Ring learning with errors key exchange

Last updated

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Contents

Background

Since the 1980s the security of cryptographic key exchanges and digital signatures over the Internet has been primarily based on a small number of public key algorithms. The security of these algorithms is based on a similarly small number of computationally hard problems in classical computing. These problems are the difficulty of factoring the product of two carefully chosen prime numbers, the difficulty to compute discrete logarithms in a carefully chosen finite field, and the difficulty of computing discrete logarithms in a carefully chosen elliptic curve group. These problems are very difficult to solve on a classical computer (the type of computer the world has known since the 1940s through today) but are rather easily solved by a relatively small quantum computer using only 5 to 10 thousand of bits of memory. There is optimism in the computer industry that larger scale quantum computers will be available around 2030. If a quantum computer of sufficient size were built, all of the public key algorithms based on these three classically hard problems would be insecure. This public key cryptography is used today to secure Internet websites, protect computer login information, and prevent our computers from accepting malicious software.

Cryptography that is not susceptible to attack by a quantum computer is referred to as quantum safe, or post-quantum cryptography. One class of quantum resistant cryptographic algorithms is based on a concept called "learning with errors" introduced by Oded Regev in 2005. [1] A specialized form of Learning with errors operates within the ring of polynomials over a finite field. This specialized form is called ring learning with errors or RLWE.

There are a variety of cryptographic algorithms which work using the RLWE paradigm. There are public-key encryption algorithms, homomorphic encryption algorithms, and RLWE digital signature algorithms in addition to the public key, key exchange algorithm presented in this article

A key exchange algorithm is a type of public key algorithm which establishes a shared secret key between two communicants on a communications link. The classic example of a key exchange is the Diffie–Hellman key exchange. The exchange consists of one transmission from one end of the line and one transmission from the other end of the link. Diffie–Hellman and Elliptic Curve Diffie–Hellman are the two most popular key exchange algorithms.

The RLWE Key Exchange is designed to be a "quantum safe" replacement for the widely used Diffie–Hellman and elliptic curve Diffie–Hellman key exchanges that are used to secure the establishment of secret keys over untrusted communications channels. Like Diffie–Hellman and Elliptic Curve Diffie–Hellman, the Ring-LWE key exchange provides a cryptographic property called "forward secrecy"; the aim of which is to reduce the effectiveness of mass surveillance programs and ensure that there are no long term secret keys that can be compromised that would enable bulk decryption.

Introduction

Starting with a prime integer q, the Ring-LWE key exchange works in the ring of polynomials modulo a polynomial with coefficients in the field of integers mod q (i.e. the ring ). Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod .

The idea of using LWE and Ring LWE for key exchange was first proposed and filed at the University of Cincinnati in 2011 by Jintai Ding. The idea comes from the associativity of matrix multiplications, and the errors are used to provide the security. The paper [2] appeared in 2012 after a provisional patent application was filed in 2012. The security of the protocol is proven based on the hardness of solving the LWE problem.

In 2014, Peikert presented a key-transport scheme [3] following the same basic idea of Ding's, where the new idea of sending an additional 1-bit signal for rounding in Ding's construction is also used.

The "New Hope" implementation [4] selected for Google's post-quantum experiment, [5] uses Peikert's scheme with variation in the error distribution.

For somewhat greater than 128 bits of security, Singh presents a set of parameters which have 6956-bit public keys for the Peikert's scheme. [6] The corresponding private key would be roughly 14,000 bits. An RLWE version of the classic MQV variant of a Diffie–Hellman key exchange was later published by Zhang et al. in 2014. The security of both key exchanges is directly related to the problem of finding approximate short vectors in an ideal lattice. This article will closely follow the RLWE work of Ding in "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem". [2] For this presentation a typical polynomial is expressed as:

The coefficients of this polynomial are integers mod q. The polynomial will be the cyclotomic polynomial. When n is a power of 2 then [6] [7]

The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "infinity norm." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as integers in Z rather than (i.e.from the set {−(q  1)/2,..., 0, ... (q  1)/2} ). The algorithm's security depends on an ability to generate random polynomials which are small with respect to the infinity norm. This is done simply by randomly generating the coefficients for a polynomial (sn-1, ..., s0) which are guaranteed or very likely to be small. There are two common ways to do this:

  1. Using Uniform Sampling – The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose coefficients from the set: { −b, −b + 1, −b + 2. ... −2, −1, 0, 1, 2, ... , b  2, b  1, b} the polynomial will be small with respect to the bound (b). Singh suggest using b = 5. [6] Thus coefficients would be chosen from the set {q  5, q  4, q  3, q  2, q  1, 0, 1, 2, 3, 4, 5 }.
  2. Using Discrete Gaussian Sampling – For an odd value for q, the coefficients are randomly chosen by sampling from the set { −(q  1)/2 to (q  1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. An overview of Gaussian sampling is found in a presentation by Peikert. [8]

For the rest of this article, the random small polynomials will be sampled according to a distribution which is simply specified as D. Further q will be an odd prime such that q is congruent to 1 mod 4 and 1 mod 2n. Other cases for q and n are thoroughly discussed in "A Toolkit for Ring-LWE Cryptography" and in Singh's "Even More Practical Key Exchange for the Internet using Lattice Cryptography." [9] [10] and another paper by Singh. A fixed public polynomial, a(x), shared by all users of the network. It is deterministically generated from a cryptographically secure source.

