coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial

Browse Source
This commit is contained in:
Cole Leavitt
2026-01-07 11:40:09 -07:00
parent 44e60097e3
commit 9be4bcaf7d
4 changed files with 1222 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
SECURITY_PROOF.md
View File

@@ -1,6 +1,7 @@
# UC Security Proof for Lattice-Based OPAQUE
This document provides a formal security proof for the opaque-lattice implementation in the Universal Composability (UC) framework.
This document provides a formal security proof for the opaque-lattice implementation in the Universal Composability (UC)
framework.
## Table of Contents
@@ -19,6 +20,7 @@ This document provides a formal security proof for the opaque-lattice implementa
### 1.1 Protocol Summary
opaque-lattice implements a post-quantum secure OPAQUE protocol using:
- **Ring-LPR OPRF**: Oblivious PRF based on Ring Learning Parity with Rounding
- **ML-KEM (Kyber768)**: Key encapsulation for authenticated key exchange
- **ML-DSA (Dilithium3)**: Digital signatures for server authentication
@@ -26,19 +28,21 @@ opaque-lattice implements a post-quantum secure OPAQUE protocol using:
### 1.2 Security Goals
We prove the protocol realizes the ideal functionality F_aPAKE (asymmetric Password-Authenticated Key Exchange) with the following properties:
We prove the protocol realizes the ideal functionality F_aPAKE (asymmetric Password-Authenticated Key Exchange) with the
following properties:
| Property | Description |
|----------|-------------|
| **Password Obliviousness** | Server learns nothing about password during OPRF |
| **Forward Secrecy** | Compromise of long-term keys doesn't reveal past session keys |
| Property | Description |
|----------------------------------|------------------------------------------------------------------|
| **Password Obliviousness** | Server learns nothing about password during OPRF |
| **Forward Secrecy** | Compromise of long-term keys doesn't reveal past session keys |
| **Server Compromise Resistance** | Attacker cannot offline-attack passwords after server compromise |
| **Quantum Resistance** | Security holds against quantum adversaries |
| **Verifiability** | Client can verify server used consistent OPRF key |
| **Quantum Resistance** | Security holds against quantum adversaries |
| **Verifiability** | Client can verify server used consistent OPRF key |
### 1.3 Security Model
We work in the UC framework of Canetti [Can01] with:
- **Global Random Oracle Model (GROM)**: Hash functions H₁, H₂, H₃ modeled as random oracles
- **Adaptive Corruptions**: Adversary can corrupt parties at any point
- **Static Compromise**: Adversary learns all internal state upon corruption
@@ -49,32 +53,37 @@ We work in the UC framework of Canetti [Can01] with:
### 2.1 Notation
| Symbol | Meaning |
|--------|---------|
| λ | Security parameter (128 bits) |
| R | Ring Z[x]/(x^n + 1) where n = 256 |
| R_q | Ring R modulo q (q = 4 in our construction) |
| ⌊·⌋₁ | Deterministic rounding: ⌊x⌋₁ = ⌊x/2⌋ mod 2 |
| k ←$ S | Sample k uniformly from set S |
| negl(λ) | Negligible function in λ |
| poly(λ) | Polynomial function in λ |
| Symbol | Meaning |
|---------|---------------------------------------------|
| λ | Security parameter (128 bits) |
| R | Ring Z[x]/(x^n + 1) where n = 256 |
| R_q | Ring R modulo q (q = 4 in our construction) |
| ⌊·⌋₁ | Deterministic rounding: ⌊x⌋₁ = ⌊x/2⌋ mod 2 |
| k ←$ S | Sample k uniformly from set S |
| negl(λ) | Negligible function in λ |
| poly(λ) | Polynomial function in λ |
### 2.2 Computational Assumptions
**Definition 2.1 (Ring-LPR Problem)**
For a ∈ R₂, s ∈ R₂, the Ring Learning Parity with Rounding problem states that:
```
(a, ⌊a·s mod 4⌋₁) ≈_c (a, ⌊u⌋₁)
```
where u ←$ R₄ is uniform random.
**Definition 2.2 (Dihedral Coset Problem)**
Given quantum states encoding cosets of a hidden subgroup in the dihedral group D_n, find the hidden subgroup generator. Time complexity: O(e^n) even for quantum computers.
