Group Key Exchange Compilers from Generic Key Exchanges

  • Conference paper
Network and System Security (NSS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13041)

Abstract

We propose a group key exchange compiler using any two-party key exchange for which the shared key space is the subset of a group and whose security reduces to a decisional hard problem, such that the security of the group key exchange relies on the security of the two-party key exchange and, in turn, the hardness of the underlying decisional problem.

This work is a generalization of the multicast Burmester-Desmedt group key exchange in a modified G-CK\(^+\) security model.

For n parties, the group key exchange protocol has constant round complexity and communicational complexity \(O(\log _2 n)\). We also present a peer-to-peer version with round complexity \(O(\log _2 n)\) and constant communicational complexity.

Notes

  1. Suzuki and Yoneyama [17] define their sessions with a ‘role’ for a party, which may be indexed differently from the party index, as well as a corresponding ‘player’ definition. In our protocols, the role of a party is determined by the placement in the double-tree (see Sect. 3), which in turn is determined by the index of the party, which can be altered as needed, hence the role is uniquely determined by the party index. We therefore remove this ‘role’ (and ‘player’) from our definition of session.

  2. Suzuki and Yoneyama [17] assume that each party receives public keys from all other parties, but this forces a GKE to have at least linear order in n, which we aim to avoid, hence we have altered the model slightly. In the end, parties only need as many keys as are relevant or necessary to compute the session key, which our alteration highlights.

  3. Note that “\(+\)” could be used instead, but the notation is pedagogical for our compiler. We also do not assume that the group is abelian. Furthermore, note that any set S can be made into a group, namely the Free Group, or Universal Group, generated by S, so this requirement is trivially satisfied. For computation purposes however, we assume that the group operation is efficient.

  4. This means that at most a single secondary key is chosen per party as each party has only a single parent.

  5. This means that at most a single secondary key is chosen per party as each party has only a single parent.

  6. The products in these x values could also be reversed, as long as the rest of the procedure remains consistent, for example in the \(\mathbf {KeyGen} \mathbf{and} \mathbf {Publish_{3}}\) round, regardless of the commutativity of the group.

  7. In doing so, we assume that multicasting a message does not depend on the number of receivers but that receiving l messages means that the receiver incurs a cost of l, even if all messages are received in a single round. The reason for this is that it takes into account that receiving messages requires being online and also storing said messages while multicasting is usually a one-time operation.

  8. https://sike.org/.

  9. Both must remain secret, so essentially, this is a single secret key in the form of a pair.

References

  1. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society (2015). http://dblp.uni-trier.de/db/conf/sp/sp2015.html#BosCNS15

  2. Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.J.: Provably authenticated group Diffie-Hellman key exchange. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS 2001, pp. 255–264. Association for Computing Machinery, New York (2001). https://doi.org/10.1145/501983.502018

  3. Bresson, E., Manulis, M.: Securing group key exchange against strong corruptions. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2008, pp. 249–260. Association for Computing Machinery, New York (2008)

  4. Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053443

  5. Burmester, M., Desmedt, Y.G.: Efficient and secure conference-key distribution. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 119–129. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62494-5_12

  6. De Feo, L., Jao, D.: defeo/sidh-paper. https://github.com/defeo/sidh-paper/blob/master/eprint.tex

  7. Desmedt, Y., Lange, T., Burmester, M.: Scalable authenticated tree based group key exchange for ad-hoc groups. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 104–118. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77366-5_12

  8. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (2006). https://doi.org/10.1109/TIT.1976.1055638

  9. Feo, L.D., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015

  10. Furukawa, S., Kunihiro, N., Takashima, K.: Multi-party key exchange protocols from supersingular isogenies. In: 2018 International Symposium on Information Theory and Its Applications (ISITA), pp. 208–212 (2018)

  11. Hougaard, H.B., Miyaji, A.: SIT: supersingular isogeny tree-based group key exchange. In: 15th Asia Joint Conference on Information Security, AsiaJCIS 2020, Taipei, Taiwan, 20–21 August 2020, pp. 46–53. IEEE (2020). https://doi.org/10.1109/AsiaJCIS50894.2020.00019

  12. Hougaard, H.B., Miyaji, A.: Tree-based ring-LWE group key exchanges with logarithmic complexity. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 91–106. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_6

  13. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  14. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). https://eprint.iacr.org/2012/688

  15. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. J. Cryptol. 20(1), 85–113 (2007)

  16. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  17. Suzuki, K., Yoneyama, K.: Exposure-resilient one-round tripartite key exchange without random oracles. IEICE Trans. 97-A(6), 1345–1355 (2014). https://doi.org/10.1587/transfun.E97.A.1345

Thanks and Acknowledgment

This work is partially supported by CREST (JPMJCR1404) at Japan Science and Technology Agency, enPiT (Education Network for Practical Information Technologies) at MEXT, and Innovation Platform for Society 5.0 at MEXT.

Author information

Corresponding author

Correspondence to Hector B. Hougaard.

Appendices

Appendix 1 SIDH Key Exchange and Hard Problem

We assume knowledge of elliptic curves. An isogeny may be understood as a non-zero rational homomorphism between two elliptic curves, generated by a subgroup of the first curve. Finding the isogeny between them is called the isogeny finding problem. We define the SIDH key exchange by Jao and De Feo [9, 13] in the form of the supersingular isogeny key encapsulation (SIKE; see Note 8) protocol as given by Furukawa et al. in [10].

Consider the SIDH key exchange between parties \(\mathcal {P}_0\) and \(\mathcal {P}_1\). Given a security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs \((p,E,\{P_0,Q_0\},\{P_1,Q_1\})\), where \(p=f\ell _0^{e_0}\ell _1^{e_1}\pm 1\) is prime for a small integer \(f>0\) and with \(\ell _0^{e_0}\approx \ell _1^{e_1}\) (usually \(\ell _0 = 2\) and \(\ell _1=3\)), E is a randomly chosen supersingular elliptic curve over \(\mathbb {F}_{p^2}\) such that \(\#E(\mathbb {F}_{p^2}) = (p\pm 1)^2\), and \(\{P_i,Q_i\}\) is a randomly chosen basis of \(E[\ell _i^{e_i}]\) for \(i=0,1\).

Protocol 8

(Supersingular isogeny Diffie-Hellman (SIDH) key exchange [10]). For parties \(\mathcal {P}_0\) and \(\mathcal {P}_1,\) the SIDH protocol is as follows:

  • Setup: For the security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs to both parties the tuple of public parameters:

    $$\begin{aligned} \mathfrak {P} = (\mathfrak {P}_0,\mathfrak {P}_1) =((p,E,\{P_0,Q_0\},\{P_1,Q_1\}),(p,E,\{P_1,Q_1\},\{P_0,Q_0\})) \leftarrow \mathsf {Gen}(1^\lambda ), \end{aligned}$$

    where \(\mathfrak {P}_0,\mathfrak {P}_1\) are party-specific tuples.

  • Publish: Each party \(\mathcal {P}_i\), for \(i=0,1\), chooses \(r_i\overset{R}{\leftarrow } \mathbb {Z}/\ell _i^{e_i}\mathbb {Z}\) uniformly at random and computes \(R_i := P_i + [r_i]Q_i\). Then it computes the isogeny \(\phi _i: E \rightarrow E_i \cong E/\langle R_i \rangle \) having \(\ker (\phi _i)= \langle R_i \rangle \), as well as the points \(\phi _i(P_{1-i})\) and \(\phi _i(Q_{1-i})\). \(\mathcal {P}_i\) has secret and public keys

    $$\begin{aligned} sk_i:= r_i \text { and } pk_i := (E_i, \phi _i(P_{1-i}),\phi _i(Q_{1-i})), \end{aligned}$$

    of which it sends \(pk_i\) to \(\mathcal {P}_{1-i}\).

  • KeyGen: Party \(\mathcal {P}_i\) takes \(pk_{1-i}\) as input and computes an isogeny \(\phi '_i:= E_{1-i} \rightarrow E_{{1-i},i}\) with \(\ker (\phi '_i) = \langle \phi _{1-i}(R_i) \rangle \) and computes \(k_i = j(E_{{1-i},i})\in \mathbb {F}_{p^2}\) (see Fig. 3).

It holds that \(E_{1,0} = \phi '_0(\phi _1(E)) \cong \phi '_1(\phi _0(E)) = E_{0,1},\) i.e. \(k_0 = j(E_{1,0}) = j(E_{0,1}) = k_1\), such that \(\mathcal {P}_0\) and \(\mathcal {P}_1\) have the shared key \(k=k_0=k_1\).

Fig. 3. SIDH key exchange. Quantities only known by \(\mathcal {P}_0\), respectively \(\mathcal {P}_1\), are drawn in red, respectively blue. The dotted lines signify public keys being exchanged. (Original TikZ code courtesy of De Feo via GitHub [6].)

The following definition is taken from De Feo et al. [9] with minor changes to fit our notation.

Definition 6

(Supersingular decisional Diffie-Hellman (SSDDH) problem). Given a tuple sampled with probability 1/2 from one of the following two distributions:

  • \((\mathfrak {P},(pk_0,pk_1),k),\) where \(\mathfrak {P},pk_0=(E_0,\phi _0(P_1),\phi _0(Q_1)),\) and \(pk_1=(E_1,\phi _1(P_0),\phi _1(Q_0))\) are as in the SIDH protocol (Definition 8) and \(k=E_{0,1} \cong E/\langle P_0 + [r_0]Q_0, P_1 + [r_1]Q_1\rangle ,\)

  • \((\mathfrak {P},(pk_0,pk_1),k'),\) where \(\mathfrak {P},pk_0=(E_0,\phi _0(P_1),\phi _0(Q_1)),\) and \(pk_1=(E_1,\phi _1(P_0),\phi _1(Q_0))\) are as in the SIDH protocol (Definition 8) and \(k' = E_{x} \cong E/\langle P_0 + [r'_0]Q_0, P_1 + [r'_1]Q_1\rangle ,\) where \(r'_0\) (respectively \(r'_1\)) is chosen at random from \(\mathbb {Z}/\ell _0^{e_0}\mathbb {Z}\) (respectively \(\mathbb {Z}/\ell _1^{e_1}\mathbb {Z}\)),

determine from which distribution the tuple is sampled.

Theorem 9

(Security of SIDH [9]). Under the SSDDH assumption, the key-agreement protocol of Definition 8 is session-key secure in the authenticated-links adversarial model of Canetti and Krawczyk.

Appendix 2 R-LWE Key Exchange and Hard Problem

Although R-LWE protocols are usually expected to reduce to the R-LWE problem, Bos et al. [1] give a Diffie-Hellman-like definition of indistinguishability that takes Peikert’s key reconciliation into consideration and show how it reduces to the hardness of the R-LWE problem. All definitions are taken from Bos et al. [1].

Let \(\mathbb {Z}\) be the ring of integers and denote \([ N ] = \{0,1,\ldots ,N-1\}\). In this article, we set \(R= \mathbb {Z}[X]/(f(X))\) where \(f(X)=X^n+1\) for \(n=2^l,l>0\) for some l. We let q be a modulus defining the quotient ring \(R_q = R/qR \cong \mathbb {Z}_q[X]/(f(X))\), where \(\mathbb {Z}_q = \mathbb {Z}/q\mathbb {Z}\).

Definition 7

(Decisional R-LWE (D-R-LWE) problem). Let the values n, R, q and \(R_q\) be as above. Let \(\chi \) be a distribution over R and let \(s\overset{R}{\leftarrow } \chi \). Define \(O_{\chi ,s}\) as an oracle that does the following:

  1. Sample \(a\overset{R}{\leftarrow } R_q\) and \(e\overset{R}{\leftarrow } \chi \),

  2. Return \((a,as+e)\in R_q\times R_q\).

The decisional R-LWE problem for \(n,q,\chi \) is to distinguish \(O_{\chi ,s}\) from an oracle that returns uniformly random samples from \(R_q\times R_q\).

Let \(\left\lceil \cdot \right\rfloor \) denote the rounding function: \(\left\lceil x\right\rfloor = z\) for \(z\in \mathbb {Z}\) and \(x \in [z-1/2 , z + 1/2)\).

Definition 8

([1], Definition 2). Let q be a positive integer. Define the modular rounding function \(\left\lceil \cdot \right\rfloor _{q,2}: \mathbb {Z}_q \rightarrow \mathbb {Z}_2, x\mapsto \left\lceil x\right\rfloor _{q,2} = \left\lceil \tfrac{2}{q}x\right\rfloor \mod 2,\) and the cross-rounding function \(\left\langle \cdot \right\rangle _{q,2}: \mathbb {Z}_q \rightarrow \mathbb {Z}_2, x \mapsto \left\langle x\right\rangle _{q,2} = \lfloor \tfrac{4}{q}x \rfloor \mod 2.\) Both functions are extended to elements of \(R_q\) coefficient-wise: for \(f=f_{n-1}X^{n-1}+\cdots +f_1X+f_0 \in R_q\), define

$$\begin{aligned} \left\lceil f\right\rfloor _{q,2}&= \left( \left\lceil f_{n-1}\right\rfloor _{q,2}, \left\lceil f_{n-2}\right\rfloor _{q,2},\ldots ,\left\lceil f_0\right\rfloor _{q,2}\right) , \\ \left\langle f\right\rangle _{q,2}&= \left( \left\langle f_{n-1}\right\rangle _{q,2}, \left\langle f_{n-2}\right\rangle _{q,2},\ldots ,\left\langle f_0\right\rangle _{q,2}\right) . \end{aligned}$$

We also define the randomized doubling function \(\mathtt {dbl}: \mathbb {Z}_q \rightarrow \mathbb {Z}_{2q}, x\mapsto \mathtt {dbl}(x) = 2x-e,\) where e is sampled from \(\lbrace -1,0,1 \rbrace \) with probabilities \(p_{-1} = p_1 = \tfrac{1}{4}\) and \(p_0=\tfrac{1}{2}\).

The doubling function may be applied to elements in \(R_q\) by applying it on each of the coefficients, as done with the rounding functions. Such an application of the doubling function results in a polynomial in \(R_{2q}\). The reason for considering such a doubling function is that this allows for odd q.

The rounding of the doubling function on a uniformly random element in \(\mathbb {Z}_q\) results in a uniformly random element in \(\mathbb {Z}_{2q}\).

Lemma 1

([1], Lemma 1). For odd q, if \(v\in \mathbb {Z}_q\) is uniformly random and \(\overline{v}\overset{R}{\leftarrow }\mathtt {dbl}(v)\in \mathbb {Z}_{2q}\), then \(\left\lceil \overline{v}\right\rfloor _{2q,2}\) is uniformly random, given \(\left\langle \overline{v}\right\rangle _{2q,2}\).

We may now define Peikert’s reconciliation function, \(\mathtt {rec}(\cdot )\), which recovers \(\left\lceil v\right\rfloor _{q,2}\) from an element \(w\in \mathbb {Z}_q\) that is “close” to the original \(v\in \mathbb {Z}_q\), given only w and the cross-rounding of v.

Definition 9

Define sets \(I_0 = \{ 0,1,\ldots ,\left\lceil \tfrac{q}{2}\right\rfloor -1\}\) and \(I_1 = \{ -\left\lceil \tfrac{q}{2}\right\rfloor ,\ldots , -1 \}\). Let \(E=[ - \tfrac{q}{4}, \tfrac{q}{4} )\), then define the map \(\mathtt {rec}: \mathbb {Z}_{2q} \times \mathbb {Z}_2 \rightarrow \mathbb {Z}_2\),

$$\begin{aligned} (w,b)\mapsto {\left\{ \begin{array}{ll} 0, \text { if } w\in I_b + E \mod 2q, \\ 1, \text { otherwise }. \end{array}\right. } \end{aligned}$$

Reconciliation of a polynomial in \(R_q\) is done coefficient-wise so the following lemma allows us to reconcile two polynomials in \(R_q\) that are close to each other.

Lemma 2

([1], Lemma 2). For odd q, let \(v=w+e\in \mathbb {Z}_q\) for \(w,e\in \mathbb {Z}_q\) such that \(2e\pm 1\in E \pmod {q}\). Let \(\overline{v}= \mathtt {dbl}(v)\), then \(\mathtt {rec}(2w,\left\langle \overline{v}\right\rangle _{2q,2}) = \left\lceil \overline{v}\right\rfloor _{2q,2}\).

We may finally define the R-LWE key exchange below. Given a security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs \(\mathfrak {I}=(n,R,q,R_q)\) as in the D-R-LWE problem (Definition 7), a distribution \(\chi \) on \(R_q\) (usually the Discrete Gaussian distribution), and a uniformly random \(a\overset{R}{\leftarrow } R_q\).

Protocol 10

(R-LWE key exchange w/ Peikert’s tweak [14, 16]). Parties \(\mathcal {P}_0\) and \(\mathcal {P}_1\) generate an R-LWE key exchange w/ Peikert’s tweak protocol as follows:

  • \(\mathbf {Setup}\): For the security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs to both parties the tuple of public parameters: \(\mathfrak {P}=(\mathfrak {I}, \chi , a) \leftarrow \mathsf {Gen}(1^\lambda ).\)

  • \(\mathbf {Publish_1}\): Each party \(\mathcal {P}_i\) chooses \(s_i,e_i\overset{R}{\leftarrow } \chi \) as their secret key and error key (see Note 9), respectively, computes their public key \(b_i = as_i + e_i\in R_q\), and sends their public key \(b_i\) to party \(\mathcal {P}_{1-i}\).

  • \(\mathbf {Publish_2}\): Party \(\mathcal {P}_1\), upon receiving \(b_0\) from \(\mathcal {P}_0\), chooses a new error key \(e'_1\overset{R}{\leftarrow } \chi \), computes \(v = b_0s_1 + e'_1\in R_q\), and applies the randomized doubling function to v to obtain \(\overline{v}\overset{R}{\leftarrow }\mathtt {dbl}(v)\in R_{2q}\). Using the cross-rounding function, \(\mathcal {P}_1\) computes \(c = \left\langle \overline{v}\right\rangle _{2q,2}\in \{ 0,1\}^n\) and sends c to \(\mathcal {P}_0\).

  • \(\mathbf {KeyGen}\): In order to generate the final key, party \(\mathcal {P}_0\) uses the reconciliation function to output \(k_0 \leftarrow \mathtt {rec}(2b_1s_0,c)\in \{0,1\}^n\). Party \(\mathcal {P}_1\) simply computes \(k_1 = \left\lceil \overline{v}\right\rfloor _{2q,2}\in \{0,1\}^n\).

Except with negligible probability \(k_0= k_1 = k\), i.e. this protocol satisfies correctness.
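The following Python sketch is an added example, not code from the paper or from Bos et al.: it implements the rounding, cross-rounding, doubling and reconciliation functions of Definitions 8 and 9 for odd q, checks Lemma 2 exhaustively for a small modulus, and runs Protocol 10 end to end. The toy parameters n = 8 and q = 12289, the ternary error distribution standing in for \(\chi \), and all function names are assumptions chosen for illustration and provide no security.

```python
import random

def round2(x, q):
    """Modular rounding on Z_{2q}: round(x/q) mod 2, for x in [0, 2q)."""
    return ((2 * x + q) // (2 * q)) % 2

def cross2(x, q):
    """Cross-rounding on Z_{2q}: floor(2x/q) mod 2, for x in [0, 2q)."""
    return ((2 * x) // q) % 2

def dbl(v, q, rng):
    """Randomized doubling Z_q -> Z_{2q}: 2v - e with P(e=0)=1/2, P(e=+-1)=1/4."""
    return (2 * v - rng.choice((-1, 0, 0, 1))) % (2 * q)

def rec(w, b, q):
    """Return 0 iff w lies in I_b + E (mod 2q), where E = [-q/4, q/4)."""
    k = q // 2                               # odd q: round(q/2) - 1 == floor(q/2)
    lo, hi = (0, k) if b == 0 else (-k, -1)  # end points of I_0 and I_1
    w %= 2 * q
    for cand in (w, w - 2 * q):              # both representatives in [-2q, 2q)
        if 4 * lo - q <= 4 * cand < 4 * hi + q:  # scaled by 4 to avoid fractions
            return 0
    return 1

def lemma2_holds(q):
    """Exhaustive check of Lemma 2 for a small odd q."""
    errs = [e for e in range(-q, q)
            if -q <= 4 * (2 * e - 1) and 4 * (2 * e + 1) < q]  # 2e +- 1 in E
    return all(rec(2 * w, cross2(vb, q), q) == round2(vb, q)
               for w in range(q) for e in errs for eb in (-1, 0, 1)
               for vb in [(2 * ((w + e) % q) - eb) % (2 * q)])

def poly_mul(f, g, q):
    """Multiply in Z_q[X]/(X^n + 1), i.e. negacyclic convolution."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            sign = 1 if i + j < n else -1    # X^n = -1 in this ring
            out[(i + j) % n] = (out[(i + j) % n] + sign * fi * gj) % q
    return out

def key_exchange(seed, n=8, q=12289):
    """Run Protocol 10 once with toy parameters; returns (k0, k1)."""
    rng = random.Random(seed)                # seeded toy RNG, not a CSPRNG
    chi = lambda: [rng.choice((-1, 0, 1)) for _ in range(n)]  # stand-in for chi
    add = lambda f, g: [(x + y) % q for x, y in zip(f, g)]
    a = [rng.randrange(q) for _ in range(n)]               # Setup
    s0, e0, s1, e1, e1p = chi(), chi(), chi(), chi(), chi()
    b0 = add(poly_mul(a, s0, q), e0)                       # Publish_1
    b1 = add(poly_mul(a, s1, q), e1)
    v = add(poly_mul(b0, s1, q), e1p)                      # Publish_2 (party 1)
    vbar = [dbl(x, q, rng) for x in v]
    c = [cross2(x, q) for x in vbar]
    k1 = [round2(x, q) for x in vbar]                      # KeyGen (party 1)
    w = poly_mul(b1, s0, q)                                # KeyGen (party 0)
    k0 = [rec(2 * x, b, q) for x, b in zip(w, c)]
    return k0, k1
```

With these toy parameters every coefficient of \(v - b_1s_0\) has absolute value at most 2n + 1 = 17, so the condition of Lemma 2 always holds and the two keys agree on every run. For q = 97, w = 0 and v = 30 the error is too large for Lemma 2, and `rec(0, cross2(60, 97), 97)` differs from `round2(60, 97)`.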

The protocol reduces to a decisional hardness problem that Bos et al. [1] dub the decision Diffie-Hellman-like (DDH-like) problem. We give a reformulation, which is equivalent, but fits the other security definitions in this paper.

Definition 10

(Decision Diffie-Hellman-like (DDH-like) problem). Let \(n,R,q,\chi \) be R-LWE key exchange parameters. Given a tuple sampled with probability 1/2 from one of the following two distributions:

  • \((\mathfrak {P},(b_0,(b_1,c)),k),\) where \(\mathfrak {P} = (\mathfrak {I},\chi ,a)\) for \(a\overset{R}{\leftarrow } R_q\), \(s_0,s_1,e_0,e_1,e'_1\overset{R}{\leftarrow } \chi \), \(b_i = as_i+e_i\) for \(i=0,1\), \(v = b_0s_1 + e'_1\), \(\overline{v}\overset{R}{\leftarrow } \mathtt {dbl}(v)\), \(c = \left\langle \overline{v}\right\rangle _{2q,2}\), and \(k = \left\lceil \overline{v}\right\rfloor _{2q,2}\),

  • \((\mathfrak {P},(b_0,(b_1,c)),k'),\) where \(\mathfrak {P} = (\mathfrak {I},\chi ,a)\) for \(a\overset{R}{\leftarrow } R_q\), \(s_0,s_1,e_0,e_1,e'_1\overset{R}{\leftarrow } \chi \), \(b_i = as_i+e_i\) for \(i=0,1\), \(v = b_0s_1 + e'_1\), \(\overline{v}\overset{R}{\leftarrow } \mathtt {dbl}(v)\), \(c = \left\langle \overline{v}\right\rangle _{2q,2}\), and \(k' \overset{R}{\leftarrow } \{0,1\}^n\),

determine from which distribution the tuple is sampled.

Theorem 11

(Hardness of DDH-like problem; [1], Theorem 1). Let q be an odd integer, let n be a parameter, R a polynomial ring, and \(\chi \) a distribution on \(R_q\). If the decision R-LWE problem for \(q,n,\chi \) is hard, then the DDH-like problem for \(q,n,\chi \) is also hard.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Hougaard, H.B., Miyaji, A. (2021). Group Key Exchange Compilers from Generic Key Exchanges. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science, vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_10

  • DOI: https://doi.org/10.1007/978-3-030-92708-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92707-3

  • Online ISBN: 978-3-030-92708-0

  • eBook Packages: Computer Science (R0)