Given a(x) as stated, we can randomly choose small polynomials s(x) and e(x) to be the "private key" in a public key exchange. The corresponding public key will be the polynomial p(x) = a(x)s(x) + 2e(x).

The key exchange

The key exchange will take place between two devices. There will be an initiator for the key exchange designated as (I) and a respondent designated as (R). Both I and R know q, n, a(x), and have the ability to generate small polynomials according to the distribution with parameter . The distribution is usually the discrete Gaussian distribution on the ring . The description which follows does not contain any explanation of why the key exchange results in the same key at both ends of a link. Rather, it succinctly specifies the steps to be taken. For a thorough understanding of why the key exchange results in the initiator and responder having the same key, the reader should look at the referenced work by Ding et al. [2]

The key exchange begins with the initiator (I) doing the following:

Initiation:

  1. Generate two polynomials and with small coefficients by sampling from the distribution .
  2. Compute
  3. The initiator sends the polynomial to the Responder.

Response:

  1. Generate two polynomials and with small coefficients by sampling from the distribution .
  2. Compute .
  3. Generate a small from . Compute . Then .
  4. Use the signal function to find . This is computed by applying function on each coefficient of
  5. Respondent side's key stream is calculated, based on the reconciliation information and the polynomial .
  6. The Respondent sends and to the Initiator.

Finish:

  1. Receive and from the Responder.
  2. Sample from and Compute .
  3. Initiator side's key stream is produced as from the reconciliation information and polynomial .

In the above key exchange, is the signal function defined as below:

Define subset of . Here, and denotes the floor and the rounding to the nearest integer respectively.

Function is the characteristic function of the complement of E.

:

is the mod 2 operation to eliminate the error terms defined as follows:

Note that the values of and are only approximately equal. In order to extract a shared key using this approximate equal values, a reconciliation function, also known as a signal function is used. This function indicates the region in which each coefficient of a polynomial in lies and helps to make sure that the error terms in and do not result in different mod q operations.

The methods of reconciliation and key string generation depends on the specific RLWE-KEX scheme in question. Some method is based on modular arithmetic, while others may be based on high-dimension geometry. [6] [11]

If the key exchange worked properly, the initiator's string and the respondent's string will be the same.

Depending on the specifics of the parameters chosen, there is an extremely small probability that this key exchange will fail to produce the same key. Parameters for the key exchange can be chosen to make the probability of failure in the key exchange very small; much less than the probability of undetectable garbles or device failures.

Parameter choices

The RLWE-KEX exchange presented above worked in the Ring of Polynomials of degree n  1 or less mod a polynomial . The presentation assumed that n was a power of 2 and that q was a prime which was congruent to 1 (mod 2n). Following the guidance given in Peikert's paper, Singh suggested two sets of parameters for the RLWE-KEX.

For 128 bits of security, n = 512, q = 25601, and

For 256 bits of security, n = 1024, q = 40961, and

Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter σ is and the uniform sampling bound (b) = 5 (see Singh), [6] then the probability of key agreement failure is less than 2−71 for the 128-bit secure parameters and less than 2−91 for the 256-bit secure parameters.

In their November 2015 paper, Alkim, Ducas, Pöppelmann, and Schwabe recommend the following parameters n = 1024, q =12289, and = x1024 + 1. [11] This represents a 70% reduction in public key size over the n = 1024 parameters of Singh, and was submitted to NIST's Post-Quantum Cryptography Standardization project under the name NewHope.

Also in their November 2015 paper, Alkim, Ducas, Pöppelmann and Schwabe recommend that the choice of the base polynomial for the key exchange ( a(x) above ) be either generated randomly from a secure random number generator for each exchange or created in a verifiable fashion using a "nothing up my sleeve" or NUMS technique. [11] An example of parameters generated in this way are the prime numbers for the Internet Key Exchange (RFC 2409) which embed the digits of the mathematical constant pi in the digital representation of the prime number. [12] Their first method prevents amortization of attack costs across many key exchanges at the risk of leaving open the possibility of a hidden attack like that described by Dan Bernstein against the NIST elliptic curves. [13] The NUMS approach is open to amortization but generally avoids the Bernstein attack if only common mathematical constants such as pi and e are used.

