(t + (n + n + n )t ). The claim follows from the fact that AdvPWE(D) ≤ ro se ex exp Rq AdvPWE(t0, n 2). Rq ro

Protocol P7: is identical to P6 except that this protocol has an internal password oracle that holds all passwords and accepts queries that examine the correctness of a given password. Note that this internal oracle passwordoracle is not available to the adversary. So this oracle generates all passwords during initialization. It accepts queries of the form testpw(C, pw) and returns TRUE if pw = pwC, and FALSE otherwise. It also accepts Corrupt(U) queries whether U ∈ S or U ∈ C. When a Corrupt(U) query made in the protocol, it is answered using a

Corrupt(U) query to the password oracle. The protocol also tests if correctpw occurs when-

i ever the ﬁrst testpw(C, i, S, pw) event occurs for an instance ΠC and password pw, or the ﬁrst j testpw(S, j, C, pw) event occurs for an instance ΠS and password pw, a testpw(C, pw) query is made to the password oracle to see if pw = pwC.

Claim 7. For any adversary A,

ake ake AdvP6 (A) = AdvP7 (A)

Proof. By observation, P6 and P7 are perfectly indistinguishable.

79 Now we analyze the advantage of an adversary A against the protocol P7. From the deﬁnition of P7, one can easily bound the probability of adversary A succeeding in P7 as the following:

ake ake P r(SuccP7 (A)) ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)P r(¬correctpw)

nse Note that P r(correctpw) ≤ L if the passwords are uniformly chosen from a dictionary of size L, because a Corrupt query occurs after at most nse queries were occurred to the password oracle.

Next we compute P r(Succake(A) | ¬correctpw). Since correctpw event does not occur, P7 i the only way for A to succeed is to make a Test query to a fresh instance ΠU and to guess the bit used in the Test query. Note that if we can prove that the view of the adversary is not dependent

i 1 on skU then the probability of success is exactly 2 and to do that we have to examine Reveal and H4(.) queries. For the ﬁrst type, we know by deﬁnition of Reveal(U, i) query that there could be no one

i 0 QU 0 for the fresh instance ΠU . Also there is no Reveal(U , j) query for the instance j which is i partnered with ΠU . Moreover the adversary fails if more than a single client instance and a single server instance accept with the same sid by protocol P1. Thus the output of Reveal queries is

i independent of skU .

For the second type, from P4 the unpaired client or server instance will not terminate before a correctpw event or a Corrupt query which means an instance may only be fresh and receive a

i i Test query if it is partnered. However if ΠU is partnered, H4(.) query will never reveal skU by

P5.

i So, the view of the adversary not dependent on skU then the probability of success is exactly 1 2 . Therefore,

80 ake ake P r(SuccP7 (A)) ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)P r(¬correctpw)

ake ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)(1 − P r(correctpw)) n 1 n ≤ se + (1 − se )) L 2 L 1 n ≤ + se . 2 2L

And Advake(A) ≤ nse . The theorem follows from this and the Claims 1-7 above. P7 L

6.5. Implicit authentication

In this section, we describe a variant of the protocol that gives implicit authentication similar to the PPK variant on the PAK protocol. We call it the RLWE-PPK protocol. This is illustrated in

Figure 6.2. If either party provides an incorrect password, then the parties’ keys will not actually match, and neither party will learn anything about the key held by the other. This effectively prevents communication without explicitly checking for matching passwords.

The setup is slightly different from that of RLWE-PAK. Here we need two hash functions H1

∗ ∗ κ and H2 from {0, 1} into Rq, and one KDF H3 from {0, 1} into {0, 1} , where κ is again the length of the derived SK. Of course, these are modeled as random oracles. Also, the function

0 < γ1, γ2 > used to compute password veriﬁers for the server is instantiated as follows: < 0 γ1, γ2 >= − H1(·),H2(·) .

Initiation Client C randomly samples sC, eC ← χβ, computes α = asC + 2eC, γ1 = H1(pwC),

γ2 = H2(pwC) and m = α + γ1 and sends< C, m > to party S.

Response Server S receives < C, m > from party C and checks if m ∈ Rq. If not, abort;

otherwise Server S randomly samples sS , eS ← χβ and computes ν = asS + 2eS and

0 0 recovers α = m+γ1 where < γ1, γ2 >. Then compute µ = ν +γ2 and kS = α·sS . Next,

81 n Server S computes w = Cha(kS ) ∈ {0, 1} and σ = Mod2(kS , w). Server S sends µ

0 and w to party C and computes skS = H3(C, S, m, µ, σ, γ1).

Initiator ﬁnish Client C receives < µ, w > from party S and checks if µ ∈ Rq. If not, it

aborts, and otherwise C recovers ν = µ−γ2, computes kC = sC ·ν and σ = Mod2(kC, w).

0 Finally, Client C derives the session key skC = H3(C, S, m, µ, σ, γ1).

Client C Server S 0 Input S, pw < γ1, γ2 >=< −H1(pwC),H2(pwC) >

Sample sC, eC ← χβ Abort if m∈ / Rq α = asC + 2eC < C, m > Sample sS , eS ← χβ γ1 = H1(pwC) ν = asS + 2eS ∈ Rq γ2 = H2(pwC) 0 α = m + γ1 m = α + γ1

Abort if µ∈ / Rq µ = ν + γ2 ν = µ − γ2 kS = αsS kC = sCν < µ, w > n w = Cha(kS ) ∈ {0, 1} σ = Mod2(kC, w) 0 σ = Mod2(kS , w) γ1 = −γ1 0 0 skS = H3(C, S, m, µ, σ, γ1) skC = H3(C, S, m, µ, σ, γ1)

Figure 6.2.: Implicitly Authenticated Protocol

6.5.1. Proof of security for RLWE-PPK

The proof of security for our Implicitly Authenticated Protocol follows the model of security in the PAK suite paper by Mackenzie, Laboratories and Technologies [Mac02], and it is similar to our proof for the Explicitly Authenticated Protocol in Section 6.4.2. Therefore we refer to it when there are no changes through the proof details. We ﬁrst deﬁne some similar events to what we have in section 6.4.2 corresponding to the adversary making a password guess against a client instance, against a server instance, and against a client instance and server instance that are partnered:

82 0 0 • testpw(C, i, S, pw): for some m, µ, γ1, γ2, w and k, A makes an H3(< C, S, m, µ, σ, γ1 > i ) query. The associated value of this event is skC.

0 0 • testpw(S, j, C, pw): for some m, µ, γ1, γ2, w and k, A makes an H3(< C, S, m, µ, σ, γ1 > j ) query. The associated value of this event is skS .

0 0 • testexecpw(C, i, S, j, pw): for m, µ, γ1, γ2 and w, A makes an H3(< C, S, m, µ, σ, γ1 > ) query, and previously made an Execute(C, i, S, j) query that generates m and µ, an

0 H1(pw) query returning −γ1 = ash + 2eh ∈ Rq, and an H2(pw) query returning γ2 =

ash0 + 2eh0 ∈ Rq where σ = Mod2(kS , w) = Mod2(kC, w), kS = αsS , kC = νsC where

0 m = α − γ and µ = ν + γ2.

