分野別セミナー

In this lecture, we present practical and provably secure (authenticated) key exchange protocols over (ideal) lattices, which is conceptually simple and has similarities to the Diffie-Hellman and the related protocols such as HMQV. Our method does not involve other cryptographic primitives — in particular, it does not use signatures for the authenticated version — which simplifies the protocol and enables us to base the security directly on the hardness of the (ring) learning with errors problem. The security is proven in the Bellare-Rogaway model with weak perfect forward secrecy in the random oracle model for the authenticated version. Several concrete choices of parameters are provided, and a proof-of-concept implementation shows that our protocols are indeed practical.