Ring learning with errors key exchange: Difference between revisions

Cryptography that is not susceptible to attack by a quantum computer is referred to as [[Postpost-quantum cryptography|Quantumquantum Safesafe]], or [[Postpost-quantum cryptography|Post-Quantum cryptography]]. One class of quantum resistant cryptographic algorithms is based on a concept called "[[Learninglearning with errors]]" introduced by [[Oded Regev]] in 2005.<ref name=":4">{{Cite journal|title = On Lattices, Learning with Errors, Random Linear Codes, and Cryptography|url = http://doi.acm.org/10.1145/1060590.1060603|publisher = ACM|journal = Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing|date = 2005|___location = New York, NY, USA|isbn = 1-58113-960-8|pages = 84–93|series = STOC '05|doi = 10.1145/1060590.1060603|first = Oded|last = Regev}}</ref> A specialized form of Learning with errors operates within the [[Polynomialpolynomial ring|Ringring of Polynomialspolynomials]] over a [[Finitefinite field|Finite Field]]. This specialized form is called [[Ringring Learninglearning with Errorserrors]] or [[Idealideal lattice cryptography|RLWE]].

There are a variety of cryptographic algorithms which work using the RLWE paradigm. There are [[Public-key cryptography|public -key encryption]] algorithms, [[homomorphic encryption]] algorithms, and [[Ring learning with errors signature|RLWE digital signature]] algorithms in addition to the public key, key exchange algorithm presented in this article

A [[key exchange algorithm]] is a type of public key algorithm which establishes a shared secret key between two communicants on a communications link. The classic example of a key exchange is the [[Diffie–Hellman key exchange|Diffie-Hellman]] key exchange. The exchange consists of one transmission from one end of the line and one transmission from the other end of the link. [[Diffie–Hellman key exchange|Diffie-HellmanDiffie–Hellman]] and [[Ellipticelliptic curve Diffie–Hellman|Elliptic Curve Diffie-HellmanDiffie–Hellman]] are the two most popular key exchange algorithms.

The RLWE Key Exchange is designed to be a "[[Quantum Safe Cryptography|quantum safe]]" replacement for the widely used [[Diffie-HellmanDiffie–Hellman]] and [[Ellipticelliptic Curvecurve Diffie-HellmanDiffie–Hellman]] key exchanges that are used to secure the establishment of secret keys over untrusted communications channels. Like Diffie-HellmanDiffie–Hellman and Elliptic Curve Diffie-HellmanDiffie–Hellman, the Ring-LWE key exchange provides a cryptographic property called "[[forward secrecy]]"; the aim of which is to reduce the effectiveness of [[mass surveillance]] programs and ensure that there are no long term secret keys that can be compromised that would enable bulk decryption.

Starting with a [[Prime number|prime]] integer q, the [[Ringfing Learninglearning with Errorserrors|Ring-LWE]] key exchange works in the [[ring of polynomials]] modulo a polynomial <math>\Phi(x)</math> with coefficients in the field of integers mod q (i.e. the ring <math>R_q := Z_q[x] / \Phi(x)</math>). Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod <math>\Phi(x)</math>.

In 2014, Peikert<ref>{{Cite journal|last=Peikert|first=Chris|date=2014-01-01|title=Lattice Cryptography for the Internet|url=http://eprint.iacr.org/2014/070|journal=|volume=|issue=|doi=|pmid=|access-date=|via=}}</ref> presented a key transport scheme based on Ring-LWE. For somewhat greater than 128 [[bits of security]], Singh presents a set of parameters which have 6956-bit public keys for the Peikert's scheme.<ref name=":1">{{Cite journal|last=Singh|first=Vikram|date=2015|title=A Practical Key Exchange for the Internet using Lattice Cryptography|url=http://eprint.iacr.org/2015/138}}</ref> The corresponding private key would be roughly 14000 bits. An RLWE version of the classic MQV variant of a Diffie-HellmanDiffie–Hellman key exchange was later published by Zhang et al. in 2014. The security of both key exchanges is directly related to the problem of finding approximate short vectors in an ideal lattice.This article will closely follow the RLWE work of Ding in "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem".<ref name=":0">{{Cite book|url=https://eprint.iacr.org/2012/688.pdf|title=A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem|last=Ding|first=Jintai|last2=Xie|first2=Xiang|last3=Lin|first3=Xiaodong|publisher=|year=2012|isbn=|___location=|pages=|via=}}</ref> For this presentation a typical polynomial is expressed as:

