Authenticated Key Exchange from Ideal Lattices

  • Jiang Zhang
  • Zhenfeng ZhangEmail author
  • Jintai DingEmail author
  • Michael Snook
  • Özgür Dagdelen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9057)


In this paper, we present a practical and provably secure two-pass authenticated key exchange protocol over ideal lattices, which is conceptually simple and has similarities to the Diffie-Hellman based protocols such as HMQV (CRYPTO 2005) and OAKE (CCS 2013). Our method does not involve other cryptographic primitives—in particular, it does not use signatures—which simplifies the protocol and enables us to base the security directly on the hardness of the ring learning with errors problem. The security is proven in the Bellare-Rogaway model with weak perfect forward secrecy in the random oracle model. We also give a one-pass variant of our two-pass protocol, which might be appealing in specific applications. Several concrete choices of parameters are provided, and a proof-of-concept implementation shows that our protocols are indeed practical.


Random Oracle Ideal Lattice Random Oracle Model Rejection Sampling Transport Layer Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22, 644–654 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) Google Scholar
  3. 3.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  4. 4.
    LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  5. 5.
    Krawczyk, H.: HMQV: a high-performance secure diffie-hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  6. 6.
    Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  7. 7.
    Harkins, D., Carrel, D., et al.: The internet key exchange (IKE). Technical report, RFC 2409, November 1998Google Scholar
  8. 8.
    Kaufman, C., Hoffman, P., Nir, Y., Eronen, P.: Internet key exchange protocol version 2 (IKEv2). Technical report, RFC 5996, September 2010Google Scholar
  9. 9.
    Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated diffie-hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  10. 10.
    Freier, A.: The SSL protocol version 3.0 (1996).
  11. 11.
    Dierks, T.: The transport layer security (TLS) protocol version 1.2 (2008)Google Scholar
  12. 12.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. 13.
    Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A cross-protocol attack on the TLS protocol. In: CCS, pp. 62–72 (2012)Google Scholar
  14. 14.
    Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: CCS, pp. 87–398 (2013)Google Scholar
  15. 15.
    Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.C.: Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Sec. 12, 267–297 (2013)CrossRefGoogle Scholar
  16. 16.
    Dagdelen, Ö., Fischlin, M.: Security analysis of the extended access control protocol for machine readable travel documents. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 54–68. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  17. 17.
    Dagdelen, Ö., Fischlin, M., Gagliardoni, T., Marson, G.A., Mittelbach, A., Onete, C.: A cryptographic analysis of OPACITY. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 345–362. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  18. 18.
    Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Unpicking PLAID. In: Chen, L., Mitchell, C. (eds.) SSR 2014. LNCS, vol. 8893, pp. 1–25. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  19. 19.
    Matsumoto, T., Takashima, Y.: On seeking smart public-key-distribution systems. IEICE Transactions (1976–1990) 69, 99–106 (1986)Google Scholar
  20. 20.
    Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing mutual implicit authentication. In: SAC, pp. 22–32 (1995)Google Scholar
  21. 21.
    ANS X9.42-2001: Public key cryptography for the financial services industry: Agreement of symmetric keys using discrete logarithm cryptography (2001)Google Scholar
  22. 22.
    ANS X9.63-2001: Public key cryptography for the financial services industry: Key agreement and key transport using elliptic curve cryptography (2001)Google Scholar
  23. 23.
    ISO/IEC: 11770–3:2008 information technology - security techniques - key management - part 3: Mechanisms using asymmetric techniques (2008)Google Scholar
  24. 24.
    IEEE 1363: IEEE std 1363–2000: Standard specifications for public key cryptography. IEEE, August 2000Google Scholar
  25. 25.
    Barker, E., Chen, L., Roginsky, A., Smid, M.: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography. NIST Special Publication 800, 56A (2013)Google Scholar
  26. 26.
    Yao, A.C.C., Zhao, Y.: OAKE: A new family of implicitly authenticated Diffie-Hellman protocols. In: CCS, pp. 1113–1128 (2013)Google Scholar
  27. 27.
    Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26, 1484–1509 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  28. 28.
    Chen, L.: Practical impacts on qutumn computing. In: Quantum-Safe-Crypto Workshop at the European Telecommunications Standards Institute (2013).
  29. 29.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  30. 30.
    Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: PKC, pp. 34–51 (2012)Google Scholar
  31. 31.
    Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Proceedings of the 6th IMA International Conference on Cryptography and Coding, Springer-Verlag, London, UK, pp. 30–45 (1997)Google Scholar
  32. 32.
    Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: CCS, pp. 51–62 (2011)Google Scholar
  33. 33.
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012)Google Scholar
  34. 34.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  35. 35.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. Cryptology ePrint Archive, Report 2014/599 (2014)Google Scholar
  36. 36.
    Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: Innovations in Computer Science, pp. 230–240 (2010)Google Scholar
  37. 37.
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  38. 38.
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  39. 39.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  40. 40.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  41. 41.
    Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Practical signatures from the partial fourier recovery problem. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 476–493. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  42. 42.
    Katz, J., Vaikuntanathan, V.: Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 636–652. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  43. 43.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: PKC, pp. 467–484 (2012)Google Scholar
  44. 44.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: ASIACCS, pp. 83–94 (2013)Google Scholar
  45. 45.
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC, pp. 187–196 (2008)Google Scholar
  46. 46.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC, pp. 333–342 (2009)Google Scholar
  47. 47.
    Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  48. 48.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  49. 49.
    Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39, 25–58 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  50. 50.
    Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  51. 51.
    Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  52. 52.
    Dagdelen, Ö., Fischlin, M., Gagliardoni, T.: The fiat–shamir transformation in a quantum world. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 62–81. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  53. 53.
    Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems (the hardness of quantum rewinding). In: FOCS 2014, pp. 474–483. IEEE (2014)Google Scholar
  54. 54.
    Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  55. 55.
    Song, F.: A note on quantum security for post-quantum cryptography. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 246–265. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  56. 56.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37, 267–302 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  57. 57.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  58. 58.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  59. 59.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping. In: ITCS, Innovations in Theoretical Computer Science, pp. 309–325 (2012)Google Scholar
  60. 60.
    Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. In: FOCS, pp. 429–442 (1985)Google Scholar
  61. 61.
    Trevisan, L., Vadhan, S.: Extracting randomness from samplable distributions. In: FOCS, pp. 32–42 (2000)Google Scholar
  62. 62.
    Trevisan, L.: Extractors and pseudorandom generators. J. ACM 48, 860–879 (2001)CrossRefzbMATHMathSciNetGoogle Scholar
  63. 63.
    Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  64. 64.
    Barak, B., Impagliazzo, R., Wigderson, A.: Extracting randomness using few independent sources. SIAM Journal on Computing 36, 1095–1118 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  65. 65.
    Barker, E., Roginsky, A.: Recommendation for the entropy sources used for random bit generation. Draft NIST Special Publication 800–90B, August 2012Google Scholar
  66. 66.
    Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  67. 67.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS, pp. 62–73 (1993)Google Scholar
  68. 68.
    Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)Google Scholar
  69. 69.
    Gennaro, R., Shoup, V.: A note on an encryption scheme of Kurosawa and Desmedt. Cryptology ePrint Archive, Report 2004/194 (2004)Google Scholar
  70. 70.
    Dagdelen, O., Bansarkhani, R.E., Göpfert, F., Güneysu, T., Oder, T., Pöppelmann, T., Sánchez, A.H., Schwabe, P.: High-speed signatures from standard lattices. In: LATINCRYPT (2014)Google Scholar
  71. 71.
    Schnorr, C., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, 181–199 (1994)CrossRefzbMATHMathSciNetGoogle Scholar
  72. 72.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  73. 73.
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)CrossRefzbMATHMathSciNetGoogle Scholar
  74. 74.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  75. 75.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  76. 76.
    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  77. 77.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  78. 78.
    Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C., et al.: Introduction to algorithms, vol. 2. MIT press, Cambridge (2001) zbMATHGoogle Scholar
  79. 79.
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  80. 80.
    Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Trusted Computing and Information Assurance Laboratory, SKLCSInstitute of Software, Chinese Academy of SciencesBeijingChina
  2. 2.Heshi Inc.ShixenzeChina
  3. 3.Department of Mathematical SciencesUniversity of CincinnatiCincinnatiUSA
  4. 4.Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations