Efficient Implementation of Password-Based Authenticated Key Exchange from RLWE and Post-Quantum TLS

International Journal of Network Security, Vol.20, No.5, PP.923-930, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).14)

Xinwei Gao1, Jintai Ding2, Lin Li1, Saraswathy RV2, and Jiqiang Liu1
(Corresponding authors: Jintai Ding and Lin Li)
1 Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, No.3 ShangYuanCun, Haidian District, Beijing, 100044, P.R.China
2 Department of Mathematical Sciences, University of Cincinnati, French Hall, 2815 Commons Way, Cincinnati, Ohio 45219, United States
(Received Aug. 6, 2017; revised and accepted Nov. 21, 2017)

Abstract

Two post-quantum password-based authenticated key exchange (PAKE) protocols were proposed at CT-RSA 2017. Following this work, we give a much more efficient and portable C++ implementation of these two protocols. We also choose more compact parameters providing 200-bit security. Compared with the original implementation, we achieve 21.5x and 18.5x speedup for RLWE-PAK and RLWE-PPK respectively. Compared with the quantum-vulnerable J-PAKE protocol, we achieve nearly 8x speedup. We also integrate RLWE-PPK into TLS to construct a post-quantum TLS ciphersuite. This allows simpler key management, mutual authentication and resistance to phishing attacks. Benchmarks show that our ciphersuite is indeed practical.

Keywords: Authenticated Key Exchange; Implementation; Post-quantum; RLWE; TLS

1 Introduction

1.1 Key Exchange and Post-Quantum World

With the groundbreaking work "New Directions in Cryptography" from Diffie and Hellman in 1976 [9], the ideas of key exchange (KE) and public key cryptography came into reality. Key exchange is a very important cryptographic primitive. With properly designed protocols, two or more parties can agree on the same session key for message or data encryption using symmetric encryption algorithms over an adversary-controlled network. Well-known protocols include Diffie-Hellman key exchange (DH), elliptic curve DH (ECDH), etc. However, these protocols cannot authenticate the user's identity, i.e., a man-in-the-middle (MITM) attack can compromise the security of communication. Authenticated key exchange (AKE) is a solution to this problem. AKE protocols can negotiate a key and authenticate the identity of the communicating parties simultaneously. Well-studied protocols include HMQV [20], authenticated DH, etc. As long as each party has a certified public key, two parties can use various explicit or implicit authentication mechanisms to verify the identity of the communicating party. The widely-deployed approach is combining unauthenticated key exchange with digital signatures and trusted certificates [21]. This is also known as Public Key Infrastructure (PKI)-based authentication.

Another important line of AKE is password-based AKE (PAKE). PAKE utilizes a human-memorable password (or passphrase), which is cryptographically insecure, to authenticate and negotiate a symmetric session key. PAKE is very strong in the sense that the user does not reveal the password to others [7]. In PAKE, the password (or its variant) is pre-shared by both parties. Since only the communicating parties know this password, it can intuitively be used as an authentication mechanism. Advantages of PAKE include simpler key management, since PAKE does not rely on certificates and signatures to authenticate; security against webpage spoofing, phishing and man-in-the-middle (MITM) attacks, since the attacker does not know the password; user-friendly authentication (using a human-memorable password); prevention of offline dictionary attacks; etc. Plenty of PAKE protocols have been standardized and deployed in various applications. Examples and real-world applications of PAKE include PAK & PPK [5], Password Authenticated Key Exchange by Juggling (J-PAKE) [16], secure Pre-Shared Key (PSK) authentication for the Internet Key Exchange (IKE) protocol in RFC 6617 [17], elliptic curve J-PAKE ciphersuites in TLS [8], the Secure Remote Password protocol (SRP) in RFC 2945 [29] and patented protocols like Encrypted Key Exchange (EKE) [3], Simple Password Exponential Key Exchange (SPEKE) [18], etc. Also, OpenSSL supports J-PAKE and the Firefox Sync service adopted J-PAKE for authentication and key exchange. Some other works related to key exchange include [12, 13, 24], etc.

With the advent of quantum computers during the past decades, people have realized the untapped potential of quantum computers and the huge threats to current cryptographic constructions, especially public key algorithms. The two best-known attacks from quantum computers are Shor's algorithm [28] and Grover's algorithm [14]. Shor's quantum algorithm is widely conjectured to be effective against all mainstream public-key algorithms designed based on the integer factorization problem, the discrete logarithm problem, etc., including RSA, Diffie-Hellman and elliptic curve-based ones. If a large quantum computer exists, it is believed that most public key algorithms can be broken very efficiently. Grover's quantum algorithm attacks symmetric encryption algorithms. The result shows that an $n$-bit key provides $n/2$-bit security against quantum computers. Quantum brute force can be defeated by doubling the key size without switching to new algorithms. A larger key size works for symmetric and hash algorithms, but current public key algorithms will be broken regardless of key size. In 2017, the D-Wave 2000Q quantum computer broke the 2000-qubit barrier. Despite the controversies around D-Wave on whether they are building a truly quantum computer or not, they show the potential of building practical and very powerful quantum computers within the coming years. In 2015, the National Security Agency (NSA) announced a plan to switch to quantum-resistant cryptography in the near future. At the PQCrypto 2016 conference, NIST announced their call for quantum-resistant cryptographic algorithms for the future and plans for post-quantum cryptography standards. Although it is hard to predict the exact time that efficient quantum computers can be built, most scientists believe that they will be built within decades.

1.2 Contributions

In this paper, we first present a very efficient implementation of two RLWE-based post-quantum password-based authenticated key exchange protocols proposed at CT-RSA 2017 (denoted as PAKE17) [10]. We also choose more compact parameters providing at least 200-bit security. Our implementation achieves 21.5x and 18.5x performance improvement over the original implementation of the RLWE-PAK and RLWE-PPK protocols respectively. We also compare performance with J-PAKE, which is deployed in real-world applications but vulnerable to quantum computers. Our implementation is more efficient and achieves 8.5x and 7.4x speedup for RLWE-PAK and RLWE-PPK respectively. Benchmarks prove that our work is indeed

Our implementation is a portable C++ implementation and does not rely on new instruction sets (e.g., AVX2) to achieve high performance.

Second, we introduce a post-quantum TLS ciphersuite and present our proof-of-concept implementation. We integrate our efficient RLWE-PPK implementation into a TLS ciphersuite in a similar way as pre-shared key ciphersuites. The pre-shared password in RLWE-PPK is in this context a pre-shared key. Advantages of our ciphersuite include more convenient key management compared with PKI-based authentication, resistance to phishing attacks and mutual authentication. Benchmarks of our implementation show that our post-quantum TLS ciphersuite is truly practical.

1.3 Organization

We recall necessary background knowledge in Section 2. In Section 3, we revisit the PAKE17 protocol and introduce a new parameter choice with security level estimation, a much more efficient implementation, a comparison with the original work and analysis. In Section 4, we introduce our post-quantum TLS ciphersuite based on RLWE-PPK, its proof-of-concept implementation, performance and discussions. We conclude the paper in Section 5.

2 Preliminary

2.1 Post-Quantum Cryptography

Due to Shor's algorithm, the major public key cryptosystems of today (RSA, Diffie-Hellman, ECDH, etc.) are no longer secure when a large quantum computer is available. Constructions built on these hard problems (the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem) can be broken on a sufficiently large quantum computer. Therefore, it is imperative to build quantum-resistant and efficient algorithms and implementations and to gain real-world deployment.

Post-quantum cryptography refers to designing and building cryptosystems that can resist attacks from quantum computers. Generally, quantum-resistant cryptosystems can be achieved by these approaches: lattice-based, multivariate-based, hash-based, code-based and symmetric ciphers with larger key sizes. In this paper, we focus on lattice-based ones since they have strong provable security, high efficiency, simple structure and much smaller key sizes compared with other approaches. A lattice is a set of points in an $n$-dimensional space with periodic structure. The lattice $L(\mathbf{b}_1, \ldots, \mathbf{b}_n) = \{\sum_{i=1}^{n} x_i \mathbf{b}_i : x_i \in \mathbb{Z}\}$ is formed by integer linear combinations of $n$ linearly independent vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n \in \mathbb{R}^n$. These vectors are called a "lattice basis". With the groundbreaking work of Ajtai [1], cryptographic constructions based on lattices came into existence. The security of lattice-based constructions can
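As an added illustration of the lattice definition above (example code, not from the paper), the following Python enumerates a window of $L(\mathbf{b}_1, \ldots, \mathbf{b}_n)$, tests membership by solving for the integer coefficients $x_i$ exactly, and shows that a lattice has many bases: the constructed bases BASIS_A and BASIS_B generate the same lattice, while BASIS_C generates only a sublattice.

```python
from fractions import Fraction
from itertools import product

# Constructed 2-dimensional sample bases (not from the paper).
BASIS_A = [(2, 1), (1, 3)]   # b1, b2
BASIS_B = [(3, 4), (1, 3)]   # b1 + b2, b2: a different basis of the same lattice
BASIS_C = [(4, 2), (1, 3)]   # 2*b1, b2: generates only a sublattice of L(BASIS_A)


def lattice_points(basis, bound):
    """All sum_i x_i*b_i with integer |x_i| <= bound (a finite window of the lattice)."""
    n = len(basis)
    pts = set()
    for coeffs in product(range(-bound, bound + 1), repeat=n):
        pts.add(tuple(sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(n)))
    return pts


def solve_coeffs(basis, v):
    """Exact rational x with sum_i x_i*b_i = v, or None if the vectors are dependent."""
    n = len(basis)
    # Row j: sum_i x_i * basis[i][j] = v[j]; Gauss-Jordan over Fractions, no rounding.
    m = [[Fraction(basis[i][j]) for i in range(n)] + [Fraction(v[j])] for j in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return None  # not a basis: linearly dependent vectors
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [row[n] for row in m]


def in_lattice(basis, v):
    """v is a lattice point iff its coordinates in the basis are all integers."""
    coeffs = solve_coeffs(basis, v)
    return coeffs is not None and all(c.denominator == 1 for c in coeffs)


def same_lattice(basis1, basis2, bound=2):
    """Check on a finite window that two bases generate the same point set."""
    return (all(in_lattice(basis2, p) for p in lattice_points(basis1, bound)) and
            all(in_lattice(basis1, p) for p in lattice_points(basis2, bound)))


if __name__ == "__main__":
    print(in_lattice(BASIS_A, (3, 4)), in_lattice(BASIS_A, (1, 0)))      # True False
    print(same_lattice(BASIS_A, BASIS_B), same_lattice(BASIS_A, BASIS_C))  # True False
```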