Key-reusable dynamic group key exchange from lattice with quantum rsistance

Abstract

Recently, several key reuse attacks against Ding Key Exchange, NewHope and other lattice-based key exchange schemes using Peikert's key reconciliation mechanism were suggested. But all known key reuse attacks are designed for two-party setting instead of group key exchange. On the other hand, all previous known lattice-based group key exchanges are designed for static setting. This paper is organized in three folds. We present the first key reuse attack called {one, two}-neighbour attack against lattice-based group key exchanges, namely Ding $et$ $al$.'s group key exchange scheme in 2012 and Apon $et$ $al$.'s group key exchange scheme from PQCrypto 2019. We consider that the adversary manipulates {one or two} neighbour parties $P_{N-2}$ (and $P_{N-3}$ for two-neighbour attack) of the last party $P_{N-1}$ to recover the secret key of the last party $P_{N-1}$ among $N$ parties. We also suggest several constructions of dynamic group key exchange protocols that could be instantiated by lattice. As a countermeasure of our attack, we design the first key-reusable group key exchange based on {lattice}. where GKE protocol $\Pi_\textsf{GKE}$ is {key-reusable} if the protocol participants of $\Pi_\textsf{GKE}$ can re-use their public key. By adopting existing pasteurization technique for two-party key exchange from lattice, our protocol becomes resistant to known key reuse attacks. We give a rigorous proof of our protocol in the random oracle model. Our underlying dynamic group key exchange protocol is the modification of Dutta-Barua protocol in RLWE setting.