• correctpw: either a testpw(C, i, S, pwC) event occurs for some C, i and S, or some

testpw(S, j, C, pwC) event occurs for some S, j, and C.

• correctpwexec: a testexecpw(C, i, S, j, pwC) event occurs for some C, i, S, and j.

• doublepwserver: both a testpw(S, j, C, pw) event and testpw(S, j, C, pw0) occur for

some S, j, C, pw and pw0, with pw 6= pw0.

• doublepwclient: both a testpw(C, i, S, pw) event and testpw(C, i, S, pw0) occur for

some C, i, S, pw and pw0, with pw 6= pw0.

Now we need to show that an adversary attacking the system is unable to determine the session key of a fresh instance with greater advantage than that of an online dictionary attack.

Theorem 6.5.1. Let P=RLWE-PPK as described in Figure 6.2, using group Rq, and with a password dictionary of size L. Fix an adversary A that runs in time t, and makes nse, nex, nre, nco queries of type Send, Execute, Reveal, Corrupt, respectively, and nro queries to the random or-

0 acles. Then for t = O(t + (nro + nse + nex)texp):

n (n + n )(n + n + n ) Advake(A) = se + O AdvPWE(t0, n 2) + se ex ro se ex P L Rq ro qn

83 Proof. We introduce a series of protocols P0, P1, ··· , P7 where P0 = P and P7 is a protocol that can be only attacked by simple online guessing attack which admit a straight forward analysis.

Furthermore we should have

ake ake ake AdvP0 (A) ≤ AdvP1 (A) + 1 ≤ · · · ≤ AdvP7 (A) + 7

where 1, ··· , 7 are negligible values. Here are some assumptions that we need in our proof. First, we assume without loss of generality that nro ≥ 1 and nse + nex ≥ 1. We also assume that the random oracle responds with a fresh output for any new query and a consistent one with the previous queries for not new query. The third assumption is that H1(pw) query outputs (ash + 2eh) ∈ Rq and H2(pw) query outputs (ash0 + 2eh0 ) ∈ Rq where (sh, eh) and (sh0 , eh0 ) are known. The last assumption is that if A made an Hl(.) query for l ∈ {1, 2} then the corresponding Hl0 (.) query is made automatically, where l0 ∈ {1, 2}\{l}. Even though all queries are considered to be made by A,

A only sees the output of Hl(.).

Protocol P0: is just the original protocol P.

Protocol P1: is similar to P0 protocol however this protocol halts if honest parties randomly choose m or µ values seen previously in the execution of the protocol.

Claim 8. For any adversary A we can show that

O((n + n )(n + n + n )) Advake(A) ≤ Advake(A) + se ex ro se ex P0 P1 qn

Proof. The proof is exactly similar to what we did to prove Claim 1 in section 6.4.2.

Protocol P2: is identical to P1 except this protocol answers Send and Execute queries without making any random oracle queries, and following random oracle queries by A are backpatched, while it is possible, to be proper with the results of Send and Execute queries. In more detail, the queries in P2 are now answered as follows:

84 • In an Execute(C, i, S, j) query, m = asm + 2em where sm, em ← ∈Rq, µ = asµ + 2eµ

n i j κ where sµ, eµ ← ∈Rq, w ←∈ {0, 1} , and skC ← skS ← {0, 1} .

i • In a CA0 query to instance ΠC, m = asm + 2em where sm, em ← ∈Rq.

j n • In a SA1 query to instance ΠS , µ = asµ + 2eµ where sµ, eµ ← ∈Rq, w ← {0, 1} , and j κ skS ←{0, 1} .

i i • In a CA1 query to instance ΠC, do the following. If ΠC is paired with a server instance j i j ΠS , skC ← skS , else if this query leads to a testpw(C, i, S, pwC) event to happen, then i i κ let skC to be the associated value of that event, else skC←{0, 1} .

0 • In an H3(< C, S, m, µ, σ, γ >) query, if this H3(.) query causes a testpw(S, j, C, pwC)

event, or testexecpw(C, i, S, j, pwC) event to happen, then output the associated value of the event, otherwise output a random value from {0, 1}κ.

Claim 9. For any adversary A,

O(n ) Advake(A) = Advake(A) + ro P1 P2 qn

j Proof. In P1 we can see that H3(.) query is new therefore the value skS which is created by a j κ server instance ΠS in the SA1 query is uniformly chosen from {0, 1} , independent of anything that previously happened.

i Moreover in P1, for any client instance ΠC, we have on of the following:

j i i j 1. exactly one instance ΠS is paired with ΠC, in that case skC = skS , or

i 2. no instance is paired with ΠC in any case either testpw!(C, i, S, pwC) event occurs, and i i then skC are placed to be the value associated with that event ,or skC is uniformly chosen κ from {0, 1} , independent of anything that previously happened (since H3(.) is a new query).

For any H3(.) query, either

85 • it causes a testpw(C, i, S, pwC), testpw(S, j, C, pwC), or a testexecpw(C, i, S, pwC) event to happen, in any case the output is the associated value of the event (i.e., the key value

associated with the particular event that occurs), or

0 • γ but the adversary has not made an H1(pwC)query, or

κ • the output of H3(.) is uniformly chosen from {0, 1} independent of anything that previ-

ously occurred, since this is a new H3(.) query.

nro The total probability of an H3(.) query causing the second case above is bounded by qn . If the second case does not occur, then P2 is identical to P1 and the claim follows.

0 Protocol P3: is identical to P2 except that in an H3(< C, S, m, µ, σ, γ1 >) query, it is not checked for consistency against Execute query. So the protocol responds with a random output instead backpatching to preserve consistency with an Execute query.

0 Claim 10. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake PWE 0 AdvP2 (A) ≤ AdvP3 (A) + 2AdvRq (t , nro)

Proof. This can be shown by using reduction from PWE similar to what we did in the proof of

Claim 3 in section 6.4.2 as the following: Let E be the event that a correctpwexec event occurs then clearly P2 and P3 are indistinguishable if E does not happen. So if we have a probability for E to happen when A is running against protocol P then we have P r[Succake(A)] ≤ 2 P2 P r[Succake(A)] + and thus Advake(A) ≤ Advake(A) + 2. P3 P2 P3 Now we construct a distinguisher D that aims to solve PWE by running A on a simulation of the protocol. Given (a, X, Y, W ), D simulates P2 forA with the following changes:

1. In an Execute(C, i, S, j) query, set m = X + (asf + 2ef ) where sf , ef ←χβ, µ = Y +

n (asff + 2eff ) where sff , eff ← χβ, and selects w ← {0, 1}

86 0 2. When A ﬁnishes, for every H3(< C, S, m, µ, σ, γ 1 >) query, where m and µ were gen- 0 erated in an Execute query, an H1 query returned −γ1 = ash + 2eh ∈ Rq, and H2 query 0 0 returned γ2 = ash + 2eh ∈ Rq. By simple calculation we can see that the simulation computes,

kS = α · (sy + sff − sh0 ) = (X + a(sf − sh) + 2(ef − eh)) · (sy + sff − sh0 )

= X · sy + (a(sf − sh) + 2(ef − eh)) · sy + (X + a(sf − sh) + 2(ef − eh)) · (sff − sh0 )

≈ X · sy + Y · (sf − sh) + (X + a(sf − sh) + 2(ef − eh)) · (sff − sh0 )

0 = X · sy + Y · (sf − sh) + (X + γ1 + (asf + 2ef )) · (sff − sh0 )

So,

0 X · sy = kS − Y · (sf − sh) − (X + γ1 + (asf + 2ef )) · (sff − sh0 ).

And,

0 0 σ = Mod2(kS − Y · (sf − sh) − (X + γ1 + (asf + 2ef )) · (sff − sh0 ),W ).

