Abstract

Authentication is the first line of defence preventing malicious entities from accessing smart mobile devices (SMD). Many cryptographic primitives are available for designing authentication protocols, and the oblivious transfer () protocol is one of the most important of them. The first lattice-based framework under the universal composability (UC) model was built from dual mode encryption, which prompted us to look for an alternative, more efficient scheme. We note that the “lossy encryption” scheme is an extension of dual mode encryption and can be used to design UC-secure protocols, but investigations of via lossy encryption over lattices are absent. Hence, in order to obtain an efficient authentication protocol by improving the performance of the UC-secure protocol, in this paper we first design a multibit lossy encryption scheme under the decisional learning with errors () assumption and then design a new variant of UC-secure protocol for authenticated protocols via this lossy encryption scheme. Our protocol is secure against semihonest (static) adversaries in the common reference string (CRS) model within the UC framework.

1. Introduction

Oblivious transfer () is an important cryptographic primitive which can be used for designing secure multiparty computation and privacy-preserving schemes, such as authenticated key exchange and password-based authenticated key exchange (PAKE) [1]. Authentication is the first line of defence against unauthorized access by illegitimate entities (both devices and users). Very recently, privacy-preserving issues for smart mobile devices (SMD), the Internet of things (IoT), wireless sensor networks (WSNs), and cloud storage auditing have been attracting public attention [24]. Hence it is becoming more important to protect private information in mobile computing environments by means of authentication [5, 6]. However, the literature on how to use the basic cryptographic primitive to design authentication protocols is relatively scarce, and research on improving the performance of the primitives is scarcer still. Thus, with a view to designing efficient authentication protocols in the future, this paper focuses on how to improve the performance of universally composable (UC-) secure protocols via lattice-based cryptography.

To our knowledge, the protocol was originally proposed by Rabin [7]. Since then, various cryptographic schemes and protocols have been designed using , e.g., [1, 8]. Informally speaking, there are two players in an protocol, the sender and the receiver . The sender can send two (or more) values to the receiver, but does not learn which value the receiver obtains; the receiver learns only the received value and remains oblivious to the other values. In a word, each party is oblivious to the other’s true behaviour.

Importantly, Gertner et al. [9] pointed out the relationship between public key encryption schemes and the protocol at FOCS’00. In some indistinguishability against chosen plaintext attack (IND-CPA) secure schemes, if the public key generated by the key generation algorithm is indistinguishable from a public key sampled from the uniform distribution, then the scheme can be used to design an protocol [9]. In this setting, Peikert, Vaikuntanathan, and Waters [10] constructed an efficient, universally composable, and generally realizable via “dual mode encryption” under worst-case lattice assumptions at CRYPTO’08. Loosely speaking, there are two types of public keys in dual mode encryption. The first type is the injective key: it is a real public key and behaves normally. The second type is the “lossy” or “messy” key: it is a lossy public key and loses some information about the plaintext. Moreover, dual mode encryption has two important properties. The first is statistical closeness; namely, the distributions of ciphertexts for any two plaintexts under a lossy key are statistically close. The second is computational indistinguishability; namely, the injective key is computationally indistinguishable from the lossy key. (Importantly, no efficient adversary can tell the difference between normal keys and lossy keys.)

Along this line, the notion of “lossy encryption” was proposed by Bellare, Hofheinz, and Yilek (BHY) [11] at EUROCRYPT’09. Lossy encryption is an extension of meaningful/meaningless encryption [12] and dual mode encryption [10]. In a nutshell, a “lossy” (or “messy” in [10]) cryptosystem also has two modes according to the two types of public keys. Concretely, (1) in the normal mode, the ciphertext is generated by encrypting the plaintext under an injective key; (2) in the lossy (or “messy”) mode, the ciphertext is independent of the plaintext. The openability property was proposed in [11]: a ciphertext generated under a lossy key can be opened to any plaintext by a possibly inefficient algorithm. Meanwhile, the injective key is computationally indistinguishable from the lossy key. Our work follows this line, and we embark on the following question: How to design a (string) protocol via multibit lattice-based “lossy encryption” rather than “dual mode encryption”?

To address this question, we note that after Shor [13] gave polynomial-time solvers for discrete logarithm and integer factorization in the nonclassical quantum computation model, most researchers have sought alternative computational assumptions; thus lattice-based cryptography (e.g., learning with errors, ) has drawn attention. Over the last decade, lattices have emerged as a very attractive foundation for cryptography. In particular, the Regev scheme [14] and the Gentry-Peikert-Vaikuntanathan (GPV, a.k.a. dual Regev) scheme [15] are important lattice-based schemes that remain secure even against quantum computer attacks.

