Speech Errors, Phonotactic Constraints, and Implicit Learning: A
Talk A Simple Secure Key Scheme Based on the Learning with ... … · Exchange Scheme Based on the...
Transcript of Talk A Simple Secure Key Scheme Based on the Learning with ... … · Exchange Scheme Based on the...
NIST PQC Talk
A Simple Provably Secure (Authenticated) Key Exchange Scheme Based on the Learning with
Errors Problem
Jintai Ding
April. 3, 2015 Joint work with O. Dagdelen, X. Lin, X. Xie, J. Zhang, Z. Zhang
Key Transport from Encryption versus Key Exchange?
. Alice Uses Bob’s public key to encrypt a random string and sends the ciphertext to Bob. Bob decrypts it and get the random string.
. In practice, public key encryption is only used to transmit random keys. (The key is only determined by one party)
. Using PKE can not guarantee forward security. . If the attacker gets the secret key, then he will learn every
communication made before.
2 / 32
...
. Get a shared secret key in an insecure channel.
What’s Key Exchange
3 / 32
. Get a shared secret key in an insecure channel.
What’s Key Exchange
. . .
3 / 32
What’s Key Exchange
. . .
. Get a shared secret key in an insecure channel.
3 / 32
(gb)a (ga)b
. Using gab = (gb)a = (ga)b.
The Elegant Diffie-Hellman Protocol
ag
bg
4 / 32
The Elegant Diffie-Hellman Protocol
gb
ga
(gb)a (ga)b
. Using gab = (gb)a = (ga)b .
4 / 32
Other similar attempts?
. Can we get a DH analogy from other mathematical structures?
Many failed attempts to build new DH like protocols.
. Braid group and other finite groups
. Other nonlinear maps?MR1501252, Ritt, J. F. Permutable rational functions. Trans. Amer.Math. Soc. 25 (1923), no. 3, 399-448. 30D05
Mathemtical structure behind
Motivation:
. Can we get a DH analogy from other mathematical tools?
. The case of Diffie-Hellmann:
(g a)b = (g b)a = g ab
The commutativity of nonlinear operators.
5 / 32
Mathemtical structure behind
Motivation:
. Can we get a DH analogy from other mathematical tools?
. The case of Diffie-Hellmann:
abb)a(g a)b = (g = g
The commutativity of nonlinear operators.
Other similar attempts?
. Can we get a DH analogy from other mathematical structures?
Many failed attempts to build new DH like protocols.
. Braid group and other finite groups
. Other nonlinear maps? MR1501252, Ritt, J. F. Permutable rational functions. Trans. Amer. Math. Soc. 25 (1923), no. 3, 399-448. 30D05
5 / 32
Mathemtical structure behind
Motivation: Linear case?
. (A × B) × C = A × (B × C)
. To make it secure, we need to add ”errors”.
. We need to be able to remove ”errors”.
6 / 32
Our Results:
. An Efficient (2-round) key exchange protocol from LWE and RLWE.
. A new way to deal with approximate key exhange
. Extend to multi-party key exchange (without security proof).
Motivation and Results
Motivation:
. Can we get a DH analogy from other mathematical tools?
. Can we get KE from lattices (say, LWE, which is apparently resistant to quantum attacks)?
. If so, we will get better efficiency and better security guarantees.
7 / 32
Motivation and Results
Motivation:
. Can we get a DH analogy from other mathematical tools?
. Can we get KE from lattices (say, LWE, which is apparently resistant to quantum attacks)?
. If so, we will get better efficiency and better security guarantees.
Our Results:
. An Efficient (2-round) key exchange protocol from LWE and RLWE.
. A new way to deal with approximate key exhange
. Extend to multi-party key exchange (without security proof ).
7 / 32
Lattices
Given m linear independent vectors B = [b1, ..., bm] ∈ Rn×m . A lattice L(B) consists of the integer combinations of bi’s.
mr L(B) = { zi · bi : zi ∈ Z}.
i=1
8 / 32
. γ = 1; just the SVP problem.
. γ is constant (independent of n); γ-SVP is NP-hard.
. γ ≥ 2n; γ-SVP can be solved in polynomial time (LLL algorithm).
. γ = poly(n); probably not NP-hard, but we do not have polynomialtime algorithms (This is what we use in cryptography).
Hard Problem
γ-SVP(Shortest Vector Problem)
Given a n-dimensional lattice L(B), find a non-zero lattice vector v, such that lvl ≤ γ · λ.
