International Association for Cryptologic Research

International Association
for Cryptologic Research


Lattice-based Authenticated Key Exchange with Tight Security

Jiaxin Pan , NTNU
Benedikt Wagner , CISPA Helmholtz Center for Information Security and Saarland University
Runzhi Zeng , NTNU
DOI: 10.1007/978-3-031-38554-4_20 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2023
Abstract: We construct the first tightly secure authenticated key exchange (AKE) protocol from lattices. Known tight constructions are all based on Diffie-Hellman-like assumptions. Thus, our protocol is the first construction with tight security from a post-quantum assumption. Our AKE protocol is constructed tightly from a new security notion for key encapsulation mechanisms (KEMs), called one-way security against checkable chosen-ciphertext attacks (OW-ChCCA). We show how an OW-ChCCA secure KEM can be tightly constructed based on the Learning With Errors assumption, leading to the desired AKE protocol. To show the usefulness of OW-ChCCA security beyond AKE, we use it to construct the first tightly bilateral selective-opening (BiSO) secure PKE. BiSO security is a stronger selective-opening notion proposed by Lai et al. (ASIACRYPT 2021).
  title={Lattice-based Authenticated Key Exchange with Tight Security},
  author={Jiaxin Pan and Benedikt Wagner and Runzhi Zeng},