: <math> a(x) = a₀a_0 + a₁a_1 x + a₂a_2 x^{^2} + ...\cdots + a_{a_{n-3}} x^{^{n-3}} + a_{x_{n-2}} x^{^{n-2}} + a_{a_{n-1}} x<sup>^{n-1} </supmath>

The coefficients of this polynomial, the ''a''_''i'''s, are integers &nbsp;mod &nbsp;''q''. The polynomial <math>\Phi(x)</math> will be the [[cyclotomic polynomial]]. When ''n'' is a power of 2 then <math>\Phi(x)</math> = x^{^n} +1.</math><ref name=":1" /><ref>{{Cite web|title = Cryptology ePrint Archive: Report 2015/1120|url = https://eprint.iacr.org/2015/1120|website = eprint.iacr.org|accessdate = 2015-12-23}}</ref>

The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm]]." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as integers in '''Z''' rather than <math>Zq</math> (i.e.from the set {-−(''q-''&nbsp;−&nbsp;1)/2,..., 0, ... (''q-''&nbsp;−&nbsp;1)/2} ). The algorithm's security depends on an ability to generate random polynomials which are small with respect to the infinity norm. This is done simply by randomly generating the coefficients for a polynomial (s_n-1, ..., s₀) which are guaranteed or very likely to be small. There are two common ways to do this:

# Using [[Uniform distribution (discrete)|Uniform Sampling]] -– The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let ''b'' be an integer that is much less than ''q''. If we randomly choose coefficients from the set: { -−''b'', -b−b&nbsp;+&nbsp;1, -b−b&nbsp;+&nbsp;2. ... -2−2, -1−1, 0, 1, 2, ... , ''b-''&nbsp;−&nbsp;2, ''b-''&nbsp;−&nbsp;1, ''b''} the polynomial will be small with respect to the bound (b). Singh suggest using b = 5.<ref name=":1" /> Thus coefficients would be chosen from the set { ''q-''&nbsp;−&nbsp;5, ''q-''&nbsp;−&nbsp;4, ''q-''&nbsp;−&nbsp;3, ''q-''&nbsp;−&nbsp;2, ''q-''&nbsp;−&nbsp;1, 0, 1, 2, 3, 4, 5 }.

# Using [[Gaussian distribution|Discrete Gaussian]] Sampling -– For an odd value for q, the coefficients are randomly chosen by sampling from the set { -−(q-&nbsp;−&nbsp;1)/2 to (''q-''&nsbp;−&nbsp;1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter &nbsp;''σ''. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. An overview of Gaussian sampling is found in a presentation by Peikert.<ref>{{Cite web|title = An Efficient and Parallel Gaussian Sampler for Lattices|url = https://web.eecs.umich.edu/~cpeikert/pubs/slides-pargauss.pdf|website = www.cc.gatech.edu|accessdate = 2015-05-29}}</ref>

Given ''a''(''x'') as stated, we can randomly choose small polynomials ''s''(''x'') and ''e''(''x'') to be the "private key" in a public key exchange. The corresponding public key will be the polynomial ''p''(''x'') = ''a''(''x'')''s''(''x'') + 2e2''e''(''x'').

