Post-quantum key exchange for the TLS protocol from the ring learning with errors problem

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2015-July, Issue , 2015, Pages 553-570

  Bos, Joppe W ^a   Costello, Craig ^b   Naehrig, Michael ^b   Stebila, Douglas ^c  

^a NXP SEMICONDUCTORS   (Netherlands)

^b MICROSOFT RESEARCH   (United States)

^c QUEENSLAND UNIVERSITY OF TECHNOLOGY   (Australia)

Author keywords

key exchange; learning with errors; post quantum; Transport Layer Security (TLS)

Indexed keywords

AUTHENTICATION; CURVE FITTING; DIGITAL LIBRARIES; ERRORS; GEOMETRY; HTTP; NETWORK SECURITY; QUANTUM COMPUTERS; QUANTUM CRYPTOGRAPHY; SEEBECK EFFECT; TRANSPORT LAYER;

CRYPTOGRAPHIC PRIMITIVES; ELLIPTIC CURVE DIGITAL SIGNATURE; KEY EXCHANGE; LEARNING WITH ERRORS; LEARNING WITH ERRORS PROBLEMS; POST QUANTUM; TRANSPORT LAYER SECURITY; TRANSPORT LAYER SECURITY PROTOCOLS;

QUANTUM CHEMISTRY;

EID: 84945181738     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2015.40     Document Type: Conference Paper

References (53)

