Post-Quantum Secure Remote Password Protocol from RLWE Problem
Lecture Notes in Computer Science
The Secure Remote Password (SRP) protocol is an augmented Password-based Authenticated Key Exchange (PAKE) protocol based on the discrete logarithm problem (DLP) with various attractive security features. Compared with basic PAKE protocols, SRP does not require the server to store the user's password, and the user does not send the password to the server to authenticate. These features are desirable for secure client-server applications. SRP has gained extensive real-world deployment, including Apple iCloud, 1Password, etc.
... However, with the advent of quantum computers and Shor's algorithm, classic DLP-based public key cryptography algorithms are no longer secure, including SRP. Motivated by the importance of SRP and the threat from quantum attacks, we propose an RLWE-based SRP protocol (RLWE-SRP) which inherits the advantages of SRP and the elegant design of RLWE key exchange. We also present parameter choices and an efficient portable C++ implementation of RLWE-SRP. Our implementation of 209-bit secure RLWE-SRP is more than 3x faster than the 112-bit secure original SRP protocol, 5.5x faster than 80-bit secure J-PAKE and 14x faster than two 184-bit secure RLWE-based PAKE protocols with more desired properties.

Key Exchange

Key exchange (KE) is an important and fundamental cryptographic primitive. It allows two or more parties to agree on the same session key, which is later used for encryption and other cryptographic primitives. With the ground-breaking Diffie-Hellman key exchange proposed in 1976, public key cryptography became a reality, and it has been widely deployed in real-world applications. Since public key computations are rather expensive compared with symmetric ones, symmetric encryption is used to encrypt the actual communication data instead of public key encryption. The shared key generated during key exchange is therefore extremely important, especially in constructing real-world security protocols and applications. Important applications of key exchange include Transport Layer Security (TLS), Secure Shell (SSH), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), Virtual Private Networks (VPN), etc. However, Diffie-Hellman and other unauthenticated key exchange protocols are vulnerable to the Man-In-The-Middle (MITM) attack, where an adversary sitting between the communicating parties intercepts and tampers with messages and impersonates the legitimate counterpart to each side. An important line of key exchange protocols that defeat such attacks is authenticated key exchange (AKE).
In AKE, authentication mechanisms ensure that one or both sides of the key exchange are securely authenticated. HMQV is an example of AKE. There are various approaches to achieving authentication, including public key infrastructure (PKI)-based (using signatures and a verified public key with a valid certificate) and password (and its variants)-based AKE protocols (PAKE), etc. PAKE is an important approach to realizing AKE. Examples of PAKE protocols are PAK & PPK, J-PAKE, EKE, SPAKE2, etc. Some additional works include , , etc. In most network security protocols, PKI-based authentication (certificate and signature) is more popular, mostly because it is "secure enough". In most cases, the server side can be securely authenticated using a certificate, but the client side is not, since the client generally does not have a valid certificate. This highlights one advantage of PAKE protocols: simpler mutual authentication. In PAKE, mutual authentication can be securely achieved using a pre-shared value or token held by both parties (in most cases, such a pre-shared value is the password or a hash of the password). This also saves some rather expensive public key operations (e.g., computing/verifying a signature). A shortcoming of basic PAKE protocols is that these constructions directly use the password or a hash of the password as the pre-shared value. Once the server is compromised and the actual user password (or its hash value) is leaked, the adversary can easily impersonate the client and authenticate himself. This is a crucial problem and challenge for basic PAKE protocols. A solution to this issue is augmented PAKE, since it only requires the server to store a pre-shared verifier (or token) which is generated from the password and other elements, instead of simply storing the actual password or a hash of the password. In the execution of an augmented PAKE protocol, the client needs to enter the correct password in order to compute the intermediate values correctly and authenticate himself. The server uses the stored verifier to authenticate the user. Meanwhile, the actual password is never sent to the server. The trick is that these intermediate values can only be computed with the correct password. An adversary cannot compute such intermediate values thanks to the delicate design and hard problems like the discrete logarithm problem. The advantage of augmented PAKE protocols is that even if an attacker obtains the verifier, he cannot impersonate the client by replaying the captured verifier, since he does not know the actual password. Examples of augmented PAKE protocols are SRP, PAK-Z, etc.
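As an added worked example (not code from the paper), the classic DLP-based SRP-6a exchange that RLWE-SRP builds on, in Python: the server stores only the salt and the verifier v = g^x, the password never crosses the wire, and both sides derive the same key only when the client supplies the registered password. The group parameters are a constructed demonstration modulus (2^255 - 19 with base 2), not a standard SRP group.

```python
import hashlib
import secrets

# Constructed demo group: 2**255 - 19 is prime, but it is not a standard SRP group
# and g = 2 is a placeholder base; real deployments use the RFC 5054 groups.
N = 2**255 - 19
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, interpreted as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed per group


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s || H(I ':' P)); only a party holding the password can compute it."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def register(identity: bytes, password: bytes) -> tuple[bytes, int]:
    """Enrolment: the client derives the verifier v = g^x; the server stores (s, v), never P."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def run_srp(identity: bytes, registered_pw: bytes, typed_pw: bytes) -> tuple[bytes, bytes]:
    """One SRP-6a exchange; returns (client_key, server_key) so they can be compared."""
    salt, v = register(identity, registered_pw)          # server-side record
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                      # client -> server: I, A
    B = (k * v + pow(g, b, N)) % N                        # server -> client: s, B
    u = H(pad(A), pad(B))                                 # scrambling parameter
    # Client: (B - k*g^x) equals g^b only if x was derived from the right password
    x = private_x(salt, identity, typed_pw)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: uses the stored verifier v = g^x and never sees the password
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()
```

In a full SRP run each side would additionally send a hash-based proof of its key before any application data; the mismatch on a wrong password is what makes that proof fail.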