Given quantum states encoding cosets of a hidden subgroup in the dihedral group D_n, find the hidden subgroup generator.
Time complexity: O(e^n) even for quantum computers.
**Theorem 2.1 (Security Reduction Chain)**
```
Ring-LPR → LPR → LWR → G-EDCP → DCP
```
Each reduction is polynomial-time. The DCP problem is believed quantum-hard with time complexity O(e^n).
**Definition 2.3 (ML-KEM Security)**
@@ -86,18 +95,23 @@ ML-DSA (Dilithium3) is EUF-CMA secure under the Module-LWE and Module-SIS assump
### 2.3 Building Blocks
**PRF Construction (Ring-LPR)**
```
F_k(x) = H₂(⌊k · H₁(x) mod 4⌋₁)
```
where:
- H₁: {0,1}* → R₂ (hash-to-ring)
- H₂: R₁ → {0,1}^512 (ring-to-output hash)
- k ∈ R₂ (secret key)
**Key Commitment**
```
Commit(k; r) = H₃(k || r)
```
where r ←$ {0,1}^256 is randomness.
---
@@ -368,6 +382,7 @@ Login Simulation (Corrupted Client):
**Theorem 6.1 (UC Security)**
The opaque-lattice protocol UC-realizes F_aPAKE in the (F_VOPRF, F_RO)-hybrid model, assuming:
1. Ring-LPR is pseudorandom (Definition 2.1)
2. ML-KEM is IND-CCA2 secure
3. ML-DSA is EUF-CMA secure
@@ -375,10 +390,12 @@ The opaque-lattice protocol UC-realizes F_aPAKE in the (F_VOPRF, F_RO)-hybrid mo
5. HKDF is a secure PRF
The advantage of any PPT adversary A in distinguishing real from ideal execution is:
```
Adv(A) ≤ q_pwd · Adv_LPR + q_KEM · Adv_IND-CCA + q_SIG · Adv_EUF-CMA
+ q_AEAD · Adv_AEAD + q_sessions · negl(λ)
```
where q_* denotes the number of respective queries.
### 6.2 Proof by Game Sequence
@@ -388,10 +405,12 @@ The real execution of opaque-lattice with adversary A.
**Game 1 (Random Oracle Instrumentation)**
Replace hash functions H₁, H₂, H₃ with random oracles maintained by simulator.
- Indistinguishable by random oracle assumption
**Game 2 (OPRF Simulation)**
Replace real OPRF evaluations with queries to F_VOPRF.
- For honest server: outputs are random (Ring-LPR pseudorandomness)
- For corrupted server: extract key, compute real evaluation
@@ -399,6 +418,7 @@ Replace real OPRF evaluations with queries to F_VOPRF.
**Game 3 (KEM Simulation)**
Replace KEM encapsulation with F_KEM ideal functionality.
- Honest parties: shared secret is random
- Corrupted parties: extract/inject values
@@ -406,6 +426,7 @@ Replace KEM encapsulation with F_KEM ideal functionality.
**Game 4 (Signature Simulation)**
Replace signatures with F_SIG ideal functionality.
- Verify signatures using committed public key
- Reject any forgeries
@@ -413,6 +434,7 @@ Replace signatures with F_SIG ideal functionality.
**Game 5 (Envelope Simulation)**
Replace AEAD with ideal encryption.
- Envelope contents are hidden until rw is known
- Tampering detected by INT-CTXT
@@ -420,6 +442,7 @@ Replace AEAD with ideal encryption.
**Game 6 (Password Test Restriction)**
Enforce that adversary must make explicit TestPwd query to F_aPAKE.
- Each online session allows at most one password test
- Offline dictionary attack requires OPRF evaluation
@@ -427,6 +450,7 @@ Enforce that adversary must make explicit TestPwd query to F_aPAKE.
**Game 7 (Ideal Execution)**
Execute with F_aPAKE and simulator SIM.
- Session keys are random unless compromised
- Password never revealed to honest parties
@@ -435,9 +459,11 @@ Execute with F_aPAKE and simulator SIM.
