Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange
Boru Gong, Yunlei Zhao
Fudan University, China
June 28, 2017

Boru Gong, Yunlei Zhao (Fudan) Cryptanalysis of RLWE-Based One-Pass AKE June 28, 2017 1 / 39

Outline
1 Introduction
2 The Basic SFA Attack (Against $M_1$)
3 The Advanced SFA Attack (Against $M_1$)
4 Small Field Attack (Against $M_0$)
5 Conclusion
§ 1 Introduction

Lattice-based HMQV

A lattice-based analogue of HMQV was proposed at Eurocrypt 2015 [ZZDSD15].
• Its structure is similar to that of (DL-based) HMQV.
• It consists of a two-pass variant $\Pi_2$ and a one-pass variant $\Pi_1$.
• Both variants are proven secure under the (cyclotomic) ring-LWE assumption in the random oracle model (ROM).
• A specific ring-LWE instance is used: the underlying number field $K$ is the $m$-th cyclotomic number field $\mathbb{Q}(\zeta_m)$, where $m$ is a power of two.
Our Contributions

In this work, we concentrate our analysis on the one-pass variant $\Pi_1$ in [ZZDSD15].
• We propose a special type of efficient attack against $\Pi_1$.
• Our attack is called the small field attack (SFA), since it fully utilizes the algebraic properties of the ring $R_q$ in ring-LWE.
• An SFA attacker can recover the private key of the victim party in $\Pi_1$ with overwhelming probability (w.o.p.).
The SFA attack may be applicable to other ring-LWE based one-pass AKE schemes.

Small Field Attack Against $\Pi_1$

To be precise, two SFA attackers against $\Pi_1$ are proposed in this work.
• The basic SFA attacker is designed to demonstrate the notion of SFA.
• Furthermore, we design an advanced SFA attacker that is "undetectable": in practice it is hard for the victim party in $\Pi_1$ to identify either the static public key of the SFA attacker or the malicious queries it makes.
• Hence, our attack is practical.
We stress that the success of our attack relies on the assumption that the adversary can register a malicious public/private key pair of its own choice, which is beyond the security model of $\Pi_1$.
• Thus, although our attack is practical in essence, its existence does not violate the proven security of $\Pi_1$ in its own model.
Introduction to $\Pi_1$

• Party $i$ and party $j$ are involved.
• For party $i$: static sk $(s_i \leftarrow D_{\mathbb{Z}^n,\alpha},\ e_i \leftarrow D_{\mathbb{Z}^n,\alpha})$; static pk $p_i := a \cdot s_i + 2 e_i \in R_q$ ($a$ is a global parameter).
• Similar notations carry over to party $j$.
• To recover the (static) private key $(s_j, e_j)$ of party $j$, it suffices to recover $s_j \in R_q$ (since $e_j$ is then determined by $p_j = a s_j + 2 e_j$).

Figure: A simplified depiction of $\Pi_1$

Party $i$ (sk: $s_i, e_i \leftarrow D_{\mathbb{Z}^n,\alpha}$; pk: $p_i = a s_i + 2 e_i \in R_q$):
ephemeral sk $r_i, f_i \leftarrow D_{\mathbb{Z}^n,\beta}$; ephemeral pk $x_i = a r_i + 2 f_i$;
$c = H_1(id_i, id_j, x_i)$; $g_i \leftarrow D_{\mathbb{Z}^n,\beta}$;
$k_i = p_j (s_i c + r_i) + 2 g_i$; $w_i = \mathrm{Cha}(k_i)$; $\sigma_i = \mathrm{Mod}(k_i, w_i)$;
$sk_i = H_2(id_i, id_j, x_i, w_i, \sigma_i)$.

Party $i \longrightarrow$ party $j$: $(x_i, w_i)$

Party $j$ (sk: $s_j, e_j \leftarrow D_{\mathbb{Z}^n,\alpha}$; pk: $p_j = a s_j + 2 e_j \in R_q$):
$c = H_1(id_i, id_j, x_i)$; $g_j \leftarrow D_{\mathbb{Z}^n,\alpha}$;
$k_j = (p_i c + x_i) s_j + 2 c g_j$; $\sigma_j = \mathrm{Mod}(k_j, w_i)$;
$sk_j = H_2(id_i, id_j, x_i, w_i, \sigma_j)$.
Party $j \Longrightarrow$ Oracle $M_0$: 1/3

• In each session, party $i$ sends $(x_i, w_i)$ to party $j$.
• For party $j$, the resultant session key is $sk_j \leftarrow H_2(id_i, id_j, x_i, w_i, \sigma_j)$.
• Observation: of the hash input $(id_i, id_j, x_i, w_i, \sigma_j)$, every value except $\sigma_j$ is known to party $i$.
• When $H_2$ is modeled as an RO, party $i$ can compute the session key $sk_j$ of party $j$ correctly before issuing the associated session-key query to party $j$ if and only if party $i$ can compute the associated $\sigma_j$ beforehand.
• This observation lets us simplify the description of SFA significantly.

Party $j \Longrightarrow$ Oracle $M_0$: 2/3

Figure: Some valid functionalities of party $j$: session creation with $(x_i, w_i)$; session-key exposure, yielding $sk_j \leftarrow H_2(id_i, id_j, x_i, w_i, \sigma_j)$.

Figure: Oracle $M_0$, an abstraction of party $j$: the adversary (playing party $i$) submits $id_i, (x_i, w_i), \sigma_i$ and learns whether $\sigma_i = \sigma_j$.

Party $j \Longrightarrow$ Oracle $M_0$: 3/3

Claim. To recover the private key of party $j$ in $\Pi_1$ efficiently, it suffices to construct an efficient attacker against $M_0$ (to be defined).
Formal definition of $M_0$

The foregoing analysis motivates us to define an oracle $M_0$ as follows:
• sk: $(s \leftarrow D_{\mathbb{Z}^n,\alpha},\ e \leftarrow D_{\mathbb{Z}^n,\alpha})$; pk: $p := a \cdot s + 2 e \in R_q$; identifier: $id$.
• Given $(id^*, p^*, x, w, z)$, where $id^*$ denotes the identifier of the adversary, $p^*$ denotes the static public key of the adversary, $x \in R_q$, $w \in \mathbb{B}^n$ and $z \in \mathbb{B}^n$, $M_0$ does the following:
$$c \leftarrow H_1(id^*, id, x) \ (\in R_q), \qquad g \leftarrow D_{\mathbb{Z}^n,\alpha},$$
$$k := (p^* c + x)\, s + q_0 w + 2 c g \ (\in R_q), \quad \text{where } q_0 := \tfrac{q-1}{2},$$
$$\sigma := \mathrm{Parity}(k) \ (\in \mathbb{B}^n).$$
Finally, $M_0$ returns 1 if and only if $\sigma = z$.

Oracle $M_0 \Longrightarrow$ Oracle $M_1$

• Notice that in the definition of $M_0$, $k = (p^* c + x) s + q_0 w + 2 c g$.
• For an attacker against $M_0$, if his static public key is $p^* = 0 \in R_q$, the computation of $k$ is simplified dramatically.
• This motivates us to define the oracle $M_1$ with secret $s \leftarrow D_{\mathbb{Z}^n,\alpha}$ as follows. Given $(x, w, z) \in R_q \times \mathbb{B}^n \times \mathbb{B}^n$, it does the following:
$$\varepsilon \leftarrow \mathbb{Z}^n_{1+2\theta}, \qquad v := x s + q_0 w + 2 \varepsilon \ (\in R_q), \qquad \sigma := \mathrm{Parity}(v) \ (\in \mathbb{B}^n).$$
Finally, $M_1$ returns 1 if and only if $\sigma = z$.

Intermediate Summary

Oracle $M_0$: an abstraction of party $j$ in $\Pi_1$
• To construct an efficient adversary against party $j$, it suffices to construct an efficient adversary against $M_0$.
Oracle $M_1$: a simplified variant of $M_0$
• An efficient adversary against $M_1$ corresponds to an efficient adversary against $M_0$ with static public key $p^* = 0 \in R_q$.
§ 2 The Basic SFA Attack (Against $M_1$)

Difficulty in Attacking $\Pi_1$

• For the present, we aim to construct a (basic) attack against $M_1$.
• Recall that $M_1$ with secret $s \leftarrow D_{\mathbb{Z}^n,\alpha}$ works as follows:
  • Each query is of the form $(x, w, z) \in R_q \times \mathbb{B}^n \times \mathbb{B}^n$;
  • On each query, it computes $\sigma \leftarrow \mathrm{Parity}(x s + q_0 w + 2 \varepsilon) \ (\in \mathbb{B}^n)$ and returns whether $\sigma = z$.
• Each answer of $M_1$ reveals only one bit of (slightly noisy) information about its secret $s \in R_q$, which makes it difficult for the adversary to recover $s$ efficiently.
• Now, the CRT basis for $R_q$ comes into play.
The CRT Basis for $R_q$

• The notion of a CRT basis in the ring-LWE setting was first proposed in [LPR10a].
• In the ring-LWE setting, $q \equiv 1 \pmod m$ is a positive rational prime.
• Therefore, $q$ splits completely in $K = \mathbb{Q}(\zeta_m)$, so that
$$qR = \prod_{i \in [n]} \mathfrak{q}_i,$$
i.e., $qR$ is the product of $n$ distinct nonzero prime ideals in $R$, each of norm $q$.
• It follows from the Chinese Remainder Theorem that
$$R_q := R / qR \;\cong\; \prod_{i \in [n]} R / \mathfrak{q}_i.$$
• Each $R / \mathfrak{q}_i$ can be seen as a finite field of order $q$.
• This isomorphism explains how our small field attack bears its name.
• Thus, there exist $c_1, \cdots, c_n \in R_q$ such that
$$c_i \equiv \delta_{i,j} \pmod{\mathfrak{q}_j}, \qquad \forall\, i, j \in [n].$$
• Such a basis $\{c_1, \cdots, c_n\}$ is unique, and hence is called the CRT basis for $R_q$.

Basic Properties of the CRT Basis for $R_q$

$\{c_1, \cdots, c_n\}$ can be seen as an integral basis for $R$. Moreover,
• Given $n, q$ (in unary form), the CRT basis for $R_q$ can be found efficiently.
• Every $u \in R_q$ can be written uniquely as
$$u = \sum_{i \in [n]} u_i \cdot c_i, \qquad u_i \in \mathbb{F}_q.$$
• Each $u_i \in \mathbb{F}_q$ is called a CRT coefficient of $u \in R_q$.
• The set $\{\, i \in [n] \mid u_i \neq 0 \,\}$ is called the CRT-dimensionality of $u$.
• The map
$$u \in R_q \;\longmapsto\; (u_1, \cdots, u_n) \in \mathbb{F}_q^n$$
is a ring isomorphism, i.e., for every $u, v \in R_q$ we have
$$u + v = \sum_{i \in [n]} (u_i + v_i) \cdot c_i, \qquad u \cdot v = \sum_{i \in [n]} (u_i v_i) \cdot c_i.$$
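The following Python script is an added worked example (it is not code from the slides or from the authors). It computes the CRT basis of $R_q = \mathbb{Z}_q[X]/(X^n+1)$ for toy parameters, verifies that addition and multiplication in $R_q$ become coordinate-wise operations on CRT coefficients, and shows the consequence the attack rests on: multiplying the secret $s$ by a basis element $c_i$ leaves only the single CRT coefficient $s_i$ (the product $c_i \cdot s = s_i \cdot c_i$ has CRT-dimensionality $\{i\}$ whenever $s_i \neq 0$). The parameters $n = 4$, $q = 17$ (so $m = 8$ and $q \equiv 1 \pmod m$) and the sample ring elements are constructed for illustration; a real instance uses the much larger $n$ and $q$ of [ZZDSD15]. Prime ideals are represented by the roots $r_i$ of $X^n + 1$ in $\mathbb{F}_q$, so that $u \bmod \mathfrak{q}_i$ is the evaluation $u(r_i)$.

```python
"""CRT basis of R_q = Z_q[X]/(X^n + 1), m = 2n a power of two, q = 1 (mod m).

Ring elements are lists of n coefficients; index k holds the coefficient of X^k.
Added example with constructed toy parameters; not the authors' code.
"""
import random


def find_roots(n, q):
    """The n roots of X^n + 1 in F_q: the primitive m-th roots of unity, m = 2n.

    Each root r_i corresponds to the prime ideal q_i = (q, X - r_i), so qR = prod q_i.
    """
    m = 2 * n
    if (q - 1) % m != 0:
        raise ValueError("need q = 1 (mod m)")
    for g in range(2, q):
        w = pow(g, (q - 1) // m, q)      # w^m = 1
        if pow(w, n, q) == q - 1:        # w^n = -1, so w has order exactly m
            return [pow(w, 2 * j + 1, q) for j in range(n)]  # odd powers are the roots of X^n + 1
    raise ValueError("no primitive m-th root of unity found")


def poly_mul_plain(a, b, q):
    """Product in Z_q[X] without reduction."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return res


def ring_mul(a, b, n, q):
    """Product in R_q: reduce modulo X^n + 1 using X^n = -1."""
    prod = poly_mul_plain(a, b, q)
    res = [0] * n
    for k, coef in enumerate(prod):
        if k < n:
            res[k] = (res[k] + coef) % q
        else:
            res[k - n] = (res[k - n] - coef) % q
    return res


def crt_basis(n, q):
    """Lagrange interpolation over the roots: c_i(r_j) = delta_ij, i.e. c_i = delta_ij (mod q_j)."""
    roots = find_roots(n, q)
    basis = []
    for i, ri in enumerate(roots):
        num, denom = [1], 1
        for j, rj in enumerate(roots):
            if j != i:
                num = poly_mul_plain(num, [(-rj) % q, 1], q)   # multiply by (X - r_j)
                denom = denom * (ri - rj) % q
        c = [x * pow(denom, -1, q) % q for x in num]
        basis.append(c + [0] * (n - len(c)))
    return roots, basis


def crt_coeffs(u, roots, q):
    """CRT coefficients (u_1, ..., u_n): u mod q_i is the evaluation u(r_i)."""
    return [sum(coef * pow(r, k, q) for k, coef in enumerate(u)) % q for r in roots]


def from_crt_coeffs(coeffs, basis, q):
    """Inverse map: u = sum_i u_i * c_i."""
    n = len(basis)
    return [sum(ui * ci[k] for ui, ci in zip(coeffs, basis)) % q for k in range(n)]


def crt_dimensionality(u, roots, q):
    """The set { i : u_i != 0 }."""
    return {i for i, ui in enumerate(crt_coeffs(u, roots, q)) if ui != 0}


def check_homomorphism(n, q, trials=20, seed=1):
    """Ring operations in R_q become coordinate-wise operations on CRT coefficients."""
    roots, basis = crt_basis(n, q)
    rng = random.Random(seed)
    for _ in range(trials):
        u = [rng.randrange(q) for _ in range(n)]
        v = [rng.randrange(q) for _ in range(n)]
        uc, vc = crt_coeffs(u, roots, q), crt_coeffs(v, roots, q)
        if crt_coeffs(ring_mul(u, v, n, q), roots, q) != [a * b % q for a, b in zip(uc, vc)]:
            return False
        if crt_coeffs([(a + b) % q for a, b in zip(u, v)], roots, q) != [(a + b) % q for a, b in zip(uc, vc)]:
            return False
        if from_crt_coeffs(uc, basis, q) != u:
            return False
    return True


def single_coordinate_product(s, i, n, q):
    """c_i * s = s_i * c_i: the product depends on s only through its i-th CRT coefficient.

    Returns (whether the identity holds, CRT-dimensionality of c_i * s).
    """
    roots, basis = crt_basis(n, q)
    s_i = crt_coeffs(s, roots, q)[i]
    prod = ring_mul(basis[i], s, n, q)
    return prod == [s_i * x % q for x in basis[i]], crt_dimensionality(prod, roots, q)


if __name__ == "__main__":
    n, q = 4, 17                       # constructed toy parameters: m = 8, 17 = 1 (mod 8)
    roots, basis = crt_basis(n, q)
    print("roots of X^4 + 1 mod 17:", roots)
    for i, c in enumerate(basis):
        print(f"c_{i} = {c}, CRT coefficients = {crt_coeffs(c, roots, q)}")
    print("homomorphism holds:", check_homomorphism(n, q))
    print("c_2 * s keeps only s_2:", single_coordinate_product([1, 2, 3, 4], 2, n, q))
```

Evaluation at a root $r_i$ is used for "reduction mod $\mathfrak{q}_i$" because $X^n + 1$ vanishes at $r_i$, so reducing a product modulo $X^n + 1$ does not change its value there; this is exactly why the map to $\mathbb{F}_q^n$ respects multiplication in $R_q$. The last function is the property behind the attack's name: a query $x$ whose CRT-dimensionality is a single index $\{i\}$ interacts with the secret only inside the small field $R/\mathfrak{q}_i \cong \mathbb{F}_q$.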