Paper Info
Title
The Whole is Less than the Sum of its Parts: Constructing More Efficient Lattice-Based AKEs.
Abstract
Authenticated Key Exchange AKE is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Because AKE can be generically constructed by combining a digital signature scheme with public key encryption or a KEM, most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures. In this paper, we show that by simultaneously considering the secrecy and authenticity requirements of an AKE, we can construct a scheme that is more secure and with smaller communication complexity than a scheme created by a generic combination of a KEM with a signature scheme. Our improvement uses particular properties of lattice-based encryption and signature schemes and consists of two parts --- the first part increases security, whereas the second reduces communication complexity. We first observe that parameters for lattice-based encryption schemes are always set so as to avoid decryption errors, since many observations by the adversary of such failures usually leads to him recovering the secret key. But since one of the requirements of an AKE is that it be forward-secure, the public key must change every time. The intuition is therefore that one can set the parameters of the scheme so as to not care about decryption errors and everything should still remain secure. We show that this naive solution is not quite correct, but the intuition can be made to work by a small change in the scheme. Our new AKE, which now remains secure in case of decryption errors, fails to create a shared key with probability around $$2^{-30}$$, but adds enough security that we are able to instantiate a KEM based on the NTRU assumption with rings of smaller dimension. Our second improvement is showing that certain hash-and-sign lattice signatures can be used in \"message-recovery\" mode. In this mode, the signature size is doubled but this longer signature is enough to recover an even longer message --- thus the signature is longer but the message does not need to be sent. This is advantageous when signing relatively long messages, such as the public keys and ciphertexts generated by a lattice-based KEM. We show how this technique reduces the communication complexity of the generic construction of our AKE by around $$20\\,\\%$$. Using a lattice-based signature in message-recovery mode is quite generic i.e. it does not depend on the structure of the message, and so it may be used in AKE constructions that use a different KEM, or even simply as a way to reduce the transmission length of a message and its digital signature.
Year
DOI
Venue
2016
10.1007/978-3-319-44618-9_15
IACR Cryptology ePrint Archive
DocType
Volume
ISSN
Conference
2016
0302-9743
Citations 
PageRank 
References 
3
0.40
33
Authors
3
Name
Order
Citations
PageRank
Rafaël Del Pino160.76
Vadim Lyubashevsky2117459.91
David Pointcheval3104563.86