New Authentication Algorithm Based on Verifiable Encryption with Digital Identity

Abstract

We propose a new authentication algorithm for small internet of things (IoT) devices without key distribution and secure servers. Encrypted private data are stored on the cloud server in the registration step and compared with incoming encrypted data without decryption in the verification step. We call a set of encryptions that can verify two encrypted data items without decryption a verifiable encryption (VE). In this paper, we define VE, and claim that several cryptosystems belong to the VE class. Moreover, we introduce an authentication algorithm based on VE, and show an example of the algorithm and discuss its performance and security. As the algorithm neither shares any secret keys nor decrypts, its computation time becomes very small.

1. Introduction

Besides the recent development of network services and internet of things (IoT) devices, an efficient processing technology for encrypted big data is required. For this purpose, speed and security should be balanced reasonably. One of the well-known methods to achieve this is searchable encryption (SE) where one can search keywords on encrypted messages without obtaining more information than search results. SE has been studied for about 20 years, and it is expected as a possible solution applicable to cloud services [1,2]. In recent years, SE focused on IoT and big data has also been actively studied [3,4,5,6]. SE is provided between users and servers with the special function for encryption. There are several algorithms of SE [7,8,9,10,11], and one can calculate the distance between two ciphered texts without decryption, where the distance is equivalent to that between the original plain texts. However, in each case, the requirement of resource costs, for example, computational power, time, and memory size, is expensive.

In this paper, we propose a class of cryptosystems where the distance is calculated on the space of ciphered texts, the so-called verifiable encryption (VE). We also construct a fast and secure authentication algorithm based on the VE. The known authentication algorithms, viz., Fiat–Shamir [12] and Schnorr [13], are shown to be included in the class of VE. Moreover, we provide the implementation of one of the new authentication algorithms and demonstrate its performance.

2. Digital Identity and Authentication

Digital information generated from personal information is the so-called digital identity, and it is utilized everywhere; e.g., internet shopping, unlocking smartphones, and transactions. The following materials are used as digital identity:

• appearance information (fingerprints, facial features, biometrics, etc.)
• certificates published by credential service providers
• cards issued by trusted institutions (credit cards, debit cards, driving license cards, etc.)
• personal memories (passwords and secret questions)

In many cases, the digital identity is stored on network storage, for example, a cloud server that belongs to the service provider. However, users do not pay much attention to security and its management, including advertisement use, because they ordinarily trust the service provider.

Security problems are based on two different factors. One is the identification method and the other is the cryptosystem. The identification problem arises from the registration step in authentication. For instance, the service provider queries the issuer as to whether the customer’s information is authentic the first time. Queries are sent via an insecure network; then the authentication requires a cryptographic system, which is a public key agreement (PKA), and the trusted third party for the preparation of parameters such as a certificate authority (CA). The digital identity must be encrypted before sending, and the secret keys must also be distributed. Therefore, the process generates some time cost and consumes computational resources. In many cases, identification algorithms based on interactive proof are applied to authentication. One of the well-known authentication algorithms is based on zero-knowledge proof [12,13]. Because digital identity is static material for each service, it is not necessary to be queried every time. To unlock our smartphones, we just put our finger or look at the display for face recognition. Digital identity is stored in the local storage, and never sent via the network. There are two usages of digital identity:

• authentication via network
• unlocking local devices

These usage methods are used independently. However, the usage of digital identity has spread widely to several markets, for example, in entering a workplace, concert hall, checkout-free shopping store, and private residence without receptions. In these cases, the following third usage of digital identity is required:

• unlock local devices via network

However, local devices do not always have enough computational power, and customers do not want to wait for several minutes to unlock them.

3. Verifiable Encryption

The comparison of two encrypted data items is generally performed after decryption. Homomorphic encryption, for example, RSA encryption [7], Elgamal encryption [8], and fully homomorphic encryption [9], can perform numerical addition or multiplication in the space of cipher texts. A cryptosystem that is operable without decryption is expected to contribute to the ubiquitous network society. According to this viewpoint, we propose a class of cryptosystems, VE, which calculates the distance between two plain texts without decryption. In this section, we describe mathematical notations and VE. Moreover, we show cryptosystems belonging to VE.

3.1. Cryptosystem and Authentication Algorithm

Let ${\mathbb{Z}}_n$ be a finite field for a positive integer n.

Let $\mathcal{P},\mathcal{C},\mathcal{K}$ be spaces of plain texts, cipher texts, and keys, respectively. A set $\mathcal{E}$ of encryptions and a set $\mathcal{D}$ of decryptions are given by

$$\begin{array}{cc}\hfill \mathcal{E}& =\{E_k:\mathcal{P}\to \mathcal{C}|E_k(p)=c,\forall p\in \mathcal{P},k\in \mathcal{K}\},\hfill \\ \hfill \mathcal{D}& =\{D_k:\mathcal{C}\to \mathcal{P}|D_k(c)=p,\forall c\in \mathcal{C},k\in \mathcal{K}\}.\hfill \end{array}$$

Definition 1.