### 6.3 Verifiability Proof
**Theorem 6.2 (VOPRF Soundness)**
For any PPT adversary A, the probability that A produces a valid proof π for an evaluation y = F_k(x) where k differs from the committed key is negligible.
For any PPT adversary A, the probability that A produces a valid proof π for an evaluation y = F_k(x) where k differs
from the committed key is negligible.
*Proof Sketch:*
1. By binding property of commitment: A cannot open to different k
2. By soundness of sigma protocol: A cannot forge proofs
3. By Fiat-Shamir security: Non-interactive proofs are sound in ROM
@@ -446,6 +472,7 @@ For any PPT adversary A, the probability that A produces a valid proof π for an
The sigma protocol proof reveals nothing about k beyond the validity of the statement.
*Proof Sketch:*
1. Construct simulator S that generates accepting proofs without k
2. S samples response z uniformly, computes mask m = z - e·k_dummy
3. By rejection sampling analysis: real and simulated distributions are statistically close
@@ -457,38 +484,38 @@ The sigma protocol proof reveals nothing about k beyond the validity of the stat
### 7.1 Parameter Selection
| Parameter | Value | Security Level |
|-----------|-------|----------------|
| Ring dimension n | 256 | 128-bit post-quantum |
| Ring modulus q | 4 | Minimal for rounding |
| KEM security | Kyber768 | NIST Level 3 |
| Signature security | Dilithium3 | NIST Level 3 |
| Hash output | 512 bits | Collision resistance |
| Commitment nonce | 256 bits | Binding security |
| Parameter | Value | Security Level |
|--------------------|------------|----------------------|
| Ring dimension n | 256 | 128-bit post-quantum |
| Ring modulus q | 4 | Minimal for rounding |
| KEM security | Kyber768 | NIST Level 3 |
| Signature security | Dilithium3 | NIST Level 3 |
| Hash output | 512 bits | Collision resistance |
| Commitment nonce | 256 bits | Binding security |
### 7.2 Concrete Advantages
Assuming λ = 128 security parameter:
| Component | Advantage Bound |
|-----------|-----------------|
| Ring-LPR PRF | 2^(-128) (DCP hardness) |
| ML-KEM IND-CCA | 2^(-128) (MLWE hardness) |
| ML-DSA EUF-CMA | 2^(-128) (MLWE+SIS hardness) |
| AEAD (AES-GCM) | 2^(-128) |
| HKDF-SHA512 | 2^(-256) |
| Component | Advantage Bound |
|--------------------|---------------------------------|
| Ring-LPR PRF | 2^(-128) (DCP hardness) |
| ML-KEM IND-CCA | 2^(-128) (MLWE hardness) |
| ML-DSA EUF-CMA | 2^(-128) (MLWE+SIS hardness) |
| AEAD (AES-GCM) | 2^(-128) |
| HKDF-SHA512 | 2^(-256) |
| Commitment binding | 2^(-128) (collision resistance) |
| ZK soundness | 2^(-128) (sigma protocol) |
| ZK soundness | 2^(-128) (sigma protocol) |
### 7.3 Attack Complexity
| Attack | Complexity | Mitigation |
|--------|------------|------------|
| Offline dictionary | Requires OPRF oracle | One guess per session |
| Online brute force | O(2^128) sessions | Rate limiting |
| Quantum OPRF attack | O(e^256) | DCP hardness |
| Server compromise | No offline attack | OPRF obliviousness |
| Forward secrecy break | O(2^128) per session | Ephemeral KEM keys |
| Attack | Complexity | Mitigation |
|-----------------------|----------------------|-----------------------|
| Offline dictionary | Requires OPRF oracle | One guess per session |
| Online brute force | O(2^128) sessions | Rate limiting |
| Quantum OPRF attack | O(e^256) | DCP hardness |
| Server compromise | No offline attack | OPRF obliviousness |
| Forward secrecy break | O(2^128) per session | Ephemeral KEM keys |
---
@@ -496,7 +523,8 @@ Assuming λ = 128 security parameter:
[Can01] R. Canetti. "Universally Composable Security: A New Paradigm for Cryptographic Protocols." FOCS 2001.
[JKX18] S. Jarecki, H. Krawczyk, J. Xu. "OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks." Eurocrypt 2018.
[JKX18] S. Jarecki, H. Krawczyk, J. Xu. "OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks."