Key exchange security

The security of this key exchange is based on the underlying hardness of ring learning with errors problem that has been proven to be as hard as the worst case solution to the shortest vector problem (SVP) in an ideal lattice. [1] [2] The best method to gauge the practical security of a given set of lattice parameters is the BKZ 2.0 lattice reduction algorithm. [14] According to the BKZ 2.0 algorithm the key exchange parameters listed above will provide greater than 128 or 256 bits of security, respectively.

Implementations

In 2014 Douglas Stebila made a patch for OpenSSL 1.0.1f. based on his work and others published in "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem." [15] Software implementing the work of Singh is found on GitHub at https://github.com/vscrypto/ringlwe. [6]

Other approaches

A variant of the approach described above is an authenticated version in the work of Zhang, Zhang, Ding, Snook and Dagdelen in their paper, "Post Quantum Authenticated Key Exchange from Ideal Lattices." [16] The concept of creating what has been called a Diffie–Hellman-like Key Exchange using lattices with a reconciliation function appears to have first been presented by French researchers Aguilar, Gaborit, Lacharme, Schrek, and Zemor at PQCrypto 2010 in their talk, "Noisy Diffie–Hellman Protocols." [17]

In November 2015, Alkim, Ducas, Pöppelmann, and Schwabe built on the prior work of Peikert and used what they believe is a more conservative costing of lattice attacks to recommend parameters. [11] Software based on the work of Alkim, Ducas, Pöppelmann, and Schwabe is found on GitHub at https://github.com/tpoeppelmann/newhope [11]

See also

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems. It was published by Ralph Merkle and Martin Hellman in 1978. A polynomial time attack was published by Adi Shamir in 1984. As a result, the cryptosystem is now considered insecure.

In mathematics, for given real numbers a and b, the logarithm logba is a number x such that bx = a. Analogously, in any group G, powers bk can be defined for all integers k, and the discrete logarithm logba is an integer k such that bk = a. In number theory, the more commonly used term is index: we can write x = indra (mod m) (read "the index of a to the base r modulo m") for rxa (mod m) if r is a primitive root of m and gcd(a,m) = 1.

<span class="mw-page-title-main">Trapdoor function</span> One-way cryptographic tool

In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction without special information, called the "trapdoor". Trapdoor functions are a special case of one-way functions and are widely used in public-key cryptography.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

The NTRUEncrypt public key cryptosystem, also known as the NTRU encryption algorithm, is an NTRU lattice-based alternative to RSA and elliptic curve cryptography (ECC) and is based on the shortest vector problem in a lattice.

In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently. It is not known how to prove (unconditional) hardness for essentially any useful problem. Instead, computer scientists rely on reductions to formally relate the hardness of a new or complicated problem to a computational hardness assumption about a problem that is better-understood.

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions support important standards of post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems — which could, theoretically, be defeated using Shor's algorithm on a quantum computer — some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

In computer science, lattice problems are a class of optimization problems related to mathematical objects called lattices. The conjectured intractability of such problems is central to the construction of secure lattice-based cryptosystems: lattice problems are an example of NP-hard problems which have been shown to be average-case hard, providing a test case for the security of cryptographic algorithms. In addition, some lattice problems which are worst-case hard can be used as a basis for extremely secure cryptographic schemes. The use of worst-case hardness in such schemes makes them among the very few schemes that are very likely secure even against quantum computers. For applications in such cryptosystems, lattices over vector spaces or free modules are generally considered.

In cryptography, learning with errors (LWE) is a mathematical problem that is widely used to create secure encryption algorithms. It is based on the idea of representing secret information as a set of equations with errors. In other words, LWE is a way to hide the value of a secret by introducing noise to it. In more technical terms, it refers to the computational problem of inferring a linear -ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus to be useful in cryptography.

