Professional Documents
Culture Documents
Post-Quantum Lattice-Based Secure Reconciliation Enabled Key Agreement Protocol For IoT
Post-Quantum Lattice-Based Secure Reconciliation Enabled Key Agreement Protocol For IoT
3, 1 FEBRUARY 2023
Abstract—The authenticated key agreement is one of the major the wireless communication is used in IoT applications and
security services that can be used to secure an Internet of Things it suffers various risks where the users/devices are vulnerable
(IoT) environment, where the devices collect the data and the to the privacy, security, and control of data being circulated
data is then aggregated at the cloud server, and then a user
needs to access the data stored at the server(s) securely. For over the public network.
this purpose, after a mutual authentication performed between Upsurge growth in a wireless communication network has
a user and the accessed server, a session key needs to be estab- been witnessed in smart living standards, which necessitates
lished among them for secure communication. In this article, we the usage of low-cost IoT devices. Almost any smart device
design an efficient lattice-based authenticated key exchange pro- user is keen about his/her user privacy when using data on
tocol using ring-based version of learning with errors assumption
for the IoT-enabled smart devices. The proposed protocol is basi- Internet platforms, such as mail, broadcast, and so on. The
cally a key exchange that uses the reconciliation mechanism. The breach of confidentiality and anonymity of smart device users
detailed security analysis under the standard model has been in a wireless network are all dependent on the provision of
performed along with the informal security analysis to show user anonymity, authentication, and confidentiality. If a device
that the proposed protocol is robust against different attacks. is hacked and the hacker recovers the saved credentials, user
We then simulate the proposed protocol under the NS-3 sim-
ulator to measure the network performance parameters like anonymity is important in wireless communication.
network throughput and latency. A comparative analysis shows IoT-based devices have recently become increasingly com-
that the proposed protocol has superior security, less computa- mon in the development of communication technologies. IoT
tional cost, and comparable communication cost when compered devices, such as cellphones, tablets, and personal digital assis-
these parameters with the other competing schemes. tants, can handly integrate to the cloud server with ease.
Index Terms—Authentication and key agreement, Internet of Security and privacy have become more primary concerns as
Things (IoT), lattice-based cryptography, security, simulation. this data transmission process takes place over an open wire-
less channel. The most prevalent cryptographic system is now
an authentication protocol for IoT devices, which provides
I. I NTRODUCTION secure connection between devices and servers.
HE Internet of Things (IoT) has dramatically revolu-
T tionized many different fields. It enables the sensors to
measure with more accuracy in an online healthcare appli-
Several cryptographic techniques have emerged lately to
ensure that all extant smart device end-users in a wireless
system can transferring data in a secure manner. Many authen-
cation. It also improves the quality of multimedia content tication and session key agreement scheme architectures, on
transferred through IoT objects. It has been observed that the other hand, are based on hard problem number theoretic.
Shor’s algorithms [1], [2] pose a severe security threat to these
Manuscript received 18 July 2022; revised 23 September 2022; accepted
9 October 2022. Date of publication 12 October 2022; date of current version schemes. The concept of a lattice-based cryptosystem, which
24 January 2023. This work was supported in part by the Basic Science was first suggested in the 18th century by mathematicians,
Research Program through the National Research Foundation of Korea (NRF) such as Lagrange, Gauss, and later Minkowski, could be ben-
funded by the Ministry of Education under Grant 2020R1I1A3058605; in
part by the Blockchain Project under the Ripple Centre of Excellence (CoE) eficial in overcoming these security difficulties in smart device
Scheme, CoE in Blockchain, IIIT Hyderabad, India, under Grant IIIT/R&D authentication and session key agreement. For creating a new
Office/Internal Projects/Ripple/2021-22/009; and in part by the Deanship of cryptographic primitive, Ajtai [3] made a progress by invent-
Scientific Research at King Khalid University under Grant R.G.P. 2/86/43.
(Corresponding authors: Ashok Kumar Das; Youngho Park.) ing a tool. In the advent of quantum computation, contribute to
Dharminder Dharminder and Challa Bhageeratha Reddy are with the a better understanding of grid problem and their interactions to
Department of Computer Science and Engineering, Amrita School of cryptography. Post-quantum cryptography is made much easier
Computing, Amrita Vishwa Vidyapeetham, Chennai 601 103, India (e-mail:
c_dharminder@ch.amrita.edu; ch.en.u4cys20009@ch.students.amrita.edu). and more efficient by using lattice architectures. Their security
Ashok Kumar Das is with the Center for Security, Theory and Algorithmic is built on a worst-case scenario. Other known cryptographic
Research, International Institute of Information Technology Hyderabad, hard problems, such as factorization and discrete logarithm
Hyderabad 500 032, India (e-mail: iitkgp.akdas@gmail.com).
Youngho Park is with the School of Electronics Engineering, Kyungpook issues, are predicated on some average-case assumption, such
National University, Daegu 41566, South Korea (e-mail: parkyh@knu.ac.kr). as discrete logarithm problem (DLP). Authentication protocols
Sajjad Shaukat Jamal is with the Department of Mathematics, College for IoT devices are typically based on number theoretic hard
of Science, King Khalid University, Abha 62529, Saudi Arabia (e-mail:
shussain@kku.edu.sa). problems. Although, with the advent of the quantum age, new
Digital Object Identifier 10.1109/JIOT.2022.3213990 attacks will be launched against them, posing a major danger
2327-4662
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
DHARMINDER et al.: POST-QUANTUM LATTICE-BASED SECURE RECONCILIATION 2681
to established approaches. Any probabilistic polynomial time takes the form xi = a.ri + 2fi , where a is an element of the
(PPT) opponent can breach the classic mathematical assump- ring. The number of steps to retrieve the private key can be
tion using the Shor algorithms. As a result, post-quantum reduced to (q/2) + 4 for the simplified case.
cryptography, which can withstand quantum computer attacks, For the quantum world, Ding et al. [16] developed a high-
has emerged as a new dimension in encryption. entropy and key exchange protocol based on RLWE over
The National Institute of Standards and Technology (NIST) a public channel. However, their protocol [16] suffers from
had started a program in 2016 with the goal of develop- signal leakage attack. For mobile devices, Feng et al. [20]
ing and evaluating new cryptographic primitives to withstand developed an anonymous authenticated key exchange system.
quantum assaults. There are various known approaches for They also compared their technique with others and provided
dealing with these problems. All of these strategies, however, security proofs in the random oracle model. Using the lattice
are no longer applicable in the presence of a quantum com- hard problem, Islam [21] devised an authentication technique
puter. Ideal lattices are a subset of lattices that are useful for the post-quantum era. But, this protocol can not resist
for generating “efficient cryptographic primitives with some signal leakage attack [19]. Dharminder and Chandran [22]
additional algebraic structure for quantum computer attack suggested a lattice-based mobile device authentication system
resistance.” The lattice-based cryptographic hard assumptions based on the RLWE problem. Unfortunately, their protocol
can withstand quantum assaults effectively. The shortest vec- suffers from both signal leakage attack and incorrect verifica-
tor problem (SVP), short integer solution (SIS), closest vector tion during the key exchange phase. Rana and Mishra [23]
problem (CVP), and “ring learning mistake” are all names for proposed a post-quantum key exchange protocol using the
the hard assumption of the ring learning with error (RLWE). ring version of learning with error (LWE) assumption for
Key management, authentication, access control, and intru- IoT-enabled smart devices. However, they observed that the
sion detection are the important security services in wireless protocol [23] suffers some errors during authenticated key
sensor networks and IoT [4], [5], [6], [7], [8], [9]. When agreement.
compared to traditional cryptographic systems, ideal lattice-
based cryptographic systems [10] have reduced processing
costs. First, an ideal lattice and RLWE protocols [10], [11] A. Research Gap and Contributions
are presented, and it is demonstrated that it is as chal- Based on the literature, it becomes essential to understand
lenging as other worst-case hard problems on ideal lattices. the advanced threats if a quantum computer comes in to exis-
Zhang et al. [11] developed an authenticated key exchange tence. The most of authentication protocols based on number
system for the perfect lattice, which is theoretically straight- theoretic assumptions like RSA/discrete logarithm are vulner-
forward and resembles “Diffie–Hellman (DH)-based protocols able to quantum attacks due to Shor’s algorithm. Although,
like HMQV (CRYPTO’05)” [12] and “optimal authenticated there are many post-quantum secure authentication protocols,
key exchange” OAKE (ACM CCS’13) [13], which is a but they have their own drawbacks. For example, the proto-
high-performance secure DH protocol. Alkim et al. [14] orig- cols [20], [21], [22] can not resist signal leakage attack as
inally proposed a post-quantum key exchange mechanism. explained in [19], and the protocol [23] is mathematically
Ding et al. [15] went to describe a key exchange and authenti- incorrect. It is analyzed that the protocol cannot establish
cation mechanism based on ring learning with an error issue. authenticated key because of an error factor added in the
Furthermore, Ding et al. [16] provided security against post- hashing with reconciliation. Therefore, we aim to propose
quantum attacks, where the RLWE-based key exchange can a new authenticated key agreement protocol for IoT smart
provide a strong security with a small key size. devices. The proposed design is based ring version of the ideal-
Taking inspiration from Fluhrer [17], Ding et al. [18] based key exchange for IoT devices. The proposed design
introduced the idea of signal leakage attack for RLWE-key possesses provably security. The formal security analysis and
exchange reusing public/private keys. In this idea, an adver- comparative performance ensure its security and efficiency as
sary analysis the output of the signal function, and he recovers well.
the private key by establishing multiple sessions with the hon-
est party. The main advantage of this idea is its applicability
when the session key is established using least significant bits B. Paper Outline
of approximately equal bit lengths. In Section II, we discuss some basic knowledge of lattice-
The number of steps required is 2q to retrieve the private based RLWE problem and state the proposed assumptions.
key of the server, where q is the prime modulus. In the next The system models, including the network and threat models
year 2018, Ding et al. [19] introduced on the advantage of are discussed in Section III. In Section IV, we state vari-
this attack is less number of steps required to retrieve the ous phases related to our authentication scheme. Section V-A
private key of an honest party. The original signal leakage demonstrates the proof of the proposed scheme. In Section V,
attack requires 2q steps, but the improved signal leakage attack we discuss the security analysis of our scheme against vari-
requires q + c steps, where c is some constant. Therefore, the ous threats. In Section VI, we do a comparative performance
signal leakage attack is as follows. At first, the honest party analysis of the proposed scheme with some other relevant
does not add the errors fs during the computation of secret authentication schemes. In Section VII, we provide the simu-
key sks . The adversary sets his private key ri = 0 where the lation results using the widely accepted discrete event network
corresponding public value is a constant. The public value simulator, NS-3. Finally, Section VIII concludes this article.
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2682 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
II. P RELIMINARIES We now discuss two functions Cha and Mod2 over the
The design has been simplified in short notations, symbols, finite ring Rq . Let “c = c0 + c1 .x +c2 .x2 +c3 .x2 + · · · +
and definitions in this part of the present lattice-based tech- cn−1 .xn−1 ∈ R,” where c = (c0 , c1 , c2 , c3 , . . . , cn−1 )
nique [24]. Lattices are very good sources of quantum-safe denotes a tuple. If u = {u0 , u1 , u2 , . . . , un−1 } ∈
cryptographic assumptions, and resistance toward the quan- {0, 1}n is a random vector, a relation between two
tum attacks in modern cryptography. The constructions based functions is defined by Cha{c} = (Cha{c0 }, Cha{c1 },
on lattices have received good enough mathematical security Cha{c3 }, . . . , Cha(cn−1 )), and Mod2 (c, u) = (Mod2 (c0 , u0 ),
proofs. The security of lattice-based cryptographic algorithms Mod2 (c1 , u2 ), Mod2 (c2 , u2 ), . . . , Mod2 (cn−1 , un−1 )).
is based on the hard assumptions, such as finding integer
short vector/short independent vectors in an n-dimensional
Euclidean space Rn as shown in [25], where R denotes the B. Assumptions
set of reals. In the following, we discuss some assumptions, and termi-
nologies based on the ideal generated lattices.
A. Basics of RLWE 1) RLWE: The RLWE is a mathematical assumption As,χβ
This section focuses to discuss the background of the ring possessing uniform distribution (c, c.s + e) ∈ Rq × Rq ,
version of LWE and its few fundamental assumptions. We such that c, s ← Rq are random and the small error
demonstrate some of mathematical hard assumptions to prove e ← χβ is chosen independently from c. The ring-based
both security and correctness of the proposed design. LWE, RLWEq,α is hard to distinguish As,χβ for any
Consider q > 2 is an odd prime number, R denotes the PPTs adversary from uniform distribution followed on
set of reals, and Z denotes the set of all integers. Suppose Rq × Rq .
Z[x] and Zq [x] denote two different rings of polynomials 2) Pairing With Errors (PWE): The mapping described by
over Z and Zq , respectively. We have considered two dif- ψ(y, s) = Mod2 (y · s, Cha(y · s)), such that y and s are
ferent rings of polynomials R = (Z[x]/(xn + 1)) and Rq = two members of Rq . Then, the PWE assumption is to
(Zq [x]/(xn + 1)). An arbitrary element chosen from the ring compute ψ(y, s), if c, y, z ∈ Rq are known and z =
of polynomials is denoted by c = c0 + c1 x + c2 x2 + c3 x2 + c · s + 2 · e such that s, e ∈ χβ are unknown.
· · · + cn−1 .x
n−1 ∈ R. The Euclidean length/norm computed 3) Decision PWEs (DPWE): The decision version of the
by ||c|| = c0 2 + c1 2 + c2 2 + · · · + cn−1 2 and the infinity PWE assumption is to distinguish k = y.s + 2e and
norm/length L∞ is ||c∞ || = max{c0 , c1 , c2 , c3 , . . . , cn−1 }. Let z = c.s + 2.e, such that s, e , e ∈ χβ are secret or (k, z)
β > 0 be a real number and χβ be the Gaussian over Rq . follows uniform distribution on Rq × Rq [24].
Lemma 1 [11]: If we consider two ring elements c and d
from the ring R, the following relations hold:
√ III. S YSTEM M ODELS
c · d ≤ n · ||c|| · ||d||
This section explains both the network and adversary mod-
||c · d||∞ ≤ n · ||c|| · ||d||.
els that are essential to design and analysis of the proposed
Lemma 2 [19]: Let β > 0 be a real number such √ that scheme in this article.
β = ω log(n), then the probability Prc←χβ [ ||c|| > β n ] ≤
2−n+1 .
Consider that the mid portion of Zq = A. Network Model
{−((q − 1)/2), . . . , ((q − 1)/2)} is denoted by M, which is An IoT-based network model considered for the proposed
defined M = {−(q/4) , . . . , (q/4) }. The characteristic scheme is shown in Fig. 1. There are various IoT applications,
map Cha consists the complements of the set M ∀ x ∈ Zq , such as smart home, smart agriculture, smart healthcare, and
where so on. In each application, IoT smart devices are deployed
0, if x ∈ M to monitor the surrounding information and send their nearby
Cha(x) =
1, otherwise. gateway node. In turn, the gateway nodes send the aggregated
The auxiliary mod function is denoted as follows: data to the cloud server(s) via the base station. For security
reasons, the sensing information must be securely sent to the
Mod2 : Zq × {0, 1} → {0, 1} gateway nodes and the aggregated data needs to be securely
and defined by sent to the cloud server(s). Now, assume that there is a user
who wants to access the stored data at the cloud server(s).
q−1
Mod2 (a, b) = a + b · (mod q) (mod 2) However, before granting access to the data by an accessed
2 cloud server, a mutual authentication needs to be executed
where a ∈ Zq and b is corresponding to the output of among the user and the server to confirm that there are legiti-
characteristic map of a satisfying b = Cha(a). mate, and after the successful mutual authentication a session
Lemma 3 [19]: Let q > 2 be a large prime, and two key needs to be established among them for future secure
random elements c and e of the finite ring Rq , where e fol- transmission of the accessed data. This is done by design-
lows the inequality |e| < (q/8). Then, the modular mapping ing a new lattice-based authenticated key agreement scheme
Mod2 (c, Cha(c)) = Mod2 (ω, Cha(c)) satisfies ω = c + 2e. in the IoT scenario.
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
DHARMINDER et al.: POST-QUANTUM LATTICE-BASED SECURE RECONCILIATION 2683
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2684 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
TABLE I
S YMBOLS AND T HEIR D ESCRIPTIONS
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
DHARMINDER et al.: POST-QUANTUM LATTICE-BASED SECURE RECONCILIATION 2685
To update the password of a registered user Ui locally 3) Finally, MDi replaces the old credentials G2 , αU ∗ ,G
i v
without further contacting the respective registered server with the new credentials G2 , αUi , Gv in his/her mobile
n n n
Sj , Ui proceeds with the following steps. Note that the device MDi .
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2686 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
Mu = Mod2 (Ku , Cu )
= Mod2 Ku , Cu
= Mu . (6)
To prove Theorem 1, we discuss below the difference the process whenever collision occur between messages
lemma. (Gz , Gw ) and (G1 , Gv ). The advantage in terms of proba-
Lemma 4 (Difference Lemma): Let A, B, and C be three bilities of collisions during queries to the oracle is given
events such that they are defined in some probability distribu- by at most (qh 2 /(2l + 1)) and (((qe + qs )2 )/q). The
tion. If A∧¬C ⇔ B∧¬C , |Pr[A] − Pr[B]| ≤ Pr[C], where Pr[X] ordered pair (Xu , Xs ) is chosen from standard Gaussian
denotes the probability of an event X. χβ for standard deviation β. Then, we define the term
Theorem 1: The security of the introduced protocol relies P2 as modulus of probabilities is at most as given below.
on the “RLWE assumption,” and if the advantage gain by an It is worth noticing that P2 is obtained by applying the
adversary ADVRLWEAd
(t), then a PPT adversary Ad solves the difference lemma stated in Lemma 4
RLWE assumption bounded time t is
qh 2 (qe + qs )2
qh2 (qe + qs ) 2 P2 = |Pr Ad1 − Pr Ad2 | ≤ + .
ADV (t) ≤ + + (qe + qs )ADVRLWE (t). 2l+1 q
Ad l Ad
2 q (9)
Proof: We have simulated the proposed protocol with a
4) G3 : Here, we have assumed that the session key SK
number of games that stimulates Ad . We have denoted the
is revealed without the simulation of hashing oracles.
games by the indexing (0 ≤ i ≤ 4). The adversary Ad
In the given design, the value of the session key
wins the only if he guesses the bit c in the test query. One
is SK = (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ), where Mu =
of the events Sj happens, and its probability is defined by
Mod2 (ri .Pi , Cha(Ku )) and Ms = Mod2 (rs Xu , Cha(Ks )).
Pr(succ( Ad )).
It is very impossible to find the solution of the RLWE
1) G0 : If someone tries to simulate the real attack on the
assumption. But, if the adversary Ad correctly guesses
proposed protocol in the random oracle, then we define
SK, then the challenger solves the RLWE assumption.
the advantage
If we apply the difference lemma stated in Lemma 4, it
1 follows that:
ADV Ad (t) = Pr(succ Ad0 − .
2
P3 = |Pr Ad2 − Pr Ad3 |
Now, we can do further simplification as follows:
≤ (qe + qs )ADVRLWE (t). (10)
Ad
ADV Ad (t) = Pr succ Ad0 − Pr succ Ad4
5) G4 : In this particular game, if the adversary Ad sub-
1 mits hashing queries to the oracle with the inputs
+ Pr succ Ad4 − “G1 , Xu , Xs , Mu , Ms ,” the “probability of guessing a bit
2
c in tests queries in hashing is at most (qh 2 /(2l + 1)).”
= Pr succ Ad0 − Pr succ Ad4 By applying the difference lemma stated in Lemma 4
and the birthday paradox, it follows that:
+ Pr succ Ad3 − Pr succ Ad3
1 qh 2
+ Pr succ Ad4 − (7) P4 = |Pr Ad3 − Pr Ad4 |≤ l . (11)
2 2 +1
4
1
Otherwise, Ad gains no advantage during the games
= Pi + Pr succ Ad4 − .
2 played. The probability of getting SK from any random
i=1
string
The values Pi denote the modulus of difference of
1
probabilities of success for Adi−1 and Adi such that Pr|Pr Ad4 |= . (12)
Pi = |Pr( Adi−1 ) − Pr( Adi )|. 2
2) G1 : The adversary Ad submits hashing queries those Now, by solving (7)–(12), it follows that:
are simulated by the hashing list Hl . The table Hl is
taken empty, and it is consisted of ordered pairs (x, y) qh 2 (qe + qs )2
ADV (t) ≤ + + (qe + qs )ADVRLWE (t).
satisfying the relation y = h(x) that is output of hashing. Ad
2l q Ad
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2688 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
masks the user’s identity and delink any two information 1) If the adversary Ad achieves G2 , Gv from the devices
which is depicted as follows. or earlier communicated messages.
1) The adversary tries to get RIDUi from the message G3 , 2) To find SK = (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ), he needs
and h(Ku ⊕ Mu ⊕ Xu ), then he needs to compute G3 = random samples for each sessions Ks , Xs , and ri , fi to
RIDUi ⊕ h(Mu ⊕ Xu ). compute SK.
2) To attain the values h(Mu ⊕ Xu ), Xu = c.ri + 2.fi , Ku = 3) To obtain RIDUi from G3 , Ad needs h(Mu ⊕ Xu ) as
ri .Pi and Cu = Cha(Ku ), the adversary needs to compute G3 = RIDUi ⊕ h(Mu ⊕ Xu ).
h(Mu ⊕ Xu ) ⊕ G3 . 4) To compute h(Mu ⊕ Xu ), Ad needs Ku = ri .P and
3) To get IDUi , the adversary Ad needs to compute the Cu = Cha(Ku ).
values Xu , Ku that is not possible due to ring version of 5) Ad computes h(Mu ⊕ Xu ) and SK =
LWE assumption. (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ) using compromised
4) For each of session, both user and server sample ran- master key x of the server. As G1 = h(IDUi ||x), he
dom short values ri , fi from the Gaussian, and the user needs IDUi .
computes the value Xu = c.ri + 2.fi . Proposition 4: The proposed schemes preserve the fresh-
5) To compute the values ri , fi with the help of ness of the established session key between a user Ui and its
information Xu , Gw , G3 , Cu , h(Mu ⊕Xu ), one needs accessed server Sj .
to compute G3 = RIDUi ⊕ h(Mu ⊕ Xu ) that is not Proof: The session key may be compromised if the same
possible due to anonymity. distribution is used again and again. But, the uniqueness of
6) The adversary needs Mu for computing the value random samples ensures different keys for every new session.
h(Mu ⊕ Xu ) such that ri , and fi are known. This property can ensure the freshness of the session key.
Proposition 2: The man-in-the-middle attack is not possible Proposition 5: The proposed scheme achieves the mutual
in the proposed design. authentication between a user Ui and its accessed server Sj .
Proof: Suppose an adversary Ad is capturing all the Proof: The server Sj and the user Ui authenticate each
messages communicated between Sj and Ui on the public other with the help of equations: Gw = h(G3 ||Xu ||Mu ||RIDUi
channel. ||T1 ) and Gz = h(SK ||G1 ||Xs ||Ms ||Mu ||T2 ), where the value
1) Ad captures the user’s message Xu , Gw , G3 , Cu from of the session key is SK = (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ). The
the public channel, and tries to gain some useful user Ui computes Gw and Gz with the long-term secrets ri , fi .
information. The server Sj retrieves RIDUi with the help of RIDUi = G3 ⊕
2) The adversary Ad changes the message Xu , Gw , G3 , h(Mu ⊕ Xu ), such that Ku , and Mu are random numbers that
Cu by changing Cu with Cu∗ , such that Cu∗ = ri .Pi or need to be computed. Therefore, the server Sj and the user Uj
random ri . For this attempt, the adversary Ad needs can verify themselves.
to compute Ku∗ = ri∗ P that is not possible without the Proposition 6: The replay attack is resisted in the proposed
knowledge random samples ri , fi . As we know the scheme.
user chooses random samples, and he computes Xu = Proof: The replay attack happens when a third party gets
c.ri + 2.fi such that c is only known to Sj . Therefore, the the authenticated messages from an earlier session and he uses
adversary cannot get login. these messages in a fresh session playing the role of a legal
3) If the adversary Ad intercepts Xu , Gw , G3 , Cu and user. In the designed protocol, the user takes random ri , rs
restores it with previously sent messages. However, this and the server takes random fi , fs , respectively. In addition, all
attempt fails due to random samples ri , fi discussed the communicated messages, namely, authentication request
above. message Xu , Gw , G3 , Cu , T1 and authentication reply mes-
If the adversary Ad intercepts responder messages sage Gz , Cs , Xs , T2 , involve the current timestamps T1 and
Gz , Cs , Xs , he modifies and restores it. T2 , respectively. The validation of the attached timestamps in
1) If the adversary Ad modifies Gz , Cs , Xs , and he the messages by the respective receiver will ensure whether a
replaces Cs with Cs∗ = Cha(Ks ), where Ks is gen- message is old and replayed one. This avoids the reply attack
erated rs .Xu , then he needs Gz = h(SK ||G1 ||Xs during verification.
||Ms ||Mu ||T2 ) such that Mu∗ = Mod2 (Ks , Cs ), where Proposition 7: The impersonation attack is resisted in the
SK = (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ). The adversary can- proposed scheme.
not compute the session key SK without G1 , that is Proof: In the proposed design, the adversary Ad is not
hidden with some operations with RIDUi . capable of generating legal messages Gw and Gz . This is
2) If the adversary Ad replaces Gz , Cs , Xs with another because of anonymity of the proposed protocol and the secret
legal messages, then he needs to validate the condition number Ku that contains a random number ri . It helps to
Gz = Gz . avoid the impersonation attack on messages traveling through
Proposition 3: The proposed protocol achieves forward a public channel.
secrecy. Proposition 8: The proposed scheme is secure against
Proof: If the secret x of Sj leaked by any of the offline password dictionary attack.
means, then the adversary Ad constructs session key SK = Proof: If an adversary gets the stored information
(G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ). G2 , αU ∗ , G inside the mobile device MD of a registered
i v i
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
DHARMINDER et al.: POST-QUANTUM LATTICE-BASED SECURE RECONCILIATION 2689
TABLE II
C OMMUNICATION AND S TORAGE C OMPARISON W ITH Gaussian distribution log(δ) = 17.01, where q is an “odd
C LASSICAL A PPROACH prime” and δ is the “standard deviation.”
The DH-based protocols take |τ | = log(τ ) bits as in Table II
that vary with the length of the parameter in binary representa-
tion, i.e., τ ≈ 2λ , where λ is the security parameter to analyse
the storage comparison between classical and post-quantum
environment.
Various cryptographic operations have been described as
follows. The notation tδ stands for average cost used to
sample from Gaussian χδ , tsm is for average cost of single
multiplication with scalar in Qq , tom is for average cost of
single multiplication in Qq , tam is for cost of one multiplica-
user Ui , then he requires to compute the value Gu to guess
tion and addition in Qq , tch denotes cost for characteristics
the password PWi . If the adversary does not know the
function, th1 and th2 denote the costs of the functions H1
identity IDUi , then it becomes impossible to verify Ui ’s iden-
and H2 , respectively, used by Dabra et al. [36]. We have,
tity. Therefore, it is not feasible to apply offline dictionary
th1 ≈ 0.258tam , th2 ≈ 3.25tam [36] for server side and
attack.
th1 ≈ 0.185tam , th2 ≈ 4.3209tam [36] for user side. tmod
Proposition 9: The proposed scheme is secure against
denotes mod function cost, where tmod ≈ 3.30414tam [36]
privileged-insider attack through stolen mobile device attack.
for user and tmod ≈ 1.524tam [36] for sever. tha is the cost
Proof: Suppose the adversary Ad has attained the stolen
for hashing. The costs of each operation on server side are
mobile device MDi of a legal registered user Ui . Additionally,
tom ≈ 0.000307, tam ≈ 0.002549, tδ ≈ 0.073503, tsm ≈
assume that during the user registration phase, the adver-
0.000298, tch ≈ 0.000689, tha ≈ 0.01409, th1 ≈ 0.000657,
sary Ad has the information RIDUi , Gu ⊕ rnUi , where
th2 ≈ 0.00827, and tmod ≈ 0.003882 microsecond (μs).,
RIDUi = h(IDUi ||αUi ) and Gu = h(IDUi ||PWi ). Thus, using
∗ , G stored in the mobile respectively. Each of the operations on the user side costs
the extracted credentials G2 , αU v
i tam ≈ 0.029505, tch ≈ 0.035515, tδ ≈ 0.561483, tsm ≈
device MDi , the adversary Ad may try to guess a pass-
0.006655, tha ≈ 0.180964, th1 ≈ 0.0054644, th2 ≈ 0.1274900,
word. However, the guessed password verification can not be
tom ≈ 0.0013052, and tmod ≈ 0.09749 μs, respectively, [20],
successful using Gu , G2 , and Gv because the secrets rnUi ,
[23], [36].
αUi , IDUi , and G1 = h(RIDUi ||x) are unknown to the adver-
The cost of each operation follows: 1) Lattice-crypto
sary Ad . This clearly shows that the privileged-insider attack
library and 2) Miracle libraries [github.com/miracl/MIRACL].
through the stolen mobile device attack is not possible in the
The implementation of related operations are performed
proposed design.
on (server side) Dell PC, Windows-10, [c and c++] lan-
Proposition 10: The proposed scheme is secure against
guages, operating-system with [3.4 GHz], 8-GB RAM, Intel’s
ESL attack.
i-7, whereas on user end is on Samsung mobile 1.4 GHz,
Proof: In the proposed design, after mutual authentica-
operating-systems 4.3, 1-GB RAM, processors Exnoys-4412,
tion, a user Ui establishes the session key shared with its
respectively [11], [20].
accessed server Sj as SK = h(G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ),
In the proposed protocol, user side executes five hashing,
and the server Sj establishes the same session key shared with
two sampling from the Gaussian distribution, two multipli-
Ui as SK = (G1 ||Xu ||Xs ||Mu ||Ms ||T1 ||T2 ). It is noted that
cation in Qq , one addition and multiplication in Qq , one
the session key SK (= SK) relies on two types of secrets:
scalar multiplication, one characteristic function, one char-
1) short-term (temporal) secrets Ku and Ks and 2) long-term
acteristic function, two modulo functions, that is, in a total
secret G1 containing the master secret key x of the server Sj
of 5tha + 2tδ + 2tom + tam + tsm + tch + 2tmod .
and RIDUi of Ui . Now, with having both types of secrets,
So, the execution cost for user side becomes 2.2970514 μs.
it is not possible to derive the session key by the adversary
Server side executes five hashing, two sampling from the
Ad . Moreover, due to chosen random samples, the session
Gaussian distribution, two multiplication in Qq , one addi-
keys established in each session between Ui and Sj are dis-
tion and multiplication, one scaler multiplication, two modulo
tinct and unique. Therefore, according to the CK-adversary
functions, and one characteristic function, that is, a total of
model described in the threat model (see Section III-B), the
5tha + 2tδ + 2tom + tam + tsm + 2tmod + tch . Thus, the
ESL attack is resisted in the proposed design.
total cost for server side is 0.22937 μs. Therefore, the total
execution time for the proposed protocol is 2.5264214 μs.
