Paper 2023/1401
On the Multi-User Security of LWE-based NIKE
Abstract
Non-interactive key exchange (NIKE) schemes like the Diffie-Hellman key exchange are a widespread building block in several cryptographic protocols. Since the Diffie-Hellman key exchange is not post-quantum secure, it is important to investigate post-quantum alternatives. We analyze the security of the LWE-based NIKE by Ding et al. (ePrint 2012) and Peikert (PQCrypt 2014) in a multi-user setting where the same public key is used to generate shared keys with multiple other users. The Diffie-Hellman key exchange achieves this security notion. The mentioned LWE-based NIKE scheme comes with an inherent correctness error (Guo et al., PKC 2020), and this has significant implications for the multi-user security, necessitating a closer examination. Single-user security generically implies multi-user security when all users generate their keys honestly for NIKE schemes with negligible correctness error. However, the LWE-based NIKE requires a super-polynomial modulus to achieve a negligible correctness error, which makes the scheme less efficient. We show that - generically, single-user security does not imply multi-user security when the correctness error is non-negligible, but despite this - the LWE-based NIKE with polynomial modulus is multi-user secure for honest users when the number of users is fixed in advance. This result takes advantage of the leakage-resilience properties of LWE. We then turn to a stronger model of multi-user security that allows adversarially generated public keys. For this model, we consider a variant of the LWE-based NIKE where each public key is equipped with a NIZKPoK of the secret key. Adding NIZKPoKs is a standard technique for this stronger model and Hesse et al. (Crypto 2018) showed that this is sufficient to achieve security in the stronger multi-user security model for perfectly correct NIKEs (which the LWE-based NIKE is not). We show that - for certain parameters that include all parameters with polynomial modulus, the LWE-based NIKE can be efficiently attacked with adversarially generated public keys, despite the use of NIZKPoKs, but - for suitable parameters (that require a super-polynomial modulus), this security notion is achieved by the LWE-based NIKE with NIZKPoKs. This stronger security notion has been previously achieved for LWE-based NIKE only in the QROM, while all our results are in the standard model.
Note: - Added Section 3.2 and more details on the usage of the left-over hash Lemma. I would like to thank Phillip Gajland for making me aware that the assumption in Equation (2) is problematic for some settings. - Added a missing d′ factor to the correctness and security bounds of the result in Section 3. - Removed the ring expansion factor. Since this work only considers the canonical embedding, it is not needed. - Fixed some typos.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- A major revision of an IACR publication in TCC 2023
- DOI
- 10.1007/978-3-031-48624-1_2
- Keywords
- non-interactive key exchangelearning with errors
- Contact author(s)
- roman langrehr @ inf ethz ch
- History
- 2024-11-05: revised
- 2023-09-18: received
- See all versions
- Short URL
- https://ia.cr/2023/1401
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1401, author = {Roman Langrehr}, title = {On the Multi-User Security of {LWE}-based {NIKE}}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/1401}, year = {2023}, doi = {10.1007/978-3-031-48624-1_2}, url = {https://eprint.iacr.org/2023/1401} }