From the above observations, and inspired by the work of Peikert et al. [10], we work along this line and construct a multibit -based lossy encryption scheme which has two types of public keys.

1.1. Our Contributions and Techniques Overview

Although many would consider the protocol a breakthrough for multiparty computation, protocols are nowadays plagued by several well-known pain points, among which performance (string ) and security (postquantum attacks) are perhaps the most visible and most often debated. Most existing protocols rely on a variety of standard number-theoretic assumptions; only a few works design the protocol under worst-case lattice assumptions, such as [10, 16, 17]. Here we fill in some of the missing details of the high-level description.
(1) We use the lossy encryption scheme to replace dual mode encryption, and then design the protocol via lossy encryption over lattices. More concretely, Peikert et al. [10] proposed the framework of the protocol using dual mode cryptography. Lossy encryption is an extension of meaningful/meaningless encryption [12] and dual mode encryption [10] and has the obvious property of two types of public keys. The crux of the issue is how to obtain a multibit lossy encryption scheme. In this paper, we construct lossy encryption via a multibit Gentry-Peikert-Vaikuntanathan (, a.k.a. dual Regev) scheme, i.e., the scheme. In particular, the public key in consists of many instances rather than a single matrix of instances.
(2) Moreover, we design a multibit public key encryption scheme (i.e., the scheme) by following the methodology of Li et al. [18]. The semantically secure multibit public key encryption scheme via the subset sum problem () proposed by Lyubashevsky et al. [16] and the multiple-secret Gentry-Sahai-Waters scheme via the assumption proposed by Li et al. [19] prompted us to explore the use of a public key consisting of a sequence of instances. Importantly, the public matrix contains many instances, each of which is used to protect one secret key. In this setting, the decrypter can decrypt the plaintext in a bit-by-bit manner.
(3) Lastly, we explore the potential application of our UC-secure OT protocol to PAKE in SMDs. To our knowledge, PAKE is an important tool for designing authentication protocols, which can help SMDs enforce adequate user authentication and prevent unauthorized use of an unattended or lost device. Inspired by the OT-based PAKE of [1], extending our multibit OT protocol via lossy encryption to multibit PAKE is a natural result. This solution is aimed at helping us apply SMDs for authentication and other security services.

1.2. Paper Organization

In Section 2 we formally define and present some related notations. In Section 3 we describe our multibit encryption scheme (hereafter ) via the assumption. In Section 4 we describe our lossy encryption scheme (hereafter ) via the scheme. In Section 5 we describe an oblivious transfer protocol via the constructed scheme. In Section 6, we explore the potential application to PAKE in SMDs. Finally, we conclude in Section 7.

2. Preliminaries

Below, we introduce some necessary notations.

2.1. Notation

Throughout the paper, vectors are denoted by bold lower-case letters, e.g., , and matrices are denoted by upper-case letters, e.g., . The matrix contains linearly independent vectors. The basis can be used to generate the -dimensional lattice as follows:

Below we give a variant of leftover hash lemma.

Lemma 1 (see [20] Lemma 2.1). We denote the statistical distance between the distributions and by . Suppose the parameters satisfy the following conditions: , , , , is a uniform random matrix over , and . Then we have that

2.2. Gaussian Distribution

We denote the truncated discrete Gaussian distribution over with parameter by and let be -bounded.

Remark 2. If we define , then . Throughout the paper, we suppose . Therefore, if , then we have, on average, that .

2.3. Learning with Errors

Definition 3 (LWE distribution). The distribution over is sampled by sampling uniformly, choosing , and outputting for a secret vector .

Below we describe the decision version.

Definition 4 (decision-). Sample samples independently over . The following two distributions are indistinguishable (no efficient distinguisher has nonnegligible advantage): the samples , and samples drawn from the uniform distribution.

2.4. Inhomogeneous Short Integer Solution

In this subsection, we review the Inhomogeneous Short Integer Solution (ISIS) problem as follows.

Definition 5 (ISIS). Given an integer , a public matrix , a vector , and a real , find an integer vector such that and .

