Content deleted Content added
NbspCleaner (talk | contribs) m fix nbsp typo |
→The key exchange: fixed typo Z_a not Zq Tags: Mobile edit Mobile web edit |
||
| (26 intermediate revisions by 21 users not shown) | |||
Line 1:
{{technical|date=June 2015}}
In [[cryptography]], a [[key exchange|public key exchange]] algorithm is a [[cryptographic algorithm]] which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The '''[[ring learning with errors]] key exchange''' ('''RLWE-KEX''') is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a [[quantum computer]]. This is important because some [[public key algorithm]]s in use today will be easily broken by a quantum computer if
== Background ==
Since the 1980s the security of cryptographic [[key exchange]]s and [[digital signature]]s over the Internet has been primarily based on a small number of [[public key]] algorithms. The security of these algorithms is based on a similarly small number of computationally hard problems in classical computing. These problems are the difficulty of [[Integer factorization|factoring the product of two carefully chosen prime numbers]], the difficulty to compute [[discrete logarithms]] in a carefully chosen finite field, and the difficulty of computing discrete logarithms in a carefully chosen [[elliptic curve]] group. These problems are very difficult to solve on a classical computer (the type of computer the world has known since the 1940s through today) but are rather easily solved by a relatively small [[Quantum computing|quantum computer]] using only 5 to 10 thousand of bits of memory. There is optimism in the computer industry that larger scale quantum computers will be available around 2030. If a [[quantum computer]] of sufficient size were built, all of the public key algorithms based on these three classically hard problems would be insecure. This public key cryptography is used today to secure Internet websites, protect computer login information, and prevent our computers from accepting malicious software.
Cryptography that is not susceptible to attack by a quantum computer is referred to as [[post-quantum cryptography|quantum safe]], or [[post-quantum cryptography]]. One class of quantum resistant cryptographic algorithms is based on a concept called "[[learning with errors]]" introduced by [[Oded Regev (computer scientist)|Oded Regev]] in 2005.<ref name=":4">{{Cite book
There are a variety of cryptographic algorithms which work using the RLWE paradigm. There are [[Public-key cryptography|public-key encryption]] algorithms, [[homomorphic encryption]] algorithms, and [[Ring learning with errors signature|RLWE digital signature]] algorithms in addition to the public key, key exchange algorithm presented in this article
Line 15:
== Introduction ==
Starting with a [[Prime number|prime]] integer q, the [[
In 2014, Peikert presented a key-transport scheme<ref>{{Cite journal|last=Peikert|first=Chris|date=2014-01-01|title=Lattice Cryptography for the Internet|journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2014/070}}</ref> following the same basic idea of Ding's, where the new idea of sending an additional 1-bit signal for rounding in Ding's construction is also used.
The "New Hope" implementation<ref>{{Cite journal|last1=Alkim|first1=Erdem|last2=Ducas|first2=Léo|last3=Pöppelmann|first3=Thomas|last4=Schwabe|first4=Peter|date=2015-01-01|title=Post-quantum key exchange - a new hope|journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2015/1092}}</ref> selected for Google's post-quantum experiment,<ref>{{Cite news|url=https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html|title=Experimenting with Post-Quantum Cryptography|newspaper=Google Online Security Blog|access-date=2017-02-08|language=en-US}}</ref> uses Peikert's scheme with variation in the error distribution.
For somewhat greater than 128 [[bits of security]], Singh presents a set of parameters which have 6956-bit public keys for the Peikert's scheme.<ref name=":1">{{Cite journal|last=Singh|first=Vikram|date=2015|title=A Practical Key Exchange for the Internet using Lattice Cryptography|journal=Cryptology ePrint Archive |url=http://eprint.iacr.org/2015/138}}</ref> The corresponding private key would be roughly 14,000 bits. An RLWE version of the classic MQV variant of a Diffie–Hellman key exchange was later published by Zhang et al. in 2014. The security of both key exchanges is directly related to the problem of finding approximate short vectors in an ideal lattice. This article will closely follow the RLWE work of Ding in "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem".<ref name=":0">{{Cite book|url=https://eprint.iacr.org/2012/688.pdf|title=A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem|last1=Ding|first1=Jintai|last2=Xie|first2=Xiang|last3=Lin|first3=Xiaodong|year=2012}}</ref> For this presentation a typical polynomial is expressed as:
: <math> a(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-3} x^{n-3} + a_{n-2} x^{n-2} + a_{n-1} x^{n-1} </math>
The coefficients <math>a_i</math> of this polynomial
The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm]]." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as integers in '''Z''' rather than <math>Zq</math> (i.e.from the set {−(''q'' − 1)/2,..., 0, ... (''q'' − 1)/2} ). The algorithm's security depends on an ability to generate random polynomials which are small with respect to the infinity norm. This is done simply by randomly generating the coefficients for a polynomial (s<sub>n-1</sub>, ..., s<sub>0</sub>) which are guaranteed or very likely to be small. There are two common ways to do this:
# Using [[Uniform distribution (discrete)|Uniform Sampling]] – The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let ''b'' be an integer that is much less than ''q''. If we randomly choose coefficients from the set: { −''b'', −b + 1, −b + 2. ... −2, −1, 0, 1, 2, ... , ''b'' − 2, ''b'' − 1, ''b''} the polynomial will be small with respect to the bound (b). Singh suggest using b = 5.<ref name=":1" /> Thus coefficients would be chosen from the set {''q'' − 5, ''q'' − 4, ''q'' − 3, ''q'' − 2, ''q'' − 1, 0, 1, 2, 3, 4, 5 }.