Eurocrypt 2018.
[Lyu09] V. Lyubashevsky. "Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures." ASIACRYPT 2009.
@@ -519,11 +547,13 @@ Assuming λ = 128 security parameter:
The Fast OPRF eliminates Oblivious Transfer by leveraging algebraic structure:
**Public Parameters:**
- `A ∈ R_q` (random ring element, derived from CRS)
- `q = 12289` (NTT-friendly prime)
- `n = 256` (ring dimension)
**Key Generation:**
```
ServerKeyGen():
k ←$ D_{σ_k}^n // Small secret from discrete Gaussian, σ_k = 3
@@ -533,6 +563,7 @@ ServerKeyGen():
```
**Client Blind:**
```
Blind(password):
s = H_small(password) // Deterministic small element, ||s||_∞ ≤ 3
@@ -542,6 +573,7 @@ Blind(password):
```
**Server Evaluate:**
```
Evaluate(sk, C):
V = k · C
@@ -550,6 +582,7 @@ Evaluate(sk, C):
```
**Client Finalize:**
```
Finalize(state, pk, V, h):
W = s · B // = s·A·k + s·e_k
@@ -563,10 +596,12 @@ Finalize(state, pk, V, h):
**Theorem 8.1 (Obliviousness under Ring-LWE)**
For any PPT adversary A, the advantage in distinguishing between:
- REAL: `C = A·s + e` where `s, e` derived from password
- IDEAL: `C ←$ R_q` (uniform random)
is bounded by:
```
Adv^{obliv}_A ≤ Adv^{RLWE}_{B}(n, q, σ)
```
@@ -576,32 +611,36 @@ Adv^{obliv}_A ≤ Adv^{RLWE}_{B}(n, q, σ)
We construct a reduction B that uses A to break Ring-LWE.
**Reduction B:**
1. B receives Ring-LWE challenge `(A, b)` where either:
- `b = A·s + e` for small `s, e` (LWE case)
- `b ←$ R_q` (uniform case)
- `b = A·s + e` for small `s, e` (LWE case)
- `b ←$ R_q` (uniform case)
2. B simulates the OPRF for A:
- Set public parameter as the challenge `A`
- When A queries `Blind(password)`:
- If this is the challenge query: return `C = b` (the Ring-LWE challenge)
- Otherwise: compute `C = A·s + e` honestly
- Set public parameter as the challenge `A`
- When A queries `Blind(password)`:
- If this is the challenge query: return `C = b` (the Ring-LWE challenge)
- Otherwise: compute `C = A·s + e` honestly
3. When A outputs a guess g ∈ {REAL, IDEAL}:
- If g = REAL: B outputs "LWE"
- If g = IDEAL: B outputs "Uniform"
- If g = REAL: B outputs "LWE"
- If g = IDEAL: B outputs "Uniform"
**Analysis:**
- If `b = A·s + e`: A sees a valid OPRF blinding → more likely to output REAL
- If `b ←$ R_q`: A sees random → more likely to output IDEAL
- Advantage of B = Advantage of A
**Corollary 8.1:** Under the Ring-LWE assumption with parameters (n=256, q=12289, σ=3), the Fast OPRF achieves 128-bit obliviousness security.
**Corollary 8.1:** Under the Ring-LWE assumption with parameters (n=256, q=12289, σ=3), the Fast OPRF achieves 128-bit
obliviousness security.
### 8.3 Pseudorandomness Proof
**Theorem 8.2 (Pseudorandomness under Ring-LWE)**
For any PPT adversary A without access to the server key k, the OPRF output is computationally indistinguishable from random:
For any PPT adversary A without access to the server key k, the OPRF output is computationally indistinguishable from
random:
```
{Eval(k, password)} ≈_c {U}
@@ -612,6 +651,7 @@ where U is uniform random in {0,1}^256.
**Proof:**
Consider the output computation:
```
V = k · C = k · (A·s + e) = k·A·s + k·e
W = s · B = s · (A·k + e_k) = s·A·k + s·e_k
@@ -624,13 +664,16 @@ The reconciled output depends on `k·A·s` which requires knowledge of k.