2.5. Lossy Encryption

Definition 6 ((perfectly) lossy encryption [21]). An encryption scheme is called “lossy” if there exists a probabilistic polynomial time () algorithm that takes as input and outputs such that
(i) the distribution is computationally indistinguishable from that of a public key generated by ;
(ii) for every two equal-length messages and , the distributions and are identically distributed for every .

Remark 7. If an encryption scheme is lossy then it is semantically secure.

It is given by a tuple of algorithms . The details are as follows:
(i) takes as input a security parameter and outputs either the real public key along with the secret key or the injective key.
(ii) takes as input and outputs a lossy public key and instead of , i.e., .
(iii) takes as input either or and a message and outputs a ciphertext .
(iv) takes as input a secret key and a ciphertext and outputs either a message or .

Lemma 8 (see [15]). For all but a fraction of all matrices over , and for any and , the distribution of is statistically close to uniform over , where .

Lemma 9 (see [22]). Let be a distribution over with min-entropy . If is a uniform matrix and is sampled from the distribution , then for any and the joint distribution of is -close to the uniform distribution over .

Lemma 10 (see [22]). Consider a distribution “Lossy” for . Given and , there exists for . The Lossy distribution is sampled as follows:
(i) Choose , , and , where and .
(ii) Let .
(iii) Output .

2.6. The Universal Composability (UC) Framework

The UC framework first defines an environment machine and then uses this machine to oversee the execution of a protocol in one of two worlds. A detailed description of the executions was presented by Canetti [23]; there are two world ensembles, and , for the real world and the ideal world, respectively.

Definition 11 (see [10] Def. 2.1). A protocol UC-realizes a functionality if there exists a simulator for any adversary such that for all environments .

3. Multibit GPV Scheme

This paper aims to obtain an efficient multibit OT protocol via multibit lossy encryption. Before designing the multibit lossy encryption scheme, we first show how to obtain its building block, the multibit GPV scheme. Below, we follow the multibit FHE framework of Li et al. [22] and develop the multibit GPV scheme. Notably, most existing -based encryption schemes focus on enriching the functions of the single-bit encryption originally proposed by Regev [14], such as chosen-plaintext attack () secure schemes [10, 24], chosen-ciphertext attack () secure schemes [25, 26], fully homomorphic encryption () schemes [20], and oblivious transfer [10, 17].

Notably, several recent works (such as [10, 27]) have formally shown the properties of multibit encryption. A multibit Regev [14] scheme was provided by Peikert et al. [10], called the “packed ciphertext method”, and was used as a crucial tool to construct multibit schemes [27]. Similarly, many works extended the Gentry-Peikert-Vaikuntanathan () scheme to the multibit setting in the same way [18]. Along this line, Lindner and Peikert [24] considered a new scheme in the multibit setting, where it is possible to encrypt multiple bits at one time, making it even more efficient. However, all of the mentioned schemes are constructed by a straightforward concatenation method, which yields inefficient performance. An important question arises naturally: Is it possible to explore a new method to design multibit encryption under the assumption instead of straightforward concatenation?

We formally explore this question in this section, and we believe that the multibit GPV scheme based on a public key with a sequence of instances might offer many advantages over other approaches. The main ideas behind our method for designing the scheme are described in the following subsections.

3.1. Scheme

Below we describe the scheme and its properties.
(i) :
(1) Take as input and output the common parameter , and let . We remark that this algorithm is identical to the GPV [15] scheme except that we let a parameter be the number of secret keys.
(ii) :
(1) Sample , and output , where the -th position is .
(2) Choose a matrix and compute ; then set .
(3) Output and .
(iii) :
(1) Set , and define .
(2) Sample , then choose .
(3) Compute , where the size of the ciphertext is .
(iv) :
(1) To make the structure of the secret key matrix clear to the reader, its detailed form is as follows:
(2) Then compute and output . We note that the magnitude of the vector can be regarded as being of the form for . If , then set ; otherwise set . Output .

Remark 12. We stress that the ciphertext can be decrypted in a bit-by-bit manner. Once we have the secret key matrix , we can choose the -th column of to recover the -th bit of the plaintext. In more detail,
(1) we use the -th column vector of to get the -th bit of the message;
(2) compute and output . If , then set ; otherwise set . Output .

3.2. Correctness

In this subsection, we analyze the magnitude of the noise.

Lemma 13 (correctness). Suppose the decryption algorithm decrypts in a bit-by-bit manner. If the ciphertext is decrypted under the -th column secret key , then we have that with . Hence, for the secret key matrix , we get the following result: with . Hence, there exists .

