CN110519219B - Lattice-based password authentication key exchange method and system - Google Patents

Lattice-based password authentication key exchange method and system

Info

Publication number: CN110519219B
Application number: CN201910610724.0A
Authority: CN (China)
Other versions: CN110519219A (en)
Other languages: Chinese (zh)
Prior art keywords: value, server, client, ring, gamma
Inventors: 杨颖珊, 顾小卓, 王斌
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS; priority to CN201910610724.0A; publication of CN110519219A; application granted; publication of CN110519219B
Legal status: Active
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a lattice-based password authentication key exchange method and a lattice-based password authentication key exchange system. The invention uses the error coordination mechanism AKC: when the two parties exchange the information seed, y_C and y_S, they respectively calculate two approximate values σ_C and σ_S from this information, from which the same coordination value can be coordinated for subsequent authentication and session key derivation. The signal value generated by AKC is independent of the coordination value, and the coordination value is uniformly distributed, so that information about the coordination value cannot be deduced from the signal value even if an adversary obtains the signal value, which ensures the security of the scheme. The invention greatly improves the response efficiency of the server and makes the scheme better suited to the high-concurrency situation in which a large number of clients connect to the server at the same time.

Description

Lattice-based password authentication key exchange method and system
Technical Field
The invention belongs to the technical field of passwords, and relates to a password authentication key exchange method and system based on lattices.
Background
Since most public key cryptographic algorithms are slower than symmetric cryptographic algorithms, key exchange remains an important issue in secure communication. At the same time, authentication is required to prevent attacks such as impersonation, tampering and repudiation during communication. Combining authentication with key exchange gives an authenticated key exchange protocol: the identity of the communicating party is authenticated first, and, on the basis of successful authentication, a session key is generated for the subsequent secure communication.
Password authenticated key exchange refers to protocol participants establishing a common session key from a shared low-entropy, easy-to-remember password, so as to communicate securely over an insecure channel. The password serves as the long-term key of the protocol participants and is used for mutual authentication of the two parties and establishment of the session key, provided the password has not been leaked or stolen. Because a low-entropy password is used for identity verification, password authenticated key exchange avoids extra equipment and public key infrastructure, does not need to communicate with a trusted third party, and relies on direct trust between the server and the client, which makes the authentication process more flexible and simpler. It is a very practical kind of key exchange protocol with broad application prospects.
With the development of quantum computers, many cryptographic primitives may be threatened by quantum adversaries. This makes cryptographic protocols that resist quantum computer attacks, known as post-quantum cryptography, a research focus. Lattices are one of the most common mathematical tools for constructing post-quantum cryptography. The Ring-LWE problem on ideal lattices is more general and efficient than other hardness assumptions. Define the integer coefficient polynomial ring
Figure BDA0002122148380000011
where n represents the dimension of the polynomial and is a power of 2, q is a positive integer, and let χ be a distribution over R_q. Choose a uniformly at random from R_q, and choose the secret s and the error e according to the distribution χ; an instance of the Ring-LWE problem is then (a, b = as + e) ∈ R_q × R_q.
The Ring-LWE problem introduces an error term, so the two communicating parties can only compute approximately equal values; handling this error therefore becomes an important problem for lattice-based cryptographic schemes. One approach is an error coordination mechanism, similar to a fuzzy extractor, which extracts the same coordination value from approximately equal values. The asymmetric key consensus AKC is such an error coordination mechanism; it comprises two functions, (k_1, v) ← Con(σ_1, params) and k_2 ← Rec(σ_2, v, params), wherein
Figure BDA0002122148380000012
(q, t, g, d, aux) denotes the relevant parameters, (q, t, g, d) are all positive integers satisfying 2 ≤ t, g ≤ q and
Figure BDA0002122148380000013
aux is an auxiliary parameter determined by (q, t, g, d), which may be set to null,
Figure BDA0002122148380000014
is the signal value that assists the coordination, and
Figure BDA0002122148380000021
is the coordination value; when |σ_1 − σ_2|_q ≤ d, k_1 = k_2. If the parameters of AKC satisfy (2d+1)t < q(1 − t/g), AKC is correct and secure, and v is independent of k_1. The specific procedure is as follows; Con and Rec are extended to polynomials by applying them separately to each coefficient of the polynomial:
Con(σ_1, params): input σ_1 and params; from
Figure BDA0002122148380000022
randomly select k_1, calculate
Figure BDA0002122148380000023
and output v.
Rec(σ_2, v, params): input σ_2, v and params, calculate
Figure BDA0002122148380000024
and output k_2.
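Worked example, added here and not part of the patent text or of any implementation by its authors: a coefficient-wise AKC Con/Rec pair over Z_q together with the parameter condition stated above, exercised with the concrete parameters the description gives further down (q = 12289, t = 2, g = 64, for which it reports a maximum d of 2975). The Rec rule is the one the description writes for the client, k = ⌊t(v/g − σ_2/q)⌉ mod t. The Con rule used here, v = ⌊g(σ_1/q + k_1/t)⌉ mod g, is an assumption (the standard AKCN rule that inverts that Rec), because the page's own Con formula survives only as an image; all function names and the sampled σ_1 values are the example's own.

```python
# Added example (not the patent's code): AKC Con/Rec over Z_q and the parameter condition.
# Assumption: Con is v = round(g(sigma1/q + k1/t)) mod g, the usual AKCN rule that inverts the
# Rec formula the description states; exact integer arithmetic throughout, ties rounding up.

def round_div(num: int, den: int) -> int:
    """round(num/den) to the nearest integer (ties up); den must be positive."""
    return (2 * num + den) // (2 * den)

def con(sigma1: int, k1: int, q: int, t: int, g: int) -> int:
    """Con(sigma_1, params) with the random k_1 in Z_t supplied by the caller; returns the signal v."""
    return round_div(g * (sigma1 * t + k1 * q), q * t) % g

def rec(sigma2: int, v: int, q: int, t: int, g: int) -> int:
    """Rec(sigma_2, v, params): k_2 = round(t(v/g - sigma_2/q)) mod t."""
    return round_div(t * (v * q - sigma2 * g), g * q) % t

def con_poly(sigma, ks, q, t, g):
    """Polynomial extension: Con applied to each coefficient (ks holds one k_1 per coefficient)."""
    return [con(s, k, q, t, g) for s, k in zip(sigma, ks)]

def rec_poly(sigma, vs, q, t, g):
    """Polynomial extension of Rec, coefficient by coefficient."""
    return [rec(s, v, q, t, g) for s, v in zip(sigma, vs)]

def akc_params_ok(q: int, t: int, g: int, d: int) -> bool:
    """2 <= t, g <= q and (2d+1)t < q(1 - t/g), multiplied through by g to stay in integers."""
    return 2 <= t <= q and 2 <= g <= q and (2 * d + 1) * t * g < q * (g - t)

def max_d(q: int, t: int, g: int) -> int:
    """Largest d admitted by the condition; the description reports 2975 for q=12289, t=2, g=64."""
    d = 0
    while akc_params_ok(q, t, g, d + 1):
        d += 1
    return d

def always_recovers(q, t, g, d, sigma1_values) -> bool:
    """Correctness claim: Rec returns k_1 for every listed sigma_1, every k_1 in Z_t and
    every sigma_2 with |sigma_1 - sigma_2|_q <= d."""
    for s1 in sigma1_values:
        for k1 in range(t):
            v = con(s1, k1, q, t, g)
            if any(rec((s1 + delta) % q, v, q, t, g) != k1 for delta in range(-d, d + 1)):
                return False
    return True

def smallest_failing_offset(q, t, g, d, sigma1_values, limit=None):
    """Smallest offset beyond d at which Rec misreads k_1 for some listed sigma_1, i.e. how
    much slack the bound leaves; None if no failure occurs up to limit."""
    limit = limit if limit is not None else d + q // t
    best = limit + 1
    for s1 in sigma1_values:
        for k1 in range(t):
            v = con(s1, k1, q, t, g)
            for delta in range(d + 1, best):
                if rec((s1 + delta) % q, v, q, t, g) != k1:
                    best = delta
                    break
    return best if best <= limit else None

if __name__ == "__main__":
    q, t, g = 12289, 2, 64
    d = max_d(q, t, g)
    print("max d:", d, "condition holds:", akc_params_ok(q, t, g, d))
    print("recovers within d:", always_recovers(q, t, g, d, range(0, q, 389)))
    print("first failing offset:", smallest_failing_offset(q, t, g, d, range(0, q, 3)))
```

Run as a script it confirms the reported d = 2975 for these parameters, checks that Rec never misreads k_1 inside the bound, and reports the smallest offset beyond d at which some σ_1 fails (2977 here), which is the practical meaning of "d is chosen as large as possible while keeping (2d+1)t < q(1 − t/g)".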
At present there are relatively few lattice-based password authenticated key exchange protocols. Most of them are based on a CRS and, in order to achieve security in the standard model, often need complex cryptographic components, so their efficiency is not high. The ROM-based approach allows a simpler and more efficient protocol design, but the existing constructions lose performance and security because the analysis of the error coordination mechanism is not tight enough. In addition, when a large number of clients connect to the server at the same time under high concurrency, the load on the server is heavy, and the existing post-quantum password authenticated key exchange schemes are not efficient enough to be applied in this scenario.
Disclosure of Invention
In view of the technical problems in the prior art, the invention aims to provide a lattice-based password authentication key exchange method and a lattice-based password authentication key exchange system, so that communication participants can negotiate a common session key over an insecure channel and authenticate each other by means of a low-entropy password; this key is then used with symmetric ciphers to establish a secure communication channel.
First, in order to improve the efficiency and practicality of password authenticated key exchange in the client-server setting, the invention provides an efficient password authenticated key exchange method that considers security and performance together, gives a concrete parameter selection, further improves the security strength of the protocol, and at the same time reduces the size of the transmitted messages. The method is not constructed from a CRS, so the inefficiency caused by the complex cryptographic components of CRS constructions is avoided, and the method is simpler and more efficient. In the authentication process the client holds the low-entropy password and the server holds its hash value; when the two match, both sides can compute the same verification value, the client and the server authenticate successfully, and a consistent session key is obtained for subsequent secret communication.
The technical scheme of the invention is as follows:
a lattice-based password authentication key exchange method includes the steps of:
1) the client C randomly selects a seed and generates the common parameter a, then chooses a secret s_C and an error e_C from the central binomial distribution on the ring R_q, calculates y_C = a s_C + e_C, γ = H_1(pw_C), m = y_C + γ, and then sends <C_id, m, seed> to the server S; wherein pw_C is the password of client C;
2) after the server S receives the message <C_id, m, seed> sent by the client C, it first checks m; if m is not in the ring R_q, the protocol is terminated; otherwise the common parameter a is generated from the seed, and the secret s_S and the errors e_S, e_σ are chosen from the central binomial distribution on the ring R_q; then y_S = a s_S + e_S, y_C = m + γ′, σ_S = y_C s_S + e_σ are calculated, and σ_S is coordinated to obtain the coordination value k_σ and the signal value v; then the verification value k = H_2(C_id, S_id, m, y_S, k_σ, γ′) and the verification value k″ = H_3(C_id, S_id, m, y_S, k_σ, γ′) are calculated, and <y_S, v, k> is sent to the client C; wherein the ring R_q is an integer coefficient polynomial ring, and γ′ is the hash value of the password of client C held by the server S; for l ∈ {2,3,4}, the hash function H_l: {0,1}* → {0,1}^λ, where λ denotes the bit length of the final shared session key, H_2 and H_3 are used for verification, H_4 for key derivation, and C_id represents the client identity;
3) after the client C receives the message <y_S, v, k>, it first checks y_S; if y_S is not in the ring R_q, the protocol terminates; otherwise σ_C = y_S s_C is calculated, and the coordination function Rec(σ_C, v) is called to obtain the coordination value k′_σ = ⌊t(v/g − σ_2/q)⌉ mod t; then γ′ = γ is set, and H_2(C_id, S_id, m, y_S, k_σ, γ′) is compared with k; if they are not identical the protocol is terminated, otherwise k′ = H_3(C_id, S_id, m, y_S, k′_σ, γ′) is calculated, the final session key sk_C = H_4(C_id, S_id, m, y_S, k′_σ, γ′) is obtained, and k′ is sent to the server S; wherein 2 ≤ t, g ≤ q and
Figure BDA0002122148380000031
S_id is the identifier of the server S, and g, q, d and t are positive integers;
4) the server S verifies whether k′ is equal to k″, and if so, calculates the final session key sk_S = H_4(C_id, S_id, m, y_S, k_σ, γ′).
A lattice-based password authentication key exchange system, characterized by comprising a server and a plurality of clients; wherein
the server S is configured to receive the message <C_id, m, seed> sent by the client C and check m; if m is not in the ring R_q, the protocol is terminated; otherwise the common parameter a is generated from the seed, and the secret s_S and the errors e_S, e_σ are chosen from the central binomial distribution on the ring R_q; then y_S = a s_S + e_S, y_C = m + γ′, σ_S = y_C s_S + e_σ are calculated, and σ_S is coordinated to obtain the coordination value k_σ and the signal value v; the verification value k = H_2(C_id, S_id, m, y_S, k_σ, γ′) and the verification value k″ = H_3(C_id, S_id, m, y_S, k_σ, γ′) are then calculated, and <y_S, v, k> is sent to the client C; and the server S receives k′ sent by the client and verifies whether k′ is equal to k″, and if so calculates the final session key sk_S = H_4(C_id, S_id, m, y_S, k_σ, γ′);
the client C is configured to randomly select a seed and generate the common parameter a, then choose a secret s_C and an error e_C from the central binomial distribution on the ring R_q, calculate y_C = a s_C + e_C, γ = H_1(pw_C), m = y_C + γ, and then send <C_id, m, seed> to the server S; and, after receiving the message <y_S, v, k>, check whether y_S is in the ring R_q; if y_S is not in the ring R_q the protocol terminates; otherwise σ_C = y_S s_C is calculated, and the coordination function Rec(σ_C, v) is called to obtain the coordination value
Figure BDA0002122148380000032
then γ′ = γ is set, and H_2(C_id, S_id, m, y_S, k_σ, γ′) is compared with k; if they are not identical the protocol is terminated, otherwise k′ = H_3(C_id, S_id, m, y_S, k′_σ, γ′) is calculated, the final session key sk_C = H_4(C_id, S_id, m, y_S, k′_σ, γ′) is obtained, and k′ is sent to the server S;
wherein pw_C is the password of client C, the ring R_q is an integer coefficient polynomial ring, and γ′ is the hash value of the password of client C held by the server S; for l ∈ {2,3,4}, the hash function H_l: {0,1}* → {0,1}^λ, where λ denotes the bit length of the final shared session key, H_2 and H_3 are used for verification and H_4 for key derivation; 2 ≤ t, g ≤ q and
Figure BDA0002122148380000041
C_id represents the client identity, and g, q, d and t are positive integers.
Further, the server S randomly selects k_σ from
Figure BDA0002122148380000042
and calculates
Figure BDA0002122148380000043
to obtain the coordination value k_σ and the signal value v.
Further, |σ_C − σ_S|_q = |e_S s_C − e_C s_S − e_σ|_q ≤ d and (2d+1)t < q(1 − t/g).
Further, the server S generates the common parameter a using the pseudo-random generator Gen and the seed; if the output value a of Gen is greater than or equal to 5q, a is regenerated; otherwise q is subtracted from the currently generated a in a loop until the updated value a is less than or equal to q, and the final result is taken as the common parameter a.
Further, the central binomial distribution is obtained by calculating
Figure BDA0002122148380000044
wherein x_i and x_i′ are uniformly distributed independent bits.
The method is constructed on the Ring-LWE hardness problem on ideal lattices, so it resists quantum adversaries and is secure in a quantum setting. The scheme is proven secure in the BPR model, resists security threats such as dictionary attacks and session key loss, and provides forward secrecy.
By using the error coordination mechanism AKC, when the two parties exchange the information seed, y_C and y_S, they respectively calculate two approximate values σ_C and σ_S from this information, from which the same coordination value can be coordinated for subsequent authentication and session key derivation. The signal value generated by AKC is independent of the coordination value, and the coordination value is uniformly distributed, so that information about the coordination value cannot be deduced from the signal value even if an adversary obtains the signal value, which ensures the security of the scheme. By increasing the parameter m, the number of bits obtained from a single coordination can be increased without significantly degrading performance. This property of AKC allows the server to pre-compute part of the intermediate results in idle time, store them, and use them directly when interacting with a client, which reduces the load on the server, improves its response efficiency, and makes the scheme better suited to the high-concurrency situation in which a large number of clients connect to the server at the same time.
By regenerating the public parameters every time, the implanting of trapdoors in the public parameters is prevented, and so is an all-for-the-price-of-one attack, in which an adversary, when the security of the scheme depends on a single instance, finds a good enough lattice basis and breaks the communication. At each connection a small seed is randomly chosen anew and expanded into the required public parameters by a pseudo-random generator. Noise is sampled from the central binomial distribution; samplers for this distribution can be implemented efficiently in software and hardware, this choice does not noticeably affect the security of the scheme, it avoids the inefficiency of high-precision sampling from a Gaussian distribution, and it also helps prevent timing attacks.
Drawings
FIG. 1 is a schematic diagram of a lattice-based password authentication key exchange method according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings.
Gen is a pseudo-random generator that expands a small seed into an element of the ring R_q; H_1 to H_4 denote four different hash functions, H_1: {0,1}* → R_q, and for l ∈ {2,3,4}, H_l: {0,1}* → {0,1}^λ, where λ denotes the bit length of the final shared session key, H_2 and H_3 are used for verification and H_4 for key derivation. In a specific implementation, H_1 can be instantiated with an XOF such as SHAKE-128, and H_l can be instantiated separately with a hash function such as SHA3-256, e.g. H_l(x) = SHA3-256(x, l), l ∈ {2,3,4}. ψ_b denotes the central binomial distribution on the ring R_q, with standard deviation
Figure BDA0002122148380000051
Client C holds the password pw_C. After obtaining the server identifier S_id, it randomly selects a seed, generates the common parameter a with the pseudo-random generator Gen, chooses a secret s_C and an error e_C from the central binomial distribution on the ring R_q, calculates y_C = a s_C + e_C, γ = H_1(pw_C), m = y_C + γ, and sends <C_id, m, seed> to the server S, where C_id represents the client identity. The flow of the method of the invention is shown in FIG. 1, and the steps comprise:
1) the server S holds the hash value γ′ = H_1(pw_C) of the client password. After receiving the message <C_id, m, seed> sent by client C, it first checks m; if m is not in the ring R_q, the protocol is terminated; otherwise the common parameter a is generated with the pseudo-random generator Gen and the seed, the secret s_S and the errors e_S, e_σ are chosen according to the central binomial distribution on the ring R_q, y_S = a s_S + e_S, y_C = m + γ′, σ_S = y_C s_S + e_σ are calculated, and σ_S is coordinated with the function Con, i.e. from
Figure BDA0002122148380000052
(i.e. the small non-negative integers less than t) n values are randomly selected as the n coefficients of the polynomial k_σ, i.e.
Figure BDA0002122148380000053
and for each coefficient
Figure BDA0002122148380000054
is calculated, finally obtaining the coordination value k_σ and the signal value v = (v_1, ..., v_n); separately, the verification value k = H_2(C_id, S_id, m, y_S, k_σ, γ′) and the verification value k″ = H_3(C_id, S_id, m, y_S, k_σ, γ′) are calculated, and <y_S, v, k> is sent to the client C.
2) After the client receives the message <y_S, v, k>, it first checks y_S; if y_S is not in the ring R_q, the protocol terminates; otherwise σ_C = y_S s_C is calculated and the coordination function Rec(σ_C, v) is called to obtain the coordination value
Figure BDA0002122148380000061
γ′ = γ is set, and H_2(C_id, S_id, m, y_S, k_σ, γ′) is compared with k; if they are not identical the protocol is terminated, otherwise k′ = H_3(C_id, S_id, m, y_S, k′_σ, γ′) is calculated, the final session key is sk_C = H_4(C_id, S_id, m, y_S, k′_σ, γ′), and k′ is sent to the server S.
3) The server verifies whether k′ is equal to k″; if not, the protocol is terminated, otherwise the final session key sk_S = H_4(C_id, S_id, m, y_S, k_σ, γ′) is calculated.
Client C holds the password pw_C and the server holds the hash value of the password. 1) Authentication of the server: when sending its message, the client adds the hash value of the password to the original message, and only a server that stores the corresponding hash value can recover the correct original message. If the server does not have the hash value of the password, it cannot compute the correct original message, the subsequent verification value k will differ from the value H_2(C_id, S_id, m, y_S, k_σ, γ′) computed by the client, authentication of the server fails, and the protocol terminates. 2) Authentication of the client: when the password held by the client does not correspond to the hash value stored by the server, the k′ calculated by the client will not coincide with the k″ calculated by the server, authentication of the client fails, and the protocol terminates.
When |σ_C − σ_S|_q = |e_S s_C − e_C s_S − e_σ|_q ≤ d, the client and the server obtain the same coordination value k_σ and the protocol executes correctly according to the flow; if the passwords of the two parties match the password hash value and authentication completes successfully, the values (C_id, S_id, m, y_S, k_σ, γ′) held by the communicating parties are completely identical, the obtained session keys satisfy sk_C = sk_S, the key exchange succeeds, and the two parties can use the obtained session key for subsequent communication. The error rate is related to the selected parameters: on one hand, the parameters need to satisfy 2 ≤ t, g ≤ q,
Figure BDA0002122148380000062
and (2d+1)t < q(1 − t/g), which ensures the correctness and security of AKC; on the other hand, d is chosen as large as possible so that the error rate of the whole scheme is as low as possible. When the standard deviation is chosen as
Figure BDA0002122148380000063
the dimension n = 1024, the modulus q = 12289, and the AKC-related parameters t = 2 and g = 64, the maximum d satisfying the condition is calculated to be 2975, and from |e_S s_C − e_C s_S − e_σ|_q a scheme error rate of 2^-41 is obtained, which is sufficient for most key exchange scenarios.
Regenerating the common parameters every session has a slight performance impact. To minimize the performance loss, the invention does not transmit the common parameter a but only the seed used to generate it, and assumes that the generated a is directly in the NTT domain, which reduces the number of NTT computations. Meanwhile, the invention adopts the following measure to reduce the rejection rate when sampling a and so speed up its generation: when expanding the small seed into the common parameter a, if an output value of Gen is greater than or equal to 5q, the value is rejected and regenerated; otherwise q is subtracted from the value in a loop until it lies within q, and the result is taken as a coefficient of the common parameter. The central binomial distribution ψ_k can be obtained by calculating
Figure BDA0002122148380000071
where x_i and x_i′ are uniformly distributed independent bits.
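Worked example, added here and not part of the patent or of any implementation by its authors: one end-to-end run of the protocol steps described above (client message, server round with Con, client verification with Rec and H_2, server verification of k′), including the seed expansion with the 5q rejection rule and the central binomial sampler from the two preceding paragraphs, and a second run with a mismatched password to show the client-side authentication failure described above. The example's own assumptions, none of which the text fixes: n = 256 instead of 1024 so that schoolbook multiplication suffices without an NTT (q = 12289, t = 2, g = 64 as in the description); ψ_8 noise; H_1 realized as SHAKE-128 expanded into R_q with the same rejection rule as Gen; H_l(x) = SHA3-256(x ∥ l); a length-prefixed byte encoding of the hash inputs; the Con rule v = ⌊g(σ/q + k/t)⌉ mod g that inverts the stated Rec rule; and recovery of y_C on the server as m − γ′, which inverts m = y_C + γ (the description writes y_C = m + γ′). All names (gen_a, sample_noise, run_protocol and so on) are hypothetical.

```python
import hashlib
import hmac
import secrets

N, Q, T, G = 256, 12289, 2, 64   # q, t, g as in the description; n reduced from 1024 for speed
K_NOISE = 8                      # psi_8: sum of 8 differences of uniform bits

def gen_a(seed: bytes) -> list:
    """Gen: SHAKE-128 -> 16-bit words; reject words >= 5q, bring the rest into [0, q) by subtracting q."""
    words = hashlib.shake_128(seed).digest(8 * N)   # 1024 words for 256 coefficients (~6% rejected)
    coeffs = []
    for i in range(0, len(words), 2):
        w = int.from_bytes(words[i:i + 2], "big")
        if w < 5 * Q:
            while w >= Q:
                w -= Q
            coeffs.append(w)
    assert len(coeffs) >= N, "XOF output exhausted"
    return coeffs[:N]

def sample_noise() -> list:
    """Central binomial psi_k: each coefficient is the sum over k bit pairs of (x_i - x_i')."""
    out = []
    for _ in range(N):
        bits = secrets.randbits(2 * K_NOISE)
        x, x_p = bits & ((1 << K_NOISE) - 1), bits >> K_NOISE
        out.append((bin(x).count("1") - bin(x_p).count("1")) % Q)
    return out

def poly_mul(a: list, b: list) -> list:
    """Schoolbook product in Z_q[x]/(x^n + 1); an NTT would replace this at n = 1024."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            acc[i + j] += ai * bj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]   # reduce using x^n = -1

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def in_ring(p): return len(p) == N and all(0 <= c < Q for c in p)
def round_div(num, den): return (2 * num + den) // (2 * den)   # nearest integer, ties up

def con(sigma: list):
    """AKC Con per coefficient: k_sigma uniform in Z_t^n, v_i = round(g(sigma_i/q + k_i/t)) mod g."""
    k_sigma = [secrets.randbelow(T) for _ in range(N)]
    return k_sigma, [round_div(G * (s * T + k * Q), Q * T) % G for s, k in zip(sigma, k_sigma)]

def rec(sigma: list, v: list) -> list:
    """AKC Rec per coefficient, the description's rule: k_i = round(t(v_i/g - sigma_i/q)) mod t."""
    return [round_div(T * (vi * Q - s * G), G * Q) % T for s, vi in zip(sigma, v)]

def encode(parts) -> bytes:
    """Length-prefixed encoding of byte strings and coefficient lists for the hash inputs."""
    raws = [p if isinstance(p, bytes) else b"".join(c.to_bytes(2, "big") for c in p) for p in parts]
    return b"".join(len(r).to_bytes(4, "big") + r for r in raws)

def H1(pw: bytes) -> list: return gen_a(b"H1|" + pw)   # H_1: {0,1}* -> R_q via SHAKE-128 (domain-separated)
def Hl(l: int, *parts) -> bytes: return hashlib.sha3_256(encode(parts) + bytes([l])).digest()  # H_l = SHA3-256(x, l)

def client_start(pw: bytes, cid: bytes, sid: bytes):
    """Client: y_C = a s_C + e_C, m = y_C + H_1(pw); send <C_id, m, seed>."""
    seed, s_c, e_c, gamma = secrets.token_bytes(32), sample_noise(), sample_noise(), H1(pw)
    m = poly_add(poly_add(poly_mul(gen_a(seed), s_c), e_c), gamma)
    return {"s_c": s_c, "m": m, "gamma": gamma, "cid": cid, "sid": sid}, (cid, m, seed)

def server_respond(gamma_prime: list, sid: bytes, msg):
    """Step 1: check m, recover y_C, coordinate sigma_S, compute k and k''; send <y_S, v, k>."""
    cid, m, seed = msg
    if not in_ring(m):
        return None, None
    s_s, e_s, e_sigma = sample_noise(), sample_noise(), sample_noise()
    y_s = poly_add(poly_mul(gen_a(seed), s_s), e_s)
    y_c = poly_sub(m, gamma_prime)                    # inverts m = y_C + gamma (example's reading)
    k_sigma, v = con(poly_add(poly_mul(y_c, s_s), e_sigma))
    args = (cid, sid, m, y_s, k_sigma, gamma_prime)
    return {"k_dprime": Hl(3, *args), "sk": Hl(4, *args)}, (y_s, v, Hl(2, *args))

def client_finish(state: dict, msg):
    """Step 2: check y_S, Rec with sigma_C = y_S s_C, verify k (server auth); return (sk_C, k')."""
    y_s, v, k = msg
    if not in_ring(y_s):
        return None, None
    k_sigma = rec(poly_mul(y_s, state["s_c"]), v)
    args = (state["cid"], state["sid"], state["m"], y_s, k_sigma, state["gamma"])  # gamma' := gamma
    if not hmac.compare_digest(Hl(2, *args), k):
        return None, None
    return Hl(4, *args), Hl(3, *args)

def server_finish(state: dict, k_prime: bytes):
    """Step 3: client auth; derive sk_S only if k' == k''."""
    return state["sk"] if hmac.compare_digest(k_prime, state["k_dprime"]) else None

def run_protocol(client_pw: bytes, server_gamma: list, cid=b"client-1", sid=b"server-1"):
    """Whole exchange; returns (sk_C, sk_S), with None for a party that aborted."""
    st_c, msg1 = client_start(client_pw, cid, sid)
    st_s, msg2 = server_respond(server_gamma, sid, msg1)
    sk_c, k_prime = client_finish(st_c, msg2) if st_s else (None, None)
    return sk_c, (server_finish(st_s, k_prime) if sk_c else None)
```

Calling run_protocol(pw, H1(pw)) returns two equal 32-byte keys; calling it with a different client password returns (None, None), because the server recovers a wrong y_C, its k_σ and γ′ no longer match the client's, and the client's H_2 check rejects k before anything is sent back. The ring-membership checks on m and y_S are the protocol's own defensive step and are kept here, and the verification values are compared in constant time.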
In Ring-LWE based schemes, polynomial computation is the most time-consuming operation. The invention selects the dimension n = 1024, which is a suitable choice for long-term security and performance. The modulus q = 12289 is the smallest prime satisfying q ≡ 1 mod 2n, so polynomial multiplication can be accelerated with the NTT, which greatly improves the calculation speed. Meanwhile, the smaller modulus makes the polynomials smaller, which reduces the communication overhead of the protocol. Since the security level increases with the noise-to-modulus ratio, selecting a small modulus increases the security strength while also increasing compactness and efficiency.
Although specific details of the invention, algorithms and figures are disclosed for illustrative purposes, these are intended to aid in the understanding of the contents of the invention and the implementation in accordance therewith, as will be appreciated by those skilled in the art: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed herein, but rather should be defined only by the scope of the appended claims.

Claims (10)

1. A lattice-based password authentication key exchange method includes the steps of:
1) the client C randomly selects a seed and generates the common parameter a, then chooses a secret s_C and an error e_C from the central binomial distribution on the ring R_q, calculates y_C = a s_C + e_C, γ = H_1(pw_C), m = y_C + γ, and then sends <C_id, m, seed> to the server S; wherein pw_C is the password of client C;
2) after the server S receives the message <C_id, m, seed> sent by the client C, it first checks m; if m is not in the ring R_q, the protocol is terminated; otherwise the common parameter a is generated from the seed, and the secret s_S and the errors e_S, e_σ are chosen from the central binomial distribution on the ring R_q; then y_S = a s_S + e_S, y_C = m + γ′, σ_S = y_C s_S + e_σ are calculated, and σ_S is coordinated to obtain the coordination value k_σ and the signal value v; then the verification value k = H_2(C_id, S_id, m, y_S, k_σ, γ′) and the verification value k″ = H_3(C_id, S_id, m, y_S, k_σ, γ′) are calculated, and <y_S, v, k> is sent to the client C; wherein the ring R_q is an integer coefficient polynomial ring, and γ′ is the hash value of the password of client C held by the server S; for l ∈ {2,3,4}, the hash function H_l: {0,1}* → {0,1}^λ, where λ denotes the bit length of the final shared session key, H_2 and H_3 are used for verification, H_4 for key derivation, and C_id represents the client identity;
3) after the client C receives the message <y_S, v, k>, it first checks y_S; if y_S is not in the ring R_q, the protocol terminates; otherwise σ_C = y_S s_C is calculated, and the coordination function Rec(σ_C, v) is called to obtain the coordination value
Figure RE-FDA0002122148370000011
then γ′ = γ is set, and H_2(C_id, S_id, m, y_S, k_σ, γ′) is compared with k; if they are not identical the protocol is terminated, otherwise k′ = H_3(C_id, S_id, m, y_S, k′_σ, γ′) is calculated, the final session key sk_C = H_4(C_id, S_id, m, y_S, k′_σ, γ′) is obtained, and k′ is sent to the server S; wherein 2 ≤ t, g ≤ q and
Figure RE-FDA0002122148370000012
S_id is the identifier of the server S, and g, q, d and t are positive integers;
4) the server S verifies whether k′ is equal to k″, and if so, calculates the final session key sk_S = H_4(C_id, S_id, m, y_S, k_σ, γ′).
2. The method of claim 1, wherein in step 1), σ_S is coordinated by the following method: from
Figure RE-FDA0002122148370000014
randomly select k_σ and calculate
Figure RE-FDA0002122148370000013
to obtain the coordination value k_σ and the signal value v.
3. The method of claim 1, wherein |σ_C − σ_S|_q = |e_S s_C − e_C s_S − e_σ|_q ≤ d and (2d+1)t < q(1 − t/g).
4. The method of claim 1, wherein in step 1), the common parameter a is generated using a pseudo-random generator Gen and the seed; if the output value a of Gen is greater than or equal to 5q, a is regenerated; otherwise q is subtracted from the currently generated a in a loop until the updated value a is less than or equal to q, and the final result is taken as the common parameter a.
5. The method of claim 1, characterized by calculating
Figure RE-FDA0002122148370000021
to obtain the central binomial distribution; wherein x_i and x_i′ are uniformly distributed independent bits.
6. A lattice-based password authentication key exchange system, characterized by comprising a server and a plurality of clients; wherein
the server S is configured to receive the message <C_id, m, seed> sent by the client C and check m; if m is not in the ring R_q, the protocol is terminated; otherwise the common parameter a is generated from the seed, and the secret s_S and the errors e_S, e_σ are chosen from the central binomial distribution on the ring R_q; then y_S = a s_S + e_S, y_C = m + γ′, σ_S = y_C s_S + e_σ are calculated, and σ_S is coordinated to obtain the coordination value k_σ and the signal value v; the verification value k = H_2(C_id, S_id, m, y_S, k_σ, γ′) and the verification value k″ = H_3(C_id, S_id, m, y_S, k_σ, γ′) are then calculated, and <y_S, v, k> is sent to the client C; and the server S receives k′ sent by the client and verifies whether k′ is equal to k″, and if so calculates the final session key sk_S = H_4(C_id, S_id, m, y_S, k_σ, γ′);
the client C is configured to randomly select a seed and generate the common parameter a, then choose a secret s_C and an error e_C from the central binomial distribution on the ring R_q, calculate y_C = a s_C + e_C, γ = H_1(pw_C), m = y_C + γ, and then send <C_id, m, seed> to the server S; and, after receiving the message <y_S, v, k>, check whether y_S is in the ring R_q; if y_S is not in the ring R_q the protocol terminates; otherwise σ_C = y_S s_C is calculated, and the coordination function Rec(σ_C, v) is called to obtain the coordination value
Figure RE-FDA0002122148370000022
then γ′ = γ is set, and H_2(C_id, S_id, m, y_S, k_σ, γ′) is compared with k; if they are not identical the protocol is terminated, otherwise k′ = H_3(C_id, S_id, m, y_S, k′_σ, γ′) is calculated, the final session key sk_C = H_4(C_id, S_id, m, y_S, k′_σ, γ′) is obtained, and k′ is sent to the server S;
wherein pw_C is the password of client C, the ring R_q is an integer coefficient polynomial ring, and γ′ is the hash value of the password of client C held by the server S; for l ∈ {2,3,4}, the hash function H_l: {0,1}* → {0,1}^λ, where λ denotes the bit length of the final shared session key, H_2 and H_3 are used for verification and H_4 for key derivation; 2 ≤ t, g ≤ q and
Figure RE-FDA0002122148370000025
C_id represents the client identity, and g, q, d and t are positive integers.
7. The system of claim 6, wherein the server S randomly selects k_σ from
Figure RE-FDA0002122148370000023
and calculates
Figure RE-FDA0002122148370000024
to obtain the reconciliation value k_σ and the signal value v.
8. The system of claim 6, wherein |σ_C − σ_S|_q = |e_S·s_C − e_C·s_S − e_σ|_q ≤ d and (2d+1)·t < q(1 − t/g).
9. The system of claim 6, wherein the server S generates the common parameter a using a pseudo-random generator Gen and a seed; if the output value a of Gen is greater than or equal to 5q, a is regenerated; otherwise q is repeatedly subtracted from the currently generated a until the updated value a is less than or equal to q, and the final result is taken as the common parameter a.
10. The system of claim 6, wherein the centered binomial distribution is obtained by calculating
Figure RE-FDA0002122148370000031
wherein x_i and x_i' are independent uniform bits.
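As an added worked example (not code from the patent or its authors), the Python walk-through below runs the message flow of claims 4 to 10 end to end over a small ring R_q = Z_q[x]/(x^N + 1): the common parameter a derived from a seed with the 5q rejection of claims 4 and 9, the centered binomial sampling of claims 5 and 10, the masked exchange and ring-membership checks of claim 6, the two verification values, and the final key derivation. Everything the claims leave open is an assumption here: q = 12289 and N = 128, Gen = SHAKE-128, H1 as SHAKE-128 reduced mod q, H2..H4 as domain-separated SHA-256, and, because the reconciliation formulas of claim 7 are in figures not reproduced on this page, a simple stand-in in which the server picks k_σ and publishes v = σ_S + k_σ·⌊q/2⌋ (correct while |σ_S − σ_C|_q < q/4, rather than under the bound of claim 8). The claim text prints y_C = m + γ′; since m = y_C + γ, the example removes the mask by subtraction and marks that sign as an assumption.

```python
import hashlib, hmac, os

Q = 12289  # constructed: odd modulus with 5*Q < 2**16, so the 5q rejection of claim 4 is meaningful
N = 128    # constructed: dimension of R_q = Z_q[x]/(x^N + 1)

def poly_add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def poly_sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]

def poly_mul(f, g):
    """Schoolbook product in Z_q[x]/(x^N + 1); terms of degree >= N wrap with a sign flip."""
    r = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N: r[i + j] = (r[i + j] + fi * gj) % Q
            else: r[i + j - N] = (r[i + j - N] - fi * gj) % Q
    return r

def centered(x):  # representative of x mod q in [-(q-1)/2, (q-1)/2]
    return x - Q if x > (Q - 1) // 2 else x

def in_ring(f):  # claim 6 check: exactly N integer coefficients, each in [0, q)
    return isinstance(f, list) and len(f) == N and all(isinstance(c, int) and 0 <= c < Q for c in f)

def centered_binomial(rng=os.urandom):
    """Claim 5: sum_{i<8} (x_i - x_i') per coefficient; two random bytes give the 8 bits x_i and the 8 bits x_i'."""
    raw = rng(2 * N)
    return [(bin(raw[2 * i]).count("1") - bin(raw[2 * i + 1]).count("1")) % Q for i in range(N)]

def gen_common_param(seed):
    """Claim 4 with Gen = SHAKE-128 (an assumption): a 16-bit candidate >= 5q is rejected and
    regenerated, otherwise q is subtracted until the value is <= q."""
    stream, a, pos = hashlib.shake_128(seed).digest(8 * N), [], 0  # 4N candidates, ~6% rejected
    while len(a) < N:
        cand, pos = int.from_bytes(stream[pos:pos + 2], "big"), pos + 2
        if cand >= 5 * Q: continue
        while cand > Q: cand -= Q
        a.append(cand % Q)  # the boundary value q is the ring element 0
    return a

def H1(pw):
    """Password -> gamma in R_q (assumption: SHAKE-128 output reduced mod q per coefficient)."""
    d = hashlib.shake_128(b"H1|" + pw).digest(2 * N)
    return [int.from_bytes(d[2 * i:2 * i + 2], "big") % Q for i in range(N)]

def H(l, cid, sid, m, y_s, k_sigma, gamma):
    """H_l, l in {2,3,4}: {0,1}* -> {0,1}^256 (assumption: SHA-256 with a domain byte l)."""
    enc = lambda f: b"".join(c.to_bytes(2, "big") for c in f)
    return hashlib.sha256(bytes([l]) + cid + b"|" + sid + b"|" + enc(m) + enc(y_s) + bytes(k_sigma) + enc(gamma)).digest()

def con(sigma_s, rng=os.urandom):
    """Stand-in for the server side of claim 7 (assumption, not the patent's formulas): choose
    k_sigma uniformly and publish the signal v = sigma_S + k_sigma*floor(q/2), coefficient-wise."""
    k_sigma = [b & 1 for b in rng(N)]
    return k_sigma, [(s + b * (Q // 2)) % Q for s, b in zip(sigma_s, k_sigma)]

def rec(sigma_c, v):
    """Stand-in for Rec(sigma_C, v): v - sigma_C = k_sigma*floor(q/2) + (sigma_S - sigma_C), so a bit
    is 1 iff the centered difference is far from 0; correct whenever |sigma_S - sigma_C|_q < q/4."""
    return [1 if abs(centered((x - s) % Q)) > Q // 4 else 0 for x, s in zip(v, sigma_c)]

def client_init(cid, pw):
    seed = os.urandom(32)
    s_c, e_c = centered_binomial(), centered_binomial()
    y_c = poly_add(poly_mul(gen_common_param(seed), s_c), e_c)
    return {"s_c": s_c, "pw": pw}, (cid, poly_add(y_c, H1(pw)), seed)  # m = y_C + gamma

def server_respond(sid, gamma_prime, msg):
    cid, m, seed = msg
    if not in_ring(m): return None  # claim 6: terminate if m is not in R_q
    s_s, e_s, e_sigma = centered_binomial(), centered_binomial(), centered_binomial()
    y_s = poly_add(poly_mul(gen_common_param(seed), s_s), e_s)
    # The claim prints y_C = m + gamma'; as m = y_C + gamma, the mask is removed by subtraction here (assumed sign convention).
    sigma_s = poly_add(poly_mul(poly_sub(m, gamma_prime), s_s), e_sigma)
    k_sigma, v = con(sigma_s)
    h = lambda l: H(l, cid, sid, m, y_s, k_sigma, gamma_prime)
    return {"k2": h(3), "sk": h(4)}, (y_s, v, h(2))  # k'' kept for the final check, k sent now

def client_finish(cid, sid, state, msg1, msg2):
    m, (y_s, v, k) = msg1[1], msg2
    if not in_ring(y_s): return None  # claim 6: terminate if y_S is not in R_q
    k_sigma = rec(poly_mul(y_s, state["s_c"]), v)  # sigma_C = y_S * s_C, then Rec
    h = lambda l: H(l, cid, sid, m, y_s, k_sigma, H1(state["pw"]))  # client sets gamma' = gamma
    if not hmac.compare_digest(h(2), k): return None  # verification value mismatch: terminate
    return h(4), h(3)  # (sk_C, k'); k' goes back to the server

def server_finish(state, k_prime):
    return state["sk"] if hmac.compare_digest(k_prime, state["k2"]) else None

def run(pw_client, pw_registered):
    """Whole exchange; returns (sk_C, sk_S), with None for any party that aborted."""
    cid, sid = b"client-C", b"server-S"
    st_c, msg1 = client_init(cid, pw_client)
    resp = server_respond(sid, H1(pw_registered), msg1)  # server holds gamma' = H1(registered pw)
    fin = client_finish(cid, sid, st_c, msg1, resp[1]) if resp else None
    if fin is None: return None, None
    return fin[0], server_finish(resp[0], fin[1])
```

run(b"pw", b"pw") returns two equal 32-byte keys; run with a registered password that differs from the client's returns (None, None), because the server's recovered y_C and hence its σ_S and k_σ no longer match the client's, the client's H2 comparison fails and it never sends k′. Binding γ′ into every hash is what lets each side detect a counterpart that does not hold the matching password material before any key is used.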
CN201910610724.0A 2019-07-08 2019-07-08 Lattice-based password authentication key exchange method and system Active CN110519219B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910610724.0A CN110519219B (en) 2019-07-08 2019-07-08 Lattice-based password authentication key exchange method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910610724.0A CN110519219B (en) 2019-07-08 2019-07-08 Lattice-based password authentication key exchange method and system

Publications (2)

Publication Number Publication Date
CN110519219A CN110519219A (en) 2019-11-29
CN110519219B true CN110519219B (en) 2020-05-22

Family

ID=68623783

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910610724.0A Active CN110519219B (en) 2019-07-08 2019-07-08 Lattice-based password authentication key exchange method and system

Country Status (1)

Country Link
CN (1) CN110519219B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464289B (en) * 2020-01-13 2021-07-27 Huazhong University of Science and Technology Method, equipment and system for realizing post-quantum key exchange protocol
CN113094722B (en) * 2021-03-25 2022-05-24 Institute of Information Engineering, Chinese Academy of Sciences Three-party password authentication key exchange method

Citations (1)

Publication number Priority date Publication date Assignee Title
CN1645792A (en) * 2004-01-21 2005-07-27 Canon Kabushiki Kaisha Communication apparatus, digital signature issuance method and apparatus, and digital signature transmission method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8755519B2 (en) * 2011-06-29 2014-06-17 International Business Machines Corporation Lattice scheme for establishing a secure multi-identity authentication context

Non-Patent Citations (1)

Title
Research on lattice-based post-quantum key exchange; Liu Yamin et al.; Journal of Cryptologic Research (密码学报); 20171031; full text *

Also Published As

Publication number Publication date
CN110519219A (en) 2019-11-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant