PASSWORD BASED KEY EXCHANGE FROM RING LEARNING WITH ERRORS

Abstract

Use the same basic idea of KE based on Ring LWE, this invention gives constructions of a new authenticated key exchanges system, where the authentication is achieved through a shared password between two parties. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks. This invention can also be modified using the LWE problem.

Description

BACKGROUND

The present disclosure claims priority to the U.S. provisional patent application 62/215,186, entitled “Password Based Key Exchange from Ring Learning with Errors”, filed Sep. 8, 2012, which is incorporated herein by reference in its entirety and for all purposes.

In our modern communication systems like Internet, cell phone, etc, to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and easy to use key exchange system between the server and the clients.

This invention is related to the construction of an authenticated key exchange (KE) systems, where the authentication is achieved using a simple password. Such a system is very useful for many applications, in particular, the case where a client wants to communicate securely with a server, and where the only share secret is the password or certain hash value of a password. We call such a key exchange a password-authenticated key exchange (PAKE).

PAKE systems were proposed in [BMc], [Mc], whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as showed in the work of Shor [SHO].

In this invention, we construct new PAKEs that can resist quantum computer attacks use the LWE problem. The invention is based on the new KE from the LWE problem first constructed in the US Patent “Cryptographic systems using pairing with errors” with U.S. Pat. No. 9,246,675.

BRIEF SUMMARY OF THE INVENTION

This invention first contains a novel method for two parties i and j to perform an secure authenticated KE over an open communication channel assuming that they share a secret password π. This method is based on the idea of the computation of pairing of the same bilinear form in two different ways but each with different small errors. The shared key is derived from the pairings with a rounding technique. This method can be viewed as an extension of the idea of the learning with errors (LWE) problem discovered by Regev in 2005 [Reg] and the Ring LWE [LPR]. The security of this system depends the hardness of certain lattice problem, which can be mathematically proven hard [DALSS]. This system involves only simple multiplication and therefore is very efficient. Such a system can also resist the future quantum computer attacks.

This invention contains an additive construction of PAKE with either explicit authentication or implicit authentication. Furthermore, this invention can be modified slightly to build multiplicative version.

Though this invention has been described with specific embodiments thereof, it is clear that many variations, alternatives, or modifications will become apparent to those who are skilled in the art of cryptography. Therefore, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the scope and spirit of the invention as set forth herein and defined in the claims. The claims in this invention are based on the U.S. provisional patent application with Ser. No. 62/215,186, entitled “Password Based Key Exchange from Ring Learning with Errors”, filed Sep. 8, 2012, only more technical details are added.

DETAILED DESCRIPTION OF THE INVENTION

1.1 The Basic Background

The learning with errors (LWE) problem, introduced by Regev in 2005 [Reg], and its extension, the ring learning with errors (RLWE) problem [LPR] have broad application in cryptographic constructions with some good provable secure properties. The main claim is that they are as hard as certain worst-case lattice problems and hence the related cryptographic constructions.

A LWE problem can be described as follows. First, we have a parameter n, a (prime) modulus q, and an error probability distribution k on the finite ring (field) _q with q elements. To simplify the exposition, we will take q to be an odd prime but we can also work on any whole number except that we may need to make slight modifications.

_q, each element is represented by the set {−(q−1)/2, . . . , 0, . . . , (q−1)/2}. In this exposition, by “an error” distribution, we mean a distribution such that if we select an element following this distribution, there is a high probability we will select an element, which is small. There are many such selections and the selections directly affect the security of the system. One should select good error distribution to make sure the system works well and securely.

Let II_S,k on _q be the probability distribution obtained by selecting an element A in F_qⁿ randomly and uniformly, choosing e ∈ F_q according to k, and outputting (A, <A, S>+e), where + is the addition that is performed in F_q. An algorithm that solves the LWE problem with modulus q and error distribution k, if, for any S in F_qⁿ, with an arbitrary number of independent samples from II_S,k, it outputs S (with high probability).

To achieve the provable security of the related cryptographic constructions based on the LWE problem, one chooses q to be specific polynomial functions of n, that is q is replaced by a polynomial functions of n, which we will denote as q(n), k to be certain discrete version of normal distribution centered around 0 with the standard deviation σ=αq≥√{square root over (n)}, and elements of F_q are represented by integers in the range [−(q−1)/2, (q−1)/2)], which we denote as k_σ.