A 5-tuple $(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ is called a cryptosystem if

$$\forall p\in \mathcal{P},\exists k_1,k_2\in \mathcal{K},D_{k_2}(E_{k_1}(p))=p.$$

Usual well-known methods for authentication via the network are described by the interactive proof, which is a mathematical model of a common procedure for the exchange of messages between Alice and Bob. The process has two parts, viz., registration and verification:

Registration 

Distribute the secret information by public key distribution

Verification 

Verify the information using an authentication algorithm.

Well-known algorithms are proposed by Fiat–Shamir [12] and Schnorr [13]. Both algorithms are based on zero-knowledge proof [14,15,16], and repeated until Bob becomes convinced. Let $\mathcal{P}$ be a space of plain texts, $f,g:\mathcal{P}\to \mathcal{P}$ be functions, and $w\in \mathcal{P}$ be an initial message. For a positive integer m, let $(f\leftrightarrow g)\equiv a_1{a}_2\cdots a_m$ be message streams holding

$$\begin{array}{cc}\hfill a_1& =f(w)\hfill \\ \hfill a_2& =g(w,a_1)\hfill \\ \hfill ⋮& \\ \hfill a_{2i+1}& =f(w,a_1,\dots ,a_{2i})\hfill \\ \hfill a_{2i+2}& =g(w,a_1,\dots ,a_{2i+1})(2i+2<m),\hfill \end{array}$$

and the output after m rounds $Ou{t}_f(f\leftrightarrow g)(w)\equiv f(w,a_1,\dots ,a_m)\in \{0,1\}.$

3.2. Verifiable Encryption

Let $V:\mathcal{P}\times \mathcal{P}\to {\mathbb{R}}_{+}(=[0,+\infty ))$ be a metric between two texts.

Definition 2.

For a given metric V and two cryptosystems $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$, $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$, we call a set $(\mathcal{E},{\mathcal{E}}^{\prime })$ a VE, if for all $p_1,p_2\in \mathcal{P}$, there exists a map $F:\mathcal{C}\times \mathcal{C}\to \mathcal{C}$, a map $D:\mathcal{C}\to {\mathbb{R}}_{+}$, and two keys $(k,k^{\prime })\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ such that

$$D_{k,k^{\prime }}(F(E_k(p_1),E_{k^{\prime }}^{\prime }(p_2)))=V(p_1,p_2),$$

where $E\in \mathcal{E}$ and $E^{\prime }\in {\mathcal{E}}^{\prime }$.

The plain texts $p_1$ and $p_2$ are encrypted with different keys k and $k^{\prime }$, respectively. Two cipher texts $E_k(p_1)$ and $E_{k^{\prime }}^{\prime }(p_2)$ are verified by the composition map $D\circ F$ because decrypting $F(E_k(p_1),E_{k^{\prime }}^{\prime }(p_2))$ with the keys k and $k^{\prime }$ is always equal to $V(p_1,p_2)$.

It should be noted that $F(E_k(p_1),E_{k^{\prime }}^{\prime }(p_2))$ is encrypted; hence, one can send it via the network. This property helps to increase security against plain-text attack.

4. Cryptosystems Belonging to the VE Class

Here, we review authentication algorithms of Fiat–Shamir [12] and Schnorr [13], and derive the inclusion relation between several cryptosystems and the VE class.

4.1. Fiat–Shamir’s Algorithm

Let p and q be two prime numbers such that $p\ne q$. The number $n=pq$ is opened to the public. Let $k_A(=k_B)$ be secret information distributed at the registration step. In Fiat–Shamir’s algorithm, Alice and Bob repeat the following steps for m rounds to prove Alice’s authenticity:

Step 1

Alice chooses random number $r\in {\mathbb{Z}}_n$ arbitrarily. Then Alice calculates $x:=r^{2}modn$, and sends x to Bob.

Step 2

Bob chooses a random number $e\in \{0,1\}$ arbitrarily, and sends e to Alice.

Step 3

Alice calculates $y:=r{k}_A^{e}modn$ by using secret information $k_A$ of Alice, and sends y to Bob.

Step 4

Bob calculates and checks that $y^{2}modn$ is equal to $x{k}_B^{2e}modn$.

At step 4, if $k_A$, possessed by Alice, is the same as the secret information $k_B$ possessed by Bob, the following equation holds:

$$\begin{array}{cc}\hfill y^{2}modn& ={(r{k}_A^e)}^{2}modn\hfill \\ & =r^2{k}_A^{2e}modn\hfill \\ & =x{k}_A^{2e}modn\hfill \\ & =x{k}_B^{2e}modn.\hfill \end{array}$$

Otherwise, the equation does not hold, and Bob rejects Alice.

