New Password Authenticated Key Exchange Based on the Ring Learning with Errors

Total pages: 16
File type: PDF, size: 1020 KB

New Password Authenticated Key Exchange Based on the Ring Learning with Errors

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy, Department of Mathematical Sciences, McMicken College of Arts and Sciences, University of Cincinnati, June 2016

Author: Saed Alsayigh
Degrees: B.S. Mathematics, 2003, King Saud University; M.S. Applied Mathematics, 2009, King Saud University; M.S. Mathematics, 2016, University of Cincinnati
Chair: Jintai Ding
Committee: Ning Zhong, Daniel Smith, Chris Christensen, Yizao Wang

Abstract

Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim of establishing a high-entropy, secret session key over an insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in communication share a simple password, which is human-memorable and is used to achieve the authentication. These features are appealing in an age when most people access sensitive personal data remotely from pervasive hand-held devices. Theoretically, PAKEs allow secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this thesis, we apply the technique proposed in [JD12] to construct two lattice-based PAKE protocols with simple and elegant designs that extend the Random Oracle Model (ROM)-based protocols PAK and PPK [BMP00; Mac02] to a lattice-based setting. The new protocol following the structure of PAK is three-pass and provides mutual explicit authentication; the protocol following the structure of PPK is two-pass and provides implicit authentication. Our protocols rely on the Ring Learning with Errors (RLWE) assumption and exploit the additive structure of the underlying RLWE ring, which allows the protocols to achieve provable security. Our protocols have a comparable level of efficiency to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that these protocols are efficient and practical, and, therefore, that our two protocols are suitable quantum-safe replacements for PAK and PPK.

© 2016 by Saed Alsayigh. All rights reserved.

Acknowledgments

In this moment of submitting my thesis, there are many people who I have to thank for their help and support. First of all, a special thanks to my wife Zainab and my four lovely children, Hawra, Fatimah, Husain and Ridha, for being patient and supportive all this time with me. I also thank my parents, all my family, and my friends. I want to express my gratitude to my supervisor, Professor Jintai Ding, who guided me during my PhD studies and helped me to understand and love cryptography. Thank you for being a good friend, for your advice, and for standing with me when I needed you. Next, I would like to thank the University of Cincinnati, specifically the faculty of the Department of Mathematical Sciences, who have helped me learn a lot during the course of my studies here. I also thank the cryptography group members that I worked with during my study: Jean, Michael, Saraswathy and Yuntao. I really enjoyed working with you guys, thank you. Finally, I would like to thank the King Abdullah Scholarship Program for the financial support and for giving me this opportunity to continue my studies in the United States.

Contents

Abstract
Copyright
Acknowledgments
List of Tables
List of Figures
1. Introduction and Contributions
  1.1. Introduction
  1.2. Our contributions
  1.3. Related work
    1.3.1. PAKE protocols and security models
    1.3.2. AKE from lattices
2. PAK and PPK based on Diffie-Hellman
  2.1. Introduction
  2.2. Security model
    2.2.1. Computational Diffie-Hellman assumption
  2.3. The PAK protocol
    2.3.1. Security of PAK
  2.4. The PPK protocol
    2.4.1. Security of PPK
  2.5. Security of PAK and PPK in a Post-Quantum World
3. Introduction to Lattice Theory
  3.1. Introduction
  3.2. Preliminaries
  3.3. Lattices
  3.4. Hard problems in lattices
    3.4.1. Complexity of lattice problems
  3.5. Lattice reduction algorithms
    3.5.1. Gauss reduction algorithm
    3.5.2. LLL lattice reduction algorithm
    3.5.3. BKZ lattice reduction algorithm
4. The Hard Cases in LLL reduction
  4.1. Introduction
  4.2. Preliminaries
  4.3. Three-dimensional case
    4.3.1. LLL outputs a shortest vector?
    4.3.2. Main theorem
    4.3.3. The Beauty and the Beasts
    4.3.4. Experimental results
  4.4. High-dimensional cases
    4.4.1. Success probability of LLL
    4.4.2. How to build hard lattice in high dimensions
    4.4.3. Experimental results of high dimensional cases
    4.4.4. The quality factor and our build lattice
5. Lattice and Cryptography
  5.1. Introduction
  5.2. Lattices in Cryptography
  5.3. Hard lattice problems in Cryptography
    5.3.1. Short Integer Solution
    5.3.2. Learning with Errors
    5.3.3. Ring Learning with Errors
  5.4. New Lattice Problems
    5.4.1. The RLWE Diffie-Hellman problem
    5.4.2. The Pairing with Errors problem
6. The New Protocols
  6.1. Introduction
  6.2. Security model
  6.3. Security assumption
  6.4. Password-Authenticated RLWE Key Exchange (RLWE-PAK)
    6.4.1. Correctness
    6.4.2. Proof of security for RLWE-PAK
  6.5. Implicit authentication
    6.5.1. Proof of security for RLWE-PPK
  6.6. Implementation
7. Conclusion and Future Work
Bibliography
A. Publications
Index

