spKEX: An optimized lattice-based key exchange [article]

Sauvik Bhattacharya, Óscar García-Morchón, Ronald Rietman, Ludo Tolhuizen
2017 IACR Cryptology ePrint Archive  
The advent of large-scale quantum computers has resulted in significant interest in quantum-safe cryptographic primitives. Lattice-based cryptography is one of the most attractive post-quantum cryptographic families due to its well-understood security, efficient operation and versatility. However, LWE-based schemes are still relatively bulky and slow. In this work, we present spKEX, a forward-secret, post-quantum, unauthenticated lattice-based key-exchange scheme that combines four techniques to optimize performance. spKEX relies on Learning with Rounding (LWR) to reduce bandwidth; it uses sparse and ternary secrets to speed up computations and reduce failure probability; it applies an improved key reconciliation scheme to reduce bandwidth and failure probability; and it computes the public matrix A by means of a permutation to improve performance while allowing for a fresh A in each key exchange. For a quantum security level of 128 bits, our scheme requires 30% less bandwidth than the LWE-based key-exchange proposal Frodo [9] and allows for a fast implementation of the key exchange.

Introduction

The exchange of sensitive information, e.g. financial, military or private data, over communication systems requires solutions that ensure the confidentiality of these transactions. Confidentiality can be provided by cryptographic primitives such as public-key encryption [24] and key establishment [15]. However, the prospect of quantum computing, in combination with Shor's [26] and Grover's [17] algorithms, has created a need for quantum-resistant algorithms, since the majority of the world's communication today depends on cryptography that is vulnerable to cryptanalysis by quantum computers. This need is recognized by organizations such as NIST and ETSI, which are currently standardizing such solutions. Key exchange is one of the most sensitive and urgent application areas where post-quantum cryptography is required. The reason is that an attacker who collects encrypted data of interest to him (even assuming that forward-secret cryptography is used) will be able to decrypt this data when a quantum computer becomes available. Thus, this paper focuses on this primitive.
Lattice-based cryptography is a promising candidate for quantum-resistant cryptography due to its (relatively) good performance, versatility in different cryptographic schemes and resistance against all known quantum algorithms. In particular, the Learning with Errors (LWE) problem [23] is a hard mathematical problem with quantum reductions to the worst-case hard lattice problems GapSVP and SIVP [23] and classical reductions to GapSVP [21, 10]. In one of the flavors of LWE, the attacker is given many pairs $(\mathbf{a}_i,\; b_i = \mathbf{a}_i \cdot \mathbf{s} + e_i \pmod q)$ and his task is to recover $\mathbf{s}$, where $\mathbf{a}_i$ and $\mathbf{s}$ are vectors chosen from a uniform distribution and the $e_i$ are drawn from a Gaussian distribution. The Learning with Rounding (LWR) problem [6] is a deterministic variant of the LWE problem that replaces the Gaussian errors with errors introduced by rounding to a smaller modulus. The motivation is to achieve higher efficiency, since sampling from a Gaussian distribution is costly, and to reduce the ciphertext length [11]. For both LWE and LWR, small-secret and sparse variants are also possible, i.e., ones in which the secret is sampled from a binary or ternary distribution, secrets that are sparse, and secrets that are both sparse and small [13]. The schemes of Ding et al. [16] and the Frodo scheme of Bos et al. [9] are post-quantum, unauthenticated key-exchange schemes based on the Learning with Errors (LWE) problem. They use public keys derived from secret vectors and Gaussian noise to establish a shared secret between two entities in an ephemeral manner. Sampling from a Gaussian distribution to create the LWE error leads to a significant overhead. The Lizard scheme of Cheon et al. [14] is a public-key encryption (PKE) scheme that uses the reduction of the LWE problem to the Learning with Rounding (LWR) problem [6, 8, 5] in order to replace the slower Gaussian sampling with more efficient rounding for incorporating noise.
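The following is an added illustration, not code from the paper, of the three ingredients the paragraph introduces: an LWE sample with an explicitly sampled error, the LWR sample that replaces that error by rounding to a smaller modulus p, and a sparse ternary secret whose low Hamming weight bounds the noise term that survives when two parties combine their values. The parameters (q = 4096, p = 512, n = 16, weight 4) are constructed toy values, not spKEX parameters, and a uniform error on a small interval stands in for the Gaussian used in LWE.

```python
import random

# Toy parameters, constructed for illustration only (not the spKEX parameters).
Q = 4096     # large modulus q (a power of two so that p divides q)
P = 512      # rounding modulus p < q used by LWR
N = 16       # secret dimension
M = 8        # number of samples (rows of A)
H = 4        # Hamming weight of the sparse ternary secret
E_BOUND = 3  # magnitude bound of the LWE error (stand-in for a Gaussian)


def sparse_ternary_secret(n, h, rng):
    """Secret in {-1, 0, 1}^n with exactly h nonzero entries."""
    s = [0] * n
    for idx in rng.sample(range(n), h):
        s[idx] = rng.choice((-1, 1))
    return s


def random_matrix(m, n, q, rng):
    """Public matrix A with entries uniform in Z_q."""
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


def matvec_mod(A, s, q):
    """A*s reduced mod q: one inner product <a_i, s> per row."""
    return [sum(a * x for a, x in zip(row, s)) % q for row in A]


def lwe_samples(A, s, q, bound, rng):
    """LWE: b_i = <a_i, s> + e_i mod q.  The error is sampled explicitly; a
    uniform error in [-bound, bound] stands in for the Gaussian of LWE."""
    As = matvec_mod(A, s, q)
    errors = [rng.randint(-bound, bound) for _ in As]
    b = [(v + e) % q for v, e in zip(As, errors)]
    return b, errors


def lwr_samples(A, s, q, p):
    """LWR: b_i = round((p/q) * (<a_i, s> mod q)) mod p.  No error is sampled;
    the noise comes from rounding, and each b_i costs log2(p) bits, not log2(q)."""
    As = matvec_mod(A, s, q)
    return [((2 * p * v + q) // (2 * q)) % p for v in As]


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def implicit_rounding_error(A, s, q, p):
    """The error LWR adds implicitly: (q/p)*b_i - <a_i, s>, centred mod q.
    Requires p | q.  Its magnitude is at most q/(2p)."""
    As = matvec_mod(A, s, q)
    b = lwr_samples(A, s, q, p)
    return [centred(bi * (q // p) - v, q) for v, bi in zip(As, b)]


def error_times_secret(errors, s):
    """Noise term <e, s> that appears when the two parties' values are combined.
    With a sparse ternary s, at most h error coordinates survive, each with
    sign +-1, so |<e, s>| <= h * max|e_i|."""
    return sum(e * x for e, x in zip(errors, s))


def demo(seed=1):
    rng = random.Random(seed)
    s = sparse_ternary_secret(N, H, rng)
    A = random_matrix(M, N, Q, rng)
    b_lwe, errs = lwe_samples(A, s, Q, E_BOUND, rng)
    b_lwr = lwr_samples(A, s, Q, P)
    implicit = implicit_rounding_error(A, s, Q, P)
    # Constructed error vector of the other party, length n, hitting the secret s.
    other_errors = [rng.randint(-E_BOUND, E_BOUND) for _ in range(N)]
    return {
        "A": A,
        "secret": s,
        "lwe_b": b_lwe,
        "lwe_errors": errs,
        "lwr_b": b_lwr,
        "lwr_implicit_error": implicit,
        "max_lwr_error": max(abs(e) for e in implicit),
        "noise_term": error_times_secret(other_errors, s),
        "noise_bound": H * E_BOUND,
        "bits_per_sample": (Q.bit_length() - 1, P.bit_length() - 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two effects the paragraph describes: every LWR sample is 9 bits instead of 12, the implicit rounding error never exceeds q/(2p) = 4, and the noise term <e, s> stays within h times the error bound because the ternary secret has only h nonzero coordinates.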
Furthermore, Lizard proposes the use of sparse, ternary secrets in order to increase efficiency, and is based on both LWE and the LWR problem with sparse-ternary secrets (sparse-ternary LWR or sp-terLWR). However,
dblp:journals/iacr/BhattacharyaGRT17 fatcat:7rye6atmgrautk2lohhsso3xou