
Lattice-Based Secret Handshakes with Reusable Credentials

Conference paper
Information and Communications Security (ICICS 2021)
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12919)

Abstract

Secret handshakes, a fundamental privacy-preserving primitive, allow members of the same organization to authenticate each other anonymously. Since the primitive was proposed in 2003, numerous schemes have been presented with varying security guarantees, efficiency, and functionality. Unfortunately, all of the contemporary designs are based on number-theoretic assumptions and become fragile in the presence of quantum computation. In this paper, we fill this gap by presenting the first lattice-based secret handshake scheme with reusable credentials. More precisely, we utilize verifier-local revocation techniques for member revocation, so that users’ credentials are reusable rather than one-time. To build an interactive authentication protocol, we subtly modify a Stern-type zero-knowledge argument by means of a key exchange protocol, which lets users negotiate a session key for further communication. The security of our scheme relies on the Short Integer Solution (\(\mathsf {SIS}\)) and Learning With Errors (\(\mathsf {LWE}\)) assumptions.


Notes

  1. Note that they cannot verify these commitments since they do not have the original ones.

  2. This can be done by setting \(V_b[i,j]'=V_b[i,j]-\alpha q_1\), where \(\alpha =1\) if \(V_b[i,j] > \frac{q_1}{2}-1\) and \(\alpha =0\) otherwise.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Miller, G.L. (ed.) STOC 1996, pp. 99–108. ACM (1996). https://doi.org/10.1145/237814.237838

  2. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011). https://doi.org/10.1007/s00224-010-9278-3

  4. Ateniese, G., Kirsch, J., Blanton, M.: Secret handshakes with dynamic and fuzzy matching. In: NDSS 2007. The Internet Society (2007)

  5. Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.: Secret handshakes from pairing-based key agreements. In: S&P 2003, pp. 180–196. IEEE Computer Society (2003). https://doi.org/10.1109/SECPRI.2003.1199336

  6. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) CCS 2004, pp. 168–177. ACM (2004). https://doi.org/10.1145/1030083.1030106

  7. Castelluccia, C., Jarecki, S., Tsudik, G.: Secret handshakes from CA-oblivious encryption. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 293–307. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_21

  8. ETSI: ETSI TR 103 570: CYBER; Quantum-Safe Key Exchange, 1.1.1 edn. (2017)

  9. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) STOC 2008, pp. 197–206. ACM (2008). https://doi.org/10.1145/1374376.1374407

  10. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: Sedgewick, R. (ed.) STOC 1985, pp. 291–304. ACM (1985). https://doi.org/10.1145/22145.22178

  11. Granlund, T., The GMP Development Team: GNU MP: The GNU Multiple Precision Arithmetic Library, 6.1.2 edn. (2016). http://gmplib.org/

  12. He, D., Kumar, N., Wang, H., Wang, L., Choo, K.R., Vinel, A.V.: A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network. IEEE Trans. Dependable Secur. Comput. 15(4), 633–645 (2018). https://doi.org/10.1109/TDSC.2016.2596286

  13. Hou, L., Lai, J., Liu, L.: Secret handshakes with dynamic expressive matching policy. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 461–476. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_28

  14. Jarecki, S., Kim, J., Tsudik, G.: Group secret handshakes or affiliation-hiding authenticated group key agreement. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 287–308. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_19

  15. Jarecki, S., Liu, X.: Private mutual authentication and conditional oblivious transfer. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 90–107. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_6

  16. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23

  17. Kulshrestha, P., Pal, A.: A new secret handshakes scheme with dynamic matching based on ZSS. IJNSA 7(1), 67–78 (2015)

  18. Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_20

  19. Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1

  20. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  21. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) CCS 2018, pp. 574–591. ACM (2018). https://doi.org/10.1145/3243734.3243852

  22. Pointcheval, D., Vaudenay, S.: On provable security for digital signature algorithms. Technical report LIENS-96-17, Laboratoire d’Informatique de l’École Normale Supérieure, November 1996

  23. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) STOC 2005, pp. 84–93. ACM (2005). https://doi.org/10.1145/1060590.1060603

  24. Shoup, V.: A Tour of NTL, 11.4.3 edn. http://www.shoup.net/ntl/

  25. Tian, Y., Li, Y., Zhang, Y., Li, N., Yang, G., Yu, Y.: DSH: deniable secret handshake framework. In: Su, C., Kikuchi, H. (eds.) ISPEC 2018. LNCS, vol. 11125, pp. 341–353. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99807-7_21

  26. Tsudik, G., Xu, S.: A flexible framework for secret handshakes. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 295–315. Springer, Heidelberg (2006). https://doi.org/10.1007/11957454_17

  27. Wen, Y., Zhang, F.: A new revocable secret handshake scheme with backward unlinkability. In: Camenisch, J., Lambrinoudakis, C. (eds.) EuroPKI 2010. LNCS, vol. 6711, pp. 17–30. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22633-5_2

  28. Wen, Y., Zhang, F.: Delegatable secret handshake scheme. J. Syst. Softw. 84(12), 2284–2292 (2011). https://doi.org/10.1016/j.jss.2011.06.046

  29. Wen, Y., Zhang, F., Xu, L.: Secret handshakes from id-based message recovery signatures: a new generic approach. Comput. Electr. Eng. 38(1), 96–104 (2012). https://doi.org/10.1016/j.compeleceng.2011.11.020

  30. Xu, S., Yung, M.: k-anonymous secret handshakes with reusable credentials. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) CCS 2004, pp. 158–167. ACM (2004). https://doi.org/10.1145/1030083.1030105

  31. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6

  32. Zhang, Z., Zhang, F., Tian, H.: CSH: a post-quantum secret handshake scheme from coding theory. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 317–335. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_16

  33. Zhou, L., Susilo, W., Mu, Y.: Three-round secret handshakes based on ElGamal and DSA. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds.) ISPEC 2006. LNCS, vol. 3903, pp. 332–342. Springer, Heidelberg (2006). https://doi.org/10.1007/11689522_31


Acknowledgements

This work is supported by Guangdong Major Project of Basic and Applied Basic Research (2019B030302008) and the National Natural Science Foundation of China (No. 61972429) and Guangdong Basic and Applied Basic Research Foundation (No. 2019A1515011797) and the Opening Project of Guangdong Provincial Key Laboratory of Information Security Technology (2020B1212060078-09).

Author information

Correspondence to Fangguo Zhang.

Appendices

Appendix 1. Impersonator Resistance (Proof of Theorem 1)

Proof

Suppose that \(\mathcal A\) succeeds in experiment \(\mathbf {Exp}^{\mathsf {IR}}_{\mathcal A}\) with non-negligible advantage \(\epsilon \). Then we can build a PPT algorithm \(\mathcal F\) that solves the \(\mathsf {SIS}_{n,(\ell+1)\cdot m,q,2\beta }^\infty \) problem with non-negligible probability.

Given an \(\mathsf {SIS}\) instance \(\mathbf{C}=[\mathbf {C}_0|\mathbf {C}_1|\ldots |\mathbf {C}_\ell ]\in \mathbb {Z}_q^{n\times (\ell +1)m}\), the goal of \(\mathcal F\) is to find a non-zero vector \(\mathbf{y} \in \mathbb Z^{(\ell +1)\cdot m}\) such that \(\mathbf{C}\cdot \mathbf{y}=\mathbf{0} \mod q\) and \(\Vert {\mathbf{y}} \Vert _\infty \le 2\beta \). Toward this goal, \(\mathcal F\) first generates the public parameters \(\mathsf {par}\) as in \(\mathsf {Setup}\), and proceeds as described in experiment \(\mathbf {Exp}^{\mathsf {IR}}_{\mathcal A}\). Note that \(\mathcal F\) can consistently answer all the oracle queries made by \(\mathcal A\). In particular, \(\mathcal F\) randomly picks \(i \in [q_{G}]\), where \(q_{G}\) is the number of queries to oracle \(\mathsf {KeyP}\), and performs the following steps at the i-th query to oracle \(\mathsf {KeyP}\) to build a group \(G^{(i)}\):

  • Sample a vector \(\mathbf{z}=(\mathbf {z}_0|\mathbf {z}_1|\ldots |\mathbf {z}_\ell ) \in \mathbb Z^{(\ell +1)\cdot m}\) from \(D_{\mathbb Z^{(\ell +1)\cdot m},\sigma }\). If \(\Vert {\mathbf{z}} \Vert _\infty > \beta \), repeat the sampling. Otherwise, compute \(\mathbf{u}=\mathbf{C}\cdot \mathbf{z} \mod q\).

  • Get \(\ell \) pairs \(\{(\mathbf{F}_i,\mathbf{R}_i)\}_{i\in [\ell ]}\) by invoking algorithm \(\mathsf {GenTrap}(n,m,q)\) for \(\ell \) times.

  • Choose a target identity \(d^*\,{\mathop {\leftarrow }\limits ^{\$}}\, \{0,1\}^\ell \), and define \(\mathbf{A}=[\mathbf {A}_0|\mathbf {A}_1^0|\mathbf {A}_1^1|\ldots |\mathbf {A}_\ell ^0|\mathbf {A}_\ell ^1] \in \mathbb {Z}_q^{n\times (2\ell +1)m}\) by setting \(\mathbf{A}_0=\mathbf{C}_0\), \(\mathbf{A}_i^{d^*[i]}=\mathbf{C}_i\) and \(\mathbf{A}_i^{1-d^*[i]}=\mathbf{F}_i\) for \( i \in [\ell ]\).

  • Define the secret key and revocation token of member \(d^*\) as follows:

    (i) \(\mathsf {usk}[d^*]=(\mathbf {x}_0 \Vert \mathbf {x}_1^0 \Vert \mathbf {x}_1^1\Vert \ldots \Vert \mathbf {x}_\ell ^0 \Vert \mathbf {x}_\ell ^1) \in \mathbb {Z}^{(2\ell +1)m}\), where \(\mathbf {x}_0 = \mathbf {z}_0\), \(\mathbf{x}_i^{d^*[i]}=\mathbf{z}_i\) and \(\mathbf{x}_i^{1-d^*[i]}=\mathbf{0}^m\) for all \( i \in [\ell ]\).

    (ii) \(\mathsf {urt}[d^*]=\mathbf{A}_0 \cdot \mathbf{x}_0 \mod q \in \mathbb Z^n_q\).

  • For a member identity \(d\ne d^*\), generate its secret key and revocation token as follows:

    1. Since \(d\ne d^*\), there exists a first index p (in left-to-right order) such that \(d[p]\ne d^*[p]\). Then it holds that \(\mathbf{A}_p^{d[p]}=\mathbf{A}_p^{1-d^*[p]}=\mathbf{F}_p\).

    2. Sample \(\ell \) vectors \(\mathbf{x}_0,\mathbf{x}_1^{d[1]},\ldots ,\mathbf{x}_{p-1}^{d[p-1]},\mathbf{x}_{p+1}^{d[p+1]},\ldots ,\mathbf{x}_\ell ^{d[\ell ]} \hookleftarrow D_{\mathbb {Z}^m,\sigma }\), and set \(\mathbf{s}^{(d)}=\mathbf{u}-(\mathbf{A}_0\cdot \mathbf{x}_0+ \sum _{i\in [\ell ],i\ne p}(\mathbf{A}_i^{d[i]}\cdot \mathbf{x}_i^{d[i]}))\mod q\).

    3. Sample \(\mathbf{x}_p^{d[p]}\hookleftarrow \mathsf {SamplePre}(\mathbf{R}_p,\mathbf{F}_p,\mathbf{s}^{(d)},\sigma )\), so that \(\mathbf{F}_p\cdot \mathbf{x}_p^{d[p]}=\mathbf{s}^{(d)} \mod q\).

    4. Set \(\mathbf{x}^{(d)}=(\mathbf {x}_0 \Vert \mathbf {x}_1^0 \Vert \mathbf {x}_1^1\Vert \ldots \Vert \mathbf {x}_\ell ^0 \Vert \mathbf {x}_\ell ^1) \in \mathbb {Z}^{(2\ell +1)m}\), where \(\mathbf{x}_i^{1-d[i]}=\mathbf{0}^m\) for all \( i \in [\ell ]\). Repeat the sampling if \(\Vert {\mathbf{x}^{(d)}} \Vert _\infty > \beta \). Otherwise, let \(\mathsf {usk}[d]=\mathbf{x}^{(d)}\) and \(\mathsf {urt}[d]=\mathbf{A}_0\cdot \mathbf{x}_0 \mod q\).

  • Set \(\mathsf {gpk}=(\mathbf{A},\mathbf{u})\), \(\mathsf {gsk}=(\{\mathbf{R}_i\}_{i\in [\ell ]},\mathsf {grt})\), and \(\mathsf {usk}=\{\mathsf {usk}[k]\}_{k=1}^{N}\). Note that, by construction, the distribution of \((\mathsf {gpk,grt,usk})\) is statistically close to that of the real scheme, and the choice of \(d^*\) is hidden from the adversary.

Eventually, \(\mathcal A\) wins with its output \(\mathtt {PROOF}^*=(\overline{cmt}^*,ch^*,\{rsp_k^*\}_{k=1}^t,\rho ^*,\mathbf{w}^*)\). Since the involved user outputs 1 after a handshake with \(\mathcal A\), that user must have retrieved the right hidden matrix \(\mathbf{C}^*\). This also means that the recovered commitment \(cmt'^*\) is equal to the original one \(cmt^*\). It follows that the \(\mathsf {NIZKAoK}\) \((cmt^*,ch^*,\{rsp_k^*\}_{k=1}^t)\) is a valid one generated by \(\mathcal A\) via the underlying \(\mathsf {ZK}\) protocol. Then \(\mathcal A\) must have queried \(\mathcal H_0\) on input \((\mathbf{A},\mathbf{u},\mathbf{W}^*,\mathbf{w}^*,cmt^*)\) (denoted \(\eta ^*\)), as otherwise the probability that \(ch^*=\mathcal H_0(\eta ^*)\) is at most \(3^{-t}\). Thus, with probability at least \(\epsilon -3^{-t}\), there exists some \(\kappa ^* \le q_{\mathcal H}\) such that the \(\kappa ^*\)-th hash query involves the tuple \(\eta ^*\), where \(q_{\mathcal H}\) is the number of queries to the random oracle \(\mathcal H_0\).

To employ the Improved Forking Lemma [22], \(\mathcal F\) re-invokes \(\mathcal A\) polynomially many times with the same random tape and input as in the original run up to the \(\kappa ^*\)-th query; from the \(\kappa ^*\)-th query onwards, \(\mathcal F\) answers \(\mathcal A\) with fresh and independent values \(\rho _{\kappa ^*},\ldots ,\rho _{q_{\mathcal H}}\, {\mathop {\leftarrow }\limits ^{\$}}\, \{1,2,3\}^t\). By the aforementioned Forking Lemma, with probability at least \(\frac{1}{2}\), \(\mathcal F\) obtains a 3-fork \(\{\rho _{\kappa ^*}^{1},\rho _{\kappa ^*}^{2},\rho _{\kappa ^*}^{3}\}\) involving the same tuple \(\eta ^*\) after fewer than \(32\cdot q_{\mathcal H}/(\epsilon -3^{-t})\) executions of \(\mathcal A\). Then \(\{\rho _{\kappa ^*}^{1}(j),\rho _{\kappa ^*}^{2}(j),\rho _{\kappa ^*}^{3}(j)\}=\{1,2,3\}\) for some \(j \in [t]\) with probability \(1-(\frac{7}{9})^t\). Having such an index j, \(\mathcal F\) can parse the 3 forgeries from the fork branches to obtain 3 valid responses \((rsp^*_j(1),rsp^*_j(2),rsp^*_j(3))\) w.r.t. 3 different challenges for the same commitment \(cmt^*_j\). By Theorem 1 in [18], we can extract vectors \(\mathbf{x}=(\mathbf {x}_0 \Vert \mathbf {x}_1^0 \Vert \mathbf {x}_1^1\Vert \ldots \Vert \mathbf {x}_\ell ^0 \Vert \mathbf {x}_\ell ^1) \in \mathbb {Z}^{(2\ell +1)m}\) and \(\mathbf{e}^* \in \mathbb Z^m\) such that:

  1. \(\Vert {\mathbf{x}} \Vert _\infty \le \beta \), and the following \(\ell \) blocks are zero-blocks \(\mathbf{0}^m\): \(\mathbf{x}_1^{1-d[1]},\ldots ,\mathbf{x}_\ell ^{1-d[\ell ]}\) for some \(d\in \{0,1\}^\ell \);

  2. \(\mathbf{A}\cdot \mathbf{x}=\mathbf{u} \mod q\);

  3. \(\Vert {\mathbf{e}^*} \Vert _\infty \le \beta \) and \(\mathbf{w}^*=\mathbf{W}^*\cdot (\mathbf{A}_0\cdot \mathbf {x}_0)+\mathbf{e}^* \mod q\).

Now we consider two cases:

  • If \(G^*\) is not created at the i-th query to oracle \(\mathsf {KeyP}\) or \(d\ne d^*\), which happens with probability at most \(\frac{N\cdot q_G-1}{N\cdot q_G}\), then algorithm \(\mathcal F\) fails and aborts.

  • If \(d= d^*\) and the user belongs to \(G^{(i)}\), set \(\mathbf{x}^*=(\mathbf {x}_0 \Vert \mathbf {x}_1^{d[1]} \Vert \ldots \Vert \mathbf {x}_\ell ^{d[\ell ]})\in \mathbb Z^{(\ell +1)m}\). Then by construction it holds that \(\mathbf{C}\cdot \mathbf{x}^*=\mathbf{A}\cdot \mathbf{x}=\mathbf{u} \mod q\). Furthermore, experiment \(\mathbf {Exp}^{\mathsf {IR}}_{\mathcal A}\) ensures that \(\mathcal A\) has never requested the user secret key \(\mathsf {usk}[d^*]\), so \(\mathbf{z}\) is unknown to \(\mathcal A\). In this case, because \(\mathbf{z}\) has large min-entropy given \(\mathbf{u}\) (see Lemma 1), we have \(\mathbf{x}^*\ne \mathbf{z}\) with overwhelming probability.

    Now let \(\mathbf{y}=\mathbf{x}^*-\mathbf{z}\), then we get the following facts: i) \(\mathbf{y}\ne \mathbf{0}\); ii) \(\mathbf{C} \cdot \mathbf{y}=\mathbf{0} \mod q\); iii) \(\Vert \mathbf{y} \Vert _\infty \le \Vert \mathbf{x}^* \Vert _\infty +\Vert \mathbf{z} \Vert _\infty \le \beta +\beta =2\beta \). So \(\mathcal F\) finally outputs the vector \(\mathbf{y}\), which is a solution to the related \(\mathsf {SIS}_{n,(l+1)\cdot m,q,2\beta }^\infty \) problem.

In summary, the probability that \(\mathcal F\) does not abort and solves the \(\mathsf {SIS}_{n,(\ell+1)\cdot m,q,2\beta }^\infty \) problem is at least \((1-(\frac{7}{9})^t)/(2N\cdot q_G)\). This concludes the proof.
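The embedding and extraction steps of the reduction above, carried out on toy parameters as an added example (this is not code from the paper). It builds \(\mathbf{A}\) from the \(\mathsf{SIS}\) instance \(\mathbf{C}\) and the \(\mathbf{F}_i\) according to the guessed identity \(d^*\), forms \(\mathsf{usk}[d^*]\) with its zero blocks, and turns a second short preimage of \(\mathbf{u}\) into an \(\mathsf{SIS}\) solution \(\mathbf{y}=\mathbf{x}^*-\mathbf{z}\). Assumptions: the \(\mathbf{F}_i\) are plain random matrices because their trapdoors are never used here; short vectors are drawn uniformly from \([-\beta,\beta]\) rather than from a discrete Gaussian; and `toy_extract` brute-forces the second preimage, standing in for the knowledge extractor that the real proof obtains from the 3-fork.

```python
import itertools
import random

# Toy parameters: illustrative only, far too small to be secure.
N_ROWS, M, ELL, Q, BETA = 2, 3, 2, 7, 1


def matvec(mat, vec):
    """Matrix-vector product over Z_q."""
    return [sum(a * b for a, b in zip(row, vec)) % Q for row in mat]


def hconcat(*blocks):
    """[B_0 | B_1 | ...] for matrices with the same number of rows."""
    return [sum((blk[r] for blk in blocks), []) for r in range(len(blocks[0]))]


def inf_norm(vec):
    return max(abs(v) for v in vec)


def embed_sis_instance(rng, d_star):
    """Simulator step: C = [C_0|...|C_ell] is the SIS instance; F_i play the
    GenTrap matrices (random here, trapdoor unused). A_0 = C_0,
    A_i^{d*[i]} = C_i and A_i^{1-d*[i]} = F_i. Returns (C, A)."""
    C_blocks = [[[rng.randrange(Q) for _ in range(M)] for _ in range(N_ROWS)]
                for _ in range(ELL + 1)]
    F_blocks = [[[rng.randrange(Q) for _ in range(M)] for _ in range(N_ROWS)]
                for _ in range(ELL)]
    A_blocks = [C_blocks[0]]
    for i in range(ELL):
        pair = [None, None]
        pair[d_star[i]] = C_blocks[i + 1]
        pair[1 - d_star[i]] = F_blocks[i]
        A_blocks.extend(pair)
    return hconcat(*C_blocks), hconcat(*A_blocks)


def expand(z, d):
    """usk[d] from z: x_0 = z_0, x_i^{d[i]} = z_i, x_i^{1-d[i]} = 0^m."""
    x = list(z[:M])
    for i in range(ELL):
        blk, zero = list(z[(i + 1) * M:(i + 2) * M]), [0] * M
        x += (blk + zero) if d[i] == 0 else (zero + blk)
    return x


def compress(x, d):
    """Keep x_0 and the d[i]-blocks: maps usk[d] back to an (ell+1)m vector."""
    out = list(x[:M])
    for i in range(ELL):
        start = M + (2 * i + d[i]) * M
        out += x[start:start + M]
    return out


def toy_extract(C, u, z):
    """Stand-in for the knowledge extractor: brute-force a beta-short
    C-preimage of u that differs from z (the proof gets it from the fork)."""
    dim = (ELL + 1) * M
    for cand in itertools.product(range(-BETA, BETA + 1), repeat=dim):
        cand = list(cand)
        if cand != z and matvec(C, cand) == u:
            return cand
    return None


def reduce_to_sis(C, A, x, d, d_star, z):
    """F's final step: (x, d) is the extracted key with A.x = u. F aborts unless
    d == d_star; otherwise y = compress(x, d_star) - z is a 2*beta SIS solution."""
    if d != d_star:
        return None  # the nonzero blocks of x sit under some F_p, not under C
    y = [a - b for a, b in zip(compress(x, d_star), z)]
    if not any(y) or matvec(C, y) != [0] * N_ROWS or inf_norm(y) > 2 * BETA:
        raise ValueError("extracted vector does not yield an SIS solution")
    return y


def run_reduction(seed=2021):
    rng = random.Random(seed)
    d_star = [rng.randrange(2) for _ in range(ELL)]
    C, A = embed_sis_instance(rng, d_star)
    z = [rng.randrange(-BETA, BETA + 1) for _ in range((ELL + 1) * M)]
    u = matvec(C, z)
    usk = expand(z, d_star)          # simulated usk[d*]; A.usk = C.z = u
    if matvec(A, usk) != u:
        raise ValueError("embedding broken")
    x_ext = expand(toy_extract(C, u, z), d_star)   # extractor output for d = d*
    d_other = [1 - b for b in d_star]
    return {
        "C": C, "A": A, "u": u, "z": z, "d_star": d_star, "usk": usk,
        "abort": reduce_to_sis(C, A, x_ext, d_other, d_star, z),  # None
        "y": reduce_to_sis(C, A, x_ext, d_star, d_star, z),
    }


if __name__ == "__main__":
    print(run_reduction())
```

The `abort` entry shows the case \(d\ne d^*\): the extracted key then has a nonzero block under some \(\mathbf{F}_p\), so compressing it against \(d^*\) does not give a \(\mathbf{C}\)-preimage and \(\mathcal F\) learns nothing, which is where the \(1/(N\cdot q_G)\) loss in the final bound comes from. With \(q=7\) and nine coordinates in \(\{-1,0,1\}\) the fibres of \(\mathbf{x}\mapsto \mathbf{C}\mathbf{x}\) are large, so the brute-force stand-in always finds a collision; at real parameters this step is exactly what the hardness of \(\mathsf{SIS}\) forbids.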

Appendix 2. Detector Resistance (Proof of Theorem 2)

Proof

We define a sequence of hybrid games where the first is \(\mathbf {Exp}^{\mathsf {DR-0}}_{\mathcal A}\) and the last is \(\mathbf {Exp}^{\mathsf {DR-1}}_{\mathcal A}\), and prove that consecutive games are indistinguishable. For the i-th game, denote the output of \(\mathcal A\) by \(R_i\). The games are described as follows.

  • Game 0: This is exactly the original game \(\mathbf {Exp}^{\mathsf {DR-0}}_{\mathcal A}\).

  • Game 1: This game is the same as Game 0 except that it generates a simulated proof for the interactive handshake between \(\mathcal A\) and the chosen user \(\mathsf {ID}^*\), by running the simulator of the underlying argument for every repetition and then generating the corresponding challenge via oracle \(\mathcal H_0\). Since the hidden matrix \(\mathbf{C}\) is also generated at random by an \(\mathsf {LWE}\) function, the view of adversary \(\mathcal A\) in Game 1 is statistically indistinguishable from that in Game 0 by the zero-knowledge property of the underlying \(\mathsf {ZK}\) protocol. So \(\mathrm {Pr}[R_1=1]\approx \mathrm {Pr}[R_0=1]\).

  • Game 2: This game is the same as Game 1 with one modification: for token embedding, we compute the \(\mathsf {LWE}\) function using a random nonce \(\mathbf{s}\) instead of the revocation token \(\mathsf {urt}[\mathsf {ID}^*]\), namely \(\mathbf{w}=\mathbf{W}\cdot \mathbf{s}+\mathbf{e}^* \mod q\) where \(\mathbf{s} \,{\mathop {\leftarrow }\limits ^{\$}}\, \mathbb Z_q^n\). Recall that the token \(\mathsf {urt}[\mathsf {ID}^*]=\mathbf{A}_0\cdot \mathbf{x}_0\) is statistically close to uniform over \(\mathbb Z_q^n\). Hence \(\mathrm {Pr}[R_2=1]\approx \mathrm {Pr}[R_1=1]\).

  • Game 3: This game follows Game 2 with one change: \(\mathbf{w}\) is sampled uniformly from \(\mathbb Z_q^m\). Note that in the previous game, \(\mathbf{W}\) is uniformly random over \(\mathbb Z_q^{m\times n}\), so the pair \((\mathbf{W},\mathbf{w})\) is a valid \(\mathsf {LWE}_{n,q,\chi }\) instance and its distribution is computationally indistinguishable from the uniform distribution over \(\mathbb Z_q^{m\times n} \times \mathbb Z_q^m\). Thus \(|\mathrm {Pr}[R_3=1]-\mathrm {Pr}[R_2=1]|=\mathsf {negl}(\lambda )\).

  • Game 4: This game switches back to using a random nonce to produce \(\mathbf{w}\), but now the \(\mathsf {LWE}\) function is evaluated for an arbitrary user \(\mathsf {ID}_r\), i.e., \(\mathbf{w}=\mathbf{W}\cdot \mathbf{s}+\mathbf{e}_r \mod q\). Since \(\mathbf{e}_r\hookleftarrow \chi ^m\) is \(\beta \)-bounded, the output \(\mathtt {PROOF}\) is computationally indistinguishable from that in Game 3 by the same \(\mathsf {LWE}\) argument. Hence \(|\mathrm {Pr}[R_4=1]-\mathrm {Pr}[R_3=1]|=\mathsf {negl}(\lambda )\).

  • Game 5: In this game, we generate \(\mathbf{w}\) with another user’s revocation token \(\mathsf {urt}[\mathsf {ID}_r]\), namely, \(\mathbf{w}=\mathbf{W}\cdot \mathsf {urt}[\mathsf {ID}_r]+\mathbf{e}_r \mod q\). Since \(\mathsf {urt}[\mathsf {ID}_r]\) is statistically close to uniform over \(\mathbb Z_q^n\), this change makes no difference to the view of \(\mathcal A\). Therefore, it holds that \(\mathrm {Pr}[R_5=1]\approx \mathrm {Pr}[R_4=1]\).

  • Game 6: This game is exactly the experiment \(\mathbf {Exp}^{\mathsf {DR-1}}_{\mathcal A}\). We generate the real argument for the handshake between \(\mathcal A\) and \(\mathsf {ID}_r\); the transcript is statistically indistinguishable from that of Game 5 by the zero-knowledge property of the utilized \(\mathsf {ZKAoK}\). Hence \(\mathrm {Pr}[R_6=1]\approx \mathrm {Pr}[R_5=1]\).

Combining the above analysis, we have that \(|\mathrm {Pr}[\mathbf {Exp}^{\mathsf {DR-1}}_{\mathcal A}=1]-\mathrm {Pr}[\mathbf {Exp}^{\mathsf {DR-0}}_{\mathcal A}=1]|=\mathsf {negl}(\lambda ).\) This concludes the proof.
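The token embedding \(\mathbf{w}=\mathbf{W}\cdot \mathsf{urt}+\mathbf{e} \mod q\) that the hybrids above reason about, together with the verifier-local revocation check that a verifier holding a revocation list runs on \((\mathbf{W},\mathbf{w})\), as an added example (this is not the paper's code). Assumptions: toy-sized, insecure parameters; tokens \(\mathsf{urt}\) are sampled uniformly from \(\mathbb Z_q^n\) instead of being computed as \(\mathbf{A}_0\cdot \mathbf{x}_0\) (the proof of Theorem 2 only uses that they are close to uniform); the error \(\mathbf{e}\) is uniform in \([-\beta,\beta]\) as a stand-in for \(\chi\); and `centered` implements the representative shift from footnote 2.

```python
import random

# Toy parameters: illustrative only, not a secure instantiation.
N, M, Q, BETA = 4, 8, 97, 2


def matvec(mat, vec):
    """Matrix-vector product over Z_q."""
    return [sum(a * b for a, b in zip(row, vec)) % Q for row in mat]


def centered(vec):
    """Footnote 2: subtract q from every representative larger than q/2 - 1,
    so small residues show up as small signed integers."""
    return [c - Q if c > Q // 2 - 1 else c for c in vec]


def embed_token(rng, W, urt):
    """Prover side: w = W.urt + e mod q with a beta-bounded error e."""
    e = [rng.randrange(-BETA, BETA + 1) for _ in range(M)]
    return [(a + b) % Q for a, b in zip(matvec(W, urt), e)]


def token_matches(W, w, urt):
    """Verifier-local check: w - W.urt is beta-short exactly when urt is the
    embedded token; for any other token the residual is uniform mod q."""
    residual = centered([(a - b) % Q for a, b in zip(w, matvec(W, urt))])
    return max(abs(r) for r in residual) <= BETA


def revocation_lookup(W, w, revocation_list):
    """Index of the revoked token that (W, w) was built from, or None."""
    for idx, urt in enumerate(revocation_list):
        if token_matches(W, w, urt):
            return idx
    return None


def demo(seed=7):
    rng = random.Random(seed)
    tokens = [[rng.randrange(Q) for _ in range(N)] for _ in range(5)]  # urt[ID_0..ID_4]
    W = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]       # fresh per handshake
    w = embed_token(rng, W, tokens[3])                                  # ID_3 runs the handshake
    rl = [tokens[0], tokens[1], tokens[4]]                              # revoked: ID_0, ID_1, ID_4
    return {
        "not_revoked": revocation_lookup(W, w, rl),            # None: ID_3 passes
        "revoked": revocation_lookup(W, w, rl + [tokens[3]]),  # 3: caught once ID_3 is listed
        "own_token": token_matches(W, w, tokens[3]),           # True
        "other_token": token_matches(W, w, tokens[0]),         # False
    }


if __name__ == "__main__":
    print(demo())
```

The two sides of the argument are visible here: anyone holding \(\mathsf{urt}[\mathsf{ID}_3]\) recognises the embedding from the short residual, which is what makes a revoked member's handshakes detectable, while without that token \((\mathbf{W},\mathbf{w})\) is just an \(\mathsf{LWE}\) sample, which is the step Game 2 to Game 3 relies on. The false-match probability of `token_matches` against an unrelated token is the chance that m independent uniform residues all land in \([-\beta,\beta]\), i.e. \(((2\beta+1)/q)^m\), so q and m must be chosen so that this is negligible.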


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

An, Z., Zhang, Z., Wen, Y., Zhang, F. (2021). Lattice-Based Secret Handshakes with Reusable Credentials. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science(), vol 12919. Springer, Cham. https://doi.org/10.1007/978-3-030-88052-1_14


  • DOI: https://doi.org/10.1007/978-3-030-88052-1_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88051-4

  • Online ISBN: 978-3-030-88052-1
