Authenticated Key Exchange from Ideal Lattices

Zhang, Jiang; Zhang, Zhenfeng; Ding, Jíntai; Snook, Michael; Dagdelen, Özgür

doi:10.1007/978-3-662-46803-6_24

Cited by 120 publications

(83 citation statements)

References 71 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Performance improvements can be expected as future research is done on parameter choices and scheme designs, new optimizations are developed, and CPU speeds increase. [21]. The first three bear similarities, although differ somewhat in the error correction of the shared secret.…”

Section: Introductionmentioning

confidence: 91%

“…The only other implementation for R-LWE with comparable parameters of which we are aware is by Zhang et al [21]. Their authenticated key exchange protocol has a somewhat different structure, and in particular achieves both key exchange and authentication from R-LWE.…”

Section: B Within Tls and Httpsmentioning

confidence: 98%

“…[17], [18], [19], [20], [21]). In Section VI we present performance measurements of the standalone R-LWE operations and of our protocol in the context of TLS; our R-LWE implementation is sufficiently optimized to be an order of magnitude faster than another recent lattice-based key agreement protocol [21] (which is not integrated into TLS). We conclude the paper in Section VII.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Bos

Costello

Naehrig

et al. 2015

2015 IEEE Symposium on Security and Privacy

234

131

View full text Add to dashboard Cite

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing ciphersuites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these ciphersuites with a rigorous proof of security. Our approach ties latticebased key exchange together with traditional authentication using RSA or elliptic curve digital signatures: the post-quantum key exchange provides forward secrecy against future quantum attackers, while authentication can be provided using RSA keys that are issued by today's commercial certificate authorities, smoothing the path to adoption.Our cryptographically secure implementation, aimed at the 128-bit security level, reveals that the performance price when switching from non-quantum-safe key exchange is not too high. With our R-LWE ciphersuites integrated into the OpenSSL library and using the Apache web server on a 2-core desktop computer, we could serve 506 RLWE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KiB payload. Compared to elliptic curve Diffie-Hellman, this means an 8 KiB increased handshake size and a reduction in throughput of only 21%. This demonstrates that provably secure post-quantum key-exchange can already be considered practical.

show abstract

Section: Introductionmentioning

confidence: 91%

Section: B Within Tls and Httpsmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Bos

Costello

Naehrig

et al. 2015

2015 IEEE Symposium on Security and Privacy

234

131

View full text Add to dashboard Cite

show abstract

“…However, as it was signaled in [2], the ring signature based authentication makes the schemes vulnerable to KCI and eKCI-adversary knowing the peer long term key can impersonate other parties to that peer. In [35] the lattice based HMQV version for postquantum era was proposed. The proposition exchanges the cryptographic building blocks, preserving the construction design, but as the original version, it is still eKCI vulnerable.…”

Section: Previous Workmentioning

confidence: 99%

Deniable Key Establishment Resistance against eKCI Attacks

Krzywiecki

Wlisłocki

2017

Security and Communication Networks

View full text Add to dashboard Cite

In extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols the adversary impersonates one party, having the long term key and the ephemeral key of the other peer party. Such an attack can be mounted against variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (Boneh-Lynn-Shacham) signatures, for strengthening HMQV was proposed in literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages.

show abstract

“…Ongoing progress towards building such quantum computers recently motivated standardization bodies to set up programs for standardizing post-quantum public key primitives, focusing on schemes for digital signatures, public key encryption, and key exchange [7,20,27]. A particularly interesting area of post-quantum cryptography is lattice-based cryptography; there exist efficient lattice-based proposals for signatures, encryption, and key exchange [10,25,16,30,4,42,1] and several of the proposed schemes have implementations, including implementations in open source libraries [39]. While the theoretical and practical security of these schemes is under active research, security of implementations is an open issue.…”

Section: Introductionmentioning

confidence: 99%

Flush, Gauss, and Reload – A Cache Attack on the BLISS Lattice-Based Signature Scheme

Bruinderink

Hülsing

Lange

et al. 2016

Lecture Notes in Computer Science

128

112

View full text Add to dashboard Cite

Abstract. We present the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache-attack. The attack is targeted at the discrete Gaussian sampler, an important step in the Bimodal Lattice Signature Schemes (BLISS). After observing only 450 signatures with a perfect side-channel, an attacker is able to extract the secret BLISS-key in less than 2 minutes, with a success probability of 0.96. Similar results are achieved in a proof-of-concept implementation using the Flush+Reload technique with less than 3500 signatures. We show how to attack sampling from a discrete Gaussian using CDT or Bernoulli sampling by showing potential information leakage via cache memory. For both sampling methods, a strategy is given to use this additional information, finalize the attack and extract the secret key. We provide experimental evidence for the idealized perfect side-channel attacks and the Flush+Reload attack on two recent CPUs.

show abstract

Authenticated Key Exchange from Ideal Lattices

Cited by 120 publications

References 71 publications

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Deniable Key Establishment Resistance against eKCI Attacks

Flush, Gauss, and Reload – A Cache Attack on the BLISS Lattice-Based Signature Scheme

Contact Info

Product

Resources

About