Skip to Main content Skip to Navigation
Conference papers

The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs

Rafael del Pino 1 Vadim Lyubashevsky 2 David Pointcheval 1 
1 CASCADE - Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities
DI-ENS - Département d'informatique - ENS Paris, CNRS - Centre National de la Recherche Scientifique : UMR 8548, Inria de Paris
Abstract : Authenticated Key Exchange (AKE) is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Because AKE can be generically constructed by combining a digital signature scheme with public key encryption (or a KEM), most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures. In this paper, we show that by simultaneously considering the secrecy and authenticity requirements of an AKE, we can construct a scheme that is more secure and with smaller communication complexity than a scheme created by a generic combination of a KEM with a signature scheme. Our improvement uses particular properties of lattice-based encryption and signature schemes and consists of two parts – the first part increases security, whereas the second reduces communication complexity. We first observe that parameters for lattice-based encryption schemes are always set so as to avoid decryption errors, since many observations by the adversary of such failures usually leads to him recovering the secret key. But since one of the requirements of an AKE is that it be forward-secure, the public key must change every time. The intuition is therefore that one can set the parameters of the scheme so as to not care about decryption errors and everything should still remain secure. We show that this naive solution is not quite correct, but the intuition can be made to work by a small change in the scheme. Our new AKE, which now remains secure in case of decryption errors, fails to create a shared key with probability around 2 −30 , but adds enough security that we are able to instantiate a KEM based on the NTRU assumption with rings of smaller dimension. Our second improvement is showing that certain hash-and-sign lattice signatures can be used in " message-recovery " mode. In this mode, the signature size is doubled but this longer signature is enough to recover an even longer message – thus the signature is longer but the message does not need to be sent. This is advantageous when signing relatively long messages, such as the public keys and ciphertexts generated by a lattice-based KEM. We show how this technique reduces the communication complexity of the generic construction of our AKE by around 20%. Using a lattice-based signature in message-recovery mode is quite generic (i.e it does not depend on the structure of the message), and so it may be used in AKE constructions that use a different KEM, or even simply as a way to reduce the transmission length of a message and its digital signature.
Document type :
Conference papers
Complete list of metadata

Cited literature [33 references]  Display  Hide  Download
Contributor : David Pointcheval Connect in order to contact the contributor
Submitted on : Saturday, October 8, 2016 - 2:00:49 PM
Last modification on : Wednesday, June 8, 2022 - 12:50:03 PM
Long-term archiving on: : Monday, January 9, 2017 - 12:13:59 PM


Files produced by the author(s)




Rafael del Pino, Vadim Lyubashevsky, David Pointcheval. The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs. SCN 2016 - 10th International Conference Security and Cryptography for Networks, Aug 2016, Amalfi, Italy. pp.273 - 291, ⟨10.1007/978-3-319-44618-9_15⟩. ⟨hal-01378005⟩



Record views


Files downloads