9 / 32
Hard Problem
γ-SVP(Shortest Vector Problem)
Given a n-dimensional lattice L(B), find a non-zero lattice vector v, such that lvl ≤ γ · λ.
. γ = 1; just the SVP problem.
. γ is constant (independent of n); γ-SVP is NP-hard.
. γ ≥ 2n; γ-SVP can be solved in polynomial time (LLL algorithm).
. γ = poly(n); probably not NP-hard, but we do not have polynomial time algorithms (This is what we use in cryptography).
9 / 32
Learning with Errors (LWE) [Oded Regev 2005]
Goal: distinguishing “noisy inner products” from uniform.
a1 ← Zn q ;
a2 ← Zn q ;
am ← Zn q ;
. . .
b1 = (a1, s) + e1 mod q b2 = (a2, s) + e2 mod q
bm = (am, s) + em mod q
a1 ← Zn q ;
a2 ← Zn q ;
am ← Zn q ;
. . .
b1 ← Zq
b2 ← Zq
bm ← Zq
In a matrix form (A, As + e) ≈c (A, b)
Where s ← Zn , m = poly(n), q = poly(n) and ei ← χ is some q distribution in Z. ei has small size, much smaller than q.
10 / 32
Theorem (Informal)[Reg’05]
Let χ be a discrete Gaussian distribution with parameter 0 < α < 1, s.t. αq ≥ 2
√ n. If there exists a polynomial time algorithm solves LWE
problem, then there exists a quantum algorithm solves (n/α)-SVP problems for all n-dimension lattices.
. s ← χn is as hard as standard LWE (s ← Zn q ) [ACPS’09].
11 / 32
Notations
q−1 . We always consider Zq for prime q, and Zq = [− q−1 , ].2 2
. We always consider the LWE problem with s ← χ, i.e. s is much smaller than q.
12 / 32
sTApB pTAsB≈
. sTApB = sTAMT sB + 2sTAeB ≈ sTAM
T sB + 2eTAsB = pTAsB .
. note that sA, sB , eA, eB are “small”.
. the difference between sTApB and pTAsB is even
Our Protocol (basic idea)
Public Parameter: M ← Znq ×n
pA = MsA + 2eA
pB = MT sB + 2eB
13 / 32
≈
Our Protocol (basic idea)
Public Parameter: M ← Znq ×n
pA = MsA + 2eA
pB = MT sB + 2eB
T TsApB pAsB
T T MT T T MT T T . sApB = s sB + 2sAeB ≈ s sB + 2eAsB = pAsB .A A
. note that sA, sB , eA, eB are “small”. T T . the difference between sApB and pAsB is even
13 / 32
Our Protocol (basic idea)
Public Parameter: M ← Znq ×n
pA = MsA + 2eA
pB = MT sB + 2eB
T TsApB ≈ pAsB
T T MT T T MT T T . sApB = s sB + 2sAeB ≈ s sB + 2eAsB = pAsB .A A
. note that sA, sB , eA, eB are “small”. T T . the difference between sApB and pAsB is even
13 / 32
Robust Extractors
Intuitively, a robust extractor enables to two parties to extract identical information from two close elements with some additional hint.
Definition (Robust Extractors)
An algorithm E is a robust extractor on Zq with error tolerance δ with respect to a hint algorithm S, if the following holds:
. The deterministic algorithm E: for x ∈ Zq and σ ∈ {0, 1}, output k = E(x, σ) ∈ {0, 1}.
. The hint algorithm S: for y ∈ Zq, output σ ← S(y) ∈ {0, 1}.
. For any x, y ∈ Zq such that x − y is even and |x − y| ≤ δ, then E(x, σ) = E(y, σ), where σ ← S(y).
. If y $← Zq and σ ← S(y), then E(y, σ) is uniform conditioned on σ.
Note that the errors of x, y in the definition can be set to be multiple of t, where t is a small integer.
14 / 32
Our Robust Extractor
We first define two functions: for q > 2 is prime σ0(x) =
0, 1,
x ∈ [−l q J, l q
otherwise. 44 J];
; σ1(x) =0, 1,
44x ∈ [−l q J+ 1, l q
otherwise. J+ 1];
The hint algorithm S(y): b← {0, 1}, S (y) = σb(y).
The robust extractor E(x, σ): q − 1 E(x, σ) = x + σ · mod q mod 2
2
$
15 / 32
For any x, y ∈ Zq, and x− y � 2ε, with |2ε| ≤ q4 − 2.
