Limits on the Efficiency of (Ring) LWE Based Non-interactive Key Exchange

Guo, Siyao; Kamath, Pritish; Rosen, Alon; Sotiraki, Katerina

doi:10.1007/978-3-030-45374-9_13

Cited by 8 publications

(6 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this work, we analyze and construct a multi-party group key exchange protocol. As shown in the work of [18], the key reconciliation mechanism( KRM) is necessary for a LWE based key exchange protocols. Therefore, we first introduce the concept of multi-party KRM and show it's concrete instantiation.…”

Section: Our Contributionsmentioning

confidence: 99%

“…In this section, instead of presenting a concrete instantiation of wGKE, we give a high level description of its existence. In particular, we construct a wGKE using a similar way as in [5,18].…”

Section: Instantiation Of Weak Gkementioning

confidence: 99%

“…Since the quantum resistance of lattice problems, especially the hardness of LWE problems [7,23,25,27,28], most of the recent works [1,6,14,18,19,26,30] mainly focus on designing and improving the quality of lattice based two party protocols. On the other hand, only a few works [2,14] focus on designing lattice based group key exchange( GKE) protocols, but they have their own drawbacks as we show next.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Lattice Based Group Key Exchange Protocol in the Standard Model

Abla¹

2021

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

Group key exchange schemes allow group members to agree on a session key. Although there are many works on constructing group key exchange schemes, but most of them are based on algebraic problems which can be solved by quantum algorithms in polynomial time. Even if several works considered lattice based group key exchange schemes, believed to be post-quantum secure, but only in the random oracle model. In this work, we propose a group key exchange scheme based on ring learning with errors problem. On contrast to existing schemes, our scheme is proved to be secure in the standard model. To achieve this, we define and instantiate multi-party key reconciliation mechanism. Furthermore, using known compiler with lattice based signature schemes, we can achieve authenticated group key exchange with postquantum security.

show abstract

Section: Our Contributionsmentioning

confidence: 99%

Section: Instantiation Of Weak Gkementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Lattice Based Group Key Exchange Protocol in the Standard Model

Abla¹

2021

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

show abstract

“…The learning with errors assumption was introduced by [44]. We will use it with subexponential modulusto-noise ratio to circumvent the difficulties presented in [27]. Definition 2.10 (LWE assumption).…”

Section: Learning With Errors Assumptionmentioning

confidence: 99%

“…NIKE schemes have been studied as an explicit cryptographic building block by Cash, Kiltz, and Shoup [11], followed by a more in-depth study of NIKE security notions and corresponding schemes by Freire, Hofheinz, Kiltz, and Paterson [22]. There are a variety of different NIKE schemes from various computational assumptions (e.g., [16,11,22,5,43,28,27]), and a number of NIKE applications including wireless networks [10], deniable authentication [17], and interactive key exchange [6]. 1 NIKE and tight security.…”

Section: Introductionmentioning

confidence: 99%

Towards Tight Adaptive Security of Non-interactive Key Exchange

Hesse

Hofheinz

Kohl

et al. 2021

Theory of Cryptography

View full text Add to dashboard Cite

We investigate the quality of security reductions for non-interactive key exchange (NIKE) schemes. Unlike for many other cryptographic building blocks (like public-key encryption, signatures, or zero-knowledge proofs), all known NIKE security reductions to date are non-tight, i.e., lose a factor of at least the number of users in the system. In that sense, NIKE forms a particularly elusive target for tight security reductions.The main technical obstacle in achieving tightly secure NIKE schemes are adaptive corruptions. Hence, in this work, we explore security notions and schemes that lie between selective security and fully adaptive security. Concretely:We exhibit a tradeoff between key size and reduction loss. We show that a tighter reduction can be bought by larger public and secret NIKE keys. Concretely, we present a simple NIKE scheme with a reduction loss of O(N 2 log(ν)/ν 2 ), and public and secret keys of O(ν) group elements, where N denotes the overall number of users in the system, and ν is a freely adjustable scheme parameter. Our scheme achieves full adaptive security even against multiple "test queries" (i.e., adversarial challenges), but requires keys of size O(N ) to achieve (almost) tight security under the matrix Diffie-Hellman assumption. Still, already this simple scheme circumvents existing lower bounds.We show that this tradeoff is inherent. We contrast the security of our simple scheme with a lower bound for all NIKE schemes in which shared keys can be expressed as an "inner product in the exponent". This result covers the original Diffie-Hellman NIKE scheme, as well as a large class of its variants, and in particular our simple scheme. Our lower bound gives a tradeoff between the "dimension" of any such scheme (which directly corresponds to key sizes in existing schemes), and the reduction quality. For ν = O(N ), this shows our simple scheme and reduction optimal (up to a logarithmic factor).We exhibit a tradeoff between security and key size for tight reductions. We show that it is possible to circumvent the inherent tradeoff above by relaxing the desired security notion. Concretely, we consider the natural notion of semi-adaptive security, where the adversary has to commit to a single test query after seeing all public keys. As a feasibility result, we bring forward the first scheme that enjoys compact public keys and tight semi-adaptive security under the conjunction of the matrix Diffie-Hellman and learning with errors assumptions.We believe that our results shed a new light on the role of adaptivity in NIKE security, and also illustrate the special role of NIKE when it comes to tight security reductions.

show abstract