List of Tables

4.1. Some experimental results using our constructed 3-dimensional Beast bases. Note that we call LLL failed if the shortest vector was not in the LLL-reduced basis.
4.2. Some experimental results of higher-dimensional Beast bases.
6.1. Timings of the PAKE protocols as described in Fig. 6.1 and Fig. 6.2.

List of Figures

2.1. The Original PAK Protocol
2.2. The Original PPK Protocol
4.1. The number of LLL failed cases in dimension 3 using the same bases but different δ
4.2. The structure of Beauty lattices in R^2
4.3. Experimental results of random bases generated from the TU Darmstadt SVP Challenge
6.1. Explicitly Authenticated Protocol
6.2. Implicitly Authenticated Protocol

Chapter 1. Introduction and Contributions

1.1. Introduction

Computers and electronic communications have become essential components of everyday life and are hard to live without. In routine use of these devices, important personal and confidential information is stored and transferred during communications. Key questions one asks about the use of such devices are whether the information shared during communication is secure and whether there is unauthorized use of the information. Communication security and the prevention of unauthorized use of information are not new issues born with the rapidly increasing use of technology; they have been critical issues for thousands of years.

The study of information security is called cryptology. It consists of two different areas of study. One is called cryptography. Cryptography studies the construction of cipher systems that can be used to hide information. Such systems are called cryptosystems. Each cryptosystem consists of two functions: one function is used to encrypt or hide messages, while the other function is used to decrypt or recover the messages. The other half of cryptology is cryptanalysis. Cryptanalysis studies breaking cryptosystems and analyzes the leakage of information from a targeted cryptosystem.

There are two types of cryptosystems: symmetric cryptosystems and asymmetric cryptosystems. When using a symmetric cryptosystem, all people in the communication have the same ability: everyone can encrypt and decrypt every message. The security of a symmetric cryptosystem is usually based on the length of the key and the strength of the algorithm. Symmetric cryptosystems require key exchange among the people in the communication. Key exchange is especially a problem when the number of people in the communication is large and they cannot meet to exchange the key. The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are examples of this type of cryptosystem. When using an asymmetric cryptosystem, one of the people in the communication has an advantage over the others: the owner of the key can decrypt, but the others can only encrypt. The security of an asymmetric cryptosystem is usually based on the hardness of the mathematical problem that the system is built upon. Asymmetric cryptosystems are also called public key cryptosystems (PKC) because they publish the encryption key. The most common PKCs are:

1. The Diffie-Hellman Key Exchange Protocol (DHKE), which was invented by Whitfield Diffie and Martin Hellman in 1976 [DH76].
2. RSA, which was invented by Ronald Rivest, Adi Shamir, and Len Adleman in 1978.
3. The ElGamal algorithm, which was invented by Taher Elgamal in 1984 and is based on DHKE.
4. Elliptic curve cryptography (ECC), which was suggested by Neal Koblitz and Victor S. Miller in 1985 and is based on the algebraic structure of elliptic curves over finite fields.

In 1976, Diffie and Hellman proposed a public key distribution system in their paper "New directions in cryptography" [DH06]. This system allows two parties to exchange a key over an insecure channel. Say Alice and Bob would like to share a key which they can use with a symmetric cryptosystem.