Let σ ← S(y), we have
|y + σ · q − 1
2mod q| ≤ q
4+ 1.
Therefore,
x+σ· q − 1
2mod q = y+σ· q − 1
2+2ε mod q = (y+σ· q − 1
2) mod q+2ε,
this implies
E(x, σ) = x+ σ · q − 1
2mod q mod 2
= y + σ · q − 1
2mod q mod 2 = E(y, σ)
Lemma
Let q > 8 be an odd integer, E is a robust extractor with respect to S with error tolerance q
4 − 2.
16 / 32
Lemma
Let q > 8 be an odd integer, E is a robust extractor with respect to S with error tolerance q
4 − 2.
For any x, y ∈ Zq , and x − y � 2ε, with |2ε| ≤ q − 2.4 Let σ ← S(y), we have
q − 1 q|y + σ · mod q| ≤ + 1. 2 4
Therefore,
q − 1 q − 1 q − 1 x+σ· mod q = y+σ· +2ε mod q = (y+σ· ) mod q+2ε,
2 2 2
this implies
q − 1 E(x, σ) = x + σ · mod q mod 2
2 q − 1
= y + σ · mod q mod 2 = E(y, σ)2
16 / 32
. A outputs E(sTApB , σ)
. B outputs E(pTAsB , σ)
Removing the Approximation
Public Parameter: M ← Znq ×n
pA
TpB , σ ← S(pAsB )
A B
17 / 32
Removing the Approximation
Public Parameter: M ← Znq ×n
pB , σ ← S(pT AsB )
pA
A B
T . A outputs E(sApB , σ) T . B outputs E(pAsB , σ)
17 / 32
KA −KB = 2(sTAeB − eTAsB)
If |2(sTAeB − eTAsB)| ≤q4 − 2, then we have
E(KA, σ) = E(KB , σ)
It is easy to check that the shared key is
sTAMT sB + σ · q − 1
2mod q mod 2.
Correctness
T . A has: sA and σ ← S(pAsB ); B has: sB . T T . Let KA = sApB and KB = pAsB .
18 / 32
If |2(sTAeB − eTAsB)| ≤q4 − 2, then we have
E(KA, σ) = E(KB , σ)
It is easy to check that the shared key is
sTAMT sB + σ · q − 1
2mod q mod 2.
Correctness
T . A has: sA and σ ← S(pAsB ); B has: sB . T T . Let KA = sApB and KB = pAsB .
T TKA − KB = 2(sAeB − eAsB )
18 / 32
It is easy to check that the shared key is
sTAMT sB + σ · q − 1
2mod q mod 2.
Correctness
T . A has: sA and σ ← S(pAsB ); B has: sB . T T . Let KA = sApB and KB = pAsB .
T TKA − KB = 2(sAeB − eAsB )
T TIf |2(sAeB − eAsB )| ≤ q − 2, then we have 4
E(KA, σ) = E(KB , σ)
18 / 32
Correctness
T . A has: sA and σ ← S(pAsB ); B has: sB . T T . Let KA = sApB and KB = pAsB .
T TKA − KB = 2(sAeB − eAsB )
T TIf |2(sAeB − eAsB )| ≤ q − 2, then we have 4
E(KA, σ) = E(KB , σ)
It is easy to check that the shared key is
q − 1T sAMT sB + σ · mod q mod 2.
2
18 / 32
Security
. We slightly change the protocol to prove the passive security based on LWE.
T T . We set KA = sApB + 2eA mod q and KB = pA · sB + 2eB mod q.
. The proof is given from a series of hybrid experiments.
. Note that (A, As + 2e mod q) ≈c (A, b) for odd q.
19 / 32
Replace pA with uniform random one from Znq (LWE assumption).
Since pA is uniform, we replace pB and KB with uniform ones (LWEassumption).Note that σ can always be computed.Now use the uniform property of robust extractors: E(KB , σ) is uniform,conditioned on σ.
Proof Intuition
pB
pA = MsA + 2eA
= MT sB + 2eB , σ = S(KB )
TKB = pAsB + 2eB
20 / 32
Since pA is uniform, we replace pB and KB with uniform ones (LWEassumption).Note that σ can always be computed.Now use the uniform property of robust extractors: E(KB , σ) is uniform,conditioned on σ.