This algorithm contains two cryptosystems $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ by Alice, $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$ by Bob where

$$\begin{array}{cc}\hfill \mathcal{E}& =\{E_r|E_r(k_A)=r{(k_A)}^{e}modn,\forall r\in \mathcal{K}={\mathbb{Z}}_n,k_A\in \mathcal{P}\},\hfill \\ \hfill {\mathcal{E}}^{\prime }& =\{E_x^{\prime }|E_x^{\prime }(k_B)=x{(k_B)}^{2e}modn,\forall x\in {\mathcal{K}}^{\prime }={\mathbb{Z}}_n,k_B\in \mathcal{P}\},\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill \mathcal{D}& =\{D_r|D_r(c)=\frac{c}{r}modn,c\in \mathcal{C}\},\hfill \\ \hfill {\mathcal{D}}^{\prime }& =\{D_x^{\prime }|D_x^{\prime }(c)=\sqrt{\frac{c}{x}}modn,c\in \mathcal{C}\}.\hfill \end{array}$$

We show that the set $(\mathcal{E},{\mathcal{E}}^{\prime })$ can be called a VE under some conditions.

Theorem 1.

If $x=r^{2}modn$ and $e=1$, then Fiat–Shamir’s cryptosystem belongs to the class of VE.

Proof. 

Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(r,x)\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =E_r(p_1)=r{(p_1)}^{e}modn\in \mathcal{C},\hfill \\ \hfill c_2& =E_x^{\prime }(p_2)=x{(p_2)}^{2e}modn\in \mathcal{C}.\hfill \end{array}$$

Here we give a metric V as $V(p_1,p_2)=|p_1-p_2|$. We construct a map $F:\mathcal{C}\times \mathcal{C}\to \mathcal{C}$ and $D:\mathcal{C}\to {\mathbb{R}}_{+}$ by the following:

$$\begin{array}{cc}\hfill F(c_1,c_2)& :=c_1-\sqrt{c_2}modn,\hfill \\ \hfill D_{r,x}(c)& :=\frac{1}{r}|c|,c\in \mathcal{C}.\hfill \end{array}$$

If $e=0$, we calculate

$$\begin{array}{cc}\hfill D_{r,x}(F(c_1,c_2))& =\frac{1}{r}|(F(c_1,c_2))|\hfill \\ & =\frac{1}{r}|c_1-\sqrt{c_2}|\hfill \\ & =\frac{1}{r}|(r{p}_1^e-\sqrt{x{(p_2)}^{2e}})|\hfill \\ & =\frac{1}{r}|r-\sqrt{x}|.\hfill \end{array}$$

Suppose $x=r^{2}modn$; then we have

$$\begin{array}{cc}\hfill \frac{1}{r}|r-\sqrt{x}|& =\frac{1}{r}|r-\sqrt{r^2}|\hfill \\ & =\frac{1}{r}|r-r|\hfill \\ & =0.\hfill \end{array}$$

In this case, for all $p_1$ and $p_2$, $D_{r,x}(F(c_1,c_2))=0(\ne V(p_1,p_2))$.

If $e=1$, the equation becomes

$$\begin{array}{cc}\hfill D_{r,x}(F(c_1,c_2))& =\frac{1}{r}|(F(c_1,c_2))|\hfill \\ & =\frac{1}{r}|c_1-\sqrt{c_2}|\hfill \\ & =\frac{1}{r}|(r{p}_1^e-\sqrt{x{(p_2)}^{2e}})|\hfill \\ & =\frac{1}{r}|(r{p}_1-\sqrt{x{(p_2)}^2})|.\hfill \end{array}$$

Suppose $x=r^{2}modn$; then we have

$$\begin{array}{cc}\hfill \frac{1}{r}|(r{p}_1-\sqrt{x{(p_2)}^2})|& =\frac{1}{r}|r{p}_1-\sqrt{r^2{(p_2)}^2}|\hfill \\ & =\frac{1}{r}|r{p}_1-r{p}_2|\hfill \\ & =\frac{1}{r}|r(p_1-p_2)|\hfill \\ & =|p_1-p_2|\hfill \\ & =V(p_1,p_2).\hfill \end{array}$$

In the case of $e=1$, $D_{r,x}(F(E_r(p_1),E_x^{\prime }(p_2)))=V(p_1,p_2)$ for all $p_1,p_2\in \mathcal{P}$ with the keys $(r,x)=(r,r^2)modn$. Therefore, Fiat–Shamir’s algorithm belongs to the class of VE in the case of $x=r^{2}modn$ and $e=1$. □

