Efficient authentication protocol with anonymity and key protection for mobile Internet users


Journal Pre-proof Efficient authentication protocol with anonymity and key protection for mobile Internet users Yan Jiang, Youwen Zhu, Jian Wang, Yong Xiang

PII: S0743-7315(19)30310-7
DOI: https://doi.org/10.1016/j.jpdc.2019.11.010
Reference: YJPDC 4155

To appear in: J. Parallel Distrib. Comput.

Received date: 23 April 2019
Revised date: 19 November 2019
Accepted date: 20 November 2019

Please cite this article as: Y. Jiang, Y. Zhu, J. Wang et al., Efficient authentication protocol with anonymity and key protection for mobile Internet users, Journal of Parallel and Distributed Computing (2019), doi: https://doi.org/10.1016/j.jpdc.2019.11.010.

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

© 2019 Elsevier Inc. All rights reserved.


Yan Jiang a, Youwen Zhu a,c,d,*, Jian Wang a, Yong Xiang b

a College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
b School of Information Technology, Deakin University, Melbourne, VIC 3125, Australia
c Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 210023, China
d Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin 541004, China


Abstract

To preserve user privacy and guarantee data confidentiality on the mobile Internet, it is crucial to secure communication between the mobile devices held by users and a remote server. In real applications, a serious threat against communication security is exposure of secret keys, due to the compromise of the mobile devices storing the key. One method of preventing key exposure is to use protected hardware or smart-cards, but they are costly and impractical. Another method is to utilize secret sharing to share the secret key across multiple devices. Nevertheless, secret sharing schemes guarantee security only if the adversary cannot access at least one share in its entirety. In this paper, we present a remote authentication protocol which resists key exposure. Further, we present a zero-knowledge protocol based on the SDH assumption that can achieve anonymity. We formally prove that our proposed solution is secure under the decision linear assumption and the qs-mSDH assumption in the random oracle model. Finally, we show that our solution achieves higher efficiency and stronger anonymity compared with existing schemes, and thus the proposed solution is more suitable for real-world environments.

Keywords: anonymity, key protection, zero-knowledge protocols, mobile Internet

* Corresponding author. Email address: [email protected] (Youwen Zhu)

Preprint submitted to Journal of LaTeX Templates, November 19, 2019

1. Introduction

With the high-speed growth of the mobile Internet and wireless communication, intelligent terminal devices (e.g., mobile phones) have become more and more popular. For example, the number of Chinese users on the mobile Internet has reached 817 million [1]. There are many kinds of mobile applications for Internet users, such as instant messaging, online shopping and mobile payment.

A general mobile Internet is described in Fig. 1. Mobile devices are able to gather, transmit and store personal data, which may contain user privacy such as living habits [2]. The data is vulnerable to eavesdropping, impersonation and replay attacks since the open channel is insecure. Thus, it is necessary to protect the security of mobile devices and communication.

[Figure 1: Workflow of mobile Internet facilities. Labels in the figure: Mobile User, Attacker, Server, Open Channel.]

Authentication of the participants is significant in mobile Internet-based applications to establish trust relations (e.g., a shared key). The importance of preserving user privacy in the authentication mechanism has been pointed out by the European Union [3], especially data privacy [4, 5]. Anonymous authentication is an effective method to protect user privacy by enabling secure authentication and anonymity. Furthermore, a perfect anonymous scheme should provide user anonymity and unlinkability [6]. For example, consider an online mall that tracks a buyer's prior purchases and shopping habits. The seller has more information about what the buyer is willing to pay, but the buyer is not aware of this asymmetry.

In traditional authenticated key exchange protocols, users authenticate with the private key but pay no attention to protection of the key. In particular, mobile devices may be corrupted in some physical way (e.g., lost), enabling an attacker to recover the key using mobile forensic tools [7]. Therefore, anonymous authentication with key protection technology is highly desired.

To enhance the protection of users' private keys, Shamir [8] proposes a (t, n) secret sharing scheme that distributes the key among n parties such that t or more parties can restore the key, but fewer than t parties learn nothing. Such a protocol enables users who hold an entire private key to authenticate themselves while protecting the key. However, the method has an inherent limitation in the reconstruction process, i.e., an attacker could still impersonate others if the one who holds the reconstructed key is compromised.

Another approach is to utilize secure multiparty computation (MPC) [9], where participants jointly calculate a function while keeping their inputs private. Lindell [10] proposes a standard digital signature scheme with distributed key generation between two parties. In our work, we use the same method to generate an authentication key, except that we replace Paillier encryption. Other ways of protecting the secret key include the use of program obfuscation [11, 12] or key-insulated cryptosystems [13, 14], but these ways are either impractical or not resistant to active attacks [15].

This paper seeks to remedy these problems by using zero-knowledge proofs and two-party protocols. For this reason, we present an efficient authentication protocol for the mobile Internet, which provides both anonymity and key protection. Subsequently, we provide a formal security proof for the presented solution. Lastly, we show the performance of the presented protocols by comparing them with previous protocols for the mobile Internet. A summary of the main contributions is provided as follows:

• We plan a new method to generate an authentication key by using linear encryption and two-party protocols.

• At the core of our mutual authentication phase, we give a variant of the signature of knowledge of Dan et al. [16] by using the short signature method [17].

The remaining part of the paper proceeds as below. In Section 2, we give the context of related work. In Section 3, we present preliminaries and the model description. In Section 4, we specify the presented solutions. In Section 5, we prove our protocols secure via formal analysis, and in Section 6 we show the performance of our solutions. In Section 7, we conclude our solution and draw some future work. In Appendix A, we present zero-knowledge proofs for three relations and a commitment scheme.

2. Related Work

In practice, a serious threat to an authentication protocol is exposure of the secret key, due to the compromise of the machine storing the key. The threats are growing as users use mobile devices to access remote servers. Two methods can be considered to deal with the threat. One method is to use protected smart-cards [18] or hardware to protect the secret key, but these can be costly or impractical. The other method is to suppose that key exposure will be inevitable and explore ways to weaken the risk of an adversary obtaining the key. Secret sharing [8], proactive cryptography [19], threshold cryptography [20, 21], and secure multiparty computation [9] can be seen as different ways of dealing with the threat.

The most feasible solution is to combine different approaches. One promising approach has been proposed by Lindell [10] via a secure two-party protocol. However, his scheme relies on Paillier encryption, which is more expensive than elliptic curve operations. Subsequently, Doerner et al. [22] propose a solution that invokes an oblivious transfer (OT) scheme to solve the difficulty. Lindell [23] points out that Doerner et al.'s scheme has much higher bandwidth than [10], but also presents a protocol that replaces the Paillier encryption with ElGamal encryption in the exponent. With the help of distributed key generation, a series of schemes [24, 25, 26] to protect the secret key have been proposed. A very recent work of Wu et al. [24] implements and uses ideas similar to ours, i.e., the two-party signing of [10]. However, their scheme depends upon Paillier encryption and thus their constructions may sustain an efficiency loss compared to elliptic curve operations. Moreover, their solution cannot provide unlinkability, i.e., that a user's online identity is not linked to his real-world identity.

Table 1 compares our proposed solution with previous work on authentication protocols and the two-party case in terms of techniques, anonymity, unlinkability and the notion of security.

Table 1: Features of authentication protocols and the two party case

Scheme            | Techniques | Anonymity | Unlinkability | Security
This work         | LE         | X         | X             | SIM
Lindell [10]      | PE         | ×         | ×             | GB/SIM
Wu et al. [24]    | PE         | X         | ×             | SIM
He et al. [25]    | DS         | ×         | ×             | GB
Zhang et al. [26] | PE         | ×         | ×             | GB

X: Support the feature; ×: Not support the feature. GB and SIM indicate game-based and simulatability-based security notions. LE, PE and DS are linear encryption, Paillier encryption and distributed signing, respectively.

3. Preliminaries and Model description

We introduce the notations defined in Table 2 and show the building blocks of our approach: preliminaries and model description.

3.1. Preliminaries

3.1.1. Mathematical assumption

Definition 1. (Bilinear Pairings): Let G1, G2, and GT be three groups of order q. The generators of G1 and G2 are P1 and P2, respectively. e is a map: G1 × G2 → GT, which is computable and has the properties below:

Table 2: notations in the scheme

Notation             | Description
p, q                 | two big primes
Z*q                  | a group of prime order
Fp                   | a prime finite field
E(Fp)                | an elliptic curve E over Fp
G1, G2               | two cyclic groups
e                    | a computable map: G1 × G2 → GT
P1, P2               | generators of G1, G2, respectively
hi for i = 1, ..., 6 | secure hash functions
IDi                  | identity of user i
DAi, DBi             | two devices of user i
PIDi                 | public key of user i
kDAi, kDBi           | private key of user i
γ, µ                 | private key of servers
û, v̂, u, v           | public key of servers
r, s, a, b, c, d     | random elements of Z*q

• Bilinearity: ∀M ∈ G1, ∀N ∈ G2, ∀c, d ∈ Z*q, e(c·M, d·N) = e(M, N)^{cd}.

• Non-degeneracy: e(P1, P2) ≠ 1.

• Computation: ∀Q ∈ G1, ∀R ∈ G2, there exists a procedure to calculate e(Q, R).

Definition 2. (Decision linear Assumption (Decision-LA)). Given u, v, h, u^e, v^f, h^g ∈ G1, it is hard to determine whether e + f = g, for e, f, g ∈ Z*q. Note that the Decision linear assumption holds in generic bilinear groups [16, Section 8].

Definition 3. The modified Decision linear assumption (Decision-mLA) states that it is hard to differentiate (M, N, P, c·M, d·N, (c + d)·P) from (M, N, P, c·M, d·N, η) for M, N, P, η ∈ G1, c, d ∈ Z*q.

Definition 4. The qs-SDH assumption [17] states that it is hard to compute $(c, g_1^{1/(x+c)}) \in \mathbb{Z}_q \times \mathbb{G}_1$ for c ∈ Z*q \ {−x} when given $(g_1, g_1^{x}, \ldots, g_1^{x^{q_s}}, g_2, g_2^{x}) \in \mathbb{G}_1^{q_s+1} \times \mathbb{G}_2^{2}$, where the generators of G1 and G2 are g1 and g2, respectively.

Definition 5. The modified qs-mSDH assumption states that it is hard to compute $(m, \frac{1}{x+m} P_1) \in \mathbb{Z}_q \times \mathbb{G}_1$ for m ∈ Z*q \ {−x} when given $(P_1, xP_1, x^2 P_1, \ldots, x^{q_s} P_1, P_2, xP_2) \in \mathbb{G}_1^{q_s+1} \times \mathbb{G}_2^{2}$, where P1, P2 are generators of the groups G1, G2, respectively.

3.1.2. Zero-Knowledge (ZK) Proofs

ZK proofs of knowledge show that a prover knows a witness x for which (x, X) ∈ R without revealing anything else, where R denotes a relation and X is a statement. In this paper, we define zero-knowledge proofs for three relations as follows:

(1) Zero-knowledge equality of linear encryption and discrete logarithm: Define the relation

REQ = {(G1, P1, q, pk = (M, N), A, B, C), (kB, m, r, s) | DB = kB·P1 ∧ (A, B, C) = Enc_pk(m; r, s)}

that shows knowledge of a discrete logarithm and of the values encrypted in a linear encryption ciphertext. In Appendix A.1, we specify the protocol for this relation.

(2) Knowledge of discrete logarithm: Define the relation

RDL = {(G1, P1, q, DA), kA | DA = kA·P1}

of discrete logarithm values. In Appendix A.2, we specify the protocol for this relation.

(3) Knowledge of a solution to a qs-mSDH problem: Define the relation

RSDH = {(G1, G2, P1, P2, q, R, û, v̂, u, v), (m, r, σ) | e(σ, u + m·P2 + r·v) = e(R, P2)}

for σ = (γ + m + r·µ)^{-1}·R. In Appendix A.3, we specify the protocol for this relation.

3.1.3. Linear Encryption

Let G1 be a group of order q, and P1 a corresponding generator. In our construction, we use linear decryption whose result is an element of G1 rather than a scalar. Encryption of a value m ∈ Z*q is as follows:

• L.Gen(1^λ): Given a security parameter 1^λ, choose xe, ye ← Z*q at random, and output pk = (M, N) = (xe·P1, ye·P1), dk = (xe, ye).

• L.Enc(pk, m): Given pk = (M, N) and m, choose r, s ← Z*q at random and output c = (r·M, s·N, (r + s)·P1 + m·P1).

• L.Dec(dk, c): Given dk = (xe, ye) and c = (T1, T2, T3), output m′·P1 = T3 − (xe)^{-1}T1 − (ye)^{-1}T2.

A ciphertext (T1, T2, T3) multiplied by a scalar w is (w·T1, w·T2, w·T3) = ((w·r)·M, (w·s)·N, (w·(r + s))·P1 + (w·m)·P1) = Enc_pk(w·m). This can be combined with re-randomization by selecting Δr, Δs ← Z*q at random, i.e.,

c′ = (wT1 + Δr·M, wT2 + Δs·N, wT3 + (Δr + Δs)P1)
   = ((wr + Δr)M, (ws + Δs)N, ((wr + Δr) + (ws + Δs))P1 + (w·m)P1),

which is viewed as an encryption of w·m.

3.2. Model description

In this section we show the system model and formalize the security models for authenticated key exchange protocols following [27] and for anonymity following [6].

3.2.1. System Model

The system model of our protocol is shown in Fig. 2, in which the participants are a server S and two devices DA and DB.

• S: It is a trusted remote server that produces the system public parameters and the master keys γ, µ. In addition, S responds to registration requests from users (i.e., DA and DB).

• DA: It is one of the user's mobile devices; it stores part of the private key used to generate an authentication key.

• DB: It is the other of the user's mobile devices. In addition to generating an entire authentication key, DB acts as the master device that authenticates with S.

[Figure 2: An overview of the authentication key generation. The server sends a partial key to mobile device A and to mobile device B over secure channels; the devices then interact with the server over an insecure channel and output the authentication key.]

3.2.2. AKE Security

Let A be an adversary who has access to communication transcripts. We use $\Pi_U^k$ to denote the k-th session of user U, where U ∈ {U1, U2, ..., Un} ∪ S. A may make the following queries in polynomial time. The allowed queries are as follows:

• hi(ej): The query simulates the ability of A to access the random oracles. When A makes a hash query for ej, the oracle returns a random value fj and records (ej, fj) in a table Lhi.

• Extract(ID): The query simulates the ability of A to obtain the long-term private key.

• Execute(Ui, S): The query simulates the ability of A to obtain the transcripts between Ui and S.

• Send($\Pi_U^k$, M): The query simulates the ability of A to act as a legitimate user.

• Reveal($\Pi_U^k$): The query simulates the ability of A to learn the session key. That is, the session key is returned to A if the oracle knows it.

• Corrupt(IDi): The query simulates the ability of A to obtain the long-term secret key held by Ui.

• Test($\Pi_U^k$): The query models the security of the session key. The oracle chooses b ∈ {0, 1} and returns the session key to A if b = 1; otherwise, if b = 0, it returns a random value.

AKE security. A can make polynomially many hi(ej), Extract, Execute, Send, Reveal and Corrupt queries, but only one Test query. Finally, A outputs a bit b′. Let $\mathrm{Adv}^{AKE}_{\Pi,A}$ denote the advantage of A, meaning that $\mathrm{Adv}^{AKE}_{\Pi,A} = \Pr[b' = b] - 1/2$. A protocol Π is said to be AKE secure if for all poly-time adversaries A the function $\mathrm{Adv}^{AKE}_{\Pi,A}$ is negligible.

3.2.3. Anonymity

The anonymity property means that the server should not know which user it is interacting with. To model anonymity against a corrupted server, the adversary is given the corrupted server's private key [6]. Additionally, a Reg oracle is given to model the registration phase. The experiment for anonymity between an adversarial server A and a user Ui from a set of n authorized users {U1, ..., Un} is as follows:

• Reg(IDi): If i ∈ {1, ..., n}, the oracle computes what the registration phase prescribes and sends back the server's secret key to A.

• Send(Ut, M): A message M is sent to the user instance Ut, which computes what the mutual authentication & key exchange phase prescribes and sends back the result to A. In particular, an authentication key (rt, σut) is sent to A.

• Change(IDi0, IDi1, M): If i0, i1 ∈ {1, ..., n}, the oracle proceeds as follows. First, the oracle generates two authentication keys σui0, σui1 as the challenge messages for linear encryption. The linear encryption challenger returns a linear encryption of σuib for b ← {0, 1} chosen at random. Then, the oracle instantiates what the remaining parts of the protocol Π prescribe and returns the results to A.

Anonymity. Finally, A outputs a bit b′. Let $\mathrm{Adv}^{anon}_{\Pi,A}$ denote the advantage of A, meaning that $\mathrm{Adv}^{anon}_{\Pi,A} = \Pr[b' = b] - 1/2$. A protocol Π is said to be anonymous if for all poly-time A the function $\mathrm{Adv}^{anon}_{\Pi,A}$ is negligible.

4. Our Protocol

We present an efficient authentication protocol with distributed key generation for mobile devices. Our scheme is composed of an initialization phase, a registration phase and a mutual authentication & key exchange phase. The framework is shown in Fig. 3.

[Figure 3: The framework of our protocol. System initialization: the server publishes the system parameters G1, G2, P1, P2, q, h1, ..., h6, û, v̂, u, v and keeps the system private keys γ, µ. Registration phase: the server generates the linear encryption key pair (pk, dk) and the partial keys kDA, kDB, sending (kDB, pk, dk) to DB and (kDA, pk) to DA. Mutual authentication & key exchange phase: DB sends c1 = Enc_pk(kDB) to DA; DA and DB run a simulatable DH key exchange giving R = kA·kB·P1; DA homomorphically computes Enc_pk(σ′) = Enc_pk(kA·kDA·kDB) and returns it; DB computes σ = kB·Dec_dk(Enc_pk(σ′)), produces the signature of knowledge σu and sends it to the server; the server verifies σu and computes SK_S, and DB verifies the server's message M and computes SK_U.]

4.1. Initialization phase

In this phase, the server S produces the system parameters as follows:

(1) Let G1, G2, and GT be three groups of order q. The generators of G1 and G2 are P1 and P2, respectively. e is a computable map: G1 × G2 → GT.

(2) S chooses six secure hash functions h1, ..., h6, where h1: {0, 1}* → Z*q, h2: G1^11 → Z*q, h3: G1^4 × ({0, 1}*)^5 → Z*q, h4: G1^3 → Z*q, h5: G1^5 × {0, 1}* → Z*q, h6: G1^4 × {0, 1}* → Z*q.

(3) S chooses two random elements γ, µ ∈ Z*q and computes û = γ·P1, v̂ = µ·P1, u = γ·P2, v = µ·P2 as its public keys. Then, S publishes the system parameters {G1, G2, P1, P2, q, h1, ..., h6, û, v̂, u, v} and holds the system private keys (γ, µ) securely.

4.2. Registration phase

A user Ui asks for registration, and S returns private keys to DA and DB. As described in Table 3, the details are as follows:

Table 3: Registration phase

Participants: DAi | S (holds params, γ, µ) | DBi
DAi → S: IDi; DBi → S: IDi
S: randomly choose ri, ti ∈ Z*q; compute mi = h1(IDi), kDBi1 = ti^{-1}·(γ + mi + riµ)^{-1}, kDBi2 = ti^{-1}·(γ + mi + riµ)^{-1}·P1, kDAi = ti mod q; generate linear encryption key pair (pk, dk)
S → DBi: (ri, kDBi1, kDBi2, pk, dk); S → DAi: (kDAi, pk)
DBi: store (ri, kDBi1, kDBi2, pk, dk); DAi: store (kDAi, pk)

(1) S chooses ti, ri ← Z*q at random and computes mi = h1(IDi). Then, S sets kDBi = (ri, kDBi1, kDBi2) = (ri, ti^{-1}·(γ + mi + riµ)^{-1}, ti^{-1}·(γ + mi + riµ)^{-1}·P1) as DBi's shared key and kDAi = ti mod q as DAi's shared key.

(2) S chooses xe, ye ← Z*q at random, sets M = xe·P1, N = ye·P1, and sends the keys (kDBi, pk = (M, N), dk = (xe, ye)) to DBi and the other keys (kDAi, pk = (M, N)) to DAi.

(3) S computes PIDi = (γ + mi + riµ)P2 = u + miP2 + riv as Ui's public key. Note that the private key of Ui is (ri, ti·kDBi2) = (ri, (γ + mi + riµ)^{-1}P1).

4.3. Mutual Authentication & Key Exchange phase


In this phase, Ui and S mutually authenticate and then establish a session key. As described in Table 4, the details are presented as follows:

(1) Round 1:
(a) DBi chooses kB ← Z*q at random and computes DB = kB·P1.
(b) DBi picks r, s ← Z*q at random and calculates c1 = L.Enc_pk(kDBi1; r, s) = (A, B, C).
(c) DBi transmits (com−prove, sid‖1, (DB, c1), (kB, kDBi1, r, s)) to F^{REQ}_{com−zk} (i.e., DBi provides a commitment to DB, c1 and a proof for the relation REQ, described in Appendix A.4).

(2) Round 2:
(a) DAi obtains (proof−receipt, sid‖1) from F^{REQ}_{com−zk}.
(b) DAi chooses kA ← Z*q at random and computes DA = kA·P1.
(c) DAi sends (prove, sid‖2, DA, kA) to F^{RDL}_{zk}.

(3) Round 3:
(a) DBi gets (proof, sid‖2, DA) from F^{RDL}_{zk}; if not, it aborts.
(b) DBi transmits (decom−proof, sid‖1) to F^{REQ}_{com−zk}.

Table 4: Mutual authentication & Key agreement phase

DAi holds (kDAi, pk); DBi holds (kDBi, pk, dk); S holds (γ, µ).

DBi: Select kB ← Z*q; compute DB = kB·P1, c1 = Enc_pk(kDBi1) = (A, B, C); compute proof π1; compute commitment to DB, c1, π1.
DBi → DAi: commit
DAi: Choose kA ← Z*q; compute DA = kA·P1; compute proof π2.
DAi → DBi: DA, π2
DBi: Verify proof π2.
DBi → DAi: decommit to DB, c1, π1
DAi: Select a, b ← Z*q; compute with re-randomization c2 = (ti kA·A + a·M, ti kA·B + b·N, ti kA·C + (a + b)·P1).
DAi → DBi: c2
DBi: Compute σi = kB·L.Dec_dk(c2), R = kB·DA; verify e(σi, PIDi) = e(R, P2); compute proof π3; compute signature of knowledge σu = (R, T1, T2, T3, π3).
DBi → S: {σu, TSM1}
S: Verify σu; select c, d ← Z*q; compute σi = T3 − γ^{-1}T1 − µ^{-1}T2, T4 = c·M, T5 = d·N, T6 = (c + d)·P1, ν = h5(R, σi, T1, T2, γ^{-1}T1 + µ^{-1}T2, TSM2), SK_S = h6(T4, T5, T6, σi, ν).
S → DBi: {T4, T5, ν, TSM2}
DBi: Compute ν′ = h5(R, σi, T1, T2, (α + β)·P1, TSM2); verify ν′ = ν; compute T6′ = (xe)^{-1}T4 + (ye)^{-1}T5, SK_Ui = h6(T4, T5, T6′, σi, ν).

(4) Round 4:
(a) DAi receives (decom−proof, sid‖1, DB, c1) from F^{REQ}_{com−zk}; if not, it aborts.
(b) DAi chooses a, b ← Z*q at random and re-randomizes c2 = (E, F, Y) = (ti kA·A + a·M, ti kA·B + b·N, ti kA·C + (a + b)·P1).
(c) DAi sends c2 to DBi.

(5) Round 5:
(a) DBi computes R = kB·DA, σi = kB·L.Dec_dk(c2) = (γ + mi + riµ)^{-1}·R.
(b) DBi verifies that (R, P2, σi, PIDi) is a DDH tuple under (P1, P2, u, v, ri, mi) by testing whether e(σi, PIDi) = e(σi, u + mi·P2 + ri·v) = e(R, P2). If not, it aborts.
(c) DBi sends (prove, sid‖4, (R, û, v̂, u, v, P2), (mi, ri, σi)) to F^{RSDH}_{zk}.
(d) DBi sends {TSM1} to S (where TSM1 is the current time stamp).

(6) Round 6:
(a) S receives (proof, sid‖4, (R, û, v̂, u, v, P2)) from F^{RSDH}_{zk} and checks the freshness of TSM1; if not, it aborts.
(b) S chooses c, d ← Z*q at random and computes T4 = c·M, T5 = d·N and T6 = (c + d)·P1. Then, S parses the signature of knowledge σu = (R, T1, T2, T3, π3) and computes σi = L.Dec_(γ,µ)(T1, T2, T3) and ν = h5(R, T1, T2, γ^{-1}T1 + µ^{-1}T2, σi, TSM2) (where TSM2 is the current time stamp).
(c) S computes the session key SK_S = h6(T4, T5, T6, σi, ν) and sends {T4, T5, ν, TSM2} to DBi.

(7) Output:
(a) DBi checks the freshness of TSM2 and whether the equation ν′ = h5(R, (α + β)·P1, T1, T2, σi, TSM2) holds; if not, it aborts.
(b) DBi computes T6′ = (xe)^{-1}T4 + (ye)^{-1}T5 and the session key SK_Ui = h6(T4, T5, T6′, σi, ν′).

Correctness. It is easy for DAi to compute

c2 = (ti kA A + aM, ti kA B + bN, ti kA C + (a + b)P1)
   = ((ti kA r + a)M, (ti kA s + b)N, ((ti kA r + a) + (ti kA s + b))P1 + (ti kA ti^{-1}(γ + mi + riµ)^{-1})P1).

Then, DBi can compute

σi = kB·L.Dec_dk(c2) = (kB kA (γ + mi + riµ)^{-1})·P1 = (γ + mi + riµ)^{-1}·R   (where R = kA·kB·P1),

and verify e(σi, u + miP2 + riv) = e(R, P2).
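The registration-time key split of Section 4.2 and the Round 1 to Round 5 computation above, as an added worked example that is not part of the paper: linear encryption (L.Gen, L.Enc, L.Dec, scalar multiplication with re-randomization) runs over a small constructed prime-order subgroup of Z_p^* standing in for G1, written multiplicatively (g stands for P1, so the paper's x·P1 is g**x). The commitment and zero-knowledge steps are omitted, and since there is no pairing here, the Round 5(b) check e(σi, PIDi) = e(R, P2) is replaced by a check that uses the server secret γ + mi + riµ, which only a test harness that knows that secret can perform.

```python
"""Added example (not the paper's code): linear encryption and the DA/DB
authentication-key generation of Sections 3.1.3 and 4.3, run over a
constructed prime-order subgroup of Z_p^* instead of a pairing group G1.
Multiplicative notation: the paper's x * P1 is pow(G, x, P) here."""
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 with p, q prime, G of order q.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1   # G generates the order-q subgroup


def rand_zq():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


def inv_q(x):
    """Inverse of x in Z_q^*."""
    return pow(x, -1, Q)


def l_gen():
    """L.Gen: pk = (M, N) = (xe*P1, ye*P1), dk = (xe, ye)."""
    xe, ye = rand_zq(), rand_zq()
    return (pow(G, xe, P), pow(G, ye, P)), (xe, ye)


def l_enc(pk, m, r=None, s=None):
    """L.Enc(pk, m; r, s) = (r*M, s*N, (r+s)*P1 + m*P1)."""
    M, N = pk
    r = rand_zq() if r is None else r
    s = rand_zq() if s is None else s
    return (pow(M, r, P), pow(N, s, P), pow(G, (r + s + m) % Q, P))


def l_dec(dk, c):
    """L.Dec returns the group element m*P1 = T3 - xe^-1*T1 - ye^-1*T2, not m."""
    xe, ye = dk
    t1, t2, t3 = c
    r_p1 = pow(t1, inv_q(xe), P)          # xe^-1 * T1 = r*P1
    s_p1 = pow(t2, inv_q(ye), P)          # ye^-1 * T2 = s*P1
    return t3 * pow(r_p1 * s_p1 % P, -1, P) % P


def scale_and_rerandomize(pk, c, w, dr=None, ds=None):
    """w * c with fresh randomness: Enc_pk(w*m; w*r + dr, w*s + ds)."""
    M, N = pk
    t1, t2, t3 = c
    dr = rand_zq() if dr is None else dr
    ds = rand_zq() if ds is None else ds
    w %= Q
    return (pow(t1, w, P) * pow(M, dr, P) % P,
            pow(t2, w, P) * pow(N, ds, P) % P,
            pow(t3, w, P) * pow(G, (dr + ds) % Q, P) % P)


def register(gamma, mu, m_i, r_i, t_i):
    """Registration (Section 4.2): S splits (gamma + m_i + r_i*mu)^-1 so that
    DA holds t_i and DB holds kDB1 = t_i^-1 * (gamma + m_i + r_i*mu)^-1.
    The server secret x_i is returned only so a test can check the result."""
    x_i = (gamma + m_i + r_i * mu) % Q
    k_db1 = inv_q(t_i) * inv_q(x_i) % Q
    pk, dk = l_gen()
    da = {"k_da": t_i % Q, "pk": pk}
    db = {"k_db1": k_db1, "pk": pk, "dk": dk}
    return da, db, x_i


def generate_auth_key(da, db):
    """Rounds 1-5 of Section 4.3 (commitment/ZK steps omitted); returns (R, sigma)."""
    # Round 1: DB picks kB and publishes c1 = Enc_pk(kDB1). DB = kB*P1 is only
    # needed for the commitment and proof, which are omitted here.
    k_b = rand_zq()
    c1 = l_enc(db["pk"], db["k_db1"])
    # Round 2: DA picks kA and publishes DA = kA*P1.
    k_a = rand_zq()
    d_a = pow(G, k_a, P)
    # Round 4: DA computes c2 = Enc_pk(t_i*kA*kDB1) without ever seeing kDB1.
    c2 = scale_and_rerandomize(da["pk"], c1, da["k_da"] * k_a)
    # Round 5: DB sets R = kB*DA and sigma = kB*Dec_dk(c2) = (gamma+m+r*mu)^-1 * R.
    R = pow(d_a, k_b, P)
    sigma = pow(l_dec(db["dk"], c2), k_b, P)
    return R, sigma


def is_valid_auth_key(R, sigma, x_i):
    """Stand-in for the pairing test e(sigma, PID_i) = e(R, P2): with the server
    secret x_i = gamma + m_i + r_i*mu known, validity means x_i*sigma == R."""
    return pow(sigma, x_i, P) == R
```

Neither device ever holds (γ + mi + riµ)^{-1} in full: DA sees only ti and a ciphertext, DB sees only ti^{-1}(γ + mi + riµ)^{-1}, yet the decrypted, kB-scaled result verifies against R.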

For the server side, its correctness follows from the completeness of protocol A.C.

5. Security Proofs

We theoretically prove the proposed scheme to be secure under the Decision linear assumption and the qs-mSDH assumption in the random oracle model. Let F1, F2 be two forgers. We prove the AKE security (Theorem 1) via two lemmas. In Lemma 1, we prove that no F1 can forge authentication keys in the case of a corrupted DAi or DBi. In Lemma 2, we show that no F2 can forge users' authentication transcripts, building on the result of Lemma 1. By using these results (Lemma 1 and Lemma 2), Theorem 1 is easy to prove.

Lemma 1. Assume that linear encryption is semantically secure and the qs-mSDH assumption holds. If there is a (t′, ε′)-adversary A that forges authentication keys, then there is a (t, ε)-attacker B that breaks the hardness of the qs-mSDH assumption, where ε = (1/2)(ε′ − qs/q) (or (1/2)(ε′/qs − 1/q)) and t = t′ + Θ(qs²).

Proof. Let A be an adversary who has corrupted DAi or DBi (at most one of them is controlled); then we build an attacker B for the qs-mSDH assumption. First, we consider the case where DBi is corrupted.

B is given an instance $(P_1, xP_1, x^2P_1, \ldots, x^{q_s}P_1, P_2, xP_2)$ of the qs-mSDH assumption for unknown x ∈ Z*q, and then B aims to produce $(m, \frac{1}{x+m}P_1)$ for m ∈ Z*q. B begins by choosing randomly ω1, ω2, ..., ωqs ∈ Z*q. Letting $f(X) = \prod_{i=1}^{q_s-1}(X+\omega_i) = \sum_{i=0}^{q_s-1}\alpha_i X^i$, B computes

$P_1' = \sum_{i=0}^{q_s-1}\alpha_i (x^i P_1) = f(x)P_1.$

Then, B creates a public key by picking µ ∈ Z*q and (û, v̂) ∈ G1², and returns to A the public key (P1′, P2, û, v̂, u = xP2, v = µP2). Next, B should generate an authentication key (ri, σi) on mi where mi = h1(IDi). Letting $f_i(X) = f(X)/(X+\omega_i) = \prod_{j=1, j\neq i}^{q_s-1}(X+\omega_j) = \sum_{j=0}^{q_s-2}\beta_j X^j$, B computes

$\sigma_i' = \sum_{j=0}^{q_s-2}\beta_j (x^j P_1) = f_i(x)P_1 = \frac{1}{x+\omega_i}P_1'.$

B also chooses ri ∈ Z*q such that mi + µri = ωi. In principle, B computes σi = φi σi′ by picking φi ∈ Z*q. Then, (σi, ri) is a valid authentication key on mi since

e(σi, u + miP2 + riv) = e(σi, u + (mi + riµ)·P2) = e(σi, u + ωi·P2) = e(φi·P1′, P2).

B returns P′IDi = u + miP2 + riv to A and responds to A as follows:

1. B gets (1^λ, pk = (M, N)), where pk denotes a public key whose corresponding private key B does not know.

2. B calls A on input (1^λ, pk) and simulates the response of the oracle Π, answering as follows:

(a) B parses the first message into the form (com−prove, sid‖1, (DB, c1), (kB, kDBi1, r, s)) that DBi sends to F^{REQ}_{com−zk}. If DB = kB·P1′ and c1 = Enc_pk(kDBi1; r, s) then B sets DA = kB^{-1}·φi P1′; else DA is chosen randomly. B sets the response of the oracle to be (proof, sid‖2, DA).

(b) B parses the second message into the form (decom−proof, sid‖1) from A. If DB ≠ kB·P1′ or c1 ≠ Enc_pk(kDBi1; r, s) then B simulates DBi aborting and the experiment finishes. If not, B selects a, b ← Z*q at random, calculates c2 = (a·M, b·N, (a + b)·P1′ + kB^{-1}·σi) = Enc_pk(kB^{-1}φi(x + mi + µri)^{-1}; a, b), and sets the response of the oracle to be c2.

Note that we prove that the joint distributions over A's view and DAi's output are the same in the above simulation and in the real world. The main difference is DA: DAi chooses kA ← Z*q at random and computes DA = kA·P1′, whereas B computes DA = kB^{-1}·φi P1′. Since φi is chosen randomly, the distributions over kA·P1′ and kB^{-1}·φi P1′ are identical. Therefore, the only difference is c2: c2 = Enc_pk(kB^{-1}φi(x + mi + µri)^{-1}) = Enc_pk(φ1) in the simulation, whereas c2 = Enc_pk(ti kA·kDBi1) = Enc_pk(kA·(x + mi + µri)^{-1}) = Enc_pk(φ2) in a real execution. As long as the linear encryption key is valid, the distribution of φ2 in the real world is as above. Therefore, we just show that c2 is a legitimate ciphertext in the simulation and in a real execution by deciding the equations e(σi, PIDi) = e(R, P2) (resp., e(σi, P′IDi) = e(φi P1′, P2)). If the equation holds, the distributions over φ1 and φ2 are indistinguishable. Thus, the joint distributions over A's view and DAi's output are identical.

Finally, if B is not interrupted, A outputs a valid forgery (m*, r*, σ*). There are two types of forgery:

• If m* + µr* ∉ {ω1, ..., ωqs}. For any valid pair (m̃, r̃, σ̃), σ̃ is uniquely identified by m̃ and r̃. The remainder of the proof follows a similar approach to the Opener of [28]. Suppose that Opener is an unbounded algorithm that, given (P1′, u, v, µ) and a pair (m*, r*, σ*), outputs φ* ∈ Z*q such that e(σ*, u + m*P2 + r*v) = e(σ*, u + (m* + µr*)P2) = e(φ*·P1′, P2). That is, the algorithm finds the correct random number φ* so that the equation holds. Let ω* = m* + µr*, f(X) = f′(X)(X + ω*) + ρ for some ρ ∈ Z*q, and $f'(X) = \sum_{j=0}^{q_s-2}\tau_j X^j$. Note that

$(\varphi_*)^{-1}\cdot\sigma_* = \frac{1}{x+\omega_*}\cdot P_1' = \frac{f(x)}{x+\omega_*}\cdot P_1 = \left(f'(x) + \frac{\rho}{x+\omega_*}\right)\cdot P_1.$

B computes $\frac{1}{x+\omega_*}\cdot P_1 = \big((\varphi_*)^{-1}\sigma_* - f'(x)\cdot P_1\big)\cdot\rho^{-1}$ with $f'(x)\cdot P_1 = \sum_{j=0}^{q_s-2}\tau_j (x^j\cdot P_1)$. B outputs $(\omega_*, \frac{1}{x+\omega_*}\cdot P_1)$ as the solution to the qs-mSDH problem. If A is an (ε, t)-adversary that forges an authentication key, then B wins with the same probability ε in time t + Θ(qs²).

• If m* + µr* = ωi for some i ∈ {1, ..., qs}. B chooses γ ∈ Z*q and (û, v̂) ∈ G1², and returns (P1′, P2, û, v̂, u = γP2, v = xP2) to A. B defines ri = (γ + mi)/ωi and σi = φi σi′ by picking φi ∈ Z*q, and records (mi, ri, φi, miP2 + riv) in a table L. Then, ((ri)^{-1}·σi, ri) is a valid authentication key on mi since

e((ri)^{-1}·σi, u + miP2 + riv) = e((ri)^{-1}·σi, γP2 + miP2 + riv) = e(σi, (ri)^{-1}(γ + mi)·P2 + v) = e(σi, ωi·P2 + v) = e(φi·P1′, P2).

If (m*, r*, σ*) is valid, B finds (mj, rj, φj, mjP2 + rjv) in the table L such that mjP2 + rj(xP2) = m*P2 + r*(xP2), namely mj + rjx = m* + r*x. Because mj ≠ m* and rj ≠ r* (otherwise, (m*, r*, σ*) is the same authentication key that B computed before), B computes x = (m* − mj)/(rj − r*). Therefore, B can forge a solution to the qs-mSDH problem on any identity. If A is an (ε, t)-adversary that forges an authentication key, then B wins with probability ε − qs/q in time t + Θ(qs²).

B guesses which kind of forgery occurs with probability 1/2; assuming the more pessimistic of the two cases proves Lemma 1. Therefore, B obtains a solution to the qs-mSDH instance with probability (1/2)(ε − qs/q) in time t + Θ(qs²).

Next, we consider a corrupt $DA_i$. We use the same method as for a corrupted $DB_i$, with one difference: the ciphertext may be incorrectly computed by A, and B cannot detect this (since B does not know the private key). We deal with this issue by fixing some points at which to simulate $DA_i$ aborting. Namely, B chooses a random $i \in \{1, 2, \ldots, q_s\}$, where $q_s - 1$ is the number of queries made by A to Π. If B chooses correctly, the simulation is perfect. Intuitively, the success probability is $\frac{1}{q_s}$.

(1) B receives $(1^\lambda, pk)$, where pk denotes the public key, without knowing the corresponding private key.

(2) Suppose that A makes multiple queries to Π. Then, B chooses a random $i \in \{1, 2, \ldots, q_s\}$.

(3) B calls A on input $(1^\lambda, pk)$ and simulates the response of oracle Π, answering as follows:

(a) B parses the first message into the form $(\mathrm{prove}, sid\|2, D_A, k_A)$ that $DA_i$ sends to $F_{zk}^{R_{DL}}$. B verifies that $D_A = k_A \cdot P_1'$; otherwise, it simulates $DA_i$ aborting. B computes $D_B = (k_A)^{-1} \varphi_i P_1'$ and $c_1 = Enc_{pk}(\tilde k_{DB_{i1}})$ for $\tilde k_{DB_{i1}} \xleftarrow{R} \mathbb{Z}_q^*$, and fixes the response of the oracle to be $(\mathrm{decom\text{-}proof}, sid\|1, D_B, c_1)$.

(b) B parses the second message into $c_2$. If this is the i-th query made by A to Π, then B simulates $DB_i$ aborting. Otherwise, it continues.

B guesses j such that $DB_i$ does not obtain a valid authentication key $(r_i, \sigma_i)$ with $\varphi_i P_1'$. Similarly, the distributions over $k_B \cdot P_1'$ and $(k_A)^{-1} \varphi_i P_1'$ are identical. Then, if $j = i$, the only difference is the ciphertext $c_1$: $c_1 = Enc_{pk}(k_{DB_{i1}})$ in a real execution, whereas $c_1 = Enc_{pk}(\tilde k_{DB_{i1}})$ for a random $\tilde k_{DB_{i1}}$ in the simulation. As long as the public key pk is valid, the indistinguishability of $c_1$ reduces to the indistinguishability of the linear encryption scheme. Nevertheless, B has no information about the private key for linear encryption. Hence, B guesses $j = i$ with probability $\frac{1}{q_s}$. If A is an $(\epsilon, t)$-adversary that forges authentication keys, B outputs an instance of the $q_s$-mSDH problem by using the same strategy with probability $\frac{1}{q_s} \cdot \frac{1}{2}(\epsilon - q_s/q) = \frac{1}{2}(\epsilon/q_s - 1/q)$ in time $t + \Theta(q_s^2)$.

Lemma 2. Assume that linear encryption is semantically secure and the $q_s$-mSDH assumption holds. Suppose an adversary A1 can forge a user's authentication messages in time t with probability ε, and let $q_{h_1}, q_{h_4}, q_S$ and $q_E$ be the number of queries made by A1 to $h_1$, $h_4$, Send and Extract, respectively. Then there is an attacker B1 that breaks the hardness of the $q_s$-mSDH assumption. In particular, we have
$$\epsilon \le q_s \sqrt{\frac{2 q_{h_1} q_{h_4} q_E \,\big(Adv^{q_s\text{-}mSDH}_{B_1}(t) + \frac{q_s}{q}\big)}{(q_{h_1} + 1 - q_s)(q_E + 1 - q_s)}} + \frac{4 q_s}{q} + Adv^{Forge_1}(t)$$
where $Adv^{Forge_1}(t)$ is the maximum advantage of any F1 with time t, and $Adv^{q_s\text{-}mSDH}_{B_1}(t)$ is the advantage for the $q_s$-mSDH assumption.

Proof. Suppose A1 is a forger algorithm that forges authentication messages. Consider the following two cases: one is to output authentication transcripts by forging authentication keys (r, σ), and the other is to output a forgery based on users' transcripts. We deal with each of these two cases as follows.

For the first case, we can create a Forger F1 that runs A1 as a subroutine to generate authentication keys (r, σ). F1 follows the Appendix A.3 procedure with the keys to get a signature $\sigma_u$ on m, and returns $\langle \sigma_u, TS_{M_1} \rangle$ to A1. Let $Forge_1$ denote the event that A1 successfully outputs authentication keys. The advantage of F1 satisfies $Pr_{A_1}[Forge_1] \le Adv^{Forge_1}_{F_1}(t) \le Adv^{Forge_1}(t)$. By Lemma 1, $Pr_{A_1}[Forge_1]$ is negligible.

Next, consider the second case. We can build an algorithm B1 that breaks the hardness of the $q_s$-mSDH assumption. Given an instance of the $q_s$-mSDH problem $(P_1, xP_1, \ldots, x^{q_s} P_1, P_2, xP_2)$, the goal of B1 is to output $(m, \frac{1}{x + m} P_1)$ for some $m \in \mathbb{Z}_q^*$. Suppose that B1 considers the more pessimistic case to set the public parameters $(P_1', P_2, \hat u, \hat v, u = \gamma P_2, v = x P_2)$ (known γ), and returns them to A1. B1 also creates a list L of tuples $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$. B1 defines the event $ID_i = ?$ to indicate that $(r_?, (r_i)^{-1}\sigma_?)$ is not known. B1 begins by interacting with A1 as follows:

• $h_1$-query: When A1 makes an $h_1$-query $ID_i$, if $ID_i \neq ?$, then B1 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L, returns $m_i$ and records $(ID_i, m_i)$ in $L_{h_1}$. Otherwise, B1 aborts.

• $h_i$-query (i = 2, 3, 4): When A1 makes an $h_i$-query $e_j$, B1 returns $f_j$ for $f_j \xleftarrow{R} \mathbb{Z}_q^*$ and records $(e_j, f_j)$ in $L_{h_i}$.

• Extract-query: When A1 makes an Extract query, if $ID_i \neq ?$, B1 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L and returns $(r_i, (\varphi_i r_i)^{-1}\sigma_i)$ to A1. Otherwise, B1 aborts.

• Send-query: When A1 makes a Send query, if $ID_i \neq ?$, B1 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L, follows the Π procedure with $(r_i, (r_i)^{-1}\sigma_i)$ to obtain a signature $\sigma_u = (\varphi_i P_1', T_1, T_2, T_3, \pi_3)$, and returns $(\sigma_u, TS_{M_1})$ to A1. Otherwise, B1 uses the simulator of the Appendix A.3 protocol to obtain a transcript $(R, T_1, T_2, T_3, \psi_1, c, \psi_2)$, where $\psi_1 = (R_1, R_2, R_3, R_4, R_5, R_6, R_7)$ and $\psi_2 = (s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, s_{\delta_2}, s_{\delta_3}, s_{\delta_4})$. Then, B1 sets the signature $\sigma_u = (R, T_1, T_2, T_3, c, \psi_2)$. In addition, we have to program the oracle $h_4$ at $(\varphi_i P_1', T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, R_6, R_7)$ to return c. The probability of encountering a collision is $\frac{q_{h_4} q_S + q_S^2}{q^{11}}$ (assuming $q_S \ll q_{h_4} \ll q$, this probability is negligible). If a collision happens, B1 aborts. Otherwise, B1 returns $(\sigma_u, TS_{M_1})$ to A1.

Finally, if B1 does not abort, A1 outputs a valid authentication message tuple $\langle \sigma_u^*, TS_{M_1} \rangle$ with probability ε, without access to the oracle $h_4$. By using the extractor of the Appendix A.3 protocol and the method of the Forking Lemma [29], B1 obtains a pair $(\tilde m, \tilde r, \tilde\sigma)$ with probability $(1 - \frac{q_s - 1}{q_{h_1}})(1 - \frac{q_s - 1}{q_E}) \frac{(\epsilon/q_s - 1/q)^2}{32 q_{h_4}}$ (this is the use of Boneh et al. [16, Theorem 5.3]). The remainder of Lemma 2 follows closely the methodology of Lemma 1. Thus, B1 outputs an instance of the $q_s$-mSDH problem with probability at least $(1 - \frac{q_s - 1}{q_{h_1}})(1 - \frac{q_s - 1}{q_E}) \frac{(\epsilon/q_s - 1/q)^2}{32 q_{h_4}} - \frac{q_s}{q}$. Note that an instance of the $q_s$-mSDH problem can be turned into $q_s - 1$ SDH pairs.

Theorem 1. Assume that linear encryption is semantically secure and the $q_s$-mSDH assumption holds. If an adversary A2 with time t breaks the proposed protocol Π, then Π is AKE secure under the Decision linear and $q_s$-mSDH assumptions provided that
$$Adv^{AKE}_{\Pi, A_2} \le \frac{q_{h_1} q_E q_C (q_S)^2 (q_R)^2\, Adv^{Decision\text{-}LA}_{G_1}(t)}{(q_{h_1} + 1 - q_s)(q_E + 1 - q_s)(q_C + 1 - q_s)(q_R - 1)(q_s - 1)} + Adv^{Forge_2}(t)$$
where $Adv^{Forge_2}(t)$ is the advantage of F2, $Adv^{Decision\text{-}LA}_{G_1}$ is the advantage for the Decision linear assumption, and $q_S, q_E, q_C$ and $q_R$ are the number of queries made by A2 to Send, Extract, Corrupt and Reveal, respectively.

Proof. Let A2 be an adversary for Π. Consider the following two cases: one is to break the protocol by forging authentication transcripts, and the other is to break the protocol without deviating from it. We deal with each of these two cases as follows.

For the first case, we can construct a Forger F2 that runs A2 as a subroutine to generate a valid transcript $(\sigma_u, TS_{M_1})$. F2 generates the system parameters and private keys that Π requires, and simulates the responses of the oracles of Π. Let $Forge_2$ denote the event that A2 outputs a valid authentication message. The advantage of F2 satisfies $Pr_{A_2}[Forge_2] \le Adv^{Forge_2}_{F_2}(t) \le Adv^{Forge_2}(t)$. By Lemma 2, $Pr_{A_2}[Forge_2]$ is negligible.

Next, consider the second case. We build an attacker B2 that breaks the Decision linear assumption. Given an instance of the $q_s$-mSDH problem $(P_1, xP_1, \ldots, x^{q_s} P_1, P_2, xP_2)$, assume that B2 considers the more pessimistic case to set the public parameters $(P_1', P_2, \hat u, \hat v, u = \gamma P_2, v = x P_2)$ (known γ), and returns them to A2. B2 also creates a list L of tuples $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ for $i \in [q_s - 1]$. B2 defines the event $ID_i = ?$ to indicate that $(r_?, (r_i)^{-1}\sigma_?)$ is not known. Given an instance of the Decision linear assumption $(M, N, P, c \cdot M, d \cdot N, \eta)$, the goal of B2 is to distinguish $\eta = (c + d) \cdot P$ from a random element of $G_1$. B2 guesses j such that A2 makes a Test query in the j-th session. B2 returns (M, N, P) to A2 and begins by interacting with A2 as follows:

• $h_1(ID_i)$-query: When A2 makes a query, if $ID_i \neq ?$, then B2 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L, returns $m_i$ and records $(ID_i, m_i)$ in $L_{h_1}$. Otherwise, B2 aborts.

• $h_i(e_j)$ (i = 2, 3, 4, 5, 6): When A2 makes a query, B2 returns $f_j$ for $f_j \xleftarrow{R} \mathbb{Z}_q^*$ and records $(e_j, f_j)$ in $L_{h_i}$.

• Send: there are two types of Send queries:
(1) Send($\Pi^k_U$, M): The query follows closely the approach of Lemma 2 (Send query). Finally, B2 outputs $\langle \sigma_u, TS_{M_1} \rangle$ and returns it to A2.
(2) Send($\Pi^k_S$, M): If the query $\langle \sigma_u = (R, T_1, T_2, T_3, \pi_3), TS_{M_1} \rangle$ is made in the j-th session and $j \in [q_s - 1]$, B2 finds $(m_j, r_j, \varphi_j, \sigma_j, m_j P_2 + r_j v)$ in L, computes $T' = T_3 - \sigma_j$ and $\nu = h_5(R, T_1, T_2, T', \sigma_j, TS_{M_2})$, returns $\langle T_4, T_5, \nu, TS_{M_2} \rangle$ (where $T_4 = c \cdot M$ and $T_5 = d \cdot N$) and adds ν to L; else B2 aborts. If the query is not made in the j-th session, B2 chooses $T_4, T_5, \nu$ at random and returns $\langle T_4, T_5, \nu, TS_{M_2} \rangle$.

• Execute(U, S): When A2 makes a query, B2 responds with the transcripts $\langle\langle \sigma_u, TS_{M_1} \rangle, \langle T_4, T_5, \nu, TS_{M_2} \rangle\rangle$ by employing the results of the above queries.

• Extract($ID_i$): When A2 makes a query, if $ID_i \neq ?$, B2 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L and returns $(r_i, (\varphi_i r_i)^{-1}\sigma_i)$ to A2. Otherwise, B2 aborts.

• Corrupt($ID_i$): When A2 makes a query, if $ID_i \neq ?$, B2 finds $(m_i, r_i, \varphi_i, \sigma_i, m_i P_2 + r_i v)$ in L and returns $(r_i, (\varphi_i r_i)^{-1}\sigma_i)$ to A2. Otherwise, B2 aborts.

• Reveal($\Pi^k_U$): When A2 makes a query, if this is the j-th session, then B2 aborts and exits. Otherwise, B2 runs Π to obtain the session key of an instance and returns it to A2.

• Test: When A2 makes a query, if this is the j-th session, B2 finds $((m_j, r_j, \varphi_j, \sigma_j, m_j P_2 + r_j v), \nu)$ in L, and returns $h_6(T_4, T_5, \eta, \sigma_j, \nu)$ as the session key. Otherwise, B2 declares failure and exits.

If A2 succeeds in the game with probability ε, then B2 can decide whether $\eta = (c + d) \cdot P$ or not. Let $q_S, q_E, q_C$ and $q_R$ be the number of queries made by A2 to Send, Extract, Corrupt and Reveal, respectively. If B2 does not abort, the probability is
$$(1 - (q_s - 1)/q_{h_1})(1 - (q_s - 1)/q_E)(1 - (q_s - 1)/q_C)(1 - 1/q_R)(1/q_R) = \frac{(q_{h_1} + 1 - q_s)(q_E + 1 - q_s)(q_C + 1 - q_s)(q_R - 1)}{q_{h_1} q_E q_C (q_R)^2}.$$
In the above game, the probability that B2 correctly guesses j and that $j \in [q_s - 1]$ is $\frac{1}{q_S} \cdot \frac{q_s - 1}{q_S}$. Thus, B2 outputs a solution to the Decision linear problem with probability at least
$$\frac{(q_{h_1} + 1 - q_s)(q_E + 1 - q_s)(q_C + 1 - q_s)(q_R - 1)(q_s - 1)}{q_{h_1} q_E q_C (q_R)^2 (q_S)^2}.$$
In the end, we obtain that the advantage of A2 in the second case is bounded by
$$\frac{q_{h_1} q_E q_C (q_S)^2 (q_R)^2\, Adv^{Decision\text{-}LA}_{G_1}(t)}{(q_{h_1} + 1 - q_s)(q_E + 1 - q_s)(q_C + 1 - q_s)(q_R - 1)(q_s - 1)}.$$

Theorem 2. Assume that linear encryption is semantically secure. Then our protocol guarantees anonymity, provided that $Adv^{anon}_\Pi(A) = Adv^{ss}_{Decision\text{-}mLA}(B)$, where $Adv^{ss}_{Decision\text{-}mLA}(B)$ is the advantage against linear encryption.

Proof. Let A be an attacker who breaks the anonymity of the proposed protocol with probability ε. We build B as the attacker on linear encryption with probability at least ε.

First, B is given (P, M, N) from its own challenger. It generates the remaining system parameters by following the initialization and registration phases. Next, B runs Π and provides A with the public parameters $(P, M, N, \hat u, \hat v, u, v, P_{ID_i})$ and the users' private authentication keys $(r_i, \sigma_i)$. In addition, A is given the server secret keys γ, µ from the Reg oracle. When the random oracle $h_4$ is queried by A, B returns a random element of $\mathbb{Z}_q^*$. A provides two identities $ID_{i_0}$ and $ID_{i_1}$. B generates the corresponding private keys $\sigma_{i_0}, \sigma_{i_1}$ and outputs $(r_{i_0}, \sigma_{i_0}), (r_{i_1}, \sigma_{i_1})$ to its own challenger. The linear encryption challenger returns a linear encryption of $\sigma_{u_{i_b}}$ for $b \xleftarrow{R} \{0, 1\}$. B runs the simulator of the Appendix A.3 protocol with $(T_1, T_2, T_3)$, and returns a signature $\sigma_u$ to A. In the end, A outputs $b'$ as its guess, and B sets $b'$ as its response. Therefore, A winning against anonymity with probability ε leads to B attacking linear encryption with the same advantage.

5.1. Informal security analysis

Beyond the formal analysis above, the proposed solution for the mobile Internet should achieve the security properties below.

• Mutual authentication: From Lemma 1 and Theorem 1, we show that no adversary successfully forges the authentication transcripts of users and servers. Thus, the proposed authentication protocol achieves mutual authentication.

• Unlinkability: This property states that no adversary who can view the Internet traffic is able to track which servers/services a given user is communicating with [6]. Even if a server is controlled by an adversary, it will learn nothing. Suppose that an adversary is given the private key of the servers; he can only obtain an authenticated key by decrypting a ciphertext. Thus, the proposed protocol achieves unlinkability.

• Session key exchange: Section 4 shows that users and servers can compute the same $T_6 = (x_e)^{-1} T_4 + (y_e)^{-1} T_5$ (resp., $T_6 = (c + d) \cdot P_1$), and the common shared key $SK = h_6(T_4, T_5, T_6, \sigma_i, \nu)$. Therefore, the presented protocol achieves session key exchange.

• Resist man-in-the-middle attack: A aims to forge valid messages $\langle\langle \sigma_u, TS_{M_1} \rangle, \langle T_4, T_5, \nu, TS_{M_2} \rangle\rangle$. From Lemma 1, we show that an adversary cannot forge a user's authentication transcripts. To forge a transcript $\langle T_4, T_5, \nu, TS_{M_2} \rangle$, A chooses $c, d \xleftarrow{R} \mathbb{Z}_q^*$ and computes $T_4 = c \cdot M$, $T_5 = d \cdot N$, $\sigma_i = T_3 - (\gamma)^{-1} T_1 - (\mu)^{-1} T_2$, $\nu = h_5(R, \sigma_i, T_1, T_2, (\gamma)^{-1} T_1 + (\mu)^{-1} T_2, TS_{M_2})$. However, it is difficult for A to compute these without the private keys γ, µ of a server. Thus, the proposed protocol can stand up to man-in-the-middle attacks.

• Resist replay attack: As can be seen from Section 4, users and a server re-select new random numbers $(k_A, k_B, a, b, c, d)$ for each communication. Furthermore, the timestamps $(TS_{M_1}, TS_{M_2})$ are used to check the freshness of messages between users and a server. Therefore, the presented protocol is able to resist replay attacks.

6. Performance Analysis

We present the performance analysis for the mobile Internet, including computation and communication costs. The presented solution deals with security issues for the mobile Internet. Here, we compare our solution with the previous solution with anonymity and key protection [24] to show the advantage of our scheme.

6.1. Computation Cost

We compare computational cost by summing the time consumption of each scheme's basic operations. Since Wu et al. [24] have measured the execution time of the cryptographic operations using a personal computer as the server and a mobile device as the user, we directly use their parameters for the comparison. The configurations of these devices and their experimental results are shown in Table 5 and Table 6, respectively.

Table 5: Testing devices

Devices           Operating system   Processor
Dell              Windows 8          Intel(R) Core(TM) i5-4460S @ 2.90GHz
Samsung Galaxy    Android 4.4.2      Quad-core 2.45G

Table 6: Experiment results in [24]

Notations   Descriptions                        Samsung Galaxy   Dell
T_sm        point multiplication on G1, G2      13.405 ms        2.165 ms
T_A         point addition on G1, G2            0.081 ms         0.013 ms
T_e         bilinear pairing on G_T             32.713 ms        5.427 ms
T_h         general hash function               0.056 ms         0.007 ms
T_E         exponentiation on Z_q^*             2.249 ms         0.339 ms
T_m         multiplication on Z_q^*             0.008 ms         0.001 ms
log p       bit length of a prime p             512 bits         512 bits
log q       bit length of a prime q             160 bits         160 bits
|G1|        the length of an element of G1      1024 bits        1024 bits
|G2|        the length of an element of G2      1024 bits        1024 bits
|Z|         the length of an element of Zp      160 bits         160 bits
|TS_M|      the length of a time stamp          32 bits          32 bits

In our protocol, users need to compute thirteen point multiplications, one multiplication and six point additions for $(c_1, c_2, \sigma)$, and three point multiplications for $(R, D_A, D_B)$. Users also need four multiplications, twenty-one point multiplications, six hash function evaluations and nine point additions for the commitment, $F_{R_{eq}}$ and $F_{R_{DL}}$, and two bilinear pairings for verifying an authenticated key. To compute $\sigma_i, \nu', T_6', SK_{U_i}$, users need sixteen point multiplications, sixteen multiplications, six point additions, five bilinear pairings, five exponentiations and three hash function evaluations. Thus, the total time consumption on the user side is $53T_{sm} + 21T_A + 21T_m + 9T_h + 7T_e + 5T_E \approx 952.444$ ms. On the server side, a server executes fifteen point multiplications, seven point additions, five exponentiations, five bilinear pairings, four multiplications and three hash function evaluations for verifying a signature of knowledge $\sigma_u$ and computing $(\sigma_i, \nu, SK_S)$. Thus, it needs $19T_{sm} + 9T_A + 7T_e + 6T_E + 5T_m + 3T_h \approx 73.301$ ms in total. In particular, the pairings $e(P_1, u)$, $e(P_1, P_2)$ and $e(P_1, v)$ can be precomputed and stored by both users and servers. Accordingly, the total time consumption is cut down by $3T_e = 98.139$ ms, and the total is 854.305 ms for users. For the server side, the total is reduced to 57.02 ms.

Table 7, Fig. 4 and Fig. 5 clearly show that, on the $U_i$ side, our protocol has a lower computational cost than [24]. On the server side, our computation cost is higher than that in [24]. Given the above, our protocol is more suitable for scenarios where users use mobile devices to access remote servers.

Table 7: comparison of computation time (millisecond)

Protocols   Computation (Ui)                 Precomputation (Ui)              Computation (S)                  Precomputation (S)
[24]        1197                             none                             8.688                            none
Ours        53Tsm + 21TA + 21Tm + 9Th        53Tsm + 21TA + 21Tm + 9Th        19Tsm + 9TA + 7Te + 6TE          19Tsm + 9TA + 4Te + 6TE
            + 7Te + 5TE ≈ 952.4              + 4Te + 5TE ≈ 854.3              + 4Tm + 3Th ≈ 73.3               + 4Tm + 3Th ≈ 57.02

Table 8: comparison of communication cost (bits)

Protocols   Communication (Ui)                    Communication (S)            Sum
[24]        2400                                  1216                         3616
Ours        2|G1| + 2|G2| + 9|Z| + 32 = 5568      2|G1| + |Z| + 32 = 2240      7808

Figure 4: Computation time at the user side (ms), for [24], Ours, and Ours with precomputation.

Figure 5: Computation time at the server side (ms), for [24], Ours, and Ours with precomputation.

6.2. Communication Cost

Let $|G_1|$, $|G_2|$, $|Z|$ denote the length of elements of $G_1$, $G_2$, Z, respectively. Thus, $|G_1| = |G_2| = 1024$ bits and $|Z| = 160$ bits. Assume that the lengths of an identity and of a time stamp are 32 bits, and that the output space of the hash functions is 160 bits. In our proposed protocol, the communication costs of $U_i$ and S are $2|G_1| + 2|G_2| + 9|Z| + 32 = 5568$ bits and $2|G_1| + |Z| + 32 = 2240$ bits, respectively. Thus, the total communication consumption is $5568 + 2240 = 7808$ bits. Table 8 shows that the communication costs of $U_i$ and S are slightly higher than those of [24]. However, our protocol achieves unlinkability, which better protects user privacy. Thus, the proposed protocol is better suited to real-world scenarios.

7. Conclusion

Motivated by the practical need to secure communication on the mobile Internet, we proposed a novel anonymous authentication protocol with key protection. Further, we achieved anonymity by translating a proof of knowledge into a signature of knowledge. We theoretically proved the presented solution to be secure under the Decision linear assumption and the $q_s$-mSDH assumption in the random oracle model. The results of an instance show that the presented scheme is practically efficient. In future work, we will consider anonymous authentication with different key protection methods, such as ratcheted key exchange [30].

Acknowledgment

This work is in part supported by the National Key Research and Development Program of China (No. 2017YFB0802300), the Natural Science Foundation of China (No. 61602240), and the Research Fund of Guangxi Key Laboratory of Trusted Software (No. kx201906).

References

[1] CNNIC, The 43rd statistical report on Internet development in China, https://en.pingwest.com/w/424 (2019).
[2] Y.-N. Liu, Y.-P. Wang, X.-F. Wang, Z. Xia, J.-F. Xu, Privacy-preserving raw data collection without a trusted authority for IoT, Computer Networks 148 (2019) 340–348. doi:10.1016/j.comnet.2018.11.028.
[3] The European Parliament, the Council of the European Union, Directive 2009/136/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1551962644264&uri=CELEX:32009L0136 (2009).
[4] X. Li, Y. Zhu, J. Wang, Z. Liu, Y. Liu, M. Zhang, On the soundness and security of privacy-preserving SVM for outsourcing data classification, IEEE Transactions on Dependable and Secure Computing 15 (5) (2018) 906–912. doi:10.1109/TDSC.2017.2682244.
[5] Y. Zhu, Y. Zhang, X. Li, H. Yan, J. Li, Improved collusion-resisting secure nearest neighbor query over encrypted data in cloud, Concurrency and Computation: Practice and Experience (2018) e4681. doi:10.1002/cpe.4681.
[6] Y. Lindell, Anonymous authentication, Journal of Privacy and Confidentiality 2 (2) (2007) 4. doi:10.29012/jpc.v2i2.590.
[7] K. Barmpatsalou, T. Cruz, E. Monteiro, P. Simoes, Current and future trends in mobile device forensics: A survey, ACM Computing Surveys (CSUR) 51 (3) (2018) 46. doi:10.1145/3177847.
[8] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613. doi:10.1145/359168.359176.
[9] A. C. Yao, Protocols for secure computations, in: 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982), IEEE, 1982, pp. 160–164.
[10] Y. Lindell, Fast secure two-party ECDSA signing, in: Annual International Cryptology Conference (CRYPTO'17), Springer, 2017, pp. 613–644. doi:10.1007/978-3-319-63715-0_21.
[11] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in: Annual International Cryptology Conference, Springer, 2001, pp. 1–18. doi:10.1145/2160158.2160159.
[12] M. Zhang, Y. Zhang, Y. Jiang, J. Shen, Obfuscating EVES algorithm and its application in fair electronic transactions in public clouds, IEEE Systems Journal. doi:10.1109/JSYST.2019.2900723.
[13] Y. Dodis, J. Katz, S. Xu, M. Yung, Key-insulated public key cryptosystems, in: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2002, pp. 65–82. doi:10.1007/3-540-46035-7_5.
[14] Y. Dodis, J. Katz, S. Xu, M. Yung, Strong key-insulated signature schemes, in: International Workshop on Public Key Cryptography, Springer, 2003, pp. 130–144. doi:10.1007/3-540-36288-6_10.
[15] M. Bellare, S. Duan, A. Palacio, Key insulation and intrusion resilience over a public channel, in: Cryptographers' Track at the RSA Conference, Springer, 2009, pp. 84–99. doi:10.1007/978-3-642-00862-7_6.
[16] D. Boneh, X. Boyen, H. Shacham, Short group signatures, in: Annual International Cryptology Conference (CRYPTO'04), Springer, 2004, pp. 41–55. doi:10.1007/978-3-540-28628-8_3.
[17] D. Boneh, X. Boyen, Short signatures without random oracles and the SDH assumption in bilinear groups, Journal of Cryptology 21 (2) (2008) 149–177. doi:10.1007/s00145-007-9005-7.
[18] D. N. Hoover, B. Kausik, Software smart cards via cryptographic camouflage, in: Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No. 99CB36344), IEEE, 1999, pp. 208–215. doi:10.1109/SECPRI.1999.766915.
[19] R. Ostrovsky, M. Yung, How to withstand mobile virus attacks, in: PODC, Vol. 91, 1991, pp. 51–59. doi:10.1145/112600.112605.
[20] A. De Santis, Y. Desmedt, Y. Frankel, M. Yung, How to share a function securely, in: Proceedings of the Twenty-sixth Annual ACM Symposium on Theory of Computing, ACM, 1994, pp. 522–533. doi:10.1145/195058.195405.
[21] Y. Desmedt, Y. Frankel, Threshold cryptosystems, in: Conference on the Theory and Application of Cryptology (CRYPTO'89), Springer, 1989, pp. 307–315. doi:10.1007/0-387-34805-0_28.
[22] J. Doerner, Y. Kondi, E. Lee, A. Shelat, Secure two-party threshold ECDSA from ECDSA assumptions, in: 2018 IEEE Symposium on Security and Privacy (SP), IEEE, 2018, pp. 980–997. doi:10.1109/SP.2018.00036.
[23] Y. Lindell, A. Nof, Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (ACM CCS'18), ACM, 2018, pp. 1837–1854. doi:10.1145/3243734.3243788.
[24] L. Wu, J. Wang, K.-K. R. Choo, D. He, Secure key agreement and key protection for mobile device user authentication, IEEE Transactions on Information Forensics and Security 14 (2) (2019) 319–330. doi:10.1109/TIFS.2018.2850299.
[25] D. He, Y. Zhang, D. Wang, K.-K. R. Choo, Secure and efficient two-party signing protocol for the identity-based signature scheme in the IEEE P1363 standard for public key cryptography, IEEE Transactions on Dependable and Secure Computing. doi:10.1109/TDSC.2018.2857775.
[26] Y. Zhang, D. He, S. Zeadally, D. Wang, K.-K. R. Choo, Efficient and provably secure distributed signing protocol for mobile devices in wireless networks, IEEE Internet of Things Journal. doi:10.1109/JIOT.2018.2865247.
[27] K. Y. Choi, J. Y. Hwang, D. H. Lee, I. S. Seo, ID-based authenticated key agreement for low-power mobile devices, in: Australasian Conference on Information Security and Privacy (ACISP'05), Springer, 2005, pp. 494–505. doi:10.1007/11506157_41.
[28] M. Bellare, D. Hofheinz, S. Yilek, Possibility and impossibility results for encryption and commitment secure under selective opening, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'09), Springer, 2009, pp. 1–35. doi:10.1007/978-3-642-01001-9_1.
[29] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (3) (2000) 361–396. doi:10.1007/s001450010003.
[30] M. Bellare, A. C. Singh, J. Jaeger, M. Nyayapati, I. Stepanovs, Ratcheted encryption and key exchange: The security of messaging, in: Annual International Cryptology Conference, Springer, 2017, pp. 619–650. doi:10.1007/978-3-319-63697-9_21.
[31] A. Fiat, A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, in: Conference on the Theory and Application of Cryptographic Techniques, Springer, 1986, pp. 186–194. doi:10.1007/3-540-47721-7_12.

Appendix A. Zero-knowledge protocols

In this Appendix, we describe the zero-knowledge protocols that our protocol needs.

Appendix A.1. Zero-knowledge equality of linear encryption and discrete logarithm - REQ

We consider the relation
$$R_{eq} = \{(G_1, P_1, q, pk = (M, N), (D_B, A, B, C), (k_B, m, r, s)) \mid D_B = k_B \cdot P_1 \wedge (A, B, C) = Enc_{pk}(m; r, s)\}$$
which shows knowledge of a discrete logarithm and of the values encrypted in a linear encryption ciphertext. Note that $(A, B, C) = Enc_{pk}(m; r, s)$ means that $A = r \cdot M$, $B = s \cdot N$ and $C = (r + s) \cdot P_1 + m \cdot P_1$. The joint input $(G_1, P_1, q, pk, A, B, C)$ and the witness $(k_B, m, r, s)$ of the prover are used as follows:

(1) The prover P selects $\alpha, \beta, \gamma, \tau \xleftarrow{R} \mathbb{Z}_q^*$, and computes $W = \alpha \cdot P_1$, $X = \beta \cdot M$, $Y = \gamma \cdot N$, and $Z = (\beta + \gamma) \cdot P_1 + \tau \cdot P_1$.
(2) P sends (W, X, Y, Z) to the verifier V.
(3) V picks $c \xleftarrow{R} \mathbb{Z}_q^*$, and sends it to P.
(4) P computes $z_1 = \alpha + c \cdot k_B$, $z_2 = \beta + c \cdot r$, $z_3 = \gamma + c \cdot s$ and $z_4 = \tau + c \cdot m$.
(5) P sends $(z_1, z_2, z_3, z_4)$ to V.
(6) V accepts if the following hold:
(a) $z_1 \cdot P_1 = W + c \cdot D_B$,
(b) $z_2 \cdot M = X + c \cdot A$,
(c) $z_3 \cdot N = Y + c \cdot B$,
(d) $(z_2 + z_3) \cdot P_1 + z_4 \cdot P_1 = Z + c \cdot C$.

We describe the security of the protocol through the following three properties: completeness, soundness and zero-knowledge.

Completeness:
$$z_1 \cdot P_1 = (\alpha + c \cdot k_B) \cdot P_1 = \alpha \cdot P_1 + c \cdot k_B \cdot P_1 = W + c \cdot D_B,$$
so a) holds. For analogous reasons b) and c) hold. Finally,
$$(z_2 + z_3) \cdot P_1 + z_4 \cdot P_1 = (\beta + c \cdot r + \gamma + c \cdot s) \cdot P_1 + (\tau + c \cdot m) \cdot P_1 = \beta \cdot P_1 + (c \cdot r) \cdot P_1 + \gamma \cdot P_1 + (c \cdot s) \cdot P_1 + \tau \cdot P_1 + (c \cdot m) \cdot P_1 = (\beta + \gamma) \cdot P_1 + \tau \cdot P_1 + c \cdot ((r + s) \cdot P_1 + m \cdot P_1) = Z + c \cdot C,$$

so d) holds.

Soundness: Given $(W, X, Y, Z, c, c', z_1, z_2, z_3, z_4, z_1', z_2', z_3', z_4')$ with $c \neq c' \bmod q$, such that both $(W, X, Y, Z, c, z_1, z_2, z_3, z_4)$ and $(W, X, Y, Z, c', z_1', z_2', z_3', z_4')$ are valid transcripts, we use them to compute $(k_B, m, r, s)$ such that $D_B = k_B \cdot P_1$ and $(A, B, C) = (r \cdot M, s \cdot N, (r + s) \cdot P_1 + m \cdot P_1)$. If the transcripts are accepting, all four verification equations a)-d) hold. For simplicity, let $\Delta c = c - c'$, $\Delta z_1 = z_1 - z_1'$, and similarly for $\Delta z_2$, $\Delta z_3$ and $\Delta z_4$. Now consider a) above; we have both
$$c \cdot D_B = z_1 \cdot P_1 - W, \qquad c' \cdot D_B = z_1' \cdot P_1 - W.$$
Subtracting the equations from each other, we have
$$(c - c') \cdot D_B = (z_1 - z_1') \cdot P_1.$$
Then, we obtain $k_B = \Delta z_1 / \Delta c \bmod q$. Similarly, we obtain $m = \Delta z_4 / \Delta c \bmod q$, $r = \Delta z_2 / \Delta c \bmod q$ and $s = \Delta z_3 / \Delta c \bmod q$ such that $D_B = k_B \cdot P_1$ and $(A, B, C) = (r \cdot M, s \cdot N, (r + s) \cdot P_1 + m \cdot P_1)$.

Zero-knowledge: The simulator picks $c, z_1, z_2, z_3, z_4 \xleftarrow{R} \mathbb{Z}_q^*$ and computes
$$W = z_1\cdot P_1 - c\cdot D_B,\quad X = z_2\cdot M - c\cdot A,\quad Y = z_3\cdot N - c\cdot B,\quad Z = (z_2 + z_3)\cdot P_1 + z_4\cdot P_1 - c\cdot C.$$
If there exist $(k_B, m, r, s)$ such that $D_B = k_B\cdot P_1$ and $(A, B, C) = (r\cdot M, s\cdot N, (r + s)\cdot P_1 + m\cdot P_1)$, then
$$W = (z_1 - c\cdot k_B)\cdot P_1,\quad X = (z_2 - c\cdot r)\cdot M,\quad Y = (z_3 - c\cdot s)\cdot N,\quad Z = (z_2 - c\cdot r + z_3 - c\cdot s)\cdot P_1 + (z_4 - c\cdot m)\cdot P_1.$$
Now set $\rho_1 = z_1 - c\cdot k_B$, $\rho_2 = z_2 - c\cdot r$, $\rho_3 = z_3 - c\cdot s$ and $\rho_4 = z_4 - c\cdot m$. If $z_1, z_2, z_3, z_4$ are chosen uniformly at random, then $\rho_1, \rho_2, \rho_3, \rho_4$ are also uniformly random. The implication is that $z_1 = \rho_1 + c\cdot k_B$, $z_2 = \rho_2 + c\cdot r$, $z_3 = \rho_3 + c\cdot s$ and $z_4 = \rho_4 + c\cdot m$ for random $\rho_1, \rho_2, \rho_3, \rho_4$, exactly as in a real execution. Thus the simulator's view and the verifier's view in a real execution are identically distributed.

We remark that when using the Fiat-Shamir paradigm [31], P computes $c = h_2(P_1, M, N, D_B, A, B, C, W, X, Y, Z)$ and defines the proof to be $\pi_1 = (c, z_1, z_2, z_3, z_4)$ only. Then V derives $W = z_1\cdot P_1 - c\cdot D_B$, $X = z_2\cdot M - c\cdot A$, $Y = z_3\cdot N - c\cdot B$, $Z = (z_2 + z_3)\cdot P_1 + z_4\cdot P_1 - c\cdot C$, and verifies the hash, i.e. checks that $c = h_2(P_1, M, N, D_B, A, B, C, W, X, Y, Z)$.

Appendix A.2. Knowledge of discrete logarithm - $R_{DL}$

We propose the relation of the protocol that follows:
$$R_{DL} = \{(G_1, P_1, q, D_A), k_A \mid D_A = k_A\cdot P_1\}.$$
The proof of knowledge of a discrete logarithm is the same as the one for $R_{eq}$, except that the computation of $X, Y, Z, z_2, z_3, z_4$ and the corresponding verification equations are removed.

We remark that when using the Fiat-Shamir paradigm, P computes $c = h_4(P_1, D_B, W)$ and defines the proof to be $\pi_2 = (c, z_1)$ only. Then V derives $W = z_1\cdot P_1 - c\cdot D_B$, and verifies the hash.
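The $\Sigma$-protocol for $R_{eq}$ above (and its $R_{DL}$ special case, which keeps only the $z_1$ track) can be exercised end to end. The following Python is an added worked example, not code from the paper or its authors: it instantiates the group as the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a toy safe prime $p = 1019$ instead of the paper's elliptic-curve group $G_1$ (so $k\cdot P$ becomes modular exponentiation and $P + Q$ becomes multiplication mod $p$), takes $h_2$ to be SHA-256 reduced into $\mathbb{Z}_q^*$, and uses constructed random instances; all function names are the example's own. It runs the interactive protocol with the verifier's checks a)-d), the Fiat-Shamir variant in which the verifier re-derives $W, X, Y, Z$ from $\pi_1$, the knowledge extractor that recovers $(k_B, m, r, s)$ from two transcripts with $c \neq c'$ on the same commitment, and the simulator that picks $c, z_1, \ldots, z_4$ first.

```python
import hashlib
import secrets

# Toy stand-in for the paper's prime-order group G1 (an assumption, not the paper's
# parameters): the order-q subgroup of Z_p^* with p = 2q + 1 = 1019. The paper's
# additive notation maps as  k·P -> pow(P, k, p)  and  P + Q -> P*Q mod p.
p, q = 1019, 509
P1 = 4                                    # 2^2 mod p generates the order-q subgroup

def mul(k, P):                            # scalar multiplication k·P
    return pow(P, k % q, p)

def add(*points):                         # group operation P + Q + ...
    out = 1
    for P in points:
        out = out * P % p
    return out

def neg(P):                               # -P
    return pow(P, -1, p)

def rand_scalar():                        # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def h2(*elems):                           # Fiat-Shamir hash into Z_q^* (assumed: SHA-256 based)
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def make_instance(M, N):                  # D_B = k_B·P1 and the linear encryption (A, B, C) of m
    kB, m, r, s = (rand_scalar() for _ in range(4))
    DB = mul(kB, P1)
    A, B, C = mul(r, M), mul(s, N), add(mul(r + s, P1), mul(m, P1))
    return (DB, A, B, C), (kB, m, r, s)   # statement, witness

def commit(M, N):                         # prover's first message and its nonces
    alpha, beta, gamma, tau = (rand_scalar() for _ in range(4))
    W, X, Y = mul(alpha, P1), mul(beta, M), mul(gamma, N)
    Z = add(mul(beta + gamma, P1), mul(tau, P1))
    return (alpha, beta, gamma, tau), (W, X, Y, Z)

def respond(witness, nonces, c):          # z_i = nonce + c * secret (mod q)
    kB, m, r, s = witness
    alpha, beta, gamma, tau = nonces
    return ((alpha + c * kB) % q, (beta + c * r) % q,
            (gamma + c * s) % q, (tau + c * m) % q)

def verify(M, N, stmt, comm, c, resp):    # verifier's checks a)-d)
    DB, A, B, C = stmt
    W, X, Y, Z = comm
    z1, z2, z3, z4 = resp
    return (mul(z1, P1) == add(W, mul(c, DB)) and mul(z2, M) == add(X, mul(c, A))
            and mul(z3, N) == add(Y, mul(c, B))
            and add(mul(z2 + z3, P1), mul(z4, P1)) == add(Z, mul(c, C)))

def derive_commitment(M, N, stmt, c, resp):   # W, X, Y, Z solved from (c, z_1..z_4)
    DB, A, B, C = stmt
    z1, z2, z3, z4 = resp
    return (add(mul(z1, P1), neg(mul(c, DB))), add(mul(z2, M), neg(mul(c, A))),
            add(mul(z3, N), neg(mul(c, B))),
            add(mul(z2 + z3, P1), mul(z4, P1), neg(mul(c, C))))

def prove_fs(M, N, stmt, witness):        # non-interactive proof pi_1 = (c, z_1, z_2, z_3, z_4)
    nonces, comm = commit(M, N)
    c = h2(P1, M, N, *stmt, *comm)
    return (c, *respond(witness, nonces, c))

def verify_fs(M, N, stmt, proof):         # re-derive W, X, Y, Z and check the hash
    c, *resp = proof
    return c == h2(P1, M, N, *stmt, *derive_commitment(M, N, stmt, c, resp))

def extract(c, resp, c2, resp2):          # knowledge extractor from two accepting transcripts
    inv_dc = pow((c - c2) % q, -1, q)     # same commitment (W, X, Y, Z), c != c2
    kB, r, s, m = ((a - b) * inv_dc % q for a, b in zip(resp, resp2))
    return kB, m, r, s

def simulate(M, N, stmt):                 # zero-knowledge simulator: c and z_i first, then W, X, Y, Z
    c, resp = rand_scalar(), tuple(rand_scalar() for _ in range(4))
    return derive_commitment(M, N, stmt, c, resp), c, resp

def demo():
    M, N = mul(rand_scalar(), P1), mul(rand_scalar(), P1)   # public keys of the linear encryption
    stmt, wit = make_instance(M, N)
    nonces, comm = commit(M, N)
    c = rand_scalar()
    resp = respond(wit, nonces, c)
    interactive_ok = verify(M, N, stmt, comm, c, resp)
    tampered_rejected = not verify(M, N, stmt, comm, c, ((resp[0] + 1) % q,) + resp[1:])
    fs_ok = verify_fs(M, N, stmt, prove_fs(M, N, stmt, wit))
    c2 = c % (q - 1) + 1                                     # second challenge, c2 != c
    extracted_ok = extract(c, resp, c2, respond(wit, nonces, c2)) == wit
    sim_comm, sim_c, sim_resp = simulate(M, N, stmt)
    simulated_ok = verify(M, N, stmt, sim_comm, sim_c, sim_resp)
    return interactive_ok, tampered_rejected, fs_ok, extracted_ok, simulated_ok
```

`demo()` returns five booleans, all `True`. Moving to a real group means replacing `mul`/`add`/`neg` with curve scalar multiplication, point addition and negation, and hashing into $\mathbb{Z}_q$ with full-size $q$. The extractor is also the practical warning: it needs two responses on the same $(W, X, Y, Z)$ with different challenges, so a prover that reuses $\alpha, \beta, \gamma, \tau$ across two Fiat-Shamir proofs hands its whole witness $(k_B, m, r, s)$ to anyone who sees both proofs.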

Appendix A.3. Knowledge of a solution to a $q_s$-mSDH problem - $R_{SDH}$

We propose the relation of the protocol that follows:
$$R_{SDH} = \{(G_1, G_2, P_1, P_2, q, R, \hat{u}, \hat{v}, u, v), (m, r, \sigma) \mid e(\sigma, u + m\cdot P_2 + r\cdot v) = e(R, P_2)\}$$
for $\sigma = (\gamma + m + r\mu)^{-1}\cdot R$. The joint input $(G_1, G_2, P_1, P_2, q, R, \hat{u}, \hat{v}, u, v)$ and the witness $(m, r, \sigma)$ of the prover P are used as follows:

(1) The prover P picks $\alpha, \beta \xleftarrow{R} \mathbb{Z}_q^*$ and computes $T_1 = \alpha\cdot\hat{u}$, $T_2 = \beta\cdot\hat{v}$, $T_3 = (\alpha + \beta)\cdot P_1 + \sigma$. P also computes $\delta_1 = \alpha\cdot m$, $\delta_2 = \beta\cdot m$, $\delta_3 = \alpha\cdot r$ and $\delta_4 = \beta\cdot r$.

(2) P chooses $r_\alpha, r_\beta, r_m, r_r, r_{\delta_1}, r_{\delta_2}, r_{\delta_3}$ and $r_{\delta_4}$ uniformly at random from $\mathbb{Z}_q^*$, and computes
$$R_1 = r_\alpha\cdot\hat{u},\quad R_2 = r_\beta\cdot\hat{v},\quad R_3 = e(T_3, P_2)^{r_m}\cdot e(T_3, v)^{r_r}\cdot e(P_1, u)^{-r_\alpha - r_\beta}\cdot e(P_1, P_2)^{-r_{\delta_1} - r_{\delta_2}}\cdot e(P_1, v)^{-r_{\delta_3} - r_{\delta_4}},$$
$$R_4 = r_m\cdot T_1 - r_{\delta_1}\cdot\hat{u},\quad R_5 = r_m\cdot T_2 - r_{\delta_2}\cdot\hat{v},\quad R_6 = r_r\cdot T_1 - r_{\delta_3}\cdot\hat{u},\quad R_7 = r_r\cdot T_2 - r_{\delta_4}\cdot\hat{v}.$$

(3) P sends $(T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, R_6, R_7)$ to V.

(4) V selects $c \xleftarrow{R} \mathbb{Z}_q^*$ and transmits it to P.

(5) P constructs $s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, s_{\delta_2}, s_{\delta_3}, s_{\delta_4}$ as
$$s_\alpha = r_\alpha + c\cdot\alpha,\quad s_\beta = r_\beta + c\cdot\beta,\quad s_m = r_m + c\cdot m,\quad s_r = r_r + c\cdot r,$$
$$s_{\delta_1} = r_{\delta_1} + c\cdot\delta_1,\quad s_{\delta_2} = r_{\delta_2} + c\cdot\delta_2,\quad s_{\delta_3} = r_{\delta_3} + c\cdot\delta_3,\quad s_{\delta_4} = r_{\delta_4} + c\cdot\delta_4.$$

(6) P sends $(s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, s_{\delta_2}, s_{\delta_3}, s_{\delta_4})$ to V.

(7) V accepts if all of the following hold:
(a) $s_\alpha\cdot\hat{u} = c\cdot T_1 + R_1$,
(b) $s_\beta\cdot\hat{v} = c\cdot T_2 + R_2$,
(c) $e(T_3, P_2)^{s_m}\cdot e(T_3, v)^{s_r}\cdot e(P_1, u)^{-s_\alpha - s_\beta}\cdot e(P_1, P_2)^{-s_{\delta_1} - s_{\delta_2}}\cdot e(P_1, v)^{-s_{\delta_3} - s_{\delta_4}} = \big(e(R, P_2)/e(T_3, u)\big)^c\cdot R_3$,
(d) $s_m\cdot T_1 - s_{\delta_1}\cdot\hat{u} = R_4$,
(e) $s_m\cdot T_2 - s_{\delta_2}\cdot\hat{v} = R_5$,
(f) $s_r\cdot T_1 - s_{\delta_3}\cdot\hat{u} = R_6$,
(g) $s_r\cdot T_2 - s_{\delta_4}\cdot\hat{v} = R_7$.

We describe the security of the protocol through the following three properties: completeness, soundness and zero-knowledge.

Completeness:
$$s_\alpha\cdot\hat{u} = (r_\alpha + c\cdot\alpha)\cdot\hat{u} = c\cdot(\alpha\cdot\hat{u}) + r_\alpha\cdot\hat{u} = c\cdot T_1 + R_1,$$
so a) holds. For the same reason, b) holds. Moreover,
$$s_m\cdot T_1 - s_{\delta_1}\cdot\hat{u} = (r_m + c\cdot m)\cdot(\alpha\cdot\hat{u}) - (r_{\delta_1} + c\cdot m\cdot\alpha)\cdot\hat{u} = r_m\cdot(\alpha\cdot\hat{u}) - r_{\delta_1}\cdot\hat{u} = R_4,$$
so d) holds. Analogously, e)-g) hold. Finally,
$$\begin{aligned}
&e(T_3, P_2)^{s_m}\cdot e(T_3, v)^{s_r}\cdot e(P_1, u)^{-s_\alpha - s_\beta}\cdot e(P_1, P_2)^{-s_{\delta_1} - s_{\delta_2}}\cdot e(P_1, v)^{-s_{\delta_3} - s_{\delta_4}}\\
&= e(T_3, P_2)^{r_m + c m}\cdot e(T_3, v)^{r_r + c r}\cdot e(P_1, u)^{-r_\alpha - r_\beta - c\alpha - c\beta}\cdot e(P_1, P_2)^{-r_{\delta_1} - r_{\delta_2} - c m\alpha - c m\beta}\cdot e(P_1, v)^{-r_{\delta_3} - r_{\delta_4} - c r\alpha - c r\beta}\\
&= e(T_3, P_2)^{r_m}\cdot e(T_3, v)^{r_r}\cdot e(P_1, u)^{-r_\alpha - r_\beta}\cdot e(P_1, P_2)^{-r_{\delta_1} - r_{\delta_2}}\cdot e(P_1, v)^{-r_{\delta_3} - r_{\delta_4}}\\
&\quad\cdot e(T_3 - (\alpha + \beta)P_1, u)^c\cdot e(T_3 - (\alpha + \beta)P_1, mP_2)^c\cdot e(T_3 - (\alpha + \beta)P_1, rv)^c\cdot e(T_3, u)^{-c}\\
&= e(T_3 - (\alpha + \beta)P_1, u + mP_2 + rv)^c\cdot e(T_3, u)^{-c}\cdot R_3\\
&= \big(e(\sigma, u + mP_2 + rv)/e(T_3, u)\big)^c\cdot R_3 = \big(e(R, P_2)/e(T_3, u)\big)^c\cdot R_3,
\end{aligned}$$
so c) holds.

Soundness: Given $(T_1, T_2, T_3, R_1, \ldots, R_7, c, c', s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, \ldots, s_{\delta_4}, s'_\alpha, s'_\beta, s'_m, s'_r, s'_{\delta_1}, \ldots, s'_{\delta_4})$ with $c \neq c' \bmod q$ such that both $(T_1, T_2, T_3, R_1, \ldots, R_7, c, s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, \ldots, s_{\delta_4})$ and $(T_1, T_2, T_3, R_1, \ldots, R_7, c', s'_\alpha, s'_\beta, s'_m, s'_r, s'_{\delta_1}, \ldots, s'_{\delta_4})$ are valid transcripts, we use them to compute $(m, r, \sigma)$ such that $e(\sigma, u + m\cdot P_2 + r\cdot v) = e(R, P_2)$. Since the transcripts are accepting, all seven equations a)-g) hold for both of them. For simplicity, let $\Delta c = c - c'$, $\Delta s_\alpha = s_\alpha - s'_\alpha$, and similarly for $\Delta s_\beta$, $\Delta s_m$, $\Delta s_r$, $\Delta s_{\delta_1}$, $\Delta s_{\delta_2}$, $\Delta s_{\delta_3}$ and $\Delta s_{\delta_4}$.

Now consider a) above. Subtracting the two instances, we obtain $\Delta s_\alpha\cdot\hat{u} = \Delta c\cdot T_1$, namely $\tilde{\alpha} = \Delta s_\alpha/\Delta c$. Similarly, from b) we obtain $\tilde{\beta} = \Delta s_\beta/\Delta c$.

Consider d) above. Subtracting the two instances gives $\Delta s_m\cdot T_1 = \Delta s_{\delta_1}\cdot\hat{u}$; since $T_1 = \tilde{\alpha}\cdot\hat{u}$, we obtain $\Delta s_{\delta_1} = \tilde{\alpha}\Delta s_m$. Similarly, from e)-g) we deduce that $\Delta s_{\delta_2} = \tilde{\beta}\Delta s_m$, $\Delta s_{\delta_3} = \tilde{\alpha}\Delta s_r$ and $\Delta s_{\delta_4} = \tilde{\beta}\Delta s_r$.

Finally, subtracting the two instances of c), we obtain
$$\begin{aligned}
\big(e(R, P_2)/e(T_3, u)\big)^{\Delta c} &= e(T_3, P_2)^{\Delta s_m}\cdot e(T_3, v)^{\Delta s_r}\cdot e(P_1, u)^{-\Delta s_\alpha - \Delta s_\beta}\cdot e(P_1, P_2)^{-\Delta s_{\delta_1} - \Delta s_{\delta_2}}\cdot e(P_1, v)^{-\Delta s_{\delta_3} - \Delta s_{\delta_4}}\\
&= e(T_3, P_2)^{\Delta s_m}\cdot e(T_3, v)^{\Delta s_r}\cdot e(P_1, u)^{-\Delta s_\alpha - \Delta s_\beta}\cdot e(P_1, P_2)^{-\tilde{\alpha}\Delta s_m - \tilde{\beta}\Delta s_m}\cdot e(P_1, v)^{-\tilde{\alpha}\Delta s_r - \tilde{\beta}\Delta s_r}.
\end{aligned}$$
Taking $\Delta c$-th roots, and letting $\tilde{m} = \Delta s_m/\Delta c$ and $\tilde{r} = \Delta s_r/\Delta c$, we obtain
$$e(R, P_2)/e(T_3, u) = e(T_3, P_2)^{\tilde{m}}\cdot e(T_3, v)^{\tilde{r}}\cdot e(P_1, u)^{-\tilde{\alpha} - \tilde{\beta}}\cdot e(P_1, P_2)^{-\tilde{\alpha}\tilde{m} - \tilde{\beta}\tilde{m}}\cdot e(P_1, v)^{-\tilde{\alpha}\tilde{r} - \tilde{\beta}\tilde{r}},$$
that is,
$$e(R, P_2) = e\big(T_3 - (\tilde{\alpha} + \tilde{\beta})P_1,\; u + \tilde{m}P_2 + \tilde{r}v\big).$$
Letting $\tilde{\sigma} = T_3 - (\tilde{\alpha} + \tilde{\beta})P_1$, we obtain a tuple $(\tilde{m}, \tilde{r}, \tilde{\sigma})$ satisfying the relation.

Zero-knowledge: The simulator begins by picking $R, \sigma \xleftarrow{R} G_1$ and $\alpha, \beta \xleftarrow{R} \mathbb{Z}_q^*$. It sets $T_1 = \alpha\cdot\hat{u}$, $T_2 = \beta\cdot\hat{v}$ and $T_3 = (\alpha + \beta)\cdot P_1 + \sigma$. The simulator then picks $c, s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, s_{\delta_2}, s_{\delta_3}, s_{\delta_4} \xleftarrow{R} \mathbb{Z}_q^*$ and computes
$$\begin{aligned}
R_1 &= s_\alpha\cdot\hat{u} - c\cdot T_1,\\
R_2 &= s_\beta\cdot\hat{v} - c\cdot T_2,\\
R_3 &= e(T_3, P_2)^{s_m}\cdot e(T_3, v)^{s_r}\cdot e(P_1, u)^{-s_\alpha - s_\beta}\cdot e(P_1, P_2)^{-s_{\delta_1} - s_{\delta_2}}\cdot e(P_1, v)^{-s_{\delta_3} - s_{\delta_4}}\cdot\big(e(T_3, u)/e(R, P_2)\big)^c,\\
R_4 &= s_m\cdot T_1 - s_{\delta_1}\cdot\hat{u},\\
R_5 &= s_m\cdot T_2 - s_{\delta_2}\cdot\hat{v},\\
R_6 &= s_r\cdot T_1 - s_{\delta_3}\cdot\hat{u},\\
R_7 &= s_r\cdot T_2 - s_{\delta_4}\cdot\hat{v}.
\end{aligned}$$
These values satisfy equations a)-g) by construction. Furthermore, the distributions of $R_1, R_2, R_3, R_4, R_5, R_6, R_7$ are the same as in the real view.

We remark that when using the Fiat-Shamir paradigm, P computes $c = h_4(R, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, R_6, R_7)$ and defines the proof to be $\pi_3 = (c, s_\alpha, s_\beta, s_m, s_r, s_{\delta_1}, s_{\delta_2}, s_{\delta_3}, s_{\delta_4})$ only. Then V derives
$$\begin{aligned}
\tilde{R}_1 &= s_\alpha\cdot\hat{u} - c\cdot T_1,\qquad \tilde{R}_2 = s_\beta\cdot\hat{v} - c\cdot T_2,\\
\tilde{R}_3 &= e(T_3, P_2)^{s_m}\cdot e(T_3, v)^{s_r}\cdot e(P_1, u)^{-s_\alpha - s_\beta}\cdot e(P_1, P_2)^{-s_{\delta_1} - s_{\delta_2}}\cdot e(P_1, v)^{-s_{\delta_3} - s_{\delta_4}}\cdot\big(e(T_3, u)/e(R, P_2)\big)^c,\\
\tilde{R}_4 &= s_m\cdot T_1 - s_{\delta_1}\cdot\hat{u},\qquad \tilde{R}_5 = s_m\cdot T_2 - s_{\delta_2}\cdot\hat{v},\qquad \tilde{R}_6 = s_r\cdot T_1 - s_{\delta_3}\cdot\hat{u},\qquad \tilde{R}_7 = s_r\cdot T_2 - s_{\delta_4}\cdot\hat{v},
\end{aligned}$$
and verifies the hash, i.e. checks that $c = h_4(R, T_1, T_2, T_3, \tilde{R}_1, \ldots, \tilde{R}_7)$. Moreover, we define the signature of knowledge to be $\sigma_u = (R, T_1, T_2, T_3, \pi_3)$.

Appendix A.4. Commitment

The operation of a commitment scheme involves a committer and a verifier. The joint input $(P_1, P_2, q, h_3)$ and the committed values $(D_B, c_1, \pi_1)$ of the committer C are used as follows:

Commit:
(1) C picks $t \xleftarrow{R} \mathbb{Z}_q^*$, and computes $\alpha = h_3(D_B \| c_1 \| \pi_1)$ and $\hat{c} = \alpha\cdot P_1 + t\cdot P_2$.
(2) C sends $\hat{c}$ to the verifier V.

Open:
(1) C sends $(D_B, c_1, \pi_1, t)$ to V.
(2) V computes $\hat{\alpha} = h_3(D_B \| c_1 \| \pi_1)$ and verifies $\hat{c} = \hat{\alpha}\cdot P_1 + t\cdot P_2$. If the equation holds, V accepts; otherwise, V rejects.
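The commit/open exchange above, as an added example rather than code from the paper or its authors: Python over a toy order-$q$ subgroup of $\mathbb{Z}_{1019}^*$ (an assumption standing in for the paper's group, with $k\cdot P$ as modular exponentiation), where $P_1$ and $P_2$ are two generators of that subgroup whose relative discrete logarithm is treated as unknown to everyone (for a self-contained script $P_2$ is nonetheless derived from $P_1$), $h_3$ is taken to be SHA-256 reduced mod $q$, and $(D_B, c_1, \pi_1)$ are constructed sample values; the function names are the example's own.

```python
import hashlib
import secrets

# Toy stand-in for the paper's group (assumption): order-q subgroup of Z_p^*, p = 2q + 1.
# P1 and P2 are two generators whose mutual discrete log must be unknown to the
# committer for binding; here P2 is derived from P1 only to keep the script self-contained.
p, q = 1019, 509
P1 = 4
P2 = pow(P1, 377, p)

def mul(k, P):                       # k·P
    return pow(P, k % q, p)

def add(P, Q):                       # P + Q
    return P * Q % p

def h3(DB, c1, pi1):                 # h3(DB || c1 || pi1) -> Z_q (assumed: SHA-256 based)
    data = b"||".join(repr(x).encode() for x in (DB, c1, pi1))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def commit(DB, c1, pi1):
    """Commit phase: c_hat = alpha·P1 + t·P2 with alpha = h3(DB || c1 || pi1); returns (c_hat, t)."""
    t = secrets.randbelow(q - 1) + 1
    return add(mul(h3(DB, c1, pi1), P1), mul(t, P2)), t

def open_ok(c_hat, DB, c1, pi1, t):
    """Open phase: the verifier recomputes alpha_hat and checks c_hat = alpha_hat·P1 + t·P2."""
    return c_hat == add(mul(h3(DB, c1, pi1), P1), mul(t, P2))

def demo():
    DB, c1, pi1 = 617, (88, 302), (5, 77, 401, 12, 9)      # constructed sample values
    c_hat, t = commit(DB, c1, pi1)
    honest = open_ok(c_hat, DB, c1, pi1, t)
    wrong_t = open_ok(c_hat, DB, c1, pi1, (t + 1) % q)      # other blinding: always rejected
    alt_c1 = (89, 302)
    wrong_msg = open_ok(c_hat, DB, alt_c1, pi1, t)          # rejected unless h3 collides mod q
    collided = h3(DB, alt_c1, pi1) == h3(DB, c1, pi1)
    return honest, wrong_t, wrong_msg == collided
```

`demo()` returns `(True, False, True)`: the honest opening verifies, an opening with a different blinding $t$ is rejected unconditionally, and an opening to a different $(D_B, c_1, \pi_1)$ is rejected exactly when the two $h_3$ values differ. That is the binding argument for this construction: a committer who could open $\hat{c}$ two ways would either have found an $h_3$ collision modulo $q$ or be able to compute $\log_{P_1} P_2$. With $q = 509$ a collision has probability about $1/q$, which is why these parameters are for illustration only; hiding comes from $t\cdot P_2$ masking $\alpha\cdot P_1$, so $t$ must be fresh and uniform for every commitment.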


Authors Biography:

Yan Jiang is currently working toward the Ph.D. degree at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China. His research interests include privacy-preserving protocols in network systems and clouds.

Youwen Zhu received his B.E. degree and Ph.D. degree in Computer Science from the University of Science and Technology of China, Hefei, China, in 2007 and 2012, respectively. From 2012 to 2014, he was a JSPS postdoc at Kyushu University, Japan. He is currently an Associate Professor at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, China. He has published more than 40 papers in refereed international conferences and journals, and has served as a program committee member of several international conferences. His research interests include identity authentication, information security and data privacy.

Jian Wang received his Ph.D. degree from Nanjing University in 1998. He is currently a Professor at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics. His research interests include cryptographic protocols and malicious tracking.

Yong Xiang received his B.E. and M.E. degrees from the University of Electronic Science and Technology of China, China, and his Ph.D. degree from The University of Melbourne, Australia. He is a Professor at the School of Information Technology, Deakin University, Australia. He is also the Director of the Deakin-Southwest University (SWU) Joint Research Centre on Big Data and the Director of the Deakin Blockchain Innovation Lab. He was the Associate Head of School (Research) (2013-2018) and Director of the Artificial Intelligence and Data Analytics Research Cluster (2013-2018).

Highlights:
• We propose a novel anonymous authentication protocol with key protection.
• The new protocol introduces a novel zero-knowledge proof that can provide stronger anonymity even if the server is compromised.
• The new protocol enables two devices to jointly compute an authentication key via linear encryption and zero-knowledge proofs.
• We implement our protocol and show its efficiency and suitability.

Conflict of Interest

The manuscript has not been published elsewhere and has not been submitted simultaneously for publication elsewhere. We also have no conflicts of interest to disclose.