Proof Intuition
pB
$pA ← Zn
q
= MT sB + 2eB , σ = S(KB )
TKB = pAsB + 2eB
Replace pA with uniform random one from Zn (LWE assumption). q
20 / 32
Note that σ can always be computed.Now use the uniform property of robust extractors: E(KB , σ) is uniform,conditioned on σ.
Proof Intuition
pB $← Zn
q , σ = S(KB)
pA $← Zn
q
KB $← Zq
Replace pA with uniform random one from Zn (LWE assumption). q Since pA is uniform, we replace pB and KB with uniform ones (LWE assumption).
20 / 32
Now use the uniform property of robust extractors: E(KB , σ) is uniform,conditioned on σ.
Proof Intuition
pB $← Zn
q , σ = S(KB)
pA $← Zn
q
KB $← Zq
Replace pA with uniform random one from Zn (LWE assumption). q Since pA is uniform, we replace pB and KB with uniform ones (LWE assumption). Note that σ can always be computed.
20 / 32
Proof Intuition
pB $← Zn
q , σ = S(KB)
pA $← Zn
q
KB $← Zq
Replace pA with uniform random one from Zn (LWE assumption). q Since pA is uniform, we replace pB and KB with uniform ones (LWE assumption). Note that σ can always be computed. Now use the uniform property of robust extractors: E(KB , σ) is uniform, conditioned on σ.
20 / 32
Extend to RLWE
Ring Learning with Errors (RLWE) [LPR’10]: Let R = Z[x]/(xn + 1) and Rq = Zq[x]/(x
n + 1), n = 2k for k ∈ Z+ .
Goal: distinguishing “noisy ring products” from uniform.
a1 ← Rq; a2 ← Rq;
am ← Rq;
. . .
b1 = a · s + e1 ∈ Rq
b2 = a2 · s + e2 ∈ Rq
bm = am · s + em ∈ Rq
a1 ← Rq; a2 ← Rq;
am ← Rq;
. . .
b1 ← Rq
b2 ← Rq
bm ← Rq
s ← Rq and ei ← χ is some distribution on R and leil is “small”.
21 / 32
Key Exchange from RLWE Public Parameter: m ← Rq
pB = msB + 2eB , Oσ ← S(pAsB )
pA = msA + 2eA
A B
n−1 n−1 . Oσb(a = aiXi ∈ Rq) = σb(ai)X
i ∈ R2.i=0 i=0
$. S(a) : b ← {0, 1}, S (a) = Oσb(a).
. A outputs E(sApB , Oσ).
. B outputs E(sB pA, Oσ).
. The shared secret key is (sAmsB + q−1 Oσ mod q) mod 2 ∈ R2.2
22 / 32
pA = msA + 2eA
pB = msB + 2eB
p�B = pAsB + 2e�B
pC = msC + 2eC
p�C = pBsC + 2e�C
p�A = pCsA + 2e�A, Oσ ← S(sAp�C)
Multi-party Key Exchange Public Parameter m ← Rq
C
A B
23 / 32
pB = msB + 2eB
p�B = pAsB + 2e�B
pC = msC + 2eC
p�C = pBsC + 2e�C
p�A = pCsA + 2e�A, Oσ ← S(sAp�C)
Multi-party Key Exchange Public Parameter m ← Rq
C
A
pA = msA + 2eA
B
23 / 32
pC = msC + 2eC
p�C = pBsC + 2e�C
p�A = pCsA + 2e�A, Oσ ← S(sAp�C)
Multi-party Key Exchange Public Parameter m ← Rq
C
= msB + 2eBpB �p = pAsB + 2e� B B
A
pA = msA + 2eA
B
23 / 32
� � �
p�A = pCsA + 2e�A, Oσ ← S(sAp�C)
Multi-party Key Exchange Public Parameter m ← Rq
C
pB = msB + 2eBpC = msC + 2eC
= pB sC + 2e � = pAsB + 2ep pC C B B
A
pA = msA + 2eA
B
23 / 32
� � �
� �
Multi-party Key Exchange Public Parameter m ← Rq
C
pB = msB + 2eBpC = msC + 2eC
= pB sC + 2e � = pAsB + 2ep pC C B B
A p� A
pA = msA + 2eA
= pC sA + 2eA, Oσ ← S(sApC ) B
23 / 32
�
�
�
. A outputs E(sAp , Oσ)C
. B outputs E(sB p , Oσ)A
. C outputs E(sC p , Oσ)B
q−1 . The shared key is (sAsB sC m + Oσ mod q) mod 2 ∈ R2.2
24 / 32
. The correctness is similar to the previous protocols.