Finally, add the value of σ0 to the list of possible values for τ(X, s).

If E does not happen, this simulation is deﬁnitely indistinguishable from P2. However if E occurs then D will add the correct τ(X, s) to the list. In this case the simulation will be distinguishable from P2. So we have to assume that A still follows the relevant time and query bounds or at least the simulator can stop A from exceeding these pounds.

0 If t is the running time of D and since D creates a list of size nro with advantage then t0 = O(t + (n + n + n )t ). The claim follows from the fact that AdvPWE(D) ≤ ro se ex exp Rq AdvPWE(t0, n ). Rq ro

87 Protocol P4: is identical to P3 except that if correctpw occurs then the protocol halts and the adversary automatically succeeds.

Claim 11. For any adversary A,

ake ake AdvP3 (A) ≤ AdvP4 (A

Proof. This is obvious because until correctpw happens the outputs of H3(.) query and the session key for unpaired client instance are uniformly chosen from {0, 1}κ.

Protocol P5: is identical to P4 except that if the adversary makes two password guesses against the same server instance, the protocol halts and the adversary fails.

0 Claim 12. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake PWE 0 2 AdvP4 (A) ≤ AdvP5 (A) + 4AdvRq (t , (nro) )

Proof. This can be proved by using a reduction from PWE similar to what we did in Claim 6 as the following:

Let us assume that doublepwserver event happens with probability when A is running against a simulation of P4. We build a distinguisher D to solve PWE problem.

Given (a, X, Y, W ), D imitate P4 forA with the following changes:

0 0 1. In the H1(pw), H2(pw) queries output X · sh + (asf + 2ef ) and ash + 2eh respectively.

j 2. In a SA1 query to a server instance ΠS with input < C, m > where m ∈ Rq, set µ =

Y + (asff + 2eff ) where sff , eff ←χβ.

3. Check that correctpw(from P4) are not made.

0 4. When A is done, for each pair of queries of the form H3(< C, S, m, µ, σ, γ1 >) and ˆ0 j H3(< C, S, m, µ, σ,ˆ γ1 >), where σ, σˆ ∈ Rq, also there was a SA1 query to ΠS with 0 eatery < C, m > and output < µ, k, w > (and thus m ∈ Rq), an H1(pw) query returned

88 0 ˆ0 −γ1 = Xsh +(asf +2ef ) ∈ Rq, an H1(pw ˆ ) query returned −γ1 = Xshˆ +(asfˆ+2efˆ) ∈ 0 0 Rq and sh 6= shˆ , and γ2 = ash + 2eh. We can see that the simulation computes,

0 0 0 kS = α · (sy + sff − sh) = (m + γ1) · (sy + sff − sh)

ˆ 0 ˆ0 0 kS = α · (sy + sff − sh) = (m + γ1) · (sy + sff − sh)

ˆ 0 ˆ0 0 kS − kS = (γ−γ1) · (sy + sff − sh)

0 ˆ0 0 ˆ0 0 = (γ1 − γ1) · sy + (γ1 − γ1) · (sff − sh)

0 ˆ0 0 = (Xshˆ + (asfˆ + 2efˆ) − (Xsh + (asf + 2ef ))) · sy + (γ1 − γ1) · (sff − sh)

0 ˆ0 0 = Xsy(shˆ − sh) + (a(sfˆ − sf ) + 2(efˆ − ef )sy + (γ1 − γ1) · (sff − sh)

0 ˆ0 0 ≈ Xsy(shˆ − sh) + Y · (sfˆ − sf ) + (γ1 − γ1) · (sff − sh)

So,

ˆ 0 ˆ0 0 −1 X · sy = (kS − kS − (Y · (sfˆ − sf ) + (γ1 − γ1) · (sff − sh))) · (shˆ − sh) .

Add,

ˆ 0 ˆ0 0 −1 Mod2[(kS − kS − (Y · (sfˆ − sf ) + (γ1 − γ1) · (sff − sh))) · (shˆ − sh) ,W ]

to the list of possible values for τ(X, s).

This simulation is deﬁnitely indistinguishable from the protocol P4 till a doublepwserver event, or a correctpw event happens. If an event of type doublepwserver happens, then with proba-

1 bility 2 it occurs for two passwords pw and pwˆ with sh 6= shˆ and in this case D adds the correct τ(X, s) to the list. If a correctpw event happens before a doublepwserver event occurs, then

P4 will halt and the doublepwserver event would never have happened..

89 Even though the simulation might be distinguishable from P4, this does not affect the fact that a doublepwserver event will occur with probability at least in the simulation. However, we still have to assume that A follows the relevant time and query bounds.

Protocol P6: is identical to P5 except that if the adversary makes two password guesses against the same client instance, the protocol halts and the adversary fails.

0 Claim 13. For any adversary A running in time t, there is a t = O(t + (nro + nse + nex)texp) such that,

ake ake PWE 0 2 AdvP5 (A) ≤ AdvP6 (A) + 4AdvRq (t , nro )

Proof. This can be proved by using a reduction from PWE similar to what we did in Claim 6.

However here we randomly plug in Y plus a random element of Rq into the output of H2(.) queries, and X added to random element of Rq. Let us assume that doublepwclient event occurs with probability when A is running against a simulation of P4. We build a distinguisher D to solve PWE problem.

Given (a, X, Y, W ), D imitate P5 forA with the following changes:

1. In the H2(pw) query output Y · sh + (asff + 2eff ).

i 2. In a CA0 query to a client instance ΠC with input S set m = X + (asf + 2ef ) where

sf , ef ←χβ.

3. Check that correctpw and doublepwserver (from P4 and P5 respectively) are not made.

0 4. When A is done, for each queries of the form H3(< C, S, m, µ, σ, γ1 >) and H3(< ˆ0 i C, S, m, µ, σ,ˆ γ1 >), where σ, σˆ ∈ Rq, and there was a CA0 query to ΠC with entry S and 0 output < C, m >, a CA1 query with entry < µ, w > (and thus µ ∈ Rq), an H1(pw) query returned −γ0 = as + 2e ∈ R , an H (pw ˆ ) query returned −γˆ0 = as + 2e ∈ R , 1 h1 h1 q 1 1 hˆ1 hˆ1 q

90 an H2(pw) query returned γ2 = Y sh + (asff + 2eff ), an H2(pw ˆ ) query returned γˆ2 =

Y shˆ + (asffˆ + 2effˆ ) where sh 6= shˆ . We can see that the simulation computes,

kC = ν · (sx + sf − sh1 ) = (µ − γ2) · (sx + sf − sh1 )

kˆ =ν ˆ · (s + s − s ) = (µ − γˆ ) · (s + s − s ) C x f hˆ1 2 x f hˆ1 k − kˆ = (µ − γ )(s + s − s ) − (µ − γˆ ) · (s + s − s ) C C 2 x f h1 2 x f hˆ1 = (µ − γ )(s + s ) − (µ − γ )s − (µ − γˆ ) · (s + s ) + (µ − γˆ ) · s 2 x f 2 h1 2 x f 2 hˆ1 = (γ ˆ − γ )(s + s ) − (µ − γ )s + (µ − γˆ ) · s 2 2 x f 2 h1 2 hˆ1 = (γ ˆ − γ )s + (γ ˆ − γ )s − (µ − γ )s + (µ − γˆ ) · s 2 2 x 2 2 f 2 h1 2 hˆ1 ≈ Y s (s − s ) + X(s − s ) + (γ ˆ − γ )s − (µ − γ )s + (µ − γˆ ) · s x h hˆ ff ffˆ 2 2 f 2 h1 2 hˆ1

So,

Y ·s = (k −kˆ −(X(s −s )+(γ ˆ −γ )s −(µ−γ )s +(µ−γˆ )·s )·(s −s )−1. x C C ff ffˆ 2 2 f 2 h1 2 hˆ1 h hˆ

Add,

Mod [(k −kˆ −(X(s −s )+(γ ˆ −γ )s −(µ−γ )s +(µ−γˆ )·s )·(s −s )−1,W ] 2 C C ff ffˆ 2 2 f 2 h1 2 hˆ1 h hˆ

to the list of possible values for τ(X, s).

This simulation is deﬁnitely indistinguishable from the protocol P5 untll a doublepwclient event, doublepwserver or a correctpw event happens. If an event of type doublepwclient

1 happens, then with probability 2 it occurs for two passwords pw and pwˆ with sh 6= shˆ and in this case D adds the correct τ(X, s) to the list. If a correctpw, doublepwserver event occurs before a doublepwclient event occurs, then P5 will halt and the doublepwclient event would never have occurred..

91 Note that in either case, the simulation may be distinguishable from P5, but this does not affect the fact that a doublepwclient event will happen with probability at least in the simulation.

However, we still have to assume that A follows the relevant time and query bounds or at least the simulator can stop A from exceeding these bounds.

Protocol P7: is identical to P6 except that this protocol has an internal password oracle that holds all passwords and accepts queries that examine the correctness of a given password. Note that this internal oracle passwordoracle is not available to the adversary. So this oracle generates all passwords during initialization. That changes the test for correct password guesses from P4 as the following a query is submitted to the oracle to determine if it is correct when the adversary makes a password guess.

Claim 14. For any adversary A,

ake ake AdvP6 (A) = AdvP7 (A)

Proof. By observation that P6 and P7 are perfectly indistinguishable.

Now we analyze the advantage of an adversary A against the protocol P7. From the deﬁnition of P7, one can easily bound the probability of adversary A succeeding in P7 as the following:

ake ake P r(SuccP7 (A)) ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)P r(¬correctpw)

nse Note that P r(correctpw) ≤ L if the passwords are uniformly chosen from a dictionary of size L because a Corrupt query occurs after at most nse queries were occurred to the password oracle.

92 Next we compute P r(Succake(A) | ¬correctpw). Since correctpw event does not occur, P7 i the only way for A to succeed is to make a Test query to a fresh instance ΠU and to guess the bit used in the Test query. Note that if we can prove that the view of the adversary is not dependent

i 1 on skU then the probability of success is exactly 2 , and to do that we have to examine Reveal and H3(.) queries. For the ﬁrst type, we know by deﬁnition of Reveal(U, i) query that there could be no one

i independent of skU .

For the second type, from P4, an H3(.) query returns random values independent of what

i i previously occurred. Therefore H3(.) queries that occur after skU is independent of skU . So, i 1 the view of the adversary not dependent on skU then the probability of success is exactly 2 . Therefore,

ake ake P r(SuccP7 (A)) ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)P r(¬correctpw)

ake ≤ P r(correctpw) + P r(SuccP7 (A) | ¬correctpw)(1 − P r(correctpw)) n 1 n ≤ se + (1 − se )) L 2 L 1 n ≤ + se . 2 2L

And Advake(A) ≤ nse . The theorem follows from this and the Claims 8-14 above. P7 L

93 6.6. Implementation

We provide a proof of concept implementation for the PAKE protocol presented in this thesis to √ verify the practicality of the protocol. We take n = 1024, β = 8/ 2π ≈ 3.2 and q = 232 − 1, and note that this choice of parameters is suitable for use in RLWE based post-quantum protocols as explained in [BCNS15]. We use the NTL library from Shoup with C++ for the implementation, without any parallel programming or multi-threading techniques. Also, to improve the performance of the implementation, we compile NTL with NTL_GMP_LIP = on. The code is executed on a 3.40 GHz Intel Xeon(R) CPU E5-2687W v2 and 64 GB RAM computer running on Ubuntu 14.04 LTS 64 bit system. The timings for the Initiation, Response, Initiator Finish and Responder Finish parts of the implicit authentication and explicit authentication versions of the protocol are presented in Table1.

Table 6.1.: Timings of PAKE protocol as described in Fig. 6.1 and Fig. 6.2

Protocol Initiation Response and Initiator and Respon- Finish (in der Finish ms) (in ms) RLWE-PAK 4.005 4.639 RLWE-PPK 3.740 4.359

The timings presented in the table are the average of 10000 executions. The operations mainly contributing to the time taken by the protocol are the sampling and multiplication operations on both sides of the protocol. As noted earlier, we have used multiplication with FFT for improved performance. The sampling technique used in the protocol is the sampling procedure in [Pei10] and as noted in [ZZDSD15], the discrete Gaussian approximates the continuous Gaussian extremely well when β ≥ 3.2. This proof of concept implementation is a preliminary implementation to show that the protocol presented in this thesis can be practical. We believe that this implementation can be improved further with new optimizations.

94 Chapter 7

Conclusion and Future Work

We studied the hard cases in LLL reduction, as we called them Beasts; that is a lattice basis constructed from a Minkowski reduced basis whose vectors satisfy two properties: 1) the vectors are almost the same length. 2) the angles of the vectors are almost 60◦. For 3-dimensional lattices, using our precise setting of parameters, our Beast cases can resist a strong LLL reduction by 100%. We also gave a complete theoretical proof for this phenomenon.