In the original encryption system based on the LWE problem, one can only encrypt one bit a time, therefore the system is rather inefficient and it has a large key size. To further improve the efficiency of the cryptosystems based on the LWE problem, a new problem, which is a LWE problem based on a quotient ring of the polynomial ring F_q[x][LPR], was proposed. This is called the ring LWE (RLWE) problem. In the cryptosystems based on the RLWE problem, their security is reduced to hard problems on a subclass of lattices, the class of ideal lattices, instead of general lattices.

Later, a new variant of LWE was proposed in [ACPS]. This variant of the LWE problem is based on the LWE problem. We will replace a vector A with a matrix A of size m×n, and S also with a matrix of size n×1, such that they are compatible to perform matrix multiplication A×S. We also replace e with a compatible matrix of size m×1. We will work on the same finite field with q elements.

To simplify the exposition, we will only present PAKE, in detail, for the case using Ring LWE.

For all our constructions, we first define the following notations, which we will use throughout this application. Let n be a power of 2, and f(x)=xⁿ+1. Let q≈2^{w(log n)} be an odd prime such that q mod 2n=1. Take R=[x]/f(x) and R_q=_q[x]/f(x) as above. For γ ∈ ⁺, let H₁: {0, 1}*→X_γ=_,γ be a hash function with output distribution X_γ. Let H₂: {0, 1}*→{0, 1}^k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. We model both functions as random oracles. Let X_α, X_β be two discrete Gaussian distributions with parameters α, β ∈ ⁺. Let π_i,j be the shared password of parties i and j, and let h: {0, 1}*→R_q be a uniform hash function used to hide the password.

We now define the Sig and Mod₂ functions. We denote

${\mathbb{Z}}_q=\left\{-\frac{q-1}{2},\dots ,\frac{q-1}{2}\right\},$

$E:=\left\{-\lfloor \frac{q}{4}\rfloor ,\dots ,\lfloor \frac{q}{4}\rfloor \right\},$

and consider the set i.e. the “middle” of _q. Recall that Sig is simply the characteristic function of the complement E[DiLi], and that Mod₂: _q×{0, 1}→{0, 1} is defined as:

${\mathrm{Mod}}_2\left(v,b\right)=\left(v+b·\frac{q-1}{2}\right)\mathrm{mod}q\mathrm{mod}2.$

When Sig, Mod₂ are applied to a ring elements, it will apply to each coefficient of the ring element. Sig was also denoted by Cha before, and they are the same function with different notation.

We will leave off the subscripts on π in what follows when the parties involved are clear from context.

1.1 The Construction of the PAKE with Explicit Authentication

We also take verification hashes n, n′ to ensure both parties are mutually authenticated. Our protocol consists of the following steps, illustrated in FIG. 1:

Initiation Party i randomly samples r_i, f_i←Xβ, computes x_i=ar_i+2f_i, and sends m=x_i+h(π) to party j.

Response Party j receives x_i+h(π) from party i and recovers x_i=m−h(π). Party j then randomly samples r_j, f_j←Xβ and computes y_j=ar_j+2f_j and k_j=x_i·r_j.

• • Next, party j computes w_j=Sig(k_j) ∈ {0, 1}² and σ=Mod₂(k_j, w_j). Party j sends y_j, w_j, and k=n(i, j, x_i, y_j, σ, π) to party i. Lastly, derives the session key sk_j=H₂(i, j, x_i, y_j, w_j, σ).

Finish Party i computes k_i=r_i·y_j and k′=n′(j, i, x_i, y_j, σ, π).

• • Finally, party i computes σ=Mod₂(k_i, w_j) and derives the session key sk_i=H₂(i, j, x_i, y_j, w_j, σ). Party i also verifies that k=n(i, j, x_i, y_j, σ, π) matches the value of k received from party j. If it does not, party i ends the communication. If it does, party i sends k′ to party j, who verifies it in the same way.

1.2 The Construction of the PAKE with Implicit Authentication

We construct here a variation of the protocol that gives implicit authentication, similar to the PPK variation on the PAK protocol. If either party provides an incorrect password, then the parties' “shared” keys will not actually match, effectively preventing communication without explicitly checking for matching passwords.

Initiation Party i randomly samples r_i, f_i←Xβ, computes x_i=ar_i+2f_i, and sends m=x_i+h(π) to party j.