4.2. Schnorr’s Algorithm

Let p and q be two prime numbers holding $q|(p-1)$ and $g\in {\mathbb{Z}}_p$ with order q such that $g\ne 1$, where $x|y$ means x is divisible by y. The numbers $p,q,g$ are public information. Let $k_A(=k_B)$ be secret information that is registered. In Schnorr’s algorithm, Alice proves to Bob that Alice owns $k_A$, which is equal to $k_B$ possessed by Bob. Repeat the following steps for m rounds until Bob is satisfied:

Step 1

Alice chooses random number $r\in {\mathbb{Z}}_q$ arbitrarily. Then Alice calculates $a:=g^{r}modp$, and sends a to Bob.

Step 2

Bob chooses random number $e\in \{0,1\}$ arbitrarily, and sends e to Alice.

Step 3

Alice calculates $x:=r-e{k}_{A}modq$ by using secret information $k_A$ of Alice, and sends x to Bob.

Step 4

Bob confirms that $a=g^{r}modp$ is equal to $g^x{g}^{e{k}_B}$ mod p.

If Alice has $k_A$ that is equal to Bob’s $k_B$ at step 4, the following equation is obtained:

$$\begin{array}{cc}\hfill g^x{g}^{e{k}_B}modp& =g^{r-e{k}_A}{g}^{e{k}_B}modp\hfill \\ & =g^{r+e(k_B-k_A)}modp\hfill \\ & =g^{r}modp\hfill \\ & =amodp.\hfill \end{array}$$

Let $n=pq$. Schnorr’s algorithm has two cryptosystems $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ by Alice and $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$ by Bob where

$$\begin{array}{cc}\hfill \mathcal{E}& =\{E_r|E_r(k_A)=r-e{k}_{A}modn,\forall r\in \mathcal{K}={\mathbb{Z}}_n,k_A\in \mathcal{P}\},\hfill \\ \hfill {\mathcal{E}}^{\prime }& =\{E_x^{\prime }|E_x^{\prime }(k_B)=g^x{g}^{e{k}_B}modn,\forall x\in {\mathcal{K}}^{\prime }={\mathbb{Z}}_n,k_B\in \mathcal{P}\},\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill \mathcal{D}& =\{D_r|D_r(c)=r-cmodn,c\in \mathcal{C}\},\hfill \\ \hfill {\mathcal{D}}^{\prime }& =\{D_x^{\prime }|D_x^{\prime }(c)=log\frac{c}{g^x}modn,c\in \mathcal{C}\}.\hfill \end{array}$$

Theorem 2.

If $x=r-e{p}_{1}modn$ and $e=1$, then Schnorr’s algorithm is included in the class of VE.

Proof. 

Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(r,x)\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =E_r(p_1)=r-e{p}_{1}modn\in \mathcal{C},\hfill \\ \hfill c_2& =E_x^{\prime }(p_2)=g^x{g}^{e{p}_2}modn\in \mathcal{C}.\hfill \end{array}$$

A metric V is given by $V(p_1,p_2)=|p_1-p_2|$. We compose a map $F:\mathcal{C}\times \mathcal{C}\to \mathcal{C}$ and $D:\mathcal{C}\to {\mathbb{R}}_{+}$ as follows:

$$\begin{array}{cc}\hfill F(c_1,c_2)& :=c_{2}modn,\hfill \\ \hfill D_{r,x}(F(c))& :=|{log}_g(c)|-r.\hfill \end{array}$$

If $e=0$, the equation is

$$\begin{array}{cc}\hfill D_{r,x}(F(c_1,c_2))& =|{log}_g(F(c_1,c_2))|-r\hfill \\ & =|{log}_g(c_{2}modn)|-r\hfill \\ & =|{log}_g(g^x{g}^{e{p}_2}modn)|-r\hfill \\ & =|{log}_g(g^{x}modn)|-r.\hfill \end{array}$$

Suppose $x=r-e{p}_{1}modn$; then the equation becomes

$$\begin{array}{cc}\hfill |{log}_g(g^{x}modn)|-r& =|{log}_g(g^{r-e{p}_1}modn)|-r\hfill \\ & =|{log}_g(g^{r}modn)|-r\hfill \\ & =|r|-r\hfill \\ & =0.\hfill \end{array}$$

In the case of $e=0$, for all $p_1$ and $p_2$, $D_{r,x}(F(c_1,c_2))=0(\ne V(p_1,p_2))$.