However, we cannot assert categorically that the Beasts in dimension 3 are only our constructed one. So in our future works, we should study other structures which may be stronger than our Beasts for 3-dimensional lattices. Furthermore, we tried constructing the Beasts in higher dimensions. The experimental results showed that this constructed Beast is harder than random lattices, but the results did not match our conjecture very well. So constructing a Beast in high dimensions and examining LLL failure important future work.

Then we have proposed two new explicitly and implicitly authenticated PAKE protocols. Our protocols are similar to PAK and PPK; however, they are based on the Ring Learning with Errors problem. Though our construction is very similar to the classical construction, the security proof is subtle and intricate which requires novel techniques. We provide a full proof of security of the new protocols in the Radom Oracle Model. We also provide a proof of concept implementation and implementation results show our protocols are practical and efﬁcient.

95 In the proof, we make use of the ROM, which models hash functions as random functions.

Our proof is a classical proof of security and may not hold against a quantum adversary. Against such adversaries, one natural extension of the ROM is to allow the queries to be in quantum superposition; this is known as the Quantum Random Oracle Model (QROM) [BDFLSZ11].

Unfortunately, many tricks that can be used in the ROM are hard to apply in the QROM. There- fore we leave proving the security of our protocols in the QROM as future work. Although there are some proof techniques in the QROM [Zha12; Unr14a; Unr14b], more work is needed to adapt classical proofs to this setting.

96 97 Bibliography

[ABB10] S. Agrawal, D. Boneh, and X. Boyen. “Efﬁcient lattice (H) IBE in the standard model”. In: Advances in Cryptology–EUROCRYPT 2010. Springer, 2010, pp. 553–572. [ABM15] M. Abdalla, F. Benhamouda, and P. MacKenzie. “Security of the J-PAKE Password- Authenticated Key Exchange Protocol”. In: 2015 IEEE Symposium on Security and Privacy. 2015. [ABP15] M. Abdalla, F. Benhamouda, and D. Pointcheval. “Public-Key Encryption In- distinguishable Under Plaintext-Checkable Attacks”. English. In: Public-Key Cryptography – PKC 2015. Ed. by J. Katz. Vol. 9020. Lecture Notes in Com- puter Science. Springer Berlin Heidelberg, 2015, pp. 332–352. ISBN: 978-3- 662-46446-5. DOI: 10.1007/978-3-662-46447-2_15. URL: http: //dx.doi.org/10.1007/978-3-662-46447-2_15. [ABSS93] S. Arora, L. Babai, J. Stern, and Z Sweedy. “The hardness of approximate optima in lattices, codes, and systems of linear equations”. In: Foundations of Computer Science, 1993. Proceedings., 34th Annual Symposium on. IEEE. 1993, pp. 724–733. [ACCP08] M. Abdalla, D. Catalano, C. Chevalier, and D. Pointcheval. “Efﬁcient Two-Party Password-Based Key Exchange Protocols in the UC Framework”. English. In: Topics in Cryptology CT-RSA 2008. Ed. by T. Malkin. Vol. 4964. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2008, pp. 335–351. ISBN: 978-3-540-79262-8. DOI: 10.1007/978- 3- 540- 79263- 5_22. URL: http://dx.doi.org/10.1007/978-3-540-79263-5_22. [AD97] M. Ajtai and C. Dwork. “A public-key cryptosystem with worst-case/average- case equivalence”. In: Proceedings of the twenty-ninth annual ACM symposium on Theory of computing. ACM. 1997, pp. 284–293. [AFP05] M. Abdalla, P.-A. Fouque, and D. Pointcheval. “Password-Based Authenticated Key Exchange in the Three-Party Setting”. English. In: Public Key Cryptogra- phy - PKC 2005. Ed. by S. Vaudenay. Vol. 3386. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2005, pp. 65–84. ISBN: 978-3-540-24454- 7.

98 [Ajt96] M. Ajtai. “Generating hard instances of lattice problems”. In: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. ACM. 1996, pp. 99–108. [Ajt98] M. Ajtai. “The Shortest Vector Problem in L2 is NP-hard for Randomized Re- ductions (Extended Abstract)”. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing. STOC ’98. Dallas, Texas, USA: ACM, 1998, pp. 10–19. ISBN: 0-89791-962-9. DOI: 10.1145/276698.276705. URL: http://doi.acm.org/10.1145/276698.276705. [BCFNRZ14] J. Bi, J.-S. Coron, J.-C. Faugere,` P. Q. Nguyen, G. Renault, and R. Zeitoun. “Rounding and chaining LLL: Finding faster small roots of univariate polynomial congruences”. In: Public-Key Cryptography–PKC 2014. Springer, 2014, pp. 185–202. [BCNS15] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. “Post-quantum key exchange for the TLS protocol from the ring learning with errors problem”. In: Security and Privacy (SP), 2015 IEEE Symposium on. IEEE. 2015, pp. 553–570. [BCP03] E. Bresson, O. Chevassut, and D. Pointcheval. “Security Proofs for an Efﬁcient Password-based Key Exchange.” In: ACM Conference on Computer and Com- munications Security. Ed. by S. Jajodia, V. Atluri, and T. Jaeger. ACM, 2003, pp. 241–250. ISBN: 1-58113-738-9. [BCP04] E. Bresson, O. Chevassut, and D. Pointcheval. “New Security Results on En- crypted Key Exchange.” In: Public Key Cryptography. Ed. by F. Bao, R. H. Deng, and J. Zhou. Vol. 2947. LNCS. Springer, 2004, pp. 145–158. ISBN: 3- 540-21018-0. [BCP97] W. Bosma, J. Cannon, and C. Playoust. “The Magma algebra system. I. The user language”. In: J. Symbolic Comput. 24.3-4 (1997). Computational algebra and number theory (London, 1993), pp. 235–265. ISSN: 0747-7171. DOI: 10. 1006/jsco.1996.0125. URL: http://dx.doi.org/10.1006/ jsco.1996.0125. [BDFLSZ11] D. Boneh, zgr Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry. “Random Oracles in a Quantum World”. In: ASIACRYPT. Vol. 7073. Lecture Notes in Computer Science. Springer, 2011, pp. 41–69. DOI: 10.1007/978- 3-642-25385-0_3. [BM92] S. M. Bellovin and M. Merritt. “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks”. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, May 4-6, 1992. 1992, pp. 72– 84. DOI: 10.1109/RISP.1992.213269. [BMP00] V.Boyko, P. D. MacKenzie, and S. Patel. “Provably Secure Password-Authenticated Key Exchange Using Difﬁe-Hellman.” In: Advances in Cryptology – EURO- CRYPT 2000. Ed. by B. Preneel. Vol. 1807. LNCS. Springer, 2000, pp. 156– 171. ISBN: 3-540-67517-5.

