
New Password Authenticated Key Exchange Based on the Ring Learning with Errors

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy
Department of Mathematical Sciences, McMicken College of Arts and Sciences, University of Cincinnati, June 2016

Author: Saed Alsayigh
Degrees: B.S. Mathematics, 2003, King Saud University; M.S. Applied Mathematics, 2009, King Saud University; M.S. Mathematics, 2016, University of Cincinnati
Chair: Jintai Ding
Committee: Ning Zhong, Daniel Smith, Chris Christensen, Yizao Wang

Abstract

Authenticated Key Exchange (AKE) is a cryptographic scheme whose aim is to establish a high-entropy secret session key over an insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the communicating parties share a simple, human-memorable password, which is used to achieve authentication. These features are appealing in an age when most people access sensitive personal data remotely from pervasive hand-held devices. Theoretically, PAKEs allow secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this thesis, we apply the technique proposed in [JD12] to construct two lattice-based PAKE protocols with simple and elegant designs that extend the Random Oracle Model (ROM)-based protocols PAK and PPK [BMP00; Mac02] to a lattice-based setting. The new protocol following the structure of PAK is three-pass and provides mutual explicit authentication; the protocol following the structure of PPK is two-pass and provides implicit authentication. Our protocols rely on the Ring Learning with Errors (RLWE) assumption and exploit the additive structure of the underlying RLWE ring, which allows the protocols to achieve provable security. Our protocols have a level of efficiency comparable to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are efficient and practical, and, therefore, that our two protocols are suitable quantum-safe replacements for PAK and PPK.

© 2016 by Saed Alsayigh. All rights reserved.

Acknowledgments

In this moment of submitting my thesis, there are many people whom I have to thank for their help and support. First of all, a special thanks to my wife Zainab and my four lovely children, Hawra, Fatimah, Husain and Ridha, for being patient and supportive all this time with me. I also thank my parents, all my family, and my friends. I want to express my gratitude to my supervisor, Professor Jintai Ding, who guided me during my PhD studies and helped me to understand and love cryptography. Thank you for being a good friend, for your advice, and for standing with me when I needed you. Next, I would like to thank the University of Cincinnati, specifically the faculty of the Department of Mathematical Sciences, who have helped me learn a lot during the course of my studies here. I also thank the cryptography group members that I worked with during my study: Jean, Michael, Saraswathy and Yuntao. I really enjoyed working with you guys, thank you. Finally, I would like to thank the King Abdullah Scholarship Program for the financial support and for giving me this opportunity to continue my studies in the United States.

Contents

Abstract ii
Copyright iii
Acknowledgments iv
List of Tables viii
List of Figures ix
1. Introduction and Contributions 1
1.1. Introduction 1
1.2. Our contributions 6
1.3. Related work 8
1.3.1. PAKE protocols and security models 8
1.3.2. AKE from lattices 10
2. PAK and PPK based on Diffie-Hellman 11
2.1. Introduction 11
2.2. Security model 12
2.2.1. Computational Diffie-Hellman assumption 15
2.3. The PAK protocol 15
2.3.1. Security of PAK 17
2.4. The PPK protocol 18
2.4.1. Security of PPK 19
2.5. Security of PAK and PPK in a Post-Quantum World 20
3. Introduction to Lattice Theory 21
3.1. Introduction 21
3.2. Preliminaries 22
3.3. Lattices 25
3.4. Hard problems in lattices 27
3.4.1. Complexity of lattice problems 29
3.5. Lattice reduction algorithms 30
3.5.1. Gauss reduction algorithm 30
3.5.2. LLL lattice reduction algorithm 31
3.5.3. BKZ lattice reduction algorithm 32
4. The Hard Cases in LLL Reduction 34
4.1. Introduction 34
4.2. Preliminaries 36
4.3. Three-dimensional case 39
4.3.1. LLL outputs a shortest vector? 39
4.3.2. Main theorem 39
4.3.3. The Beauty and the Beasts 44
4.3.4. Experimental results 45
4.4. High-dimensional cases 46
4.4.1. Success probability of LLL 46
4.4.2. How to build hard lattices in high dimensions 46
4.4.3. Experimental results of high-dimensional cases 48
4.4.4. The quality factor and our built lattice 48
5. Lattices and Cryptography 50
5.1. Introduction 50
5.2. Lattices in Cryptography 50
5.3. Hard lattice problems in Cryptography 52
5.3.1. Short Integer Solution 52
5.3.2. Learning with Errors 53
5.3.3. Ring Learning with Errors 54
5.4. New Lattice Problems 55
5.4.1. The RLWE Diffie-Hellman problem 59
5.4.2. The Pairing with Errors problem 60
6. The New Protocols 62
6.1. Introduction 62
6.2. Security model 63
6.3. Security assumption 63
6.4. Password-Authenticated RLWE Key Exchange (RLWE-PAK) 64
6.4.1. Correctness 65
6.4.2. Proof of security for RLWE-PAK 67
6.5. Implicit authentication 81
6.5.1. Proof of security for RLWE-PPK 82
6.6. Implementation 94
7. Conclusion and Future Work 95
Bibliography 98
A. Publications 107
Index 108

List of Tables

4.1. Some experimental results using our constructed 3-dimensional Beast bases. Note that we say LLL failed if the shortest vector was not in the LLL-reduced basis. 46
4.2. Some experimental results of higher-dimensional Beast bases. 48
6.1. Timings of the PAKE protocols as described in Fig. 6.1 and Fig. 6.2. 94

List of Figures

2.1. The Original PAK Protocol 17
2.2. The Original PPK Protocol 19
4.1. The number of LLL failed cases in dimension 3 using the same bases but different δ. 40
4.2. The structure of Beauty lattices in R^2. 45
4.3. Experimental results of random bases generated from the TU Darmstadt SVP Challenge. 47
6.1. Explicitly Authenticated Protocol 66
6.2. Implicitly Authenticated Protocol 82

Chapter 1
Introduction and Contributions

1.1. Introduction

Computers and electronic communications have become essential components of everyday life and are hard to live without. In routine use of these devices, important personal and confidential information is stored and transferred during communications. Key questions one asks about the use of such devices are whether the information shared during communication is secure and whether there is unauthorized use of the information. Communication security and the prevention of unauthorized use of information are not new issues born with the rapidly increasing use of technology; they have been critical issues for thousands of years.

The study of information security is called cryptology. It consists of two different areas of study. One is called cryptography. Cryptography studies the construction of cipher systems that can be used to hide information. Such systems are called cryptosystems. Each cryptosystem consists of two functions: one function is used to encrypt or hide messages, while the other function is used to decrypt or recover the messages. The other half of cryptology is cryptanalysis. Cryptanalysis studies breaking cryptosystems and analyzes the leakage of information from a targeted cryptosystem.

There are two types of cryptosystems: symmetric cryptosystems and asymmetric cryptosystems. When using a symmetric cryptosystem, all parties in the communication have the same ability: everyone can encrypt and decrypt every message. The security of a symmetric cryptosystem is usually based on the length of the key and the strength of the algorithm. Symmetric cryptosystems require key exchange among the parties in the communication. Key exchange is especially a problem when the number of parties in the communication is large and they cannot meet to exchange the key. The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are examples of this type of cryptosystem. When using an asymmetric cryptosystem, one of the parties in the communication has an advantage over the others: the owner of the private key can decrypt, while the others can only encrypt. The security of an asymmetric cryptosystem is usually based on the hardness of the mathematical problem that the system is built upon. Asymmetric cryptosystems are also called public key cryptosystems (PKC) because they publish the encryption key. The most common PKCs are:

1. The Diffie-Hellman Key Exchange Protocol, DHKE, which was invented by Whitfield Diffie and Martin Hellman in 1976 [DH76].
2. RSA, which was invented by Ronald Rivest, Adi Shamir, and Len Adleman in 1978.
3. The ElGamal algorithm, which was invented by Taher Elgamal in 1984 and is based on DHKE.
4. Elliptic curve cryptography (ECC), which was suggested by Neal Koblitz and Victor S. Miller in 1985 and is based on the algebraic structure of elliptic curves over finite fields.

In 1976, Diffie and Hellman proposed a public key distribution system in their paper "New directions in cryptography" [DH06]. This system allows two parties to exchange a key over an insecure channel. Say Alice and Bob would like to share a key which they can use with a symmetric cryptosystem.
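To make the Diffie-Hellman key distribution just described concrete, the following is an added example in Python; it is not code from the thesis or its implementation. Alice and Bob agree on a safe prime p = 2q + 1 and a generator g of the order-q subgroup, each publishes g^x mod p over the insecure channel, and each computes g^(xy) mod p, which is hashed into a session key for a symmetric cipher. The toy safe-prime generator, the 256-bit default size, the subgroup-membership check on received values and the SHA-256 key derivation are my own choices for illustration; deployed systems use standardized groups and key-derivation functions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman over the prime-order subgroup of Z_p^*, p = 2q + 1 a safe prime.
# Added example, not the thesis's code. Parameter sizes and the SHA-256 key
# derivation are assumptions for illustration only.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, preceded by trial division by a few small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a witnesses compositeness
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both (probable) primes, p about `bits` bits long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def subgroup_generator(p: int) -> int:
    """For p = 2q + 1, any square other than 1 generates the subgroup of prime order q."""
    h = secrets.randbelow(p - 3) + 2               # h in [2, p-2], so h^2 mod p != 1
    return pow(h, 2, p)


class Party:
    """One side of the exchange: holds the private exponent x and publishes g^x mod p."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.q = (p - 1) // 2
        self.secret = secrets.randbelow(self.q - 1) + 1      # x in [1, q-1], never leaves the party
        self.public = pow(g, self.secret, p)                 # the value sent over the channel

    def derive_key(self, peer_public: int) -> bytes:
        # Validate the received value before the private exponent touches it:
        # it must lie in [2, p-2] and in the order-q subgroup (rejects 0, 1, p-1, etc.).
        if not 1 < peer_public < self.p - 1 or pow(peer_public, self.q, self.p) != 1:
            raise ValueError("peer value is not a valid group element")
        shared = pow(peer_public, self.secret, self.p)       # (g^y)^x = g^(xy) mod p
        width = (self.p.bit_length() + 7) // 8
        # Hash the shared group element into a fixed-length key for a symmetric cipher.
        return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange(bits: int = 256):
    """Run Alice and Bob over fresh parameters; return both keys and the public transcript."""
    p = generate_safe_prime(bits)
    g = subgroup_generator(p)
    alice, bob = Party(p, g), Party(p, g)
    # Everything an observer of the insecure channel gets to see:
    transcript = {"p": p, "g": g, "A": alice.public, "B": bob.public}
    return alice.derive_key(bob.public), bob.derive_key(alice.public), transcript


if __name__ == "__main__":
    k_alice, k_bob, transcript = run_exchange()
    print("keys agree:", k_alice == k_bob)
    print("public transcript:", transcript)
```

Two points worth noting. First, `derive_key` refuses any received value outside the prime-order subgroup before exponentiating with the private key; omitting that check is a classic implementation error in DH code. Second, nothing in this exchange tells Alice that the value she received really came from Bob: the messages are unauthenticated, which is exactly the gap that the password-based PAK and PPK protocols of Chapter 2 close, and which the thesis then carries over to the RLWE setting.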