Proof. Consider the parameters and (where ). Thus, we can get with ; the norm of is bounded by , where denotes the norm of the error elements. Hence, we can easily obtain the result for .

3.3. Security

Theorem 14. Consider the following two distributions and :
(i) the distribution is the distribution of matrices on , where is a uniform matrix for all , , and is sampled from ;
(ii) the distribution is the uniform distribution on .
If the - assumption is hard for the parameters , , , and being an integer, then the distribution is computationally indistinguishable from .

The following theorem formalizes the key result used to show the security of the scheme; we prove that the scheme is secure by using Theorem 14.

Theorem 15. If the assumption and assumption hold for the parameters , then the scheme is -secure.

Proof. The high-level proof is as follows:
(i) Firstly, armed with the assumption, the matrix is computationally indistinguishable from a uniform random matrix by applying Theorem 14.
(ii) Secondly, the matrix is indistinguishable from uniform under the assumption and the leftover hash lemma. This concludes the proof of the theorem.

3.4. Oblivious Transfer via

In this subsection, we instantiate the protocol under the assumption , which provides security for the sender against an honest-but-curious receiver and security for the receiver against a cheating sender.

The OT protocol contains two phases, as shown in Figure 1: the initialization phase (i.e., ) and the transfer phase (i.e., ) [10].
(i) The phase: the sender owns two elements and . The receiver samples a choice bit .
(ii) The phase:
(1) At the beginning of each transfer, the receiver has an input choice bit ; he invokes the algorithm and obtains a pair , then draws a vector as from the distribution , and sends the pair to the sender .
(2) Upon receiving the pair , the sender takes the two elements and and invokes the algorithm to encrypt them under the respective keys, then outputs the ciphertexts and and sends them back to the receiver .
(3) Upon receiving the pair , the receiver invokes the algorithm and outputs .

3.5. Security

The protocol is a simple application of scheme.

Theorem 16 (see [16] Theorem 5.2). We say that the OT protocol is secure for the receiver if the problem is hard.

Proof. The security proof is simple, so we omit the details and refer the reader to the proof of Theorem 5.2 of Lyubashevsky et al. at TCC’10 [16].

Theorem 17 (see [16] Theorem 5.3). We say that the above OT protocol is secure for the sender against an honest-but-curious receiver, if the assumption is hard for the input message length of the sender.

Proof. The detailed proof can be found in Theorem 5.3 of Lyubashevsky et al. at TCC’10 [16].

4. Lossy Encryption ( Scheme)

The notion of “lossy encryption” was proposed by Bellare-Hofheinz-Yilek (BHY) [11]. Lossy encryption is an extension of meaningful/meaningless encryption [12] and dual mode encryption [10]. At a high level, a “lossy” (or “messy” in [10]) cryptosystem also has two modes according to the two types of public keys. Concretely, (1) in the normal mode, the ciphertext is generated by encrypting the plaintext under an injective key; (2) in the lossy (or “messy”) mode, the ciphertext is independent of the plaintext. The openability property was proposed in [11]: a possibly inefficient algorithm can open a ciphertext generated under a lossy key to any plaintext. Meanwhile, the injective key is computationally indistinguishable from the lossy key.

4.1. Multibit Lossy Encryption Scheme

Gentry et al. [15] proposed the dual Regev scheme to design identity-based encryption () in the random oracle model. Then, Agrawal et al. [28] used it to design an scheme in the standard model. In this paper, we construct the -based lossy encryption scheme from the multibit scheme. However, the encryption process differs from : in our construction, we sample the noise vector only once rather than twice as in the scheme. The concrete construction is as follows:
(i) :
(1) Set and security parameter . By Lemma 10, we set , , , , , , and . To satisfy these requirements, should be superpolynomial in the security parameter ; moreover, as described in the scheme.
(2) Output and , where .
(ii) :
(1) For , , and so we have that . Composing all of them together, we have that .
(2) Hence, .
(3) Output as described above.
(iii) :
(1) Choose , , , and , where .
(2) Output , .
(iv) :
(1) Denote .
(2) Choose random vectors , .
(3) Compute and output the ciphertexts: .
(v) : Compute and output .

