后量子前向安全的可组合认证密钥交换方案

A Composable Authentication Key Exchange Scheme with Post-Quantum Forward Secrecy

随着后量子时代的逼近,网络通信安全要求会话密钥具有针对量子计算攻击的前向安全性,而后量子的公钥基础设施尚未建立,采用现有公钥密钥系统与后量子密钥交换相结合的混合密码系统势在必行.以DHKE-like(Diffie-Hellman key exchange-like)协议为基础,结合签密方案,提出一种通用可组合的认证密钥交换(authentication key exchange,AKE)方案——GC-AKE.GC-AKE的基本思路是采用签密方案对DHKE-like中的临时公钥进行签密,实现实体的相互认证和密钥协商.采用签密机制的主要目的是为了实现GC-AKE方案的完美前向安全性,这要求签密机制满足强不可伪造性.提出一种基于椭圆曲线密码的基于身份签密方案,结合基于环上误差学习问题的DHKE-like协议,提出一种GC-AKE方案实例.定义了能模拟完美前向安全性的wAKE-PFS模型.在wAKE-PFS模型下,GC-AKE方案的安全性被规约为求解DDH-like(decision Diffie-Hellman-like)问题,以及破解基于身份签密的选择密文安全性(indistinguishability against chosen ciphertext attacks,IND-CCA)和强不可伪造性(strong existentially unforgeable under adaptive chosen messages attacks,SEUF-CMA).分析表明:GC-AKE方案实例的计算和通信开销都相对较低,同时实现了会话密钥的完美前向安全性及后量子的前向安全性.

As the post-quantum era approaches,a new security requirement in network communica-tions is forward security against quantum computing attacks.However,the post-quantum public key infrastructure has not been established,and it is imperative to construct a hybrid cryptosystem that consists of traditional public key cryptosystems and post-quantum key exchange protocols.Aimed at this need,a generic and combinable authentication key exchange scheme,named GC-AKE,is proposed.The GC-AKE protocol is a combination of two ciphersuites,which are signcryption scheme and Diffie-Hellman key exchange-like(DHKE-like)protocol,respectively.In GC-AKE,mutual authentication can be realized by using the signcryption scheme to signcrypt the temporary public key in DHKE-like,and session key establishment relies on the DHKE-like protocol.The signcryptions with strong unforgeability ensure that the GC-AKE scheme achieves perfect forward security.An instance of the GC-AKE is proposed.It combines a post-quantum DHKE-like protocol with an identity-based signcryption scheme that is put forward in this paper based on elliptic curve cryptography.The identity-based signcryption scheme is proved to achieve indistinguishability against chosen ciphertext attacks(IND-CCA)and strong existentially unforgeable under adaptive chosen messages attacks(SEUF-CMA).Furthermore,a security model,wAKE-PFS,which can simulate perfect forward security,is defined.Under the wAKE-PFS model,the security of the GC-AKE scheme is reduced to solving DDH-like(decision Diffie-Hellman-like)problems,as well as cracking the security of identity-based signcryption scheme.The analysis shows that the GC-AKE scheme instance achieves perfect forward security,and its computation and communication overheads are relatively low.Meanwhile,the DHKE-like protocol from the ring learning with errors problem(Ring-LWE)provides forward secrecy against future quantum attackers.