If $x=r-e{p}_{1}modn$ and $e=1$, we calculate

$$\begin{array}{cc}\hfill D_{r,x}(F(c_1,c_2))& =|{log}_g(F(c_1,c_2))|-r\hfill \\ & =|{log}_g(c_{2}modn)|-r\hfill \\ & =|{log}_g(g^x{g}^{e{p}_2}modn)|-r\hfill \\ & =|{log}_g(g^{r-e{p}_1}{g}^{e{p}_2}modp)|-r\hfill \\ & =|{log}_g(g^{r-e(p_1-p_2)})modp)|-r\hfill \\ & =|{log}_g(g^{r-(p_1-p_2)})modp)|-r\hfill \\ & =|r-(p_1-p_2)|-r\hfill \\ & =|p_2-p_1|\hfill \\ & =|p_1-p_2|\hfill \\ & =V(p_1,p_2).\hfill \end{array}$$

In this case, $D_{r,x}(F(E_{r,x}(p_1),E_x^{\prime }(p_2)))$ is equal to the metric $V(p_1,p_2)$ for all $p_1,p_2\in \mathcal{P}$.

Therefore, if the key $x=r-e{p}_{1}modn$ and $e=1$, then Schnorr’s cryptosystem belongs to the class of VE. □

4.3. One-Time Pad

A one-time pad cryptosystem C is given as follows:

$$\begin{array}{cc}\hfill C& =(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D}),\hfill \\ \hfill where\\ \hfill \mathcal{P}& =\mathcal{C}={\{0,1\}}^n,\hfill \\ \hfill \mathcal{K}& =\{k\in {\{0,1\}}^n|\forall k,P(k)=\frac{1}{2^n}\},\hfill \\ \hfill \mathcal{E}& =\{E_k|E_k(p)=p\oplus k,\forall p\in \mathcal{P},k\in \mathcal{K}\},\hfill \\ \hfill \mathcal{D}& =\{D_k|D_k(c)=c\oplus k,\forall c\in \mathcal{C},k\in \mathcal{K}\}.\hfill \end{array}$$

Note that $P(k)$ is the appearance probability of 0 and 1 in all k and ⊕ means a bitwise exclusive or.

Theorem 3.

The one-time pad cryptosystem belongs to the class of VE.

Proof. 

Let $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ and $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$ be two cryptosystems of the one-time pad. Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(k,k^{\prime })\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =p_1\oplus k\in \mathcal{C},\hfill \\ \hfill c_2& =p_2\oplus k^{\prime }\in \mathcal{C}.\hfill \end{array}$$

Here we give a metric V as

$$V(p_1,p_2)=\sum _{i=1}^n{p_1}_i\oplus {p_2}_i,$$

and construct a map $F:\mathcal{C}\times \mathcal{C}\to \mathcal{C}$ and $D:\mathcal{C}\to {\mathbb{R}}_{+}$ as follows:

$$\begin{array}{cc}\hfill F(c_1,c_2)& :=c_1\oplus c_2,\hfill \\ \hfill D_{k,k^{\prime }}(c)& :=\sum _{i=1}^n{c}_i\oplus k_i\oplus k_i^{\prime }.\hfill \end{array}$$

We calculate

$$\begin{array}{cc}\hfill D_{k,k^{\prime }}(F(c_1,c_2))& =\sum _{i=1}^{n}F{(c_1,c_2)}_i\oplus k_i\oplus k_i^{\prime }\hfill \\ & =\sum _{i=1}^n({p_1}_i\oplus k_i)\oplus ({p_2}_i\oplus k_i^{\prime })\oplus (k_i\oplus k_i^{\prime })\hfill \\ & =\sum _{i=1}^n({p_1}_i\oplus {p_2}_i)\oplus (k_i\oplus k_i)\oplus (k_i^{\prime }\oplus k_i^{\prime })\hfill \\ & =\sum _{i=1}^n{p_1}_i\oplus {p_2}_i\hfill \\ & =V(p_1,p_2).\hfill \end{array}$$

For all $p_1,p_2\in \mathcal{P}$, there exist keys $k,k^{\prime }$, and the metric $V(p_1,p_2)$ can be achieved. Therefore, the one-time pad cryptosystem belongs to the class of VE. □

It should be noted that it can be configured by only one cryptosystem C in the case of a one-time pad.

4.4. Block Cipher Modes of Operation

A block cipher is the algorithm that encrypts a plain text of fixed length such as 64 bits or 128 bits, called a block, and returns ciphered text of the same length as that of the plain text. A commonly used block cipher is the advanced encryption standard (AES) [17]. The block cipher consists of encryption function $E_k$ and decryption function $D_k$ for each block.

If a plain text is longer than the block length, the following modes, called block cipher modes of operation, are applied:

• Electric code block (ECB) mode divides a plain text into blocks and encrypts in each block.
• Cipher block chaining (CBC) mode calculates the plain text block and preceding ciphered text block by XOR, and then the output is encrypted.
• Output feedback (OFB) mode is used as a pseudorandom number generator that outputs an encrypted initial vector.
• Cipher feedback (CFB) mode calculates the XOR of the modified preceding ciphered text blocks and plain text block.

