Post-quantum Provably-Secure Authentication and MAC from Mersenne Primes

Abstract

This paper presents a novel, yet efficient secret-key authentication and MAC, which provide post-quantum security promise, whose security is reduced to the quantum-safe conjectured hardness of Mersenne Low Hamming Combination (\(\mathsf {MERS}\)) assumption recently introduced by Aggarwal, Joux, Prakash, and Santha (CRYPTO 2018). Our protocols are very suitable to weak devices like smart card and RFID tags.

Houda Ferradi—This work was done while the first author was at NTT Secure Platform Laboratories – Tokyo

A Proof of Lemma 7.1

Lemma A.1

(Lemma 7.1, restated). Consider the two games \(\mathsf {Real}\) and \(\mathsf {Rand}\) between a challenger and an adversary \(\mathcal {B}\) defined in Fig. 9. Assume that the problem is \((t,Q,\epsilon )\)-hard. Then, for all \((t',Q)\)-adversary \(\mathcal {B}\) with \(t' \approx t\), we have

$$ \left|\Pr [\mathsf {Real}_{\mathcal {B}}(\kappa ) \Rightarrow 1] - \Pr [\mathsf {Rand}_{\mathcal {B}}(\kappa ) \Rightarrow 1] \right|\le 2 \mu \epsilon . $$

The proof is almost same as that in [28].

For \(i = 0,\dots ,\mu \) and \(A \in \{0,1\}^\mu \), we define A[1..i] as the i-bit string \(A_1 \dots A_i \in \{0,1\}^i\). (We let \(A[1..0] = \bot \).) For \(i = 0,\dots ,\mu \), \(\mathsf {RF}_i, \mathsf {RF}_i' :\{0,1\}^i \rightarrow \mathbb {Z}_p\) be two random functions. (If \(i = 0\), then \(\mathsf {RF}_0(\bot ) = b'\) for some random \(b' \leftarrow _{\$}\mathbb {Z}_p\).)

We define the line of games as follows:

• \(G_0\): this game is the same as \(\mathsf {Real}\) except that

  • in the beginning, we sample \(2\mu \) elements \(s_{1,0},\dots ,s_{\mu ,0},s_{1,1},\dots ,s_{\mu ,1}\) from \(\mathbb {Z}_p\) instead of \(\mu +1\) elements \(s_0,s_1,\dots ,s_\mu \) from \(\mathbb {Z}_p\).

  • in the computation of \(S_A\), we compute \(S_A := \sum _{j=1}^{\mu } s_{j,A[j]}\) instead of \(S_A := s_0 + \sum _{j=1}^\mu A[j] \cdot s_j\). (We also replace the computation of \(S_{A^*}\).)

• \(G_{1,i}\) for \(i = 0,\dots ,\mu \): this game is the same as \(G_0\) except that

  • in the oracle \(\mathsf {Chal}\), we let \(s_0' := \mathsf {RF}_i(A^*[1..i])\)

  • in the oracle \(\mathsf {Eval}\), we compute \(B := \mathsf {RF}_i(A[1..i]) + R S_{A} + E\) instead of \(B := s_0' + R S_{A} + E\).

• \(G_2\): this game is the same as \(G_{1,\mu }\) except that

  • in the oracle \(\mathsf {Chal}\), we sample \(B^* \leftarrow _{\$}\mathbb {Z}_p\) instead of \(B^* := s_0' + R^* \cdot S_{A^*}\)

  • in the oracle \(\mathsf {Eval}\), we compute \(B := \mathsf {RF}_\mu (A)\) instead of \(B := \mathsf {RF}_\mu (A) + R S_{A} + E\).

Lemma A.2

\(\Pr [G_0= 1] = \Pr [\mathsf {Real} \Rightarrow 1]\).

Proof

In \(G_0\), we replace the computation of \(S_A\). We note that if we set \(s_0 := \sum _{j=1}^{\mu } s_{j,0}\) and \(s_{j}: = s_{j,1} - s_{j,0}\), we have \(S_A = s_0 + \sum _{j=1}^{\mu } A[j] \cdot s_{j} = \sum _{j}^{\mu } s_{j,A[j]}\). In addition, if we choose \(s_{j,k}\) uniformly at random, then \(s_0,s_1,\dots ,s_\mu \) are also distributed according to the uniform distribution over \(\mathbb {Z}_p\). Hence, the two games are equivalent.    \(\square \)

Lemma A.3

We have \(\Pr [G_0 = 1] = \Pr [G_{1,0}=1]\).

Proof

\(G_0\) is the same as \(G_{1,0}\), since \(s_0'\) can be interpreted as \(\mathsf {RF}_0(\bot )\) [28].    \(\square \)

Lemma A.4

Let \(\mathcal {B}\) be a (t, Q)-adversary in Fig. 9. For all \(i \in \{0,\dots ,\mu -1\}\), there exists a \((t',Q)\)-adversary \(\mathcal {D}\) such that

Proof

Notice that for arbitrarily fixed \(b \in \{0,1\}\) and two random functions \(\mathsf {RF}_i\) and \(\mathsf {RF}_i'\), we can define a new random function \(\mathsf {RF}_{i+1}\) by

$$ \mathsf {RF}_{i+1}(A[1..i+1]) := {\left\{ \begin{array}{ll} \mathsf {RF}_{i}(A[1..i]) &{} \text {if A[i+1] = b} \\ \mathsf {RF}_{i}(A[1..i]) + \mathsf {RF}_i'(A[1..i]) &{} \text {o.w.} \end{array}\right. } $$

Our adversary \(\mathcal {D}\) guesses \(b \leftarrow _{\$}\{0,1\}\) as the prediction of \(A^*[i+1]\) and simulates the oracles by using the above observation. We construct a distinguisher \(\mathcal {D}\) as follows:

1. 1.

