Ring learning with errors key exchange

In cryptography, a public key exchange is a cryptographic algorithm which allows two parties to create and share a secret key which they use to encrypt messages between themselves. The Ring Learning with Errors Key Exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because all of the public key algorithms in use today are easily broken by a quantum computer and scientists are making steady progress toward creating such a computer. The RLWE-KEX is one of a set of Post Quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Background

Since the 1980s the security of cryptographic key exchanges and digital signatures over the internet has been primarily based on a small number of public key algorithms. The security of these algorithms is based on a similarly small number of computationally hard problems in classical computing. These problems are the difficulty of factoring the product of two carefully chosen prime numbers, the difficulty to compute discrete logarithms in a carefully chosen finite field, and the difficulty of computing discrete logarithms in a carefully chosen elliptic curve group. These problems are very difficult to solve on a classical computer (the type of computer the world has known since the 1940s through today) but are rather easily solved by a relatively small quantum computer using only 5 to 10 thousand of bits of memory. There is optimism in the computer industry that larger scale quantum computers will be available in the around 2030. If a quantum computer of sufficient size were built, all of the public key algorithms based on these three classically hard problems would become extremely insecure. This public key cryptography is used today to secure internet websites, protect computer login information, and prevent our computers from accepting malicious software.

Cryptography that is not susceptible to attack by a quantum computer is referred to as Quantum Safe, or Post-Quantum cryptography. One class of quantum resistant cryptographic algorithms is based on a concept called "Learning with errors" introduced by Oded Regev in 2005.[1] A specialized form of Learning with errors operates within the Ring of Polynomials over a Finite Field. This specialized form is called Ring Learning with Errors or RLWE.

There are a variety of cryptographic algorithms which work using the RLWE paradigm. There are public key encryption algorithms, homomorphic encryption algorithms, and RLWE digital signature algorithms in addition to the public key, key exchange algorithm presented in this article

A key exchange algorithm is a type of public key algorithm which establishes a shared secret key between two communicants on a communications link. The classic example of a key exchange is the Diffie-Hellman key exchange. The exchange consists of one transmission from one end of the line and one transmission from the other end of the link. Diffie-Hellman and Elliptic Curve Diffie-Hellman are the two most popular key exchange algorithms.

The RLWE Key Exchange is designed to be a "quantum safe" replacement for the widely used Diffie-Hellman and Elliptic Curve Diffie-Hellman key exchanges that are used to secure the establishment of secret keys over untrusted communications channels. Like Diffie-Hellman and Elliptic Curve Diffie-Hellman, the Ring-LWE key exchange provides a cryptographic property called "forward secrecy"; the aim of which is to reduce the effectiveness of mass surveillance programs and ensure that there are no long term secret keys that can be compromised that would enable bulk decryption.

Introduction

Starting with a prime integer q, the Ring-LWE key exchange works in the ring of polynomials modulo a polynomial Φ(x) with coefficients in the field of integers mod q (i.e. the ring Zq[x]/Φ(x) ). Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod Φ(x). This article will closely follow the RLWE work of Peikert in "Lattice Cryptography for the Internet" as further explained by Singh.[2][3] For this presentation a typical polynomial is expressed as:

a(x) = a0 + a1x + a2x2 + ... + an-3xn-3 + an-2xn-2 + an-1xn-1

The coefficients of this polynomial, the ai's, are integers mod q. The polynomial Φ(x) will be the cyclotomic polynomial. When n is a power of 2 then Φ(x) = xn +1.[3][4]

The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "infinity norm." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as integers in Z rather than Zq (i.e.from the set {-(q-1)/2,..., 0, ... (q-1)/2} ). The algorithm's security depends on an ability to generate random polynomials which are small with respect to the infinity norm. This is done simply by randomly generating the coefficients for a polynomial (sn-1, ..., s0) which are guaranteed or very likely to be small. There are two common ways to do this:

  1. Using Uniform Sampling - The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose coefficients from the set: { -b, -b+1, -b+2. ... -2, -1, 0, 1, 2, ... , b-2, b-1, b} the polynomial will be small with respect to the bound (b). Singh suggest using b = 5.[3] Thus coefficients would be chosen from the set { q-5, q-4, q-3, q-2, q-1, 0, 1, 2, 3, 4, 5 }.
  2. Using Discrete Gaussian Sampling - For an odd value for q, the coefficients are randomly chosen by sampling from the set { -(q-1)/2 to (q-1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. An overview of Gaussian sampling is found in a presentation by Peikert.[5]

For the rest of this article, the random small polynomials will be sampled according to a distribution which is simply specified as D. Further q will be an odd prime such that q is congruent to 1 mod 4 and 1 mod 2n. The maximum degree of the polynomials (n) will be a power of 2. This follows the work of Singh.[3] Other cases for q and n are thoroughly discussed in "A Toolkit for Ring-LWE Cryptography" and in Singh's "Even More Practical Key Exchange for the Internet using Lattice Cryptography."[6][7] and another paper by Singh. A fixed public polynomial, a(x), shared by all users of the network. It is deterministically generated from a cryptographically secure source.