Remark 1.

The ECB, CBC, and CFB modes do not obviously belong to the class of VE.

Let $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ and $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$ be two cryptosystems of the block cipher. Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(k,k^{\prime })\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =E_k(p_1)\in \mathcal{C},\hfill \\ \hfill c_2& =E_{k^{\prime }}^{\prime }(p_2)\in \mathcal{C},\hfill \end{array}$$

where $E_k$ and $E_{k^{\prime }}^{\prime }$ are the same encryption function. Because of the property of the block cipher, any operation except identity mapping is not allowed to be applied to the cipher text in order to decrypt correctly. By the definition of VE, the operation $F:\mathcal{C}\times \mathcal{C}\to \mathcal{C}$ is not an identity mapping. The block cipher does not allow any calculations in cipher text space. Intuitively, there is no F and D to achieve the VE conditions.

On the other hand, the OFB mode performs encryption as follows:

• generate a key stream z of length n

  (a)

  $z_0=IV$

  (b)

  $z_i=E_k(z_{i-1}),i=1,2,\cdots ,n$

  (c)

  $z=z_1{z}_2\cdots z_n$

• calculate $c=p\oplus z$

where $IV\in \mathcal{P}$ is an initialization vector. As can be seen from the above, only the $IV$ is processed with a block cipher; namely, the OFB mode appears to be a pseudo random number generator.

Remark 2.

As the OFB mode is applicable to the one-time pad, it belongs to the class of VE.

5. New Authentication Algorithm Based on VE

Authentication refers to an act by which Bob gives permission to Alice. With the development of information technology, authentication scenes have spread widely.

Table 1. Three types of authentication.

	Type	Examples
1	authentication via network	electronic commerce transaction private information transmission
2	unlocking local devices	unlocking smartphones biometric authentication
3	unlocking local devices via network	entering workplace, concert hall, checkout-free shopping store

lists the three types of authentication explained in Section 2 that we focus on.

Authentication via network is the strictest scheme that protects valuable information, for example, electronic transactions. The second one is for unlocking small devices such as smartphones. Because of usability and frequency of use, the scheme is simple and directed for users. The third one, unlocking local devices via the network, is related to the management of groupware where the user management is operated through the network. Therefore, it should be secure against eavesdroppers and directed for users. The requirements of these schemes, which are a situation of the network, computational power, and convenience of registration and verification, are different from each other. In this section, we discuss these requirements precisely.

Meanwhile, a digital identity in authentication is denoted by information, which is sent to Bob during registration, and presented by Alice during verification. Because personal information is frequently used as the digital identity, it must be protected with suitable secure technologies and embedded into these authentications. In this section, we also present a new secure and no-key-distribution scheme for the third authentication type to unlock local devices via the network.

5.1. Authentication via Network

The first authentication type is observed in the information transmission where the information must be protected, for example, electronic commerce, transaction, and private information transmission. Figure 1 shows the example of an implicit network structure where the user device and server are connected via the Internet. Cipher communication such as SSL/TLS is the most general scheme in authentication via the network. First, however, Bob confirms the genuineness of Alice’s digital identity before authentication because of the possibility of impersonation. This process can provide interactive proof, for example, Fiat–Shamir’s algorithm and Schnorr’s algorithm described in Section 4, for which an expensive CA is required to prepare public parameters; then, an additional cost for security is expected.

5.2. Unlocking Local Devices

As unlocking local devices is one of the closest authentications, which is approved more than approximately 50 times per day, the faster the speed of the unlocking process, the better (see Figure 2). To increase usability and reduce computational time, authentication just compares the registered digital identity and preserves one for verification without any encryption. Implicitly, the connection between the user and device is supposed to be safe. We usually post our passphrases, pin codes, fingerprints, or biometrics to the device as it is. Because the digital identity is used only to unlock the device, it is not sent somewhere via the network. Authentication via the network pays a significant cost to protect itself, and unlocking the device does not take account of protection. The risk of leaking is obviously higher if the user loses the device or it is hacked. Essentially, it does not follow the general security policy to handle the digital identity.

5.3. Unlocking Local Devices via the Network

With the spread of IoT devices, a ubiquitous network society has steadily been realized [18]. Groupware, smart doors, and smart devices associated with multiple users surround us. In order to achieve the network service accompanying the devices, they require activation managed through the network (see Figure 3). Here, we call this activation unlocking local devices via the network. The devices that are distributed by service providers sometimes belong to them, not the users.

