Cryptanalysis of RLWE-based one-pass authenticated key exchange


Abstract

Authenticated key exchange (AKE) plays a fundamental role in modern cryptography. Up to now, the HMQV protocol family is among the most efficient provably secure AKE protocols, and it has been widely standardized and deployed. Given recent advances in quantum computing, it would be desirable to develop a lattice-based analogue of HMQV for the possible upcoming post-quantum era. Towards this goal, a family of AKE schemes from ideal lattices was recently proposed at Eurocrypt 2015 [ZZD+15], which can be seen as an HMQV analogue based on the ring-LWE (RLWE) problem. It consists of a two-pass variant Π2 and a one-pass variant Π1. As a supplement to its security analysis, we propose an efficient attack against Π1, referred to as the small field attack (SFA) since it fully exploits the algebraic structure of the ring Rq in RLWE. The SFA attack can efficiently recover the static private key of the victim party in Π1, provided adversaries are allowed to register their own public keys. Such an assumption is reasonable in practice, but may not be allowed in the security model of Π1 [ZZD+15]. We also show that it is hard for the victim party to even detect the attack in practice.

Citation (APA)

Gong, B., & Zhao, Y. (2017). Cryptanalysis of RLWE-based one-pass authenticated key exchange. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10346 LNCS, pp. 163–183). Springer Verlag. https://doi.org/10.1007/978-3-319-59879-6_10
