Flaw and amendment of a two-party authenticated key agreement protocol for post-quantum environments

https://doi.org/10.1016/j.jisa.2021.102889

Abstract

Recent advances in quantum computers challenge the security of key agreement protocols that are designed under the intractability assumptions of the discrete logarithm problem and the integer factorization problem. Hence, motivated to develop a key agreement protocol that is secure in the post-quantum era, Islam recently proposed a provably secure two-party authenticated key agreement (2PAKA) protocol. The protocol is based on the intractability assumption of the well-known Ring Learning With Errors (RLWE) problem. In this work, we show that Islam's two-party key agreement protocol is vulnerable to a modified version of the signal leakage attack (SLA), which we term the improved signal leakage attack (i-SLA) in this article. Using i-SLA, the attacker can successfully recover the long-term private key of the honest user by instantiating at most q key exchange sessions with the honest user using q malformed public keys. To overcome the attack, we provide a countermeasure that does not change the original design of the protocol.

Introduction

Recently, Islam [1] proposed a provably secure two-party authenticated key agreement (2PAKA) protocol for post-quantum environments. The protocol is designed under the intractability assumption of the popular Ring Learning With Errors (RLWE) problem [2]. Its security is proved in the Random Oracle Model (ROM), and it reuses the public/private keys of the two parties involved in the key exchange. Key reuse is an important feature that saves computation and communication overhead and is widely employed in the majority of TLS (Transport Layer Security) connections. Despite its overhead benefits, this feature creates a security issue for RLWE-based key agreement protocols when they are deployed in real-world scenarios.

Kirkwood et al. [3] were the first to reveal the vulnerability in RLWE-based key agreement protocols that reuse public/private key pairs. The work in [3] emphasizes that RLWE-based protocols which reuse public/private keys leak information about the recipient's private key, and that public-key validation is needed to counter this vulnerability. Although this work alerted cryptographers to the risk of reusing public/private keys in RLWE-based key agreement protocols, it does not give a concrete description of an attack that exploits the vulnerability. In 2016, Fluhrer [4] proposed the key mismatch attack against RLWE-based key agreement protocols that reuse public/private keys. The idea behind the attack is to derive information about the private key of the honest party from whether the final shared keys match or mismatch. However, the attack does not work against key agreement protocols where the final shared key is derived from the LSB (Least Significant Bits) of the approximately equal keys computed by both parties; for example, it does not work against the key agreement protocol of Ding et al. [5].

Taking ideas from the attacks discussed above, Ding et al. [6] in 2017 proposed the SLA (Signal Leakage Attack) against RLWE-based key agreement protocols that reuse the public/private key pair. In this attack, the attacker instantiates multiple sessions with the honest party and analyzes the output of the signal function to derive the private key of the honest party. The attack also works against schemes where the final shared key is derived from the LSB (Least Significant Bits) of the approximately equal keys computed by both parties; therefore, it works against the key agreement protocol of Ding et al. [5]. The complexity of the SLA for recovering the private key s of the honest party is 2q (where q is an odd prime number as described in notation Table 1).

In another work, Ding et al. [7] showed that the SLA can be mounted more efficiently with fewer queries. The authors in [7] observe that it is not necessary to vary the constant k in the adversary's malformed public key over the whole range from 0 to q−1 (as done in the original SLA [6]), since many iterations of k can be skipped. Thus, fewer queries are required to recover the private key s of the honest party. At most q+c queries are needed (where c is a constant and q is an odd prime number as described in notation Table 1), so the complexity of the SLA is reduced to q+c, compared with 2q for the original SLA. In Section 7 of [7], the authors consider two cases of the basic protocol of Ding et al. [5] to show how fewer queries can successfully recover the private key of the honest party. The first case is the simplified one, where the error term g_B is not added by the honest party when computing its shared key K_B. The adversary chooses its private key s_A to be 0, so its public key is a constant term, i.e. p_A = k. The second case is the complicated one, where the error term g_B is added by the honest party when computing its shared key K_B, and the adversary deviates slightly from the original protocol by choosing its error term e_A = 1 and its private key s_A according to the error distribution χ_β. Thus, the public key of the attacker has the form p_A = a·s_A + k, where a ∈ R_q (see notation Table 2). The authors show that the complexity of the attack is q/2+4 for the simplified case and q+c for the complicated case.
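To make concrete why a reused RLWE secret leaks through the signal function in the simplified case above (constant malformed public key p_A = k and no error term g_B), here is a toy coefficient-level simulation added for this page; it is not code from [1], [6] or [7]. The modulus, ring dimension, secret and deterministic signal function are constructed assumptions, and the simulation walks all q values of k rather than applying the query reduction of [7]; counting signal flips per coefficient recovers |s_B[i]|, which is the leakage that makes reusing a key against unvalidated peer public keys risky.

```python
"""Toy simulation of signal leakage under key reuse (simplified case:
attacker's public key is the constant k, honest party adds no error g_B).
All parameters below are constructed for illustration only."""
import random

Q = 97   # toy odd prime modulus (assumption; real schemes use a much larger q)
N = 8    # toy ring dimension (assumption)


def centered(x):
    """Lift x mod Q into the centred representative range (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def sig(x):
    """Deterministic signal: 0 inside the middle band |x| <= floor(Q/4), else 1."""
    return 0 if abs(centered(x)) <= Q // 4 else 1


def honest_party_signal(s_b, k):
    """Per-coefficient signal the honest party publishes when it computes
    K_B = p_A * s_B with p_A = k (a constant in R_q scales every coefficient)."""
    return [sig(k * c) for c in s_b]


def count_flips(bits):
    """Number of 0->1 and 1->0 transitions along a sequence of signal bits."""
    return sum(bits[i] != bits[i - 1] for i in range(1, len(bits)))


def recover_magnitudes(query):
    """Open one session per k = 0..Q-1 and count flips per coefficient.
    For |s_B[i]| <= Q//4 the count is exactly 2*|s_B[i]| (sign stays unknown)."""
    signals = [query(k) for k in range(Q)]
    n = len(signals[0])
    flips = [count_flips([w[i] for w in signals]) for i in range(n)]
    return [f // 2 for f in flips]


def sample_secret(bound=3, seed=1):
    """Constructed small-coefficient secret standing in for s_B sampled from chi_beta."""
    rng = random.Random(seed)
    return [rng.randint(-bound, bound) for _ in range(N)]


if __name__ == "__main__":
    s_b = sample_secret()
    leaked = recover_magnitudes(lambda k: honest_party_signal(s_b, k))
    print("true  |s_B|:", [abs(c) for c in s_b])
    print("leaked |s_B|:", leaked)
```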

Our contributions: For the rest of this article we refer to the modified version of the SLA with reduced query complexity [7] as the improved signal leakage attack (i-SLA). In this work, we show that Islam's [1] key agreement protocol (2PAKA) is vulnerable to the improved signal leakage attack (i-SLA) [7]. We show that using i-SLA, the attacker can successfully recover the reused secret of the honest party by instantiating at most q key exchange sessions with the honest party using q malformed public keys, which are authenticated by the Certificate Authority (CA). Finally, we give a countermeasure to defend the protocol against this attack.

Cryptanalysis of Islam’s [1] two-party authenticated key agreement protocol (2PAKA)

This section is reserved for the cryptanalysis of Islam's [1] two-party authenticated key agreement (2PAKA) protocol. The general notations and the notations of Islam's protocol are summarized in Table 1 and Table 2 respectively. The complete key agreement protocol of Islam is given in Table 3. As discussed above, Islam's [1] key agreement protocol (2PAKA) is vulnerable to the improved signal leakage attack (i-SLA) [7]. Hence, we will now describe the method to exploit Islam's [1] key

Countermeasure

In this section, we provide a countermeasure to improve Islam's two-party authenticated key agreement protocol (2PAKA) so that it resists the improved signal leakage attack (i-SLA). The cause of both the SLA and its modified version i-SLA is that an active adversary (acting as one of the parties in the key exchange) deviates from the protocol and generates its public key in a way that recovers the long-term (or reused) secret key of the honest party. Thus, to resist this attack there is need of

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Vivek Dabra received the Master degree in information security from Thapar Institute of Engineering & Technology in 2016. He is currently pursuing Ph.D. in Computer Science & Engineering Department (CSED) of Thapar Institute of Engineering & Technology. His research interests are cryptography, post quantum cryptography (specifically lattice-based cryptography) and cloud security.

Dr. Anju Bala is working as an Associate Professor in the Department of Computer Science and Engineering, TIET, Patiala, India. She has more than 20 years of experience in teaching and research. She received her BE in Computer Science and Engineering from SLIET and M Tech from Punjabi University and PhD in the research area of Cloud Computing and Big data from TIET. She has more than 80 research publications in reputed Journals and Conferences and guided more than 40 ME thesis in the same area and guided Ph.D. students in the same area.

Saru Kumari is currently an Assistant Professor with the Department of Mathematics, Chaudhary Charan Singh University, Meerut, Uttar Pradesh, India. She received her Ph.D. degree in Mathematics in 2012 from the same University. She has published more than 220 research papers in reputed International journals and conferences, including 200 publications in SCI-Indexed Journals. She is on the Editorial Board of more than a dozen of International Journals of high repute including SCI-Journals under Elsevier, Springer, Wiley, etc. She served as lead/Guest Editor of four Special Issues in SCI Journals of Elsevier, Springer and Wiley. She has been on the Advisory Committee and Technical Program Committee for many International conferences. Her current research interests include information security and applied cryptography.