Chapter 1 Introduction
1.1 Research Background
computing and others. The Client-Server model is frequently adopted by such services: clients are served by the great computational power and storage capability of remote central servers. Under this framework the servers have powerful computational capability and enormous storage space, so clients can reduce their computational cost and save memory by outsourcing both to the servers. Because the network is an open environment, two basic security requirements must be satisfied to ensure that confidential information is not stolen by malicious attackers during communication: authentication of identity and confidentiality of the transmitted data. Identity authentication means that the participants in the communication can verify each other's legitimacy, so that illegitimate participants are ruled out. Confidentiality means that nobody except the legitimate participants of the communication can recover the secret from the transmitted data.
Several cryptosystems, digital signatures and other technologies are necessary to achieve the above security requirements. In general, cryptosystems can be divided into symmetric cryptosystems and public key cryptosystems. In a symmetric cryptosystem both parties of the communication use the same secret key to perform encryption and decryption; in this case, if the key was stolen then the
the public key cryptosystem was proposed. In a public key cryptosystem each party of the communication has its own public/private key pair; the public key is published while the private key is kept secret. Assuming Alice wants to send a secret message to Bob, she uses Bob's public key to encrypt the message, and Bob decrypts the ciphertext with his private key. Because public key cryptosystems are less efficient in operation, applications usually use them only to transmit the session key, and the symmetric cryptosystem is the one mainly adopted for the data itself. Meanwhile, key exchange protocols play a vital role in symmetric cryptosystems because they are designed to establish a shared secure session key that both sides of the communication use for further encryption.
In 1976, Whitfield Diffie and Martin Hellman proposed the famous Diffie-Hellman key exchange protocol [1]. It is a well-known pioneering protocol that provides secure and reliable key exchange. However, user authentication is not included in the original design, so it unavoidably faces the man-in-the-middle attack. Therefore, authenticated key exchange (AKE) schemes were proposed [2][3][4][5][6]. In an AKE scheme, two parties aim to authenticate each other and establish a shared session key if the authentication succeeds.
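To make the two-message exchange concrete, the following is an added example (it is not code from the thesis or from [1]) of Diffie-Hellman over a toy safe-prime group, together with the validation of received values and the hash-based key derivation a practitioner would expect around it. The group constants P, Q_ORD and G and the function names are choices made here for illustration; the group is far too small for real use. Nothing in the two exchanged values identifies who produced them, which is exactly the gap that the AKE schemes discussed above close.

```python
import hashlib

# Toy safe-prime group, constructed for illustration only: P = 2*Q_ORD + 1,
# and G = 4 generates the subgroup of prime order Q_ORD.  Real deployments
# use standardized groups of 2048 bits or more.
P = 1019
Q_ORD = 509
G = 4


def valid_public_value(y):
    """Reject received values outside (1, P-1) or outside the prime-order
    subgroup; both checks are independent of who sent the value."""
    return 1 < y < P - 1 and pow(y, Q_ORD, P) == 1


def public_value(x):
    """Message each side sends: g^x mod p."""
    return pow(G, x, P)


def shared_secret(private, peer_public):
    """g^(ab) mod p, computed from the peer's public value."""
    if not valid_public_value(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(z, transcript):
    """Key derivation: hash the group element together with both public
    values so the session key is bound to this particular exchange."""
    return hashlib.sha256(z.to_bytes(2, "big") + transcript).digest()


def diffie_hellman(a, b):
    """Run the exchange with Alice's exponent a and Bob's exponent b and
    return the session key each side derives (they must be equal)."""
    ya = public_value(a)  # message 1: Alice -> Bob
    yb = public_value(b)  # message 2: Bob -> Alice
    transcript = ya.to_bytes(2, "big") + yb.to_bytes(2, "big")
    key_alice = derive_key(shared_secret(a, yb), transcript)
    key_bob = derive_key(shared_secret(b, ya), transcript)
    return key_alice, key_bob
```

The subgroup check rejects 0, 1, p-1 and any value outside the order-Q_ORD subgroup, which is the routine hygiene for received Diffie-Hellman values; it does not, and cannot, tell Alice whether the value came from Bob.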
In the current network, most services such as e-mail systems, on-line shopping, social networking, etc. authenticate users through password-based systems. This authentication mechanism combined with key exchange is called password-based authenticated key exchange (PAKE) [7][8][9][10]. Unlike AKE based on public key certificates, the two parties only need the shared password to accomplish mutual authentication. This method reduces the additional burden of certificate issuance and management; the user can freely choose a password that is easy to remember and use it to establish a highly secure mutually authenticated channel.
In 2012, Xun et al. [10] proposed a password-based authenticated key exchange in the Client-Server model. Users of the protocol only need to remember the password rather than a private key. Both parties perform mutual authentication via the password and generate a shared session key. The security of their protocol is guaranteed by the discrete logarithm problem from number theory. However, in 1994 the mathematician Peter Shor proposed an algorithm that can solve such number-theoretic hard problems in polynomial time on a future quantum computer, since quantum computers are able to execute a great amount of computation effectively in parallel; this means that current cryptosystems and security protocols will be broken. Many scholars began to study post-quantum cryptography to find solutions, and it was found that lattice-based cryptosystems [11][12][13][14][15][16][17][18] do not yield to such parallel computation, so they are secure even against a quantum computer.
In 2013, Park et al. [19] proposed a mutual authentication mechanism based on the NTRU cryptosystem [11]. NTRU is a lattice-based public key cryptosystem whose security is based on the shortest vector problem over lattices. This mechanism is built for the NFC mobile payment environment; it makes banks and customers perform the
mechanism. Apart from the registration phase, the other phases are performed in an open environment. An attacker can first eavesdrop on the communication and obtain the messages, including the certificate issued by the bank and the NTRU-based authentication parameters. Then the attacker can launch an impersonation attack and pass the verification of legitimate participants. Besides this lack of security, the participants of the mechanism do not generate a shared session key. In 2012, Ding et al. [21] proposed a lattice-based key exchange. The security of the protocol is based on the LWE problem over lattices, so it can resist attacks from quantum computers. They designed a method that lets the two parties turn their similar (approximately equal) parameters into the same shared value, and extended it to a lattice-based key exchange with authentication in 2015. They again employed the method of shared parameters to establish the shared session keys and added an authentication mechanism that uses the participants' public/private keys to accomplish implicit key authentication. However, we argue that clients in the Client-Server model do not need to keep their own public/private key pair; the situation can be divided into the following three cases:
authentication by encryption, decryption and certificates. Therefore, they need a trusted third party to assist authentication between them. This method adds extra steps and reduces overall efficiency.
(2) Both parties have their own public/private key pair: they can use each other's public key to encrypt messages and verify each other by the key certificates. However, a client of the C/S model needs to generate a different key pair for each service, so he/she must spend additional resources on key storage and management.
(3) Only the server has a public/private key pair: the server usually has powerful computational capability and enormous storage space and must communicate with many different users, so it is reasonable for the server to keep its own key pair. The user just uses the shared password registered by the user to perform mutual authentication and does not need to keep his/her own public/private key pair. This method reduces the additional burden of key-pair management for the client.
Our paper proposes a password-based authenticated key exchange based on lattices in the Client/Server model. This scheme has the following characteristics:
(1) The security of our scheme is based on the learning with errors problem over lattices, which belongs to post-quantum cryptography, so it can resist the threat from quantum computers.
國立政治大學 National Chengchi University
(2) The key exchange only needs a two-pass communication.
(3) We adopt the Client/Server model so that clients do not need to keep their own public/private key pair. This method reduces the additional burden of key-pair management for the client.
(4) The client can choose a password that is easy to remember and use it to establish a highly secure mutual authentication scheme.
(5) We utilize explicit key authentication so that the participants of the communication can perform mutual authentication.
In our scheme, the client and server use the password registered by the user to perform mutual authentication. The client only uses the server's public key to generate the secret authentication message; he/she does not need to keep his/her own public/private key pair. This method belongs to explicit key authentication: the participants know directly with whom they are communicating and are assured that both hold the same shared session key after the key exchange finishes. According to the aforementioned characteristics, our scheme is an efficient and secure password-based authenticated key exchange over lattices.
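Two points above benefit from a worked illustration: the Ding et al. [21] idea of turning the two parties' similar (approximately equal) LWE values into one identical key, and the explicit key confirmation by which both participants are assured they hold the same session key. The block below is an added example written for this purpose; it is neither the thesis's scheme nor code from [21], and it involves no password or server public key, so it is not a PAKE. The modulus Q, dimensions N and M, the ternary secrets, the signal/parity reconciliation in sig and mod2, the HMAC-based confirmation tags and the third message carrying the client's tag are all choices made here for illustration and are far too small to be secure.

```python
import hashlib
import hmac
import random

Q = 12289  # odd modulus (illustrative; a real instance is sized by a security analysis)
N = 16     # LWE dimension (toy; real instances use hundreds of dimensions)
M = 8      # secret columns; the M x M agreed matrix yields M*M key bits

def center(v):
    """Representative of v mod Q in [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v

def sig(v):
    """Signal bit sent by the server: 0 if center(v) lies in [-Q//4, Q//4]."""
    return 0 if -(Q // 4) <= center(v) <= Q // 4 else 1

def mod2(v, w):
    """Reconciliation: shift by (Q-1)/2 when the signal is 1, then take the parity
    of the centered value.  Two values that differ by 2e mod Q with |2e| well
    below Q/4 reconcile to the same bit: 'similar parameters' become one key."""
    return center(v + w * ((Q - 1) // 2)) % 2

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]
def transpose(X):
    return [list(col) for col in zip(*X)]
def add2(X, E):  # X + 2E mod Q; doubling the error keeps the key difference even
    return [[(X[i][j] + 2 * E[i][j]) % Q for j in range(len(X[0]))]
            for i in range(len(X))]
def small(rng, rows, cols):  # ternary secret/error matrix, entries in {-1, 0, 1}
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]
def public_matrix(seed):  # uniform public A, regenerated by both sides from a seed
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
def encode(matrix):  # canonical byte encoding of a matrix over Z_Q for the transcript
    return b"".join(v.to_bytes(2, "big") for row in matrix for v in row)
def session_key(bits):
    return hashlib.sha256(bytes(bits)).digest()

def confirm_tag(sk, role, transcript):
    """Explicit key confirmation: HMAC over the transcript under a key derived
    from the session key, bound to the sender's role."""
    k_conf = hashlib.sha256(b"confirm" + sk).digest()
    return hmac.new(k_conf, role + transcript, hashlib.sha256).digest()

def run_exchange(seed_client, seed_server, seed_public=0, tamper=False):
    """Client/server LWE exchange; returns (client key, server key, max |2e|).
    With tamper=True the server's P_B is replaced in transit (a constructed
    fault), which the key confirmation check must detect."""
    A = public_matrix(seed_public)
    rc, rs = random.Random(seed_client), random.Random(seed_server)

    # Message 1 (client -> server):  P_A = A*S_A + 2E_A
    S_A, E_A, Ep_A = small(rc, N, M), small(rc, N, M), small(rc, M, M)
    P_A = add2(matmul(A, S_A), E_A)

    # Server:  P_B = A^T*S_B + 2E_B ;  K_B = P_A^T*S_B + 2E'_B ;  signal W = sig(K_B)
    S_B, E_B, Ep_B = small(rs, N, M), small(rs, N, M), small(rs, M, M)
    P_B = add2(matmul(transpose(A), S_B), E_B)
    K_B = add2(matmul(transpose(P_A), S_B), Ep_B)
    W = [[sig(v) for v in row] for row in K_B]
    bits_B = [mod2(v, w) for row, wr in zip(K_B, W) for v, w in zip(row, wr)]
    sk_B = session_key(bits_B)
    tr_server = encode(P_A) + encode(P_B) + bytes(w for row in W for w in row)
    tag_B = confirm_tag(sk_B, b"server", tr_server)
    # Message 2 (server -> client):  P_B, W, tag_B

    if tamper:  # constructed fault: the client receives a different P_B
        P_B = [[rc.randrange(Q) for _ in range(M)] for _ in range(N)]

    # Client:  K_A = S_A^T*P_B + 2E'_A, reconciled with the server's signal W
    K_A = add2(matmul(transpose(S_A), P_B), Ep_A)
    bits_A = [mod2(v, w) for row, wr in zip(K_A, W) for v, w in zip(row, wr)]
    sk_A = session_key(bits_A)
    tr_client = encode(P_A) + encode(P_B) + bytes(w for row in W for w in row)
    if not hmac.compare_digest(tag_B, confirm_tag(sk_A, b"server", tr_client)):
        raise ValueError("server key confirmation failed")
    tag_A = confirm_tag(sk_A, b"client", tr_client)
    # Message 3 (client -> server):  tag_A
    if not hmac.compare_digest(tag_A, confirm_tag(sk_B, b"client", tr_server)):
        raise ValueError("client key confirmation failed")
    gap = max(abs(center(a - b)) for ra, rb in zip(K_A, K_B) for a, b in zip(ra, rb))
    return sk_A, sk_B, gap

def tamper_detected(seed_client, seed_server):
    """True if explicit key confirmation rejects the substituted P_B."""
    try:
        run_exchange(seed_client, seed_server, tamper=True)
    except ValueError:
        return True
    return False
```

The two raw matrices K_A and K_B differ entrywise by 2(S_A^T E_B + E'_A - E_A^T S_B - E'_B), so with ternary entries the difference is even and at most 2(2N+2) in absolute value; because that is well below Q/4, the signal W lets both sides extract the same parity bit from every entry. The confirmation tags then give each side evidence that the other holds the same session key and saw the same transcript, which is what distinguishes explicit key authentication from the implicit kind.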
Figure 1. The Situation of PAKE