this is for holding javascript data
Scott Fluhrer edited untitled.tex
over 8 years ago
Commit id: ff82c5104e8ced111ad88df9e14bfdbfaac5179f
deletions | additions
diff --git a/untitled.tex b/untitled.tex
index 9b29757..ec3312f 100644
--- a/untitled.tex
+++ b/untitled.tex
...
\section{Abstract}
This paper shows how several ring-LWE based key exchange protocols can be broken, under the assumption that the same key share is used for multiple exchanges. This indicates that, if these key exchange protocols are used, then it will be necessary for a fresh key share be generated for each exchange, and that these key exchange protocols cannot be used as a drop in replacement
for protocols which
uses use Diffie-Hellman static key shares.
\section{Introduction}
Key agreement protocols are one of the oldest public key protocols known, dating back to the Diffie-Hellman protocol\cite{Diffie_1976}. In a key agreement protocol, each side selects private values, and exchange public values (key shares); in most such protocols, each side sends a single message. Then, both side do computations based on their private values and the other side's public key shares, and derive the same secret value. The security goal is that someone just listening into the exchanged public key shares would find it infeasible to derive that secret value.
...
\subsection{Basic Oracle Query}
To make a query, Eve mostly follows the protocol; she selects small $s', e'$ values (albeit not randomly), she computes $v'$, and generates the error-reconcilation vector $c$ honestly, except for one location.
She deliberately selects $s', e'$ so that coefficient 0 of Alice's computation of $us$ is near 0; for coefficient 0, Eve sets it so that the values in $[0, p/2]$ are mapped to 0, while values in $[p/2, p-1]$ are mapped to 1.
As Eve is able to compute correctly all the other bits of the shared secret (as she is performing the rest of the protocol honestly), this gives her a way to test the sign of that one intermediate value.
...