A novel offload-server PAKE scheme usingnew theorem of chaotic maps towards multiple server blockchain architecture

, ,

(Software College, Shenyang Normal University, Shenyang 110034, China)

Abstract: Nowadays, the distributed password-authenticated key agreement schemes become more and more popular. Compared with the three traditional architectures (client/server, two clients/server and multi-server), the distributed architecture can solve problems of single-point of security, single-point of efficiency and single-point of failure. Moreover, it has the characteristics of scalability, flexibility and fairness. In the paper, we proposed a new Provably Secure and Distributed Privacy-Protection scheme using chaotic maps. The advantage of this scheme is that the linked block-chain can be unloaded from the server after the user registers. It achieves mutual authenticated among three nodes in three rounds with privacy protection firstly, and at the same time, the unregistered server can store a temporary authenticator for a while for improving the efficiency. Security of the scheme is based on chaotic maps hard problems and a secure one way hash function. Compared with the related literatures in recent years, our proposed scheme can not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. Finally, we give the security proof and the efficiency analysis of our proposed scheme.

Key words: Privacy-protection; key agreement; distributed architecture; chaotic maps

CLCnumber: TP319Documentcode: A

doi: 10.3969/ j.issn.1673-5862.2019.04.011

Receiveddate: 2019-03-06.

Supported: Project supported by Plan of Natural Science Foundation of Liaoning Province(201602680,20180550536,2019).

Biography: LIU Tianhua(1966-), male, was born in Shenyang of Liaoning province, professor of Shenyang Normal University, Ph.D.Corresponding author: ZHU Hongfeng(1978-), male, was born in Panjin of Liaoning province, professor of Shenyang Normal University, Ph.D.

文章編號(hào):1673-5862(2019)04-0345-11

利用混沌映射的新定理提出了一種面向多服務(wù)器區(qū)塊鏈架構(gòu)的卸載服務(wù)器PAKE方案

劉天華, 趙婧月, 朱宏峰

(沈陽(yáng)師范大學(xué) 科信軟件學(xué)院, 沈陽(yáng) 110034)

摘 要:目前,分布式密碼認(rèn)證密鑰協(xié)議方案越來(lái)越受歡迎。與傳統(tǒng)的3種體系結(jié)構(gòu)(客戶(hù)機(jī)/服務(wù)器、2種客戶(hù)機(jī)/服務(wù)器和多服務(wù)器)相比,分布式體系結(jié)構(gòu)可以解決單點(diǎn)安全、單點(diǎn)效率和單點(diǎn)故障問(wèn)題。此外,它還具有可擴(kuò)展性、靈活性和公平性。提出了一種新的基于混沌映射的分布式安全保護(hù)方案。該方案的優(yōu)點(diǎn)是,在用戶(hù)注冊(cè)之后可以從服務(wù)器卸載鏈接的塊鏈。它首先在3輪中實(shí)現(xiàn)了3個(gè)節(jié)點(diǎn)之間的互認(rèn)證,保護(hù)了隱私,同時(shí)未注冊(cè)的服務(wù)器可以暫時(shí)存儲(chǔ)一個(gè)臨時(shí)認(rèn)證器,以提高效率。該方案的安全性是基于混沌映射的硬問(wèn)題和一個(gè)安全的單向哈希函數(shù)。與相關(guān)文獻(xiàn)相比,提出的方案不僅具有高效、獨(dú)特的功能,而且對(duì)各種攻擊具有魯棒性,實(shí)現(xiàn)了完美的正向保密。最后,給出了該方案的安全性證明和有效性分析。

關(guān) 鍵 詞:隱私保護(hù); 密鑰協(xié)議; 分布式架構(gòu); 混沌映射

0 Introduction

Nowadays, authentication key exchange is one of the most popular technologies, more and more people like surfing the Internet, and these users also care about their privacy. The mutual authentication key protocol (MAKA) is one of the most important encryption components[1-2]that can establish authenticated and secure communication channels. Many literatures adopt multi-server architecture (MSA)[3-4]in order to reduce the number of user registration, while literature can[4]achieve privacy protection without using symmetric cryptography to reduce the amount of calculation. In order to seek a common computing environment, Zhu proposed a AKE[5]protocol in different areas, which enables both parties in the two fields to negotiate session keys in the standard model. Of course, a group key protocol scheme with privacy protection can be proposed in[6]. The multi-server architecture makes the registry the focus of hackers. In addition, single point efficiency and single point failure have been troubling the registry.

A good architecture can make some hard problems easier. For example, distributed architectures can solve problems with centralized architectures. Zhu[7]first proposed a new distributed architecture, which refers to the multi-server to Server architecture (MSTSA). In the random[7]oracle model, the first verifiable secure and flexible cryptographic authentication key protocol scheme[8-9]based on chaotic mapping is proposed[10]. Then, Zhu and MSTSA[1]proposed another cryptographic key protocol scheme, and verified the security of the scheme in the standard model. But there are two major problems with the two distributed schemes using chaotic maps: there is no privacy protection and there are multiple rounds of communication. Therefore, this paper proposes a new distributed scheme to solve these two main problems. Because chaos mapping has many advantages such as sensitivity to initial parameters, unpredictability and jumping, we use chaotic mapping. At the same time, the chaotic series produced by the chaotic system has the characteristics of non-periodicity and pseudo-randomness.

The main contributions are as follows: 1) a new cryptographic authentication key exchange scheme is proposed to protect the privacy of multiple server-to-server architectures. 2) the scheme is verified through three rounds and three sets of nodes, and the privacy is protected. 3) this scheme can temporarily store the unregistered server as a temporary authenticator to avoid repeatedly involving the registered server. 4) this scheme is mainly based on chaotic mapping and does not use modular exponential operation and scalar multiplication on elliptic curve.In terms of security, the protocol can resist all common attacks, such as mock attacks, man-in-the-middle attacks, and so on. 5) in terms of functions, the protocol also implements some well-known features, such as perfect forwarding confidentiality and execution efficiency.

Therefore, this paper proposes that the multi-server authentication framework is mainly composed of three entities: user (Ui), server (Sj) and registry (RC).To benefit from the services provided by the various servers, users first register with theRC. Therefore, theUiandSjcan either directly (that is, use rc-offline authentication/ mrc-off) or indirectly (use rc-online authentication/ mrc-on) for authentication.In addition, in MRCOn mode, the user performs authentication with the server throughRC, but in mrc-off mode, the user and the server can authenticate directly withoutRC. As shown in the Fig.1.

Fig.1 Registration certification and without the third party

Remark:

1) User Registration

2) Server Registion

3) Login Request

4) Authentication Response

5) Verification Response

6) Verification Request

Offload the server of registration centre and negotiate the authentication key directly with another server.

When the useruses for the first time, they can sign up forS, and after bridging, they can no longer use it, andUcan directly communicate with anotherS′.

The advantage of this paper is that on the basis of the whole process of privacy protection, the block chain server can be unloaded, and any server can be logged in, finally achieving the effect of multiple servers. To sum up, a two-party key negotiation protocol based on chaotic mapping for authentication between a user and multiple servers.

The rest of the paper is organized as follows: Some preliminaries are given in Section 1. Next, a distributed privacy-protection scheme is described in Section 2. Then, the security analys is and efficiency analysis are given in Section 3 and Section 4. This paper is finally concluded in Section 5.

1 Preliminaries

1.1 Theorems of Chaotic maps problems

LetPandQbe integers andpbe a prime. The general second-order linear recurrence relation is of the form:

Ta(x)=P×Ta-1(x)+Q×Ta-2(x)(a≥2)

WhereTa(x)∈GF(p) for alla.

