Abstract
Group key-exchange protocols allow a set of N parties to agree on a shared, secret key by communicating over a public network. A number of solutions to this problem have been proposed over the years, mostly based on variants of Diffie-Hellman (two-party) key exchange. To the best of our knowledge, however, there has been almost no work looking at candidate post-quantum group key-exchange protocols.
Here, we propose a constant-round protocol for unauthenticated group key exchange (i.e., with security against a passive eavesdropper) based on the hardness of the Ring-LWE problem. By applying the Katz-Yung compiler using any post-quantum signature scheme, we obtain a (scalable) protocol for authenticated group key exchange with post-quantum security. Our protocol is constructed by generalizing the Burmester-Desmedt protocol to the Ring-LWE setting, which requires addressing several technical challenges.
Notes
1. Note that CPA-secure key encapsulation is equivalent to two-round key exchange (with passive security).
References
Abdalla, M., Bresson, E., Chevassut, O., Pointcheval, D.: Password-based group key exchange in a constant number of rounds. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 427–442. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_28
Abdalla, M., Pointcheval, D.: A scalable password-based group key exchange protocol in the standard model. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 332–347. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_22
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without reconciliation. Cryptology ePrint Archive, Report 2016/1157 (2016). http://eprint.iacr.org/2016/1157
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 327–343. USENIX Association, Austin (2016)
Becker, K., Wille, U.: Communication complexity of group key distribution. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS 1998, pp. 1–6. ACM, New York (1998)
Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: 27th Annual ACM Symposium on Theory of Computing, Las Vegas, NV, USA, 29 May–1 June, pp. 57–66. ACM Press (1995)
Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9
Bohli, J.-M., Vasco, M.I.G., Steinwandt, R.: Password-authenticated constant-round group key establishment with a common reference string. Cryptology ePrint Archive, Report 2006/214 (2006). http://eprint.iacr.org/2006/214
Bohli, J.-M., Vasco, M.I.G., Steinwandt, R.: Secure group key establishment revisited. Int. J. Inf. Secur. 6(4), 243–254 (2007)
Boneh, D., et al.: Multiparty non-interactive key exchange and more from isogenies on elliptic curves. arXiv preprint arXiv:1807.03038 (2018)
Bresson, E., Catalano, D.: Constant round authenticated group key agreement via distributed computation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 115–129. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_9
Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_18
Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group Diffie-Hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_21
Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J.: Provably authenticated group Diffie-Hellman key exchange. In: 8th Conference on Computer and Communications Security, ACM CCS 2001, Philadelphia, PA, USA, 5–8 November, pp. 255–264. ACM Press (2001)
Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053443
Burmester, M., Desmedt, Y.: A secure and scalable group key exchange system. Inf. Process. Lett. 94(3), 137–143 (2005)
Choi, K.Y., Hwang, J.Y., Lee, D.H.: Efficient ID-based group key agreement with bilinear maps. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 130–144. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_10
Crockett, E., Peikert, C.: Challenges for ring-LWE. Cryptology ePrint Archive, Report 2016/782 (2016). http://eprint.iacr.org/2016/782
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). http://eprint.iacr.org/2012/688
Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58(301), 13–30 (1963)
Ingemarsson, I., Tang, D., Wong, C.: A conference key distribution system. IEEE Trans. Inf. Theor. 28(5), 714–720 (1982)
Katz, J., Shin, J.S.: Modeling insider attacks on group key-exchange protocols. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 180–189. ACM, New York (2005)
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. J. Cryptol. 20(1), 85–113 (2007)
Kim, Y., Perrig, A., Tsudik, G.: Simple and fault-tolerant key agreement for dynamic collaborative groups. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, CCS 2000, pp. 235–244. ACM, New York (2000)
Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Peikert, C.: Lattice cryptography for the internet. Cryptology ePrint Archive, Report 2014/070 (2014). http://eprint.iacr.org/2014/070
Steer, D.G., Strawczynski, L.: A secure audio teleconference system. In: 21st Century Military Communications - What’s Possible? Conference Record. Military Communications Conference, MILCOM 1988, October 1988
Steiner, M., Tsudik, G., Waidner, M.: Key agreement in dynamic peer groups. IEEE Trans. Parallel Distrib. Syst. 11(8), 769–780 (2000)
Wu, Q., Mu, Y., Susilo, W., Qin, B., Domingo-Ferrer, J.: Asymmetric group key agreement. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 153–170. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_9
Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_24
Acknowledgments
This material is based on work performed under financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology. Work by Dana Dachman-Soled was additionally supported in part by NSF grants #CNS-1840893 and #CNS-1453045, and by a research partnership award from Cisco.
A Correctness of the Group Key-Exchange Protocol
Theorem 4.1
Let \(\beta _{\mathsf {Rec}}\) be the parameter of the \(\mathsf {KeyRec}\) protocol and \(N, n, \rho , \sigma _1, \sigma _2\) the parameters of the GKE protocol \(\varPi \), and suppose that \((N^2 + 2N)\cdot \sqrt{n}\rho ^{3/2}\sigma _1^2 + (\frac{N^2}{2}+ 1)\sigma _1+ (N - 2)\sigma _2\le \beta _{\mathsf {Rec}}\) is satisfied. If all players honestly execute the group key-exchange protocol as described above, then each player derives the same key as input to \(\mathcal {H}\) with probability .
Proof
Given \(s_i, e_i, e_i', e_{N-1}'' \leftarrow \chi _{\sigma _1}\) and \(\hat{e}_0\leftarrow \chi _{\sigma _2}\) for all i as specified in protocol \(\varPi \), we begin with two lemmas. The first bounds the probability that every coordinate of \(s_i, e_i, e_i', e_{N-1}'',\hat{e}_0\) is “short” for all i; the second bounds, conditioned on that first event, the probability that every coefficient of the products \(s_ie_j\) is “short”.
Lemma A.1
Given \(s_i, e_i, e_i', e_{N-1}'', \hat{e}_0\) for all i as defined above, let \(\mathsf {bound}\) denote the event that for all i and all coordinate indices j, \(|(s_i)_j|\le c\sigma _1\), \(|(e_i)_j|\le c\sigma _1\), \(|(e_i')_j|\le c\sigma _1\), \(|(e_{N-1}'')_j|\le c\sigma _1\), and \(|(\hat{e}_0)_j |\le c\sigma _2\), where \(c = \sqrt{\frac{2\rho }{\pi \log e}}\). Then \({\mathrm {Pr}}[\mathsf {bound}] \ge 1 - 2^{-\rho }\).
Proof
Using the fact that the complementary error function satisfies \(\mathrm {erfc}(x) = \frac{2}{\sqrt{\pi }}\int _{x}^{\infty }e^{-t^2}dt \le e^{-x^2}\), we obtain
Note that in total 3nN coordinates are sampled from the distribution \(D_{{\mathbb {Z}}_q, \sigma _1}\) and n coordinates from the distribution \(D_{{\mathbb {Z}}_q, \sigma _2}\). Assuming \(3nN + n \le e^{c^2\pi /2}\), and since all coordinates are sampled independently, we bound \({\mathrm {Pr}}[\mathsf {bound}]\) as follows:
The last inequality follows as \(c = \sqrt{\frac{2\rho }{\pi \log e}}\). \(\square \)
Lemma A.2
Given \(s_i, e_i, e_i', e_{N-1}'', \hat{e}_0\) for all i as defined above, and \(\mathsf {bound}\) as defined in Lemma A.1, let \(\mathsf {product_{s_i, e_j}}\) denote the event that, for all coefficient indices v, \(|(s_ie_j)_v| \le \sqrt{n}\rho ^{3/2}\sigma _1^2\). We have
Proof
For \(t \in \{0, \ldots , n-1\}\), let \((s_{i})_{t}\) denote the \(t^{th}\) coefficient of \(s_i \in R_q\), namely, \(s_i = \sum _{t = 0}^{n - 1}(s_{i})_tX^t\); \((e_{j})_{t}\) is defined analogously. Since R is defined modulo \(X^n + 1\), it is easy to see that \((s_ie_j)_v = c_vX^v\), where \(c_v = \sum _{u = 0}^{n-1}(s_{i})_{u}(e_{j})_{v-u}^*\), with \((e_j)_{v-u}^* = (e_{j})_{v-u}\) if \(v-u \ge 0\) and \((e_{j})_{v-u}^* = - (e_{j})_{v-u + n}\) otherwise. Thus, conditioned on \(|(s_{i})_{t}| \le c\sigma _1\) and \(|(e_j)_{t}| \le c\sigma _1\) (for all i, j, t), where \(c = \sqrt{\frac{2\rho }{\pi \log e}}\), Hoeffding’s inequality [20] gives
since each product \((s_{i})_{u}(e_{j})_{v-u}^*\) in the sum is an independent random variable with mean 0 taking values in the range \([-c^2\sigma _1^2, c^2\sigma _1^2]\). Setting \(\delta = \sqrt{n}\rho ^{3/2}\sigma _1^2\), we obtain
Finally, by the union bound,
\(\square \)
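Lemmas A.1 and A.2 can be exercised numerically. The following is an added example (not code from the paper): it implements the coefficient formula for \(s_ie_j\) in \(R\) given in the proof of Lemma A.2, the events \(\mathsf {bound}\) and \(\mathsf {product}\), and one seeded sampling of all the noise terms of an honest run. It assumes the log in c is base 2 and stands in a rounded continuous Gaussian for the discrete Gaussian \(\chi _\sigma \); n, N and the widths are toy-sized.

```python
import math
import random

def c_const(rho):
    """c = sqrt(2*rho / (pi * log e)) from Lemma A.1, with log read as log2 (assumption)."""
    return math.sqrt(2 * rho / (math.pi * math.log2(math.e)))

def ring_mul(s, e):
    """Product in Z[X]/(X^n+1) via the formula of Lemma A.2:
    c_v = sum_u s_u * e*_{v-u}, e*_{v-u} = e_{v-u} if v-u >= 0 else -e_{v-u+n}.
    Coefficients stay as integers (no reduction mod q) since the lemma bounds their size."""
    n = len(s)
    out = []
    for v in range(n):
        c_v = 0
        for u in range(n):
            idx = v - u
            c_v += s[u] * (e[idx] if idx >= 0 else -e[idx + n])
        out.append(c_v)
    return out

def bound_event(vecs_sigma1, vecs_sigma2, rho, sigma1, sigma2):
    """Event 'bound': every coordinate lies within c*sigma of zero (Lemma A.1)."""
    c = c_const(rho)
    ok1 = all(abs(x) <= c * sigma1 for v in vecs_sigma1 for x in v)
    ok2 = all(abs(x) <= c * sigma2 for v in vecs_sigma2 for x in v)
    return ok1 and ok2

def product_event(s, e, rho, sigma1):
    """Event 'product_{s,e}': every coefficient of s*e is at most sqrt(n)*rho^(3/2)*sigma1^2."""
    limit = math.sqrt(len(s)) * rho ** 1.5 * sigma1 ** 2
    return all(abs(x) <= limit for x in ring_mul(s, e))

def sample_chi(n, sigma, rng):
    """Rounded Gaussian standing in for the discrete Gaussian chi_sigma (assumption)."""
    return [round(rng.gauss(0, sigma)) for _ in range(n)]

def trial(N, n, rho, sigma1, sigma2, seed=0):
    """Noise of one honest run: s_i, e_i, e_i' (i < N) and e''_{N-1} from chi_{sigma1},
    e_hat_0 from chi_{sigma2}. Returns (bound, product_ALL), product_ALL over all pairs s_i*e_j."""
    rng = random.Random(seed)
    s = [sample_chi(n, sigma1, rng) for _ in range(N)]
    e = [sample_chi(n, sigma1, rng) for _ in range(N)]
    e_prime = [sample_chi(n, sigma1, rng) for _ in range(N)]
    e_dprime, e_hat0 = sample_chi(n, sigma1, rng), sample_chi(n, sigma2, rng)
    bound = bound_event(s + e + e_prime + [e_dprime], [e_hat0], rho, sigma1, sigma2)
    product_all = all(product_event(s[i], e[j], rho, sigma1) for i in range(N) for j in range(N))
    return bound, product_all
```

Running `trial` over many seeds with the paper's parameter regime gives an empirical check of how often \(\mathsf {bound}\) and \(\mathsf {product_{ALL}}\) fail, to set against the \(2^{-\rho }\) bounds of the lemmas.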
We now analyze the probability that not all parties agree on the same final key. The correctness of \(\mathsf {KeyRec}\) guarantees that all parties of the group key-exchange protocol agree on the session key, i.e., \(k_i = k_{N-1}\) for all i, provided that for all j the \(j^{th}\) coefficient of \(b_{N-1} - b_i\) has absolute value at most \(\beta _{\mathsf {Rec}}\).
For better illustration, we first write \(X_0, \ldots , X_{N-1}\) in the form of a linear system as follows. Let \(\mathbf {X}= [X_0 \ \ X_1\ \ X_2\ \ \cdots \ \ X_{N-1}]^T\)
We denote the matrices above by \(\mathbf {M}, \mathbf {S}, \mathbf {E}\) from left to right, so that the linear system reads \(\mathbf {X}= \mathbf {M}\mathbf {S}+\mathbf {E}\). Setting \(\mathbf {B}_i = [i-1 \ \ i-2 \ \ \cdots \ \ 0 \ \ N-1 \ \ N-2 \ \ \cdots \ \ i]\), an N-dimensional vector, we can write \(b_i\) as \(\mathbf {B}_i\cdot \mathbf {X}+ N(as_is_{i-1} + s_ie_{i-1}) = \mathbf {B}_i\mathbf {M}\mathbf {S}+ \mathbf {B}_i\mathbf {E}+ N(as_is_{i-1} + s_ie_{i-1})\) for \(i\ne N-1\), and \(b_{N-1}\) as \(\mathbf {B}_{N-1}\mathbf {M}\mathbf {S}+ \mathbf {B}_{N-1}\mathbf {E}+ N(as_{N-1}s_{N-2} + s_{N-1}e_{N-2}) +e_{N-1}''\). It is straightforward to see that the entries of \(\mathbf {M}\mathbf {S}\) and the terms \(Nas_is_{i-1}\) cancel when computing \(b_{N-1} - b_i\). Thus we get
Observe that for an arbitrary \(i\in [N]\), any coordinate of the sum above contains at most \((N^2 + 2N)\) terms of the form \(s_ue_v\), at most \(N^2/2\) terms of the form \(e_w'\) where \(e_w' \leftarrow \chi _{\sigma _1}\), at most \(N-2\) terms \(e_0'\) where \(e_0' \leftarrow \chi _{\sigma _2}\), and one term of the form \( e_{N-1}''\). Let \(\mathsf {product_{ALL}}\) denote the event that for all the terms of the form \(s_ue_v\) observed above, each coefficient of such a term is bounded by \(\sqrt{n}\rho ^{3/2}\sigma _1^2\). By the union bound and the assumption \(2n(N^2 + 2N) \le 2^{\rho }\), it is straightforward to see that \({\mathrm {Pr}}[\overline{\mathsf {product_{ALL}}}|\mathsf {bound}] \le (N^2 + 2N)\cdot 2n2^{-2\rho } \le 2^{-\rho }\).
Let \(\mathsf {bad}\) be the event that not all parties agree on the same final key. Given that the constraint \((N^2 + 2N)\cdot \sqrt{n}\rho ^{3/2}\sigma _1^2 + (\frac{N^2}{2}+ 1)\sigma _1+ (N - 2)\sigma _2\le \beta _{\mathsf {Rec}}\) is satisfied, we have
which completes the proof. \(\square \)
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Apon, D., Dachman-Soled, D., Gong, H., Katz, J. (2019). Constant-Round Group Key Exchange from the Ring-LWE Assumption. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science, vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_11
DOI: https://doi.org/10.1007/978-3-030-25510-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25509-1
Online ISBN: 978-3-030-25510-7