Constant-Round Group Key Exchange from the Ring-LWE Assumption

Abstract

Group key-exchange protocols allow a set of N parties to agree on a shared, secret key by communicating over a public network. A number of solutions to this problem have been proposed over the years, mostly based on variants of Diffie-Hellman (two-party) key exchange. To the best of our knowledge, however, there has been almost no work looking at candidate post-quantum group key-exchange protocols.

Here, we propose a constant-round protocol for unauthenticated group key exchange (i.e., with security against a passive eavesdropper) based on the hardness of the Ring-LWE problem. By applying the Katz-Yung compiler using any post-quantum signature scheme, we obtain a (scalable) protocol for authenticated group key exchange with post-quantum security. Our protocol is constructed by generalizing the Burmester-Desmedt protocol to the Ring-LWE setting, which requires addressing several technical challenges.

A Correctness of the Group Key-Exchange Protocol

Theorem 4.1

Given \(\beta _{\mathsf {Rec}}\) as parameter of \(\mathsf {KeyRec}\) protocol, \(N, n, \rho , \sigma _1, \sigma _2\) as parameters of GKE protocol \(\varPi \), \((N^2 + 2N)\cdot \sqrt{n}\rho ^{3/2}\sigma _1^2 + (\frac{N^2}{2}+ 1)\sigma _1+ (N - 2)\sigma _2\le \beta _{\mathsf {Rec}}\) is satisfied, if all players honestly execute the group key exchange protocol as described above, then each player derive the same key as input of \(\mathcal {H}\) with probability .

Proof

Given \(s_i, e_i, e_i', e_{N-1}'' \leftarrow \chi _{\sigma _1}\), \(\hat{e}_0\leftarrow \chi _{\sigma _2}\) for all i as specified in protocol \(\varPi \), we begin by introducing the following lemmas to analyze probabilities that each coordinate of \(s_i, e_i, e_i', e_{N-1}'',\hat{e}_0\) are “short” for all i, and conditioned on the first event, \(s_ie_i\) are “short”.

Lemma A.1

Given \(s_i, e_i, e_i', e_{N-1}'', \hat{e}_0\) for all i as defined above, let \(\mathsf {bound}\) denote the event that for all i and all coordinate indices j, \(|(s_i)_j|\le c\sigma _1\), \(|(e_i)_j|\le c\sigma _1\), \(|(e_i')_j|\le c\sigma _1\), \(|(e_{N-1}'')_j|\le c\sigma _1\), and \(|(\hat{e}_0)_j |\le c\sigma _2\), where \(c = \sqrt{\frac{2\rho }{\pi \log e}}\), we have \({\mathrm {Pr}}[\mathsf {bound}] \ge 1 - 2^{-\rho }\).

Proof

Using the fact that complementary error function \(\mathrm {erfc}(x) = \frac{2}{\sqrt{\pi }}\int _{x}^{\infty }e^{-t^2}dt \le e^{-x^2}\), we obtain

$$\begin{aligned} {\mathrm {Pr}}[|v| \ge c\sigma + 1; v \leftarrow D_{{\mathbb {Z}}_q, \sigma }]&\le 2\sum _{x = \lfloor c\sigma + 1\rceil }^{\infty } D_{{\mathbb {Z}}_q, \sigma }(x) \le \frac{2}{\sigma }\int _{c\sigma }^{\infty }e^{-\frac{\pi x^2}{\sigma ^2}}dx\\&= \frac{2}{\sqrt{\pi }}\int _{\frac{\sqrt{\pi }}{\sigma }(c\sigma )}^{\infty }e^{-t^2}dt \le e^{-c^2 \pi }. \end{aligned}$$

Note that there are 3nN number of coordinates sampled from distribution \(D_{{\mathbb {Z}}_q, \sigma _1}\), and n number of coordinates sampled from distribution \(D_{{\mathbb {Z}}_q, \sigma _2}\) in total. Assume \(3nN + n \le e^{c^2\pi /2}\), since all the coordinates are sampled independently, we bound \({\mathrm {Pr}}[\mathsf {bound}]\) as follow:

The last inequality follows as \(c = \sqrt{\frac{2\rho }{\pi \log e}}\).   \(\square \)

