Publication:
A New Password-Authenticated Module Learning With Rounding-Based Key Exchange Protocol: SABER.PAKE

Abstract

In this paper, a new lattice-based password-authenticated key exchange protocol (PAKE) is proposed for the post-quantum era. The constructed Saber.PAKE is designed as a PAKE version of Saber (D'Anvers, in: International conference on cryptology in Africa, Springer, Cham, 2018), one of the finalist key encapsulation mechanisms of the National Institute of Standards and Technology's post-quantum secure standardization process. It is designed as a three-pass protocol and follows an explicit authentication approach. The hardness assumption is based on the module learning with rounding (MLWR) problem. To obtain a post-quantum secure lattice-based PAKE, the password-authenticated key exchange (PAK) design idea (MacKenzie, in: A submission to the IEEE P1363 Working Group, 2002) is adapted to MLWR. To the best of our knowledge, Saber.PAKE is the first PAKE protocol based on (ring/module) learning with rounding ((R/M)LWR) problems. By considering the reconciliation bounds, the correctness analysis of Saber.PAKE is presented. The robustness against dictionary and common attacks is examined in the random oracle model. The proposed PAKE also provides perfect forward secrecy and mutual authentication. The experimental results show that it has the smallest CPU cycle count, message size, and runtime relative to the other lattice-based PAKE protocols.

Description: Seyhan, Kübra/0000-0002-0902-1903

WoS Q: Q2

Scopus Q: Q2

Source: Journal of Supercomputing

Volume: 79

Issue: 16

Start Page: 17859

End Page: 17896