In order to construct the oblivious transfer, we need to design a verification algorithm for the sender , which is similar to the in [10]; the sender uses to verify whether the public key from the receiver is or . In more detail:
(i) : for , the key generation takes a chosen decryptable branch as a parameter, and the resulting secret key corresponds to branch of the public key . Then, we use to distinguish the two messages. Messages encrypted on branch can be decrypted using , while those on the other branch cannot.

Below, we show that this scheme fulfills the properties of lossy encryption.

Proposition 18 (correctness on real keys). For all generated by and every message , the algorithm recovers the correct message with overwhelming probability.

We remark that, with the parameters and as set in [15], decrypts correctly with overwhelming probability (over the random choices of and ).

Proposition 19 (lossiness of encryption with lossy keys). In more detail, parse the public key as and . By Lemma 10, since , and by Lemma 9, given , is -close to . When , given . Therefore, given , i.e., for any lossy keys generated by and any two messages , the following holds:

Proposition 20 (indistinguishability between real public keys and lossy public keys). is , and is . Since , by Lemma 8, sample and . Under the hardness of LWE, , i.e., and are computationally indistinguishable.

5. OT via Lossy Encryption

In this section, inspired by the UC-secure OT protocol of David et al. [21] via lossy encryption under the McEliece assumption from code-based cryptography, we present a UC-secure OT protocol via lattice-based lossy encryption under the and assumptions.

5.1. Our Construction: UC-Secure for Ideal Functionalities

Before describing our construction, we first define the ideal functionalities and . The CRS functionality outputs a string with a fixed distribution, as depicted in Algorithm 1.

 is parameterized by an algorithm and can interact with parties .
(i) Upon receiving a command from the party , first let , then
send the message to and send the message to the adversary;
(ii) Upon receiving a command from the party (and only ), send
and the adversary the message , and halt.

As shown in Algorithm 2, the two-party functionality involves a sender with input and a receiver with input . Importantly, the functionality captures the requirements of the specification.

 interacts with a receiver and a sender .
(i) Upon receiving a command from , store the pair for
. (Notably, the length of the string is fixed and known to all parties);
(ii) Upon receiving a command from , check whether was
previously sent; if so, send the message to , send the adversary the
message , and halt. Otherwise, send nothing to .

5.2. Our Construction: from Lossy Encryption

Below we describe our main contribution, a variant protocol from lossy encryption, in Figure 2.

Simulating the communication with : the simulator writes every input value from onto the input tape of the adversary , and copies every output value written by to its own output tape. The environment can read the output tape.

Simulating the case where is corrupted: simulates the view of the receiver regardless of the mode of the protocol, and does the following: it runs the algorithm in messy mode and lets . If the parties query the , then it obtains the feedback .
(i) Once the adversary generates a message , extracts the choice bit of the corrupted receiver and lets , then sends the command to , returns the output to , and stores it along with .
(ii) Once the dummy simulator is activated by the command , simulates the behaviour of , looks up the corresponding bit for and , then computes and and sends to .

Simulating the case where is corrupted: does the following regardless of the mode of the protocol: it runs the real (injective) mode algorithm and lets . If the parties query the ideal functionality , then returns to them.
(i) Once the dummy is activated on by the command , simulates the behaviour of , computes and , and then sends to and stores .
(ii) When replies with a message , looks up the corresponding and , computes for each , and returns to .

Simulating the remaining cases: once both parties are corrupted by the adversary, runs . More concretely, internally runs on input ; meanwhile, it runs the honest on input and the honest regardless of which party is corrupted. When the corresponding dummy party is activated in the ideal execution, activates the appropriate algorithm and delivers all messages between its internal and .

Claim. If corrupts in an execution of , i.e., in lossy mode, then we have

Proof. Below we give a formal proof. In more detail:
(i) The real world execution can be viewed as the following game.
(a) Firstly, obtain by invoking the algorithm .
(b) Secondly, the environment can schedule subsessions arbitrarily. In each subsession,
(1) can choose an arbitrary message for the honest sender ;
(2) the honest sender sends the ciphertext for each to .
(ii) The ideal world execution can be viewed as the following game.
(a) Firstly, obtain by running the algorithm .
(b) Secondly, the environment schedules subsessions arbitrarily. In each subsession,
(1) can input an arbitrary and an arbitrary input message for the dummy sender ;
(2) can run the verification algorithm on and learn from . It then sends and .
We stress that the only difference between the ideal world execution and the real world execution is the generation of in each subsession. But by the lossy key generation in Proposition 19, the above two games are statistically indistinguishable.