VI. P ERFORMANCE C OMPARISON We now compare the computation costs (see Table III) of
This section describes two essential attributes: 1) com- the proposed scheme with different classical protocols, such as
putation and 2) communication costs of the corresponding Dabra et al. [36], Rana et al. [23], and Feng et al. [20] that are
proposed scheme and analysis on the performance with other based on RLWE. In the protocol of Rana et al. a user needs
related schemes. The existing scheme of Zhang et al. [11] per- execution time 7tha + 2tδ + 2tom + tam + tsm + tch + tmod ≈
formed a crucial role in selecting substitute of parameters in a 2.5614894 μs, where server needs 5tha + 2tδ + 2tom +
lattice generated by an ideal. The descriptions of the proposed tam + tsm + tch + 2tmod ≈ 0.229367 μs. In the scheme
scheme’s parameters taken into account are n = 1024 bits, of Feng et al., a user needs 6tha + 2tδ + 2tom + tam +
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2690 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
TABLE III
C OMPARISON B ETWEEN C OMPUTATION AND C OMMUNICATION C OST
TABLE IV
S IMULATION PARAMETERS
Feng et al., and Dabra et al. are 9724, 9724, and 9726 bits,
respectively. Due to the larger key size, the proposed scheme
Fig. 5. Analysis on latency.
requires a slightly higher cost of 9790 bits. This is because we
are using the RLWE. However, one can justify communication
overhead by considering the security against quantum com-
puter attacks as none of existing schemes is secured against
those attacks.
A. Simulation Environment
The experiment was carried out by altering the number
of nodes starting with one and testing up to 60 user nodes.
Fig. 6. Analysis on throughput.
The nodes have been spread across a 100 × 100 m2 region.
Table IV depicts the simulation environment and parameters
tsm + tch + 2tmod ≈ 2.4780154 μs execution time, whereas the configuration.
server needs 5tha + 2tδ + 2tom + tam + tsm + tch + 2tmod ≈
0.22937 μs computation cost. In the scheme of Dabra et al.
[36] user spends 5tha + 3tδ + tom + 3tam + 2tsm + tch + B. Simulation Results
2tmod + th1 + 2th2 ≈ 3.1833386 μs where server spends 1) Analysis on Latency: Latency is refers to the time a data
5tha + 3tδ + tom + 3tam + 2tsm + tch + 2tmod + th1 + packet takes to travel from its origin to destination. Fig. 5
2th2 ≈ 0.325159 μs in computation. illustrates the average latency of the proposed scheme. The
To demonstrate the communication costs (see Table III) of analysis shows that the value of average latency grows with
different relevant protocols, a binary string of password, ran- the number of nodes, because the proposed protocol requires
dom secret, and identity are taken each of 64 bits, where more messages to convey and receive with more nodes.
the timestamp is taken as 32 bits. For hashing we use SHA- 2) Analysis on Throughput: Throughput is measured as
512 with the hash output of 512 bits, 256-bit symmetric key the amount of information efficiently transferred to a cer-
is considered for symmetric encryption/decryption (for exam- tain destination during a particular time period. It determines
ple, Advanced Encryption Standard (AES-256) [37]), 256-bits the quantities of information successfully received by the
chaotic map and an element from Qq is taken as 4094 bits. sink node. Fig. 6 illustrates the average throughput, mini-
One can notice that the communication costs of Rana et al., mum throughput, and maximum throughput for the proposed
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
DHARMINDER et al.: POST-QUANTUM LATTICE-BASED SECURE RECONCILIATION 2691
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.
2692 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 3, 1 FEBRUARY 2023
[26] B. Narwal and A. K. Mohapatra, “A survey on security and authentica- Ashok Kumar Das (Senior Member, IEEE) received
tion in wireless body area networks,” J. Syst. Archit., vol. 113, Feb. 2021, the M.Sc. degree in mathematics, the M.Tech.
Art. no. 101883. degree in computer science and data processing,
[27] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE and the Ph.D. degree in computer science and engi-
Trans. Inf. Theory, vol. IT-29, no. 2, pp. 198–208, Mar. 1983. neering from the Indian Institute of Technology
[28] R. Canetti and H. Krawczyk, “Universally composable notions of Kharagpur (IIT Kharagpur), Kharagpur, India, in
key exchange and secure channels,” in Proc. Int. Conf. Theory Appl. 1998, 2000, and 2008, respectively.
Cryptograph. Techn. (EUROCRYPT), Amsterdam, The Netherlands, He is currently an Associate Professor with
2002, pp. 337–351. the Center for Security, Theory and Algorithmic
[29] S. Challa et al., “An efficient ECC-based provably secure three-factor Research, International Institute of Information
user authentication and key agreement protocol for wireless healthcare Technology Hyderabad, Hyderabad, India. He also
sensor networks,” Comput. Elect. Eng., vol. 69, pp. 534–554, Jul. 2018. worked as a Visiting Faculty with the Virginia Modeling, Analysis, and
[30] S. Mandal, B. Bera, A. K. Sutrala, A. K. Das, K.-K. R. Choo, and Simulation Center, Old Dominion University, Suffolk, VA, USA. His Google
Y. Park, “Certificateless-signcryption-based three-factor user access con- Scholar H-index is 70 and i10-index is 202 with over 13 900 citations. His
trol scheme for IoT environment,” IEEE Internet Things J., vol. 7, no. 4, current research interests include cryptography, system, and network secu-
pp. 3184–3197, Apr. 2020. rity, including security in smart grid, Internet of Things, Internet of Drones,
[31] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure Internet of Vehicles, cyber–physical systems and cloud computing, blockchain,
remote user authenticated key establishment protocol for smart home and AI/ML security. He has authored over 320 papers in international jour-
environment,” IEEE Trans. Depend. Secure Comput., vol. 17, no. 2, nals and conferences in the above areas, including over 275 reputed journal
pp. 391–406, Mar./Apr. 2020. papers.