Response Party j receives x_i+h(π) from party i and recovers x_i=m−h(π). Party j then randomly samples r_j, f_j←Xβ and computes y_j=ar_j+2f_j and k_j=x_i·r_j.

• • Next, party j computes w_j=Sig(k_j) ∈ {0, 1}². Party j sends μ=y_j+h(π) and w_j to party i. Lastly, party j computes σ_j=Mod₂(k_j, w_j) and derives the session key sk_j=H₂(i, j, x_i, y_j, w_j, σ_j).

Finish Party i recovers the pair (y_j, w_j), and uses it compute k_i=r_i·y_j.

• • Finally, party i computes σ_i=Mod₂(k_i, w_j) and derives the session key sk_i=H₂(i, j, x_i, y_j, w_j, σ_i).

1.3 The Construction of Multiplicative Version the PAKE

In addition to the two protocols above, we can also blind the protocol messages by multiplying by the hashed password rather than adding as done above. Note that this form only works if h(π) is invertible in the ring, but that condition will usually be met.

Initiation Party i randomly samples r_i, f_i←Xβ, computes x_i=ar_i+2f_i, and sends m=x_i·h(π) to party j.

Response Party j receives x_i·h(π) from party i and recovers x_i=m·h(π)⁻¹. Party j then randomly samples r_j, f_j←Xβ and computes y_j=ar_j+2f_j and k_j=x_i·r_j.

• • Next, party j computes w_j=Sig(k_j) ∈ {0, 1}² and σ=Mod₂(k_j, w_j). Party j sends y_j, w_j, and k=n(i, j, x_i, y_j, σ, π) to party i. Lastly, derives the session key sk_j=H₂(i, j, x_i, y_j, w_j, σ).

Finish Party i computes k_i=r_i·y_j and k′=n′(j, i, x_i, y_j, σ, π).

• • Finally, party i computes σ=Mod₂(k_i, w_j) and derives the session key sk_i=H₂(i, j, x_i, y_j, w_j, σ). Party i also verifies that k=n(i, j, x_i, y_j, σ, π) matches the value of k received from party j. If it does not, party i ends the communication. If it does, party i sends k′ to party j, who verifies it in the same way.

We can also apply the multiplicative variant to the implicitly authenticated version, as described below:

Initiation Party i randomly samples r_i, f_i←Xβ, computes x_i=ar_i+2f_i, and sends m=x_i·h(π) to party j.

Response Party j receives x_i·h(π) from party i and recovers x_i=m·h(π)⁻¹. Party j then randomly samples r_j, f_j←Xβ and computes y_j=ar_j+2f_j and k_j=x_i·r_j.

• • Next, party j computes w_j=Sig(k_j) ∈ {0, 1}². Party j sends μ=y_j·h(π)⁻¹ and w_j to party i. Lastly, party j computes σ_j=Mod₂(k_j, w_j) and derives the session key sk_j=H₂(i, j, x_i, y_j, w_j, σ_j).

Finish Party i recovers the pair (y_j, w_j), and uses it compute k_i=r_i·y_j.

• • Finally, party i computes σ_i=Mod₂(k_i, w_j) and derives the session key sk_i=H₂(i, j, x_i, y_j, w_j, σ_i).

LITERATURE CITED

[ACPS] B. Applebaum, D. Cash, C. Peikert, A. Sahai; Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. Advances in Cryptology-CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677 pp 595-618, 2009

[BMc] Boyko, V.; P. MacKenzie; S. Patel (2000). “Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman”. Advances in Cryptology—Eurocrypt 2000, LNCS. Lecture Notes in Computer Science. Springer-Verlag. 1807: 156?171.

[COP] D. Coppersmith, Shmuel Winograd, Matrix multiplication via arithmetic progressions, Journal of Symbolic Computation—Special issue on computational algebraic complexity archive 9 (3), pp 251-280, 1990

[DALSS] Jintai Ding, Saed Alsayigh, Jean Lancrenon, Saraswathy R V, Michael Snook, Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-Quantum World, Cryptology ePrint Archive: Report 2016/552

[DiHe] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6), pp 644-54, 1976.

[DiLi] J. Ding, X. Lin, A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem, Cryptology ePrint Archive, Report 688, 2012

[LPR] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings In Eurocrypt 2010

[Mc] MacKenzie, P.: On the Security of the SPEKE Password-Authenticated Key Exchange Protocol. Cryptology ePrint Archive, Report 2001/057 (2001), http://eprint.iacr.org/2001/057

[REG] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in Proceedings of the 37th Annual ACM Symposium on Theory of Computing—STOC05, ACM, pp 84-93, 2005

[SHO] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal of Computing 26, pp. 1484-1509, 1997.