99 [BPR00] M. Bellare, D. Pointcheval, and P. Rogaway. “Authenticated Key Exchange Se- cure Against Dictionary Attacks”. In: Advances in Cryptology – EUROCRYPT 2000. Ed. by B. Preneel. Vol. 1807. LNCS. Springer, 2000, pp. 139–155. [BR93a] M. Bellare and P. Rogaway. “Entity Authentication and Key Distribution”. In: Advances in Cryptology – CRYPTO ’93. Ed. by D. R. Stinson. Vol. 773. LNCS. Springer, 1993, pp. 232–249. [BR93b] M. Bellare and P. Rogaway. “Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols”. In: Proceedings of the 1st ACM Conference on Computer and Communications Security. CCS ’93. Fairfax, Virginia, USA: ACM, 1993, pp. 62–73. ISBN: 0-89791-629-8. DOI: 10 . 1145 / 168588 . 168596. URL: http://doi.acm.org/10.1145/168588.168596. [Bre11] M. R. Bremner. “Lattice Basis Reduction: An Introduction to the LLL Algo- rithm and Its Applications”. In: Pure and Applied Mathematics (2011). [BS99] J. Blomer¨ and J.-P. Seifert. “On the Complexity of Computing Short Linearly In- dependent Vectors and Short Bases in a Lattice”. In: Proceedings of the Thirty- first Annual ACM Symposium on Theory of Computing. STOC ’99. Atlanta, Georgia, USA: ACM, 1999, pp. 711–720. ISBN: 1-58113-067-8. DOI: 10 . 1145/301250.301441. URL: http://doi.acm.org/10.1145/ 301250.301441. [CHKLM05] R. Canetti, S. Halevi, J. Katz, Y. Lindell, and P. D. MacKenzie. “Universally Composable Password-Based Key Exchange.” In: Advances in Cryptology – EUROCRYPT 2005. Ed. by R. Cramer. Vol. 3494. LNCS. Springer, May 20, 2005, pp. 404–421. ISBN: 3-540-25910-4. [CS02] R. Cramer and V. Shoup. “Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption”. In: Proceedings of the In- ternational Conference on the Theory and Applications of Cryptographic Tech- niques: Advances in Cryptology. EUROCRYPT ’02. London, UK, UK: Springer- Verlag, 2002, pp. 45–64. ISBN: 3-540-43553-0. URL: http : / / dl . acm . org/citation.cfm?id=647087.715842. [CS97] D. Coppersmith and A. Shamir. “Lattice attacks on NTRU”. In: Advances in CryptologyEUROCRYPT97. Springer. 1997, pp. 52–61. [DH06] W. Diffie and M. Hellman. “New Directions in Cryptography”. In: IEEE Trans. Inf. Theor. 22.6 (Sept. 2006), pp. 644–654. ISSN: 0018-9448. DOI: 10.1109/ TIT.1976.1055638. URL: http://dx.doi.org/10.1109/TIT. 1976.1055638. [DH76] W. Diffie and M. Hellman. “New Directions in Cryptography”. In: IEEE Trans- actions on Information Theory 22.6 (1976), pp. 644–652. [DVOW92] W. Diffie, P. C. Van Oorschot, and M. J. Wiener. “Authentication and Authenti- cated Key Exchanges”. In: Des. Codes Cryptography 2.2 (June 1992), pp. 107– 125. ISSN: 0925-1022. DOI: 10.1007/BF00124891. URL: http://dx. doi.org/10.1007/BF00124891.

100 [EB81] P. van Emde Boas. Another NP-complete partition problem and the complexity of computing short vectors in a lattice. Technical, Report 81-04. Mathematische Instituut, University of Amsterdam, 1981. [FSXY12] A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama. “Strongly Secure Au- thenticated Key Exchange from Factoring, Codes, and Lattices”. English. In: Public Key Cryptography PKC 2012. Ed. by M. Fischlin, J. Buchmann, and M. Manulis. Vol. 7293. Lecture Notes in Computer Science. Springer Berlin Hei- delberg, 2012, pp. 467–484. ISBN: 978-3-642-30056-1. DOI: 10.1007/978- 3-642-30057-8_28. URL: http://dx.doi.org/10.1007/978- 3-642-30057-8_28. [FSXY13] A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama. “Practical and Post- quantum Authenticated Key Exchange from One-way Secure Key Encapsula- tion Mechanism”. In: Proceedings of the 8th ACM SIGSAC Symposium on Infor- mation, Computer and Communications Security. ASIA CCS ’13. Hangzhou, China: ACM, 2013, pp. 83–94. ISBN: 978-1-4503-1767-2. DOI: 10.1145/ 2484313.2484323. URL: http://doi.acm.org/10.1145/2484313. 2484323. [Gen08] R. Gennaro. “Faster and Shorter Password-Authenticated Key Exchange”. En- glish. In: Theory of Cryptography. Ed. by R. Canetti. Vol. 4948. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2008, pp. 589–606. ISBN: 978-3-540-78523-1. DOI: 10.1007/978- 3- 540- 78524- 8_32. URL: http://dx.doi.org/10.1007/978-3-540-78524-8_32. [GGH97] O. Goldreich, S. Goldwasser, and S. Halevi. “Public-key cryptosystems from lattice reduction problems”. In: Advances in CryptologyCRYPTO’97. Springer, 1997, pp. 112–131. [GJO10] V. Goyal, A. Jain, and R. Ostrovsky. “Password-authenticated Session-key Gen- eration on the Internet in the Plain Model”. In: Proceedings of the 30th An- nual Conference on Advances in Cryptology. CRYPTO’10. Santa Barbara, CA, USA: Springer-Verlag, 2010, pp. 277–294. ISBN: 3-642-14622-8, 978-3-642- 14622-0. URL: http://dl.acm.org/citation.cfm?id=1881412. 1881432. [GK10] A. Groce and J. Katz. “A New Framework for Efﬁcient Password-based Authen- ticated Key Exchange”. In: Proceedings of the 17th ACM Conference on Com- puter and Communications Security. CCS ’10. Chicago, Illinois, USA: ACM, 2010, pp. 516–525. ISBN: 978-1-4503-0245-6. DOI: 10.1145/1866307. 1866365. URL: http://doi.acm.org/10.1145/1866307.1866365. [GL01] O. Goldreich and Y. Lindell. “Session-Key Generation Using Human Passwords Only”. English. In: Advances in Cryptology CRYPTO 2001. Ed. by J. Kilian. Vol. 2139. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2001, pp. 408–432. ISBN: 978-3-540-42456-7. DOI: 10 . 1007 / 3 - 540 - 44647 - 8 _ 24. URL: http : / / dx . doi . org / 10 . 1007 / 3 - 540 - 44647-8_24.