Claim. If corrupts in an execution of (i.e., in real mode), then we have

Proof. Below we give a formal proof. In more detail:
(i) The real world execution can be viewed as the following game.
(a) Firstly, .
(b) Secondly, the environment arbitrarily schedules some number of subsessions. In each subsession,
(1) chooses an input for the honest , who generates and sends , to ;
(2) then proceeds arbitrarily to the honest outputs .
(ii) The ideal world execution can be viewed as the following game.
(a) Firstly, .
(b) Secondly, the environment arbitrarily schedules subsessions. In each subsession,
(1) outputs an arbitrary which is not known to ;
(2) then runs and and sends , to ;
(3) lastly, receives the arbitrary ciphertext tuple from .

Remark 21. The dummy entity queries the value of from the ideal functionality, and then the simulator provides the messages .

The only difference between the two games is the method of generating the public and secret keys. The above two games are statistically indistinguishable by the lossy key generation in Proposition 20.

Claim. There exists the following result: for any protocol in the -hybrid model.

Proof. In the lossy encryption, the output of is computationally indistinguishable from by the indistinguishability of modes. Moreover, can run the protocol and receive a polynomial number of samples from either or . Thus, the above two executions are indistinguishable by a standard hybrid argument.

5.3. Performance

Lattice-based cryptography has recently been the subject of intense research, bringing groundbreaking advances to the understanding of the underlying questions. One of the main characteristics of lattice-based cryptography is its worst-case to average-case reductions, which provide stronger security against quantum computer attacks. In this paper, we construct a lossy encryption scheme via a variant of the multibit scheme, and then construct universally composable secure protocols based on the assumption by utilizing the lossy encryption as the building block. Below, a comparison of some related works with our scheme is provided in Table 1.

As shown in Table 1, we can easily draw the following conclusion. We follow the methodology of Li et al. [18] and design a multibit public key encryption scheme, i.e., the scheme. Importantly, the public matrix contains many instances, each of which is used to protect one secret key. In this setting, the decrypter can decrypt the plaintext either in a bit-by-bit manner or all at once. Meanwhile, comparing the ciphertext size of the PVW scheme [10] with ours, it is easy to see that the two schemes have ciphertexts of the same size . Although the public key size of PVW depends on the parameter and our scheme’s public key size depends on , the bit decryption of our scheme allows flexible decryption (i.e., multibit decryption), which makes our scheme more practical in reality.

6. Potential Application: Password-Based Authenticated Key Exchange for Smart Mobile Devices

Nowadays, SMDs, IoT devices, and WSNs within the workplace are expanding rapidly. Obviously, these devices are becoming important tools that offer competitive advantages for the mobile workforce. But the information they can access remotely may also be endangered. In this case, enabling user authentication for SMDs is the first line of defence to keep out malicious unauthorized users.

Most related works [5, 29] focus on how to use PAKE as the basic tool to achieve authentication for SMDs. In particular, Wei et al. [5] proposed a PAKE protocol for wireless body area networks. He et al. [29] proposed an authentication protocol for mobile wireless networks with conditional privacy preservation. However, to our knowledge, related works on lattice-based PAKE for SMD authentication are limited. Hence, in this section, we explore how to implement PAKE via our OT protocol. Because the details of the design and implementation are beyond the scope of this paper, we only give a brief description of the technical line as follows. Following the technical line of Canetti et al. [1], we first realize OT-based PAKE via the LWE assumption instead of the computational Diffie-Hellman (CDH) assumption and the hardness of factoring. Next, we can extend the PAKE protocol to privacy-preserving authentication schemes for SMDs.

7. Conclusion

In this paper, we have investigated one of the hot but hard topics in the authentication of SMDs, IoT devices, and WSNs. As an important building block, can be used for designing privacy-preserving authentication protocols. Thus, we focus on the important question of how to design an efficient UC-secure OT protocol for PAKE which can be used to achieve authentication for SMDs. An important question that remains is how to implement OT-based PAKE under the LWE assumption following the brief technical line presented here. Meanwhile, we believe that this result enriches the postquantum protocols. It also remains open whether lossy encryption and its variants can yield security against adaptive adversaries. We leave these topics for future research.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The research was supported by the National Natural Science Foundation of China (nos. 61802214 and 11701187) and the PhD Start-up Fund of the Natural Science Foundation of Guangdong Province of China (no. 2017A030310522).