# Using [[Gaussian distribution|Discrete Gaussian]] Sampling – For an odd value for q, the coefficients are randomly chosen by sampling from the set { −(q − 1)/2 to (''q'' − 1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter ''σ''. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. An overview of Gaussian sampling is found in a presentation by Peikert.<ref>{{Cite web|title = An Efficient and Parallel Gaussian Sampler for Lattices|url = https://web.eecs.umich.edu/~cpeikert/pubs/slides-pargauss.pdf|website = www.cc.gatech.edu|
For the rest of this article, the random small polynomials will be sampled according to a distribution which is simply specified as '''D'''. Further q will be an odd prime such that q is congruent to 1 mod 4 and 1 mod 2n. Other cases for q and n are thoroughly discussed in "A Toolkit for Ring-LWE Cryptography" and in Singh's "Even More Practical Key Exchange for the Internet using Lattice Cryptography."<ref name=":2">{{Cite journal|
Given ''a''(''x'') as stated, we can randomly choose small polynomials ''s''(''x'') and ''e''(''x'') to be the "private key" in a public key exchange. The corresponding public key will be the polynomial ''p''(''x'') = ''a''(''x'')''s''(''x'') + 2''e''(''x'').
== The key exchange ==
The key exchange will take place between two devices. There will be an initiator for the key exchange designated as (I) and a respondent designated as (R). Both I and R know ''q'', ''n'', ''a''(''x''), and have the ability to generate small polynomials according to the distribution <math>\chi_\alpha</math> with parameter <math>\alpha</math>. The distribution <math>\chi_\alpha</math> is usually the discrete Gaussian distribution on the ring <math> R_q =
The key exchange begins with the initiator (I) doing the following:
Line 49 ⟶ 55:
# Receive <math>p_R</math> and <math>w</math> from the Responder.
# Sample <math>e'_I</math> from <math>\chi_\alpha</math> and Compute <math>k_I = p_Rs_I + 2e'_I = as_Is_R + 2e_Rs_I + 2e'_I</math>.
# Initiator side's key stream is produced as <math>sk_I = \operatorname{Mod}_2(k_I,w)</math> from the reconciliation information <math>w</math> and polynomial <math>k_I</math>.
Line 71 ⟶ 76:
== Parameter choices ==
The
For 128 bits of security, ''n'' = 512, ''q'' = 25601, and <math>\Phi(x) = x^{512} + 1</math>
Line 77 ⟶ 82:
For 256 bits of security, ''n'' = 1024, ''q'' = 40961, and <math>\Phi(x) = x^{1024} + 1</math>
Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter ''σ'' is <math display=inline>\frac{8
In their November 2015 paper, Alkim, Ducas,
Also in their November 2015 paper, Alkim, Ducas,
== Key exchange security ==
The security of this key exchange is based on the underlying hardness of [[ring learning with errors]] problem that has been proven to be as hard as the worst case solution to the [[shortest vector problem]] (SVP) in an [[ideal lattice cryptography|ideal lattice]].<ref name=":4" /><ref name=":0" /> The best method to gauge the practical security of a given set of lattice parameters is the BKZ 2.0 lattice reduction algorithm.<ref>{{Cite book
==Implementations==
In 2014 Douglas Stebila made [http://www.douglas.stebila.ca/research/papers/bcns15 a patch] for OpenSSL 1.0.1f. based on his work and others published in "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem."<ref>{{Cite journal|title = Post-quantum key exchange for the TLS protocol from the ring learning with errors problem|url = http://eprint.iacr.org/2014/599|date = 2014-01-01|
== Other approaches ==
A variant of the approach described above is an authenticated version in the work of Zhang, Zhang, Ding, Snook and Dagdelen in their paper, "Post Quantum Authenticated Key Exchange from Ideal Lattices."<ref>{{Cite
In November 2015, Alkim, Ducas,
== See also ==
Line 105:
* [[Ring learning with errors signature]]
* [[Ring learning with errors]]
== References ==
{{reflist}}
==External links==
{{ Cryptography navbox | public-key }}
[[Category:Cryptographic algorithms]]
[[Category:Post-quantum cryptography]]
[[Category:Lattice-based cryptography]]
| |||