. The security proof involves some “circular” problem, we leave it as an open problem.
25 / 32
. This scheme is secure under passive attacks, but how about man-in-the-middle attacks?
. In this case, we need an autenticated KE. Traditionally, we use digital signature. Can we do without digital signature?
. We can build an authenticated key exchange (AKE) protocol, which can be seen as an HMQV-like AKE from lattices.
. The protocol is simple since it does not involve any other cryptographic primitives to achieve authentication (e.g., signatures) and the system is also very efficient.
Eurocrypt 2015
26 / 32
xi = ari + 2fi ∈ Rq
where ri, fi ←r χβ
xi
yj = arj + 2fj ∈ Rq
kj = (pic+ xi)(sjd+ rj) + 2gjwhere rj , fj , gj ←r χβ
wj = Cha(kj) ∈ {0, 1}nσj = Mod2(kj , wj) ∈ {0, 1}nskj = H2(i, j, xi, yj , wj , σj)
yj , wj
c = H1(i, j, xi) ∈ R, d = H1(j, i, yj , xi) ∈ R
27 / 32
AKE from ring-LWE
Party i
Public Key: pi = asi + 2ei ∈ Rq
Secret Key: si ∈ Rq
where si, ei ←r χα
Party j
Public Key: pj = asj + 2ej ∈ Rq
Secret Key: sj ∈ Rq
where sj , ej ←r χα
yj = arj + 2fj ∈ Rq
kj = (pic+ xi)(sjd+ rj) + 2gjwhere rj , fj , gj ←r χβ
wj = Cha(kj) ∈ {0, 1}nσj = Mod2(kj , wj) ∈ {0, 1}nskj = H2(i, j, xi, yj , wj , σj)
yj , wj
c = H1(i, j, xi) ∈ R, d = H1(j, i, yj , xi) ∈ R
27 / 32
AKE from ring-LWE
Party i Party j
Public Key: pi = asi + 2ei ∈ Rq
Secret Key: si ∈ Rq
where si, ei ←r χα
Public Key: pj = asj + 2ej ∈ Rq
Secret Key: sj ∈ Rq
where sj , ej ←r χα
xi = ari + 2fi ∈ Rq
where ri, fi ←r χβ
xi
AKE from ring-LWE
Party i
Public Key: pi = asi + 2ei ∈ Rq
Secret Key: si ∈ Rq
where si, ei ←r χα
xi = ari + 2fi ∈ Rq
where ri, fi ←r χβ
xi
yj , wj
Party j
Public Key: pj = asj + 2ej ∈ Rq
Secret Key: sj ∈ Rq
where sj , ej ←r χα
yj = arj + 2fj ∈ Rq
kj = (pic + xi)(sj d + rj ) + 2gj where rj , fj , gj ←r χβ wj = Cha(kj ) ∈ {0, 1}n
σj = Mod2(kj , wj ) ∈ {0, 1}n
skj = H2(i, j, xi, yj , wj , σj )
c = H1(i, j, xi) ∈ R, d = H1(j, i, yj , xi) ∈ R
27 / 32
AKE from ring-LWE
Party i Party j
Public Key: pi = asi + 2ei ∈ Rq Public Key: pj = asj + 2ej ∈ Rq
Secret Key: si ∈ Rq Secret Key: sj ∈ Rq
where si, ei ←r χα where sj , ej ←r χα
xi = ari + 2fi ∈ Rq xi
yj = arj + 2fj ∈ Rqwhere ri, fi ←r χβ kj = (pic + xi)(sj d + rj ) + 2gj
yj , wj where rj , fj , gj ←r χβ ki = (pj d + yj )(sic + ri) + 2gi wj = Cha(kj ) ∈ {0, 1}n
where gi ←r χβ σj = Mod2(kj , wj ) ∈ {0, 1}n
σi = Mod2(ki, wj ) ∈ {0, 1}n skj = H2(i, j, xi, yj , wj , σj ) ski = H2(i, j, xi, yj , wj , σi)