Lemma A.2

Given \(s_i, e_i, e_i', e_{N-1}'', \hat{e}_0\) for all i as defined above, and \(\mathsf {bound}\) as defined in Lemma A.1, let \(\mathsf {product_{s_i, e_j}}\) denote the event that, for all coefficient indices v, \(|(s_ie_j)_v| \le \sqrt{n}\rho ^{3/2}\sigma _1^2\). we have

$${\mathrm {Pr}}[\mathsf {product_{s_i, e_j}}|\mathsf {bound}] \ge 1 - 2n\cdot 2^{-2\rho }.$$

Proof

For \(t \in \{0, \ldots , n-1\}\), Let \((s_{i})_{t}\) denote the \(t^{th}\) coefficient of \(s_i \in R_q\), namely, \(s_i = \sum _{t = 0}^{n - 1}(s_{i})_tX^i\). \((e_{j})_{t}\) is defined analogously. Since we have \(X^n + 1\) as modulo of R, it is easy to see that \((s_ie_j)_v = c_vX^v\), where \(c_v = \sum _{u = 0}^{n-1}(s_{i})_{u}(e_{j})_{v-u}^*\), and \((e_j)_{v-u}^* = (e_{j})_{v-u}\) if \(v-u \ge 0\), \((e_{j})_{v-u}^* = - (e_{j})_{v-u + n}\), otherwise. Thus, conditioned on \(|(s_{i})_{t}| \le c\sigma _1\) and \(|(e_j)_{t}| \le c\sigma _1\) (for all i, j, t) where \(c = \sqrt{\frac{2\rho }{\pi \log e}}\), by Hoeffding’s Inequality [20], we derive

$$\begin{aligned} {\mathrm {Pr}}[|(s_ie_j)_v| \ge \delta ] = {\mathrm {Pr}}\left[ \left| \sum _{u = 0}^{n-1}(s_{i})_{u}(e_{j})_{v-u}^*\right| \ge \delta \right] \le 2\exp \left( \frac{-2\delta ^2}{n(2c^2\sigma _1^2)^2}\right) , \end{aligned}$$

as each product \((s_{i})_{u}(e_{j})_{v-u}^*\) in the sum is an independent random variable with mean 0 in the range \([-c^2\sigma _1^2, c^2\sigma _1^2]\). By setting \(\delta = \sqrt{n}\rho ^{3/2}\sigma _1^2\), we obtain

$$\begin{aligned} {\mathrm {Pr}}[|(s_ue_v)_i| \ge \sqrt{n}\rho ^{3/2}\sigma _1^2] \le 2^{-2\rho + 1}. \end{aligned}$$

(8)

Finally, by Union Bound,

$$\begin{aligned} {\mathrm {Pr}}[\mathsf {product_{s_i, e_j}}|\mathsf {bound}] = {\mathrm {Pr}}[|(s_ie_j)_v| \le \sqrt{n}\rho ^{3/2}\sigma _1^2, \forall v] \ge 1 - 2n\cdot 2^{-2\rho }. \end{aligned}$$

(9)

   \(\square \)

Now we begin analyzing the chance that not all parties agree on the same final key. The correctness of \(\mathsf {KeyRec}\) guarantees that this group key exchange protocol has agreed session key among all parties \(\forall i, k_i = k_{N-1}\), if \(\forall j\), the \(j^{th}\) coefficient of \(|b_{N-1} - b_i| \le \beta _{\mathsf {Rec}}\).

For better illustration, we first write \(X_0, \ldots , X_{N-1}\) in form of linear system as follows. \(\mathbf {X}= [X_0 \ \ X_1\ \ X_2\ \ \cdots \ \ X_{N-1}]^T\)

$$\begin{aligned} = \underbrace{ \begin{bmatrix} 1&0&0&0&\dots&0&-1 \\ -1&1&0&0&\dots&0&0 \\ 0&-1&1&0&\dots&0&0 \\ 0&0&-1&1&\dots&0&0 \\ \vdots&\vdots&\vdots&\ddots&\vdots \\ 0&0&0&0&\dots&-1&1 \end{bmatrix} }_{ \mathbf {M}} \underbrace{ \begin{bmatrix} as_0s_1\\ as_1s_2\\ as_2s_3\\ as_3s_4\\ \vdots \\ as_{N-2}s_{N-1}\\ as_{N-1}s_0 \end{bmatrix} }_{ \mathbf {S}} + \underbrace{ \begin{bmatrix} s_0e_1-s_0e_{N-1}+e_0'\\ s_1e_2-s_1e_0+e_1'\\ s_2e_3-s_2e_1+e_2'\\ s_3e_4-s_3e_{2}+e_3'\\ \vdots \\ s_{N-2}e_{N-3}-s_{N-2}e_{N-3}+e_{N-2}'\\ s_{N-1}e_0-s_{N-1}e_{N-2}+e_{N-1}' \end{bmatrix} }_{\mathbf {E}}. \end{aligned}$$

