Abstract

In ubiquitous networks, mobile nodes can obtain a roaming service that enables them to access the services extended by their home networks while they are in the field of a foreign network. To provide secure and anonymous communication for legal mobile users in roaming services, there should be mutual authentication between the mobile user and the foreign agent with the help of the home agent. Many roaming authentication schemes have been proposed; however, with the progress of quantum computation, quantum attacks pose security threats to many traditional public key cryptography-based authentication schemes, so antiquantum roaming authentication schemes need to be investigated. On account of the limited computational resources of mobile nodes, a lightweight anonymous and antiquantum authentication scheme needs to be developed to enable mobile nodes to roam across multiple service domains securely and seamlessly. In consideration of the antiquantum advantages of lattices, an NTRU-based authentication scheme with provable security and conditional privacy preservation is proposed to remedy these security weaknesses. Compared with the existing schemes, the proposed scheme not only improves efficiency but also resists quantum attacks.

1. Introduction

With the advance of wireless Internet access technology [1] and the popularity of smart mobile devices, the ubiquitous network has been widely used in our daily life, providing people with a more convenient life. The ubiquitous network enables people to access network services, such as online shopping and mobile payment. However, mobile devices are exposed to various security and privacy challenges in the ubiquitous network environment due to its inherent openness and their limited computation capability. For instance, an attacker can intercept the transmitted data and then analyze or tamper with these data, which would cause user data pollution and privacy leakage [2].

Authentication is an essential security technique for keeping attackers out of the roaming service of the ubiquitous network, and great efforts have been made in this field in the past years. However, most of the existing authentication schemes [3–23] are built using conventional cryptographic approaches. It is widely believed that such primitives cannot resist quantum attacks. For instance, discrete logarithm problems and factorization problems can be solved using the polynomial time algorithm proposed by Shor [24]. In addition, the computation cost or communication cost of the existing authentication schemes is relatively high, which makes many of these schemes impractical for wireless networks, since most of them are equipped with resource-constrained devices [25–29]. Therefore, it is of great significance to design efficient and antiquantum roaming authentication schemes. However, the openness and dynamic nature of the ubiquitous network make it extremely challenging to design a secure and effective roaming authentication protocol.

1.1. Related Work

In recent years, many roaming authentication protocols [5–23, 30–36] have been proposed to achieve secure information acquisition for mobile users with smart cards in the ubiquitous network. In 2004, a roaming authentication protocol for the ubiquitous network was proposed by Zhu and Ma [5], which aims to preserve the privacy of mobile users. However, Lee et al. [6] proved that the protocol of Zhu and Ma [5] fails to provide backward security and cannot resist forgery attacks. To eliminate these defects, an improved roaming authentication protocol was proposed by Lee et al. [6]. Later, Wu et al. [7] pointed out that user anonymity cannot be preserved in the protocols of Zhu and Ma [5] and Lee et al. [6], and that the latter also fails to guarantee backward security. To remedy the abovementioned shortcomings, Wu et al. [7] proposed an improved scheme. In 2012, Mun et al. [8] demonstrated that user anonymity and perfect forward security are not achieved in Wu et al. [7], and then proposed an enhanced authentication protocol to remedy these weaknesses. Unfortunately, Kim and Kwak [9] found that the scheme of Mun et al. [8] is vulnerable to replay attacks and man-in-the-middle attacks. In addition, Zhao et al. [10] also pointed out that Mun et al. [8] is vulnerable to various attacks.

In 2011, a lightweight anonymous authentication protocol for roaming service was proposed by He et al. [11]. However, in 2013, Jiang et al. [12] showed that the scheme of He et al. [11] cannot resist various attacks such as offline password guessing and replay attacks, and proposed an enhanced anonymous authentication scheme to address these problems. A subsequent study by Wen et al. [13] showed that the scheme of Jiang et al. [12] is vulnerable to replay attacks and cannot provide forward security. In 2014, an authentication scheme based on elliptic curves was proposed by Kuo et al. [14] to achieve anonymity. However, Lu et al. [15] proved that the protocol of Kuo et al. [14] has many security problems, such as vulnerability to internal attacks, and Zhang et al. [21] also found that Kuo et al. [14] may leak the secret value of the mobile terminal MU. Subsequently, Xu et al. [22] and Srinivas [23] pointed out that the scheme of Zhang et al. [21] is vulnerable to offline guessing attacks and replay attacks and cannot guarantee user anonymity.

In 2015, Farash et al. [16] pointed out that the scheme of Wen et al. [13] is vulnerable to offline guessing attacks and forgery attacks. Then, Farash et al. [16] and Gope and Hwang [17], respectively, proposed enhanced anonymous roaming authentication schemes to resist various attacks in ubiquitous networks. However, Wu et al. [18] showed that there are many security defects in Farash et al. [16] and Gope and Hwang [17], and that the session keys of their schemes can be exposed to HA. In addition, Chaudhry et al. [19] also pointed out some security risks in Farash et al. [16], such as the inability to guarantee user anonymity and the leakage of the mobile user's session key. In 2017, Xie et al. [35] designed the first roaming authentication scheme that takes advantage of chaotic maps for key agreement in the ubiquitous network. Subsequently, in 2019, Ostad-Sharif et al. [33] found that Xie et al. [35] cannot resist the known session-specific information attack. In 2018, Lee et al. [20] claimed that Chaudhry et al. [19] is vulnerable to many attacks such as user forgery attacks and device theft attacks [37–40]. Then, Lee et al. [20] proposed an improved biometric-based [40, 41] authentication scheme for roaming in ubiquitous networks. They claimed that their scheme is secure against the various known attacks, provides conditional anonymity [37, 39, 42–46], and is lightweight compared with the earlier scheme. In 2019, Lu et al. [34] found some weaknesses in the authentication scheme for roaming users of Gope and Hwang [36], proposed a new roaming user authentication scheme using ECC, and claimed that their proposal extends the required security features and resists known attacks. Very recently, in 2020, Alzahrani et al. [31] showed that the roaming scheme of Lu et al. [34] cannot protect the remote user against stolen verifier and traceability attacks. Then, Alzahrani et al. [31] proposed an improved scheme based on ECC, designed on top of the proposal of Lu et al. [34]. However, in the same year, Khatoon and Singh Thakur [32] found that Lee et al. [20] is vulnerable to offline dictionary attacks, replay attacks, etc.

Lattices are a promising tool for developing various postquantum cryptography schemes and have been studied for a long time. In 1997, the first lattice-based cryptosystem, constructed by Ajtai and Dwork [47], appeared, followed by the NTRU cryptosystem constructed by Hoffstein [48] in 1998. In 2009, Gentry [49] constructed the first fully homomorphic encryption scheme based on lattice cryptography. In 2015, the postquantum cryptography report [30] released by the National Institute of Standards and Technology of the United States pointed out that, owing to the rapid development of quantum computing technology, the existing public key cryptography standards will no longer be safe under quantum computing. As early as 1997, Shor [24] proposed a quantum algorithm to solve the large number factorization problem in polynomial time; therefore, many conventional cryptosystems, for instance, those based on the large integer factorization and discrete logarithm assumptions, would face great security challenges with the advance of quantum computation.

In recent years, many authentication protocols from lattices have been developed [28, 47–62]. In particular, many lattice-based key exchange protocols have been proposed [53–57], and some of them have been used by Microsoft and Google [62] as alternatives to the prequantum key agreements in the TLS handshake protocol, which means that lattice-based key exchange protocols can be practical in many contexts and offer credible alternatives to schemes such as ECDH.

However, these existing lattice-based key exchange protocols [47, 63–66] are unsuitable for wireless environments with limited resources since they are built from LWE or RLWE. NTRU, first proposed by Hoffstein [48], is a lightweight public key encryption algorithm. Compared with other public key encryption mechanisms, NTRU possesses distinct advantages such as low memory and computation consumption and fast encryption/decryption [48] and signature/verification [59]. NTRU has been widely used in wireless environments such as wireless sensor networks [28], cellular networks [60, 61], and opportunistic networks [58] due to its low computational cost. Therefore, it is a desirable tool for constructing a roaming authentication scheme for the ubiquitous network.

1.2. Motivation and Contributions

Although many authentication schemes have been proposed, improving security and performance remains a challenge for developing a practical authentication scheme for roaming services in ubiquitous networks. Furthermore, the potential threat of quantum attacks makes it necessary to develop efficient antiquantum roaming authentication protocols. Motivated by this, a novel roaming authentication scheme based on NTRU is proposed in this paper. Our contributions are as follows:
(1) We put forward an NTRU-based authentication scheme with conditional anonymity that lets mobile users roam securely in the ubiquitous network; its most significant merit is resistance to quantum attacks.
(2) Formal and informal security analyses are conducted for the proposed scheme to demonstrate that it meets all security requirements.
(3) Furthermore, we compare the computational and communication costs to show the feasibility and efficiency of the proposed scheme.

1.3. Organization

The rest of this paper is organized as follows. Section 2 introduces the basic knowledge of lattices and the NTRU public key encryption algorithm. Section 3 illustrates the scheme in detail. Section 4 presents the formal security proof for the proposed scheme. The comparison of performance and security characteristics of the proposed scheme is given in Section 5, and the paper is concluded in Section 6.

2. Preliminaries

In this section, we briefly introduce the basic knowledge of lattice cryptography [50] and the NTRU public key encryption algorithm [48].

2.1. Lattice

Definition 1. Given linearly independent vectors , the lattice generated by them is defined as follows:
We say that the rank of the lattice is n, its dimension is , and is a basis of the lattice. If we define B as the matrix whose columns are , then the lattice generated by is
(1) In equation (2), stands for ordinary matrix multiplication.
(2) A lattice is a discrete additive subgroup of : it is closed under addition, and distinct lattice points are separated by a positive minimum distance.

Definition 2. (the shortest vector problem ()). Given a lattice basis , find a nonzero lattice vector such that for all .

Definition 3. (the closest vector problem ()). Given a lattice basis and a target vector , find a lattice vector Bx closest to the target vector , such that for all .
Both CVP and SVP are hard computational problems; the two are closely related and of comparable hardness, and no efficient algorithm is known for solving either of them.

2.2. NTRU

2.2.1. Definition of Algorithm

Definition 4. (polynomial ring). A polynomial in over a ring has the form , . The ring formed by the set of such polynomials is called a polynomial ring, denoted , or simply for short.
The parameters of NTRU mainly include three integers and four sets of integer coefficient polynomials , , , and of dimension . and are not required to be prime, but they should satisfy the equation , and should be greater than . Define the polynomial ; if , it can be denoted as . Define as the multiplication operation over the polynomial ring; if , , and , then

Definition 5. (truncated polynomial ring). The system consisting of the convolution operation defined above together with the addition operation of ordinary polynomial rings is called the truncated polynomial ring.
The polynomial ring used in NTRU is the truncated polynomial ring, denoted , and is the polynomial ring modulo . When computing the product , we reduce all the polynomial coefficients modulo , so the result lies in the ring .

2.2.2. Key Creation

The two communication parties are Bob and Alice. To generate a key, Bob randomly chooses two polynomials and ; the polynomial should have inverses modulo and modulo , and we will write these inverses as and :

Then, Bob computes the public key , and the private key pair of Bob is .

2.2.3. Encryption

Alice chooses her plaintext m from the set and a random polynomial from ; then, she uses Bob’s public key to encrypt the message and sends it to Bob. In addition, in order to strengthen the feasibility and security of the scheme, this scheme adopts the encryption security enhancement variant proposed by Hoffstein and Silverman [51].

2.2.4. Decryption

Bob uses his private key to decrypt the encrypted message from Alice. Firstly, Bob computes the intermediate polynomial a by

The coefficients of a lie in the interval . Then, a is reduced modulo . Finally, Bob multiplies by his private key polynomial to recover the plaintext:

In order to reduce the decryption time and speed up the decryption operation [51, 52], we set . Then, Bob can decrypt plaintext m successfully after computing m = a mod p.

2.2.5. Parameter Choices

The message space consists of polynomials modulo , where and

Similarly, other sample spaces can be described in the following way:

We choose three positive integers and then we use these symbols to denote polynomial : , , and

Since f is expected to be invertible, the number of −1 should not equal the number of 1.

3. Concrete Construction

3.1. System Model

This section illustrates the concrete construction of the proposed authentication scheme for mobile user roaming in the ubiquitous network. The ubiquitous network provides roaming services for mobile users, enabling them to obtain the extended services of their home agents whenever they enter the field of a foreign agent, no matter where they are [8–10]. In the proposed scheme, there are three types of entities:
(1) MU (mobile user): uses a mobile phone with a smart card to obtain services in the ubiquitous network.
(2) FA (foreign agent): provides roaming services for mobile users.
(3) HA (home agent): provides authentication for MU and FA.

When a mobile user (MU) enters the foreign agent area, MU should be authenticated under the collaboration between the home agent and the foreign agent. A general framework of roaming service is shown in Figure 1. MU has to register itself during the initialization of the system. Afterwards, with the help of HA, MU and FA can perform mutual authentication when necessary. Only when MU and FA confirm each other’s identities can they communicate with each other. In order to ensure the identity legitimacy of the involved entities and the message validity, a mutual authentication mechanism is designed to achieve authorization when realizing roaming service, and the message security is satisfied through key agreement protocol [3, 4, 25].

We describe the proposed protocol for ubiquitous networks as follows. Please refer to Table 1 for the notation guide.

3.2. Registration

The home agent (HA) mainly authenticates the real identity of the roaming mobile user (MU) and the identity of the foreign agent (FA) and then sends the authentication results to FA and MU, respectively. Therefore, a mobile user must register with his home agent before roaming. Figure 2 shows the registration phase of the proposed scheme, and the main steps of registration are as follows:
(1) HA broadcasts the public parameters and then calculates and sends his public key to the registering MU, where is HA's public key.
(2) MU randomly selects a random number and a legal login password ; then, MU computes and and sends to HA through a secure channel.
(3) After receiving the registration request from , ; if the verification holds, HA computes the identification of MU , where is the timestamp of MU registration, and no one except HA can forge or calculate . Then, HA stores the parameters into the smart card and issues the smart card to MU.

Assume that a symmetric key has previously been shared between the home agent and the foreign agent, and that each home agent keeps a list of public keys indexed by ID. The home agent (HA) keeps a list of public and private keys for the corresponding roaming users (MU), see Table 2, and a list of public and private keys for foreign agents (FA), see Table 3.

3.3. Login and Authentication Phase

As shown in Figure 3, once the mobile terminal has completed registration, it can perform the login and authentication process. In this process, the mobile terminal completes session key negotiation and authentication with the foreign agent with the help of the home agent:
(1) The mobile user MU first enters its real identity and password into the smart card; the smart card then computes and verifies ; if the verification holds, the ID of MU is valid and the smart card allows the user to log in; otherwise, the smart card denies the login request. MU selects two random polynomials and , computes , then encrypts and , , , and , computes , and sends to FA.
(2) When FA receives , it first verifies whether the timestamp is valid. If so, it saves first, retrieves the locally stored secret key shared with HA according to , computes , and sends to HA.
(3) When HA receives the message from FA, HA verifies the timestamp first and then verifies the validity of and :
(1) HA calculates the message verification code according to stored in HA and checks whether the equation holds; if it holds, HA believes is legal.
(2) HA uses his private key to decrypt and to obtain and , then uses to look up stored in HA, and verifies and ; if all equations hold, HA believes is valid.
(3) HA selects a random polynomial , computes , , , and then sends to FA.
(4) After receiving from HA, FA decrypts and and computes to verify whether the anonymous identity of MU received from HA equals the received in step 1. If it holds, FA believes MU's anonymous identity is legitimate. FA selects two random polynomials, computes , computes the session key , then encrypts using the equations , , and finally sends to MU.
(5) After receiving from FA, MU obtains and by decrypting and and verifies ; if it holds, MU trusts the legitimacy of FA. Then, MU computes and the session key . Finally, MU verifies ; if the equation holds, the session key negotiation is successful.

To facilitate the understanding of the proposed protocol, the following three steps describe the calculation process of public key generation, decryption, and key agreement in detail.
(1) Public key generation: according to the key generation algorithm in Definition 2, the three entities generate their own public keys in the following way, respectively:
(2) Decryption: given a message encrypted according to Definition 3, the entities can decrypt it according to Definition 4. Here, we take and as examples to explain the decryption process. When HA receives , it first computes a temporary polynomial . Then, it performs the modulo p operation on to obtain . Afterwards, it computes and to obtain and .
(3) Session key generation: with the help of HA, MU and FA trust each other; then, they exchange secret parameters to compute the shared session key. Because , no one can compute or obtain and except MU and HA. Therefore, only MU and FA can generate the shared session key:

3.4. Password Update

To prevent password cracking, this scheme provides an operation for updating the user password. The password change phase is invoked by the mobile terminal, and the user performs the following steps on the smart card:
(1) The mobile user inputs his and ; the smart card computes and verifies whether ; if the equation holds, the user logs in successfully; otherwise, the smart card terminates the login process.
(2) The user sends a request to update the login password according to the system prompt, and the smart card prompts the user for the new password after receiving the request.
(3) The user selects a new password and a new random number , then computes , and replaces with .

3.5. Session Key Update

MU and FA need to renew the session key for security reasons if the user remains within the same FA for a long time. However, initializing a new session to execute the key exchange protocol is time consuming. For the sake of both security and efficiency, we provide an update operation for the session key. If the roaming mobile user needs to update the session key previously established with the foreign agent, the following steps should be performed, as shown in Figure 4.

MU randomly selects a polynomial from , then computes and sends to FA. Here, is the session key previously established with the foreign agent, is a timestamp, and is a flag for the session key update request.

When the foreign agent FA receives the message from the roaming user MU, FA performs the following steps:
(1) Verifies , where is a timestamp.
(2) If the equation above holds, uses to decrypt and then verifies the legitimacy of .
(3) If is valid, FA selects a random polynomial from and then computes , which is the new session key.
(4) FA computes and sends to MU.

When MU receives the message , MU verifies and ; if they are valid, MU computes and verifies ; if this equation holds, the new session key is updated.

4. Analysis

4.1. Correctness

The BAN logic model was first proposed by Burrows et al. [67] in 1990; it is a simple and powerful tool for analyzing the correctness of authentication schemes. In this section, we first describe the basic knowledge of the BAN logic model. Then, we use the BAN logic model to analyze the correctness of the proposed protocol.

4.1.1. Definition of BAN Logic Model

(1) Notations and Semantics. In the following, we briefly describe the notations and semantics of the BAN logic model:
(1) and denote communication entities.
(2) denotes the shared session key of the communicating entities.
(3) denotes the public key of a communication entity.
(4) and denote the secret keys of communication entities.
(5) and denote messages passed in the protocol.
(6) : believes message is true.
(7) : once received a message containing .
(8) : once sent a message including .
(9) : controls .
(10) denotes that the message is fresh.
(11) : and use the shared symmetric key to communicate with each other.
(12) represents the ciphertext obtained by encrypting message with secret key .
(13) denotes the combination of and , that is, is a secret value whose presence represents the identity of the owner of .
(14) denotes the connection between and .
(15) means that can be derived from .

(2) Inference Rules. To use BAN logic for correctness analysis, we describe the related inference rules of the BAN logic model as follows:
(1) Message-meaning rule: if believes that is the shared session key between and , and receives a message encrypted by , then believes that once sent the message .
(2) Nonce verification rule: if believes the message is fresh and also believes that has said message , then believes .
(3) Jurisdiction rule: if believes has jurisdiction over , and believes that believes , then believes the message .
(4) Freshness rule: if believes is fresh, then believes is fresh.
(5) Belief rule: if believes the message collection of and , then believes each individual message.
(6) Session key rule: if believes the shared key is fresh and also believes that believes message , then believes .
(7) Seeing rule: if receives a message and knows the related key for the message, then receives the components of the message.

4.1.2. Correctness Analysis

The correctness of the scheme can be proved as follows:
(1) Idealized protocol model:
(1)
(2)
(3)
(4)
(2) Initial assumptions:

There are three communication entities in the proposed scheme: MU (mobile user), HA (home agent), and FA (foreign agent). The three entities generate all the authentication messages of the proposed scheme, so we make initial assumptions from three aspects.
(1) MU:
The above formulas A1∼A6 mean the following:
A1: MU believes and owns its own real identity.
A2: MU believes its own anonymous identity.
A3: because MU registered with HA before the authentication phase, MU believes the real identity of HA.
A4: MU believes the random number it chooses.
A5: MU knows the public key of HA.
A6: MU owns its identity certificate because HA computed and sent it to MU in the registration phase.
(2) HA:
The above formulas B1∼B8 mean the following:
B1: HA believes and owns its own real identity.
B2: HA believes the key shared with FA.
B3: because MU sent to HA in the registration phase, HA owns the real identity of MU.
B4: HA owns the public key of MU because MU sent it to HA in the registration phase.
B5: HA owns the identity certificate of MU because HA computed it in the registration phase.
B6: HA owns the real identity of FA.
(3) FA:
The above formulas C1∼C6 mean the following:
C1: FA believes and owns its own real identity.
C2: FA owns the real identity of HA.
C3: FA believes the random number it chooses.
C4: FA believes the key shared with HA.
(3) Goals to be achieved:

To provide secure and anonymous communication for legal mobile users in roaming services, the proposed protocol performs mutual authentication between the mobile user and the foreign agent with the help of the home agent. Then, MU and FA generate a shared session key to protect subsequent communication. This means that the proposed scheme can achieve the goals listed above, which are explained as follows:
G1: HA believes the real identity of FA.
G2: HA believes the anonymous identity of MU.
G3: FA believes that HA believes the anonymous identity of MU.
G4: MU believes that HA believes the real identity of FA.
G5: MU believes the shared session key between MU and FA, which means MU and FA generated the shared session key successfully.
G6: FA believes the shared session key between FA and MU, which means FA and MU generated the shared session key successfully.

5. Correctness Verification

In this section, we analyze the proposed protocol using the BAN logic model to validate the security and correctness claim of the proposed protocol. The following are the detailed steps to prove that the proposed protocol can reach the goals shown above.

From the message , on verifying the timestamp of FA and applying Seeing rule , we obtain the following:

From V2 and B2, on applying Message-meaning rule , we obtain

From V4, on applying Freshness rule , we obtain

From V5 and V6, on applying Nonce verification rule , we obtain

From V7, on applying Belief rule , we obtain

From V1, on verifying the timestamp of MU and applying Seeing rule , we obtain

From B3, V11, V12, and V13, on verifying and applying Seeing rule , we can say

From V14, V15, and V17, on applying Belief rule , we obtain

From message , on verifying the timestamp of MU and applying Seeing rule , we obtain

From message , on applying Seeing rule and , we obtain

From C4, V19, and V24, on verifying and applying Message-meaning rule , we obtain

From V20, on applying Freshness rule , we obtain

From V25 and V29, on applying Nonce verification rule , we obtain

From message , on applying Seeing rule and , we obtain

From A4 and A6, MU verifies , and on applying Belief rule , we can obtain

Because is a timestamp freshly selected by MU, we can say

From V37, on applying Freshness rule , we obtain

From V31, V32, and V33, on verifying and applying Belief rule , we can conclude

From V39 and V40, on applying Session key rule , we obtain

From V29, on applying Freshness rule , we obtain

From V28 and both FA, compute in the same way:

From V42 and V43, on applying Session key rule , we obtain

Thus, the proposed protocol reaches the goals G1∼G6 through the analysis of the above steps, and it can be concluded that the proposed protocol provides mutual authentication and session key establishment.

5.1. Security

5.1.1. Formal Security Proof

(1) Security Model. This section defines the security model of the lattice-based authentication protocol, which is based on the security model proposed by Bellare et al. [63–65]. The attack capability of the adversary is defined by a series of oracle queries and security assumptions. conducts an interaction experiment by performing a series of oracle queries with any participant instances in the protocol . In the course of the interaction, is given the ability to attack the protocol. Security of the key exchange means that no adversary can distinguish, using a polynomial number of random oracle queries, between session keys generated by honest protocol participants and random strings. An honest protocol participant U has different instances , and it can execute the protocol concurrently. The adversary can use the following oracles to interact with different instances of honest players:
(i) : queries the random oracle for the hash result. The random oracle returns the result if it already exists in the list; else, it chooses a random number r, records () in a hash table, and then returns r.
(ii) : this query models the adversary's ability to eavesdrop passively on the protocol; can eavesdrop on the honest protocol execution. The output consists of the messages exchanged during protocol execution.
(iii) : this query models the adversary's ability to actively attack the protocol; can intercept a message and change it, or simply forward it to a target instance. The input is the message sent by the adversary to , and the output is the corresponding message generated by based on the message .
(iv) : this query models the ability of the adversary to corrupt the protocol participant U, and returns the user's password.
(v) : obtains the session key possessed by . This query models a session key leak.
(vi) : this query relates to the semantic security of the session key SK and is made after many other queries have been made by . The random oracle selects a random bit . If , the oracle returns a random value of the same length as the session key, and if , the oracle returns the real session key held by .

Semantic security: consider that executes the key exchange protocol P, interacts with the Execute, Send, Reveal, and Test oracles, and finally outputs a bit value as a guess of b. If , the adversary is considered successful. Let Succ denote the event that the adversary succeeds. Then, the advantage of the adversary in breaking the protocol P is defined as follows:

This authenticated key exchange protocol is considered secure if is negligible.

(2) Security Proof.

Theorem 1. Suppose an adversary makes , , , and queries of types , , , and in time , respectively, and queries to the random oracles. Then:

Proof. We use seven experiments , ,…, , to prove the security of the protocol, which has , and is negligible values in .

. This experiment represents an original protocol execution.

. In this experiment, we simulated Send, Reveal, Test, and Execute queries as Tables 4 and 5 show, and , , , and are also simulated by maintaining hash list , , , and :

Proof. In the proposed protocol the four hash functions act as random oracles, so the adversary cannot distinguish their outputs from random values. Each of them is simulated in the same way: on a query, if a record for that input already exists in the corresponding hash list, return the recorded value r; otherwise choose a random string of the appropriate length, add the (input, value) pair to the list, and return the value.

. This game simulates all oracles as in the previous game, except that the game is aborted when the adversary guesses the password correctly. This modification increases the adversary's chance of breaking the game, but the adversary's advantage remains negligible:

Proof. (1) Since the password is invisible to the adversary, the adversary can only log in by guessing it (event 1). (2) The adversary must query the random oracles to distinguish the real values from random ones (event 2). If neither event 1 nor event 2 happens, the two games are indistinguishable; hence the difference between them is bounded by the probabilities of these two events:

This game is almost identical to the previous one, but it is aborted whenever an honest party chooses a random value that has already been seen earlier in the execution:

Proof. SID is a string of fixed length generated by the protocol, and it is generated only after the corresponding Send, Execute, and random oracle queries. The probability that the same value was already produced by a previous Send, Execute, or random oracle query is given below; therefore, the probability that SID is not unique is bounded by that quantity.

. This game makes the following changes to the Send queries: the secret value is replaced by a random value when computing the corresponding message, and for the messages that contain it, a random value is used to compute the response returned to the adversary. Since the two values are randomly selected from the polynomial space and the secret values are transmitted only in encrypted form, invisible to the adversary, this modification does not increase the adversary's probability of breaking the protocol:

Proof. The secret value is encrypted and decrypted with the NTRU algorithm. An adversary holding only the public key and the ciphertext, but not the private key, cannot obtain any information about the plaintext. To see this, construct an algorithm that runs the adversary in order to break the encryption scheme.
The adversary sends two plaintexts to the algorithm; the algorithm selects one of them, encrypts it, and sends the ciphertext to the adversary. The adversary guesses which plaintext was encrypted and outputs a bit. If the NTRU parameters are selected properly, the advantage of the adversary in this experiment is negligible.
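The indistinguishability experiment sketched above, written out as a small harness. This is an added example, not code from the paper: the two encryption functions are stand-ins, not NTRU. `det_encrypt` models a deterministic public-key scheme (anyone holding the public key can recompute the ciphertext of a candidate message), and `rand_encrypt` is an idealized randomized scheme whose fresh randomness is never revealed. The "encrypt and compare" adversary wins the game outright against the deterministic stand-in, which is exactly why NTRU encryption draws a fresh blinding polynomial for every ciphertext. `PUBLIC_KEY`, the message pair and the seed are assumptions made for the demonstration.

```python
"""IND-CPA style distinguishing experiment (added example, not the paper's code).
The encryption functions below are illustrative stand-ins, NOT NTRU."""
import hashlib
import random
from typing import Callable

PUBLIC_KEY = b"pk-demo"   # assumed stand-in for the public key the adversary holds

Encrypt = Callable[[bytes, bytes, random.Random], bytes]


def det_encrypt(pk: bytes, m: bytes, rng: random.Random) -> bytes:
    """Deterministic stand-in: the ciphertext is a public function of (pk, m),
    so anyone with pk can recompute it for a candidate message."""
    return hashlib.sha256(pk + m).digest()


def rand_encrypt(pk: bytes, m: bytes, rng: random.Random) -> bytes:
    """Idealized randomized stand-in: one-time pad with fresh randomness that
    the adversary never sees, so the ciphertext carries no information about m."""
    pad = rng.getrandbits(8 * len(m)).to_bytes(len(m), "big")
    return bytes(a ^ b for a, b in zip(m, pad))


def compare_adversary(pk: bytes, m0: bytes, m1: bytes, c: bytes,
                      enc: Encrypt, rng: random.Random) -> int:
    """Generic attack on deterministic public-key encryption: re-encrypt m0
    under the public key and guess 0 if the result matches the challenge."""
    return 0 if enc(pk, m0, rng) == c else 1


def ind_cpa_advantage(enc: Encrypt, adversary, trials: int, seed: int = 7) -> float:
    """Run the experiment `trials` times: the challenger picks a random bit b,
    encrypts m_b and hands the ciphertext to the adversary, which outputs a
    guess b'. Returns the empirical advantage |2 Pr[b' = b] - 1|."""
    rng = random.Random(seed)                      # constructed, fixed for reproducibility
    m0, m1 = b"session-seed-0", b"session-seed-1"  # constructed equal-length plaintexts
    wins = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        c = enc(PUBLIC_KEY, (m0, m1)[b], rng)
        if adversary(PUBLIC_KEY, m0, m1, c, enc, rng) == b:
            wins += 1
    return abs(2 * wins / trials - 1)


if __name__ == "__main__":
    print("deterministic stand-in:", ind_cpa_advantage(det_encrypt, compare_adversary, 200))
    print("randomized stand-in:   ", ind_cpa_advantage(rand_encrypt, compare_adversary, 2000))
```

Against the deterministic stand-in the adversary is right in every trial, so the empirical advantage is 1; against the randomized stand-in its re-encryption never matches the challenge, so it is reduced to a coin flip and the advantage stays near 0. The proof above relies on NTRU behaving like the second case, which holds only for parameter sets chosen so that the blinding polynomial is drawn from a sufficiently large space.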

. To increase the adversary's chance of winning the game, this game simulates all oracles almost identically to the previous one, except that it is aborted when a collision occurs on the transcript among the outputs of the hash queries during the execution of the protocol. The adversary makes a polynomial number of queries to the four hash oracles in order to find such a collision:

Proof. Since the authentication messages are generated with fresh random numbers, they differ in every authentication session. If a collision event occurs, the adversary succeeds. By the birthday bound of Gardy et al. [66], the two games are distinguishable only when a collision occurs, and the probability of a collision is bounded as given below, where the four quantities are the sizes of the output spaces of the corresponding hash functions.
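The two simulation devices used in this proof, the lazily sampled random oracle with its hash list (the hash-query simulation above) and the birthday-type bound on hash collisions (this game), as an added example that is not code from the paper. The oracle names `H1`..`H4`, the output lengths and the inputs are assumptions; the collision bound used is the standard union bound q(q-1)/2^(l+1) for q distinct queries to an oracle with l-bit outputs.

```python
"""Lazy-sampled random oracle with a hash list, plus the birthday collision
bound used in the game hop (added example, not the paper's code)."""
import secrets
from fractions import Fraction
from typing import Callable, Dict


class RandomOracle:
    """Simulates one hash function as a random oracle.

    A repeated query returns the stored answer; a fresh query draws a uniform
    `out_bits`-bit value, records the (query, value) pair and returns it.
    """

    def __init__(self, out_bits: int, rng: Callable[[int], int] = secrets.randbits):
        self.out_bits = out_bits
        self._rng = rng
        self.table: Dict[bytes, int] = {}   # the hash list: query -> answer

    def query(self, x: bytes) -> int:
        if x in self.table:                 # consistency: same input, same output
            return self.table[x]
        r = self._rng(self.out_bits)        # fresh uniform value
        self.table[x] = r
        return r

    @property
    def queries(self) -> int:
        return len(self.table)

    def has_collision(self) -> bool:
        """True if two distinct inputs received the same answer, i.e. the
        event on which the collision game aborts."""
        return len(set(self.table.values())) < len(self.table)


def collision_bound(q: int, out_bits: int) -> Fraction:
    """Union (birthday) bound q(q-1)/2^(out_bits+1) on the probability that
    q distinct queries to an `out_bits`-bit random oracle collide."""
    return Fraction(q * (q - 1), 2 ** (out_bits + 1))


def simulate_oracles(out_bits: int = 256) -> Dict[str, RandomOracle]:
    """The four hash oracles the simulator maintains (names H1..H4 assumed)."""
    return {name: RandomOracle(out_bits) for name in ("H1", "H2", "H3", "H4")}


def total_collision_bound(oracles: Dict[str, RandomOracle]) -> Fraction:
    """Sum of the per-oracle bounds, as a union bound over the four lists."""
    return sum((collision_bound(o.queries, o.out_bits) for o in oracles.values()), Fraction(0))


if __name__ == "__main__":
    oracles = simulate_oracles()
    for i in range(1000):                   # constructed transcript material
        oracles["H1"].query(b"MU-pseudonym-" + str(i).encode())
        oracles["H3"].query(b"FA-response-" + str(i).encode())
    print("collision seen:", any(o.has_collision() for o in oracles.values()))
    print("bound:", float(total_collision_bound(oracles)))
```

With 256-bit outputs the bound for a polynomial number of queries is astronomically small, which is what makes the hop negligible; shrinking `out_bits` to a toy value such as 4 lets `has_collision()` trigger after a handful of queries and shows the abort the game describes.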

. In this game all passwords of the protocol are held by an internal password oracle, which accepts queries that test whether a given password for MU is correct. The password oracle is invisible to the adversary and generates all passwords during initialization:

Proof. The adversary cannot obtain the private keys of MU and FA by attacking their public keys, so these private keys are invisible to the adversary, and in the previous games the session key is computed from randomly selected values. The session key is therefore a random value at this point, and the information held by the adversary is independent of it, so the adversary can only succeed by guessing the bit b in the Test query or by attacking the user's password online. Let Succ denote the event that the adversary succeeds in this game, and let the password-guessing event denote the event that the adversary breaks the protocol by guessing the password. The probability of success is bounded as follows:

Note that if the passwords are chosen uniformly at random from the dictionary and the password-guessing event does not occur, the only way for the adversary to succeed is to guess the bit b through the Test query, so its success probability in that case is that of a random guess. Combining the bounds above, we conclude that

Finally, analyzing the sequence of games shows that the advantage of the adversary is negligible, which concludes the proof of Theorem 1.

5.1.2. Informal Security Analysis

Security analysis:

(i) Conditional anonymity: the identity of the roaming terminal MU is invisible to the foreign agent FA. MU communicates with FA only through a pseudonym, which changes in every authentication session, so MU is strongly anonymous to FA. If a malicious MU appears in the system, its real identity must be recoverable in time. Since every authentication session requires the participation of the home agent HA, and HA established the association between the pseudonym and the real identity during registration, HA can reveal the user's real identity from the pseudonym.

(ii) Forward security: forward security means that even if an attacker obtains the private keys of the roaming mobile user MU and the foreign agent FA, he cannot compute any session key previously negotiated between MU and FA. The session key is derived from randomly selected values that differ in each authentication session, so earlier session keys cannot be recovered from the long-term keys.

(iii) Untraceability: even if the adversary intercepts all information exchanged between the protocol participants, it cannot track the behavior of the roaming terminal MU. All messages and values generated by MU during each interaction are random, so the proposed scheme is untraceable.

(iv) Mutual authentication: the adversary cannot take part in generating or responding to the protocol's authentication messages. The participants are the roaming terminal MU, the foreign agent FA, and the home agent HA, and the authentication messages generated by MU and FA can be decrypted only by the legitimate HA. The legitimate HA then helps MU and FA complete the authentication and generate the session key correctly only if the three parties trust each other.

(v) User login authentication: to improve the security of the scheme, the smart card verifies the validity of the user at login. The user enters the identity and password; the smart card SC computes the verification value and checks it. If the check holds, the identity of MU is valid and SC allows the login; otherwise SC denies the login request.

(vi) Resistance to replay attacks: the authentication messages sent by the mobile user MU and the foreign agent FA contain timestamps. When FA and HA execute the authentication process, each entity first verifies the validity of the timestamp in the received message and only then proceeds. Furthermore, the random numbers ensure that the authentication information differs in every session, so the adversary cannot mount a replay attack with previously exchanged messages.

(vii) Resistance to man-in-the-middle attack: suppose an attacker on the communication channel attempts a man-in-the-middle attack by intercepting and tampering with messages. To tamper with the authentication message, he must first tamper with the encrypted components, which are protected by the NTRU encryption mechanism. Because of the hardness of the SVP and CVP lattice problems, the attacker cannot obtain the private key needed to decrypt them, so the tampering fails. The remaining messages contain values produced by one-way hash functions, so tampering with them requires breaking the collision resistance of the hash function, and the attacker fails there as well.

(viii) Resistance to device-stealing attacks: even if an adversary obtains the user's mobile device, he cannot recover the user's password and identity from the smart card, and he can only log in by guessing both the password and the identity, so the scheme resists device-stealing attacks.

(ix) Resistance to privileged-insider attack: in the registration phase, MU sends HA the registration information, from which HA cannot extract MU's password. In addition, MU can update the password on the smart card without the participation of HA. Finally, the session key negotiated by MU and FA is not visible to HA, so the scheme resists privileged-insider attacks.

(x) Secure user password change: the mobile user executes the password change phase whenever a new password is desired. After the smart card has authenticated the user, the old password is replaced by the new password selected by the user; FA and HA do not take part in this phase. The password change phase is therefore both practical and secure.
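The freshness check that the replay-resistance argument in (vi) relies on, as an added example that is not the paper's code: every authentication message carries a timestamp and a fresh random number, and the receiving entity (FA or HA) rejects a stale timestamp first and then any random value it has already accepted. The message layout, the field names and the clock-skew window are assumptions made for the demonstration.

```python
"""Freshness (anti-replay) check for authentication messages carrying a
timestamp and a random nonce (added example, not the paper's code)."""
import secrets
from typing import Dict, Tuple

WINDOW_SECONDS = 30   # assumed tolerance for clock skew and transmission delay


def build_message(sender: str, now: int, payload: bytes = b"") -> dict:
    """Constructed message: sender, timestamp, 128-bit random number, payload."""
    return {"from": sender, "ts": now, "nonce": secrets.token_bytes(16), "body": payload}


class FreshnessChecker:
    """State a receiving entity keeps to detect replayed messages."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.seen: Dict[bytes, int] = {}   # accepted nonce -> its timestamp

    def _evict(self, now: int) -> None:
        # A nonce whose timestamp has left the window can no longer pass the
        # timestamp check, so it need not be remembered; this bounds the table.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def check(self, msg: dict, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason). The timestamp is checked before the
        nonce, matching the order described for FA and HA in the scheme."""
        self._evict(now)
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "fresh"


if __name__ == "__main__":
    fa = FreshnessChecker()
    m = build_message("MU", now=1000)
    print(fa.check(m, now=1000))    # accepted
    print(fa.check(m, now=1005))    # replay inside the window: nonce already seen
    print(fa.check(m, now=1040))    # replay outside the window: stale timestamp
```

The two checks are complementary: a timestamp alone still admits a replay inside the tolerance window, and a nonce alone forces the receiver to remember every nonce forever; together the window bounds both the replay opportunity and the size of the nonce table.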

Based on the security analysis above, we compare the security of the proposed scheme with related schemes in Table 6. The results show that only the proposed scheme provides all the required features and resists all the known attacks considered, whereas each competing scheme either lacks some feature or fails to resist some known attack. In addition, the proposed scheme resists quantum attack, which none of the related schemes does.

5.2. Performance

In this section, the proposed scheme is compared with the authentication schemes of related studies [12, 13, 16-18, 20, 31-34] in terms of both communication cost and computational complexity. These schemes are the most recent or most influential works in this field and each improved either the security or the efficiency of its predecessors, which is why we compare our scheme against them.

Because message transmission time depends on external factors, this section considers only the message processing time of the client and the server in the authentication phase. The proposed scheme involves four operations: hash, NTRU encryption and decryption, polynomial modulus, and multiplication, denoted by the corresponding symbols. Using the hardware and software listed in Table 7, the running time of each of these four operations is measured. Table 7 also records the measured NTRU operation times together with the single-operation times of the elliptic curve operations obtained from the related schemes [10, 20, 23, 30-34].

Table 8 compares the authentication time of the proposed scheme with the related schemes. Owing to the high performance of the NTRU encryption mechanism, the computation time of all three entities in the proposed scheme is relatively low. As Figure 5 shows, the schemes of [16, 20] have better execution times; however, they are susceptible to several known attacks and fail to provide perfect forward secrecy and untraceability, respectively. Consequently, for the ubiquitous network environment, the proposed scheme is more practical.

Table 9 and Figure 6 compare the communication overhead of the proposed scheme and the related schemes during the authentication phase. The total communication cost of our protocol is 3903 bits, which among the compared schemes is lower only than that of Wu et al. [18]. However, the communication cost on the MU side is only 974 bits, which is lower than that of Gope and Hwang [17], Wen et al. [13], Jiang et al. [12], Alzahrani et al. [31], and Lu et al. [34]. Therefore, the proposed scheme is friendlier to mobile devices with limited resources. Taking performance (computational and communication cost) and security attributes together, the proposed scheme achieves a better tradeoff, which makes it more suitable for ubiquitous networks.

6. Conclusion

We have put forward a lattice-based roaming authentication scheme and established its security with a formal proof and an informal analysis. In addition, BAN logic analysis demonstrates that the proposed scheme is correct and achieves mutual authentication. Rigorous theoretical analysis and simulation experiments show that the proposed scheme has better performance and feasibility and meets the security requirements of roaming authentication. Our lattice-based roaming authentication provides mutual authentication and conditional anonymity, and it resists traceability, replay attacks, privileged-insider attacks, and in particular quantum attack. The security and performance results show that the proposed scheme outperforms the existing authentication schemes, but it still has some limitations.

The public key encryption algorithm used in this paper is NTRU. Its designers avoid decryption errors mainly by choosing suitable parameters and do not provide a quantitative theoretical analysis of the decryption failure probability. This restricts the range of admissible parameters and limits the wider use of the NTRU algorithm.

6.1. Future Work

In future work, we plan to study a revised NTRU algorithm that addresses the inherent decryption failure problem of NTRU. We can then extend the proposed authentication scheme, built on the revised algorithm, to other scenarios such as opportunistic networks and wireless sensor networks. At the same time, lattice-based multifactor authentication schemes for ubiquitous networks will be investigated to accommodate advanced communication and computation technologies, for example, 5G and edge computing.

Data Availability

The source code and data used to support the findings of this study have been deposited in the (1) Github repository (https://github.com/tbuktu/ntru), (2) Springer repository (DOI 10.1007/s11277-012-0535-4, DOI 10.1007/s11277-013-1243-4, DOI 10.1007/s11277-015-2344-z, and DOI 10.1007/s12243-016-0547-2), (3) ScienceDirect repository (https://doi.org/10.1016/j.comcom.2007.12.005), (4) Plos one repository (https://doi.org/10.1371/journal.pone.0193366), (5) Symmetry repository (https://www.mdpi.com/2073-8994/12/2/287), (6) CRYPTOLOGIA repository (https://www.tandfonline.com/doi/full/10.1080/01611194.2019.1706061), (7) International Journal of Communication Systems repository ([https://onlinelibrary.wiley.com/doi/abs/10.1002/dac.3904]), and (8) IEEE SYSTEMS JOURNAL repository (DOI 10.1109/JSYST.2018.2883349).

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

Acknowledgments

This work was supported by the Venture & Innovation Support Program for Chongqing Overseas Returnees (No. cx2018122).