**Game 0:** Real OPRF execution.
**Game 1:** Replace `k·A·s` with random ring element.
- By Ring-LWE: `A·s + e ≈_c uniform`, so `k·(A·s + e) ≈_c k·uniform`
- For small k and uniform input, output is pseudorandom
**Game 2:** Replace final hash output with uniform random.
- H is a random oracle: any non-trivial input distribution yields uniform output
**Bound:**
```
Adv^{PRF}_A ≤ Adv^{RLWE}_B + 2^{-λ}
```
@@ -640,6 +683,7 @@ Adv^{PRF}_A ≤ Adv^{RLWE}_B + 2^{-λ}
**Theorem 8.3 (Correctness)**
The protocol is correct: for honestly generated keys and any password,
```
Pr[Finalize(state, pk, Evaluate(sk, Blind(password))) = F_k(password)] ≥ 1 - negl(λ)
```
@@ -647,6 +691,7 @@ Pr[Finalize(state, pk, Evaluate(sk, Blind(password))) = F_k(password)] ≥ 1 - n
**Proof:**
The reconciliation error is bounded by:
```
V - W = k·C - s·B
= k·(A·s + e) - s·(A·k + e_k)
@@ -655,6 +700,7 @@ V - W = k·C - s·B
```
Since `||k||_∞, ||e||_∞, ||s||_∞, ||e_k||_∞ ≤ 3`:
```
||V - W||_∞ ≤ ||k·e||_∞ + ||s·e_k||_∞
≤ n · ||k||_∞ · ||e||_∞ + n · ||s||_∞ · ||e_k||_∞
@@ -663,11 +709,13 @@ Since `||k||_∞, ||e||_∞, ||s||_∞, ||e_k||_∞ ≤ 3`:
```
With reconciliation helper encoding q/4 = 3072 bits of precision:
```
Pr[correct reconciliation] ≥ 1 - 4608/12289 > 0.62 per coefficient
```
Over 256 coefficients with majority voting:
```
Pr[correct output] ≥ 1 - 2^{-Ω(n)} = 1 - negl(λ)
```
@@ -679,6 +727,7 @@ Pr[correct output] ≥ 1 - 2^{-Ω(n)} = 1 - negl(λ)
### 9.1 Lyubashevsky Rejection Sampling
**Parameters:**
- Gaussian σ = 550 (satisfies σ ≥ 11 · ||c·s||_∞ = 11 · 48 = 528)
- Tailcut τ = 13 (responses bounded by τ·σ = 7150)
- Rejection parameter M = e^{12/ln(2) + 1/(2·ln(2)^2)} ≈ 2.72
@@ -709,6 +758,7 @@ Verify(commitment, x, y, π):
**Theorem 9.1 (Statistical Zero-Knowledge)**
There exists a simulator S such that for any verifier V*:
```
{Real(k, x, y, V*)} ≈_s {S(x, y, V*)}
```
@@ -729,14 +779,17 @@ S(x, y):
**Proof:**
The key insight is that with proper rejection sampling, the distribution of z in real proofs is exactly D_σ^n, independent of k.
The key insight is that with proper rejection sampling, the distribution of z in real proofs is exactly D_σ^n,
independent of k.
**Lemma 9.1 (Rejection Sampling):**
Let m ← D_σ and z = m + v for fixed v with ||v|| < σ/(2τ). After rejection sampling with probability p = D_σ(z)/(M · D_{v,σ}(z)):
Let m ← D_σ and z = m + v for fixed v with ||v|| < σ/(2τ). After rejection sampling with probability p = D_σ(z)/(M · D_
{v,σ}(z)):
The distribution of accepted z is exactly D_σ.
*Proof of Lemma 9.1:*
```
Pr[z accepted] = ∑_z Pr[m = z - v] · p(z)
= ∑_z D_σ(z - v) · D_σ(z) / (M · D_{v,σ}(z))
@@ -746,6 +799,7 @@ Pr[z accepted] = ∑_z Pr[m = z - v] · p(z)
```
For accepted z:
```
Pr[z | accepted] = Pr[z accepted] · Pr[z] / (1/M)
= (D_σ(z)/M) / (1/M)
@@ -758,6 +812,7 @@ In real execution: z is distributed as D_σ after rejection sampling.
In simulation: z is sampled directly from D_σ.
Both distributions are identical! The only difference is:
- Real: t = H(m || m·H(x)) where m = z - c·k
- Simulated: t = H(z - c·k_dummy || (z - c·k_dummy)·H(x))
@@ -769,7 +824,8 @@ Statistical distance: 2^{-100} (from rejection sampling failure probability).
**Theorem 9.2 (Computational Soundness)**
For any PPT adversary A, the probability of producing valid proofs for two different evaluations y₁ ≠ y₂ under the same commitment is negligible:
For any PPT adversary A, the probability of producing valid proofs for two different evaluations y₁ ≠ y₂ under the same
commitment is negligible:
```
Pr[Verify(c, x, y₁, π₁) = Verify(c, x, y₂, π₂) = 1 ∧ y₁ ≠ y₂] ≤ negl(λ)
@@ -781,23 +837,27 @@ Assume A produces accepting proofs (t₁, z₁, c₁) and (t₂, z₂, c₂) for
**Case 1: c₁ ≠ c₂**
From the verification equations:
```
z₁ = m₁ + c₁·k → m₁ = z₁ - c₁·k
z₂ = m₂ + c₂·k → m₂ = z₂ - c₂·k
```
If t₁ ≠ t₂, then m₁ ≠ m₂. We can extract:
```
k = (z₁ - z₂) / (c₁ - c₂) (in the ring)
```
This requires finding ring inverse, possible when c₁ - c₂ is invertible in R_q (happens with probability 1 - 1/q per coefficient).
This requires finding ring inverse, possible when c₁ - c₂ is invertible in R_q (happens with probability 1 - 1/q per
coefficient).
**Case 2: c₁ = c₂**
Then H(c || t₁ || x || y₁) = H(c || t₂ || x || y₂).
Since y₁ ≠ y₂, this is a collision in H, probability ≤ 2^{-128}.
**Combined bound:**
```
Pr[forgery] ≤ 2^{-128} + negl(λ)
```
@@ -809,12 +869,15 @@ Pr[forgery] ≤ 2^{-128} + negl(λ)
### A.1 Ring-LPR Pseudorandomness
**Lemma A.1** For uniformly random k ∈ R₂ and arbitrary x ∈ R₂:
```
{(x, F_k(x))} ≈_c {(x, U)}
```
where U is uniform random output.
*Proof:*
1. F_k(x) = H₂(⌊k·x mod 4⌋₁)
2. By Ring-LPR assumption: ⌊k·x mod 4⌋₁ ≈_c ⌊u⌋₁ for random u
3. H₂ is a random oracle: output is uniformly distributed
@@ -823,34 +886,43 @@ where U is uniform random output.
### A.2 Sigma Protocol Analysis
**Commitment:**
```
t = H(m || m·a)
```
where m ←$ R_q with small coefficients.
**Challenge:**
```
e = H(c || t || x || y)[0:16]
```
(128-bit challenge via Fiat-Shamir)
**Response:**
```
z = m + e·k
```
with rejection if ||z||_∞ > B.
**Rejection Probability:**
By Lemma 4.1 of [Lyu12], if m is sampled from discrete Gaussian with σ > 12·||k||:
```
Pr[rejection] ≤ 2^(-100)
```
**Soundness:**
If adversary produces accepting proofs for (c, x, y₁) and (c, x, y₂) with y₁ ≠ y₂:
```
z₁ - z₂ = e₁·k - e₂·k = (e₁ - e₂)·k
```
Since e₁ ≠ e₂ with overwhelming probability, we can extract k.
**Zero-Knowledge:**
@@ -864,6 +936,7 @@ Statistical distance from real: 2^(-λ) by rejection sampling lemma.
### B.1 Constant-Time Implementation
All operations on secret data must be constant-time:
- Ring multiplication: coefficient-by-coefficient, no early termination
- Rounding: table lookup with constant access pattern
- Comparison: bitwise operations only
@@ -877,6 +950,7 @@ All operations on secret data must be constant-time:
### B.3 Zeroization
All secret values are zeroized after use:
- OPRF keys: `RingLprKey` implements `ZeroizeOnDrop`
- Session keys: explicit zeroize before deallocation
- Intermediate values: scoped to minimize lifetime