CN113094722B - Three-party password authentication key exchange method - Google Patents


Info

Publication number
CN113094722B
CN113094722B
Authority
CN
China
Prior art keywords
client
server
value
random number
rec
Legal status
Active
Application number
CN202110320058.4A
Other languages
Chinese (zh)
Other versions
CN113094722A (en)
Inventor
顾小卓
王梓梁
任培欣
代文昊
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
2021-03-25
Filing date
2021-03-25
Publication date
2022-05-24

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/44 Program or device authentication

Abstract

The invention discloses a three-party password authenticated key exchange method. It designs an implicit three-party authentication method which, compared with the commonly used explicit authentication methods that need many hash operations and transmit large messages, simplifies the authentication structure and reduces both the number of hash operations and the communication traffic. Secondly, the invention considers the modular multiplication of two polynomials and carries out a tighter parameter analysis that balances the variance, the modulus, the dimension, the sampling parameter and the error rate, greatly reducing the modulus and thereby making the key exchange more efficient. Because the centered binomial distribution with parameter $d$ has standard deviation $\sqrt{d/2}$, it closely approximates a discrete Gaussian distribution and its sampler resists timing attacks, so the centered binomial distribution, which can be implemented more efficiently in hardware and software, is chosen for sampling. Sampling is simpler, needs no large table and no high-precision arithmetic, and is therefore faster.

Description

Three-party password authentication key exchange method
Technical Field
The invention belongs to the technical field of cryptography and relates to a three-party password authenticated key exchange method based on RLWE (Ring Learning with Errors).
Background
Key exchange allows two or more communicating entities to share a common key over an insecure channel. Unauthenticated key exchange only provides security against passive attacks, whereas authenticated key exchange ensures that a session participant shares the session key with another honest participant even against an active attacker. Compared with other forms of key exchange, password-based authenticated key exchange needs neither a public key infrastructure nor long symmetric keys stored by the user; instead all parties share a simple, low-entropy, memorable password. It has the advantages of small data volume and high speed and is widely used.
Most existing key exchange protocols only address two-party communication. In real Internet scenarios the number of participants keeps growing, for example communication among a mobile terminal, a local server and a remote server, or the interactions among buyers, sellers and third-party platforms in electronic commerce, and the insecurity of these settings makes research on three-party key exchange necessary. As the number of communicating entities grows, the number of passwords that must be pre-stored across the whole network grows with it, so two-party Password Authenticated Key Exchange (2PAKE) is unsuitable for user-to-user communication: if $n$ users participate and every pair of users negotiates a shared session key, $n(n-1)/2$ passwords must be pre-stored in the whole network. To overcome this limitation of 2PAKE, cryptographers proposed three-party Password Authenticated Key Exchange (3PAKE), which introduces a trusted server: each client shares a password only with the server and pre-stores no information about other clients, which reduces the problems of password storage, management and updating. The server stores the password hash values of all clients, authenticates both communicating parties and helps them generate a session key.
At present the security of 3PAKE protocols mainly rests on classical hard mathematical problems such as integer factorization and the discrete logarithm. With the development of quantum computing most of these classical problems can be solved in polynomial time, which challenges 3PAKE under traditional public key cryptosystems; it is therefore important to design authenticated key exchange protocols with post-quantum security. Lattice-based cryptography performs well in flexibility, security and computational cost and is one of the most common mathematical foundations of post-quantum algorithms. In a key agreement built on the RLWE problem over ideal lattices, each participant introduces a small random error term to guarantee post-quantum security, so an error reconciliation mechanism is needed to turn the approximately equal keys, which still contain errors, into an identical session key. The Peikert reconciliation mechanism defines a rounding function $\lfloor x \rceil_2 := \lfloor 2x/q \rceil \bmod 2$, a cross-rounding function [formula image], a randomized doubling function [formula image] and a recovery function [formula image], where the modulus $q$ is prime, $\mathbb{Z}$ is the set of integers, the intervals are $I_0 = \{0, 1, \ldots, \lfloor q/4 \rceil - 1\}$ and $I_1 = \{-\lfloor q/4 \rfloor, \ldots, -1\}$, the error interval is $E = [-q/8, q/8) \cap \mathbb{Z}$ (mod $q$), and the cross-rounding output [formula image] is a uniformly random value independent of $v$. With these functions one defines:
Reconciliation function $(k, \omega) = \mathrm{HelpRec}(v)$: compute [formula image]; the signal value that assists reconciliation is [formula image]; the reconciled value is [formula image]; return $(k, \omega)$.
Recovery function $k' = \mathrm{Rec}(2w, \omega)$: takes $w$ and $\omega$ as input and returns the reconciled value $k'$.
In the polynomial ring $R_q = \mathbb{Z}_q[X]/(X^n + 1)$, for two approximately equal ring elements $v = (v_0, \ldots, v_{n-1}) \in R_q$ and $w = (w_0, \ldots, w_{n-1}) \in R_q$ one computes $(k, b) = \mathrm{HelpRec}(v) = (\mathrm{HelpRec}(v_0), \ldots, \mathrm{HelpRec}(v_{n-1}))$ coefficient-wise. From the binary reconciliation vector $b = (b_0, \ldots, b_{n-1}) \in \{0,1\}^n$ one then computes $k' = \mathrm{Rec}(2w, b) = (\mathrm{Rec}(2w_0, b_0), \ldots, \mathrm{Rec}(2w_{n-1}, b_{n-1}))$. As long as the two ring elements satisfy $\|w - v\|_\infty < q/8$, these functions yield the same value $k = k'$.
At present there are few lattice-based password authenticated key exchange protocols, and most of them are two-party protocols in which each party must pre-share the password hash values of all the users it communicates with. This costs resources and security in password storage, updating and management and makes them unsuitable for scenarios with many users or with user-to-user communication.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide an implicit three-party password authenticated key exchange method based on the RLWE problem.
Firstly, to reduce the communication complexity of password authentication and key exchange in the client-server-client setting and to improve protocol efficiency, the invention designs an implicit three-party authentication method; compared with the commonly used explicit authentication methods, which need many hash operations and transmit large messages, the scheme simplifies the authentication structure and reduces the number of hash operations and the communication traffic. Secondly, the invention considers the modular multiplication of two polynomials and carries out a tighter parameter analysis that balances the variance, the modulus, the dimension, the sampling parameter and the error rate, greatly reducing the modulus and thereby making the key exchange more efficient. Because the centered binomial distribution with parameter $d$ has standard deviation $\sqrt{d/2}$, it closely approximates a discrete Gaussian distribution and its sampler resists timing attacks, so the method samples from the centered binomial distribution, which can be implemented more efficiently in hardware and software: sampling is simpler, needs no large table and no high-precision arithmetic, and is faster. The scheme can also be combined with an NTT-based Fast Lattice Library to accelerate polynomial multiplication and further improve the computational efficiency of the whole protocol.
For every new key exchange session the server generates a fresh seed and expands it with a pseudo-random function (such as a hash function) into the public parameter $a$ (the public parameter $a$ is used to generate the various keys, for example $p = a s + e$, where $s$ and $e$ are secret and $p$ is the resulting key share), instead of using a fixed public parameter. Expanding the hash output into $a$ prevents an untrusted party from choosing an $a$ with a special structure through which an adversary could guess a protocol party's secret value by a trapdoor attack or an all-for-the-price-of-one attack. The method also uses the Peikert error reconciliation mechanism to reconcile the two approximately equal keys into the same value. The Peikert mechanism defines a randomized doubling function in which one case [formula image] occurs with probability 1/2 and the other [formula image] with probability 1/4, so the output of the doubling function is uniformly random; the generated signal values are therefore uniformly distributed and the two parties directly obtain uniform common bits. Even if the adversary learns the signal value, its advantage in deriving the reconciled value from it is negligible, which ensures the security of the error reconciliation mechanism.
The technical scheme of the invention is as follows:
A three-party password authenticated key exchange method comprises the following steps:
1) Whenever client A and client B start a session, client A sends the message $\langle ID_A, ID_B \rangle$ to the server S to initiate the session; $ID_A$ is the identity information of the user logged in at client A, $ID_B$ is the identity information of the user logged in at client B, the server S stores a password verification value for each user, and $ID_S$ is the identity information of the server S.
2) The server S randomly generates a random seed for the current session, computes and publishes the public parameter $a$ from the seed, and generates the random values $s_1, s_2, e_1, e_2, e_{SA}, e_{SB}$; it then computes [formula images] and sends [formula image] to client A and to client B respectively; [formula image] is the verification value of the password $pw_A$ of the user logged in at client A and [formula image] is the verification value of the password $pw_B$ of the user logged in at client B.
3) Client A computes [formula image] and generates the random values $s_A, e_A$; client A checks the received value [formula image]; if [formula image], client A terminates the interaction; otherwise client A computes [formula image], $p_A = a s_A + e_A$, [formula image], $(\sigma_{AS}, \omega_{AS}) = \mathrm{HelpRec}(k_{AS})$ and [formula image], and sends $\langle x_{AS}, \omega_{AS} \rangle$ to the server S. Client B computes [formula images], generates the random values $s_B, e_B$, and checks whether the received value [formula image] satisfies [formula image]; if not, it terminates the interaction; otherwise client B computes [formula image], $p_B = a s_B + e_B$, [formula image], $(\sigma_{BS}, \omega_{BS}) = \mathrm{HelpRec}(k_{BS})$ and [formula image], and sends $\langle x_{BS}, \omega_{BS} \rangle$ to the server S. The hash functions $H_1, H_2, H_3, H_4$ are defined as $H_1, H_2, H_3 : \{0,1\}^* \to R_q$ and $H_4 : \{0,1\}^* \to \{0,1\}^\lambda$, where $\lambda$ is the bit length of the session key finally shared.
4) The server S checks the received $\langle x_{AS}, x_{BS}, \omega_{AS}, \omega_{BS} \rangle$; if [formula image], S terminates the interaction; otherwise it computes [formula image], $k_{SA} = p_A \cdot s_1$, $k_{SB} = p_B \cdot s_2$, $\sigma_{SA} = \mathrm{Rec}(2k_{SA}, \omega_{AS})$, $\sigma_{SB} = \mathrm{Rec}(2k_{SB}, \omega_{BS})$, $y_{SA} = p_B + H_3(\sigma_{SA})$ and $y_{SB} = p_A + H_3(\sigma_{SB})$; it then sends $\langle y_{SA}, y_{SB}, x_{BS} \rangle$ to client A and $\langle y_{SA}, y_{SB}, x_{AS} \rangle$ to client B.
5) Client B checks the received $\langle y_{SA}, y_{SB}, x_{AS} \rangle$; if [formula image], B terminates the interaction; otherwise it computes $p_A = y_{SB} - H_3(\sigma_{BS})$ and $k_B = p_A \cdot s_B$, obtains the signal value $\omega$ used for reconciliation, the reconciled value $k$ and the session key $SK_B = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$, and sends $\omega$ to A.
6) Client A receives $\langle y_{SA}, y_{SB}, x_{BS}, \omega \rangle$ and computes the reconciled value $k$ and the session key $SK_A = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$.
Further, the server S randomly selects a seed defined as $seed \leftarrow \{0, 1, \ldots, 255\}^{32}$ and then generates the public parameter $a \in R_q$ from the seed with the SHAKE-128 function.
Further, the signal value is $\omega \leftarrow \mathrm{HelpRec}(k_B)$ and the reconciled value is $k = \mathrm{Rec}(2k_B, \omega)$, where $\mathrm{HelpRec}()$ is the reconciliation function and $\mathrm{Rec}()$ is the recovery function.
Further, in step 6) client A first receives $\langle y_{SA}, y_{SB}, x_{BS}, \omega \rangle$ and computes $p_B = y_{SA} - H_3(\sigma_{AS})$ and $k_A = p_B \cdot s_A$; it then computes the reconciled value $k = \mathrm{Rec}(2k_A, \omega)$ from the signal value $\omega$ with the recovery function $\mathrm{Rec}$, and finally obtains the session key $SK_A = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$.
Further, in step 2) the random values $s_1, s_2, e_1, e_2, e_{SA}, e_{SB}$ are generated by random sampling from the centered binomial distribution; in step 3) client A generates $s_A, e_A$ and client B generates $s_B, e_B$ by random sampling from the centered binomial distribution.
Further, the centered binomial distribution is $\psi_d$ [formula image]: each coefficient of the generated $n$-dimensional polynomial is drawn from a centered binomial distribution with mean 0 and variance $d/2$.
Compared with the prior art, the invention has the following positive effects:
In terms of security, the method selects, on the basis of the RLWE problem, reasonable parameters [formula image] that satisfy the correctness requirement. Analysed under the dual and primal attack models, the scheme reaches 255-bit post-quantum security, resists quantum adversaries and is secure in a quantum setting. Under the BPR model in the three-party setting the method is proven to resist dictionary attacks and man-in-the-middle attacks and to provide mutual authentication and forward secrecy.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
fig. 2 is an architectural diagram of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings.
The protocol involves a client A, a client B and a server S. The server is trusted and stores a hash of each client's password, is responsible for mutual authentication with each client, and relays messages between the clients. Each client authenticates to the server with its password and, with the help of S, establishes the final session key with the other client.
The method works in the polynomial ring $R_q = \mathbb{Z}_q[X]/(X^n + 1)$. The hash functions $H_1, H_2, H_3, H_4$ are defined as $H_1, H_2, H_3 : \{0,1\}^* \to R_q$ and $H_4 : \{0,1\}^* \to \{0,1\}^\lambda$, where $\lambda$ is the bit length of the session key finally shared. The identities of client A, client B and server S are denoted $ID_A$, $ID_B$ and $ID_S$ respectively. S randomly selects a seed defined as $seed \leftarrow \{0, 1, \ldots, 255\}^{32}$; from the seed and the SHAKE-128 function each client expands the same public ring element $a \in R_q$. Client A holds the password $pw_A$ and client B holds the password $pw_B$; the server S stores the password verification hash value of client A, [formula image], and the password verification hash value of client B, [formula image].
In the following scheme, $s_i \in R_q$ is a secret value sampled from the centered binomial distribution $\psi_d$ [formula image], and $e_i \in R_q$ is a small random error term likewise sampled from $\psi_d$ [formula image]; each coefficient of the generated $n$-dimensional polynomial (ring element) is drawn from the centered binomial distribution $\psi_d$ with mean 0 and variance $d/2$.
1) Protocol initiation. Client A sends $\langle ID_A, ID_B \rangle$ to server S to initiate a session; $ID_A$ and $ID_B$ are the identities of the users at clients A and B respectively.
2) First response. Server S randomly generates $seed \leftarrow \{0, 1, \ldots, 255\}^{32}$, computes and publishes the public parameter $a \leftarrow \mathrm{Parse}(\text{SHAKE-128}(seed))$, randomly samples [formula image] from the centered binomial distribution, computes [formula images], and then sends [formula image] to client A and to client B respectively. [formula image] is the verification value of the password $pw_A$ of the user logged in at client A and [formula image] is the verification value of the password $pw_B$ of the user logged in at client B.
3) Second response. The two clients may respond simultaneously and independently. Client A computes [formula images], randomly samples [formula image] from the centered binomial distribution and, upon receiving [formula image] from S, checks whether [formula image]; if so, client A terminates the protocol. Otherwise A continues to compute [formula image], $p_A = a s_A + e_A$, [formula image], $(\sigma_{AS}, \omega_{AS}) = \mathrm{HelpRec}(k_{AS})$ and [formula image], and sends $\langle x_{AS}, \omega_{AS} \rangle$ to server S. At the same time client B computes [formula images], randomly samples [formula image] from the centered binomial distribution and checks whether the received message [formula image] satisfies [formula image]; if not, the protocol is terminated. Otherwise B computes [formula image], $p_B = a s_B + e_B$, [formula image], $(\sigma_{BS}, \omega_{BS}) = \mathrm{HelpRec}(k_{BS})$ and [formula image], and sends $\langle x_{BS}, \omega_{BS} \rangle$ to server S. Here $\mathrm{HelpRec}()$ is the reconciliation function.
4) Third response. After receiving $\langle x_{AS}, x_{BS}, \omega_{AS}, \omega_{BS} \rangle$ from A and B, server S terminates the protocol if the received values satisfy [formula image]. Otherwise S extracts the key $p_A$ generated by A from A's message $x_{AS}$ and the key $p_B$ computed by B from B's message $x_{BS}$, and continues to compute $k_{SA} = p_A \cdot s_1$, $k_{SB} = p_B \cdot s_2$, $\sigma_{SA} = \mathrm{Rec}(2k_{SA}, \omega_{AS})$, $\sigma_{SB} = \mathrm{Rec}(2k_{SB}, \omega_{BS})$, $y_{SA} = p_B + H_3(\sigma_{SA})$ and $y_{SB} = p_A + H_3(\sigma_{SB})$. S then sends $\langle y_{SA}, y_{SB}, x_{BS} \rangle$ to A and $\langle y_{SA}, y_{SB}, x_{AS} \rangle$ to B. Here $\mathrm{Rec}()$ is the recovery function.
5) Fourth response. After receiving $\langle y_{SA}, y_{SB}, x_{AS} \rangle$ from S, client B first checks whether [formula image]; if so, B aborts. Otherwise B extracts the key $p_A$ generated by client A from the server's message $y_{SB}$, computes $k_B = p_A \cdot s_B$, obtains the reconciled value and the signal value as $(k, \omega) = \mathrm{HelpRec}(k_B)$, derives the final session key $SK_B = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$, and sends $\omega$ to client A.
6) Protocol completion. After receiving $\langle y_{SA}, y_{SB}, x_{BS}, \omega \rangle$ from server S and client B, client A extracts client B's key $p_B$ from the server's message $y_{SA}$, computes $k_A = p_B \cdot s_A$, computes the reconciled value $k = \mathrm{Rec}(2k_A, \omega)$ from the signal value $\omega$ with the recovery function $\mathrm{Rec}$, and finally obtains the session key $SK_A = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$.
Authentication of the clients: in steps 3, 5 and 6, after receiving the server's message, only a client $i \in \{A, B\}$ that holds the correct password $pw_i$ (whose hash value the server stores) can compute $p_i$ successfully and thereby obtain the reconciled value $k$. A client that takes part in the protocol without knowing the password cannot compute a $k'$ consistent with the other, honest client; key agreement then fails and no subsequent communication is possible.
Authentication of the server: in step 4 the client hides its key $p_i$ in a message to which the password hash value has been added. After receiving the client's message, only a server that stores the hash value of the real password can recover the client's secret information $p_i$ from it and generate the correct $\sigma_{Si}$, so that both parties obtain a consistent session key.
When the protocol is executed correctly according to the flow, the passwords of client A, client B and the server match, authentication completes successfully and $\|k_A - k_B\|_\infty < q/8$, so the two clients recover the same reconciled value $k$. Hence $(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$ is identical on both sides and the same session key $SK_A = SK_B$ is obtained. The two parties can use this session key for symmetric encryption to secure their subsequent communication.
In cryptographic algorithms based on the RLWE problem the most time-consuming operation is polynomial arithmetic. For $n = 1024$ the invention selects the modulus $q = 12289$, which satisfies the NTT requirement $q \equiv 1 \pmod{2n}$ and guarantees protocol correctness, so the NTT-based Fast Lattice Library can be used to accelerate the polynomial computation; combined with the tighter analysis of the modulus and the simplified implicit authentication, this greatly improves computation speed while preserving post-quantum security strength.
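The following Python program is an added worked example, written for this page and not taken from the patent, that runs the RLWE key-agreement core of the steps above (the public $a$ expanded from a 32-byte seed with SHAKE-128, $p = a s + e$ with $s, e \leftarrow \psi_d$, $k_A = p_B \cdot s_A$ and $k_B = p_A \cdot s_B$, then $(k, \omega) = \mathrm{HelpRec}(k_B)$ on B's side and $k' = \mathrm{Rec}(2k_A, \omega)$ on A's side) with the page's $n = 1024$ and $q = 12289$, using an NTT-based polynomial multiplication as the page suggests. It also serves the Peikert reconciliation passage in the background section: because $q$ is odd, the rounding, cross-rounding and recovery functions are applied after Peikert's randomized doubling $\mathrm{dbl}: \mathbb{Z}_q \to \mathbb{Z}_{2q}$, whose random term is $0$ with probability $1/2$ and $\pm 1$ with probability $1/4$ each (the probabilities the page quotes), with the intervals $I_0$, $I_1$ and $E$ scaled to the modulus $2q$. The password-authentication parts of the protocol (the verification values, the masking of $p_A$ and $p_B$ inside $x_{AS}$, $x_{BS}$, $y_{SA}$, $y_{SB}$, and the membership checks) appear only as images on this page and are not reproduced here. Assumptions not stated on the page: $d = 8$; Parse implemented as 16-bit rejection sampling of the XOF output; and a 256-bit session key derived with SHAKE-128 over the seed, $\omega$ and $k$ as a stand-in for the page's $H_3(\ldots)$ (the page defines $H_4$ as the $\lambda$-bit hash yet writes the session key with $H_3$, which maps to $R_q$; a real implementation must pick one).

```python
"""Added example, not the patent's code: the RLWE key-agreement core of the page's protocol
with Peikert reconciliation.  Page parameters: R_q = Z_q[X]/(X^n+1), n = 1024, q = 12289,
a = Parse(SHAKE-128(seed)), secrets/errors from psi_d.  Assumed (not on the page): d = 8,
Parse as 16-bit rejection sampling, and SHAKE-128 as the lambda-bit session-key hash."""
import hashlib
import random

Q, N = 12289, 1024   # q = 1 (mod 2n) so a negacyclic NTT exists (page: q = 12289 for n = 1024)
D = 8                # centered-binomial parameter; assumed, the page leaves d unspecified


def make_rng(seed=None):  # deterministic for tests, SystemRandom otherwise
    return random.Random(seed) if seed is not None else random.SystemRandom()


def _root_of_minus_one(n, q=Q):
    """Smallest psi with psi^n = -1 (mod q), i.e. a primitive 2n-th root of unity."""
    return next(g for g in range(2, q) if pow(g, n, q) == q - 1)


def _ntt(a, w, q=Q):
    """Recursive cyclic NTT of a (power-of-two length) for the primitive len(a)-th root w."""
    n = len(a)
    if n == 1:
        return a[:]
    even, odd = _ntt(a[0::2], w * w % q), _ntt(a[1::2], w * w % q)
    out, wk = [0] * n, 1
    for k in range(n // 2):
        t = wk * odd[k] % q
        out[k], out[k + n // 2] = (even[k] + t) % q, (even[k] - t) % q
        wk = wk * w % q
    return out


def poly_mul(a, b, q=Q):
    """a*b in Z_q[X]/(X^n+1): twist by psi^i, cyclic NTT convolution, untwist, scale by 1/n."""
    n, psi = len(a), _root_of_minus_one(len(a), q)
    omega, psi_inv, n_inv = psi * psi % q, pow(psi, -1, q), pow(n, -1, q)
    fa = _ntt([a[i] * pow(psi, i, q) % q for i in range(n)], omega, q)
    fb = _ntt([b[i] * pow(psi, i, q) % q for i in range(n)], omega, q)
    fc = _ntt([x * y % q for x, y in zip(fa, fb)], pow(omega, -1, q), q)
    return [fc[i] * n_inv % q * pow(psi_inv, i, q) % q for i in range(n)]


def expand_a(seed, n=N, q=Q):
    """a = Parse(SHAKE-128(seed)): 16-bit little-endian words of the XOF output, kept if < q
    (rejection sampling; the page names Parse but does not define it, so this is assumed)."""
    stream = hashlib.shake_128(seed).digest(64 * n)     # about 6n accepted words expected
    words = (int.from_bytes(stream[i:i + 2], "little") for i in range(0, len(stream), 2))
    coeffs = [c for c in words if c < q]
    if len(coeffs) < n:
        raise RuntimeError("XOF stream too short")
    return coeffs[:n]


def sample_psi_d(rng, n=N, d=D, q=Q):
    """psi_d: each coefficient is sum_{i<d}(b_i - b'_i) over uniform bits; mean 0, variance d/2."""
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(d)) % q for _ in range(n)]


def dbl(v, rng, q=Q):
    """Peikert's randomized doubling Z_q -> Z_2q: 2v - e with e = 0 w.p. 1/2, e = +-1 w.p. 1/4 each."""
    return (2 * v - (rng.getrandbits(1) - rng.getrandbits(1))) % (2 * q)


def helprec_coeff(v, rng, q=Q):
    """HelpRec on one coefficient: (rounding bit k, cross-rounding bit omega) of dbl(v) in Z_2q."""
    vb = dbl(v, rng, q)
    return ((2 * vb + q) // (2 * q)) % 2, ((2 * vb) // q) % 2


def rec_coeff(wb, b, q=Q):
    """Rec on one coefficient: 0 iff wb (in Z_2q) lies in I_b + E, with the page's intervals
    carried to modulus 2q: I_0 = [0, round(q/2)), I_1 = [-floor(q/2), 0), E = [-q/4, q/4)."""
    lo, hi = (0, (q + 1) // 2 - 1) if b == 0 else (-(q // 2), -1)
    lo, hi = lo - q // 4, hi + q // 4
    return 0 if (wb - lo) % (2 * q) <= hi - lo else 1


def helprec(v, rng):
    """(k, omega) = HelpRec(v) coefficient-wise on a ring element."""
    pairs = [helprec_coeff(c, rng) for c in v]
    return [k for k, _ in pairs], [w for _, w in pairs]


def rec(w, omega):
    """k' = Rec(2w, omega) coefficient-wise on a ring element."""
    return [rec_coeff(2 * c, b) for c, b in zip(w, omega)]


def key_agreement(rng, n=N, lam=256):
    """Both sides of the page's exchange: p = a*s + e, k_A = p_B*s_A, k_B = p_A*s_B,
    (k, omega) = HelpRec(k_B) at B, k' = Rec(2k_A, omega) at A.  Returns (SK_A, SK_B, k, k')."""
    seed = bytes(rng.getrandbits(8) for _ in range(32))          # seed <- {0,...,255}^32
    a = expand_a(seed, n)
    s_a, e_a, s_b, e_b = (sample_psi_d(rng, n) for _ in range(4))
    p_a = [(x + y) % Q for x, y in zip(poly_mul(a, s_a), e_a)]
    p_b = [(x + y) % Q for x, y in zip(poly_mul(a, s_b), e_b)]
    k_a, k_b = poly_mul(p_b, s_a), poly_mul(p_a, s_b)            # differ by e_b*s_a - e_a*s_b
    k, omega = helprec(k_b, rng)                                 # B: reconciled bits + signal
    k_prime = rec(k_a, omega)                                    # A: recovers k from the signal

    def kdf(bits):   # stand-in for H(ID_A, ID_B, ID_S, transcript, omega, k) -> {0,1}^lam
        return hashlib.shake_128(seed + bytes(omega) + bytes(bits)).digest(lam // 8)
    return kdf(k), kdf(k_prime), k, k_prime
```

Calling `key_agreement(make_rng())` returns two equal 32-byte keys together with the 1024 reconciled bits from each side. With this exact interval arithmetic the reconciliation is correct for every coefficient error of magnitude at most $\lfloor q/8 \rfloor - 1 = 1535$; at 1536, which the nominal bound $\|w - v\|_\infty < q/8$ still admits, the $\pm 1$ term from doubling can push $2w$ one step outside $I_b + E$, so an implementation should check its error budget against the implemented intervals rather than the nominal bound. With $d = 8$ and $n = 1024$ the coefficients of $k_A - k_B = e_B s_A - e_A s_B$ have a standard deviation of about 181, which leaves a wide margin; any $d$ chosen for a deployment must be re-checked against that bound, since the page states the correctness requirement but not $d$.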
It is noted that the disclosed embodiments are intended to aid in further understanding of the invention, but those skilled in the art will appreciate that: various substitutions and modifications are possible without departing from the spirit and scope of the invention and appended claims. Therefore, the invention should not be limited to the embodiments disclosed, but the scope of the invention is defined by the appended claims.

Claims (5)

1. A three-party password authenticated key exchange method, comprising the following steps:
1) whenever client A and client B start a session, client A sends the message $\langle ID_A, ID_B \rangle$ to the server S to initiate the session; wherein $ID_A$ is the identity information of the user logged in at client A, $ID_B$ is the identity information of the user logged in at client B, the server S stores a verification value of each user's password, and $ID_S$ is the identity information of the server S;
2) the server S randomly generates a random seed for the current session, computes and publishes a public parameter $a$ from the seed, and generates the random values $s_1, s_2, e_1, e_2, e_{SA}, e_{SB}$; it then computes [formula images] and sends [formula image] to client A and to client B respectively; [formula image] is the verification value of the password $pw_A$ of the user logged in at client A and [formula image] is the verification value of the password $pw_B$ of the user logged in at client B;
3) client A computes [formula image] and generates the random values $s_A, e_A$; client A checks the received value [formula image]; if [formula image], client A terminates the interaction; otherwise client A computes [formula image], $p_A = a s_A + e_A$, [formula image], $(\sigma_{AS}, \omega_{AS}) = \mathrm{HelpRec}(k_{AS})$ and [formula image], and sends $\langle x_{AS}, \omega_{AS} \rangle$ to the server S; client B computes [formula images], generates the random values $s_B, e_B$, and checks whether the received value [formula image] satisfies [formula image]; if not, it terminates the interaction; otherwise client B computes [formula image], $p_B = a s_B + e_B$, [formula image], $(\sigma_{BS}, \omega_{BS}) = \mathrm{HelpRec}(k_{BS})$ and [formula image], and sends $\langle x_{BS}, \omega_{BS} \rangle$ to the server S; wherein the hash functions $H_1, H_2, H_3, H_4$ are defined as $H_1, H_2, H_3 : \{0,1\}^* \to R_q$ and $H_4 : \{0,1\}^* \to \{0,1\}^\lambda$, $\lambda$ is the bit length of the session key finally shared, $R_q$ is a polynomial ring, $\mathrm{HelpRec}()$ is the reconciliation function and $\mathrm{Rec}()$ is the recovery function;
4) the server S checks the received $\langle x_{AS}, x_{BS}, \omega_{AS}, \omega_{BS} \rangle$; if $x_{AS}$ and the other received values fail the check [formula image], S terminates the interaction; otherwise it computes [formula image], $k_{SA} = p_A \cdot s_1$, $k_{SB} = p_B \cdot s_2$, $\sigma_{SA} = \mathrm{Rec}(2k_{SA}, \omega_{AS})$, $\sigma_{SB} = \mathrm{Rec}(2k_{SB}, \omega_{BS})$, $y_{SA} = p_B + H_3(\sigma_{SA})$ and $y_{SB} = p_A + H_3(\sigma_{SB})$; it then sends $\langle y_{SA}, y_{SB}, x_{BS} \rangle$ to client A and $\langle y_{SA}, y_{SB}, x_{AS} \rangle$ to client B;
5) client B checks the received $\langle y_{SA}, y_{SB}, x_{AS} \rangle$; if $y_{SA}$, $y_{SB}$ and the other received values fail the check [formula image], client B terminates the interaction; otherwise it computes $p_A = y_{SB} - H_3(\sigma_{BS})$ and $k_B = p_A \cdot s_B$, obtains the signal value $\omega$ used for reconciliation, the reconciled value $k$ and the session key $SK_B = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$, and sends $\omega$ to client A;
6) client A receives $\langle y_{SA}, y_{SB}, x_{BS}, \omega \rangle$ and computes the reconciled value $k$ and the session key $SK_A = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$.
2. The method of claim 1, wherein the server S randomly selects a seed defined as $seed \leftarrow \{0, 1, \ldots, 255\}^{32}$ and then generates the public parameter $a \in R_q$ from the seed with the SHAKE-128 function.
3. The method of claim 2, wherein the signal value is $\omega \leftarrow \mathrm{HelpRec}(k_B)$ and the reconciled value is $k = \mathrm{Rec}(2k_B, \omega)$.
4. The method of claim 1, wherein in step 6) client A first receives $\langle y_{SA}, y_{SB}, x_{BS}, \omega \rangle$, computes $p_B = y_{SA} - H_3(\sigma_{AS})$ and $k_A = p_B \cdot s_A$, then computes the reconciled value $k = \mathrm{Rec}(2k_A, \omega)$ from the signal value $\omega$ with the recovery function $\mathrm{Rec}$, and finally obtains the session key $SK_A = H_3(ID_A, ID_B, ID_S, x_{AS}, x_{BS}, y_{SA}, y_{SB}, \omega, k)$.
5. The method of claim 1, wherein in step 2) the random values $s_1, s_2, e_1, e_2, e_{SA}, e_{SB}$ are generated by random sampling from the centered binomial distribution; in step 3) client A generates the random values $s_A, e_A$ and client B generates the random values $s_B, e_B$ by random sampling from the centered binomial distribution.
CN202110320058.4A 2021-03-25 2021-03-25 Three-party password authentication key exchange method Active CN113094722B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110320058.4A CN113094722B (en) 2021-03-25 2021-03-25 Three-party password authentication key exchange method


Publications (2)

Publication Number Publication Date
CN113094722A CN113094722A (en) 2021-07-09
CN113094722B true CN113094722B (en) 2022-05-24

Family

ID=76669742

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110320058.4A Active CN113094722B (en) 2021-03-25 2021-03-25 Three-party password authentication key exchange method

Country Status (1)

Country Link
CN (1) CN113094722B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116614807B (en) * 2023-07-20 2023-10-13 山东科技大学 Lightweight authentication key exchange method for computing wireless local area network and multi-access edge

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101282216A (en) * 2007-04-02 2008-10-08 中国科学院研究生院 Method for switching three-partner key with privacy protection based on password authentication
CN105763330A (en) * 2014-12-18 2016-07-13 中国科学院信息工程研究所 Light weight certificate suitable for encryption communication of circuit domain and encryption communication method
CN107154849A (en) * 2017-05-09 2017-09-12 哈尔滨工业大学深圳研究生院 Three-side password authentication and key agreement protocol based on highly reliable smart card
CN110299995A (en) * 2019-07-11 2019-10-01 北京电子科技学院 A kind of two-way authentication cryptographic key negotiation method and system for supporting domestic cryptographic algorithm based on RLWE
CN110519219A (en) * 2019-07-08 2019-11-29 中国科学院信息工程研究所 A kind of password authentication key exchange method and system based on lattice

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US10764042B2 (en) * 2015-09-08 2020-09-01 Jintai Ding Password based key exchange from ring learning with errors
US10798086B2 (en) * 2017-05-08 2020-10-06 Amazon Technologies, Inc. Implicit certificates using ring learning with errors
CN107592197A (en) * 2017-05-09 2018-01-16 哈尔滨工业大学深圳研究生院 Three-side password authentication and key agreement protocol without smart card
CN111682938B (en) * 2020-05-12 2022-08-09 东南大学 Three-party authenticatable key agreement method facing centralized mobile positioning system


Non-Patent Citations (3)

Title
Practical Randomized RLWE-Based Key Exchange Against Signal Leakage Attack; Xinwei Gao et al.; IEEE Transactions on Computers, vol. 67, no. 11; 2018-02-22; full text *
RLWE-based two-factor three-party authenticated key exchange protocol (基于RLWE的双因子三方认证密钥交换协议); Shen Yanmei et al.; Computer Engineering and Science (计算机工程与科学), vol. 42, no. 9; 2020-10-23; full text *
RLWE-based post-quantum authenticated key exchange protocol (基于RLWE的后量子认证密钥交换协议); Li Zichen et al.; Network and Information Security (网络与信息安全), vol. 56, no. 12; 2020-01-08; full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant