The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs

Rafael Del Pino 1 Vadim Lyubashevsky 2 David Pointcheval 1
1 CASCADE - Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities
DI-ENS - Département d'informatique de l'École normale supérieure, CNRS - Centre National de la Recherche Scientifique : UMR 8548, Inria de Paris
Abstract : Authenticated Key Exchange (AKE) is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Because AKE can be generically constructed by combining a digital signature scheme with public key encryption (or a KEM), most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures. In this paper, we show that by simultaneously considering the secrecy and authenticity requirements of an AKE, we can construct a scheme that is more secure and with smaller communication complexity than a scheme created by a generic combination of a KEM with a signature scheme. Our improvement uses particular properties of lattice-based encryption and signature schemes and consists of two parts – the first part increases security, whereas the second reduces communication complexity. We first observe that parameters for lattice-based encryption schemes are always set so as to avoid decryption errors, since many observations by the adversary of such failures usually leads to him recovering the secret key. But since one of the requirements of an AKE is that it be forward-secure, the public key must change every time. The intuition is therefore that one can set the parameters of the scheme so as to not care about decryption errors and everything should still remain secure. We show that this naive solution is not quite correct, but the intuition can be made to work by a small change in the scheme. Our new AKE, which now remains secure in case of decryption errors, fails to create a shared key with probability around 2 −30 , but adds enough security that we are able to instantiate a KEM based on the NTRU assumption with rings of smaller dimension. Our second improvement is showing that certain hash-and-sign lattice signatures can be used in " message-recovery " mode. In this mode, the signature size is doubled but this longer signature is enough to recover an even longer message – thus the signature is longer but the message does not need to be sent. This is advantageous when signing relatively long messages, such as the public keys and ciphertexts generated by a lattice-based KEM. We show how this technique reduces the communication complexity of the generic construction of our AKE by around 20%. Using a lattice-based signature in message-recovery mode is quite generic (i.e it does not depend on the structure of the message), and so it may be used in AKE constructions that use a different KEM, or even simply as a way to reduce the transmission length of a message and its digital signature.
Type de document :
Communication dans un congrès
Vassilis Zikas; Roberto De Prisco. SCN 2016 - 10th International Conference Security and Cryptography for Networks, Aug 2016, Amalfi, Italy. Springer SCN 2016 - 10th International Conference Security and Cryptography for Networks, Lecture Notes in Computer Science (9841), pp.273 - 291, 2016, Security and Cryptography for Networks. 〈http://link.springer.com/book/10.1007/978-3-319-44618-9〉. 〈10.1007/978-3-319-44618-9_15〉
Liste complète des métadonnées

Littérature citée [33 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01378005
Contributeur : David Pointcheval <>
Soumis le : samedi 8 octobre 2016 - 14:00:49
Dernière modification le : jeudi 26 avril 2018 - 10:29:04
Document(s) archivé(s) le : lundi 9 janvier 2017 - 12:13:59

Fichier

435.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Rafael Del Pino, Vadim Lyubashevsky, David Pointcheval. The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs. Vassilis Zikas; Roberto De Prisco. SCN 2016 - 10th International Conference Security and Cryptography for Networks, Aug 2016, Amalfi, Italy. Springer SCN 2016 - 10th International Conference Security and Cryptography for Networks, Lecture Notes in Computer Science (9841), pp.273 - 291, 2016, Security and Cryptography for Networks. 〈http://link.springer.com/book/10.1007/978-3-319-44618-9〉. 〈10.1007/978-3-319-44618-9_15〉. 〈hal-01378005〉

Partager

Métriques

Consultations de la notice

419

Téléchargements de fichiers

100