[32] L. Wu, J. Wang, K. R. Choo, and D. He, “Secure key agreement and Dr. Das was a recipient of the Institute Silver Medal from IIT Kharagpur.
key protection for mobile device user authentication,” IEEE Trans. Inf. He was/is on the editorial board of IEEE S YSTEMS J OURNAL, Journal of
Forensics Security, vol. 14, no. 2, pp. 319–330, Feb. 2019. Network and Computer Applications (Elsevier), Computer Communications
[33] A. K. Das, M. Wazid, N. Kumar, A. V. Vasilakos, and (Elsevier), Journal of Cloud Computing (Springer), Cyber Security and
J. J. P. C. Rodrigues, “Biometrics-based privacy-preserving user Applications (Elsevier), IET Communications, KSII Transactions on Internet
authentication scheme for cloud-based Industrial Internet of Things and Information Systems, and International Journal of Internet Technology
deployment,” IEEE Internet Things J., vol. 5, no. 6, pp. 4900–4913, and Secured Transactions (Inderscience). He also severed as one of the
Dec. 2018. Technical Program Committee Chairs of the first International Congress on
[34] J. Srinivas, A. K. Das, N. Kumar, and J. J. P. C. Rodrigues, Blockchain and Applications (BLOCKCHAIN’19), Avila, Spain, June 2019,
“TCALAS: Temporal credential-based anonymous lightweight authen- International Conference on Applied Soft Computing and Communication
tication scheme for Internet of Drones environment,” IEEE Trans. Veh. Networks (ACN’20), October 2020, Chennai, India, and second International
Technol., vol. 68, no. 7, pp. 6903–6916, Jul. 2019. Congress on Blockchain and Applications (BLOCKCHAIN’20), L’Aquila,
[35] M. Wazid, A. K. Das, N. Kumar, A. V. Vasilakos, and J. J. Italy, October 2020.
P. C. Rodrigues, “Design and analysis of secure lightweight remote
user authentication and key agreement scheme in Internet of Drones
deployment,” IEEE Internet Things J., vol. 6, no. 2, pp. 3572–3584,
Apr. 2019.
[36] V. Dabra, A. Bala, and S. Kumari, “LBA-PAKE: Lattice-Based
Anonymous Password Authenticated Key Exchange for Mobile
Devices,” IEEE Syst. J., vol. 15, no. 4, pp. 5067–5077, Dec. 2021.
[37] “Advanced encryption standard (AES),” Nat. Inst. Stand. Technol.,
U.S. Dept. Commerce, Washingdon, DC, USA, Rep. FIPS PUB 197,
Nov. 2001. Accessed: Jun. 2022. [Online]. Available: http://csrc.nist.
gov/publications/fips/fips197/fips-197.pdf Youngho Park (Member, IEEE) received the B.S.,
[38] “ns-3 Network Simulator.” 2022. Accessed: Jun. 2022. [Online]. M.S., and Ph.D. degrees in electronic engineer-
Available: https://www.nsnam.org/ ing from Kyungpook National University, Daegu,
South Korea, in 1989, 1991, and 1995, respectively.
He is currently a Professor with the School
of Electronics Engineering, Kyungpook National
University. From 1996 to 2008, he was a Professor
with the School of Electronics and Electrical
Dharminder Dharminder received the M.Sc. Engineering, Sangju National University, Sangju,
degree in mathematics and the M.Tech. degree South Korea. From 2003 to 2004, he was a Visiting
in computer science and data processing from Scholar with the School of Electrical Engineering
the Indian Institute of Technology Kharagpur, and Computer Science, Oregon State University, Corvallis, OR, USA. His
Kharagpur, India, in 2012 and 2015, respectively. research interests include computer networks, multimedia, and information
He is currently working as an Assistant security.
Professor with the Department of Computer Science
and Engineering, Amrita Vishwa Vidyapeetham,
Chennai, India. His research interests are number
theory, cryptography, post-quantum cryptography,
and IoT security.
Challa Bhageeratha Reddy is currently pursu- Sajjad Shaukat Jamal received the Ph.D. degree
ing the B.Tech. degree in cyber security with the in mathematics from Quaid-i-Azam University,
Department of Computer Science and Engineering, Islamabad, Pakistan, in 2017.
Amrita Vishwa Vidyapeetham, Chennai, India. He is currently working as an Assistant Professor
His research interests are cryptography, post- with the Department of Mathematics, King Khalid
quantum cryptography, and IoT security. University, Abha, Saudi Arabia. His research
interests include number theory, cryptography, digi-
tal watermarking, steganography, information secu-
rity, multimedia security, and blockchain technology.
He has several journal papers in his research areas.
Authorized licensed use limited to: DELHI TECHNICAL UNIV. Downloaded on October 21,2023 at 08:17:03 UTC from IEEE Xplore. Restrictions apply.