Paper 2023/1401

On the Multi-User Security of LWE-based NIKE

Roman Langrehr, ETH Zurich
Abstract

Non-interactive key exchange (NIKE) schemes like the Diffie-Hellman key exchange are a widespread building block in several cryptographic protocols. Since the Diffie-Hellman key exchange is not post-quantum secure, it is important to investigate post-quantum alternatives. We analyze the security of the LWE-based NIKE by Ding et al. (ePrint 2012) and Peikert (PQCrypt 2014) in a multi-user setting where the same public key is used to generate shared keys with multiple other users. The Diffie-Hellman key exchange achieves this security notion. The mentioned LWE-based NIKE scheme comes with an inherent correctness error (Guo et al., PKC 2020), and this has significant implications for the multi-user security, necessitating a closer examination. Single-user security generically implies multi-user security when all users generate their keys honestly for NIKE schemes with negligible correctness error. However, the LWE-based NIKE requires a super-polynomial modulus to achieve a negligible correctness error, which makes the scheme less efficient. We show that - generically, single-user security does not imply multi-user security when the correctness error is non-negligible, but despite this - the LWE-based NIKE with polynomial modulus is multi-user secure for honest users when the number of users is fixed in advance. This result takes advantage of the leakage-resilience properties of LWE. We then turn to a stronger model of multi-user security that allows adversarially generated public keys. For this model, we consider a variant of the LWE-based NIKE where each public key is equipped with a NIZKPoK of the secret key. Adding NIZKPoKs is a standard technique for this stronger model and Hesse et al. (Crypto 2018) showed that this is sufficient to achieve security in the stronger multi-user security model for perfectly correct NIKEs (which the LWE-based NIKE is not). We show that - for certain parameters that include all parameters with polynomial modulus, the LWE-based NIKE can be efficiently attacked with adversarially generated public keys, despite the use of NIZKPoKs, but - for suitable parameters (that require a super-polynomial modulus), this security notion is achieved by the LWE-based NIKE with NIZKPoKs. This stronger security notion has been previously achieved for LWE-based NIKE only in the QROM, while all our results are in the standard model.

Note: - Added Section 3.2 and more details on the usage of the left-over hash Lemma. I would like to thank Phillip Gajland for making me aware that the assumption in Equation (2) is problematic for some settings. - Added a missing d′ factor to the correctness and security bounds of the result in Section 3. - Removed the ring expansion factor. Since this work only considers the canonical embedding, it is not needed. - Fixed some typos.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in TCC 2023
DOI
10.1007/978-3-031-48624-1_2
Keywords
non-interactive key exchangelearning with errors
Contact author(s)
roman langrehr @ inf ethz ch
History
2024-11-05: revised
2023-09-18: received
See all versions
Short URL
https://ia.cr/2023/1401
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1401,
      author = {Roman Langrehr},
      title = {On the Multi-User Security of {LWE}-based {NIKE}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1401},
      year = {2023},
      doi = {10.1007/978-3-031-48624-1_2},
      url = {https://eprint.iacr.org/2023/1401}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.