In Figure 3, it is shown that unlocking local devices via the network is required in an environment where multiple users login on one device. The verification process of unlocking local devices via the network is performed as follows:

• The user sends the digital identity to a device.
• The device queries a server via the network, and the server sends back responses.
• The device compares the digital identity with the one from the server.

In step 2, the query associated with the accompanying service indicates the user account. The device can be accessed by anyone because it is not occupied by the individual. As the device is also freely accessible to an eavesdropper, the digital identity must be encrypted and separated from the key.

In Section 3.2, the main purpose of unlocking local devices is to protect the data rather than digital identity. Because the lock prevents the leaking of information in the case of theft, users pay additional cost for it as insurance. The faster process of unlocking the local device via the network is a favorable circumstance for the service provider. The deterioration of usability leads to deterioration in the quality of service. Needless to say, neither the user nor the service provider desires the illegal use of the service. Therefore, the algorithm that maintains security with low cost is ideal for both the user and service provider.

5.4. Algorithm

Here, we construct an authentication algorithm based on the VE for unlocking local devices via the network. Let Alice be the person to be authenticated, and Bob be the authenticator. Taking implementation into account, we assume that the server is an untrusted party. Let $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ and $C_2=(\mathcal{P},\mathcal{C},{\mathcal{K}}^{\prime },{\mathcal{E}}^{\prime },{\mathcal{D}}^{\prime })$ be two cryptosystems where the set $(\mathcal{E},{\mathcal{E}}^{\prime })$ is a verifiable encryption. Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(k,k^{\prime })\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =E_k(p_1)\in \mathcal{C},\hfill \\ \hfill c_2& =E_{k^{\prime }}^{\prime }(p_2)\in \mathcal{C}.\hfill \end{array}$$

• Registration step

  Step 1

  Alice sends $p_1$ to Bob.

  Step 2

  Bob generates k, and calculates $E_k(p_1)=c_1$.

  Step 3

  Bob sends $c_1$ to the server S.

• Verification step

  Step 1

  Alice sends $p_2$ to Bob.

  Step 2

  Bob generates $k^{\prime }$, and calculates $E_{k^{\prime }}^{\prime }(p_2)=c_2$.

  Step 3

  Bob sends $c_2$ to S.

  Step 4

  Server calculates $F(c_1,c_2)=c_d$, and sends $c_d$ to Bob.

  Step 5

  Bob calculates $D_{k,k^{\prime }}(F(c_1,c_2))$, and checks the result.

This algorithm does not require key distribution nor any exchange of messages as in interactive proofs. This algorithm is deterministic, while the authentication using interactive proof is probabilistic.

6. Implementation

In this section, we show an implementation using the one-time pad. Let S be a computation server, A a user, and D the user’s device. We assume that D is the trusted device to generate and manage keys, and the server S belongs to an untrusted party.

Without loss of generality, 128-bit plain texts and random numbers are employed. Although many pseudo random number generators are available, here we use the QP-DYN, which is based on non-commutative algebra and ergodic theory, because of its performance [19,20].

6.1. Algorithm

Here, we show the implementation using the one-time pad. Let $C_1=(\mathcal{P},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ be a cryptosystem of the one-time pad, where a set $(\mathcal{E},{\mathcal{E}}^{\prime })$ is a verifiable encryption. Let $p_1,p_2\in \mathcal{P}$ be two plain texts, $(k,k^{\prime })\in \mathcal{K}\times {\mathcal{K}}^{\prime }$ be two keys, and

$$\begin{array}{cc}\hfill c_1& =E_k(p_1)=p_1\oplus k\in \mathcal{C},\hfill \\ \hfill c_2& =E_{k^{\prime }}^{\prime }(p_2)=p_2\oplus k^{\prime }\in \mathcal{C}\hfill \end{array}$$

be two cipher texts.

• Registration Step

  Step 1

  A sends A’s digital identity $p_1$ to D.

  Step 2

  D generates the key k that is kept only with D. Then D computes $E_k(p_1)=c_1$, and sends the encoded digital identity $c_1$ to S.

  Step 3

  S stores $c_1$ in the database.

• Verification Step

  Step 1

  A sends A’s digital identity $p_2$ to D.

  Step 2

  D generates the one-time key $k^{\prime }$ for the only one-time authentication. This one-time key $k^{\prime }$ is never used after finishing this authentication flow. Then D computes $E_{k^{\prime }}(p_2)=c_2$, and sends the encoded digital identity $c_2$ to S.

  Step 3

  S computes the encoded distance $c_d$ between $c_1$ and $c_2$ using map F such that

  $$\begin{array}{cc}\hfill F(c_1,c_2)& =c_1\oplus c_2\hfill \\ & =(p_1\oplus k)\oplus (p_2\oplus k^{\prime })\hfill \\ & =c_d,\hfill \end{array}$$

  and sends encoded distance $c_d$ to D.