(10)

We denote the matrices above by \(\mathbf {M}, \mathbf {S}, \mathbf {E}\) from left to right and have the linear system as \(\mathbf {X}= \mathbf {M}\mathbf {S}+\mathbf {E}\). By setting \(\mathbf {B}_i = [i-1 \ \ i-2 \ \ \cdots \ \ 0 \ \ N-1 \ \ N-2 \ \ \cdots \ \ i]\) as a N-dimensional vector, we can then write \(b_i\) as \(\mathbf {B}_i\cdot \mathbf {X}+ N(as_is_{i-1} + s_ie_{i-1}) = \mathbf {B}_i\mathbf {M}\mathbf {S}+ \mathbf {B}_i\mathbf {E}+ N(as_is_{i-1} + s_ie_{i-1})\), for \(i\ne N-1\) and write \(b_{N-1}\) as \(\mathbf {B}_{N-1}\mathbf {M}\mathbf {S}+ \mathbf {B}_{N-1}\mathbf {E}+ N(as_{N-1}s_{N-2} + s_{N-1}e_{N-2}) +e_{N-1}''\). It is straightforward to see that, entries of \(\mathbf {M}\mathbf {S}\) and \(Nas_is_{i-1}\) are eliminated through the process of computing \(b_{N-1} - b_i\). Thus we get

$$\begin{aligned}&b_{N-1} - b_i = \left( \mathbf {B}_{N-1} - \mathbf {B}_{i}\right) \mathbf {E}+ N(s_{N-1}e_{N-2} - s_ie_{i-1}) + e_{N-1}''\\ =&\left( N - i - 1\right) \cdot \left( \sum _{\begin{array}{c} j \in {\mathbb {Z}}\cap [0, i-1]\\ \text {and} j = N-1 \end{array}}s_je_{j+1}-s_je_{j-1} + e_j'\right) + e_{N-1}''\\&+ (-i-1)\left( \sum _{j = i}^{N-2}s_je_{j+1}-s_je_{j-1} + e_{j}'\right) + N(s_{N-1}e_{N-2} - s_ie_{i-1}) \end{aligned}$$

Observe that for an arbitrary \(i\in [N]\), there are at most \((N^2 + 2N)\) terms in form of \(s_ue_v\), at most \(N^2/2\) terms in form of \(e_w'\) where \(e_w' \leftarrow \chi _{\sigma _1}\), at most \(N-2\) terms of \(e_0'\), where \(e_0' \leftarrow \chi _{\sigma _2}\), and one term in form of \( e_{N-1}''\) in any coordinate of the sum above. Let \(\mathsf {product_{ALL}}\) denote the event that for all the terms in form of \(s_ue_v\) observed above, each coefficient of such term is bounded by \(\sqrt{n}\rho ^{3/2}\sigma _1^2\). By Union Bound and by assuming \(2n(N^2 + 2N) \le 2^{\rho }\), it is straightforward to see \({\mathrm {Pr}}[\overline{\mathsf {product_{ALL}}}|\mathsf {bound}] \le (N^2 + 2N)\cdot 2n2^{-2\rho } \le 2^{-\rho }\).

Let \(\mathsf {bad}\) be the event that not all parties agree on the same final key. Given the constraint \((N^2 + 2N)\cdot \sqrt{n}\rho ^{3/2}\sigma _1^2 + (\frac{N^2}{2}+ 1)\sigma _1+ (N - 2)\sigma _2\le \beta _{\mathsf {Rec}}\) satisfied, we have

$$\begin{aligned} {\mathrm {Pr}}[\mathsf {bad}]&= {\mathrm {Pr}}[\mathsf {bad}|\mathsf {bound}] \cdot {\mathrm {Pr}}[\mathsf {bound}] + {\mathrm {Pr}}[\mathsf {bad}|\overline{\mathsf {bound}}]\cdot {\mathrm {Pr}}[\overline{\mathsf {bound}}]\end{aligned}$$

(11)

$$\begin{aligned}&\le {\mathrm {Pr}}[\overline{\mathsf {product_{ALL}}}]\cdot 1 + 1\cdot {\mathrm {Pr}}[\overline{\mathsf {bound}}] \le 2\cdot 2^{-\rho }, \end{aligned}$$

(12)

which completes the proof.   \(\square \)