101 [GL03] R. Gennaro and Y. Lindell. “A Framework for Password-Based Authenticated Key Exchange”. English. In: Advances in Cryptology EUROCRYPT 2003. Ed. by E. Biham. Vol. 2656. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2003, pp. 524–543. ISBN: 978-3-540-14039-9. [GM03] D. Goldstein and A. Mayer. “On the equidistribution of Hecke points”. In: Fo- rum Mathematicum. Vol. 15. 2. Berlin; New York: De Gruyter, c1989-. 2003, pp. 165–190. [GN08] N. Gama and P. Q. Nguyen. “Predicting lattice reduction”. In: Advances in Cryptology–EUROCRYPT 2008. Springer, 2008, pp. 31–51. [GNR10] N. Gama, P. Q. Nguyen, and O. Regev. “Lattice enumeration using extreme pruning”. In: Advances in Cryptology–EUROCRYPT 2010. Springer, 2010, pp. 257– 278. [GPV08] C. Gentry, C. Peikert, and V. Vaikuntanathan. “Trapdoors for hard lattices and new cryptographic constructions”. In: Proceedings of the 40th annual ACM symposium on Theory of computing. STOC ’08. Victoria, British Columbia, Canada: ACM, 2008, pp. 197–206. ISBN: 978-1-60558-047-0. [HK99] S. Halevi and H. Krawczyk. “Public-key Cryptography and Password Proto- cols”. In: ACM Trans. Inf. Syst. Secur. 2.3 (Aug. 1999), pp. 230–268. ISSN: 1094-9224. DOI: 10.1145/322510.322514. URL: http://doi.acm. org/10.1145/322510.322514. [HPS98] J. Hoffstein, J. Pipher, and J. H. Silverman. “NTRU: A ring-based public key cryptosystem”. In: Algorithmic number theory. Springer, 1998, pp. 267–288. [HPSS08] J. Hoffstein, J. Pipher, J. H. Silverman, and J. H. Silverman. An introduction to mathematical cryptography. Vol. 1. Springer, 2008. [HR10] F. Hao and P. Ryan. “J-PAKE: Authenticated Key Exchange without PKI”. En- glish. In: Transactions on Computational Science XI. Ed. by M. Gavrilova, C. Tan, and E. Moreno. Vol. 6480. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2010, pp. 192–206. ISBN: 978-3-642-17696-8. DOI: 10 . 1007/978-3-642-17697-5_10. URL: http://dx.doi.org/10. 1007/978-3-642-17697-5_10. [Jab96] D. P. Jablon. “Strong Password-Only Authenticated Key Exchange”. In: ACM SIGCOMM Computer Communication Review 26.5 (1996), pp. 5–26. [JD12] X. L. Jintai Ding Xiang Xie. A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem. Cryptology ePrint Archive, Report 2012/688. http://eprint.iacr.org/. 2012. [JG05] S. Jiang and G. Gong. “Password Based Key Exchange with Mutual Authen- tication”. English. In: Selected Areas in Cryptography. Ed. by H. Handschuh and M. Hasan. Vol. 3357. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2005, pp. 267–279. ISBN: 978-3-540-24327-4.

102 [Kho05] S. Khot. “Hardness of approximating the shortest vector problem in lattices”. In: Journal of the ACM (JACM) 52.5 (2005), pp. 789–808. [KOY01] J. Katz, R. Ostrovsky, and M. Yung. “Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords”. In: Advances in Cryptology – EUROCRYPT 2001. Ed. by B. Pfitzmann. Vol. 2045. LNCS. Springer, 2001, pp. 475–494. [Kra05] H. Krawczyk. “HMQV: A High-Performance Secure Diffie-Hellman Protocol”. English. In: Advances in Cryptology CRYPTO 2005. Ed. by V.Shoup. Vol.3621. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2005, pp. 546– 566. ISBN: 978-3-540-28114-6. DOI: 10.1007/11535218_33. URL: http: //dx.doi.org/10.1007/11535218_33. [KV09] J. Katz and V. Vaikuntanathan. “Smooth Projective Hashing and Password- Based Authenticated Key Exchange from Lattices”. English. In: Advances in Cryptology ASIACRYPT 2009. Ed. by M. Matsui. Vol. 5912. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2009, pp. 636–652. ISBN: 978-3-642-10365-0. DOI: 10.1007/978- 3- 642- 10366- 7_37. URL: http://dx.doi.org/10.1007/978-3-642-10366-7_37. [KV11] J. Katz and V. Vaikuntanathan. “Round-Optimal Password-Based Authenticated Key Exchange”. English. In: Theory of Cryptography. Ed. by Y.Ishai. Vol.6597. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2011, pp. 293– 310. ISBN: 978-3-642-19570-9. DOI: 10 . 1007 / 978 - 3 - 642 - 19571 - 6_18. URL: http://dx.doi.org/10.1007/978-3-642-19571- 6_18. [Kwo01] T. Kwon. “Authentication and key agreement via memorable password”. In: ISOC Network and Distributed System Security Symposium. 2001. [Lag73] L. Lagrange. “Recherches d’arithmetique”.´ In: Nouv. Mem.´ Acad. (1773). [LLL82] A. K. Lenstra, H. W. Lenstra, and L. Lovasz.´ “Factoring polynomials with rational coefficients”. In: Mathematische Annalen 261.4 (1982), pp. 515–534. [LPR10] V. Lyubashevsky, C. Peikert, and O. Regev. “On Ideal Lattices and Learn- ing with Errors over Rings”. English. In: Advances in Cryptology EURO- CRYPT 2010. Ed. by H. Gilbert. Vol. 6110. Lecture Notes in Computer Sci- ence. Springer Berlin Heidelberg, 2010, pp. 1–23. ISBN: 978-3-642-13189-9. DOI: 10.1007/978- 3- 642- 13190- 5_1. URL: http://dx.doi. org/10.1007/978-3-642-13190-5_1. [LPW12] T. Laarhoven, J. van de Pol, and B. de Weger. “Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems.” In: IACR Cryptology ePrint Archive 2012 (2012), p. 533.

103 [Luc98] S. Lucks. “Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys”. In: Proceedings of the 5th International Workshop on Security Protocols. London, UK, UK: Springer-Verlag, 1998, pp. 79–90. ISBN: 3-540-64040-1. URL: http : / / dl . acm . org / citation . cfm ? id = 647215.720526. [Mac01] P. MacKenzie. On the Security of the SPEKE Password-Authenticated Key Ex- change Protocol. Cryptology ePrint Archive, Report 2001/057. http://eprint. iacr.org/2001/057. 2001. [Mac02] P. MacKenzie. The PAK Suite: Protocols for Password-Authenticated Key Ex- change. DIMACS Technical Report 2002-46. (Page 7). 2002. [Min10] H. Minkowski. “Geometrie der Zahlen”. In: (1910). [Min11] H. Minkowski. “Gesammelte Abhandlungen”. In: (1911). [MP13] D. Micciancio and C. Peikert. “Hardness of SIS and LWE with small parameters”. In: Advances in Cryptology–CRYPTO 2013. Springer, 2013, pp. 21–39. [MR07] D. Micciancio and O. Regev. “Worst-Case to Average-Case Reductions Based on Gaussian Measures”. In: SIAM J. Comput. 37 (1 2007), pp. 267–302. ISSN: 0097-5397. [Ngu99] P. Nguyen. “Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from crypto97”. In: Advances in CryptologyCRYPTO99. Springer. 1999, pp. 288– 304. [NS04] P. Q. Nguyen and D. Stehle.´ “Low-dimensional lattice basis reduction revis- ited”. In: Algorithmic number theory. Springer, 2004, pp. 338–357. [NS09] P. Q. Nguyen and D. Stehle.´ “Low-dimensional lattice basis reduction revis- ited”. In: ACM Transactions on Algorithms (TALG) 5.4 (2009), p. 46. [NSA05] NSA. https://www.nsa.gov/ia/programs/suiteb_cryptography/ index.shtml. 2005. [Ntl] “Victor Shoup’s NTL library”. In: URL: http://www.shoup.net/ntl/. [NV04] M.-H. Nguyen and S. Vadhan. “Simpler Session-Key Generation from Short Random Passwords”. English. In: Theory of Cryptography. Ed. by M. Naor. Vol. 2951. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2004, pp. 428–445. ISBN: 978-3-540-21000-9. DOI: 10.1007/978-3-540- 24638-1_24. URL: http://dx.doi.org/10.1007/978-3-540- 24638-1_24. [NV10] P. Q. Nguyen and B. Vallee.´ “The LLL algorithm”. In: Information Security and (2010). [Pei09] C. Peikert. “Public-key cryptosystems from the worst-case shortest vector problem”. In: Proceedings of the forty-ﬁrst annual ACM symposium on Theory of computing. ACM. 2009, pp. 333–342.