Given a(x) as stated, we can randomly choose small polynomials s(x) and e(x) to be the "private key" in a public key exchange. The corresponding public key will be the polynomial t(x) = a(x)s(x) + e(x). The security of the key exchange that follows is based the difficulty of finding a pair of small polynomials s'(x) and e'(x) such that for a given t(x), a(x)s'(x) + e'(x) = t(x).

The Key Exchange

The key exchange will take place between two devices. There will be an initiator for the key exchange designated as (I) and a respondent designated as (R). Both I and R know, q, n, a(x), and have the ability to generate small polynomials according to the distribution D. The description which follows does not contain any explanation of why the key exchange results in the same key at both ends of a link. Rather, it succinctly specifies the steps to be taken. For a thorough understanding of why the key exchange results in the initiator and responder having the same key, the reader should look at the referenced works by Peikert and Singh.[2][3]

The key exchange begins with the initiator (I) doing the following:

Initiator's First Steps:

  1. Generate two small polynomials sI(x) and eI(x) by sampling from the distribution D.
  2. Compute tI(x) = a(x)·sI(x) + eI(x).
  3. The initiator sends the polynomial tI(x) to the Responder.

Respondent's Steps:

  1. Generate two small polynomials sR(x) and eR(x) by sampling from the distribution D.
  2. Compute v(x) = tI(x)·sR(x) + eR(x) Note that v(x) = a(x)sI(x)sR(x) + eI(x)sR(x) + eR(x) and that eR(x) + eI(x)sR(x) will be small because eR(x) was chosen to be small and the coefficients of eI(x)sR(x) will be bounded in their growth and still relatively small.
  3. The distribution of the coefficients of v(x) are smoothed by looping through the coefficients and randomly adjusting certain values. For j = 0 to n-1:
    1. If vj = 0, draw a random bit (b). If b = 0 then vj = 0 otherwise vj = q-1
    2. If vj = (q-1)/4, draw a random bit (b). If b = 0 then vj = (q-1)/4 otherwise vj = (q+3)/4
  4. Two n-long bit streams, cj, and uj, are formed from the coefficients of v(x), (vn-1, ... , v0 ), via "Cross Rounding" and "Modular Rounding" respectively. For j = 0 to n-1:
    1. Set cj to be the lowest bit of the floor of quotient (4vj)/q; that is {\textstyle c_j = \lfloor 4 v_j/q \rfloor\mod  2}
    2. Set uj to be the lowest bit of the quotient (2vj)/q after rounding; that is u_j = \lfloor 2v_j/q\rceil\mod 2
  5. Form the key (k) as the concatenation of un-1, ..., u0.
  6. Form an n-long "reconciliation" bit string (c) as the concatenation of cn-1, ..., c0.
  7. Compute tR(x) = a(x)·sR(x) + eR(x).
  8. The Respondent sends tR(x) and c to the Initiator.

Initiators Final Steps:

  1. Receive tR(x) and c from the Responder
  2. Compute w(x) = tR(x)·sI(x) + eI(x) = a(x)sI(x)sR(x) + eR(x)sI(x) + eI(x) Note that while this does not equal v(x) (above) the first term in the result a(x)sI(x)sR(x) equals the first term in v(x) and the other terms are all small. The following reconciliation steps will correct (with high probability) the differences.
  3. An n-long bit stream (uj) is formed by looping through the coefficients of w(x) and performing "Key Reconciliation." For j = 0 to n-1:
    1. If cj = 0 and -q/8 ≤ wj < 3q/8 then uj = 0 otherwise uj = 1
    2. If cj = 1 and -3q/8 ≤ wj < q/8 then uj = 0 otherwise uj = 1
  4. Form the key (k) as the concatenation of un-1, ..., u0

If the key exchange worked properly, the initiator's string: un-1, ..., u0 and the respondent's string: un-1, ..., u0 will be the same.

Depending on the specifics of the parameters chosen n, q, σ, or b, there is an extremely small probability that this key exchange will fail to produce the same key. Parameters for the key exchange can be chosen to make the probability of failure in the key exchange very small; much less than the probability of undetectable garbles or device failures.

Parameter Choices

The RWLE-KEX exchange presented above worked in the Ring of Polynomials of degree n-1 or less mod a polynomial Φ(x). The presentation assumed that n was a power of 2 and that q was a prime which was congruent to 1 (mod 4). Following the guidance given in Peikert's paper, Singh suggested two sets of parameters for the RWLE-KEX.

