Limits on the Efficiency of Ring LWE-based Key Exchange

Slide Note
Embed
Share

This study explores the limitations of Ring LWE-based key exchange protocols and their impact on non-interactive key exchange mechanisms. It discusses the LWE assumption, noise distribution, and the practical implications of small moduli q and noise-to-modulus ratio r. Additionally, it delves into Post-Quantum Cryptography standardization efforts, including quantum-resistant cryptosystems like lattice-based, code-based, multivariate, and hash-based signatures.


Uploaded on Sep 18, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Limits on the Efficiency of (Ring) LWE based Non-Interactive Key Exchange Siyao Guo NUY Shanghai Pritish Kamath TTIC Alon Rosen IDC Herzliya Katerina Sotiraki MIT

  2. KEY-EXCHANGE [Diffie-Hellman 76]

  3. KEY-EXCHANGE [Diffie-Hellman 76]

  4. KEY-EXCHANGE [Diffie-Hellman 76]

  5. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism.

  6. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism. Many quantum-resistant cryptosystems: lattice-based, code-based, multivariate, hash-based signatures, etc.

  7. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism. Many quantum-resistant cryptosystems: lattice-based, code-based, multivariate, hash-based signatures, etc.

  8. LWE ASSUMPTION [Regev 05]

  9. LWE ASSUMPTION noise distribution e.g. discrete Gaussian or bounded uniform

  10. LWE ASSUMPTION

  11. LWE ASSUMPTION LWE assumption:

  12. LWE ASSUMPTION LWE assumption: Modulus q: Small q improves practical performance. Fewer constructions known from small q.

  13. LWE ASSUMPTION LWE assumption: Noise-to-modulus ratio r: Intuitively, how large the noise is compared to the modulus q. Large r gives better theoretical guarantees. Fewer constructions known from large r.

  14. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation

  15. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation

  16. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation Introduced by Ding, Xie and Lin [DXL 12], and Peikert [P 14]

  17. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation Introduced by Ding, Xie and Lin [DXL 12], and Peikert [P 14] Our main focus

  18. LWE-BASED KEY EXCHANGE

  19. LWE-BASED KEY EXCHANGE

  20. LWE-BASED KEY EXCHANGE

  21. LWE-BASED KEY EXCHANGE

  22. LWE-BASED KEY EXCHANGE

  23. LWE-BASED KEY EXCHANGE Approximate Common Key: x1TAx2

  24. EXISTING PROPOSALS extra information Existing proposals [DingXieLui 12], [Peikert 14] add extra communication.

  25. EXISTING PROPOSALS extra information Is this interaction inherent?

  26. LWE-BASED KEY EXCHANGE

  27. LWE-BASED KEY EXCHANGE If noise1 and noise2 are very small compared to q, interaction is not necessary.

  28. LWE-BASED KEY EXCHANGE If noise1 and noise2 are very small compared to q, interaction is not necessary.

  29. LWE-BASED KEY EXCHANGE If we have small noise-to-modulus ratio, interaction is not necessary.

  30. LWE-BASED KEY EXCHANGE In practice, q needs to be small. The typical size of q is 213 and there are proposals that even use q = 257 [LLJ + 17]. Small noise-to-modulus ratio results in worse theoretical security guarantees.

  31. LWE-BASED KEY EXCHANGE In practice, q needs to be small. The typical size of q is 213 and there are proposals that even use q = 257 [LLJ + 17]. Small noise-to-modulus ratio results in worse theoretical security guarantees. Is it possible to have non-interactive LWE-based key exchange when q is small?

  32. OUR RESULTS Natural ideas for achieving non-interactive key agreement do not work.

  33. OUR RESULTS

  34. OUR RESULTS

  35. OUR RESULTS

  36. OUR RESULTS

  37. OUR RESULTS Parties exchange LWE-samples and then run locally a reconciliation function.

  38. OUR RESULTS Natural choices of reconciliation functions cannot achieve agreement.

  39. IMPOSSIBILITY 1 Approximate Common Key: x1TAx2 If noise-to-modulus ratio r is large, then rounding gives agreement with probability < 1 1/q.

  40. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  41. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  42. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  43. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  44. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  45. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  46. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition? Impossible to amplify the agreement probability by repetition

  47. IMPOSSIBILITY 1 Impossible to amplify the agreement probability by repetition Captured by the problem of Non-interactive Agreement Distillation in Information Theory.

  48. MAXIMAL CORRELATION Maximal correlation almostcaptures the best agreement probability that the players can get even with an infinite number of samples!

  49. MAXIMAL CORRELATION Maximal correlation almostcaptures the best agreement probability that the players can get even with an infinite number of samples! If maximal correlation is bounded away from 1, then repetition does not help!

  50. IMPOSSIBILITY 1 Has very special form: Cayley distribution Known how to compute maximal correlation for Cayley distribution [Lov sz 75]

Related


More Related Content