== The Keykey Exchangeexchange ==

The key exchange will take place between two devices. There will be an initiator for the key exchange designated as (I) and a respondent designated as (R). Both I and R know ''q'', ''n'', ''a''(''x''), and have the ability to generate small polynomials according to the distribution <math>\chi_\alpha</math> with parameter <math>\alpha</math>. The distribution <math>\chi_\alpha</math> is usually the discrete gaussianGaussian distribution on the ring R<sub>q</submath> R_q = <math>Zq</math>[x]/<math>\Phi(x)</math>. The description which follows does not contain any explanation of why the key exchange results in the same key at both ends of a link. Rather, it succinctly specifies the steps to be taken. For a thorough understanding of why the key exchange results in the initiator and responder having the same key, the reader should look at the referenced work by Ding et al.<ref name=":0" />

# Compute <math>p_I = as_I + 2e_I.</math>.

# Use the signal function <math>\operatorname{Sig}</math> to find <math>w = \operatorname{Sig}(k_R) </math>. This is computed by applying <math>Sig</math> function on each coefficient of <math>k_R</math>

# Respondent side's key stream <math>sk_R = Mod_2\operatorname{Mod}_2(k_R,w)</math> is calculated, based on the reconciliation information <math>w</math> and the polynomial <math>k_R</math>.

# Initiator side's key stream is produced as <math>sk_I = Mod_2\operatorname{Mod}_2(k_I,w)</math> from the reconciliation information <math>w</math> and polynomial <math>k_I</math>.

In the above key exchange, <math>\operatorname{Sig}</math> is the signal function defined as below:

Define subset '''E''':=<math> \mathbf{E}:=\{-\lfloor \frac{q}{4} \rfloor,...\ldots,\lfloor \frac{q}{4}\rceil\}</math> of <math>Zq</math> = <math>\{-\frac{q-1}{2},...\ldots,\frac{q-1}{2}\}</math>. Here, <math>\lfloor.\rfloor</math> and <math>\lfloor.\rceil</math>denotes the floor and the rounding to the nearest integer respectively.

Function <math>\operatorname{Sig}</math> is the characteristic function of the complement of '''E'''.

<math>\operatorname{Sig}: Zq \rightarrow \{0,1\}</math>: <math>\operatorname{Sig}(v) = \begin{cases} 0, & \text{if } v \in E \\ 1, & \text{if } v \notin E. \end{cases} </math>

<math>Mod_2\operatorname{Mod}_2</math> is the mod 2 operation to eliminate the error terms defined as follows: <math>Mod_2\operatorname{Mod}_2 (v,w) = \biggl(v + w.\frac{q-1}{2}\Biggr)\text{bmod mod }q\text{ modbmod 2}</math>

The RWLE-KEX exchange presented above worked in the Ring of Polynomials of degree ''n-''&nbsp;−&nbsp;1 or less mod a polynomial <math>\Phi(x)</math>. The presentation assumed that n was a power of 2 and that q was a prime which was congruent to 1 (mod 2n). Following the guidance given in Peikert's paper, Singh suggested two sets of parameters for the RLWE-KEX.

For 128 bits of security, ''n'' = 512, ''q'' = 25601, and <math>\Phi(x)</math> = x^{^{512}} + 1</math>

For 256 bits of security, ''n'' = 1024, ''q'' = 40961, and <math>\Phi(x)</math> = x^{^{1024}} + 1</math>

Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter ''σ'' is 8/sqrt&radic;(2π2{{pi}}) and the uniform sampling bound (''b'') = 5 (see Singh),<ref name=":1" /> then the probability of key agreement failure is <u>less than</u> 2⁻⁷¹ for the 128-bit secure parameters and <u>less than</u> 2⁻⁹¹ for the 256-bit secure parameters.

A variant of the approach described above is an authenticated version in the work of Zhang, Zhang, Ding, Snook and Dagdelen in their paper, "Post Quantum Authenticated Key Exchange from Ideal Lattices."<ref>{{Cite web|title = Workshop on Cybersecurity in a Post-Quantum World|url = https://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm|website = www.nist.gov|accessdate = 2015-06-06}}</ref> The concept of creating what has been called a Diffie-HellmanDiffie–Hellman-like Key Exchange using lattices with a reconciliation function appears to have first been presented by French researchers Aguilar, Gaborit, Lacharme, Schrek, and Zemor at PQCrypto 2010 in their talk, "Noisy Diffie-HellmanDiffie–Hellman Protocols."<ref>{{Cite web|title = Noisy Diffie-HellmanDiffie–Hellman protocols|url = https://pqc2010.cased.de/rr/03.pdf|website = pqc2010.cased.de|accessdate = 2015-06-06}}</ref>