Code-Based Secret Handshake Scheme, Revisited

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14344)

Abstract

Secret handshake (SH) allows two users to authenticate each other anonymously only when they are in the same group. Recently, due to the concern of developments on large-scale quantum computers, designing post-quantum SH has been investigated and three constructions were proposed: One is code-based [21] and two others are lattice-based [1, 2]. However, it turns out that the code-based construction [21] has a security flaw that the adversary easily impersonates an honest user to activate a handshake.

In this paper, we show how to construct a code-based SH scheme in the framework of CA-oblivious encryption by utilizing the recently proposed code-based signature scheme, called LESS-FM, whose security is based on the hardness of the code equivalence problem. Our proposed scheme is the first secure code-based SH and has the smallest communication cost among all known post-quantum SH schemes. For example, for 80-bit security, our scheme has communication costs of about 260 KB and 3.4 KB when instantiated with Classic McEliece and BIKE, respectively, while other existing post-quantum constructions have communication costs of megabytes or gigabytes.

References

  1. An, Z., Pan, J., Wen, Y., Zhang, F.: Secret handshakes: full dynamicity, deniability and lattice-based design. Theoret. Comput. Sci. 940, 14–35 (2023)

  2. An, Z., Zhang, Z., Wen, Y., Zhang, F.: Lattice-based secret handshakes with reusable credentials. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds.) ICICS 2021. LNCS, vol. 12919, pp. 231–248. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88052-1_14

  3. Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions

  4. Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.: Secret handshakes from pairing-based key agreements. In: IEEE Symposium on Security and Privacy (S&P 2003), pp. 180–196. IEEE Computer Society (2003)

  5. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from the code equivalence problem. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 23–43. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_2

  6. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: On the computational hardness of the code equivalence problem in cryptography. Cryptology ePrint Archive, Paper 2022/967 (2022). https://eprint.iacr.org/2022/967

  7. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: On the computational hardness of the code equivalence problem in cryptography. Adv. Math. Commun. 17(1), 23–55 (2023)

  8. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

  9. Bernstein, D.J.: Classic McEliece. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions

  10. Biasse, J.-F., Micheli, G., Persichetti, E., Santini, P.: LESS is more: code-based signatures without syndromes. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 45–65. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_3

  11. Castelluccia, C., Jarecki, S., Tsudik, G.: Secret handshakes from CA-oblivious encryption. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 293–307. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_21

  12. Faugère, J.-C., Gauthier-Umaña, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: 2011 IEEE Information Theory Workshop, pp. 282–286 (2011)

  13. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  14. Jarecki, S., Kim, J., Tsudik, G.: Authentication for paranoids: multi-party secret handshakes. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 325–339. Springer, Heidelberg (2006). https://doi.org/10.1007/11767480_22

  15. Jarecki, S., Kim, J., Tsudik, G.: Group secret handshakes or affiliation-hiding authenticated group key agreement. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 287–308. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_19

  16. Jarecki, S., Liu, X.: Unlinkable secret handshakes and key-private group key management schemes. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 270–287. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_18

  17. Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Crypt. 49(1), 289–305 (2008)

  18. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science (FOCS 1994), pp. 124–134. IEEE Computer Society (1994)

  19. Wen, Y., Zhang, F., Wang, H., Gong, Z., Miao, Y., Deng, Y.: A new secret handshake scheme with multi-symptom intersection for mobile healthcare social networks. Inf. Sci. 520, 142–154 (2020)

  20. Wen, Y., Zhang, F., Xu, L.: Secret handshakes from ID-based message recovery signatures: a new generic approach. Comput. Elect. Eng. 38(1), 96–104 (2012)

  21. Zhang, Z., Zhang, F., Tian, H.: CSH: a post-quantum secret handshake scheme from coding theory. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 317–335. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_16

  22. Zhou, L., Susilo, W., Mu, Y.: Three-round secret handshakes based on ElGamal and DSA. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds.) ISPEC 2006. LNCS, vol. 3903, pp. 332–342. Springer, Heidelberg (2006). https://doi.org/10.1007/11689522_31

Acknowledgements

The authors thank the anonymous reviewers for their helpful comments. H. T. Lee was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2021R1A2C1007484, NRF-2022R1A4A5034130).

Corresponding author

Correspondence to Hyung Tae Lee.

Appendices

A Definitions for Digital Signatures

A signature scheme \(\textsf{Sig}=(\textsf{KeyGen}, \textsf{Sign}, \textsf{Verify})\) consists of the following three polynomial-time algorithms:

  • \(\textsf{KeyGen}(\lambda )\rightarrow (\textsf{sk}, \textsf{pk})\): On input a security parameter \(\lambda \), it returns a pair of secret and public keys \((\textsf{sk}, \textsf{pk})\).

  • \(\textsf{Sign}(\textsf{sk}, \textsf{msg})\rightarrow \sigma \): Given the secret key \(\textsf{sk}\) and a message \(\textsf{msg}\), it returns a signature \(\sigma \).

  • \(\textsf{Verify}(\textsf{pk}, \sigma , \textsf{msg})\rightarrow 1/0\): Given the public key \(\textsf{pk}\), a signature \(\sigma \), and a message \(\textsf{msg}\), it returns 1 (accept) or 0 (reject).

We say that a signature scheme \(\textsf{Sig}=(\textsf{KeyGen}, \textsf{Sign}, \textsf{Verify})\) is correct if for any security parameter \(\lambda \) and message \(\textsf{msg}\), it always holds that

$$\begin{aligned} \textsf{Verify}(\textsf{pk}, \sigma , \textsf{msg}) = 1 \end{aligned}$$

where \(\textsf{KeyGen}(\lambda )\rightarrow (\textsf{sk}, \textsf{pk})\) and \(\textsf{Sign}(\textsf{sk}, \textsf{msg})\rightarrow \sigma \).

EUF-CMA Security. A digital signature scheme is existentially unforgeable against chosen message attacks (EUF-CMA) if for any PPT adversary \(\mathcal {A}\) its advantage in the following experiment is negligible in the security parameter \(\lambda \):

\(\underline{\textsf {Exp}_{\mathcal {A}, \textsf{Sig}}^{\text {EUF-CMA}}(\lambda )}\)

  • \(\textsf{KeyGen}(\lambda )\rightarrow (\textsf{sk}, \textsf{pk})\)

  • \(\mathcal {A}^{\mathcal {O}^{\textsf{Sign}(\textsf{sk}, \cdot )}}(\textsf{pk})\rightarrow (\textsf{msg}^*, \sigma ^*)\)

where \(\mathcal {O}^{\textsf{Sign}(\textsf{sk}, \cdot )}\) is the signing oracle that takes a message as input and returns a signature on that message under the secret key \(\textsf{sk}\). The restriction is that \(\textsf{msg}^*\) must not have been queried to \(\mathcal {O}^{\textsf{Sign}(\textsf{sk}, \cdot )}\). The advantage of \(\mathcal {A}\) in the above experiment is defined as \(\textbf{Adv}_{\!\mathcal {A},\textsf{Sig}}^{\text {EUF-CMA}}(\lambda ):=\Pr [\textsf{Verify}(\textsf{pk}, \sigma ^*, \textsf{msg}^*)\rightarrow 1]\).

B Proof of Lemma 2

Consider the OW-CPA security experiment between \(\mathcal {A}\) and \(\mathcal {S}\) where \(\mathcal {A}\) may generate the event that \(\mathcal {B}\) aborts as in the security game of the proof of Theorem 1 and \(\mathcal {S}\) is a PPT adversary who wants to break the EUF-CMA security of LESS-FM. Let \(\mathcal {C}_{L}\) be the challenger who interacts with \(\mathcal {S}\) in the EUF-CMA security experiment of LESS-FM.

  1. Once the target parameter \(\textsf{pp},\textbf{G}\) and public key \(\textsf{pk}^*=(\textbf{G}_1, \ldots , \textbf{G}_r)\) of LESS-FM are given to \(\mathcal {S}\), set \(\textsf{params}=(\lambda , \textsf{pp}, \textbf{G})\) and \(\textsf{pk}_{\textsf{CA}}=\textsf{pk}^*\). Then, \(\mathcal {S}\) passes \(\textsf{params}\) and \(\textsf{pk}_{\textsf{CA}}\) to \(\mathcal {A}\).

  2. For \(\mathcal {A}\)’s queries, \(\mathcal {S}\) responds as follows:

     • \(\mathcal {H}_1\) and \(\mathcal {H}_2\) queries: For \(\mathcal {H}_1\) and \(\mathcal {H}_2\) queries, the list List is initialized as an empty set and \(\mathcal {S}\) proceeds as follows:

       • \(\mathcal {H}_1\) queries: On input \(((\tilde{\textbf{G}}_{j,i})_{1\le i\le t}, \textsf{ID}_j)\),

         (a) Request a \(\widehat{\mathcal {H}}\) query on \(((\tilde{\textbf{G}}_{j,i})_{1\le i\le t}, \textsf{ID}_j)\) to \(\mathcal {C}_{L}\) and obtain \(\textbf{h}_j\), which corresponds to \(\widehat{\mathcal {H}}((\tilde{\textbf{G}}_{j,i})_{1\le i\le t}, \textsf{ID}_j)\) in LESS-FM.

         (b) Search the list List to see whether a pair \((\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) was already generated. If it exists, take and use it for the following steps. Otherwise, run \(\textsf{PKE}.\textsf{KeyGen}(\lambda )\rightarrow (\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) and use the result.

         (c) Pick a random \(rv_j\) from \(\{0, 1\}^{\ell }\) and compute \(c_j=rv_j\oplus \textsf{pk}_{\textsf{ID}_j}\).

         (d) Store \(\langle \textsf{ID}_j, \textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j}, (\textbf{G}_{j,i})_{1\le i\le t}, c_j, rv_j, \textbf{h}_j\rangle \) in List and return \(rv_j\) to \(\mathcal {A}\).

         We note that at this point \(\mathcal {H}_2(c_j, \textsf{ID}_j)\) is determined as \(\textbf{h}_j\), just as \(\mathcal {H}_1((\tilde{\textbf{G}}_{j,i})_{1\le i\le t}, \textsf{ID}_j)\) is determined as \(rv_j\).

       • \(\mathcal {H}_2\) queries: On input \((c_j, \textsf{ID}_j)\), \(\mathcal {S}\) checks whether a tuple \(\langle \textsf{ID}_j, \cdot , \cdot , \cdot , c_j, \cdot , \textbf{h}_j\rangle \) already exists. If it exists, return the corresponding \(\textbf{h}_j\). Otherwise, \(\mathcal {S}\) proceeds as follows:

         (a) Check the list List to see whether a pair \((\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) was already generated. If it exists, take and use it for the following step. Otherwise, run \(\textsf{PKE}.\textsf{KeyGen}(\lambda )\rightarrow (\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) and use the result.

         (b) Pick \(\textbf{h}_j{\mathop {\leftarrow }\limits ^{\$}}\mathbb {Z}_{r+1, w}^t\), store \(\langle \textsf{ID}_j, \textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j}, -, c_j, -, \textbf{h}_j\rangle \) in List, where − indicates an empty string, and return \(\textbf{h}_j\) to \(\mathcal {A}\).

     • \(\textsf{Certify}\) queries: For \(\mathcal {A}\)’s request on \((\textsf{tr}_{\textsf{ID}_j}, \textsf{cert}_{\textsf{ID}_j})\) of any ID string \(\textsf{ID}_j\) under \(\textsf{pk}_{\textsf{CA}}\), \(\mathcal {S}\) proceeds as follows:

       (a) Request a signing query on message \(\textsf{ID}_j\) to obtain the LESS-FM signature \(((\textbf{R}_{j,i})_{1\le i\le t}, \textbf{h}_j)\) for message \(\textsf{ID}_j\).

       (b) Check the list List to see whether a tuple \(\langle \textsf{ID}_j, \textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j}, \cdot , \cdot , \cdot , \cdot \rangle \) is stored. If it exists, take and use \((\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) for the following steps. Otherwise, run \(\textsf{PKE}.\textsf{KeyGen}(\lambda )\rightarrow (\textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j})\) and use the result.

       (c) Pick a random \(rv_j\) from \(\{0, 1\}^{\ell }\) and compute \(c_{j}=\textsf{pk}_{\textsf{ID}_j}\oplus rv_j\).

       (d) Store \(\langle \textsf{ID}_j, \textsf{pk}_{\textsf{ID}_j}, \textsf{sk}_{\textsf{ID}_j}, -, c_{j}, rv_j, \textbf{h}_j\rangle \) in List. Set and return \(\textsf{tr}_{\textsf{ID}_j}=\textsf{sk}_{\textsf{ID}_j}\), \(\textsf{cert}_{\textsf{ID}_j}=(c_{j},(\textbf{R}_{j,i})_{1\le i\le t})\).

  3. Once \(\mathcal {A}\) submits a pair of target ID string and certificate \((\textsf{ID}_{\!\mathcal {A}}, \textsf{cert}_{\textsf{ID}_{\!\mathcal {A}}})\), where \(\textsf{cert}_{\textsf{ID}_{\!\mathcal {A}}}=(c_{\textsf{ID}_{\!\mathcal {A}}}, (\textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i})_{1\le i\le t})\), \(\mathcal {S}\) proceeds as follows:

     (a) Check the list List to see whether \(\langle \textsf{ID}_{\!\mathcal {A}}, \textsf{pk}_{\textsf{ID}_{\!\mathcal {A}}}, \textsf{sk}_{\textsf{ID}_{\!\mathcal {A}}}, \cdot , \cdot , \cdot , \cdot \rangle \) is stored. If it exists, take and use \((\textsf{pk}_{\textsf{ID}_{\!\mathcal {A}}}, \textsf{sk}_{\textsf{ID}_{\!\mathcal {A}}})\) for the following steps. Otherwise, run \(\textsf{PKE}.\textsf{KeyGen}(\lambda )\rightarrow (\textsf{pk}_{\textsf{ID}_{\!\mathcal {A}}}, \textsf{sk}_{\textsf{ID}_{\!\mathcal {A}}})\) and use the result.

     (b) Store \(\langle \textsf{ID}_{\!\mathcal {A}}, \textsf{pk}_{\textsf{ID}_{\!\mathcal {A}}}, \textsf{sk}_{\textsf{ID}_{\!\mathcal {A}}}, -, c_{\textsf{ID}_{\!\mathcal {A}}},-, -\rangle \) in List.

     (c) Select a random message \(m\in \mathcal {M}\) and run \(\textsf{PKE}.\textsf{Enc}(\textsf{pk}_{\textsf{ID}_{\!\mathcal {A}}},m)\rightarrow \textsf{CT}^*\). Return \(\textsf{CT}^*\) to \(\mathcal {A}\).

  4. For \(\mathcal {A}\)’s queries, \(\mathcal {S}\) responds as in Step 2.

  5. Finally, once \(\mathcal {A}\) outputs \(m'\), \(\mathcal {S}\) selects \(\textbf{h}\) randomly from the last column of List and returns the message \(\textsf{ID}_{\mathcal {A}}\) together with the pair \(((\textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i})_{1\le i\le t},\textbf{h})\) as the corresponding signature.

We first consider the case that the above simulation fails. It may occur when the \(\mathcal {H}_1\) and \(\mathcal {H}_2\) queries are handled inconsistently. In the simulation, suppose that \((c_{j}, \textsf{ID}_j)\) was requested to the \(\mathcal {H}_2\) oracle first, and a value for \(\mathcal {H}_2(c_{j}, \textsf{ID}_j)\) was assigned. Later, once \(((\textbf{G}_{j,i})_{1\le i\le t}, \textsf{ID}_j)\) is requested to the \(\mathcal {H}_1\) oracle, \(\mathcal {S}\) requests a value from \(\mathcal {C}_{L}\) and receives \(\textbf{h}'\). Then, \(\mathcal {S}\) selects a random \(rv_{j}\), computes \(c_{j}=rv_{j}\oplus \textsf{pk}_{\textsf{ID}_j}\), and returns \(rv_{j}\). In this process, if \((c_{j}, \textsf{ID}_j)\) was already stored and the value for \(\mathcal {H}_2(c_{j}, \textsf{ID}_j)\) differs from \(\textbf{h}'\), then the simulation fails. On the one hand, the \(rv_{j}\)’s are randomly selected from \(\{0, 1\}^\ell \), whose cardinality \(2^\ell \) is exponential in the security parameter \(\lambda \), so the probability that a collision occurs among up to \(2^{\ell /2}\) randomly selected elements is less than 1/2. On the other hand, the number of queries allowed to \(\mathcal {A}\) is polynomial in the security parameter. Thus, the probability that the above simulation fails is less than 1/2.
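
As an added illustration that is not part of the paper, the following Python sketch transcribes the bookkeeping of \(\mathcal {S}\) described above: the list List, the programming of \(\mathcal {H}_1\) and \(\mathcal {H}_2\) queries, and the failure event in which \((c_j, \textsf{ID}_j)\) was assigned by \(\mathcal {H}_2\) before \(\mathcal {H}_1\) fixed it. \(\textsf{PKE}.\textsf{KeyGen}\), the LESS-FM hash oracle of \(\mathcal {C}_{L}\), the sampling of \(\textbf{h}\) and \(rv\), and the concrete tuple layout are stand-ins chosen here; \(\textsf{Certify}\) queries are omitted.

```python
# Added illustration of the simulator S in the proof of Lemma 2 (not the
# paper's code): PKE.KeyGen, the hash oracle of C_L and the random samplers
# are injected stand-in callables so the H1/H2 programming runs offline.
from collections import namedtuple

# One tuple <ID, pk, sk, (G_i), c, rv, h> of List; None stands for '-'.
Entry = namedtuple("Entry", "id_ pk sk g_tilde c rv h")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """c_j = rv_j XOR pk_ID_j; both strings have length ell."""
    return bytes(x ^ y for x, y in zip(a, b))

class Simulator:
    def __init__(self, keygen, less_hash, sample_h, sample_rv):
        self.keygen, self.less_hash = keygen, less_hash
        self.sample_h, self.sample_rv = sample_h, sample_rv
        self.entries = []    # the list List
        self.failed = False  # event F: H2(c_j, ID_j) was fixed earlier to another h

    def _keys(self, id_):  # reuse (pk_ID, sk_ID) from List, else run PKE.KeyGen
        for e in self.entries:
            if e.id_ == id_:
                return e.pk, e.sk
        return self.keygen()

    def _h2_value(self, c, id_):
        for e in self.entries:
            if e.id_ == id_ and e.c == c:
                return e.h
        return None

    def h1(self, g_tilde, id_):
        """H1 query: get h_j from C_L's hash oracle, then fix H2(c_j, ID_j) = h_j."""
        h = self.less_hash(g_tilde, id_)          # (a)
        pk, sk = self._keys(id_)                  # (b)
        rv = self.sample_rv()                     # (c)
        c = xor_bytes(rv, pk)
        if self._h2_value(c, id_) not in (None, h):
            self.failed = True                    # the simulation fails
        self.entries.append(Entry(id_, pk, sk, g_tilde, c, rv, h))  # (d)
        return rv

    def h2(self, c, id_):
        """H2 query: answer from List if already fixed, else sample a fresh h_j."""
        prior = self._h2_value(c, id_)
        if prior is not None:
            return prior
        pk, sk = self._keys(id_)                  # (a)
        h = self.sample_h()                       # (b), stand-in for Z^t_{r+1,w}
        self.entries.append(Entry(id_, pk, sk, None, c, None, h))
        return h

def demo(ell=4):
    """Constructed inputs; rv is fixed to zeros so that c_j = pk_ID_j is predictable."""
    pk = bytes(range(1, ell + 1))
    def make():  # stand-ins: fixed key pair, fixed oracle answers
        return Simulator(lambda: (pk, b"sk"), lambda g, i: (1, 2, 3),
                         lambda: (5, 5, 5), lambda: bytes(ell))
    s1 = make()                                   # H1 first, then H2: consistent
    rv = s1.h1(("G1", "G2"), "alice")
    ok = s1.h2(xor_bytes(rv, pk), "alice") == (1, 2, 3) and not s1.failed
    s2 = make()                                   # H2 first fixes (5, 5, 5); H1 then fails
    s2.h2(pk, "alice")
    s2.h1(("G1", "G2"), "alice")
    return ok, s2.failed
```

With genuinely random \(rv_j\) the second ordering only causes a failure when the sampled \(c_j\) collides with an earlier \(\mathcal {H}_2\) query, which is the collision probability bounded in the paragraph above.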

Suppose that the event that \(\mathcal {B}\) aborts occurs in the previous OW-CPA security experiment between \(\mathcal {A}\) and \(\mathcal {B}\). That is, when \(\mathcal {A}\) submits a pair of target ID string and certificate \((\textsf{ID}_{\!\mathcal {A}}, \textsf{cert}_{\textsf{ID}_{\!\mathcal {A}}})\) where \(\textsf{cert}_{\textsf{ID}_{\!\mathcal {A}}}=(c_{\textsf{ID}_{\!\mathcal {A}}}, (\textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i})_{1\le i\le t})\), each \(\textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i}\) satisfies \(\tilde{\textbf{Q}}_i = \textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i}\textbf{Q}_{h_i}\) and \(\tilde{\textbf{G}}_i=\textsf{SF}(\textbf{G}\tilde{\textbf{Q}}_i)\) where \(\textbf{Q}_{h_i}\)’s are in the target secret key of LESS-FM and \(\textbf{h}=(h_1, \ldots , h_t)=\mathcal {H}_2(c_{\textsf{ID}_{\!\mathcal {A}}},\textsf{ID}_{\!\mathcal {A}})\). So, it holds that

$$\begin{aligned} \tilde{\textbf{G}}_i' := \textsf{SF}(\textbf{G}_{h_i} \textbf{R}_{\textsf{ID}_{\!\mathcal {A}},i}) \quad \text {and}\quad \textbf{h}= \mathcal {H}_1(\tilde{\textbf{G}}_1',\ldots ,\tilde{\textbf{G}}_t',\textsf{ID}_{\!\mathcal {A}}) \end{aligned}$$

for some \(\textbf{h}=(h_1, \ldots , h_t)\), which is exactly the verification algorithm of LESS-FM on the input signature \(((\textbf{R}_{\textsf{ID}_{\!\mathcal {A}}, i})_{1\le i\le t},\textbf{h})\) for the message \(\textsf{ID}_{\!\mathcal {A}}\). Such an \(\textbf{h}\) must appear in List, since \(\textbf{h}\) is a hash value, provided that the simulation does not fail.

Now, let us calculate the advantage of \(\mathcal {S}\). Let E be the event that \(\mathcal {B}\) aborts and F be the event that the simulation fails. Then, the advantage of \(\mathcal {S}\) is

$$\begin{aligned} \textbf{Adv}_{\mathcal {S}, \text {LESS-FM}}^{\text {EUF-CMA}}(\lambda ) &= \dfrac{1}{q_{\mathcal {H}_1}+q_{\mathcal {H}_2}}\left( \Pr [E|F]\Pr [F]+\Pr [E|F^c]\Pr [F^c]\right) \\ &\ge \dfrac{1}{q_{\mathcal {H}_1}+q_{\mathcal {H}_2}}\Pr [E|F^c]\Pr [F^c] \ge \dfrac{1}{2(q_{\mathcal {H}_1}+q_{\mathcal {H}_2})}\varepsilon _{\!\mathcal {A}} \end{aligned}$$

where \(\varepsilon _{\!\mathcal {A}}\) is the probability of the event that \(\mathcal {B}\) aborts, and \(q_{\mathcal {H}_1}\) and \(q_{\mathcal {H}_2}\) are the numbers of queries to the \(\mathcal {H}_1\) and \(\mathcal {H}_2\) oracles, respectively. Thus, if LESS-FM is EUF-CMA secure, the probability of the event that \(\mathcal {B}\) aborts is negligible in the security parameter.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Kim, M., Lee, H.T. (2024). Code-Based Secret Handshake Scheme, Revisited. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_6

  • DOI: https://doi.org/10.1007/978-3-031-50594-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-50593-5

  • Online ISBN: 978-3-031-50594-2
