Research Article | Open Access
A Lattice-Based Authentication Scheme for Roaming Service in Ubiquitous Networks with Anonymity
In ubiquitous networks, mobile nodes can obtain a roaming service that lets them access the services of their home network while in the field of a foreign network. To provide secure and anonymous communication for legitimate mobile users in roaming services, there should be mutual authentication between the mobile user and the foreign agent with the help of the home agent. Many roaming authentication schemes have been proposed; however, with the progress of quantum computation, quantum attacks threaten the many authentication schemes built on traditional public key cryptography, so quantum-resistant roaming authentication schemes need to be investigated. Because of the limited computational resources of mobile nodes, a lightweight, anonymous and quantum-resistant authentication scheme is needed to let mobile nodes roam across multiple service domains securely and seamlessly. Given the resistance of lattice problems to known quantum algorithms, an NTRU-based authentication scheme with provable security and conditional privacy preservation is proposed to remedy these security weaknesses. Compared with the existing scheme, the proposed scheme not only improves efficiency but also resists quantum attacks.
With the advance of wireless Internet access technology and the popularity of smart mobile devices, ubiquitous networks have become part of daily life and make it more convenient. A ubiquitous network lets people access network services such as online shopping and mobile payment. However, mobile devices are prone to various security and privacy problems in this environment because of its inherent openness and their limited computation. For instance, an attacker can intercept transmitted data and then analyze or tamper with it, which can corrupt user data and leak private information.
Authentication is an essential security technique for keeping attackers out of the roaming service of a ubiquitous network, and great efforts have been made in this field in the past years. However, most of the existing authentication schemes [3–23] are built on conventional cryptographic primitives, which are widely believed not to resist quantum attacks: discrete logarithm and integer factorization problems can be solved in polynomial time on a quantum computer by Shor's algorithm. In addition, the computation or communication cost of the existing authentication schemes is relatively high, which makes many of them impractical for wireless networks, since these are mostly built from resource-constrained devices [25–29]. Therefore, it is of great significance to design efficient and quantum-resistant roaming authentication schemes. However, the openness and dynamic nature of ubiquitous networks make it extremely challenging to design a secure and effective roaming authentication protocol.
1.1. Related Work
In recent years, many roaming authentication protocols [5–23, 30–36] have been proposed to let mobile users with smart cards obtain information securely in ubiquitous networks. In 2004, Zhu and Ma proposed a roaming authentication protocol for ubiquitous networks that aims to preserve the privacy of mobile users. However, Lee et al. proved that the protocol of Zhu and Ma fails to provide backward security and cannot resist forgery attacks, and proposed an improved roaming authentication protocol to eliminate these defects. Later, Wu et al. pointed out that the anonymity of users is not preserved in the protocols of Zhu and Ma and of Lee et al., and that the latter also fails to guarantee backward security; to remedy these shortcomings, Wu et al. proposed an improved scheme. In 2012, Mun et al. demonstrated that user anonymity and perfect forward security are not achieved in the scheme of Wu et al., and proposed an enhanced authentication protocol to remedy these weaknesses. Unfortunately, Kim and Kwak found that the scheme of Mun et al. is vulnerable to replay attacks and man-in-the-middle attacks, and Zhao et al. also pointed out that it is vulnerable to various other attacks.
In 2011, He et al. proposed a lightweight anonymous authentication protocol for roaming service. However, in 2013, Jiang et al. showed that the protocol of He et al. cannot resist attacks such as offline password guessing and replay, and proposed an enhanced anonymous authentication scheme to address these problems. A subsequent study by Wen et al. showed that the scheme of Jiang et al. is vulnerable to replay attacks and does not provide forward security. In 2014, Kuo et al. proposed an authentication scheme based on elliptic curves to achieve anonymity. However, Lu et al. proved that the protocol of Kuo et al. has many security problems, such as vulnerability to insider attacks, and Zhang et al. also found that the scheme of Kuo et al. may leak the secret value of the mobile terminal MU. Subsequently, Xu et al. and Srinivas pointed out that the scheme of Zhang et al. is vulnerable to offline guessing attacks and replay attacks and cannot guarantee the anonymity of users.
In 2015, Farash et al. pointed out that the scheme of Wen et al. is vulnerable to offline guessing attacks and forgery attacks. Farash et al. and Gope and Hwang then each proposed enhanced anonymous roaming authentication schemes to resist various attacks in ubiquitous networks. However, Wu et al. showed that the schemes of Farash et al. and of Gope and Hwang have many security defects, and that their session keys are exposed to HA. In addition, Chaudhry et al. also pointed out security risks in the scheme of Farash et al., such as the inability to guarantee user anonymity and the leakage of the mobile user's session key. In 2017, Xie et al. designed the first roaming authentication scheme that uses chaotic maps for key agreement in ubiquitous networks. Subsequently, in 2019, Ostad-Sharif et al. found that the scheme of Xie et al. cannot resist the known session-specific information attack. In 2018, Lee et al. claimed that the scheme of Chaudhry et al. is vulnerable to many attacks, such as user forgery attacks and device theft attacks [37–40], and proposed an improved biometric-based [40, 41] authentication scheme for roaming in ubiquitous networks. They claimed that their scheme is secure against the known attacks, offers conditional anonymity [37, 39, 42–46], and is lightweight compared with the earlier scheme. In 2019, Lu et al. found weaknesses in the roaming authentication scheme of Gope and Hwang and proposed a new roaming user authentication scheme using ECC, claiming that it provides the required security features and resists known attacks. Very recently, in 2020, Alzahrani et al. showed that the roaming scheme of Lu et al. does not protect the remote user against stolen-verifier and traceability attacks, and proposed an improved ECC-based scheme that builds on the proposal of Lu et al. However, in the same year, Khatoon and Singh Thakur found that the scheme of Lee et al. is vulnerable to offline dictionary attacks, replay attacks, and other attacks.
Lattices are a promising tool for building postquantum cryptographic schemes and have been studied for this purpose for a long time. In 1997, the first lattice-based cryptosystem, constructed by Ajtai and Dwork, appeared, followed in 1998 by the NTRU cryptosystem of Hoffstein et al. In 2009, Gentry constructed the first fully homomorphic encryption scheme from lattice cryptography. In 2015, the postquantum cryptography report released by the National Institute of Standards and Technology (NIST) of the United States pointed out that, owing to the rapid development of quantum computing, the existing public key cryptography standards will no longer be safe against quantum computers. As early as 1997, Shor proposed a quantum algorithm that solves the integer factorization problem in polynomial time; therefore, many conventional cryptosystems, for instance those based on the integer factorization and discrete logarithm assumptions, face serious security challenges as quantum computation advances.
In recent years, many authentication protocols from lattices have been developed [28, 47–62]. In particular, many lattice-based key exchange protocols have been proposed [53–57], and some of them have been tested by Microsoft and Google as alternatives to the prequantum key agreement in the TLS handshake, which shows that lattice-based key exchange can be practical in many contexts and offers a credible alternative to schemes such as ECDH.
However, these existing lattice-based key exchange protocols [47, 63–66] are unsuitable for resource-constrained wireless environments, since they are built from LWE or RLWE. NTRU, first proposed by Hoffstein et al., is a lightweight public key encryption algorithm. Compared with other public key encryption mechanisms, NTRU has distinct advantages such as low memory and computation consumption and fast encryption/decryption and signature/verification. NTRU has been widely used in wireless environments such as wireless sensor networks, cellular networks [60, 61], and opportunistic networks because of its low computational cost. Therefore, it is a desirable tool for constructing a roaming authentication scheme for ubiquitous networks.
1.2. Motivation and Contributions
Although many authentication schemes have been proposed, improving both security and performance remains a challenge in developing a practical authentication scheme for roaming services in ubiquitous networks. Furthermore, the potential threat of quantum attacks makes it necessary to develop efficient quantum-resistant roaming authentication protocols. Motivated by this, a novel roaming authentication scheme based on NTRU is proposed in this paper. Our contributions are as follows:
(1) We put forward an NTRU-based authentication scheme with conditional anonymity that lets mobile users roam securely in ubiquitous networks; its most significant merit is resistance to quantum attacks.
(2) Formal and informal security analyses are conducted for the proposed scheme to demonstrate that it meets all the security requirements.
(3) Furthermore, we compare the computational and communication cost with existing schemes to show the feasibility and efficiency of the proposed scheme.
The rest of this paper is organized as follows. Section 2 introduces the basic knowledge of lattice and the NTRU public key encryption algorithm. Section 3 illustrates the scheme in detail. Section 4 presents the formal security proof for the proposed scheme. The comparison of performance and security characteristics of the proposed scheme are given in Section 5, and the paper is concluded in Section 6.
Definition 1. Given linearly independent vectors , the lattice generated by them is defined as follows:We say that the rank of the lattice is n and its dimension is and as a basis of the lattice. If we define B as matrix whose columns are , then the lattice generated by is(1)In equation (2), stands for ordinary matrix multiplication.(2)Lattice is a discrete additive group of , closed under addition operation, and there is space between points.
Definition 2. (the shortest vector problem ()). Given a lattice basis to find a nonzero lattice vector , so for all such that .
Definition 3. (the closest vector problem ). Given a lattice basis and a target vector , to find a lattice vector Bx that close to the target vector , so for all such that .
Both SVP and CVP are computationally hard problems. They are closely related: SVP reduces to CVP, so CVP is at least as hard as SVP, and no polynomial-time algorithm is known that solves either of them exactly in general lattices; the best known exact algorithms run in time exponential in the lattice dimension.
2.2.1. Definition of Algorithm
Definition 4. (polynomial ring). A polynomial with respect to over a ring has a form, , . A ring formed by a set of these polynomials is called a polynomial ring, denoted as , simply for short.
The parameters of NTRU consist of three integers and four sets , , , and of integer-coefficient polynomials of degree less than . The integers and need not be prime, but they must satisfy , and must be greater than . Define the polynomial ; if , it can be denoted as . Define as the multiplication operation over the polynomial ring; if , , and , then
Definition 5. (truncated polynomial ring). The system consisting of the convolution operation defined above together with the addition of ordinary polynomial rings is called the truncated polynomial ring.
The polynomial ring used in NTRU is truncated polynomial ring, denoted as , and is polynomial ring of modular . When performing the product result , we reduce all the polynomial coefficients by , so the result is in the ring .
2.2.2. Key Creation
The two communication parties are Bob and Alice. To generate a key, Bob randomly chooses two polynomials and ; the polynomial should have inverses modulo and modulo , and we will write these inverses as and :
Then, Bob computes the public key , and the private key pair of Bob is .
2.2.3. Encryption
Alice chooses her plaintext m from the set and a random polynomial from ; she then uses Bob's public key to encrypt the message and sends the ciphertext to Bob. In addition, to strengthen the feasibility and security of the scheme, this scheme adopts the encryption security enhancement variant proposed by Hoffstein and Silverman .
2.2.4. Decryption
Bob uses his private key to decrypt the ciphertext received from Alice. First, Bob computes the intermediate polynomial a by
The coefficients of a are chosen in the interval . Then, a is reduced modulo . Finally, Bob multiplies the result by his private key polynomial to recover the plaintext:
2.2.5. Parameter Choices
Message space is composed of polynomial of modular , where and
Similarly, other sample spaces can be described in the following way:
We choose three positive integers and then we use these symbols to denote polynomial : , , and
Since f must be invertible, the number of −1 coefficients must not equal the number of +1 coefficients: if the counts were equal, f(1) would be 0, so (x − 1) would divide f, and since (x − 1) also divides x^N − 1, f would share a nontrivial factor with the modulus and have no inverse in the truncated ring. This is why f is sampled with one more +1 coefficient than −1 coefficients, whereas g, r, and the message have no such constraint.
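The key creation, encryption and decryption of Sections 2.2.2–2.2.5, carried out end to end on toy parameters, as an added worked example (not code from the paper). It assumes the textbook NTRU parameters N = 7, p = 3, q = 41, d = 2 and the textbook keys f and g; q is taken prime here only so that one extended-Euclid inversion routine serves both moduli (NTRU itself needs only gcd(p, q) = 1 and q sufficiently larger than p), and the factor p is placed in the public key, h = p·Fq·g (mod q), with e = r·h + m (mod q). The inversion routine also shows the caveat above: a polynomial with equally many +1 and −1 coefficients, such as x − 1, has no inverse.

```python
"""Toy NTRU in the truncated ring Z[x]/(x^N - 1): key creation, encryption, decryption.

Added worked example, not the paper's code. Assumptions: N=7, p=3, q=41, d=2;
q prime so a single inversion routine serves both moduli; h = p*Fq*g (mod q).
Polynomials are coefficient lists, index i = coefficient of x^i.
"""
N, P, Q, D = 7, 3, 41, 2


def trim(a):
    """Strip high-order zero coefficients; [] is the zero polynomial."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mod(a, m):
    """Reduce every coefficient into [0, m) and trim."""
    return trim([c % m for c in a])


def poly_sub(a, b, m):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return poly_mod([x - y for x, y in zip(a, b)], m)


def poly_mul(a, b, m):
    """Ordinary (non-truncated) product in Z_m[x]."""
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return poly_mod(out, m)


def poly_divmod(a, b, m):
    """Long division a = q*b + r in Z_m[x] for prime m and b != 0."""
    a, b = poly_mod(a, m), poly_mod(b, m)
    inv_lead = pow(b[-1], -1, m)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        shift = len(a) - len(b)
        coef = (a[-1] * inv_lead) % m
        q[shift] = coef
        a = poly_sub(a, [0] * shift + [coef * c for c in b], m)
    return trim(q), a


def conv(a, b, m):
    """Star product in Z_m[x]/(x^N - 1): exponents wrap modulo N. Returns N coefficients."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % N] += x * y
    return [c % m for c in out]


def center(a, m):
    """Lift coefficients from [0, m) to the centred interval around zero."""
    return [((c + m // 2) % m) - m // 2 for c in a]


def invert(f, m):
    """Inverse of f in Z_m[x]/(x^N - 1) for prime m, or None if none exists.
    Extended Euclid on (x^N - 1, f), maintaining u with u*f = r (mod x^N - 1)."""
    r0, r1 = poly_mod([-1] + [0] * (N - 1) + [1], m), poly_mod(f, m)
    u0, u1 = [], [1]
    while r1:
        q, r = poly_divmod(r0, r1, m)
        r0, r1 = r1, r
        u0, u1 = u1, poly_sub(u0, poly_mul(q, u1, m), m)
    if len(r0) != 1:  # gcd(f, x^N - 1) is not a unit, e.g. when f(1) = 0
        return None
    return conv(u0, [pow(r0[0], -1, m)], m)


def keygen(f, g):
    """Bob's key creation: f must be invertible modulo p and modulo q."""
    Fp, Fq = invert(f, P), invert(f, Q)
    if Fp is None or Fq is None:
        return None
    h = conv([P * c for c in Fq], g, Q)  # public key h = p * Fq * g (mod q)
    return h, (f, Fp)                    # private key pair (f, Fp)


def encrypt(m, r, h):
    """Alice: e = r*h + m (mod q) with ternary message m and random ternary r."""
    return [(x + y) % Q for x, y in zip(conv(r, h, Q), m)]


def decrypt(e, f, Fp):
    """Bob: a = f*e (mod q) centred equals p*r*g + f*m exactly; reduce mod p, multiply by Fp."""
    a = center(conv(f, e, Q), Q)
    b = center([c % P for c in a], P)   # = f*m (mod p), centred
    return center(conv(Fp, b, P), P)    # = m, since m is ternary


# Constructed toy keys: f has d+1 = 3 coefficients +1 and d = 2 coefficients -1, g has d of each.
F = [-1, 0, 1, 1, -1, 0, 1]   # x^6 - x^4 + x^3 + x^2 - 1
G = [0, -1, -1, 0, 1, 0, 1]   # x^6 + x^4 - x^2 - x


def roundtrip(m, r):
    """Encrypt m under the toy public key with randomiser r and decrypt it again."""
    h, (f, Fp) = keygen(F, G)
    return decrypt(encrypt(m, r, h), f, Fp)


if __name__ == "__main__":
    msg, rnd = [1, -1, 1, 1, 0, -1, 0], [-1, 1, 0, 0, 0, -1, 1]
    print("recovered plaintext:", roundtrip(msg, rnd) == msg)
    print("x - 1 invertible mod p:", invert([-1, 1], P) is not None)  # False: f(1) = 0
```

Decryption is only guaranteed to succeed while every coefficient of p·r·g + f·m stays strictly inside the centred interval of width q; with these parameters the bound (6d + 1)p = 39 < 41 holds, which is the reason the page requires q to be larger than p. The parameters here are for illustration only and offer no security.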
3. Concrete Construction
3.1. System Model
This section illustrates the concrete construction of the proposed authentication scheme for mobile users roaming in ubiquitous networks. A ubiquitous network provides roaming services for mobile users, enabling them to obtain the extended services of their home agent whenever they enter a foreign agent's field, wherever they are [8–10]. In the proposed scheme, there are three types of entities:
(1) MU (mobile user): uses a mobile phone with a smart card to obtain services in the ubiquitous network.
(2) FA (foreign agent): provides roaming services for mobile users.
(3) HA (home agent): authenticates MU and FA.
When a mobile user (MU) enters the foreign agent area, MU should be authenticated under the collaboration between the home agent and the foreign agent. A general framework of roaming service is shown in Figure 1. MU has to register itself during the initialization of the system. Afterwards, with the help of HA, MU and FA can perform mutual authentication when necessary. Only when MU and FA confirm each other’s identities can they communicate with each other. In order to ensure the identity legitimacy of the involved entities and the message validity, a mutual authentication mechanism is designed to achieve authorization when realizing roaming service, and the message security is satisfied through key agreement protocol [3, 4, 25].
We describe the proposed protocol in ubiquitous networks as follows. Please refer to Table 1 for notation guide.
3.2. Registration Phase
The home agent (HA) authenticates the real identity of the roaming mobile user (MU) and the identity of the foreign agent (FA), and then sends the authentication results to FA and MU, respectively. Therefore, a mobile user must register with his home agent before roaming. Figure 2 shows the registration stage of the proposed scheme; its main steps are as follows:
(1) HA broadcasts the public parameters, then calculates its public key and sends it to the registering MU, where is HA's public key.
(2) MU randomly selects a random number and a legal login password , computes and , and sends to HA through a secure channel.
(3) After receiving the registration request from , ; if the verification holds, HA computes the identification of MU , where is the timestamp of MU's registration; no one except HA can forge or calculate . HA then stores the parameters in the smart card and issues the smart card to MU.
Assume that a symmetric key has previously been shared between the home agent and the foreign agent, and that each home agent keeps a list of public keys indexed by ID. The home agent (HA) has a list of public and private keys for the roaming users (MU) it serves, see Table 2, and a list of public and private keys for foreign agents (FA), see Table 3.
3.3. Login and Authentication Phase
As shown in Figure 3, once the mobile terminal has completed registration, it can perform the login and authentication process. In this process, the mobile terminal authenticates and negotiates a session key with the foreign agent with the help of the home agent:
(1) The mobile user MU first enters its real identity and password into the smart card; the smart card then computes and verifies . If the verification holds, the identity of MU is valid and the smart card allows the user to log in; otherwise, the smart card denies the login request. MU selects two random polynomials and , computes , encrypts and , , , and , computes , and sends to FA.
(2) When FA receives , it first verifies that the timestamp is valid. If so, it stores , retrieves the locally stored secret key shared with HA according to , computes , and sends to HA.
(3) When HA receives the message from FA, HA verifies the timestamp first and then verifies the validity of and :
① HA calculates the message verification code from the stored in HA and checks whether the equation holds; if it holds, HA believes is legitimate.
② HA uses its private key to decrypt and to obtain and , uses to look up the stored in HA, and verifies and ; if all equations hold, HA believes is valid.
③ HA selects a random polynomial , computes , , and , and sends to FA.
(4) After receiving from HA, FA decrypts and , computes , and checks whether the anonymous identity of MU received from HA equals the received in step (1). If it does, FA believes MU's anonymous identity is legitimate. FA then selects two random polynomials, computes , computes the session key , encrypts using the equations and , and finally sends to MU.
(5) After receiving from FA, MU obtains and by decrypting and , and verifies ; if it holds, MU trusts the legitimacy of FA. MU then computes and the session key . Finally, MU verifies ; if the equation holds, the session key negotiation is successful.
To facilitate understanding of the proposed protocol, the following three steps describe the calculation of public key generation, decryption, and key agreement in detail.
(1) Public key generation: following the key generation algorithm of Section 2.2.2, the three entities generate their own public keys as follows:
(2) Decryption: the entities decrypt the received ciphertexts with the NTRU decryption of Section 2.2. Here, we take and as examples to explain the decryption process.
① When HA receives , it first computes a temporary polynomial .
② Then, it performs the modulo p operation on to obtain .
③ Afterwards, it computes and to obtain and .
(3) Session key generation: with the help of HA, MU and FA trust each other; they then exchange secret parameters to compute the shared session key. Because , no one except MU and HA can compute or obtain and . Therefore, only MU and FA can generate the shared session key:
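The freshness and message-verification-code checks of steps (2) and (3)① above, as an added example that is not the paper's code: FA tags its forwarded request with the key it shares with HA, and HA rejects stale, tampered or replayed copies. The concrete tag construction is an assumption (the paper's formula is not reproduced on this page): HMAC-SHA256 over the FA identity, the timestamp and the forwarded MU request under the FA–HA shared key of Table 3. The replay cache is also an addition: a timestamp window alone lets a captured message be re-sent inside the window, so HA remembers the tags it has accepted until they age out of the window.

```python
"""Timestamp + MAC verification on the FA -> HA leg of the login phase.

Added example, not the paper's code. Assumptions: tag = HMAC-SHA256(K_FA-HA,
ID_FA | T_FA | forwarded request); HA tolerates SKEW_SECONDS of clock skew and
keeps a per-FA cache of accepted (T_FA, tag) pairs for that window.
"""
import hashlib
import hmac

SKEW_SECONDS = 30


def fa_tag(key: bytes, id_fa: bytes, t_fa: int, forwarded: bytes) -> bytes:
    """FA's message verification code over its identity, timestamp and the forwarded request."""
    msg = b"|".join([id_fa, str(t_fa).encode(), forwarded])
    return hmac.new(key, msg, hashlib.sha256).digest()


class HomeAgent:
    """HA side: the FA shared keys (Table 3) plus a short-lived replay cache per FA."""

    def __init__(self, fa_keys: dict):
        self.fa_keys = dict(fa_keys)   # ID_FA -> key shared with HA
        self.seen = {}                 # ID_FA -> set of accepted (T_FA, tag)

    def verify_fa_message(self, id_fa, t_fa, forwarded, tag, now):
        key = self.fa_keys.get(id_fa)
        if key is None:
            return "unknown FA"
        if abs(now - t_fa) > SKEW_SECONDS:            # step (2)/(3): timestamp check first
            return "stale timestamp"
        expected = fa_tag(key, id_fa, t_fa, forwarded)
        if not hmac.compare_digest(expected, tag):     # constant-time; plain == leaks timing
            return "bad MAC"
        cache = self.seen.setdefault(id_fa, set())
        cache.difference_update({(t, g) for t, g in cache if now - t > SKEW_SECONDS})
        if (t_fa, tag) in cache:                       # same valid message seen inside the window
            return "replay"
        cache.add((t_fa, tag))
        return "ok"


def scenario():
    """Constructed run: an honest forward, then a replay, a stale copy, a tampered copy, an unknown FA."""
    k_fa_ha = b"\x11" * 32                          # constructed shared key
    ha = HomeAgent({b"FA1": k_fa_ha})
    request = b"<encrypted MU login request>"       # constructed stand-in for MU's ciphertexts
    t0 = 1_700_000_000
    tag = fa_tag(k_fa_ha, b"FA1", t0, request)
    return [
        ha.verify_fa_message(b"FA1", t0, request, tag, now=t0 + 1),          # honest
        ha.verify_fa_message(b"FA1", t0, request, tag, now=t0 + 5),          # replayed
        ha.verify_fa_message(b"FA1", t0, request, tag, now=t0 + 120),        # too old
        ha.verify_fa_message(b"FA1", t0, request + b"x", tag, now=t0 + 1),   # tampered
        ha.verify_fa_message(b"FA9", t0, request, tag, now=t0 + 1),          # unknown FA
    ]


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

Checking the timestamp before the MAC is cheap and bounds how much work a flood of stale messages can cause, but the MAC check must still run on every in-window message, and the comparison must be constant-time; the order of the checks does not change the security outcome, only the cost.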
3.4. Password Update
To reduce the risk of password cracking, the scheme provides an operation for updating the user password. The password change phase is invoked by the mobile terminal, and the user performs the following steps on the smart card:
(1) The mobile user inputs his and ; the smart card computes and verifies whether ; if the equation holds, the user is logged in successfully; otherwise, the smart card terminates the login process.
(2) The user sends a request to update the login password according to the system prompt, and the smart card prompts the user for the new password after receiving the request.
(3) The user selects a new password and a new random number , computes , and replaces with .
3.5. Session Key Update
MU and FA need to renew the session key for security reasons if the user stays within the same FA for a long time. However, starting a new session to run the full key exchange protocol is time consuming. For the sake of both security and efficiency, we provide a session key update operation. If the roaming mobile user needs to update the session key previously established with the foreign agent, the following steps are performed, as shown in Figure 4.
MU randomly selects a polynomial from , computes , and sends to FA, where is the session key previously established with the foreign agent, is a timestamp, and is a flag marking the session key update request.
When the foreign agent FA receives the message from the roaming user MU, FA performs the following steps:
(1) Verifies , where is a timestamp.
(2) If the equation above holds, uses to decrypt and then verifies the legitimacy of .
(3) If is valid, FA selects a random polynomial from and computes , the new session key.
(4) FA computes and sends to MU.
When MU receives the message , MU verifies and , if they are valid then computes , and verifies ; if this equation holds, then the new session key is updated.
BAN logic model was first proposed by Burrows et al.  in 1990, which is a simple and powerful tool for analyzing the correctness of authentication schemes. In this section, we first describe the basic knowledge of the BAN logic model. Then, we will use the BAN logic model to analyze the correctness of the proposed protocol.
4.1.1. Definition of BAN Logic Model
(1) Notations and Semantics. In the following, we briefly describe the notations and semantics of the BAN logic model:
(1) and denote communication entities.
(2) denotes the session key shared by the communication entities.
(3) denotes the public key of a communication entity.
(4) and denote the secret keys of communication entities.
(5) and denote messages passed in the protocol.
(6) : believes that message is true.
(7) : once received a message containing .
(8) : once sent a message including .
(9) : has jurisdiction over (controls) .
(10) : the message is fresh.
(11) : and use the shared symmetric key to communicate with each other.
(12) : the ciphertext obtained by encrypting message with secret key .
(13) : the combination of and , where is a secret value whose presence represents the identity of the owner of .
(14) : the concatenation of and .
(15) : can be derived from .
(2) Inference Rules. To use BAN logic for the correctness analysis, we describe the relevant inference rules of the BAN logic model as follows:
(1) Message-meaning rule: if believes that is the key shared between and and receives a message encrypted with , then believes that once sent the message .
(2) Nonce verification rule: if believes that the message is fresh and also believes that once said , then believes that believes .
(3) Jurisdiction rule: if believes that has jurisdiction over and believes that believes , then believes .
(4) Freshness rule: if believes that is fresh, then believes that is fresh.
(5) Belief rule: if believes the message combination of and , then believes each individual message.
(6) Session key rule: if believes that the shared key is fresh and also believes that believes the message , then believes .
(7) Seeing rule: if receives a message and knows the key related to it, then receives the components of the message.
4.1.2. Correctness Analysis
The correctness of the scheme can be proved as follows:(1)Idealized protocol model:(1)(2)(3)(4)(2)Initial assumptions:
There are three communication entities in the proposed scheme: MU (mobile user), HA (home agent), and FA (foreign agent). The three entities generate all the authentication messages of the proposed scheme, so we need to make initial assumptions through three aspects.(1)MU: The above formula A1∼A6 means the following: A1: MU believes and own its own real identity A2: MU believes the anonymous its own identity A3: because MU registered to HA before authentication phase, so MU believes the real identity of HA A4: MU believes the random number it chooses A5: MU knows the public key of HA A6: MU owns its identity certificate because HA has computed and sent it to MU in the registration phase(2)HA: The above formula B1∼B8 means the following: B1: HA believes and owns its own real identity B2: HA believes the key shared with FA B3: because MU has sent to HA in the registration phase, so HA owns the real identity of MU B4: HA owns the public key of MU because MU once sent it to HA in the registration phase B5: HA owns identity certificate of MU because HA has computed in the registration phase B6: HA owns the real identity of FA(3)FA: The above formula C1∼C6 means the following: C1: FA believes and owns its own real identity C2: FA owns the real identity of HA C3: FA believes the random number it chooses C4: FA believes the key shared with HA(3)Goals to be achieved:
To provide secure and anonymous communication for legal mobile users in roaming services, there is a mutual authentication between the mobile user and foreign agent with the help of the home agent in the proposed protocol. Then, MU and FA generate a shared session key for the safety of subsequent communication. This means that the proposed scheme can achieve the goals listed above. In the following, we will give explanations for the goals listed above: G1: HA believes the real identity of FA G2: HA believes the anonymous identity of MU G3: FA believes that HA believes the anonymous identity of MU G4: MU believes that HA believes the real identity of FA G5: MU believes the shared session key between MU and FA, which means MU and FA generated the shared session key successfully G6: FA believes the shared session key between FA and MU, which means FA and MU generated the shared session key successfully
5. Correctness Verification
In this section, we analyze the proposed protocol using the BAN logic model to validate the security and correctness claim of the proposed protocol. The following are the detailed steps to prove that the proposed protocol can reach the goals shown above.
From the message , on verifying the timestamp of FA and applying Seeing rule , we obtain the following:
From V2 and B2, on applying Message-meaning rule , we obtain
From V4, on applying Freshness rule , we obtain
From V5 and V6, on applying Nonce verification rule , we obtain
From V7, on applying Belief rule , we obtain
From V1, on verifying the timestamp of MU and applying Seeing rule , we obtain
From B3, V11, V12, and V13, on verifying and applying Seeing rule , we can say
From V14, V15, and V17 Belief rule , we obtain
From message , on verifying the timestamp of MU applying Seeing rule , we obtain
From message , on applying Seeing rule and , we obtain
From C4, V19, and V24, on verifying and applying Message-meaning rule , we obtain
From V20, on applying Freshness rule , we obtain
From V25 and V29, on applying Nonce verification rule , we obtain
From message , on applying Seeing rule and , we obtain
From A4 and A6, MU verifies , and on applying Belief rule , we can obtain
Because is a random timestamp selected by MU, so we can say
From V37, on applying Freshness rule , we obtain
From V31, V32, and V33, on verifying and applying Belief rule , we can conclude
From V39 and V40, on applying Session key rule , we obtain
From V29, on applying Freshness rule , we obtain
From V28 and both FA, compute in the same way:
From V42 and V43, on applying Session key rule , we obtain
Thus, the proposed scheme reaches goals G1∼G6 through the analysis of the above steps, and it can be concluded that the proposed protocol provides mutual authentication and session key establishment.
5.1.1. Formal Security Proof
(1) Security Model. This section defines the security model of the lattice-based authentication protocol, which follows the model proposed by Bellare et al. [63–65]. The capability of the adversary is defined by a series of oracle queries and security assumptions. runs an interaction experiment by making a series of oracle queries to any participant instance of the protocol , and is thereby given the ability to attack the protocol. Security of the key exchange means that no polynomial-time adversary making random oracle queries can distinguish the session key generated by honest protocol participants from a random string. An honest protocol participant U has several instances and can execute the protocol concurrently. The adversary interacts with the instances of the honest players through the following oracles:
(i) : the hash query to the random oracle. If the query is already in the hash table, the oracle returns the recorded result; otherwise, it chooses a random number r, records () in the hash table, and returns r.
(ii) : this query models the adversary's ability to eavesdrop passively on the protocol: can observe an honest protocol execution. The output consists of the messages exchanged during that execution.
(iii) : this query models the adversary's ability to attack the protocol actively: can intercept a message and modify it, or simply forward it to a target instance. The input is the message sent by the adversary to , and the output is the corresponding message generated by in response to .
(iv) : this query models the adversary's ability to corrupt the protocol participant U and returns the user's password.
(v) : returns the session key held by . This query models session key leakage.
(vi) : this query relates to the semantic security of the session key SK and is made after has made the other queries. The oracle selects a random bit .
If , the oracle returns a random value of the same length as the session key, and if , the oracle returns the real session key held by .
Semantic security: considering executes the key exchange protocol P, interacts with Execute, Send, Reveal, and Test oracles, and finally outputs the bit value as a guess of b. If , the adversary is considered successful. Let Succ denote the event that the adversary is successful. Then, the advantage of the adversary successfully breaking the protocol P is defined as follows:
This authenticated key exchange protocol is considered secure if is negligible.
(2) Security Proof.
Theorem 1. An adversary makes , , , and queries of type , , , and in time , respectively, and queries to the random oracles:
Proof. We use seven experiments , ,…, , to prove the security of the protocol, which has , and is negligible values in .
. This experiment represents an original protocol execution.