Paper 2023/324

LATKE: An identity-binding PAKE from lattice assumptions

Abstract

In a recent work, Cremers, Naor, Paz, and Ronen (CRYPTO '22) point out the problem of catastrophic impersonation in balanced password authenticated key exchange protocols (PAKEs). Namely, in a balanced PAKE, when a single party is compromised, the attacker learns the password and can subsequently impersonate anyone to anyone using the same password. The authors of the work present two solutions to this issue: CHIP, an identity-binding PAKE (iPAKE), and CRISP, a strong identity-binding PAKE (siPAKE). These constructions prevent the impersonation attack by generating a secret key on setup that is inextricably tied to the party's identity, and then deleting the password. Thus, upon compromise, all an attacker can immediately do is impersonate the victim. The strong variant goes further, preventing attackers from performing any precomputation before the compromise occurs. In this work we present LATKE, an iPAKE from lattice assumptions in the random oracle model. In order to achieve security and correctness, we must make changes to CHIP's primitives, security models, and protocol structure.

Note: We discovered an error in the composition of the two primary components of the LATKE construction, yielding a significant key recovery attack. We have added a disclaimer on the first page of this version explaining the error. This shortcoming will be fixed in a future version of this paper.