1. O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in 37th ACM STOC, H. N. Gabow and R. Fagin, Eds. ACM Press, May 2005, pp. 84-93.
2. -, "Lattice-based cryptography (invited talk)," in CRYPTO 2006, ser. LNCS, C. Dwork, Ed., vol. 4117. Springer, Aug. 2006, pp. 131-141.
3. C. Gentry, "Fully homomorphic encryption using ideal lattices," in 41st ACM STOC, M. Mitzenmacher, Ed. ACM Press, May/Jun. 2009, pp. 169-178.
4. S. Garg, C. Gentry, and S. Halevi, "Candidate multilinear maps from ideal lattices," in EUROCRYPT 2013, ser. LNCS, T. Johansson and P. Q. Nguyen, Eds., vol. 7881. Springer, May 2013, pp. 1-17.
5. P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, 1997.
6. R. L. Rivest, A. Shamir, and L. M. Adleman, "A method for obtaining digital signature and public-key cryptosystems," Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120-126, 1978.
7. V. S. Miller, "Use of elliptic curves in cryptography," in CRYPTO'85, ser. LNCS, H. C. Williams, Ed., vol. 218. Springer, Aug. 1985, pp. 417-426.
8. N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, vol. 48, no. 177, pp. 203-209, 1987.
9. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," RFC 5246 (Proposed Standard), Internet Engineering Task Force, Aug. 2008. [Online]. Available: http://www.ietf.org/rfc/rfc5246.txt
10. V. Lyubashevsky, C. Peikert, and O. Regev, "On ideal lattices and learning with errors over rings," Journal of the ACM, vol. 60, no. 6, p. 43, 2013.
11. W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976.
12. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk, "On the security of TLS-DHE in the standard model," in CRYPTO 2012, ser. LNCS, R. Safavi-Naini and R. Canetti, Eds., vol. 7417. Springer, Aug. 2012, pp. 273-293.
13. J. W. Bos, J. A. Halderman, N. Heninger, J. Moore, M. Naehrig, and E. Wustrow, "Elliptic curve cryptography in practice," Cryptology ePrint Archive, Report 2013/734, 2013, http://eprint.iacr.org/2013/734.
14. P. C. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," in CRYPTO'96, ser. LNCS, N. Koblitz, Ed., vol. 1109. Springer, Aug. 1996, pp. 104-113.
15. NIST. (2012, July) Recommendations for key management-Part 1: General (revision 3). [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57 part1 rev3 general.pdf
16. J. Ding, X. Xie, and X. Lin, "A simple provably secure key exchange scheme based on the learning with errors problem," Cryptology ePrint Archive, Report 2012/688, 2012, http://eprint.iacr.org/2012/688.
17. O. Blazy, C. Chevalier, L. Ducas, and J. Pan, "Exact smooth projective hash function based on LWE," Cryptology ePrint Archive, Report 2013/821, 2013, http://eprint.iacr.org/2013/821.
18. J. Katz and V. Vaikuntanathan, "Smooth projective hashing and password-based authenticated key exchange from lattices," in ASIACRYPT 2009, ser. LNCS, M. Matsui, Ed., vol. 5912. Springer, Dec. 2009, pp. 636-652.
19. A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama, "Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism," in ASIACCS 13, K. Chen, Q. Xie, W. Qiu, N. Li, and W.-G. Tzeng, Eds. ACM Press, May 2013, pp. 83-94.
20. C. Peikert, "Lattice cryptography for the Internet," in PQCrypto 2014, ser. LNCS, M. Mosca, Ed., vol. 8772. Springer, 2014, pp. 197-219.
21. J. Zhang, Z. Zhang, J. Ding, M. Snook, and Ö. Dagdelen, "Authenticated key exchange from ideal lattices," Cryptology ePrint Archive, Report 2014/589, 2014, http://eprint.iacr.org/2014/589.
22. E. Fujisaki and T. Okamoto, "How to enhance the security of public-key encryption at minimum cost," in PKC'99, ser. LNCS, H. Imai and Y. Zheng, Eds., vol. 1560. Springer, Mar. 1999, pp. 53-68.
23. A. Fujioka, K. Suzuki, K. Xagawa, and K. Yoneyama, "Strongly secure authenticated key exchange from factoring, codes, and lattices," in PKC 2012, ser. LNCS, M. Fischlin, J. Buchmann, and M. Manulis, Eds., vol. 7293. Springer, May 2012, pp. 467-484.
24. H. Krawczyk, "SIGMA: The "SIGn-and-MAc" approach to authenticated Diffie-Hellman and its use in the IKE protocols," in CRYPTO 2003, ser. LNCS, D. Boneh, Ed., vol. 2729. Springer, Aug. 2003, pp. 400-425.
25. J. Hoffstein, J. Pipher, and J. H. Silverman, "NTRU: A ring based public key cryptosystem," in Algorithmic Number Theory (ANTS III), ser. LNCS, J. P. Buhler, Ed., vol. 1423. Springer, 1997, pp. 267-288.
26. A. Singer, "NTRU cipher suites for TLS," July 2001, Internet-Draft. [Online]. Available: https://tools.ietf.org/html/draft-ietf-tls-ntru
27. V. Lyubashevsky, C. Peikert, and O. Regev, "A toolkit for ring-LWE cryptography," in EUROCRYPT 2013, ser. LNCS, T. Johansson and P. Q. Nguyen, Eds., vol. 7881. Springer, May 2013, pp. 35-54.
28. N. C. Dwarakanath and S. D. Galbraith, "Sampling from discrete gaussians for lattice-based cryptography on a constrained device," Appl. Algebra Eng. Commun. Comput., vol. 25, no. 3, pp. 159-180, 2014.
