Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices

Authors

  • Jonathan Katz
  • Vinod Vaikuntanathan
Abstract

We describe a public-key encryption scheme based on lattices — specifically, based on the hardness of the learning with errors (LWE) problem — that is secure against chosen-ciphertext attacks while admitting (a variant of) smooth projective hashing. This encryption scheme suffices to construct a protocol for password-based authenticated key exchange (PAKE) that can be proven secure based on the LWE assumption in the standard model. We thus obtain the first PAKE protocol whose security relies on a lattice-based assumption.

1 Password-Based Authenticated Key Exchange

Protocols for password-based authenticated key exchange (PAKE) enable two users to generate a common, cryptographically-strong key based on an initial, low-entropy, shared secret (i.e., a password). The difficulty in this setting is to prevent off-line dictionary attacks where an adversary exhaustively enumerates potential passwords on its own, attempting to match the correct password to observed protocol executions. Roughly, a PAKE protocol is “secure” if off-line attacks are of no use and the best attack is an on-line dictionary attack where an adversary must actively try to impersonate an honest party using each possible password. On-line attacks of this sort are inherent in the model of password-based authentication; more importantly, they can be detected by the server as failed login attempts and (at least partially) defended against.

Due to the widespread use of passwords, a significant amount of research has focused on designing PAKE protocols. Early work [13] (see also [14]) considered a “hybrid” model where users share public keys in addition to a password. In the more challenging “password-only” setting clients and servers are required to share only a password. Bellovin and Merritt [4] initiated research in this direction, and presented a PAKE protocol with heuristic arguments for its security. It was not until several years later that formal models for PAKE were developed [3, 5, 11], and provably secure PAKE protocols were shown in the random oracle/ideal cipher models [3, 5, 18].

* Work done while visiting IBM. Research supported by NSF grants #0627306 and #0716651, and NSF CAREER award #0447075.

Goldreich and Lindell [11] constructed the first PAKE protocol without random oracles, and their approach remains the only one for the plain model where there is no additional setup. Unfortunately, their protocol is inefficient in terms of communication, computation, and round complexity. (Nguyen and Vadhan [19] show efficiency improvements, but achieve a weaker notion of security. In any case, their protocol is similarly impractical.) The Goldreich-Lindell protocol also does not tolerate concurrent executions by the same party.

Katz, Ostrovsky, and Yung [17] demonstrated the first efficient PAKE protocol with a proof of security in the standard model; extensions and improvements of this protocol were given in [9, 6, 16, 8]. In contrast to the work of Goldreich and Lindell, these protocols are secure even under concurrent executions by the same party. On the other hand, these protocols all require a common reference string (CRS). While this may be less appealing than the “plain model,” reliance on a CRS does not appear to be a serious drawback in the context of PAKE since the CRS can be hard-coded into the protocol implementation. A different PAKE protocol in the CRS model is given by Jiang and Gong [15].

PAKE based on lattices? Cryptographic primitives based on lattices are appealing because of known worst-case/average-case connections between lattice problems, as well as because several lattice problems are currently immune to quantum attacks. Also, the best-known algorithms for several lattice problems require exponential time (in contrast to sub-exponential algorithms for, e.g., factoring). None of the existing PAKE constructions (in either the random oracle or standard models), however, can be instantiated with lattice-based assumptions.

The barrier to constructing a lattice-based PAKE protocol using the KOY/GL approach [17, 9] is that this approach requires a CCA-secure encryption scheme (more generally, a non-malleable commitment scheme) with an associated smooth projective hash system [7, 9]. (See Section 2.) Until recently, the existence of CCA-secure encryption schemes based on lattices (even ignoring the additional requirement of smooth projective hashing) was open. Peikert and Waters [22] gave the first constructions of CCA-secure encryption based on lattices, but the schemes they propose are not readily amenable to the smooth projective hashing requirement. Subsequent constructions [24, 20, 12] do not immediately support smooth projective hashing either.


Similar resources

A New Ring-Based SPHF and PAKE Protocol On Ideal Lattices

Smooth Projective Hash Functions (SPHFs), as a specific pattern of zero-knowledge proof system, are fundamental tools to build many efficient cryptographic schemes and protocols. As an application of SPHFs, the Password-Based Authenticated Key Exchange (PAKE) protocol has been a well-studied area in the last few years. In 2009, Katz and Vaikuntanathan described the first lattice-based ...


Distributed Smooth Projective Hashing and its Application to Two-Server PAKE

Smooth projective hash functions have been used as a building block for various cryptographic applications, in particular for password-based authentication. In this work we propose the extended concept of distributed smooth projective hash functions where the computation of the hash value is distributed across n parties and show how to instantiate the underlying approach for languages consisting ...


Two-Round PAKE from Approximate SPH and Instantiations from Lattices

Password-based authenticated key exchange (PAKE) enables two users with shared low-entropy passwords to establish cryptographically strong session keys over insecure networks. At Asiacrypt 2009, Katz and Vaikuntanathan showed a generic three-round PAKE based on any CCA-secure PKE with associated approximate smooth projective hashing (ASPH), which helps to obtain the first PAKE from lattices. In...


Certificate-based Smooth Projective Hashing and Its Applications

Smooth projective hashing was first introduced by Cramer and Shoup (EuroCrypt’02) as a tool to construct efficient chosen-ciphertext-secure public key encryption schemes. Since then, it has found many other applications, such as password-based authenticated key exchange, oblivious transfer, zero-knowledge arguments, etc. Certificate-based encryption (CBE) not only eliminates third-party q...


Trapdoor Smooth Projective Hash Functions

Katz and Vaikuntanathan recently improved smooth projective hash functions in order to build one-round password-authenticated key exchange protocols (PAKE). To achieve security in the UC framework they allowed the simulator to extract the hashing key, which required simulation-sound non-interactive zero-knowledge proofs that are unfortunately inefficient. We improve the way the latter extractabili...



Publication date: 2009