For 128 bits of security, n = 512, q = 25601, and Φ(x) = x512 + 1

For 256 bits of security, n = 1024, q = 40961, and Φ(x) = x1024 + 1

Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter σ is 8/sqrt(2σ) and the uniform sampling bound (b) = 5 (see Singh),[3] then the probability of key agreement failure is less than 2−71 for the 128-bit secure parameters and less than 2−91 for the 256-bit secure parameters.

In their November 2015 paper, Alkim, Ducas, Popplemann, and Schwabe recommend the following parameters n = 1024, q =12289, and Φ(x) = x1024 + 1.[8] This represents a 70% reduction in public key size over the n = 1024 parameters of Singh. A listing of a number of different parameter choices for key exchanges using the Ring Learning with Errors problem are given at this link (click here).[9]

Key Exchange Security

The security of this key exchange as well the underlying Ring Learning With Errors method has been proven to be as hard as the worst case solution to the Shortest Vector Problem (SVP) in an Ideal Lattice.[2] The best method to gauge the practical security of a given set of lattice parameters is the BKZ 2.0 lattice reduction algorithm.[10] According to the BKZ 2.0 algorithm the key exchange parameters listed above will provide greater than 128 or 256 bits of security, respectively.

Implementations

In 2014 Douglas Stebila made a patch for OpenSSL 1.0.1f. based on his work and others published in "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem."[11] Software implementing the work of Singh is found on GitHub at https://github.com/vscrypto/ringlwe.[3]

Other approaches

A variant of the approach described above but with very different reconciliation function and parameter choices is the work of Zhang, Zhang, Ding, Snook and Dagdelen in their paper, "Post Quantum Authenticated Key Exchange from Ideal Lattices."[12] The concept of creating what has been called a Diffie-Hellman-like Key Exchange using lattices with a reconciliation function appears to have first been presented by French researchers Aguilar, Gaborit, Lacharme, Schrek, and Zemor at PQCrypto 2010 in their talk, "Noisy Diffie-Hellman Protocols."[13] This work was then extended and put on a much more rigorous foundation by Peikert in his writings.[2][6]

In November 2015, Alkim, Ducas, Popplemann, and Schwabe built on the prior work of Peikert and Singh and used what they believe is a more precise costing of lattice attacks to recommend parameters somewhat smaller (by 3 bits) than those recommended by Singh.[3][8] They also introduce a different reconciliation mechanism and security proof than that used by Peikert and Singh. Software based on the work of Alkim, Ducas, Popplemann, and Schwabe is found on GitHub at https://github.com/tpoeppelmann/newhope[8]

See also

References

  1. Regev, Oded (2005). "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography". Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing. STOC '05 (New York, NY, USA: ACM): 84–93. doi:10.1145/1060590.1060603. ISBN 1-58113-960-8.
  2. 1 2 3 4 Peikert, Chris (2014). Mosca, Michele, ed. Lattice Cryptography for the Internet. Lecture Notes in Computer Science. Springer International Publishing. pp. 197–219. ISBN 978-3-319-11658-7.
  3. 1 2 3 4 5 6 7 8 Singh, Vikram (2015). "A Practical Key Exchange for the Internet using Lattice Cryptography".
  4. "Cryptology ePrint Archive: Report 2015/1120". eprint.iacr.org. Retrieved 2015-12-23.
  5. "An Efficient and Parallel Gaussian Sampler for Lattices" (PDF). www.cc.gatech.edu. Retrieved 2015-05-29.
  6. 1 2 Lyubashevsky, Vadim; Peikert, Chris; Regev, Oded (2013). "A Toolkit for Ring-LWE Cryptography".
  7. "Cryptology ePrint Archive: Report 2015/1120". eprint.iacr.org. Retrieved 2016-01-17.
  8. 1 2 3 "Cryptology ePrint Archive: Report 2015/1092". eprint.iacr.org. Retrieved 2015-11-11.
  9. "Parameters for RLWE". Ring Learning with Errors. Retrieved 2016-02-28.
  10. Chen, Yuanmi; Nguyen, Phong Q. (2011). Lee, Dong Hoon; Wang, Xiaoyun, eds. BKZ 2.0: Better Lattice Security Estimates. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 1–20. ISBN 978-3-642-25384-3.
  11. Bos, Joppe W.; Costello, Craig; Naehrig, Michael; Stebila, Douglas (2014-01-01). "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem".
  12. "Workshop on Cybersecurity in a Post-Quantum World". www.nist.gov. Retrieved 2015-06-06.
  13. "Noisy Diffie-Hellman protocols" (PDF). pqc2010.cased.de. Retrieved 2015-06-06.
This article is issued from Wikipedia - version of the Sunday, February 28, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.