104 [Pei10] C. Peikert. An Efficient and Parallel Gaussian Sampler for Lattices. Cryptology ePrint Archive, Report 2010/088. http://eprint.iacr.org/. 2010. [Pei14] C. Peikert. “Lattice Cryptography for the Internet”. English. In: Post-Quantum Cryptography. Ed. by M. Mosca. Vol. 8772. Lecture Notes in Computer Sci- ence. Springer International Publishing, 2014, pp. 197–219. ISBN: 978-3-319- 11658-7. DOI: 10 . 1007 / 978 - 3 - 319 - 11659 - 4 _ 12. URL: http : //dx.doi.org/10.1007/978-3-319-11659-4_12. [PVW08] C. Peikert, V. Vaikuntanathan, and B. Waters. “A framework for efficient and composable oblivious transfer”. In: Advances in Cryptology–CRYPTO 2008. Springer, 2008, pp. 554–571. [Reg04a] O. Regev. “New lattice-based cryptographic constructions”. In: Journal of the ACM (JACM) 51.6 (2004), pp. 899–942. [Reg04b] O. Regev. “Some basic complexity results Lecture 5”. In: Lecture Notes in Computer Science (2004). [Reg05] O. Regev. “On lattices, learning with errors, random linear codes, and cryptography”. In: Proceedings of the thirty-seventh annual ACM symposium on Theory of computing. ACM. 2005, pp. 84–93. [Reg10] O. Regev. “The learning with errors problem”. In: Invited survey in CCC (2010). [Sch87] C.-P. Schnorr. “A hierarchy of polynomial time lattice basis reduction algorithms”. In: Theoretical computer science 53.2 (1987), pp. 201–224. [SE94] C.-P. Schnorr and M. Euchner. “Lattice basis reduction: improved practical algorithms and solving subset sum problems”. In: Mathematical programming 66.1-3 (1994), pp. 181–199. [Sem01] I. Semaev. “A 3-dimensional lattice reduction algorithm”. In: Cryptography and Lattices. Springer, 2001, pp. 181–193. [Sho94] P. W. Shor. “Algorithms for quantum computation: Discrete logarithms and factoring”. In: Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on. IEEE. 1994, pp. 124–134. [Sho99] V.Shoup. On Formal Models for Secure Key Exchange. Cryptology ePrint Archive, Report 1999/012. http://eprint.iacr.org/1999/012. 1999. [Tu] “TU Darmstadt lattice challenge”. In: URL: http://www.latticechallenge. org/. [Unr14a] D. Unruh. “Quantum Position Verification in the Random Oracle Model”. In: CRYPTO. Springer, 2014, pp. 1–18. DOI: 10.1007/978-3-662-44381- 1_1. [Unr14b] D. Unruh. “Revocable Quantum Timed-Release Encryption”. In: EUROCRYPT. Springer, 2014, pp. 129–146. DOI: 10.1007/978-3-642-55220-5_8.

105 [Zha12] M. Zhandry. “Secure Identity-Based Encryption in the Quantum Random Ora- cle Model”. In: Advances in Cryptology - Crypto 2012. Vol. 7417. Lecture Notes in Computer Science. Springer, 2012, pp. 758–775. DOI: 10.1007/978-3- 642-32009-5_44. [ZZDSD15] J. Zhang, Z. Zhang, J. Ding, M. Snook, and z. Dagdelen. “Authenticated Key Exchange from Ideal Lattices”. English. In: Advances in Cryptology - EURO- CRYPT 2015. Ed. by E. Oswald and M. Fischlin. Vol. 9057. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2015, pp. 719–751. ISBN: 978- 3-662-46802-9. DOI: 10.1007/978-3-662-46803-6_24. URL: http: //dx.doi.org/10.1007/978-3-662-46803-6_24.

106 Appendix A

Publications

Here I would like to declare that this thesis is my own work and parts of it are from the following publications:

1. J. Ding, S. Alsayigh, Y. Wang, and T. Takagi. “The Beauty and the Beasts -The Hard

Cases in LLL Reduction. In: SCIS 2016 (2016), and

2. J. Ding, S. Alsayigh, J. Lancrenon, S. Ramanathapuram, and M. Snook. “Provably Secure

Password Authenticated Key Exchange Based on RLWE for the Post-QuantumWorld. In:

submitted to Asiacrypt 2016, (2016).

where all the authors contributed equally.

107 Index

Mod2, 55 fundamental domain, 26 Cha, 55 Gaussian distribution, 53 χα, 53 γ-SVP, 28 GSO, 24 t , 18 exp integer lattice, 26 q-ary, 52 NP, 27 lattice, 21, 25, 26 NP-complete, 27 Learning with Errors, 53 NP-hard, 27 LLL, 31 dual lattice, 52 LLL failed, 46 RLWE-PPK, 81 LWE, 53

AKE, 3 Minkowski’s reduced, 37 Authenticated Key Exchange, 3 negligible function, 15 Beast lattice, 44 Beauty lattice, 44 Pairing with Errors, 60, 64 BKZ, 32 PAKE, 4 partnering, 14 CA, 67 Password-Authenticated Key Exchange, 4 CDH, 3, 15 PWE, 60, 64 Closest Vector Problem, 28 cryptanalysis, 1 Queries, 13 cryptography, 1 cryptology, 1 Ring Learning with Errors, 54 Cryptosystem, 1 RLWE, 54 CVP, 28 RLWE-DH, 59 RLWE-PAK, 64 DCVP, 28 Difﬁe-Hellman, 2 SA, 67 SBP, 29 freshness, 14 security model, 12

108 Short Integer Solution, 52 Shortest Vector Problem, 28 SIS, 52 size-reduction, 37 SVP, 28

109