   Given \(1^\kappa \), \(\mathcal {D}\) prepares parameter values as follows:

   • Sample \(b \leftarrow \{0,1\}\) and initialize \(L := \emptyset \) and \(L_i := \emptyset \).

   • Choose \(s_{j,\beta } \leftarrow \mathbb {Z}_p\) for all \(j \in [1,\mu ]\) and \(\beta \in \{0,1\}\) except for \(s_{i+1,1-b}\).

   • Query to its oracle for Q times and obtain the answers \((R_j,B_j')\) for \(j \in \{1,2,\dots ,Q\}\).

2. 2.

   \(\mathcal {D}\) runs \(\mathcal {B}\) and simulates \(\mathsf {Eval}\) and \(\mathsf {Chal}\) as follows:

   • Simulation of \(\mathsf {Eval}\) on input \(A \in \{0,1\}^\mu \):

     1. (a)

        Update \(L := L \cup \{A\}\)

     2. (b)

        If \(A[i+1] = b\), then \(R \leftarrow _{\$}\mathbb {Z}_p\), \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\), compute \(B := \mathsf {RF}_i(A[1..i]) + R \cdot (\sum _{j=1}^{\mu } s_{j,A[j]}) + E\) and return (R, B).

     3. (c)

        Else, that is, if \(A[i+1] = 1-b\), then

        1. i.

           If \(L_i\) contains \((A[1..i],(R_j,B_j'))\) for some j, then let \((R,B') := (R_j,B_j')\).

        2. ii.

           Else, use a next fresh pair, that is, \((R,B') := (R_j,B_j')\) for the first j. Add \((A[1..i],(R_j,B_j'))\) to the list \(L_i\).

        3. iii.

           Compute \(B := \mathsf {RF}_i(A[1..i]) + R \cdot (\sum _{j=1,j\ne i+1}^{\mu } s_{j,A[j]}) + B'\) and return (R, B).

   • Simulation of \(\mathsf {Chal}\) on input \(R^*\) and \(A^*\):

     1. (a)

        If \(A^*[i+1] \ne b\), abort.

     2. (b)

        Else, define \(S_{A^*} := \sum _{j}^{\mu } s_{j,A^*[j]}\).

     3. (c)

        Return \(B^* := R^* \cdot S_{A^*} + \mathsf {RF}_i(A^*[1..i])\).

3. 3.

   Finally, \(\mathcal {B}\) will outputs its decision d and stops. \(\mathcal {D}\) outputs \(d \wedge (A^* \not \in L)\).

Suppose that the guess b is correct. This happens with probability 1/2. If so, \(\mathcal {D}\) perfectly simulates \(\mathsf {Chal}\), since \(\mathsf {RF}_{i+1}(A^*[1..(i+1)]) = \mathsf {RF}_i(A^*[1..i])\) if \(A^*[i+1] = b\). We next analyze the simulation of \(\mathsf {Eval}\): If \(A[i+1] = b\), then we have \(\mathsf {RF}_{i+1}(A[1..(i+1)]) = \mathsf {RF}_i(A[1..i])\). Thus, the distributions of E are the same in both games. Otherwise, that is, if \(A[i+1] = 1-b\), then we consider two cases: If the oracle outputs \(B' := R s + E\) with \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\), then we have

$$\begin{aligned} B&:= \mathsf {RF}_i(A[1..i]) + R \cdot \left( \sum _{j=1,j\ne i+1}^\mu s_{j,A[j]}\right) + R \cdot s + E \\&= \mathsf {RF}_i(A[1..i]) + R \cdot \left( \sum _{j=1}^\mu s_{j,A[j]}\right) + E \end{aligned}$$

by letting \(s_{i+1,1-b} := s\). Therefore, if the oracle is \(\mathcal {O}_{s,n,h}\), then \(\mathcal {D}\) perfectly simulates \(G_i\). On the other hand, if the oracle is \(\mathcal {U}\), that is, \(B' = Rs + E + U\) with \(E \leftarrow _{\$}\mathfrak {H}_{n,h}\) and \(U \leftarrow _{\$}\mathbb {Z}_p\), then we have

$$\begin{aligned} B&:= \mathsf {RF}_i(A[1..i]) + R \cdot \left( \sum _{j=1,j\ne i+1}^\mu s_{j,A[j]} \right) + R \cdot s + E + U \\&= \mathsf {RF}_i(A[1..i]) + U + R \cdot \left( \sum _{j=1}^\mu s_{j,A[j]} \right) + E. \end{aligned}$$

By letting \(U := \mathsf {RF}_i'(A[1..i])\), we observe that \(\mathcal {D}\) perfectly simulates \(G_{i+1}\).

Therefore, we have

as we wanted.    \(\square \)

Lemma A.5

We have \(\Pr [G_{1,\mu } = 1] = \Pr [G_{2}=1]\).

Proof

This is almost obvious. Notice that every query A to \(\mathsf {Eval}\) and \(\mathsf {Chal}\) should be fresh. Thus, in both cases, \(\mathsf {RF}_{\mu }(A)\) makes B (and \(B^*\)) random.    \(\square \)

Lemma A.6

We have \(\Pr [G_{2}=1] = \Pr [\mathsf {Rand} \Rightarrow 1]\).

Proof

In \(G_2\), all returned values (R, B) from \(\mathsf {Eval}\) and \(B^*\) from \(\mathsf {Chal}\) are fresh and random if \(A^* \not \in L\). We also know that in \(\mathsf {Rand}\), all values are fresh and random if \(A^* \not \in L\), because \(s_0'\) is random and kept secret. Therefore, there are no difference between \(G_2\) and \(\mathsf {Rand}\) if \(A^* \not \in L\). This completes the proof.    \(\square \)