The recurrence relation function of chaotic maps is defined with initial conditionsT0(x)=1 andT1(x)=x. It is easy to see that the chaotic maps function is a special type of second-order linear recurrence relation as defined withP=2xandQ=-1.

Theorem 1.1 Letf(x)=t2-2xt+1 andα,βbe two roots off(x). Ifx=1/2(α+β), then the number of solutions satisfy.

ProofSinceαandβare the roots of the characteristic polynomialf(x) of the recurrence

f(x)=t2-2xt+1

we get two different solutions from

Assumingc1andc2are two random numbers, we can get the following properties according:

P(c1αn-1+c2βn-1)-Q(c1αn-2+c2βn-2)=c1αn+c2βn

From this, whenT0=c1+c2,T1=c1α+c2β, any recurrence relation ofTa(x) that can satisfy is of the formc1αn+c2βn. So the recurrence relation ofTa(x) is defined with the coefficientc1=c2=1/2:

Therefore,

Theorem 1.2 Ifaandbare two positive integers anda>b, thenTa+b(x)+Ta-b(x)=2Ta(x)Tb(x).

ProofWe can prove the theorem 1.2 as follows:

1.2 Threat Model

The threat model should be adopted the widelyaccepted security assumptions about password based authentication schemes[10-11].

1) The useriholds the uniformly distributed low-entropy password from the small dictionary. The server keeps the private key. At the time of registration, the server sends the personalized security parameters to the useriby secure channel and the userishould keep the personalized security parameters safe.

2) An adversary and a useriinteract by executing oracle queries that enables an adversary to perform various attacks on authentication protocols.

3) The communication channel is controlled by the adversary who has the capacity to intercept, modify, delete, resend and reroute the eavesdropped messages.

In the password authenticated protocol ∏, each participant is either a userui∈Uor a trusted serverSinteract number of times. Only polynomial number of queries occurs between adversary and the participant’s interaction. This enables an adversary to simulate a real attack on the authentication protocol. The possible oracle queries are as follows:

Definition 6. Consider an execution of the authentication protocol ∏ by an adversaryA, in which the latter is given access to the Execute, Send, and Test oracles and asks at most single Test query to a fresh instance of an honest client. Letb′ be his output, ifb′=b, wherebis the hidden bit selected by the Test oracle. LetDbe user’s password dictionary with size |D|. Then, the advantage ofAin violating the semantic security of the protocol ∏ is defined more precisely as follows:

Adv∏,D(A)=[2Pr[b′=b]-1]

The password authentication protocol is semantically secure if the advantageAdv∏,D(A) is only negligibly larger thanO(qs)/|D|, whereqsis the number of active sessions.

1.3 Blockchain

Academia for there is no unified definition of block chain technology, but it is generally believed that block chain is a kind of according to the time sequence data block combination in the form of the chain to form a specific data structure, and ensure the tamper-resistant in cryptography and unforgeable decentralized, distributed Shared general ledger to trust system from the point of view of the data, chain block is a kind of practical distributed database could not be changed the traditional distributed database only to maintain the data by a central server node, other nodes stored only data backup and block chain “distributed” is not only embodied in distributed data backup storage, also in number According to the records of the distributed, that is, jointly by all the nodes involved in data maintenance. A single node of the data been tampered with or damaged will not affect block the data stored by chain, and to realize the data from the technical point of view, the secure storage of the block is not a single chain of technological innovation,It is a distributed ledger technology realized by the deep integration of P2P network technology, asymmetric encryption technology, consensus mechanism, script and other technologies[12]. chain technology using encryption chain the block structure to validate and store data, using the P2P technology, consensus mechanism to implement distributed nodes Verification, communication and the establishment of trust relationship, the script can be achieved using chain complex business logic function with the data automation of operation, thus forming a new data record, store, and express the basic framework of the method of block chain. The basic framework of blockchain mainly consists of data layer, network layer, consensus layer and application layer.