29. D. Micciancio and O. Regev, "Lattice-based cryptography," in PostQuantum Cryptography, D. J. Bernstein, J. Buchmann, and E. Dahmen, Eds. Springer Berlin Heidelberg, 2009, pp. 147-191.
30. R. Lindner and C. Peikert, "Better key sizes (and attacks) for LWE-based encryption," in CT-RSA 2011, ser. LNCS, A. Kiayias, Ed., vol. 6558. Springer, Feb. 2011, pp. 319-339.
31. J. van de Pol and N. P. Smart, "Estimating key sizes for high dimensional lattice-based systems," in 14th IMA International Conference on Cryptography and Coding, ser. LNCS, M. Stam, Ed., vol. 8308. Springer, Dec. 2013, pp. 290-303.
32. T. Lepoint and M. Naehrig, "A comparison of the homomorphic encryption schemes FV and YASHE," in AFRICACRYPT 2014, ser. LNCS, D. Pointcheval and D. Vergnaud, Eds., vol. 8469. Springer, 2014, pp. 318-335.
33. Y. Chen and P. Q. Nguyen, "BKZ 2.0: Better lattice security estimates," in ASIACRYPT 2011, ser. LNCS, D. H. Lee and X. Wang, Eds., vol. 7073. Springer, Dec. 2011, pp. 1-20.
34. M. R. Albrecht, R. Player, and S. Scott, "On the concrete hardness of learning with errors," Cryptology ePrint Archive, Report 2015/046, 2015, http://eprint.iacr.org/2015/046.
35. T. Laarhoven, M. Mosca, and J. van de Pol, "Finding shortest lattice vectors faster using quantum search," Cryptology ePrint Archive, Report 2014/907, 2014, http://eprint.iacr.org/2014/907.
36. Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé, "Classical hardness of learning with errors," in 45th ACM STOC, D. Boneh, T. Roughgarden, and J. Feigenbaum, Eds. ACM Press, Jun. 2013, pp. 575-584.
37. D. A. Osvik, A. Shamir, and E. Tromer, "Cache attacks and countermea-sures: The case of AES," in CT-RSA 2006, ser. LNCS, D. Pointcheval, Ed., vol. 3860. Springer, Feb. 2006, pp. 1-20.
38. S. Chang, P. C. Cosman, and L. B. Milstein, "Chernoff-type bounds for the Gaussian error function," IEEE Transactions on Communications, vol. 59, no. 11, pp. 2939-2944, 2011.
39. J. W. Cooley and J. W. Tukey, "An algorithm for the machine calculation of complex Fourier series," Mathematics of Computation, vol. 19, pp. 297-301, 1965.
40. H. J. Nussbaumer, "Fast polynomial transform algorithms for digital convolution," IEEE Transactions on Acoustics, Speech and Signal Processing, vol. 28, no. 2, pp. 205-215, 1980.
41. D. E. Knuth, Seminumerical Algorithms, 3rd ed., ser. The Art of Computer Programming. Reading, Massachusetts, USA: Addison-Wesley, 1997.
42. A. Schönhage and V. Strassen, "Schnelle multiplikation großer zahlen," Computing, vol. 7, no. 3-4, pp. 281-292, 1971.
43. J. W. Bos, C. Costello, H. Hisil, and K. Lauter, "Fast cryptography in genus 2," in EUROCRYPT 2013, ser. LNCS, T. Johansson and P. Q. Nguyen, Eds., vol. 7881. Springer, May 2013, pp. 194-210.
44. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) protocol version 1.3," January 2015, Internet-Draft-04. [Online]. Available: https://tools.ietf.org/html/draft-ietf-tls-tls13-04
45. K. G. Paterson, T. Ristenpart, and T. Shrimpton, "Tag size does matter: Attacks and proofs for the TLS record protocol," in ASIACRYPT 2011, ser. LNCS, D. H. Lee and X. Wang, Eds., vol. 7073. Springer, Dec. 2011, pp. 372-389.
46. M. Bellare and P. Rogaway, "Entity authentication and key distribution," in CRYPTO'93, ser. LNCS, D. R. Stinson, Ed., vol. 773. Springer, Aug. 1993, pp. 232-249.
47. F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, and D. Stebila, "Multi-ciphersuite security of the Secure Shell (SSH) protocol," in ACM CCS 14, G.-J. Ahn, M. Yung, and N. Li, Eds. ACM Press, Nov. 2014, pp. 369-381.
48. H. Krawczyk, K. G. Paterson, and H. Wee, "On the security of the TLS protocol: A systematic analysis," in CRYPTO 2013, Part I, ser. LNCS, R. Canetti and J. A. Garay, Eds., vol. 8042. Springer, Aug. 2013, pp. 429-448.
49. F. Song, "A note on quantum security for post-quantum cryptography," in PQCrypto 2014, ser. LNCS, M. Mosca, Ed., vol. 8772. Springer, 2014, pp. 246-265.
50. M. Mosca, D. Stebila, and B. Ustaoglu, "Quantum key distribution in the classical authenticated key exchange framework," in PQCrypto 2013, ser. LNCS, P. Gaborit, Ed., vol. 7932. Springer, 2013, pp. 136-154.
51. V. Gupta, D. Stebila, S. Fung, S. C. Shantz, N. Gura, and H. Eberle, "Speeding up secure web transactions using elliptic curve cryptography," in NDSS 2004. The Internet Society, Feb. 2004.
52. L. K. Grover, "A framework for fast quantum mechanical algorithms," in 30th ACM STOC. ACM Press, May 1998, pp. 53-62.
53. National Institute of Standards and Technology. (1999, July) Recommended elliptic curves for Federal government use. [Online]. Available: http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf