In this work, we propose a new type of attack, referred to as the small field attack (SFA), against the one-pass protocol $\Pi_1$ and the deniable encryption scheme derived from it. With SFA, a malicious user can efficiently recover the static private key of an honest victim user in $\Pi_1$ with overwhelming probability. The attack is realistic and powerful in practice, in the sense that it is almost impossible for the honest user to prevent, or even detect, it. In addition, we develop a new property of the CRT basis of $R_q$, which is essential for the small field attack and may be of independent interest.
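As an added illustration (not code from the paper, and not its attack), the following Python shows the standard CRT structure of $R_q = \mathbb{Z}_q[x]/(x^n+1)$ that the abstract refers to. The toy parameters $n=4$, $q=17$ are an assumption chosen here for readability, not the paper's parameters; they satisfy $q \equiv 1 \pmod{2n}$, so $x^n+1$ splits into $n$ distinct linear factors over $\mathbb{Z}_q$ and evaluation at the roots gives the isomorphism $R_q \cong \mathbb{Z}_q^n$. The block builds the CRT basis elements $c_i$ (the Lagrange idempotents with $c_i(\zeta_j)=\delta_{ij}$), checks that they are orthogonal idempotents summing to $1$, and shows that ring multiplication becomes coordinatewise multiplication in CRT coordinates.

```python
# Added example: the CRT basis of R_q = Z_q[x]/(x^N + 1) for a toy parameter set.
# N = 4, q = 17 are assumptions for illustration only (q ≡ 1 mod 2N, so x^N + 1
# splits completely over Z_q).  Not the paper's parameters or code.

N, Q = 4, 17


def poly_mul_mod(a, b):
    """Multiply two elements of R_q given as coefficient lists of length N."""
    res = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % Q
    # Reduce modulo x^N + 1 using x^N ≡ -1.
    for k in range(N, 2 * N):
        res[k - N] = (res[k - N] - res[k]) % Q
    return res[:N]


def roots_of_unity():
    """All r in Z_q with r^N ≡ -1, i.e. the roots of x^N + 1 (primitive 2N-th roots of unity)."""
    return [r for r in range(1, Q) if pow(r, N, Q) == Q - 1]


def evaluate(a, r):
    """Evaluate the polynomial a at the point r in Z_q."""
    return sum(c * pow(r, i, Q) for i, c in enumerate(a)) % Q


def crt(a):
    """CRT map R_q -> Z_q^N: a ↦ (a(ζ_1), ..., a(ζ_N))."""
    return [evaluate(a, r) for r in roots_of_unity()]


def crt_basis():
    """The CRT basis c_1..c_N of R_q with c_i(ζ_j) = 1 if i == j else 0.

    c_i(x) = ∏_{j≠i} (x - ζ_j) / (ζ_i - ζ_j)  (Lagrange idempotents).  Each
    product has degree N-1 < N, so no reduction by x^N + 1 is needed.
    """
    rs = roots_of_unity()
    basis = []
    for i, ri in enumerate(rs):
        c = [1] + [0] * (N - 1)
        for j, rj in enumerate(rs):
            if j == i:
                continue
            inv = pow((ri - rj) % Q, -1, Q)          # modular inverse (Python 3.8+)
            lin = [(-rj * inv) % Q, inv] + [0] * (N - 2)  # (x - ζ_j) / (ζ_i - ζ_j)
            c = poly_mul_mod(c, lin)
        basis.append(c)
    return basis


def inv_crt(vals):
    """Inverse CRT: a = Σ_i vals_i · c_i, so that a(ζ_i) = vals_i."""
    a = [0] * N
    for v, c in zip(vals, crt_basis()):
        for k in range(N):
            a[k] = (a[k] + v * c[k]) % Q
    return a


def basis_is_orthogonal_idempotent():
    """Check c_i * c_j = δ_ij c_i and Σ c_i = 1 in R_q."""
    basis = crt_basis()
    zero = [0] * N
    one = [1] + [0] * (N - 1)
    for i, ci in enumerate(basis):
        for j, cj in enumerate(basis):
            expected = ci if i == j else zero
            if poly_mul_mod(ci, cj) != expected:
                return False
    total = [sum(c[k] for c in basis) % Q for k in range(N)]
    return total == one


def mul_is_pointwise_in_crt(a, b):
    """Check that CRT(a * b) equals the coordinatewise product CRT(a) ⊙ CRT(b)."""
    lhs = crt(poly_mul_mod(a, b))
    rhs = [(x * y) % Q for x, y in zip(crt(a), crt(b))]
    return lhs == rhs


if __name__ == "__main__":
    print("roots of x^N+1 mod q:", roots_of_unity())
    print("CRT basis:", crt_basis())
    print("orthogonal idempotents summing to 1:", basis_is_orthogonal_idempotent())
    print("multiplication is pointwise in CRT coordinates:",
          mul_is_pointwise_in_crt([1, 2, 3, 4], [5, 0, 7, 1]))
```

In CRT coordinates each element of $R_q$ is a vector of $n$ independent elements of the field $\mathbb{Z}_q$, and each basis element $c_i$ is a zero divisor that projects onto a single coordinate; this is the structure the abstract's "CRT basis of $R_q$" refers to, and the reason an adversary can reason about one "small field" component at a time.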
We then revisit the security proof of the two-pass protocol $\Pi_2$. We identify and discuss a gap at Claim 16 in [ZZDS14], and we do not know how to fix it; the gap traces back to some critical differences between the security proof of HMQV and that of its RLWE-based analogue.

Category / Keywords: small field attack, authenticated key exchange, ring-LWE, ideal lattice, CRT basis
Original Publication (with minor differences): PQCrypto 2017, to appear
Date: received 16 Sep 2016, last revised 18 Apr 2017
Contact author: ylzhao at fudan edu cn
Version: 20170418:171323
Short URL: ia.cr/2016/913