Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange

Authenticated key exchange (AKE) plays a fundamental role in modern cryptography. Up to now, the HMQV protocol family is among the most efficient provably secure AKE protocols, which has been widely standardized and in use. Given recent advances in quantum computing, it would be desirable to develop lattice-based analogue of HMQV for the possible upcoming post-quantum era. Towards this goal, a family of AKE schemes from ideal lattice was recently proposed at Eurocrypt 2015 [Z ZD+15], which could be seen as an HMQV-analogue based on the ring-LWE (RLWE) problem. It consists a two-pass variant Pi(2) and a one-pass variant Pi(1). As a supplement to its security analysis, we propose an efficient attack against Pi(1), which is referred to as the small field attack (SFA) since it fully utilizes the algebraic structure of the ring R-q in RLWE. The SFA attack can efficiently recover the static private key of the victim party in Pi(1), provided adversaries are allowed to register their own public keys. Such an assumption is reasonable in practice, but may not be allowed in the security model of Pi(1) [ZZD+15]. We also show that it is hard for the victim party to even detect the attack in practice.