A Protocol for Provably Secure Authentication of a Tiny Entity to a High Performance Computing One

We address the problem of developing authentication protocols for a specific scenario in which an entity with limited computational capabilities must prove its identity to a computationally powerful Verifier. We propose an authentication protocol suited to this scenario which jointly employs the learning parity with noise (LPN) problem and the paradigm of random selection. We show that the proposed protocol is secure against active attacks and against the so-called GRS man-in-the-middle (MIM) attacks. Compared with the related previously reported authentication protocols, the proposed one reduces the implementation complexity while providing at least the same level of cryptographic security.


Introduction
The expansion of Internet of Things (IoT) and Machine-to-Machine (M2M) communications has brought additional challenges regarding information security. In a number of scenarios at least one of the entities involved is a tiny device with very limited computational capabilities and heavy restrictions on power consumption. Accordingly, the challenge is to develop information security techniques which minimize the computational and power consumption overheads implied by the security requirements.
Authentication of one entity, called the Prover, to another, called the Verifier, has been well recognized as one of the cornerstones for achieving the desired level of information security (as well as cybersecurity). Authentication protocols for restricted implementation scenarios have been considered in a number of papers including [1][2][3]. This is also in line with a discussion recently reported in [4].
This paper considers an authentication approach suitable for scenarios where an entity with highly constrained computational capabilities should in a secure way perform authentication to the verification party with high performance computational capabilities.
The reported protocols appear not suitable enough because either (i) they are not lightweight enough for the tiny party of an authentication protocol and do not take into account the asymmetric implementation constraints, and/or (ii) they do not provide the desired level of cryptographic security.
Consequently, in this paper we jointly employ certain elements of the reported protocols to achieve our main goal: the development of authentication protocols with asymmetric implementation complexity at the Prover and Verifier sides which provide the desired provable level of cryptographic security.

Background
Mathematical Problems in Engineering
2.1. Family of HB Authentication Protocols. The origin of the family of authentication protocols based on the hardness of the learning parity with noise (LPN) problem is a lightweight two-pass authentication protocol called the HB protocol, reported in [5]. The simplicity of the approach and its provable security, implied by the fact that the LPN problem is NP-complete (see [6]), have attracted much interest. The HB protocol requires only basic AND and XOR operations, and it has been proved secure against passive attacks via a reduction to the LPN problem. However, it is insecure against a stronger, active adversary, who is able to impersonate a reader and interact with legitimate tags. To address this weakness, a modified HB protocol called the HB+ protocol has been reported in [7][8][9]. The HB+ protocol has been proved secure against active attacks, but [10] showed that it is insecure against a man-in-the-middle (MIM) attack. Specifically, [10] reports a linear-time MIM attack against the HB+ protocol, called the GRS-MIM attack. Later, a number of variants of the HB+ protocol were proposed to prevent the GRS-MIM attack (including [11, 12]), but all of them were subsequently shown to be insecure. After a number of unsuccessful attempts, [13] extended the HB+ protocol and proposed a new protocol, HB#, which requires only three-pass communication and is secure against GRS-MIM attacks. While two vectors are shared by the Prover and the Verifier as the secret keys in the HB+ protocol, two matrices are shared by the parties as the secret keys in the HB# protocol: by increasing the size of the secret keys, the HB# protocol achieves stronger security and reduces the communication complexity. However, [14] describes an MIM attack against the HB# protocol. After that, several three-pass protocols resisting MIM attacks were proposed. Three-pass authentication protocols with stronger security have been well studied. From a practical aspect, however, a two-pass authentication protocol is more desirable than a three-pass one. Constructing a two-pass authentication scheme with even active security had been an open problem for a long time. In [15], a two-pass authentication protocol called the AUTH protocol was proposed. The AUTH protocol is the first two-pass protocol which achieves active security, and it yields a large improvement in terms of round complexity. [15] also reports two variants of the AUTH protocol, which could be called the AUTH+ protocol and the AUTH# protocol. In the AUTH+ protocol, the computational complexity decreases in exchange for an increased number of secret keys. In the AUTH# protocol, the communication complexity decreases in exchange for an increased size of the secret keys, as in the HB# protocol. Later, in [16], the active security of the AUTH# protocol was proved using a modular approach which simplifies the proof: for this proof, a new computational assumption, called the MSLPN assumption, was introduced.

HB# Authentication Protocol
The HB# authentication protocol is a three-round challenge-response protocol which has been proposed and analyzed in [13]. Random-HB# is a generalization of HB+ in which the form of the secrets x and y has been changed from -bit vectors into ( × )- and ( × )-binary matrices X and Y. The Random-HB# protocol is displayed as follows.
Parameters: , , , , . For an additional explanation of the notation, please refer to Section 3.2.
While Random-HB# has a number of similarities with the HB+ protocol, there are important differences as well. In particular, the final verification by the reader consists of the comparison of the two -bit vectors a ⋅ X ⊕ b ⋅ Y and z.

Authentication Employing Random Selection.
Design and security evaluation of authentication protocols based on the random selection paradigm were initially reported in [17][18][19]. The principle of random selection can be described as follows. Suppose that the Verifier Alice and the Prover Bob run a challenge-response authentication protocol which uses a lightweight symmetric encryption operation of block length , where K denotes an appropriate key space. Suppose further that is weak in the sense that a passive adversary can efficiently compute the secret key ∈ K from samples of the form (, ()). This is obviously the case if is linear. Random selection denotes a method for compensating the weakness of by using the following mode of operation. Instead of holding a single ∈ K, Alice and Bob share a collection 1, . . ., of keys from K as their common secret information, where > 1 is a small constant.

Security Evaluation of an Authentication Protocol.
The common scenarios for security evaluation against impersonation attacks are as follows. The basic one is the passive attack scenario, which proceeds in two phases: in the first phase the adversary eavesdrops on a (large) number of interactions between and , and then attempts to cause to accept the authentication response in the second phase (where is no longer available). In an active attack, the adversary is additionally allowed to interact with in the first phase. The strongest and most realistic attack model is the man-in-the-middle attack (MIM), where the adversary can arbitrarily interact with and (with polynomially many concurrent executions allowed) in the first phase.

Proposal of a Dedicated Authentication Technique
This section proposes an authentication protocol with asymmetric implementation complexity which is suitable for authentication of a Prover with low computational capabilities to a Verifier with high performance computational capabilities.
3.1. Underlying Ideas for Design. Taking into account the results on authentication protocols reported in [13, 17, 18, 19, 20], this paper proposes a novel authentication protocol which is based on a nontrivial hybridization and upgrading of certain previously reported results.
The initial observations regarding certain previously reported protocols are the following: (i) The protocols reported in [13, 20] provide a number of interesting framework elements for developing highly secure authentication protocols, but they appear not light enough for a number of M2M authentication scenarios and do not take into account asymmetric implementation constraints. It is desirable to reduce the implementation complexity of certain authentication protocols with implementation potential in tiny Provers, like the HB# authentication protocol [13].
(ii) The protocols reported in [17][18][19] employ an interesting paradigm of random selection but do not provide the desired level of cryptographic security.
Accordingly, the underlying ideas for developing the novel authentication protocol were the following: (i) Employ framework elements of the HB# authentication protocol and modify it in order to fit the implementation restrictions at a tiny Prover and the asymmetric implementation and execution capabilities of the Prover and Verifier sides.
(ii) Do not employ elements of the reported protocols which do not support lightweightness of the authentication at the party (usually the Prover) with tiny capabilities.
(iii) Employ the power of random selection approach to enhance cryptographic security of the protocol at the tiny party as a trade-off between the cryptographic security of the protocol and its increased implementation complexity at the more powerful party (usually the Verifier).
In particular, note the following: (i) Instead of employing two secret keys X and Y as in the source HB# protocol, we propose employing one secret key and the random selection paradigm to achieve the same security goals.

Notations.
We use the following notation: (i) Z_2 and Z_2 denote, respectively, the set of all -dimensional binary vectors and the set of × binary matrices.
(ii) We use normal, bold, and capital bold letters such as , x, and X to denote single elements, vectors, and matrices.
(iii) For a vector x, x[] denotes the th element of x.
(iv) x ⊕ y is the bitwise XOR of two vectors x and y; that is, , for all . Similarly, X ⊕ Y is defined as the bitwise XOR of two binary matrices X and Y.
(v) ‖x‖ denotes the Hamming weight of the binary vector x, which is the number of its nonzero elements x[].
(vi) ←$ is the operation of sampling a value from the uniform distribution on the finite set .
(viii) e ← Ber means that the vector e was randomly chosen among all vectors of length , such that [] ← Ber and ∈ (0, 1/2), for 0 ≤ ≤ − 1.
(ix) Let e* be a vector of length and weight Δ. A circulant matrix E* = Circ(e*) over the vector e* is a matrix with columns, whose first column is e*, and each next column is produced by rotating the previous column one position downwards.
The elements of the set E*_{,,Δ} of circulant matrices with columns, generated over vectors of length and weight Δ, can be ordered in the array
(x) A ( × )-binary Toeplitz matrix is a matrix in which, for each diagonal from upper-left to lower-right, all the elements on the diagonal have the same value. Note that the entire matrix is specified by its top row and first column, so it can be parametrized by + − 1 bits. Note also that circulant matrices are a kind of Toeplitz matrix. Toeplitz matrices can be generated efficiently and have good statistical properties [13].
An algorithm is probabilistic if it makes random choices during its execution. A probabilistic algorithm is probabilistic polynomial-time (PPT) if for any input the computation of the algorithm terminates in at most a polynomial number of steps in the length of the input. We also use the term efficient algorithm as a synonym for PPT algorithm. A function () is negligible if for every positive polynomial , with large enough, it holds that () < 1/().
(ii) ∈ (0, 1/4): parameter of the Bernoulli distribution (Ber);

Proposal of the Authentication
(iii) thr: the acceptance threshold, such that thr ≪ /2.
Key Generation.Algorithm KG(1  ) samples a random matrix as a secret key and returns it to P and V.

Protocol Specification
Phase I: the protocol initialization, executed by
Phase II: challenge generation, executed by V: a ←$ Z_2; a → P (V sends message a to P).
Let us discuss the error rates of the protocol. A false rejection happens when a legitimate Prover is rejected by the Verifier, that is, when the weight of the vector e ← Ber generated in the response phase is greater than thr. Therefore, the probability of this event (the completeness error) is
A false acceptance occurs when an illegitimate Prover sends a randomly chosen response to the Verifier and gets authenticated, which happens with the following probability (the soundness error):
taking into account the number of binary vectors of length whose weight is at most thr and the ( Δ) different acceptance subcriteria of the Verifier.
Protocol Storage Optimization. Following the proposal in [13], the storage cost of the secret key Y may be reduced to + − 1 bits by using a Toeplitz matrix as Y instead of a random matrix. This type of storage reduction was applied in [13] to the Random-HB# protocol, resulting in the HB# protocol, which uses two Toeplitz matrices X and Y as secret keys. The security of HB# is based on the conjectured hardness of the so-called Toeplitz-MHB Puzzle. In our case, the security of this optimized protocol version is based on the analogously plausible conjecture about the hardness of the Toeplitz-MLPN problem (see Note 1, Section 5).

The Security Evaluation Framework
We consider two types of attack scenarios for our protocol: active and GRS-MIM scenarios. Both of them consist of two phases: the so-called learning and forgery phases. In the first phase, the adversary interacts with the Prover and/or Verifier, learning the information she needs in order to be successful in the second phase, where she interacts with the Verifier trying to make him output IND = 1.
Definition 1. The active attack is executed in two phases.
Phase 1. The adversary interacts only with the honest Prover P for a polynomial number of times .
Phase 2. The adversary interacts with the Verifier trying to impersonate the Prover.
Definition 2. The GRS-MIM attack is executed in two phases.
Phase 1. The adversary interferes in executions of the protocol. The adversary can eavesdrop on or modify all messages between the honest Prover and the honest Verifier and also gets the Verifier's decision on each execution of the protocol.
Phase 2. The adversary interacts with the Verifier trying to impersonate the Prover.
Let ⟨T, V⟩ denote a complete execution of the NHB# protocol between a party T and the Verifier V, and say that ⟨T, V⟩ takes value 1 if the execution ends with the Verifier's acceptance (i.e., IND = 1) and takes value 0 otherwise (IND = 0).
Then we define the advantage of an active adversary A as
and the advantage of a GRS-MIM adversary A as
If this advantage is nonnegligible, we say that the adversary A is successful in the given attack scenario against the protocol. The protocol is secure against active attacks if, for all efficient active adversaries A, the advantage Adv^active_A(, thr, , , ) is negligible. Similarly, the protocol is secure against MIM attacks if, for all efficient MIM adversaries A, the advantage Adv^MIM_A(, thr, , ) is negligible.

Security Evaluation in the Active Attacking Scenario
LPN Problem. Let x ∈ Z_2 be a secret key, and ∈ (0, 1/2). We denote by Λ(x) the probability distribution over Z_2 whose samples are pairs (a, a ⋅ x^⊤ ⊕ ), where a ←$ Z_2, ← Ber. Let Λ(x) also denote the oracle taking a sample from the distribution Λ(x). +1 is the oracle taking samples from the uniform distribution over Z_2^{+1}. The LPN problem consists of distinguishing access to the oracle Λ(x) from access to the oracle +1.
The LPN advantage of a distinguisher D is defined as
Proof. We slightly adapt the proof of Proposition 2 in [16]. As usual, we assume that there exists a distinguisher D_MLPN with MLPN-advantage and use it as a subroutine to construct a distinguisher D_LPN, and prove that the corresponding LPN-advantage is equal to , which contradicts the hardness assumption of LPN.

For = 0, . . ., , we denote by the probability that the distinguisher D_MLPN outputs 1 when its input is a sample Λ(X): Note that Λ^0(X) is the same as a sample from Ũ, and Λ(X) is the same as a Λ(X) sample. Therefore
The distinguisher D_LPN will forward the samples Λ(X) for ←$ {0, . . ., } as input to the distinguisher D_MLPN. Each sample will contain a sample from the unknown oracle that D_LPN communicates with (Λ(x) or +1). Then, D_LPN will produce the same output as D_MLPN. Now follows the precise description of the actions taken by the D_LPN algorithm: (1) Take a sample (a, z) ∈ Z (3) Make a sample (ã, z), where
Thus, the distinguisher D_LPN achieves LPN advantage greater than or equal to , which contradicts that LPN is (, , )-hard.
Proof. The proof consists of the following four parts: (i) specification of a contradiction scenario, which is the framework for security evaluation in which an active adversary A exists; (ii) design of a distinguishing algorithm D which learns from A in order to solve a hard problem; (iii) the procedure for distinguishing between two oracles; and (iv) estimation of the success rate of D in the distinguishing phase.
(i) We assume the opposite of the statement of Theorem 6; that is, the protocol is not actively secure and an active adversary exists achieving a nonnegligible advantage, but this will contradict the hardness assumption of the MLPN problem. The addressed scenario is formally specified in the following claim.
Claim. Suppose that there is an active adversary A interacting with the Prover P in at most executions of the NHB# protocol, running in time and achieving advantage Adv^active_A(, thr, , ) = . Then there exists a PPT algorithm D, running in time O() and making Θ() oracle queries, such that
(ii) The learning phase: at first, D initializes the learning phase of the adversary A, while simulating the honest Prover P_sim of protocol NHB#: (1) D takes the sample (b, z) from the oracle.
(2) D as P_sim sends b to the adversary A. (5) D as P_sim sends the value z to the active adversary A.
The previous steps are repeated times. (iii) The oracle distinguishing phase: D takes the following actions: (1) initiates a communication with the adversary A (after its learning phase), which sends a blinding message b; (2) chooses two different random vectors a_1, a_2 ←$ Z_2; (3) sends the challenge a_1 to the adversary A and receives a response z_1 in return; (4) rewinds A (to behind Step (1)), sends another challenge a_2, and receives the answer z_2; (5) receives the answer z_2 from A; (6) for , = 1, . . ., (
(2) Suppose that D had access to the oracle Λ(Y). Then z = bY ⊕ e, so z = aE* ⊕ z = aE* ⊕ bY ⊕ e. Thus, D simulated P_sim correctly in the learning phase of A, so the adversary authenticates to the protocol with the nonnegligible probability . That means that ^2 is the probability that, for the answers z_1, z_2 of the adversary produced in Steps (3) and (4) of the oracle distinguishing phase, it holds that ‖z_1 ⊕ a_1E*_{,,Δ}[] ⊕ bY‖ ≤ thr and ‖z_2 ⊕ a_2E*_{,,Δ}[] ⊕ bY‖ ≤ thr for some , . Therefore, by the triangle inequality in the Hamming metric, we get that
Thus, depending on whether D was interacting with the uniform or the MLPN oracle, we estimate the difference in the probabilities of D producing IND = 1 as output:
Therefore, the distinguisher achieves a nonnegligible MLPN advantage, which contradicts the hardness assumption of the MLPN problem.

Security Evaluation in the Restricted Man-in-the-Middle Attacking Scenario
We prove the GRS-MIM security following the technique used in [13].
The previous lemma also holds if X is a random Toeplitz matrix (Appendix C, [13]).
Theorem 8. Suppose that there exists an efficient GRS-MIM adversary A attacking the #(, thr, , ) protocol by modifying at most executions of the protocol between the Prover and the Verifier, running in time and achieving advantage at least . Then, under an easily met condition on the parameter set, there is an active adversary A' attacking #(, thr, , ), interacting at most times with the honest Prover, running in time () and achieving a nonnegligible advantage.
Proof. The proof consists of the following two parts: (i) specification of the learning phase of the MIM adversary and (ii) evaluation of the advantage which the MIM adversary can achieve after the learning phase.
The Learning Phase of the MIM Adversary. In order to provide a valid learning phase for the adversary A, the adversary A' takes the roles of the simulated honest Prover and honest Verifier, denoted by P_sim and V_sim.
The honest Prover P sends a blinding vector b to A  , and A  playing as P sim forwards  to A.
A  playing as V sim sends a random vector a $ ←  Z  2 as a challenge to P sim .
A modifies a to â = a ⊕ a and sends â to P sim , and A  forwards â to the honest P. P returns z = âE * ⊕ bY ⊕ e to A  .
A  as P sim forwards z to V sim .
If a is the all-zero vector, V sim sets IND = 1; otherwise IND = 0.
The previous procedure is being repeated in  iterations.
The Advantage of the MIM Adversary. We consider that the adversary A has achieved successful learning if P_sim and V_sim were executed correctly in each iteration of the learning phase, that is, if they behaved like the honest P and V.
Since P sim forwards directly the responses of honest P to the received queries, P sim works correctly in each simulation step.
On the other hand, the behaviours of the honest V and V sim do not have to match in all circumstances.
This happens in two cases: when V sim accepts the response which gets rejected by V, or when V sim rejects the response which gets accepted by V.
In the first situation, since V sim accepts the response, it means that it is the response of honest P which is rejected by V, so the probability of this event is equal to the completeness error of the protocol; that is, Pr [ sim (IND = 1), (IND = 0)] =  FR .
In order that the second term also gets negligible, we choose  ≥  0 such that 1 − / − (/) is always positive; that is, (/) < 1 − / (that condition is easily met for the usual parameter values [13]).
Therefore, we have that the probability of an incorrect simulation in a single iteration is ≤ FR + ^{−(−thr)^2/2} + 2^{−(1−/−(/))}. (18)
Thus, the probability that all iterations are correct, that is, that the learning phase is successfully conducted, is (1 − )^, which has the asymptotic value 1.
We conclude that the advantage of the active adversary A' attacking NHB#(, thr, , ) is = (1 − )^, which is a nonnegligible value, so this contradicts the active security of that protocol.

A Concluding Discussion
This paper proposes an authentication protocol with asymmetric implementation complexity which is suitable for the authentication of a Prover with low computational capabilities to a Verifier with high performance computational capabilities. The protocol is based on a trade-off between the execution overheads at the Prover and the Verifier: more computational effort is required on the Verifier's side in order to maintain the desired level of authentication security.
The proposed protocol originates from the HB# protocol [13], but it reduces the required secret key dimension to half of the one required in HB#. The reduction of the required secret key dimension and the asymmetric computational overheads at the Prover and the Verifier are consequences of employing the random selection paradigm. The security of the proposed authentication protocol results from the joint employment of the LPN problem and the random selection paradigm. In this paper, the security of the proposed authentication protocol has been proved in the active attacking scenario and in the restricted MIM (so-called GRS-MIM) attacking scenario. We conjecture that the protocol could achieve security in MIM attacking scenarios stronger than GRS-MIM, and this is one of the directions for related future work.

Protocol. The authentication protocol NHB# (Nondeterministic HB#) is displayed as follows:
Parameters: , , , thr
P (secret Y): e ← Ber; e* ←$ Z_2, ‖e*‖ = Δ; E* = Circ(e*); z = aE* + bY + e; z → V
V: ‖z ⊕ aE*[] ⊕ bY‖ ≤ thr for some , 1 ≤ ≤ ( Δ), where E*[] = E*_{,,Δ}[].
This authentication protocol NHB# (Nondeterministic HB#) is an interactive protocol executed between the Prover P and the Verifier V, which are efficient algorithms. They share one secret key, a matrix Y ∈ Z_2, which is produced by the key-generation algorithm KG(1^) for the security parameter . As a result of the protocol execution, the Verifier V outputs an indicator of acceptance IND, such that IND = 1 if V confirms that the Prover is valid; otherwise the indicator is set to IND = 0.
Public Parameters (i) , ∈ N: dimensions of the secret matrix Y, which depend on the security parameter ;
Phase III: response generation, executed by P: e ← Ber; e* ←$ Z_2, ‖e*‖ = Δ; E* = Circ(e*); z := aE* + bY + e; z → V (P sends z to V).
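The NHB# exchange specified above (Phases I to III and the Verifier's check), together with the completeness and soundness error rates discussed in the Protocol Specification, as an added toy implementation that is not the paper's code. It assumes that a, e* and z all have length m so that aE* and bY match (the paper's n is taken equal to m), that the Verifier searches all C(m, Δ) circulant matrices, and uses small constructed parameters with no Toeplitz storage optimization.

```python
import random
from itertools import combinations
from math import comb

def gf2_xor(u, v):
    """Bitwise XOR of two equal-length binary vectors (addition over GF(2))."""
    return [x ^ y for x, y in zip(u, v)]

def vec_mat(v, mat):
    """Row vector v (length r) times an r-by-c binary matrix, over GF(2)."""
    out = [0] * len(mat[0])
    for vi, row in zip(v, mat):
        if vi:
            out = gf2_xor(out, row)
    return out

def circ(e):
    """Circ_n(e): n-by-n matrix (list of rows) whose first column is e and each
    next column is the previous column rotated one position downwards."""
    n = len(e)
    return [[e[(i - j) % n] for j in range(n)] for i in range(n)]

def weight_delta_vectors(n, delta):
    """All length-n binary vectors of weight delta: the C(n, delta) choices of e*."""
    for pos in combinations(range(n), delta):
        v = [0] * n
        for p in pos:
            v[p] = 1
        yield v

def keygen(k, m, rng):
    """KG: a uniformly random k-by-m secret matrix Y, shared by P and V."""
    return [[rng.randrange(2) for _ in range(m)] for _ in range(k)]

def prover_response(Y, a, b, delta, eta, rng):
    """Phase III at P: e <- Ber_eta^m, fresh e* of weight delta, z = aE* + bY + e."""
    m = len(Y[0])
    e = [1 if rng.random() < eta else 0 for _ in range(m)]
    e_star = rng.choice(list(weight_delta_vectors(m, delta)))  # uniform weight-delta
    z = gf2_xor(vec_mat(a, circ(e_star)), vec_mat(b, Y))
    return gf2_xor(z, e)

def verify(Y, a, b, z, delta, thr):
    """V accepts iff ||z + aE*[i] + bY|| <= thr for SOME of the C(m, delta) circulant
    matrices E*[i]; this search is the Verifier-side cost of random selection."""
    by = vec_mat(b, Y)
    for e_star in weight_delta_vectors(len(z), delta):
        if sum(gf2_xor(gf2_xor(z, vec_mat(a, circ(e_star))), by)) <= thr:
            return True
    return False

def run_protocol(Y, delta, eta, thr, rng, z_override=None):
    """One three-pass execution: P sends b, V sends a, P sends z; returns V's IND.
    z_override lets an impersonator inject a response that ignores the key."""
    k, m = len(Y), len(Y[0])
    b = [rng.randrange(2) for _ in range(k)]  # Phase I: P's blinding vector
    a = [rng.randrange(2) for _ in range(m)]  # Phase II: V's challenge
    z = prover_response(Y, a, b, delta, eta, rng) if z_override is None else z_override
    return verify(Y, a, b, z, delta, thr)

def false_rejection_prob(m, eta, thr):
    """Completeness error P_FR = Pr[||e|| > thr] for e <- Ber_eta^m (binomial tail)."""
    return sum(comb(m, j) * eta**j * (1 - eta) ** (m - j) for j in range(thr + 1, m + 1))

def false_acceptance_bound(m, delta, thr):
    """Soundness error for a random response z, union bound over the C(m, delta)
    acceptance subcriteria: C(m, delta) * #{length-m vectors of weight <= thr} / 2^m."""
    return comb(m, delta) * sum(comb(m, j) for j in range(thr + 1)) / 2**m

if __name__ == "__main__":
    rng = random.Random(1)
    K, M, DELTA, ETA, THR = 32, 32, 2, 0.05, 4  # constructed toy parameters
    Y = keygen(K, M, rng)
    print("honest run accepted:", run_protocol(Y, DELTA, ETA, THR, rng))
    fake_z = [rng.randrange(2) for _ in range(M)]  # impersonator with no key
    print("random z accepted:", run_protocol(Y, DELTA, ETA, THR, rng, fake_z))
    print("P_FR = %.4f, P_FA <= %.4f" % (false_rejection_prob(M, ETA, THR),
                                        false_acceptance_bound(M, DELTA, THR)))
```

With these parameters the Verifier evaluates 496 candidate circulants per execution while the Prover computes one matrix-vector product, which is the asymmetry the paper trades for.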

(3) The active adversary A forwards a challenge a ←$ Z_2 to P_sim. D takes the following actions: (4) chooses a vector e* ←$ Z_2, ‖e*‖ = Δ. Then it makes E* = Circ(e*) and sets the value z := aE* + z;

p = Pr[ sim(IND = 1), (IND = 0)] + Pr[ (IND = 0), sim(IND = 1)].
The MLPN problem, that is, the matrix variant of the LPN problem, is to distinguish access to the oracle Λ(X) from access to the oracle Ũ. For a distinguisher D, we define the MLPN advantage of D as
In asymptotic terms, MLPN is hard if all efficient distinguishers D achieve a negligible Adv^MLPN_D(, , ) advantage.
Definition 3 (LPN problem). The LPN problem is (, , )-hard if for every distinguisher D running in time and making queries, the advantage Adv^LPN_D(, ) is less than . In asymptotic terms, LPN is hard if for every efficient D, the advantage Adv^LPN_D(, ) is negligible.
Definition 4 (MLPN problem). The MLPN problem is (, , )-hard if, for all distinguishers D running in time and making queries, the advantage Adv^MLPN_D(, , ) is less than .
Δ) makes the values := ‖z_1 ⊕ z_2 ⊕ a_1E*_{,,Δ}[] ⊕ a_2E*_{,,Δ}[]‖ (13) and outputs IND = 1 if ≤ 2 ⋅ thr for some , . Otherwise, IND = 0.
(iv) The success rate of D in the distinguishing phase: we analyze the success rate of the algorithm D in distinguishing the distribution used by the oracle O. (1) If O uses the uniform distribution, then b, z, and z are uniformly random. D outputs IND = 1 if z_1 and z_2 produced by the adversary A satisfy the condition ‖z_1 ⊕ z_2 ⊕ a_1E*_{,,Δ}[] ⊕ a_2E*_{,,Δ}[]‖ ≤ 2 ⋅ thr for some , . Since A did not learn correctly, we can assume that z_1 and z_2 are random, so the event IND = 1 has the nonnegligible probability (( Δ)^2 / 2^) ∑_{=0}^{2⋅thr} ( ).