Claims

1. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authentication, comprising: Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f(x)=xn+1. q≈2w(log n) be an odd prime such that q mod 2n=1. Take R=[x]/f(x) and Rq=q[x]/f(x). Choose γ ∈ +, and H1: {0, 1}*→Xγ=γ be a hash function with output distribution Xγ. Choose H2: {0, 1}*→{0, 1}k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let Xα, Xβ be two discrete Gaussian distributions with parameters α, β ∈ +. πi,j be the shared password of parties i and j, and choose h: {0, 1}*→Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context. Choose the Sig and Mod2 functions. We denote and

2. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit authentication, comprising: Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f(x)=xn+1. q≈2w(log n) be an odd prime such that q mod 2n=1. Take R=[x]/f(x) and Rq=q[x]/f(x). Choose γ ∈ +, and H1: {0, 1}*→Xγ=,γ be a hash function with output distribution Xγ. Choose H2: {0, 1}*→{0, 1}k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let Xα, Xβ be two discrete Gaussian distributions with parameters α, β ∈ +. πi,j be the shared password of parties i and j, and choose h: {0, 1}*→Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context. Choose the Sig and Mod2 functions. We denote and

3. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and explicit authentication by multiplication of hashed password, comprising: Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f(x)=xn+1. q≈2w(log n) be an odd prime such that q mod 2n=1. Take R=[x]/f(x) and Rq=q[x]/f(x). Choose γ ∈ +, and H1: {0, 1}*→Xγ=Dn,γ be a hash function with output distribution Xγ. Choose H2: {0, 1}*→{0, 1}k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let Xα, Xβ be two discrete Gaussian distributions with parameters α, β ∈ +. πi,j be the shared password of parties i and j, and choose h: {0, 1}*→Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context. Choose the Sig and Mod2 functions. We denote and

4. Method for establishing a key exchange over an open channel between a first party i and a second party j with a shared password and implicit authentication by multiplication of hashed password, comprising: Set up Party i and Party j openly choose the following parameters and functions. n be a power of 2, and f(x)=xn+1. q≈2w(log n) be an odd prime such that q mod 2n=1. Take R=[x]/f(x) and Rq=q[x]/f(x). Choose γ ∈ +, and H1: {0, 1}*→Xγ=,γ be a hash function with output distribution Xγ. Choose H2: {0, 1}*→{0, 1}k be the Key Derivation Function (KDF), where k is the bit-length of the final shared key. Let Xα, Xβ be two discrete Gaussian distributions with parameters α, β ∈ +. πi,j be the shared password of parties i and j, and choose h: {0, 1}*→Rq be a uniform hash function used to hide the password. We will leave off the subscripts on π in what follows when the parties involved are clear from context. Choose the Sig and Mod2 functions. We denote and

5. The method according to claim 1, wherein the “Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.

6. The methods according to claim 1, wherein the “Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.

7. The methods according to claim 1, wherein one of Party i and Party j is a server and the other a client.

8. The methods according to claim 1, wherein the rounding technique is replaced with a similar technique.

9. The method according to claim 2, wherein the “Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.

10. The methods according to claim 2, wherein the “Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.

11. The methods according to claim 2, wherein one of Party i and Party j is a server and the other a client.

12. The methods according to claim 2, wherein the rounding technique is replaced with a similar technique.

13. The method according to claim 3, wherein the “Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.

14. The methods according to claim 3, wherein the “Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.

15. The methods according to claim 3, wherein one of Party i and Party j is a server and the other a client.

16. The methods according to claim 3, wherein the rounding technique is replaced with a similar technique.

17. The method according to claim 4, wherein the “Set Up” step chooses different parameters (q n, distributions etc) as long as the related Ring LWE problem is hard to solve.

18. The methods according to claim 4, wherein the “Set Up” step choose parameters from the LWE problem instead of the Ring LWE problem, and we will do matrix operation instead of ring element operations and the matrices is rectangular or square as long as the matrix multiplication is compatible and the parameters are adjusted accordingly.

19. The methods according to claim 4, wherein one of Party i and Party j is a server and the other a client.

20. The methods according to claim 4, wherein the rounding technique is replaced with a similar technique.