Among them, the data layer includes the underlying data block and its chain structure, supported by hash algorithm, time stamp, Merkle tree, asymmetric encryption and other related technologies, so as to protect the integrity and traceability of block data; The network layer includes data transmission mechanism and transaction verification mechanism, which are supported by P2P network technology to complete data transmission and verification between distributed nodes. The consensus layer mainly includes the consensus mechanism, through various consensus algorithms to achieve the consistency and authenticity of data between distributed nodes. Some blockchain systems, such as bitcoin, also include the distribution mechanism and incentive mechanism, integrate economic factors into the blockchain technology, so as to reach a stable consensus among nodes. Application layer can achieve various top block chain application scenarios and the implementation of related system and fall to the ground, through the script block chain support all kinds of chain algorithm and intelligent contracts to support, provides programmable block chain on the basis of the framework, based on the timestamp of the chain block structure, based on P2P network data transmission mechanism, the consensus of the distributed node mechanism and flexible programmable chain script is the most representative block chain technology innovations.

2 The Proposed Privacy Protection scheme with Multiple servers to server Architecture

This paper proposes that the multi-server authentication framework is mainly composed of three entities: user (Ui), server (Sj) and registry (RC). To benefit from the services provided by the various servers, users first register with theRC.Therefore, theUiandSjcan either directly (that is, use rc-offline authentication/mrc-off) or indirectly (use rc-online authentication/mrc-on) for authentication. In addition, in MRCOn mode, the user performs authentication with the server throughRC, but in mrc-off mode, the user and the server can authenticate directly withoutRC. Offload the server of registration centre and negotiate the authentication key directly with another server.

1) Distributed architecture: The trusted server defines system parameters and generates his private/public key-pair. The trusted server then publishes system parameters and keeps the private key secret. Next, each user must register in trusted server before PAKE. Finally, the trusted server cooperates with the registering user to generate the shared password between the registering users.

Due to space limitations, this section just gives an instance for sharing the password in distributed architecture: a) any user must take his/her identities card as the authenticator and transfer it to the server by a secure channel; b) the server uses his private/public key-pair to sign some messages for authenticating itself; c) after mutual authentication, a user must leave his/her private cell-phone number as a secure receiver for receive any temporary shared password which is sent by the server.

2) Agreement architecture: In this architecture, there is no the trust third party involved. The two users will exchange the shared password by a secure channel. The main methods are: public-key cryptosystem, phone calls or secure instant messaging software, or exchange password face to face, and so on.

2.1 User registration phase

The concrete notations used hereafter are:IDSimeans identity of the ith server;IDAmeans the identity of Alice;a,a1,ra,riare all nonces; (x,Tki(x)), the public key based on Chebyshev chaotic maps of the ith server;ki, the secret key based on Chebyshev chaotic maps of the ith server;H,Asecure one-way hash function.H: {0,1}*→ {0,1}lfor a constantl;‖ means concatenation operation.

Fig.2 illustrates the user registration phase.

Fig.2 A premium user registration phase

Remark:

Step 1 When a user wants to be a new legal user, she chooses her identityIDA, a random numberra, and computesH(ra‖PW). Then Alice submitsIDA,H(ra‖PW) to theRCvia a secure channel.

Step 2 Upon receivingIDA,H(ra‖PW) from Alice, theRCcomputesB=H(IDA‖ki)⊕H(ra‖PW), wherekiis the secret key ofSi. Then Alice stores {IDA,ra,B} in a secure way.

2.2 The user negotiates directly with Sj authentication

Fig.3 illustrates the process of authenticated key agreement phase.

Fig.3 The user negotiates directly with Sj authentication

Step 1 If Alice wishes to consult some personal issues establish withSjin a secure way, she will input password and computeB*=H(ki), and then choose two random integer numbersa2and computeTa(x),CA1=Ta1Tki(x)IDA,CA2=TaTB*(x)IDSj,VA=Ta+H((B*)‖IDA‖IDSj)(x)+Ta-H((B*)‖IDA‖IDSj)(x). After that, Alice sendsm1={Ta1(x),CA1,CA2,VA} toSiwhich she has registered.

Step 3 After receiving the messagem2={Tr(x),CS1,CS2,VS,VSi} fromSi,SjuseskjandTr(x) to getIDA‖IDSj=CS1/TkjTr(x),Ta(x)=CS2/TkjTr(x), ComputeH(CS1‖CS2)?=VS/TkjTki(x), If yes, that means the verification is successful, to getH(ki)=VSi/TkiTkj(x), Next, putIDSi,IDA,H(ki) in the database, selects randomr1and computesTr1(x),SK=H(Tr1Ta(x)),VSj=H(IDSi‖IDSj‖IDA‖H(ki)). Finally,Sjsendsm3={VSj,Tr1(x)} to Alice.

Step 4 After receiving the messagem3={VSj,Tr1(x)}, Alice check ifH(IDSi‖IDSj‖IDA‖B*)?=VSj. If holds, that means Alice computes the session keySK=H(TaTr1(x)).

If any authenticated process does not pass, the protocol will be terminated immediately.

2.3 Offload the registration server phase

After the user registers on the registration server, if the user wants to log in another server, the registration server only needs to help build the bridge once, and then the user communicates with the other server without registering the server for further participation (offload the registered server).

Fig.4 illustrates the password changing phase. The user shall negotiate withSjcertification directly next time.

Fig.4 Password changing phase

Step 1 When a user wants to change her password, she chooses a new passwordPW′, Select random numbersa,a>H(B*‖Ta(x)) and computesTa(x), then arrived atCA=TaTki(x)IDA,VA=Ta+H(B*‖Ta(x))(x)+Ta-H(B*‖Ta(x))(x). Then Alice sendsm1={Ta(x),VA,CA} toSj.

Step 2 Upon receivingm1={Ta(x),VA,CA} from Alice,Sj(IDSi,IDA,H(ki)) RecoverkjandTa(x), then arrived atIDA=CA/TkjTa(x), Find database, getH(ki), Check 2Ta(x)TH(H(ki)‖Ta(x)(x)?=VA, if yes, Select randomr,r>H(H(ki)‖Tr(x)). ComputeTr(x),VSj=A(H(ki)‖Tr(x)‖Ta(x)),SK=H(TrTa(x)). FinallySjsends {Tr(x),VSj} to Alice.

Step 3 Upon receiving {Tr(x),VSj}, Alice check ifH(B*‖Tr(x)‖Ta(x))?=VSj, If they are equal, thenSK=H(TaTr(x)), and stores in a secure way.

3 Security Analysis

Here we assume that the security of the agreement based on the DLP problems, CDH problem, one-way hash function the intractability of the premise, assuming that the opponent is using a polynomial time and running in Dolev-Yao multi-protocol of computer parallel execution environment, is the communication link has complete control ability, cryptography trained Dolev-Yao under the model of the attacker. The following is the specific protocol security analysis:

3.1 Dictionary attack

This protocol can resist three common dictionary attacks:

2) for predictable and unpredictable online dictionary attack, if the opponent guessing passwords fromSto oneself, because theSin the second round will check card users really solid, if validation failure times more than the predetermined threshold value, thenSwill know which user password has been as a target, and to take corresponding measures.

3.2 Server leakage attack

Situation one: if the opponent obtainsAverification elementYAX(X=1 or 2) ofA(the initiator of the message), if he/she chargesAto communicate with other users, another verification element withoutAcannot pass the verification of serverSin the second round; If you want to fakeAandScommunicating with another user at the same time, but do not have the user’s verification value, there is no way to pass the user’s verification in the second round; If you want to communicate with userAby impersonating other users and serverSat the same time, the second round will also fail to pass the verification ofAdue to the lack of another verification value ofA, unless both key rivals ofAcan be stolen. Case 2: if the enemy hands need toB(should be) the news rangAverification valueYBX(X=1 or 2), if you want to fake communication withA,BEinterceptedSnews sent toB{VSB1VSB2,ZSB,A}, but because of the intractability of DLP problem to calculate theXBX(X=1 or 2), thus unable to correctly calculate the session key. In the same way, even if the adversary gets a verification value for each message originator and message responder, it cannot communicate with the other party unless it can get two verification values for the same user.

3.3 Unknown key sharing and insider attack

3.4 Replay the attack

Scenario 1 the adversary carries out replay attack on userAand sends the old message{VB1,VB2,ZSA} intercepted bySbefore toA. Since t isArandom number selected again every timeAapplies for the session key, it will fail to pass the verification ofAin the second round. Situation two: the opponent replays the attack on userB. If the opponent wants to change the fresh identifiers sent byAtoSandBbefore launching the attack, it will not pass the verification ofSin the second round. If the opponent resends the previous message {VSB1,VSB2,ZSB,A} toB, the same cannot be verified byBdue to the presence of the new identifierSKSB.

3.5 Key confidentiality

Key confidentiality means that the adversary cannot distinguish between a key and a random string with nonnegligible probability. Scenario 1) if the adversary wants to obtain key information fromVA1,VA2,VB1,VB2,VSB1,VSB2, it must solve the CDH problem. However, there is no way to solve this problem in polynomial time. Scenario 2) the adversary hopes to obtain the information of the session key by distinguishing the random number from the session key, which is also difficult to achieve due to the difficulty of the DLP problem. Therefore, this protocol provides key confidentiality.

3.6 Forward security

Since the user selects random numberaandbto participate in the calculation of the session key every time the session key is generated, even if the adversary gets two passwords of a user,PWX1andPWX2, the previous session key of the user cannot be calculated due to the difficulty of DLP problem. Even the loss of a user’s password (one or both) does not affect the security of the user’s previous communications. This agreement therefore provides forward security.

3.7 Known key security

Known key security means that even if an adversary obtains the session key used in a user’s communication, it will not affect the security of the user’s other session keys. In this protocol, there are two independent random Numbersaandbbetween each group of session keys, so each group of keys is independent. For four keys in each set, only one of them cannot be used to deduce any of the other three session keys due to the difficulty of the DLP problem.

3.8 Man-in-the-middle attack

This agreement can effectively prevent man-in-the-middle attacks.

Situation 1 the adversary impersonatorScommunicates with the legitimate user, and cannot pass the user’s verification in the second round without knowing the user’s verification value. Situation two: if you imitate a legitimate user and serverSto communicate, because do not know the password of this user, can not pass the verification ofS.

4 Efficiency Analysis

The efficiency of the key exchange protocol will directly determine its practicability. Although the public-key algorithm has a series of advantages that cannot be compared with the symmetric cipher algorithm, it cannot be widely used in the key exchange protocol due to its high computational cost. The main contents of efficiency comparison include dot multiplication, hash function, exponential operation, number of protocol rounds, etc.Table 1 lists the computation amount required for each session key generated by the protocol.

Table 1 Efficiency of our proposed scheme

As can be seen from the comparison results, compared with the other two protocols, the protocol in this paper improves the computing efficiency at the expense of a certain server storage unit, and also enhances the security of the protocol.

5 Conclusions

In this paper, a new cryptographic key protocol is proposed by using the chaos mapping theorem. After proving the theorem, an example is given in detail. Then, we first proposed a new parameter, called the security/efficiency ratio (S/E ratio), for obtaining both security and efficiency integration performance. Through the security analysis and performance analysis of the new scheme, it is proved that the scheme is a round PAKA scheme which is safe and efficient. Next, the proposed scheme will be expanded from three aspects: 1) introducing smart CARDS or biometrics to the security level. 2) from the perspective of function, the research on issues such as fairness or entanglement is of great significance. 3) from a complex and diverse algorithm perspective, especially building new cryptocurrency/ blockchain is our interest.