In cryptography, SWIFFT is a collection of provably secure hash functions. It is based on the concept of the fast Fourier transform (FFT). SWIFFT is not the first hash function based on the FFT, but it sets itself apart by providing a mathematical proof of its security. It also uses the LLL basis reduction algorithm. It can be shown that finding collisions in SWIFFT is at least as difficult as finding short vectors in cyclic/ideal lattices in the worst case. By giving a security reduction to the worst-case scenario of a difficult mathematical problem, SWIFFT gives a much stronger security guarantee than most other cryptographic hash functions.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer. Most widely-used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Supersingular isogeny Diffie–Hellman key exchange is an insecure proposal for a post-quantum cryptographic algorithm to establish a secret key between two parties over an untrusted communications channel. It is analogous to the Diffie–Hellman key exchange, but is based on walks in a supersingular isogeny graph and was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer. Before it was broken, SIDH boasted one of the smallest key sizes of all post-quantum key exchanges; with compression, SIDH used 2688-bit public keys at a 128-bit quantum security level. SIDH also distinguishes itself from similar systems such as NTRU and Ring-LWE by supporting perfect forward secrecy, a property that prevents compromised long-term keys from compromising the confidentiality of old communication sessions. These properties seemed to make SIDH a natural candidate to replace Diffie–Hellman (DHE) and elliptic curve Diffie–Hellman (ECDHE), which are widely used in Internet communication. However, SIDH is vulnerable to a devastating key-recovery attack published in July 2022 and is therefore insecure. The attack does not require a quantum computer.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

In post-quantum cryptography, ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption. Public-key cryptography relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought. Homomorphic encryption is a form of encryption that allows computation on ciphertext, such as arithmetic on numeric values stored in an encrypted database.

Short integer solution (SIS) and ring-SIS problems are two average-case problems that are used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Miklós Ajtai who presented a family of one-way functions based on SIS problem. He showed that it is secure in an average case if the shortest vector problem (where for some constant ) is hard in a worst-case scenario.

HEAAN is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS). The first version of HEAAN was published on GitHub on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm was released. Currently, the latest version is Version 2.1.

In post-quantum cryptography, NewHope is a key-agreement protocol by Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe that is designed to resist quantum computer attacks.

References

  1. 1 2 Regev, Oded (2005). "On lattices, learning with errors, random linear codes, and cryptography". Proceedings of the thirty-seventh annual ACM symposium on Theory of computing. STOC '05. New York, NY, USA: ACM. pp. 84–93. CiteSeerX   10.1.1.110.4776 . doi:10.1145/1060590.1060603. ISBN   978-1-58113-960-0. S2CID   53223958.
  2. 1 2 3 4 Ding, Jintai; Xie, Xiang; Lin, Xiaodong (2012). A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem (PDF).
  3. Peikert, Chris (2014-01-01). "Lattice Cryptography for the Internet". Cryptology ePrint Archive.
  4. Alkim, Erdem; Ducas, Léo; Pöppelmann, Thomas; Schwabe, Peter (2015-01-01). "Post-quantum key exchange - a new hope". Cryptology ePrint Archive.
  5. "Experimenting with Post-Quantum Cryptography". Google Online Security Blog. Retrieved 2017-02-08.
  6. 1 2 3 4 5 6 Singh, Vikram (2015). "A Practical Key Exchange for the Internet using Lattice Cryptography". Cryptology ePrint Archive.
  7. "Cryptology ePrint Archive: Report 2015/1120". eprint.iacr.org. Retrieved 2015-12-23.
  8. "An Efficient and Parallel Gaussian Sampler for Lattices" (PDF). www.cc.gatech.edu. Retrieved 2015-05-29.
  9. Lyubashevsky, Vadim; Peikert, Chris; Regev, Oded (2013). "A Toolkit for Ring-LWE Cryptography". Cryptology ePrint Archive.
  10. "Cryptology ePrint Archive: Report 2015/1120". eprint.iacr.org. Retrieved 2016-01-17.
  11. 1 2 3 4 5 "Cryptology ePrint Archive: Report 2015/1092". eprint.iacr.org. Retrieved 2015-11-11.
  12. D., Carrel; D., Harkins (November 1998). "The Internet Key Exchange (IKE)". tools.ietf.org. Retrieved 2017-03-16.
  13. "Is the "New Hope" Lattice Key Exchange vulnerable to a lattice analog of the Bernstein BADA55 Attack?". crypto.stackexchange.com. Retrieved 2017-03-16.
  14. Chen, Yuanmi; Nguyen, Phong Q. (2011). "BKZ 2.0: Better Lattice Security Estimates". In Lee, Dong Hoon; Wang, Xiaoyun (eds.). Advances in Cryptology – ASIACRYPT 2011. Lecture Notes in Computer Science. Vol. 7073. Springer Berlin Heidelberg. pp. 1–20. doi:10.1007/978-3-642-25385-0_1. ISBN   978-3-642-25384-3.
  15. Bos, Joppe W.; Costello, Craig; Naehrig, Michael; Stebila, Douglas (2014-01-01). "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem". Cryptology ePrint Archive.
  16. "Workshop on Cybersecurity in a Post-Quantum World". NIST. 2015-04-02. Retrieved 2015-06-06.
  17. "Noisy Diffie–Hellman protocols" (PDF). pqc2010.cased.de. Archived from the original (PDF) on 2015-06-14. Retrieved 2015-06-06.