c = H1(i, j, xi) ∈ R, d = H1(j, i, yj , xi) ∈ R
27 / 32
2 We can prove the forward security of the system
3 We did preliminary implementation and it is very efficient.
4 Parameters for implementation:
Parameters n Security (expt.) α γ log βα
log q (bits)
I∗ 1024 80 bits 3.397 101.919 8.5 40
II 2048 80 bits 3.397 161.371 27 78
III 2048 128 bits 3.397 161.371 19 63
IV 4096 128 bits 3.397 256.495 50 125
V 4096 192 bits 3.397 256.495 36 97
VI 4096 256 bits 3.397 256.495 28 81
AKE from ring-LWE
Intuition for Security: 1 We can prove the security of the system
28 / 32
3 We did preliminary implementation and it is very efficient.
4 Parameters for implementation:
Parameters n Security (expt.) α γ log βα
log q (bits)
I∗ 1024 80 bits 3.397 101.919 8.5 40
II 2048 80 bits 3.397 161.371 27 78
III 2048 128 bits 3.397 161.371 19 63
IV 4096 128 bits 3.397 256.495 50 125
V 4096 192 bits 3.397 256.495 36 97
VI 4096 256 bits 3.397 256.495 28 81
AKE from ring-LWE
Intuition for Security: 1
2
We can prove the security of the system
We can prove the forward security of the system
28 / 32
4 Parameters for implementation:
Parameters n Security (expt.) α γ log βα
log q (bits)
I∗ 1024 80 bits 3.397 101.919 8.5 40
II 2048 80 bits 3.397 161.371 27 78
III 2048 128 bits 3.397 161.371 19 63
IV 4096 128 bits 3.397 256.495 50 125
V 4096 192 bits 3.397 256.495 36 97
VI 4096 256 bits 3.397 256.495 28 81
AKE from ring-LWE
Intuition for Security: 1 We can prove the security of the system 2 We can prove the forward security of the system 3 We did preliminary implementation and it is very efficient.
28 / 32
AKE from ring-LWE
We can prove the security of the system
We can prove the forward security of the system
We did preliminary implementation and it is very efficient.
Parameters for implementation:
Intuition for Security: 1
2
3
4
Parameters I ∗
II III IV V VI
n 1024 2048 2048 4096 4096 4096
Security (expt.) 80 bits 80 bits 128 bits 128 bits 192 bits 256 bits
α 3.397 3.397 3.397 3.397 3.397 3.397
γ 101.919 161.371 161.371 256.495 256.495 256.495
log β α
8.5 27 19 50 36 28
log q (bits) 40 78 63 125 97 81
28 / 32
AKE from ring-LWE
Communication Overheads:
Choice of Size (KB) Parameters pk sk (expt.) init. msg resp. msg
I ∗ 5 KB 0.75 KB 5 KB 5.125 KB II 19.5 KB 1.5 KB 19.5 KB 19.75 KB III 15.75 KB 1.5 KB 15.75 KB 16 KB IV 62.5 KB 3 KB 62.5 KB 63 KB V 48.5 KB 3 KB 48.5 KB 49 KB VI 40.5 KB 3 KB 40.5 KB 41 KB
The bound 6α with erfc(6) ≈ 2−55 is used to estimate the size of secret keys.
29 / 32
AKE from ring-LWE
Timings:
Parameters Initiation Response Finish I 3.22 ms (0.02 ms) 8.50 ms (4.69 ms) 5.23 ms (4.73 ms) II 12.00 ms (0.04 ms) 29.33 ms (14.64 ms) 17.28 ms (14.61 ms) III 10.33 ms (0.04 ms) 25.83 ms (13.46 ms) 15.58 ms (13.40 ms) IV 83.61 ms (0.08 ms) 156.58 ms (39.86 ms) 73.11 ms (39.73 ms) V 61.74 ms (0.08 ms) 117.81 ms (32.58 ms) 55.64 ms (32.20 ms) VI 25.42 ms (0.08 ms) 62.31 ms (31.32 ms) 36.80 ms (31.29 ms)
Table: Timings of Proof-of-Concept Implementations in ms (The figures in the parentheses indicate the timings with pre-computing. For comparison, by simply using the “speed” command in openssl on the same machine, the timing for dsa1024 signing algorithm is about 0.7 ms, and for dsa2048 is about 2.3 ms).
We believe our systems are very suitable for practical applications and they have very strong security.
30 / 32
Summary
. We build KE and AKE based on LWE and RLWE.
. They are provably secure against both classical and quantum attacks.
. We can prove the Forward Security of the AKE.
. Our preliminary implementations are very efficient.
. Our KE and AKE are strong candidates for quantum-safe crypto.
31 / 32
Thank You!