KR101411970B1 - Method for authenticating between objects - Google Patents

Abstract

The present invention relates to a method of performing authentication between objects performing cryptographic communication, and more particularly, to a scheme of securing security even in a so-called worst case when authentication between objects, which precedes the cryptographic communication performed between the objects, is performed. An authentication method disclosed includes the following steps of: a) inquiring a secret value possessed by an object (certifier) when an object (verifier) performing authentication receives an authentication request from the verifier who will be authenticated; b) transmitting an application result of a learning with error (LWE) problem to the secret value to the verifier by the certifier; and c) finally determining whether the certifier is authenticated by using the result by the verifier.

Description

[0001] The present invention relates to a method for authenticating between objects,

The present invention relates to an inter-object authentication method for performing cryptographic communication, and more particularly, to a method for inter-object authentication in which, in a so-called " worst case " security.

For inter-object (eg client-server) cryptographic communication, inter-object authentication must be preceded by a public channel. An inter-object authentication method using a challenge-response is a method in which an object to be authenticated (hereinafter referred to as a "prover") directly exposes its secret value to an object (hereinafter referred to as a "verifier" This is an authentication method that proves that the secret value of the verifier is known.

On the other hand, the security of the inter-object authentication scheme is proved by a computationally difficult NP problem (Nondeterministic Polynomial time problem). In other words, it proves the thesis that 'if the authentication technique is unsafe, the NP problem can be solved', it shows that the authentication technique is safe if its NP controposition thesis is difficult. The security of the authentication techniques used so far has been proved mainly based on the fact that the problem of subnormal number resolution and discrete logarithm is difficult to solve. However, recent advances in computing power have proven that this safety can be compromised. For example, with advances in quantum computing technology and steady research, it is possible to achieve the above two problems in a quantum computing environment at a meaningful time (Which can be solved within realistic time or polynomial time) (Shu-Shun Li et al., "Quantum computing," Proceedings of the National Academy of Sciences the United States of America, vol. 98, pp. 11847-11848, 2001). This means that it is impossible to use the inter-object authentication technique based on the difficulty of solving the above-mentioned problems in a high-performance computing environment including a quantum computing environment.

Patent Document 10-1999-0053065 'Digital Multiple Signature Method Based on Discrete Logarithm Problem' (July 15, 1999)

The present invention has been made in recognition of the above problems, and it is an object of the present invention to provide a method and apparatus for securing the security of authentication between objects in a worst case (any case) in a high performance computing environment including a quantum computing environment Object authentication system and method therefor.

According to an aspect of the present invention, there is provided an authentication method, which is a method for solving the above-mentioned problems, comprising the steps of: a) when an object (authenticator) performing authentication performs a request for authentication from an object (authenticator) ; b) transmitting to the verifier a result of applying the Learning With Error (LWE) problem to the secret value; And c) finally verifying whether the verifier authenticates the verifier using the result.

Since the present invention performs inter-object authentication based on the LWE problem, it reduces the cost of authentication (encryption) between objects required for inter-object cryptographic communication, There is no possibility of leakage to the outside. Therefore, in the worst case in a high performance computing environment including a quantum computing environment, safety in authentication can be absolutely ensured.

1 and 2 are views showing the flow of the present invention.
3 is a view showing one embodiment of the present invention.

Prior to the description of the concrete contents for carrying out the present invention, for the sake of understanding, an outline of a solution to the problem to be solved by the present invention will be given first.

As mentioned above, the problem of small scale decomposition and discrete algebra is very difficult to solve in average-case, but it is very easy to solve in worst-case. For example, the factoring problem is solved very easily when one prime number is very small. In addition, the cryptosystem based on the problem of decomposition of small numbers and the difficulty of the discrete algebra problem is not only costly in terms of the complexity of the cryptosystem itself, and, above all, If it is discarded, the answer of the problem (the secret value of each object) becomes known to the outside, and it causes a serious result that the safety is deteriorated.

To cope with this, a cryptosystem based on a lattice model has been introduced, which is known to be safe in high performance computing environments including a quantum computing environment, and is known to maintain safety even in the worst case (Daniele Micciancio and Oded Regev, "Lattice-based cryptography," In Post-Quantum Cryptography, pp 147-191, Springer, 2009).

In addition, LWE (Learning With Errors) problem was introduced because of the problem that is equivalent to hard problem in Lattice model. Using the LWE problem for encryption increases the efficiency of cryptographic system design because the cryptographic scheme based on the LWE problem is very simple to implement. However, even if the condition of the LWE problem is easily set up, such as the simple form of the secret value by some accidental reason, there is no possibility that the answer of the problem (the secret value of each object) (Cryptosystem) which must be absolutely required.

The object of the present invention is to reduce the cost required for authentication (encryption) between objects, which is required for cryptographic communication between objects, and to provide an inter-object authentication scheme in order to maintain safety even in the worst case in a high performance computing environment. As shown in FIG.

The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. In the following description, It is to be noted that the same reference numerals are given to the drawings and that elements of other drawings can be cited when necessary in the description of the drawings. In the following description, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

First, the LWE problem on which the present invention is based is briefly described as follows (Oded Regev, "On lattices, learning with errors, random linear codes, and cryptography," In STOC, pages 84-93, ACM, 2005).

Z_q) 이상일 확률은 η이며 정당한 파라미터 값으로 설정하였다는 가정 하에 η은 매우 작은(negligible) 값이다. 따라서 LWE 문제를 풀기는 매우 어렵다. 이러한 사실에 기반하여 LWE 문제의 내용은 다음과 같다.Suppose there is a probability distribution D of the set Z _q (q is a prime number and Z _q = {1, 2, ..., q}). Where the probability distribution D is the distribution of the probability that each number is selected when an arbitrary number is selected in Z _q . According to the LWE problem, if the error value selected in Z _q is an integer E (

Z _q ) is η, and η is a negligible value, assuming that it is set to a valid parameter value. Therefore, it is very difficult to solve the LWE problem. Based on this fact, the contents of the LWE problem are as follows.

Z_q ⁿ), 임의의 n차 벡터 a(

Z_q ⁿ)에 대하여 (a, z)의 독립적인 샘플들 (a₁, z₁), (a₂, z₂), …, (a_n, z_n)이 주어졌을 때[단, z_i = <a, x> + e_i (i는 1 ~ n인 자연수)이며, <a, x>는 벡터 a와 벡터 x의 내적(inner product)을 의미하며, (a, z)는 Z_q ⁿ

Z_q에 속함], 각 샘플 (a₁, z₁), (a₂, z₂), …, (a_n, z_n)이 Z_q ⁿ

Z_q에 속하는 균등한 임의의 분포(uniform random distribution)를 갖는 a₁, a₂, …, a_n와 동일한지 알아내는 것이다. 여기서 균등한 임의의 분포는, 상기한 확률 분포 D의 경우와는 달리, Z_q에서 임의의 수를 선택할 때 각 수가 선택될 확률의 분포가 균등한 분포를 의미한다. a_i은 벡터 a의 각 성분(component)을, z_i은 벡터 z의 각 성분을, e_i은 에러 값 벡터 e의 각 성분을 의미한다. a_i, z_i, e_i은 모두 Z_q의 원소이다.Also solves the problem LWE is n-th secret value that is composed of elements of Z _q vector x (

Z _q ⁿ ), an arbitrary n-order vector a (

With respect to the Z _q ⁿ⁾ (a, independent samples of _{z) (a 1, z 1} ), (a 2, z 2), ... When (a _n, z _n) is given by [stage, z _i = <a, x> + e _i (i is a natural number 1 ~ n), <a, x> is the inner product of the vector a and the vector x (a, z) denotes an inner product, and Z _q ⁿ

Z _q ], each sample (a ₁ , z ₁ ), (a ₂ , z ₂ ), ... , (a _n , z _n ) is Z _q ⁿ

A ₁ , a ₂ , ... with uniform random distribution belonging to Z _q , a _n . Here, unlike the case of the probability distribution D, an arbitrary arbitrary distribution means that the distribution of the probability that each number is selected when an arbitrary number is selected in Z _q is an even distribution. a _i denotes each component of the vector a, z _i denotes each component of the vector z, and e _i denotes each component of the error value vector e. a _i , z _i , and e _i are all elements of Z _q .

The key to solving the LWE problem is to learn the information about the secret value vector x by removing the included error value vector e. The larger the error value, the harder it is to find x. However, when applying this to the authentication scheme, it is very important to select the minimum up-grade value E that guarantees the confidentiality of x because the probability of error in the authentication result becomes very high.

Hereinafter, an implementation process of the present invention will be described in detail.

m 행렬 A(

Z_q ^{n ㅧm}), 임의의 n차 행벡터(row vector) b, 임의의 n차 행벡터 x(

Z_q ⁿ) 및 에러 값 e_i(

Z_q)의 최소 상계 값(Least Upper Bound: LUB, 이와 동일한 의미로 supremum(상한)이란 용어도 사용된다) E(

Z_q)를 객체 간 인증을 위한 비밀 값(secret value)으로 공유한다.Prior to the implementation of the authentication method according to the present invention, the authenticator and the validator first specify and share secret values necessary for performing authentication between objects (S1). Any n consisting proof chairs and verifier element Z _q

m matrix A (

Z _q ^{n ㅧ m} ), an arbitrary n-th row vector b, an arbitrary n-th row vector x

Z _q ⁿ ) and an error value e _i (

Z _q) minimum offset value of: is used as the term is (Least Upper Bound LUB, this supremum (the upper limit in the same sense)) E (

Z _q ) as a secret value for authentication between objects.

Z_q ⁿ)를 생성하고(S21), 생성된 t를 이용하여 벡터 b를 변형시킨 b'를 증명자에게 전송함으로써(S22) 상기한 질의를 수행하게 된다. 여기서 b가 아닌 b'을 전송하는 이유는 비밀 값의 성격을 갖는 b가 전송 과정에서 외부로 유출될 수 있음을 방지하기 위함이다. 이때 b'은 예로써 다음과 같은 식에 의해 생성될 수 있으나 이에 한정되지는 않는다.Next, when the verifier requests authentication from the verifier, the verifier challenges the verifier with the secret value that the verifier has in order to perform authentication between the objects (S2). This is the phase corresponding to the query in the query-response format authentication scheme. When a verifier receives an authentication request from a certifier, it sends an arbitrary n-

Z _q ⁿ ) is generated (S 21), and b 'obtained by transforming the vector b using the generated t is transmitted to the certifier (S 22) to perform the above query. Here, the reason why b 'is transmitted instead of b is to prevent a b having a secret value from being leaked out of the transmission process. Here, b 'can be generated by the following equation as an example, but is not limited thereto.

t. 여기서

는 다음과 같이 정의된다. a = (a₁, …, a_n), b = (b₁, …, b_n)일 때 a

b = (a₁b₁, …, a_nb_n).b '= b

t. here

Is defined as follows. When a = (a ₁ , ..., a _n ) and b = (b ₁ , ..., b _n )

b = (a ₁ b ₁ , ..., a _n b _n ).

The verifier receiving the above query from the verifier transmits the result (response) of the query from the verifier to the verifier (S3), which corresponds to the response in the query-response format authentication scheme.

First, the prover derives t generated by the verifier (S31). The verifier can find t by the following equation.

b^-1. 여기서 b^-1은 b의 역 벡터(reverse vector)를 의미한다.t = b '

b ^-1 . Where b ^-1 denotes the inverse vector of b.

Next, the prover uses m LWE samples (s ₁ , z ₁ ), (s ₂ , z ₂ ), ... , (s _i , z _i ), ... , (s _m , z _m ) (S32). Each sample is generated using an arbitrary n-th row vector s _i [= (s _i1 , ..., s _ii , ..., s _in )], a secret value n-th row vector x and an error value e _i .

(s _i , z _i ) = (s _i , z _i = <s, x> + e _i ). Where 1 ≤ i ≤ m and s _i is an nth order row vector consisting of Z _q elements and z _i is an element of Z _q .

n 행렬 S^T(

Z_q ^m

ⁿ)로 설정하고, z₁, z₂, …, z_i, …, z_m을 행벡터 z로 설정한다(S33).Then the verifier uses the generated m LWE samples to convert each component of s to m

n matrix S ^T (

Z _q ^m

ⁿ ), and z ₁ , z ₂ , ... , z _i , ... , z _m are set to the row vectors z (S33).

Next, the prover generates A ', which is a result of transforming A using the transpose matrix S of S ^T as follows (S34).

Z_q ⁿ

^m).A '= A + S (S

Z _q ⁿ

^m ).

Next, the prover generates z 'using z, S ^T , t (S35).

t^T) (t

Z_q ^m). t^T는 t의 전치 행렬임을 의미한다. 임의로 생성된 벡터 t는 비밀 값 b를 숨기는 역할과 동시에 인증을 수행하는 과정에서 검증자가 보낸 질의 값의 역할도 있다. 이는 질의 값 t를 비밀 값 b로 숨긴다고 대체적으로 말할 수 있다. 이 식은 결론적으로 질의 값 t에 LWE 샘플을 이용하여 생성한 응답 값이 z'라는 의미이다.z '= z + (S ^T

t ^T ) (t

Z _q ^m ). t ^T means the transposed matrix of t. The arbitrarily generated vector t plays a role of hiding the secret value b and also serves as a query value sent by the verifier in performing the authentication. It is generally said that the query value t is hidden by the secret value b. This result implies that the response value generated by using the LWE sample at the query value t is z '.

The prover concludes the response to the above query by sending A 'and z' to the verifier (S36). On the other hand, the reason why A ', which is a variant thereof instead of A, is transmitted to the verifier is the same as the reason that the verifier transmitted b' instead of b in step S1.

The verifier finally determines whether to authenticate the verifier using the result (A 'and z') received from the verifier (S4).

The verifier obtains A from the verifier A and S from the verifier A with the verifier (S41). S = A '- A.

를 생성한다(S42).

.

은 검증자가 증명자에게 보낸 질의 값에 대하여 정당한 응답 값을 받았는지 검증하기 위한 것이다.Next, the verifier uses the x and t and the acquired S shared by the verifier

(S42).

.

Is to verify that the validator has received a valid response value for the query value sent to the verifier.

의 모든 성분

가 E 이상인지 판단하여(S43) 그 이하가 되는 경우에만 증명자를 정당한 객체로 인증하게 된다. 이 사실은

가 E 이상일 확률은 매우 작다는 LWE 문제에 기반한 것이다. 즉,

가 E 이하이면 증명자가 검증자가 가진 비밀 값을 알고 있다(증명자 자신도 비밀 값을 가지고 있다)는 의미이므로, 증명자가 정당한 사용자로 성공적으로 인증되었음을 의미하는 것이다.Next, the verifier

All components of

Is equal to or greater than E (S43), the authenticator is authenticated as a legitimate object only when it is less than E (S43). This fact

The probability that E is greater than E is based on the LWE problem. In other words,

Is equal to or less than E, it means that the verifier knows the secret value of the verifier (the verifier itself has a secret value), which means that the verifier has been successfully authenticated as a legitimate user.

It can be seen that the secret values of the verifier and the verifier are not exposed to the outside during the authentication process according to the present invention. Therefore, in any case (worst case), safety can be maintained.

FIG. 3 shows an exemplary diagram for facilitating understanding of the present invention.

The method of the present invention can also be embodied as computer readable code on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and also implemented in the form of a carrier wave (for example, transmission over a wired or wireless network) . The computer-readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner.

The present invention has been described above with reference to preferred embodiments thereof. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The disclosed embodiments should, therefore, be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

Claims (6)

An inter-object authentication method for performing encrypted communication, the method comprising:
comprising the steps of: a) when an object (authenticator) performing authentication receives a request for authentication from an object (authenticator) to be authenticated, querying the secret value possessed by the authenticator;
b) transmitting to the verifier a result of applying the Learning With Errors (LWE) problem to the secret value; And
c) determining, by the verifier, whether to authenticate the verifier using the result,
The secret value is a random n the verifier and the self-proof element comprised of the step a) and prior to the pre-shared, Z _q

m matrix A, an arbitrary n-th row vector b, an arbitrary n-th row vector x and an error value n each component e _i (

Z _q ) Least Upper Bound (LUB) E (

Z _q ). &_Lt; / RTI &gt;
Where Z _q = {1, 2, ... , q}, and q is a prime number. delete 2. The method of claim 1, wherein step a)
a1) the verifier generates an arbitrary n-th row vector t; And
a2) transmitting, to the verifier, b 'that the verifier has modified b by using the t. 4. The method of claim 3, wherein step b)
b1) the verifier derives t;
b2) the m LWE samples (s ₁ , z ₁ ), ( _n ) based on the LWE problem using the n-th order row vector s, the n-th row vector x and the n s ₂ , z ₂ ), ... , (s _i , z _i ), ... , (s _m , z _m );
b3) the verifier sets each element of s to a matrix S ^T , and z ₁ , z ₂ , ... , z _i , ... , z _m as a row vector z;
b4) the verifier generates A 'modifying the A using the transpose matrix S of S ^T ;
b5) the verifier generates z 'using the z, the S ^T , the t; And
and b6) the verifier transmits the A 'and the z' to the verifier.
Here, z _i = <s, x> + e _i , and <s, x> means the inner product of s and x. 5. The method of claim 4, wherein step c)
c1) the verifier obtaining the S from A 'and A;
c2) the verifier uses x, t, S

; And
c3) the verifier checks the z '

All components of the difference vector of &lt; RTI ID = 0.0 &gt;

Is equal to or greater than the value E, and finally authenticating the authenticator as a legitimate object only when it is equal to or less than the value E. A computer-readable recording medium storing a program for causing a computer to execute the method according to any one of claims 1 to 5.

Images