A Study of Password-based Authenticated Key Exchange from Lattices for Client/Server Model (主從式架構下基於晶格之通行碼認證金鑰交換協定之研究) - NCCU Academic Hub (政大學術集成)

Academic year: 2021

Department of Computer Science, National Chengchi University
Master's Thesis
A Study of Password-based Authenticated Key Exchange from Lattices for Client/Server Model
(主從式架構下基於晶格之通行碼認證金鑰交換協定之研究)
Student: 鄭逸修
Advisor: Dr. 左瑞麟
June 2017

Acknowledgements
First, I sincerely thank my advisor, Professor 左瑞麟, who taught me much about the field of information security and who patiently discussed, revised and corrected the English of my thesis with me so that I could complete my master's thesis smoothly. I also especially thank the oral examination committee members, Professors 羅乃維, 范俊逸, 王智弘, 吳牧恩 and 秦華旺, for the many valuable comments that helped make this thesis more complete.
During my master's studies, I thank the senior members of the laboratory for their help and advice, from which I benefited greatly, and I also thank the junior members for their encouragement and help, which gave me the motivation to break through whenever I hit a bottleneck. Thank you to everyone in the lab for your company, which made my master's life rich and fulfilling.
Finally, I thank my father and mother. Without your unconditional support I do not think I could have come this far; when I was helpless and at a loss you always gave me the greatest care and accompanied me through every difficulty, so that I was able to obtain my master's degree.

摘要 (Abstract in Chinese)
Password-based Authenticated Key Exchange is a technique that lets two parties who wish to exchange messages authenticate each other and generate a shared key. The two parties use a shared password as the basis of identity verification, and after verification they derive a secret session key known only to the two of them; confidential information can then be transmitted over a secure channel established with this key.
This thesis proposes a lattice-based password-authenticated key exchange protocol for the Client/Server model. The client only needs to store the password shared with the server, while the server holds its own public/private key pair in addition to the password. The two parties authenticate each other via the shared password and complete authentication and key exchange within two steps. Its security rests on the hard problems of lattice-based cryptosystems, so it can withstand the powerful computational attacks of quantum computers should they appear in the future, achieving a secure and efficient password-authenticated key agreement.
Keywords: password-based authenticated key exchange, lattice, learning with errors problem, key exchange protocol, mutual authentication, Client/Server model

Abstract
The password-based authenticated key exchange is a technology that allows both parties to perform mutual authentication and generate a shared session key. They use the shared password as the basis for authentication and generate a session key that is known only to the two parties. At last, they can use this key to establish a secure channel to transmit secret messages.
We propose a password-based authenticated key exchange from lattices for the Client-Server model. The client only needs to remember the password rather than a private key, while the server keeps the password and its own public/private key pair. Both parties execute mutual authentication via the shared password and accomplish the key exchange within two steps. The security of our protocol is based on the LWE problem for lattices, so it is secure even if an attacker uses a quantum computer.
Keywords: PAKE, Lattice, Key Exchange, LWE, Mutual Authentication, Client/Server model

Table of Contents
誌謝 (Acknowledgements) ... I
摘要 (Abstract in Chinese) ... II
Abstract ... III
Table of Contents ... IV
List of Figures ... VII
List of Tables ... VII
Chapter 1 Introduction ... 1
1.1 Research Background ... 1
1.2 Organization ... 7
Chapter 2 Background Knowledge ... 8
2.1 Lattice ... 8
2.2 Learning with Error ... 8
2.3 Ring Learning with Error ... 9
2.4 NTRU Cryptosystem ... 10
2.4.1 Initial Parameters Setting ... 10
2.4.2 Key Generation ... 11
2.4.3 Encryption ... 11
2.4.4 Decryption ... 11
Chapter 3 Related Works ... 12
3.1 Identity-based Password-Authenticated Key Exchange for Client/Server Model ... 12
3.1.1 Protocol Execution ... 12
3.2 Anonymous Authentication Scheme based on NTRU for the Protection of Payment Information in NFC Mobile Environment ... 13
3.2.1 System Parameters Setting ... 14

3.2.2 User Registration Phase ... 14
3.2.3 User Identity Proof Phase ... 15
3.2.4 Bank Identity Proof Phase ... 16
3.3 Security Analysis of a NTRU-based Mutual Authentication Scheme ... 18
3.4 A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem ... 20
3.4.1 Protocol Execution ... 20
3.5 Authenticated Key Exchange from Ideal Lattices ... 21
3.5.1 Protocol Execution ... 22
3.6 Key Exchange ... 23
3.7 Implicit Key Authentication v.s. Explicit Key Authentication ... 24
Chapter 4 Proposed Scheme ... 26
4.1 Architecture ... 26
4.1.1 System Parameters Setting ... 26
4.1.2 Protocol Execution ... 27
4.1.3 Password Update ... 28
4.2 Correctness ... 29
4.2.1 Signal Functions ... 29
4.2.2 Robust Extractors ... 29
Chapter 5 Security Analysis ... 32
5.1 Oracle Definition ... 32
5.2 Advantage of the Adversary ... 33
5.2.1 Fresh Definition ... 33
5.2.2 Succ Definition ... 33
5.3 Experiment Definition ... 34
5.4 NTRU ... 38

5.5 Comparison with Related Works ... 39
Chapter 6 Experimental Results ... 41
Chapter 7 Conclusion ... 46
References ... 47

List of Figures
Figure 1. The Situation of PAKE ... 7
Figure 2. Xun's Protocol ... 13
Figure 3. User Registration Phase ... 17
Figure 4. User Identity Proof Phase ... 17
Figure 5. Bank Identity Proof Phase ... 17
Figure 6. Impersonation Attack ... 19
Figure 7. Ding's Protocol ... 21
Figure 8. Zhang's Protocol ... 23
Figure 9. Our Scheme ... 28
Figure 10. Password Update Phase ... 29
Figure 11. The parameters in the scheme (n = 256) ... 42
Figure 12. The parameters in the scheme (n = 512) ... 42
Figure 13. The parameters in the scheme (n = 1024) ... 43
Figure 14. The parameters in the scheme (n = 2048) ... 43
Figure 15. Client Interface (PC) ... 44
Figure 16. Client Interface (Mobile Simulator) ... 44
Figure 17. Server Interface ... 45

List of Tables
Table 1. Analysis of NTRU with Other Public Key Cryptosystems ... 39
Table 2. Comparison with Related Works ... 40

Chapter 1 Introduction
1.1 Research Background
With the booming development of computer technology, people can carry out sundry services via the Internet such as file transfer, on-line shopping, cloud computing and others. The Client-Server model is frequently adopted for the above services: clients are served by the great computational power and storage capability of remote central servers. Under such a framework, the servers usually have powerful computing capability and enormous storage space, so the clients can reduce their computational costs and save memory capacity by outsourcing them to the servers. Because the network is an open environment, in order to ensure that confidential information is not stolen by malicious attackers during the communication process, two basic security requirements must be satisfied: the authentication of identity and the confidentiality of the transmitted data. Identity authentication means that the participants in the communication can verify the legitimacy of each other so that illegitimate participants are ruled out. Confidentiality means that, except for the legitimate participants of the communication, nobody else can obtain the secret from the transmitted data. Several cryptosystems such as digital signatures and other technologies are necessary in order to achieve the above security requirements.
In general, cryptosystems can be divided into symmetric cryptosystems and public key cryptosystems. In a symmetric cryptosystem both parties of the communication use the same secret key to perform encryption and decryption; in this case, if the key is stolen then the

protected information will be known to the attacker. In order to solve this problem, the public key cryptosystem was proposed. In a public key cryptosystem both parties of the communication have their own public/private key pair; the public key is published while the private key is kept secret. Assuming Alice wants to send a secret message to Bob, she needs to use Bob's public key to encrypt the message, and then Bob decrypts the encrypted message. Because the public key cryptosystem is less efficient in operation, applications usually use it only to transmit the session key, and the symmetric cryptosystem is mainly adopted when choosing a cryptosystem. Meanwhile, key exchange protocols play a vital role in symmetric cryptosystems because they are designed to establish a shared secure session key which will be utilized for further encryption by both sides of the communication.
In 1976, Whitfield Diffie and Martin Hellman proposed the famous Diffie-Hellman key exchange protocol [1]. It is a well-known pioneer which provides secure and reliable key exchange. However, user authentication is not included in the original design, so it unavoidably faces the man-in-the-middle attack. Therefore, authenticated key exchange (AKE) schemes were proposed [2][3][4][5][6]. In AKE schemes, two parties aim to authenticate each other and establish a shared session key if the authentication succeeds.
In the current network, most services such as e-mail systems, on-line shopping, social networking etc. authenticate users through password-based systems. The aforementioned authentication mechanism combined with key exchange is called password-based authenticated key exchange (PAKE) [7][8][9][10]. It differs

from AKE using public key certificates in that both parties only need to use the shared password to accomplish mutual authentication. This method reduces the additional burden of certificate issuance and management; the user can freely set a password that is easy to remember and use it to establish a highly secure mutual authentication channel.
In 2012, Xun et al. [10] proposed a password-based authenticated key exchange in the Client-Server model. Users under the protocol only need to remember the password rather than a private key. Both parties execute mutual authentication via the password and generate a shared session key. The security of their protocol is guaranteed by the discrete logarithm problem in number theory. However, the mathematician Peter Shor proposed an algorithm in 1994 which can solve such hard problems from number theory in polynomial time on a future quantum computer, since quantum computers are able to effectively execute a great amount of computation in parallel; this means that current cryptosystems and secure protocols will be broken. Many scholars began to study post-quantum cryptography to find solutions, and it was found that lattice-based cryptosystems [11][12][13][14][15][16][17][18] cannot be computed in parallel in this way, so they are secure even in front of a quantum computer.
In 2013, Park et al. [19] proposed a mutual authentication mechanism based on the NTRU cryptosystem [11]. NTRU is a lattice-based public key cryptosystem whose security is based on the shortest vector problem over lattices. This mechanism is built on the NFC mobile payment environment; it makes banks and customers perform

mutual authentication to verify each other's identity and ensure the security of the transaction phase. However, Tso et al. [20] proposed an attack on Park's mechanism. Apart from the registration phase, the other phases are performed in an open environment. An attacker can first eavesdrop on the communication and obtain the messages, including the certificate issued by the bank and the authentication parameters based on NTRU. Then, the attacker can launch an impersonation attack to pass the verification of legitimate participants. In this mechanism, in addition to the lack of security, the participants do not generate a shared session key.
In 2012, Ding et al. [21] proposed a lattice-based key exchange. The security of the protocol is based on the LWE problem on lattices, so it can resist attacks from quantum computers. They designed a method which lets similar parameters be turned into the same value, and then uses that value to establish a shared session key. Nevertheless, this protocol does not provide mutual authentication, so it only achieves passive security and may still be attacked by man-in-the-middle or other active attacks.
In order to improve Ding's method, Zhang et al. [22] proposed a new lattice-based key exchange with authentication in 2015. They continued to employ the method of shared parameters to establish the shared session key and added an authentication mechanism which utilizes the participants' public/private keys to accomplish implicit key authentication. However, we advocate that the clients of the Client-Server model do not need to keep their own public/private key pair; this can be divided into the following three cases:

(1) There is no public/private key pair on either party: Because neither party has a public/private key that can represent its identity, they cannot perform authentication by encryption, decryption and certificates. Therefore, they need a fair third party to assist authentication between them. This method adds extra steps and reduces the overall efficiency.
(2) Both parties have their own public/private key pair: They can use each other's public key to encrypt messages, and verify each other by the key certificate. However, the client of the C/S model needs to generate a different key pair for each service, so he/she needs to spend additional resources on key storage and management.
(3) Only the server has a public/private key pair: The server usually has powerful computational capability and enormous storage space and must communicate with many different users, so it is reasonable for the server to keep its own key pair. The user just uses the shared password registered by the user to perform mutual authentication; he/she does not need to keep his/her own public/private key. This method reduces the additional burden of key pair management for the client.
Our paper proposes a password-based authenticated key exchange based on lattices in the Client/Server model. This scheme has the following characteristics:
(1) The security of our scheme is based on the learning with errors problem for lattices, which belongs to post-quantum cryptography, so it can resist the

threat from quantum computers.
(2) The key exchange only needs a two-pass communication.
(3) We adopt the Client/Server model so that there is no need for clients to keep their own public/private key pair. This method reduces the additional burden of key pair management for the client.
(4) The client can set a password that is easy to remember and use it to establish a highly secure mutual authentication scheme.
(5) We utilize explicit key authentication so that the participants of the communication can perform mutual authentication.
In our scheme, the client and server use the password registered by the user to perform mutual authentication. The client just uses the server's public key to generate the secret authentication message; he/she does not need to keep his/her own public/private key pair. This method belongs to explicit key authentication: the participants directly know with whom they are communicating and ensure that both of them hold the same shared session key after finishing the key exchange. According to the aforementioned characteristics, our scheme is an efficient, secure password-based authenticated key exchange in lattices.

Figure 1. The Situation of PAKE
1.2 Organization
Our research is divided into six chapters, the contents of which are as follows:
Chapter 1: We introduce the research background, research motivation and purpose of this paper.
Chapter 2: We introduce the background knowledge, including lattices, the learning with errors problem and the lattice-based cryptosystem NTRU.
Chapter 3: We introduce several previous related works about PAKE and point out where we think they should be modified.
Chapter 4: We propose a new PAKE in lattices in the client/server model, which is the core contribution of this paper.
Chapter 5: We perform security and feature analyses of the proposed protocol.
Chapter 6: We simulate the protocol executing on a computer and on a mobile simulator.

Chapter 2 Background Knowledge
The security of our scheme is based on the learning with errors problem from lattices, and it uses the lattice-based public key cryptosystem NTRU. In this section, we introduce lattices, the learning with errors problem and NTRU.
2.1 Lattice
The concept of the lattice [23] was first proposed by Joseph Louis Lagrange and Carl Friedrich Gauss. It refers to the set generated by a linearly independent basis in n-dimensional space, including all of its integer linear combinations. Given a basis $B = \{b_1, b_2, \ldots, b_n\}$, it can be expressed by the following formula:
$$L(B) = \Big\{ \sum_{i=1}^{n} c_i b_i \;:\; c_i \in \mathbb{Z},\ b_i \in B,\ i = 1, 2, \ldots, n \Big\}$$
We can regard it as a set of discrete points; these points look like a crystal lattice when distributed in space, hence the name lattice. Several types of hard problem in lattices have been found by scholars, who used them to develop lattice-based cryptosystems. Unlike cryptosystems based on the discrete logarithm problem (ElGamal) or the factoring problem (RSA), lattice-based cryptosystems are secure even if an attacker uses a quantum computer.
2.2 Learning with Error
The Learning with Errors problem [24] was proposed by Oded Regev in 2005. Given an integer $q \geq 2$, let $\chi$ be a distribution on $\mathbb{Z}_q$ and $\alpha$ the standard

deviation of the distribution; then we can define the distribution $A_{s,\chi}$ on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ by the following formula:
$$b_1 = \langle s, a_1 \rangle + e_1$$
$$b_2 = \langle s, a_2 \rangle + e_2$$
$$\vdots$$
Two types of LWE problem are defined via the multiple pairs $(a_i, b_i)$. Here $a_i \in \mathbb{Z}_q^n$ is a public n-dimensional vector, $s \in \mathbb{Z}_q^n$ is the secret n-dimensional vector and $e_i$ is a noise value selected from the distribution $\chi$.
(1) Search: Given the multiple pairs $(a_i, b_i)$, it is hard to find the secret vector $s$.
(2) Decision: Given the multiple pairs $(a_i, b_i)$, it is hard to distinguish whether $b_i$ comes from the distribution $A_{s,\chi}$ or is uniformly random in $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
2.3 Ring Learning with Error
Given the polynomial ring with integer coefficients $R_q = \mathbb{Z}_q[x]/(f(x))$, where $q$ is a prime integer, $f(x) = x^n + 1$ and $n$, a power of 2, defines the degree of the polynomials; let $\chi$ be a distribution on $R_q$ and $\alpha$ the standard deviation of the distribution. Then we can define the distribution and the two types of problem as in LWE by the following formula:
$$b_i(x) = a_i(x) \cdot s(x) + e_i(x)$$
where $a_i(x)$ can be expressed as
$$a(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-2} x^{n-2} + a_{n-1} x^{n-1}$$
Here $a_i(x) \in R_q$ is a public polynomial, $s(x) \in R_q$ is the secret polynomial and $e_i(x)$ is a noise polynomial selected from the distribution $\chi$.
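As an added illustration of the LWE distribution $A_{s,\chi}$ of Section 2.2 and its Ring-LWE analogue defined above (example code written for this page, not the thesis's own), the following Python draws samples with constructed toy parameters (far below any secure size; an assumption of the example) and runs the decision test that is easy only for a party holding the secret s: residuals are small noise with the true s and spread over all of $\mathbb{Z}_q$ with a wrong guess or with uniform pairs.

```python
import random

# Constructed toy parameters, an assumption of this example: real LWE uses n in the
# hundreds and an error width alpha*q; these only make the arithmetic easy to inspect.
N_DIM, N_RING, Q, M_SAMPLES, SIGMA = 8, 16, 257, 40, 2.0


def make_rng(seed):
    """Seeded generator so runs are reproducible; never use this for real keys."""
    return random.Random(seed)


def sample_error(rng, sigma=SIGMA):
    """Rounded Gaussian integer, standing in for a draw from the error distribution chi."""
    return int(round(rng.gauss(0, sigma)))


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2], so 'small' noise has small absolute value."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(s, rng, m=M_SAMPLES, q=Q):
    """Draw m pairs (a_i, b_i) from A_{s,chi}: a_i uniform in Z_q^n, b_i = <s, a_i> + e_i mod q."""
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        b = (sum(si * ai for si, ai in zip(s, a)) + sample_error(rng)) % q
        samples.append((a, b))
    return samples


def uniform_samples(n, rng, m=M_SAMPLES, q=Q):
    """Pairs (a_i, b_i) with b_i uniform in Z_q: the other distribution of the decision problem."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def looks_like_lwe(samples, s_guess, q=Q, bound=Q // 8):
    """Decision test for someone holding a candidate secret: residuals b_i - <s_guess, a_i>
    must almost all be small. With the true s each residual is exactly e_i; with a wrong
    guess, or with uniform b_i, the residuals spread over Z_q. Finding s is the hard part."""
    small = 0
    for a, b in samples:
        r = centered(b - sum(si * ai for si, ai in zip(s_guess, a)), q)
        if abs(r) <= bound:
            small += 1
    return small / len(samples) > 0.9


def ring_mul(a, b, q=Q):
    """Multiply in R_q = Z_q[x]/(x^n + 1): the wrap-around x^n becomes -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return [c % q for c in out]


def rlwe_sample(s, rng, q=Q):
    """One Ring-LWE pair (a(x), b(x)) with b = a*s + e in R_q; each coefficient of e is a chi draw."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = [sample_error(rng) for _ in range(n)]
    return a, [(x + y) % q for x, y in zip(ring_mul(a, s, q), e)]


def rlwe_residual_small(a, b, s_guess, q=Q, bound=Q // 8):
    """Ring version of the decision test: all coefficients of b - a*s_guess must be small noise."""
    prod = ring_mul(a, s_guess, q)
    return all(abs(centered(bi - pi, q)) <= bound for bi, pi in zip(b, prod))


if __name__ == "__main__":
    rng = make_rng(2017)
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    samples = lwe_samples(s, rng)
    print("true secret passes decision test:", looks_like_lwe(samples, s))
    print("uniform pairs pass decision test:", looks_like_lwe(uniform_samples(N_DIM, rng), s))
```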

(1) Search: Given the multiple pairs $(a_i(x), b_i(x))$, it is hard to find the secret polynomial $s(x)$.
(2) Decision: Given the multiple pairs $(a_i(x), b_i(x))$, it is hard to distinguish whether $b_i(x)$ was constructed as $b_i(x) = a_i(x) \cdot s(x) + e_i(x)$ or is uniformly random in $R_q$.
2.4 NTRU Cryptosystem
NTRU (N-th degree truncated polynomial ring) is a public key cryptosystem [11] which selects integer-coefficient polynomials from the polynomial ring $R = \mathbb{Z}[X]/(X^N - 1)$ and performs addition, multiplication and modular reduction of the polynomial coefficients, so it is very fast. The security of NTRU is based on the SVP (Shortest Vector Problem) of lattices, so it can resist attacks by quantum computers.
We assume that Alice (A) wants to send encrypted messages to Bob (B). The entire encryption and decryption process can be divided into four stages: (1) Initial parameter setting, (2) Key Generation, (3) Encryption, (4) Decryption.
2.4.1 Initial Parameters Setting
In this phase, Bob sets up three integers $(N, p, q)$ and four sets of integer-coefficient polynomials $(L_f, L_g, L_r, L_m)$ from $R = \mathbb{Z}[X]/(X^N - 1)$.
• $N$ is prime and defines the polynomial degree $N - 1$
• $p$ and $q$ need not be prime but must be coprime, $\gcd(p, q) = 1$
• $q$ is always larger than $p$

2.4.2 Key Generation
To generate a key pair, Bob does the following steps:
1. Bob chooses two random polynomials $f \in L_f$, $g \in L_g$; $f$ must satisfy the requirement that it has inverses modulo $q$ and modulo $p$:
$$f_q * f \equiv 1 \pmod q$$
$$f_p * f \equiv 1 \pmod p$$
2. Bob computes his public key $h$:
$$h \equiv f_q * g \pmod q$$
3. The private key is $(f, f_p)$.
2.4.3 Encryption
Alice uses Bob's public key $h$ to encrypt a message $m \in L_m$ and obtains the ciphertext $e$, where $r \in L_r$ is a random blinding polynomial:
$$e \equiv p r * h + m \pmod q$$
2.4.4 Decryption
Bob uses his private key to decrypt the ciphertext $e$ and recover the original message $m$:
$$a \equiv f * e \pmod q$$
$$a \equiv f * (p r * h + m) \pmod q$$
$$a \equiv f * (p r * f_q * g + m) \pmod q$$
$$a \equiv p r * g + f * m \pmod q$$
$$b \equiv p r * g + f * m \pmod p$$
$$b \equiv f * m \pmod p$$
$$c \equiv f_p * b \pmod p$$
$$c \equiv m \pmod p$$
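The four NTRU stages above, worked through as an added Python example (written for this page, not the thesis's own code) with constructed toy parameters N = 7, p = 3, q = 41 (an assumption of the example; real NTRU uses N in the hundreds). Polynomial inverses are computed by Gauss-Jordan elimination on the circulant matrix of f, and the decryption step shows why the coefficients of a must be centered in (-q/2, q/2] before reducing modulo p.

```python
import random

# Constructed toy parameters, an assumption of this example: N prime, p and q coprime, q > p.
# Real NTRU uses N in the hundreds; these values only keep the polynomials short enough to read.
N, P, Q = 7, 3, 41


def make_rng(seed):
    """Seeded generator so runs are reproducible; never use this for real keys."""
    return random.Random(seed)


def ring_mul(a, b, mod):
    """Multiply in Z_mod[X]/(X^N - 1): exponents wrap around modulo N (a cyclic convolution)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj
    return [c % mod for c in out]


def centered(a, mod):
    """Lift every coefficient to the symmetric range (-mod/2, mod/2]."""
    return [(c % mod) - mod if (c % mod) > mod // 2 else c % mod for c in a]


def ring_inverse(f, mod):
    """Inverse of f in Z_mod[X]/(X^N - 1) for prime mod, or None if none exists.
    Multiplication by f is the circulant matrix C[i][j] = f[(i - j) mod N]; solving
    C * g = (1, 0, ..., 0) by Gauss-Jordan elimination mod `mod` yields g = f^-1."""
    rows = [[f[(i - j) % N] % mod for j in range(N)] + [1 if i == 0 else 0] for i in range(N)]
    for col in range(N):
        pivot = next((r for r in range(col, N) if rows[r][col]), None)
        if pivot is None:
            return None  # singular matrix: f is a zero divisor in the ring
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, mod)  # modular inverse of the pivot (Python 3.8+)
        rows[col] = [(x * inv) % mod for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                factor = rows[r][col]
                rows[r] = [(x - factor * y) % mod for x, y in zip(rows[r], rows[col])]
    return [rows[i][N] for i in range(N)]


def inverse_check(f, mod):
    """True when ring_inverse(f, mod) exists and really satisfies f * f^-1 = 1 in the ring."""
    inv = ring_inverse(f, mod)
    return inv is not None and ring_mul(f, inv, mod) == [1] + [0] * (N - 1)


def ternary(rng, ones, neg_ones):
    """Random element of a set like L_f, L_g, L_r, L_m: `ones` coefficients +1, `neg_ones` -1, rest 0."""
    coeffs = [1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones)
    rng.shuffle(coeffs)
    return coeffs


def keygen(rng, attempts=100):
    """Section 2.4.2: f in L_f, g in L_g, f invertible mod q and mod p; h = f_q * g mod q.
    f gets one more +1 than -1 so f(1) = 1 and the factor X - 1 of X^N - 1 cannot divide it."""
    for _ in range(attempts):
        f, g = ternary(rng, 3, 2), ternary(rng, 2, 2)
        f_q, f_p = ring_inverse(f, Q), ring_inverse(f, P)
        if f_q is not None and f_p is not None:
            return ring_mul(f_q, g, Q), (f, f_p)  # (public key h, private key (f, f_p))
    raise RuntimeError("no invertible f found")


def encrypt(h, m, rng):
    """Section 2.4.3: e = p*r*h + m (mod q) with a fresh random blinding polynomial r in L_r."""
    r = ternary(rng, 2, 2)
    prh = ring_mul([(P * c) % Q for c in r], h, Q)
    return [(x + y) % Q for x, y in zip(prh, m)]


def decrypt(priv, e):
    """Section 2.4.4: a = f*e mod q equals p*r*g + f*m over the integers once centered, because
    with these small polynomials every coefficient stays inside (-q/2, q/2]; reducing mod p then
    removes p*r*g, and f_p recovers m. Skipping the centering is the classic decryption mistake."""
    f, f_p = priv
    a = centered(ring_mul(f, e, Q), Q)
    b = [c % P for c in a]
    return centered(ring_mul(f_p, b, P), P)


def roundtrip(seed=7):
    """Generate a key, encrypt a constructed ternary message and check that it decrypts."""
    rng = make_rng(seed)
    h, priv = keygen(rng)
    m = [1, 0, -1, 0, 1, 0, 0]
    return decrypt(priv, encrypt(h, m, rng)) == m


if __name__ == "__main__":
    print("NTRU toy round-trip succeeded:", roundtrip())
```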

Chapter 3 Related Works
In this section, we introduce lattice-based applications, several key exchange studies and the definitions of implicit key authentication and explicit key authentication.
3.1 Identity-based Password-Authenticated Key Exchange for Client/Server Model
In 2012, Xun et al. [10] proposed an identity-based password-authenticated key exchange for the client/server model. The user under the protocol is only required to remember the password, while the server keeps the password and its own public/private key. Both parties execute mutual authentication via the password and generate a shared session key at the end. The security of their protocol is guaranteed by the discrete logarithm problem in number theory, which is easily attacked by a quantum computer in the future. Figure 7 shows the overall process.
3.1.1 Protocol Execution
Before the protocol execution, both parties share a public parameter $g$.
Step 1: The client randomly selects a secret parameter $\alpha$ and computes $g^\alpha$. After that, it employs the server's public key $pk_S$ to make the authentication message $Auth_C = E_{ID_S}[H(g^\alpha \,|\, ID_C \,|\, pw)]$. Then it sends $Auth_C$, $ID_C$ and $g^\alpha$ together to the server.
Step 2: After receiving $Auth_C$, the server employs its own private key $sk_S$ for decryption to verify the hash value. After passing the verification, the server randomly selects a secret parameter $\beta$ to compute $g^\beta$, then it can compute the shared session key $sk_S = g^{k_S}$. Finally, the server makes an

authentication message $Auth_S = g^{h(g^\alpha \,|\, g^\beta \,|\, ID_S \,|\, pw) + k_S}$ and sends it back to the client with $ID_S$ and $g^\beta$.
Step 3: After receiving $Auth_S$, the client first verifies it. If the verification is successful, the client can compute the shared session key $sk_C = g^{k_C} = g^{k_S} = sk_S$ to complete the authenticated key exchange of both parties.
Figure 2. Xun's Protocol
3.2 Anonymous Authentication Scheme based on NTRU for the Protection of Payment Information in NFC Mobile Environment
In 2013, Park et al. [19] proposed a mutual authentication mechanism based on the NTRU cryptosystem. This mechanism is built on the NFC mobile payment environment; it makes the bank and the customer perform mutual authentication to verify each other's identity to ensure the security of the transaction phase. In addition to verifying the identity of customers, it also allows customers to verify the bank. The authentication process can be divided into the following steps: (1) System parameters

setting, (2) User Registration Phase, (3) User Identity Proof Phase, (4) Bank Identity Proof Phase.
3.2.1 System Parameters Setting
• A: NFC mobile payment user
• B: Bank
• R: Polynomial ring
• Z: Set of integers
• N: Dimension of the polynomials, a prime
• $L_f$, $L_g$: Subsets of R
• p, q: Two large prime numbers where $\gcd(p, q) = 1$, $p > q$
• f, g: Private key polynomials ($f \in L_f$, $g \in L_g$)
• $f_p$, $f_q$: Inverse polynomials of f mod p and mod q
• $g_p$, $g_q$: Inverse polynomials of g mod p and mod q
• v: Public key polynomial
• I: User identity
• Cert: Certificate generated by the certificate authority
• H: Secure hash function
3.2.2 User Registration Phase
If a user wants to use the NFC mobile payment, he needs to register with the bank, and Figure 2 shows the overall process:
Step 1: The user picks $f_A$, $g_A$ from $L_f$, $L_g$, then computes the inverses $f_{Aq}$, $f_{Ap}$ and the public key $v_A$, where $v_A = p f_{Ap} * g_A \in \mathbb{Z}_q[x]/(x^N - 1)$.

Step 2: The user sends his identity IA and public key vA to the bank. The bank verifies the user's identity and, if the verification succeeds, generates a certificate Cert(IA, vA). Finally, the bank returns Cert(IA, vA) to the user and stores the user's information.

3.2.3 User Identity Proof Phase
After registration, the user lets the bank verify his identity; Figure 4 shows the overall process:

Step 1: The user picks a random polynomial rA, computes xA = gA * rA and transmits IA, vA, Cert(IA, vA) and xA to the bank.
Step 2: After receiving the data from Step 1, the bank verifies the integrity of Cert(IA, vA). If it passes, the bank picks a random polynomial eB from Le and sends it back to the user.
Step 3: The user computes yA = fA * rA * eB and returns yA to the bank.
Step 4: With (vA, xA, yA, eB), the bank verifies the user by checking whether yA * vA = xA * eB.
• Left side: yA * vA = (fA * rA * eB) * (fAq * gA) = gA * rA * eB
• Right side: xA * eB = (gA * rA) * eB = gA * rA * eB
If the user is legitimate the two sides are equal, indicating that the user

has passed the bank's verification. (Note that the expansion drops the factor p from vA; with vA = p · fAq * gA the equality holds only if xA or eB is also multiplied by p. The attack in Section 3.3 does not depend on this detail, because it reuses a transcript that already passed the check.)

3.2.4 Bank Identity Proof Phase
The bank lets the user verify its identity; Figure 5 shows the overall process:

Step 1: The bank picks a random polynomial rB, computes xB = gB * rB and transmits eB, IB, vB, Cert(IB, vB) and xB to the user.
Step 2: After receiving the data from Step 1, the user verifies the integrity of Cert(IB, vB). If it passes, the user picks a random polynomial eA from Le and sends it back to the bank.
Step 3: The bank computes yB = fB * rB * eA and returns yB to the user.
Step 4: With (vB, xB, yB, eA), the user verifies the bank by checking whether yB * vB = xB * eA.
• Left side: yB * vB = (fB * rB * eA) * (fBq * gB) = gB * rB * eA
• Right side: xB * eA = (gB * rB) * eA = gB * rB * eA
If the bank is legitimate the two sides are equal, indicating that the bank has passed the user's verification; this completes the mutual authentication.

Figure 3. User Registration Phase

Figure 4. User Identity Proof Phase

Figure 5. Bank Identity Proof Phase

3.3 Security Analysis of the NTRU-based Mutual Authentication Scheme
The mutual authentication mechanism proposed by Park et al. is based on the NTRU cryptosystem: the user and the bank authenticate each other with their public/private key pairs, certificates, authentication parameters and random polynomials. In the verification phase each side first checks the other's certificate and, if it passes, continues to exchange the authentication parameters and performs the final verification. Because a certificate is in general not limited to a single use, an attacker who intercepts it can mount an impersonation attack.

Tso et al. [20] proposed an attack on Park's mechanism. Assume an attacker A' who can eavesdrop on the communication between the user and the bank; A' then holds v, I, Cert(I, v), x, e and y. With this information the attacker can launch an impersonation attack; Figure 6 shows the overall process.

Step 1: The attacker A' computes xA' = xA * eB and sends IA, vA, Cert(IA, vA) and xA' to the bank.
Step 2: After receiving the data from Step 1, the bank verifies the integrity of Cert(IA, vA). If it passes, the bank selects a random polynomial eB' from Le and sends it back to the attacker.
Step 3: The attacker computes yA' = yA * eB' and returns it to the bank.
Step 4: With (vA, xA', yA', eB'), the bank authenticates the attacker by checking whether yA' * vA

= xA' * eB'.
• Left side: yA' * vA = (yA * eB') * (fAq * gA) = (fA * rA * eB * eB') * (fAq * gA) = gA * rA * eB * eB'
• Right side: xA' * eB' = xA * eB * eB' = (gA * rA) * eB * eB' = gA * rA * eB * eB'
The two sides are equal, so the attacker passes the bank's authentication and can impersonate the victim user A without knowing fA or rA. This can cause serious problems when the scheme is used for mobile e-commerce.

Figure 6. Impersonation Attack
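The identity proof of Section 3.2.3 and the transcript-reuse attack of Section 3.3, as an added Python example that is not part of the thesis or of Park's or Tso's papers. It is an assumption of the example that toy parameters N = 7, q = 257 and ternary polynomials stand in for Lf, Lg and Le, and that the public key is built as g = f * v (so v = f⁻¹ * g holds without computing an inverse and the factor p discussed above is omitted); the algebra of the check, and of the attack, is exactly the one written out in the two sections.

```python
import random

# Toy NTRU-style ring Z_q[x]/(x^N - 1); N = 7 and q = 257 are constructed for this
# example. Real NTRU uses N in the hundreds and a much larger q.
N = 7
Q = 257


def mul(a, b):
    """Multiply two polynomials in Z_q[x]/(x^N - 1) (cyclic convolution)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % N] = (res[(i + j) % N] + ai * bj) % Q
    return res


def ternary(rng):
    """Random polynomial with coefficients in {-1, 0, 1}; stands in for Lf, Lg, Le."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def keygen(rng):
    """Private key (f, g), public key v with f * v = g.

    Assumption for brevity: pick v first and set g = f * v, which yields the same
    relation v = f^{-1} * g that the verification relies on, without inverting f.
    """
    f = ternary(rng)
    v = [rng.randrange(Q) for _ in range(N)]
    g = mul(f, v)
    return (f, g), v


def prover_commit(priv, rng):
    """Step 1: x = g * r for a fresh random r (the user keeps r)."""
    f, g = priv
    r = ternary(rng)
    return r, mul(g, r)


def prover_respond(priv, r, e):
    """Step 3: y = f * r * e for the verifier's challenge e."""
    f, g = priv
    return mul(mul(f, r), e)


def verify(v, x, y, e):
    """Step 4: accept iff y * v == x * e in the ring."""
    return mul(y, v) == mul(x, e)


def honest_session(priv, v, rng):
    """One legitimate identity proof; returns (accepted, transcript (x, e, y))."""
    r, x = prover_commit(priv, rng)
    e = ternary(rng)                  # bank's challenge
    y = prover_respond(priv, r, e)
    return verify(v, x, y, e), (x, e, y)


def impersonate(v, transcript, rng):
    """Tso et al.'s attack: reuse an eavesdropped (x, e, y), knowing neither f nor r."""
    x, e, y = transcript
    x2 = mul(x, e)                    # attacker's commitment x' = x * e
    e2 = ternary(rng)                 # bank's fresh challenge e'
    y2 = mul(y, e2)                   # attacker's response y' = y * e'
    return verify(v, x2, y2, e2)      # y' * v = g r e e' = x' * e'


def demo(seed=1):
    """Returns (honest user accepted, attacker with only the transcript accepted)."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    accepted, transcript = honest_session(priv, pub, rng)
    return accepted, impersonate(pub, transcript, rng)


if __name__ == "__main__":
    print("honest, attacker:", demo())
```

Both results are True for every seed, because the bank's check is an identity in a commutative ring that holds for any x', y' obtained by multiplying a valid pair by the same factor; the fix has to bind the commitment to the fresh challenge (or make the certificate single-use), not to strengthen the ring arithmetic.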

3.4 A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem
In 2012, Ding et al. [21] proposed a lattice-based key exchange. Its security rests on the LWE problem on lattices, so it resists attacks by quantum computers. They also designed a method that lets two parties holding two close (but not identical) values derive the same value, which is then used to establish a shared session key. However, the protocol provides no mutual authentication, so it is vulnerable to man-in-the-middle and other active attacks. Figure 7 shows the overall process.

3.4.1 Protocol Execution
Before the protocol is executed, both parties share a public parameter m.
Step 1: Partyi randomly selects the secret parameters si, ei, computes pi = m si + 2ei and sends pi to Partyj.
Step 2.1: After receiving the message from Step 1, Partyj randomly selects the secret parameters sj, ej and computes pj = m sj + 2ej. It then chooses a random parameter ej' and computes the key element Kj = pi sj + 2ej' from the received pi and its secret sj.
Step 2.2: Partyj inputs Kj into the signal function Sig() to get σj = Sig(Kj), then inputs Kj and σj into Extr() to get the shared session key skj = Extr(Kj, σj). Finally, Partyj sends pj and σj back to Partyi.
Step 3: Partyi chooses a random parameter ei' and computes the key element Ki = pj si + 2ei' from the received pj and its secret si, then inputs Ki and σj into Extr() to

get the shared session key ski = Extr(Ki, σj) = Extr(Kj, σj) = skj, which completes the (unauthenticated) key exchange between the two parties.

Figure 7. Ding's Protocol

3.5 Authenticated Key Exchange from Ideal Lattices
To improve on Ding's method, Zhang et al. [22] proposed a new lattice-based key exchange with an authentication mechanism in 2015. Their protocol reuses the parameter extraction method proposed by Ding and uses the participants' public/private keys to achieve implicit authentication, i.e. authentication without the help of encryption or certificates. The security of Zhang's protocol is also based on the LWE problem, like Ding's, and with the added authentication mechanism it resists not only attacks by quantum computers but also passive and active attacks. However, we think that in the client/server model the clients do not need to keep their own public/private key pairs: they can use the shared password for mutual authentication with the server, which removes the burden of key-pair management on the client side. Figure 8 shows the overall process.

3.5.1 Protocol Execution
Before the protocol is executed, both parties share a public parameter a.
Step 1: Partyi randomly selects the secret parameters ri, fi, computes Xi = a ri + 2fi and sends Xi to Partyj.
Step 2.1: After receiving the message from Step 1, Partyj randomly selects the secret parameters rj, fj and computes Yj = a rj + 2fj. It then chooses a random parameter gj and computes the key element Kj = (pi c + Xi)(sj d + rj) + 2c gj from the received Xi, Partyi's public key pi and its own private key sj, where c = H(i, j, Xi) and d = H(i, j, Xi, Yj).
Step 2.2: Partyj inputs Kj into the signal function Cha() to get wj = Cha(Kj), then inputs Kj and wj into Mod2() to get the key parameter σj = Mod2(Kj, wj). Finally, Partyj computes the shared session key skj = H(i, j, Xi, Yj, wj, σj) and sends Yj and wj back to Partyi.
Step 3: Partyi chooses a random parameter gi and computes the key element Ki = (pj d + Yj)(si c + ri) + 2d gi from the received Yj, Partyj's public key pj and its own private key si, then inputs Ki and the received wj into Mod2() to get the key parameter σi = Mod2(Ki, wj). Finally, Partyi computes the shared session key ski = H(i, j, Xi, Yj, wj, σi) = H(i, j, Xi, Yj, wj, σj) = skj, which completes the authenticated key exchange between the two parties.

Figure 8. Zhang's Protocol

3.6 Key Exchange
A key exchange is a protocol that lets the two communicating parties share a secret session key that nobody other than the participants can learn. The best-known key exchange was proposed by Whitfield Diffie and Martin Hellman in 1976 (the Diffie-Hellman key exchange) and became the basis of many key exchange protocols. However, the D-H key exchange provides no authentication, so it can be attacked by a man-in-the-middle or other active attacks. A secure key agreement must therefore ensure that nobody other than the participants can learn the parameters from which the key is generated during the exchange, and that all participants hold the same key once the exchange is finished. The following basic security requirements must be satisfied:
• Known session key security: even if an attacker obtains the current session key, he cannot derive keys used in the past or keys that will be generated in the future.

• Forward and backward secrecy: even if an attacker obtains the password, the keys produced before remain secure.
• Off-line dictionary attack resistance: the public messages leak no information about the password.
• Impersonation attack resistance: an attacker cannot pose as a legitimate user to communicate with another party.
• Man-in-the-middle attack resistance: an attacker cannot relay and alter the communication between two parties who believe they are communicating directly with each other.

3.7 Implicit Key Authentication vs. Explicit Key Authentication
An implicit key exchange assumes that the identities of the communicating participants are legitimate; they only need to follow the protocol to obtain a shared session key. The well-known DH exchange is an implicit key exchange, but it provides no authentication, so the participants cannot verify each other's identity and may face a man-in-the-middle attack. Among the related work above, Zhang's protocol also belongs to the implicit key exchanges, but it does have authentication. Their protocol transmits no identity information, but in the session key generation the key parameters Kj = (pi c + Xi)(sj d + rj) + 2c gj and Ki = (pj d + Yj)(si c + ri) + 2d gi include the other party's public key p = a s + 2e, where s is the corresponding private key. An attacker can intercept the public key and forge a message to attempt an impersonation attack, but without the private key s he cannot obtain

the correct key parameter or the session key. However, since the transmitted messages carry no information about the participants' identities, the parties cannot directly tell whom they are communicating with, and additional steps are needed to ensure that both participants hold the same shared session key after the exchange.

Explicit key authentication means that the participants transmit identity information, so they can use it to verify each other's identity. Compared with implicit key authentication, explicit authentication lets a party know directly whom it is communicating with. Our scheme belongs to explicit key authentication: the participants transmit authentication messages that are bound to the shared password.

Chapter 4 Proposed Scheme
In this chapter we introduce our scheme, which is divided into the system parameters setting phase, the protocol execution phase and the correctness of the parameters.

4.1 Architecture
We propose a password-based authenticated key exchange from lattices for the client/server model. The client only has to remember the password shared with the server, while the server records the password in addition to its own public/private key pair. The two parties use the shared password for mutual authentication and accomplish the key exchange within two message transmissions. The security is based on LWE over lattices, and explicit authentication is performed with the help of the server's public key, so the scheme resists attacks by quantum computers. Figure 9 shows the overall process.

4.1.1 System Parameters Setting
• n is a power of 2
• q is a prime greater than 8 satisfying q mod 2n = 1
• Rq = Zq[X]/(Xn + 1) is the polynomial ring modulo q
• χ is the discrete Gaussian distribution over Rq
• γ is the standard deviation of χ
• pw is the password shared by the client and the server
• g is the public parameter shared by both parties
• (pkS, PriKeyS) is the public/private key pair of the server
• IDC, IDS are the identity information of the client and the server

• Tcur is the current time
• TS is a timestamp

4.1.2 Protocol Execution
Step 1: The client randomly selects the secret parameters fC, α and a Nonce from the distribution χ, and computes the authentication parameter X = gα + 2fC. It then uses pkS to form AuthC = EpkS[H(X | IDC | pw | Nonce | TS1), Nonce] and sends AuthC, IDC, X and TS1 to the server.
Step 2.1: Steps 2.1 to 2.3 are performed by the server. After receiving AuthC, the server first compares the timestamp TS1 with the current time Tcur; if the gap exceeds the limit ΔT, the server rejects the request. Otherwise, the server decrypts AuthC with its private key PriKeyS, obtains the Nonce and verifies the hash value. After the verification passes, the server randomly selects the secret parameters β and fS and computes the authentication parameter Y = gβ + 2fS.
Step 2.2: The server uses the received X, β and a random element rS to compute KS = Xβ + 2rS. It then computes wS = Sig(KS) and the key element ρS = Extr(KS, wS). Finally, the shared key is skS = H(IDC | IDS | X | Y | wS | Nonce | ρS).
Step 2.3: The server generates AuthS = H(Y | IDS | pw | wS | Nonce + 1 | TS2) and sends it back to the client together with IDS, Y, wS and TS2.
Step 3: After receiving AuthS, the client first compares the timestamp TS2 with the current time Tcur; if the gap exceeds the limit ΔT, the client rejects

the response. Otherwise the client verifies AuthS. If the verification succeeds, the client selects a random element rC, computes KC = Yα + 2rC and uses KC and wS to obtain the key element ρC = Extr(KC, wS). In the end both parties hold the key skC = H(IDC | IDS | X | Y | wS | Nonce | ρC) = skS, which completes the authenticated key exchange.

Figure 9. Our Scheme

4.1.3 Password Update
If the client wants to update the shared password, he or she encrypts the new password under the established session key and sends it to the server. After receiving the encrypted message, the server decrypts it with the shared session key, obtains the new password and records it. Both parties have then completed the password update and must revoke the current session key.
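The message flow of Section 4.1.2 together with Ding's Sig/Extr reconciliation from Section 3.4 (the same mechanism Zhang calls Cha/Mod2 in Section 3.5), as an added Python example that is not part of the thesis or its Java implementation. Assumptions of the example: toy parameters n = 8 and q = 193 (193 ≡ 1 mod 16, odd and greater than 8) in place of the thesis's n = 256..2048, q = 40961; ternary coefficients in place of samples from the discrete Gaussian χ; SHA-256 as H; placeholder identities; integer timestamps; and the public-key encryption EpkS of AuthC is omitted, so in this example the Nonce travels in the clear and AuthC protects only the binding to X and pw. The tolerance check at the end tests the reconciliation bound exhaustively over Zq.

```python
import hashlib
import random

# Toy parameters, constructed for the example: R_q = Z_q[X]/(X^n + 1), n = 8, q = 193.
N = 8
Q = 193
DELTA_T = 5                                   # timestamp tolerance ΔT (example value)
ID_C, ID_S = "client@example", "server@example"   # placeholder identities


def centered(v):
    """Representative of v mod q in Z_q = {-(q-1)/2, ..., (q-1)/2}."""
    return (v + (Q - 1) // 2) % Q - (Q - 1) // 2


def ring_mul(a, b):
    """Multiply in Z_q[X]/(X^n + 1): X^n = -1, so wrapped-around terms change sign."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [centered(c) for c in res]


def plus_twice(a, b):
    """a + 2b in R_q (the 'gα + 2f' and 'Xβ + 2r' shape of the scheme)."""
    return [centered(x + 2 * y) for x, y in zip(a, b)]


def sig(x):
    """Signal function: 0 if x lies in E = {-floor(q/4), ..., floor(q/4)}, else 1."""
    return 0 if abs(centered(x)) <= Q // 4 else 1


def extr(x, s):
    """Robust extractor: parity of the centered value of x + s*(q-1)/2 mod q."""
    return centered(x + s * (Q - 1) // 2) % 2


def small_poly(rng):
    """Stand-in for a sample from χ (ternary coefficients instead of a discrete Gaussian)."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def H(*parts):
    """H(a|b|...) as SHA-256 over the '|'-joined string encoding of the parts."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


def client_step1(pw, g, ts1, rng):
    alpha, f_c = small_poly(rng), small_poly(rng)
    nonce = rng.randrange(1 << 32)
    X = plus_twice(ring_mul(g, alpha), f_c)                     # X = gα + 2f_C
    auth_c = H(X, ID_C, pw, nonce, ts1)
    # In the scheme (auth_c, nonce) is encrypted under pk_S; that layer is omitted here.
    return {"alpha": alpha, "nonce": nonce, "X": X}, {"auth": auth_c, "id": ID_C, "X": X, "ts": ts1, "nonce": nonce}


def server_step2(pw, g, msg, t_cur, rng):
    """Steps 2.1-2.3; returns (sk_S, reply) or (None, None) if the request is rejected."""
    if abs(t_cur - msg["ts"]) > DELTA_T:
        return None, None                                       # stale timestamp
    if H(msg["X"], msg["id"], pw, msg["nonce"], msg["ts"]) != msg["auth"]:
        return None, None                                       # wrong password or tampered X
    beta, f_s, r_s = small_poly(rng), small_poly(rng), small_poly(rng)
    Y = plus_twice(ring_mul(g, beta), f_s)                      # Y = gβ + 2f_S
    K_s = plus_twice(ring_mul(msg["X"], beta), r_s)             # K_S = Xβ + 2r_S
    w = [sig(c) for c in K_s]                                   # w_S = Sig(K_S)
    rho = [extr(c, s) for c, s in zip(K_s, w)]                  # ρ_S = Extr(K_S, w_S)
    sk = H(msg["id"], ID_S, msg["X"], Y, w, msg["nonce"], rho)
    auth_s = H(Y, ID_S, pw, w, msg["nonce"] + 1, t_cur)
    return sk, {"auth": auth_s, "id": ID_S, "Y": Y, "w": w, "ts": t_cur}


def client_step3(pw, state, reply, t_cur, rng):
    """Step 3; returns sk_C, or None if the timestamp or Auth_S check fails."""
    if abs(t_cur - reply["ts"]) > DELTA_T:
        return None
    if H(reply["Y"], reply["id"], pw, reply["w"], state["nonce"] + 1, reply["ts"]) != reply["auth"]:
        return None
    K_c = plus_twice(ring_mul(reply["Y"], state["alpha"]), small_poly(rng))  # K_C = Yα + 2r_C
    rho = [extr(c, s) for c, s in zip(K_c, reply["w"])]         # ρ_C = Extr(K_C, w_S)
    return H(ID_C, reply["id"], state["X"], reply["Y"], reply["w"], state["nonce"], rho)


def run(client_pw, server_pw, seed=1, clock_skew=0, tamper=False):
    """Full exchange; returns (sk_C, sk_S). tamper=True corrupts Auth_S on the wire."""
    rng = random.Random(seed)
    g = [rng.randrange(Q) for _ in range(N)]                    # public parameter g
    state, msg = client_step1(client_pw, g, 1000, rng)
    sk_s, reply = server_step2(server_pw, g, msg, 1000 + clock_skew, rng)
    if reply is None:
        return None, None
    if tamper:
        reply["auth"] = reply["auth"][::-1]
    return client_step3(client_pw, state, reply, 1000 + clock_skew, rng), sk_s


def reconciliation_holds(max_even_offset):
    """Exhaustively check Extr(y + 2ε, Sig(y)) == Extr(y, Sig(y)) for all y and |2ε| <= bound."""
    for y in range(Q):
        s = sig(y)
        for two_eps in range(-max_even_offset, max_even_offset + 1, 2):
            if extr(y + two_eps, s) != extr(y, s):
                return False
    return True
```

With these parameters the coefficients of KC − KS = 2(αfS + rC − βfC − rS) are bounded by 2·(8 + 1 + 8 + 1) = 36 in absolute value, below the bound q/4 − 2 = 46 of Section 4.2, so the two sides always reconcile to the same ρ and the same session key; a wrong password is rejected by the server at AuthC, and a corrupted AuthS is rejected by the client before any key is output.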

Figure 10. Password Update Phase

4.2 Correctness
Our protocol uses the parameter extraction method proposed by Ding et al. [21] to establish the shared secret session key. This is achieved by two functions, Sig and Extr, whose definitions follow.

4.2.1 Signal Function
Suppose q is a prime greater than 2, $Z_q = \{-\frac{q-1}{2}, \ldots, \frac{q-1}{2}\}$ and $E = \{-\lfloor \frac{q}{4} \rfloor, \ldots, \lfloor \frac{q}{4} \rfloor\}$. The signal function Sig(x) is defined as

$$\mathrm{Sig}(x) = \begin{cases} 0, & x \in E \\ 1, & \text{otherwise.} \end{cases}$$

4.2.2 Robust Extractor
Suppose q is an odd number greater than 8. The function Extr() is defined as

$$\mathrm{Extr}(x, \sigma) = \left( x + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2, \quad \sigma = \mathrm{Sig}(x).$$

Given two elements $x, y \in Z_q$ with $x - y = 2\varepsilon$ and $|2\varepsilon| \le \frac{q}{4} - 2$, and $\sigma = \mathrm{Sig}(y)$, the following holds:

$$\begin{aligned}
\mathrm{Extr}(x, \sigma) &= \left( x + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2 \\
&= \left( y + \sigma \cdot \frac{q-1}{2} + 2\varepsilon \bmod q \right) \bmod 2 \\
&= \left( \left( y + \sigma \cdot \frac{q-1}{2} \bmod q \right) + 2\varepsilon \right) \bmod 2 \\
&= \left( y + \sigma \cdot \frac{q-1}{2} \bmod q \right) \bmod 2 \\
&= \mathrm{Extr}(y, \sigma).
\end{aligned}$$

We now prove two facts: (1) why two close values with error tolerance $|2\varepsilon| \le \frac{q}{4} - 2$ are mapped to the same value, and (2) how to select the parameters so that the error tolerance is satisfied.

Proof 1 [21]. First we need $\left| y + \sigma \cdot \frac{q-1}{2} \bmod q + 2\varepsilon \right| \le \frac{q}{2} - 1$, i.e. adding $2\varepsilon$ to $y + \sigma \cdot \frac{q-1}{2} \bmod q$ must not wrap around in $Z_q$. Second, from the definition of Sig, $\left| y + \sigma \cdot \frac{q-1}{2} \bmod q \right| \le \frac{q}{4} + 1$. Combining the two inequalities, $\left| y + \sigma \cdot \frac{q-1}{2} \bmod q + 2\varepsilon \right| \le \frac{q}{4} + 1 + |2\varepsilon| \le \frac{q}{2} - 1$, which gives $|2\varepsilon| \le \frac{q}{4} - 2$.

Lemma 1 [26]. For any $s \ge \omega(\sqrt{\log n})$,
$$\Pr_{\mathbf{x} \leftarrow D_{\mathbb{Z}^n, s}}\left[\|\mathbf{x}\| > s\sqrt{n}\right] \le 2^{-n}.$$

Proof 2. This proof shows the correctness of the proposed scheme. First, the key parameters KC and KS of our scheme expand as follows:
$$\begin{aligned}
K_C &= Y\alpha + 2r_C = (g\beta + 2f_S)\alpha + 2r_C = g\alpha\beta + 2(\alpha f_S + r_C), \\
K_S &= X\beta + 2r_S = (g\alpha + 2f_C)\beta + 2r_S = g\alpha\beta + 2(\beta f_C + r_S).
\end{aligned}$$
The difference between KC and KS is therefore
$$K_C = K_S + 2(\alpha f_S + r_C - \beta f_C - r_S),$$
where α, β, f and r are sampled from the distribution $\chi_\gamma$, so by Lemma 1 we obtain
$$\|2(\alpha f_S + r_C - \beta f_C - r_S)\| \le 8n\gamma^2 \le \frac{q}{4} - 2.$$
Selecting the parameters n = λ, q = λ^4 and γ = λ satisfies the inequality above (which holds for λ ≥ 33).

Chapter 5 Security Analysis
In this chapter we refer to the PAKE security models of Xun et al. [10], Bellare et al. [27] and Katz et al. [8] to analyse the security of our scheme. We first define the oracles an adversary may use to attack the communication, so that we can analyse whether vulnerabilities exist in our scheme. Next we define the advantage of the adversary. Finally, we set up several experiments that simulate attacks and prove the security of our scheme.

The password of each session and the public/private key pair of each server are independent and randomly generated in our scheme. Without loss of generality, we only give the proof for the communication between one user and one server. Ci and Si denote the client and the server in the i-th communication, i.e. C and S in state i.

5.1 Oracle Definitions
Suppose an adversary A controls all communication channels of the protocol and may query the following oracles:
Send(Ui, M): the adversary sends the specified message M to U and intercepts the message U returns (U may be the client or the server).
Execute(Ci, Si): the adversary lets the user execute the i-th communication with the server and intercepts the resulting messages.
Corrupt(C): the adversary obtains the previous password from the client.
Corrupt(S): the adversary obtains the private key from the server, which is equivalent to obtaining the previous password from the server.

Reveal(Ui): the adversary obtains the session key from either communicating party.
Test(Ui): the adversary tests the security of U through this oracle's output, which is controlled by a random bit b ∈ {0, 1}. If b = 0 the adversary receives the real session key sk, and if b = 1 it receives a random session key sk'.

5.2 Advantage of the Adversary
We use the adversary's guess at the bit b of Test(Ui) to determine whether it successfully attacks the i-th protocol execution, but the state of U must be fresh, i.e. U must not have been queried through certain oracles. We therefore define freshness before the experiments.

5.2.1 Fresh Definition
A state is fresh if the following two conditions hold:
(1) The adversary never queried Reveal(C) or Reveal(S) to obtain the session key.
(2) The adversary never queried Corrupt(C) or Corrupt(S) to obtain the password from the client or the private key from the server.

5.2.2 Succ Definition
Here we define the successful attack state of the adversary. Suppose an adversary tries to attack the protocol; it wins if all of the following rules are satisfied:
(1) The adversary queried Test(Ui) only once during the protocol.
(2) When the adversary queried Test(Ui), the i-th protocol execution had finished and the session key had been generated.

(3) U is fresh.
(4) The adversary's guess b' for the bit of Test(Ui) satisfies b' = b, i.e. the adversary identified the right session key.
If all the rules above are satisfied, the event is defined as Succ, and its probability is written PrA^P[Succ].

5.3 Experiment Definitions
We analyse the security of our protocol by giving the adversary oracle access in a sequence of experiments. Each experiment below keeps the setting of the previous one and makes some changes.

In each experiment the advantage of the adversary is AdvA^P(k) = 2 PrA^P[Succ] − 1. If PrA^P[Succ] equals the probability of a coin toss, 1/2, no secret is leaked during the communication and the key exchange is safe.

Experiment P0: We define the real execution of the protocol as experiment P0. The adversary can query any oracle against our protocol.

Experiment P1: In experiment P1, the oracle-generated messages msgC = (IDC, X, AuthC) and msgS = (IDS, Y, wS, AuthS) and the hash function must satisfy the

following two properties:
(1) The messages msgC and msgS are never repeated, i.e. for i ≠ j, msgCi ≠ msgCj and msgSi ≠ msgSj.
(2) The hash function has no collisions, i.e. it is a cryptographically collision-resistant hash function.
P0 does not enforce these properties, but there is only a very small chance that a message repeats or that a hash collision occurs. The parameters in msg are generated as X = gα + 2fC and Y = gβ + 2fS with α, β and f sampled randomly from χ, so the probability of a repeated message is close to 0, and the probability of a collision in a standard hash function is also close to 0. The adversary therefore cannot distinguish P0 from P1, and the difference |AdvA^P0(k) − AdvA^P1(k)| is negligible.

Experiment P2: In experiment P2, when the adversary A queries Execute(Ci, Si), the parameter KS = Xβ + 2rS is replaced by a uniformly random value KS' from Rq. If KS is an LWE sample, what A obtains is exactly as in P1; if KS is uniformly random in Rq, what A obtains is exactly as in P2. Hence if A can distinguish P1 from P2, it can also solve the decision LWE problem, so the difference |AdvA^P1(k) − AdvA^P2(k)| is negligible. Since KS' is random, ρS' = Extr(KS', wS') is also random, and the session key sk' derived from it is unrelated to the correct KS.

Claim: If the adversary A queries Corrupt(Ui) to obtain the previous password pwi−1, then, since the session key generation and the password are independent by the argument above, the adversary can obtain neither the current session key ski nor the new password pwi+1 sent during the password update phase. Hence the oracle Corrupt(Ui) gives the adversary no advantage.

Experiment P3: In experiment P3, when the adversary A queries Execute(Ci, Si) to obtain the session key skC = H(IDC | IDS | X | Y | wS | Nonce | ρC) = H(IDC | IDS | X | Y | wS | Nonce | ρS) = skS, the Nonce is replaced by a random value Nonce'. If A can distinguish sk from sk' using msgC = (IDC | X | EpkS[H(X | IDC | pw | Nonce), Nonce]), it can break the semantic security of the public-key cryptosystem. Hence the difference |AdvA^P2(k) − AdvA^P3(k)| is negligible.

Experiment P4: In experiment P4 we redefine the successful attack state of the adversary. We first classify the messages coming from the adversary:
(1) oracle-generated: a message is called oracle-generated if it was answered by an oracle and generated according to the protocol specification.
(2) adversary-generated: a message is called adversary-generated if it was chosen by the adversary.
Experiment P4 is only redefined for case (2).

We split the Send oracle into Send1(S, msgC) and Send2(C, msgS) according to the two transmissions of the protocol. If msgC is adversary-generated and passes the authentication, it is said to be valid, which means the adversary holds the correct password; if msgS is adversary-generated and passes the authentication, it is likewise said to be valid. Both cases count as successful attacks; otherwise the definition in P3 decides whether the attack succeeded. The advantage in P4 is therefore at least that in P3: AdvA^P3(k) ≤ AdvA^P4(k).

Experiment P5: Experiment P5 keeps the definition of a successful attack from P4. When the adversary A queries Send1(S, msgC) to obtain msgC = (IDC | X | EpkS[H(X | IDC | pw | Nonce), Nonce]), the password pw is replaced by a random value pw'. If the cryptosystem we use is semantically secure, the adversary cannot recover the correct pw from AuthC = EpkS[H(X | IDC | pw | Nonce), Nonce]. Hence the difference |AdvA^P4(k) − AdvA^P5(k)| is negligible.

Experiment P6: In experiment P6, when the adversary A queries Execute(Ci, Si) to obtain the authentication message AuthS = H(Y | IDS | pw | wS | Nonce + 1), the password pw is replaced by a random value pw''. If the cryptosystem we use is semantically secure, the adversary cannot recover the correct session key sk from AuthS and msgC = (IDC | X | EpkS[H(X | IDC | pw | Nonce), Nonce]). Hence the difference |AdvA^P5(k) − AdvA^P6(k)| is negligible.

The relationship between the adversary's advantages from P0 to P6 is therefore AdvA^P0..P5(k) ≤ AdvA^P6(k) up to negligible terms: if the advantage in the last experiment P6 is negligible, the advantage in every previous experiment is negligible too. Finally, we show that AdvA^P6(k) is negligible. From the proofs above, the probability of a successful attack in P6 is PrA^6[Succ] = 1/2, i.e. even if the adversary queries the oracles for the secret parameters of our protocol, it achieves only the success probability of a random guess. Hence the advantage of the adversary in the last experiment is AdvA^6(k) = 2 PrA^6[Succ] − 1 = 0, which means our protocol discloses no confidential information to the adversary during the communication and is safe.

5.4 NTRU
The public-key cryptosystem used in our protocol is NTRU, which we introduced in Section 2.4 and which was standardised as IEEE P1363.1 in 2008. Stehlé et al. [28] proposed a modified version of NTRU in 2011: they replaced the SVP on which the original security rests by LWE and modified the key generation. In the original NTRU the private key consists of two polynomials of degree less than n with coefficients in {−1, 0, 1}, and the public key is their quotient. Stehlé et al. observe that keys restricted to such a small range do not achieve the desired randomness; to make the public/private key pair distribution statistically close to uniform, they sample the private key polynomials from a discrete Gaussian with the standard deviation used in LWE. This provides a higher security level than the original NTRU.

Nowadays the original NTRU is still used in most experimental studies, so this thesis also uses the original version in its experiments. We refer to several works on NTRU and other public-key cryptosystems to compare their performance and security. Table 1 shows that NTRU outperforms the other cryptosystems at the same security level.

Table 1. Analysis of NTRU with Other Public Key Cryptosystems
• Ops/Sec: operations per second

5.5 Comparison with Related Works
In this section we compare our scheme with related work on several criteria. The papers [10], [21] and [22] are the main references for our scheme, [18] is another lattice-based PAKE, and [9] is a secure PAKE based on the discrete logarithm problem, so we use these papers as comparison objects. The comparison criteria are (1) the hard problem on which security is based, (2) authentication, (3) the number of communication rounds and (4) whether a public/private key pair is required.

Table 2. Comparison with Related Works

Chapter 6 Experimental Results
In this chapter we show the results of our scheme: a program simulates the communication between the client and the server, and at the end both obtain the same secret session key. Figures 11 to 17 show the results.
PC environment:
• OS: macOS Sierra 10.12.2
• CPU: Intel i5 2.5 GHz, 4 cores
• RAM: 10 GB
• Programming language: Java
• Development tools: Eclipse Neon.3 Release (4.6.3), Android Emulator
Mobile simulator environment:
• Mobile phone model: LG Nexus 5X
• OS: Android 7.1.1
• CPU: Qualcomm Snapdragon 808 1.8 GHz, 6 cores
• RAM: 2 GB
Parameter setting:
• q = 40961
• n = 256, 512, 1024, 2048

Figure 11. The parameters in the scheme (n = 256)

Figure 12. The parameters in the scheme (n = 512)

Figure 13. The parameters in the scheme (n = 1024)

Figure 14. The parameters in the scheme (n = 2048)

Figure 15. Client Interface (PC)

Figure 16. Client Interface (Mobile Simulator)

Figure 17. Server Interface

Chapter 7 Conclusion
In this thesis we proposed a PAKE scheme for the client/server model. The new scheme is a lattice-based PAKE, so its security does not rest on the discrete logarithm or factoring problems on which traditional schemes were proven secure. Unlike previous protocols in which users keep their own public and private keys, the only secret registered for authentication is the user's password, which reduces the burden of key management on the client side. Importantly, the scheme is designed to remain secure against adversaries with powerful computing devices such as future quantum computers, and it is completed within two message transmissions. It is thus a safe and efficient password-based authenticated key exchange, and we believe the new scheme can be beneficial in practice.

