Abstract
This paper presents a novel yet efficient secret-key authentication protocol and MAC with a post-quantum security promise, whose security is reduced to the conjectured quantum-safe hardness of the Mersenne Low Hamming Combination (\(\mathsf {MERS}\)) assumption recently introduced by Aggarwal, Joux, Prakash, and Santha (CRYPTO 2018). Our protocols are well suited to weak devices such as smart cards and RFID tags.
Houda Ferradi—This work was done while the first author was at NTT Secure Platform Laboratories – Tokyo
Notes
1. Later, Katz, Shin, and Smith gave simplified security proofs of them [26].
2.
3. For example, n can be 2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, 19937, 21701, 23209, 44497, 86243, 110503, 132049, 216091, 756839, 859433, and so on. Mersenne-756839 employed \(n = 756839\) and Ramstake employed \(n = 216091\) and 756839.
4. In the original definition, a is chosen from \(\{0,1\}^n\). This change introduces only negligible distance.
5. The Mersenne Low Hamming Ratio Assumption states that, given an n-bit Mersenne prime \(p=2^n-1\) and an integer h, any PPT adversary cannot distinguish between \(F/G \bmod {p}\) with \(F, G \leftarrow _{\$}\mathfrak {H}_{n,h}\), and \(R \leftarrow \mathbb {Z}_p\) with non-negligible advantage.
References
[1] Aggarwal, D., Joux, A., Prakash, A., Santha, M.: A new public-key cryptosystem via Mersenne numbers. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 459–482. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_16
[2] Aggarwal, D., Joux, A., Prakash, A., Santha, M.: Mersenne-756839. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
[3] Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
[4] Armknecht, F., Hamann, M., Mikhalev, V.: Lightweight authentication protocols on ultra-constrained RFIDs - myths and facts. In: Saxena, N., Sadeghi, A.-R. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 1–18. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13066-8_1
[5] Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
[6] Bernstein, D.J., Lange, T.: Never trust a bunny. In: Hoepman, J.-H., Verbauwhede, I. (eds.) RFIDSec 2012. LNCS, vol. 7739, pp. 137–148. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36140-1_10
[7] Beunardeau, M., Connolly, A., Géraud, R., Naccache, D.: On the hardness of the Mersenne low hamming ratio assumption. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 166–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_9
[8] Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_24
[9] Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003). https://doi.org/10.1145/792538.792543
[10] de Boer, K., Ducas, L., Jeffery, S., de Wolf, R.: Attacks on the AJPS Mersenne-based cryptosystem. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 101–120. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_5
[11] Bos, J.W., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Efficient SIMD arithmetic modulo a Mersenne number. In: Proceedings of the 2011 IEEE 20th Symposium on Computer Arithmetic, ARITH 2011, pp. 213–221. IEEE Computer Society, Washington, DC (2011). https://doi.org/10.1109/ARITH.2011.37
[12] Bringer, J., Chabanne, H., Dottax, E.: HB\(^+\): a lightweight authentication protocol secure against some attacks. In: Proceedings of the Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, SECPERU 2006, pp. 28–33. IEEE Computer Society, Washington, DC (2006). https://doi.org/10.1109/SECPERU.2006.10
[13] Cash, D., Kiltz, E., Tessaro, S.: Two-round man-in-the-middle security from LPN. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 225–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_10
[14] Coron, J.S., Gini, A.: Improved cryptanalysis of the AJPS Mersenne based cryptosystem. In: Number-Theoretic Methods in Cryptology 2019 - NutMiC 2019 (2019). https://eprint.iacr.org/2019/610
[15] Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_22
[16] Duc, D.N., Kim, K.: Securing HB\(^+\) against GRS man-in-the-middle attack. In: SCIS 2007, The 2007 Symposium on Cryptography and Information Security, pp. 2B3-4. IEICE, Sasebo, 23–26 January 2007
[17] Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17
[18] Ferradi, H., Naccache, D.: Integer reconstruction public-key encryption. Cryptology ePrint Archive, Report 2017/1231 (2017). https://eprint.iacr.org/2017/1231
[19] Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
[20] Gilbert, H., Robshaw, M.J.B., Seurin, Y.: Good variants of HB\(^+\) are hard to find. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 156–170. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85230-8_12
[21] Gilbert, H., Robshaw, M.J.B., Seurin, Y.: HB\(^{\#}\): increasing the security and efficiency of HB\(^{+}\). In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 361–378. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_21
[22] Gilbert, H., Robshaw, M.J.B., Sibert, H.: Active attack against HB\(^+\): a provably secure lightweight authentication protocol. Electron. Lett. 41(21), 1169–1170 (2005). https://doi.org/10.1049/el:20052622. https://eprint.iacr.org/2005/237
[23] Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., Pietrzak, K.: Lapin: an efficient authentication protocol based on ring-LPN. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 346–365. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_20
[24] Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_4
[25] Juels, A., Weis, S.A.: Authenticating pervasive devices with human protocols. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 293–308. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_18
[26] Katz, J., Shin, J.S., Smith, A.: Parallel and concurrent security of the HB and HB\(^+\) protocols. J. Cryptol. 23(3), 402–421 (2010). https://doi.org/10.1007/s00145-010-9061-2
[27] Kiltz, E., Pietrzak, K., Cash, D., Jain, A., Venturi, D.: Efficient authentication from hard learning problems. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 7–26. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_3
[28] Kiltz, E., Pietrzak, K., Venturi, D., Cash, D., Jain, A.: Efficient authentication from hard learning problems. J. Cryptol. 30(4), 1238–1275 (2017). https://doi.org/10.1007/s00145-016-9247-3
[29] Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_24
[30] Lyubashevsky, V., Masny, D.: Man-in-the-middle secure authentication schemes from LPN and weak PRFs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 308–325. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_18
[31] Mol, P., Tessaro, S.: Secret-key authentication beyond the challenge-response paradigm: definitional issues and new protocols. Unpublished manuscript (2012). https://homes.cs.washington.edu/~tessaro/
[32] Munilla, J., Peinado, A.: HB-MP: a further step in the HB-family of lightweight authentication protocols. Comput. Netw. 51(9), 2262–2267 (2007). https://doi.org/10.1016/j.comnet.2007.01.011
[33] Preneel, B.: Hash functions and MAC algorithms based on block ciphers. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 270–282. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024473
[34] Rubinfeld, R.: Randomness and computation. Course, MIT (2012). https://people.csail.mit.edu/ronitt/COURSE/S12/handouts/lec5.pdf
[35] Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/S0097539795293172
[36] Szepieniec, A.: Ramstake. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
[37] Tiepelt, M., Szepieniec, A.: Quantum LLL with an application to Mersenne number cryptosystems. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 3–23. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_1
[38] Vaudenay, S.: On privacy models for RFID. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 68–87. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_5
Acknowledgment
The first author would like to thank Krzysztof Pietrzak for fruitful discussions during the first stage of this project.
A Proof of Lemma 7.1
Lemma A.1
(Lemma 7.1, restated). Consider the two games \(\mathsf {Real}\) and \(\mathsf {Rand}\) between a challenger and an adversary \(\mathcal {B}\) defined in Fig. 9. Assume that the problem is \((t,Q,\epsilon )\)-hard. Then, for all \((t',Q)\)-adversaries \(\mathcal {B}\) with \(t' \approx t\), we have
The proof is almost the same as that in [28].
For \(i = 0,\dots ,\mu \) and \(A \in \{0,1\}^\mu \), we define A[1..i] as the i-bit string \(A_1 \dots A_i \in \{0,1\}^i\). (We let \(A[1..0] = \bot \).) For \(i = 0,\dots ,\mu \), let \(\mathsf {RF}_i, \mathsf {RF}_i' :\{0,1\}^i \rightarrow \mathbb {Z}_p\) be two random functions. (If \(i = 0\), then \(\mathsf {RF}_0(\bot ) = b'\) for some random \(b' \leftarrow _{\$}\mathbb {Z}_p\).)
We define the line of games as follows:
- \(G_0\): this game is the same as \(\mathsf {Real}\) except that
  - in the beginning, we sample \(2\mu \) elements \(s_{1,0},\dots ,s_{\mu ,0},s_{1,1},\dots ,s_{\mu ,1}\) from \(\mathbb {Z}_p\) instead of \(\mu +1\) elements \(s_0,s_1,\dots ,s_\mu \) from \(\mathbb {Z}_p\);
  - in the computation of \(S_A\), we compute \(S_A := \sum _{j=1}^{\mu } s_{j,A[j]}\) instead of \(S_A := s_0 + \sum _{j=1}^\mu A[j] \cdot s_j\). (We also replace the computation of \(S_{A^*}\).)
- \(G_{1,i}\) for \(i = 0,\dots ,\mu \): this game is the same as \(G_0\) except that
  - in the oracle \(\mathsf {Chal}\), we let \(s_0' := \mathsf {RF}_i(A^*[1..i])\);
  - in the oracle \(\mathsf {Eval}\), we compute \(B := \mathsf {RF}_i(A[1..i]) + R S_{A} + E\) instead of \(B := s_0' + R S_{A} + E\).
- \(G_2\): this game is the same as \(G_{1,\mu }\) except that
  - in the oracle \(\mathsf {Chal}\), we sample \(B^* \leftarrow _{\$}\mathbb {Z}_p\) instead of \(B^* := s_0' + R^* \cdot S_{A^*}\);
  - in the oracle \(\mathsf {Eval}\), we compute \(B := \mathsf {RF}_\mu (A)\) instead of \(B := \mathsf {RF}_\mu (A) + R S_{A} + E\).
Lemma A.2
\(\Pr [G_0= 1] = \Pr [\mathsf {Real} \Rightarrow 1]\).
Proof
In \(G_0\), we replace the computation of \(S_A\). We note that if we set \(s_0 := \sum _{j=1}^{\mu } s_{j,0}\) and \(s_{j} := s_{j,1} - s_{j,0}\), we have \(S_A = s_0 + \sum _{j=1}^{\mu } A[j] \cdot s_{j} = \sum _{j=1}^{\mu } s_{j,A[j]}\). In addition, if we choose \(s_{j,k}\) uniformly at random, then \(s_0,s_1,\dots ,s_\mu \) are also distributed according to the uniform distribution over \(\mathbb {Z}_p\). Hence, the two games are equivalent. \(\square \)
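As an added illustration (this is not code from the paper or its authors), the following Python checks the key identity behind Lemma A.2, namely that \(S_A = s_0 + \sum _{j} A[j]\cdot s_j\) under the \(\mathsf {Real}\) key and \(S_A = \sum _{j} s_{j,A[j]}\) under the \(G_0\) key agree, and computes one \(\mathsf {Eval}\) answer \(B := s_0' + R S_A + E\) with \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\), plus the ratio sample \(F/G \bmod p\) of note 5. The toy parameters \(n=31\), \(h=4\), \(\mu =8\), the shift-based reduction modulo \(2^n-1\), the \(\mathfrak {H}_{n,h}\) sampler and every function name are assumptions of this example, not parameters or code of the paper:

```python
import random
import secrets

# Toy parameters, constructed for illustration only (not the paper's parameters):
# n = 31 is one of the Mersenne exponents listed in note 3, so p = 2^31 - 1 is prime.
N_BITS = 31
P = (1 << N_BITS) - 1
HAMMING_H = 4   # weight h of the low-Hamming-weight error E
MU = 8          # message length mu (bits of A)


def mersenne_reduce(x, n=N_BITS):
    """Reduce x modulo p = 2^n - 1 with shifts and adds only, using 2^n = 1 (mod p)."""
    p = (1 << n) - 1
    if x < 0:
        x %= p                      # bring negative inputs into [0, p)
    while x > p:
        x = (x & p) + (x >> n)      # low n bits plus the high part
    return 0 if x == p else x


def hamming_weight(x):
    return bin(x).count("1")


def sample_low_weight(n=N_BITS, h=HAMMING_H, rng=None):
    """Sample from H_{n,h}: a uniformly random n-bit integer of Hamming weight exactly h."""
    rng = rng or secrets.SystemRandom()
    return sum(1 << i for i in rng.sample(range(n), h))


def keygen_pairs(mu=MU, rng=None):
    """Key as in G_0: 2*mu uniform elements s_{j,0}, s_{j,1} of Z_p."""
    rng = rng or secrets.SystemRandom()
    return [(rng.randrange(P), rng.randrange(P)) for _ in range(mu)]


def pairs_to_real_key(pairs):
    """Lemma A.2 map: s_0 := sum_j s_{j,0} and s_j := s_{j,1} - s_{j,0} (mod p)."""
    s0 = sum(s_j0 for s_j0, _ in pairs) % P
    s = [(s_j1 - s_j0) % P for s_j0, s_j1 in pairs]
    return s0, s


def s_real(A, s0, s):
    """S_A := s_0 + sum_j A[j] * s_j, the Real-game form (A is a list of bits)."""
    return (s0 + sum(s[j] for j, bit in enumerate(A) if bit)) % P


def s_game0(A, pairs):
    """S_A := sum_j s_{j,A[j]}, the G_0 form."""
    return sum(pairs[j][bit] for j, bit in enumerate(A)) % P


def tag(s0_prime, S_A, rng=None):
    """One Eval answer: R uniform, E <- H_{n,h}, B := s_0' + R * S_A + E mod p."""
    rng = rng or secrets.SystemRandom()
    R = rng.randrange(P)
    E = sample_low_weight(rng=rng)
    return R, mersenne_reduce(s0_prime + R * S_A + E)


def recovered_error(s0_prime, S_A, R, B):
    """With the secrets known, B - s_0' - R * S_A mod p is exactly the error E."""
    return mersenne_reduce(B - s0_prime - R * S_A)


def check_reparametrization(trials=50, seed=0):
    """True iff S_A agrees under both key representations for random messages A."""
    rng = random.Random(seed)   # seeded only so the check is reproducible
    pairs = keygen_pairs(rng=rng)
    s0, s = pairs_to_real_key(pairs)
    return all(
        s_real(A, s0, s) == s_game0(A, pairs)
        for A in ([rng.randrange(2) for _ in range(MU)] for _ in range(trials))
    )


def tag_error_weight(seed=1):
    """Tag a random message with a seeded rng and return the weight of the recovered E."""
    rng = random.Random(seed)
    pairs = keygen_pairs(rng=rng)
    s0_prime = rng.randrange(P)
    A = [rng.randrange(2) for _ in range(MU)]
    S_A = s_game0(A, pairs)
    R, B = tag(s0_prime, S_A, rng=rng)
    return hamming_weight(recovered_error(s0_prime, S_A, R, B))


def mlhr_ratio_consistent(seed=2):
    """Note 5's sample F/G mod p with F, G <- H_{n,h}; True iff (F/G) * G == F mod p."""
    rng = random.Random(seed)
    F, G = sample_low_weight(rng=rng), sample_low_weight(rng=rng)
    ratio = F * pow(G, -1, P) % P   # G is invertible: 0 < G < p and p is prime
    return ratio * G % P == F
```

The seeded `random.Random` instances appear only inside the self-checks so that they are reproducible; the sampling functions default to `secrets.SystemRandom`, which is what a real key or error sampler must use. The recovered-error check is a sanity check that the tag arithmetic is consistent with the secrets held by the verifier, not a statement about what an adversary without those secrets can compute.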
Lemma A.3
We have \(\Pr [G_0 = 1] = \Pr [G_{1,0}=1]\).
Proof
\(G_0\) is the same as \(G_{1,0}\), since \(s_0'\) can be interpreted as \(\mathsf {RF}_0(\bot )\) [28]. \(\square \)
Lemma A.4
Let \(\mathcal {B}\) be a (t, Q)-adversary in Fig. 9. For all \(i \in \{0,\dots ,\mu -1\}\), there exists a \((t',Q)\)-adversary \(\mathcal {D}\) such that
Proof
Notice that for arbitrarily fixed \(b \in \{0,1\}\) and two random functions \(\mathsf {RF}_i\) and \(\mathsf {RF}_i'\), we can define a new random function \(\mathsf {RF}_{i+1}\) by
Our adversary \(\mathcal {D}\) guesses \(b \leftarrow _{\$}\{0,1\}\) as the prediction of \(A^*[i+1]\) and simulates the oracles by using the above observation. We construct a distinguisher \(\mathcal {D}\) as follows:
1. Given \(1^\kappa \), \(\mathcal {D}\) prepares parameter values as follows:
  - Sample \(b \leftarrow \{0,1\}\) and initialize \(L := \emptyset \) and \(L_i := \emptyset \).
  - Choose \(s_{j,\beta } \leftarrow \mathbb {Z}_p\) for all \(j \in [1,\mu ]\) and \(\beta \in \{0,1\}\) except for \(s_{i+1,1-b}\).
  - Query its oracle Q times and obtain the answers \((R_j,B_j')\) for \(j \in \{1,2,\dots ,Q\}\).
2. \(\mathcal {D}\) runs \(\mathcal {B}\) and simulates \(\mathsf {Eval}\) and \(\mathsf {Chal}\) as follows:
  - Simulation of \(\mathsf {Eval}\) on input \(A \in \{0,1\}^\mu \):
    (a) Update \(L := L \cup \{A\}\).
    (b) If \(A[i+1] = b\), then \(R \leftarrow _{\$}\mathbb {Z}_p\), \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\), compute \(B := \mathsf {RF}_i(A[1..i]) + R \cdot (\sum _{j=1}^{\mu } s_{j,A[j]}) + E\) and return (R, B).
    (c) Else, that is, if \(A[i+1] = 1-b\), then
      i. If \(L_i\) contains \((A[1..i],(R_j,B_j'))\) for some j, then let \((R,B') := (R_j,B_j')\).
      ii. Else, use the next fresh pair, that is, \((R,B') := (R_j,B_j')\) for the first unused j, and add \((A[1..i],(R_j,B_j'))\) to the list \(L_i\).
      iii. Compute \(B := \mathsf {RF}_i(A[1..i]) + R \cdot (\sum _{j=1,j\ne i+1}^{\mu } s_{j,A[j]}) + B'\) and return (R, B).
  - Simulation of \(\mathsf {Chal}\) on input \(R^*\) and \(A^*\):
    (a) If \(A^*[i+1] \ne b\), abort.
    (b) Else, define \(S_{A^*} := \sum _{j=1}^{\mu } s_{j,A^*[j]}\).
    (c) Return \(B^* := R^* \cdot S_{A^*} + \mathsf {RF}_i(A^*[1..i])\).
3. Finally, \(\mathcal {B}\) outputs its decision d and stops. \(\mathcal {D}\) outputs \(d \wedge (A^* \not \in L)\).
Suppose that the guess b is correct; this happens with probability 1/2. If so, \(\mathcal {D}\) perfectly simulates \(\mathsf {Chal}\), since \(\mathsf {RF}_{i+1}(A^*[1..(i+1)]) = \mathsf {RF}_i(A^*[1..i])\) if \(A^*[i+1] = b\). We next analyze the simulation of \(\mathsf {Eval}\): If \(A[i+1] = b\), then we have \(\mathsf {RF}_{i+1}(A[1..(i+1)]) = \mathsf {RF}_i(A[1..i])\). Thus, the distributions of E are the same in both games. Otherwise, that is, if \(A[i+1] = 1-b\), then we consider two cases: If the oracle outputs \(B' := R s + E\) with \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\), then we have
by letting \(s_{i+1,1-b} := s\). Therefore, if the oracle is \(\mathcal {O}_{s,n,h}\), then \(\mathcal {D}\) perfectly simulates \(G_{1,i}\). On the other hand, if the oracle is \(\mathcal {U}\), that is, \(B' = Rs + E + U\) with \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\) and \(U \leftarrow _{\$}\mathbb {Z}_p\), then we have
By letting \(U := \mathsf {RF}_i'(A[1..i])\), we observe that \(\mathcal {D}\) perfectly simulates \(G_{1,i+1}\).
Therefore, we have
as we wanted. \(\square \)
Lemma A.5
We have \(\Pr [G_{1,\mu } = 1] = \Pr [G_{2}=1]\).
Proof
This is almost obvious. Notice that every query A to \(\mathsf {Eval}\) and \(\mathsf {Chal}\) must be fresh. Thus, in both cases, \(\mathsf {RF}_{\mu }(A)\) makes B (and \(B^*\)) uniformly random. \(\square \)
Lemma A.6
We have \(\Pr [G_{2}=1] = \Pr [\mathsf {Rand} \Rightarrow 1]\).
Proof
In \(G_2\), all returned values (R, B) from \(\mathsf {Eval}\) and \(B^*\) from \(\mathsf {Chal}\) are fresh and random if \(A^* \not \in L\). We also know that in \(\mathsf {Rand}\), all values are fresh and random if \(A^* \not \in L\), because \(s_0'\) is random and kept secret. Therefore, there is no difference between \(G_2\) and \(\mathsf {Rand}\) if \(A^* \not \in L\). This completes the proof. \(\square \)
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Ferradi, H., Xagawa, K. (2020). Post-quantum Provably-Secure Authentication and MAC from Mersenne Primes. In: Jarecki, S. (eds) Topics in Cryptology – CT-RSA 2020. CT-RSA 2020. Lecture Notes in Computer Science(), vol 12006. Springer, Cham. https://doi.org/10.1007/978-3-030-40186-3_20
DOI: https://doi.org/10.1007/978-3-030-40186-3_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-40185-6
Online ISBN: 978-3-030-40186-3