  Step 4

  D decodes the encoded distance $c_d$ with the keys k and $k^{\prime }$ to obtain the distance $V(p_1,p_2)$, where

  $$\begin{array}{cc}\hfill D_{k,k^{\prime }}(F(c_1,c_2))& =F(c_1,c_2)\oplus (k\oplus k^{\prime })\hfill \\ & =(c_1\oplus c_2)\oplus (k\oplus k^{\prime })\hfill \\ & =((p_1\oplus k)\oplus (p_2\oplus k^{\prime }))\oplus (k\oplus k^{\prime })\hfill \\ & =(p_1\oplus p_2)\oplus (k\oplus k^{\prime })\oplus (k\oplus k^{\prime })\hfill \\ & =p_1\oplus p_2\hfill \end{array}$$

If $p_1\oplus p_2\le s$, then D returns “OK” to A, otherwise “NG”, where s is the threshold arbitrary chosen by the verifier. Even the case that the plain texts are flexible elements, for example, biometrics the verification step with s can recognize them.

6.2. Environment

The experimental environment is shown in

Table 2. Environment.

Aspect	Specification
OS	Mac OS High Sierra 10.13.5
CPU	Intel Core i7 1.7 GHz
Memory	8 GB
Language	Python

.

6.3. Registered Information

The registered information is shown in

Table 3. Registered information.

Type of Information	Variable	Value
plain text	$p_1$	1001100000011101100101000001100000011100111 1110001110111100010001101111110110100001001 010000010010000001110100101000111101101010
key	$k_1$	1001100110111111111111011001011101010100001 1000010111001110100011011111000110101111011 010001111000001110110000011010100100000101
cipher text	$c_1$	1101000100110100110001111010010001100110 0110011100101100101100001100000011100100 00001101010001111000100110010011001101111

. Let $p_1$ be plain text to be registered, $k_1$ be a secret key for encryption $p_1$, and $c_1$ be a cipher text that encrypts $p_1$.

6.4. Experiment

In what follows, we show the implementation that is changing the content of the plain text. Suppose the encrypted result $c_{d_i}$ equals $c_1\oplus c_{i+1}$, where $i=1,2,3,4$. Moreover, we present necessary times for encryption, verification, and decryption, in the case of the plain text length being changed to 128 bits, 256 bits, 512 bits, 1024 bits, 2048 bits, 4096 bits and 8192 bits, respectively.

• Authentication of same sequences 1    (${\mathit{p}}_{\mathbf{1}}={\mathit{p}}_{\mathbf{2}}$)

We show the first experiment in

Table 4. $p_1=p_2$.

Type of Information	Variable	Value
plain text	$p_2$	1001100000011101100101000001100000011100111 1110001110111100010001101111110110100001001 010000010010000001110100101000111101101010
key	$k_2$	1100010100010110010111101011110011010010110 1010011101100000110110011000010011111010010 000011001010001110000101010101010001111010
cipher text	$c_2$	101110100001011110010101010010011001110001 010001001101110010011111011110010101101101 1010011011000001111110001111101101100010000
encrypted result	$c_{d_1}$	101110010101001101000110010101110000110111 001000101010111001010100011101010101010100 1010010110010000000110101001111110101111111
result	$d_1$	0

; the information to be authenticated is equal to the registered information. Let $p_2$ be plain text to be authenticated, $k^{\prime }$ be a key that is a one-time key for encryption $p_2$, and $c_2$ be a cipher text that encrypts $p_2$.

• Authentication of same sequences 2    (${\mathit{p}}_{\mathbf{1}}={\mathit{p}}_{\mathbf{3}}$)

We show the second experiment, where the information to be authenticated equals the registered information, in

Table 5. $p_1=p_3$.

Type of Information	Variable	Value
plain text	$p_3$	1001100000011101100101000001100000011100111 1110001110111100010001101111110110100001001 010000010010000001110100101000111101101010
key	$k_3$	1100001100110100001000110000010000001000111 0111110101101100011101101010101000111000111 110011011101000010001110001100010111011001
cipher text	$c_3$	1011011001010011011011100011100000101000001 001111011010000001100000101011110011001110 100011001111000011111010100100101010110011
encrypted result	$c_{d_2}$	1011010100010111101111010010011010111001101 111100010100010111110110101101110010111100 100010100101001100111110010110110011011100
result	$d_2$	0

. This is almost the same as the first experiment; however, the encrypted information $c_3$ is different from the first experiment.

• Authentication of different sequences    (${\mathit{p}}_{\mathbf{1}}\ne {\mathit{p}}_{\mathbf{4}}$)

We show the third experiment, where the information to be authenticated is different from the information registered, in

Table 6. $p_1\ne p_4$.

Type of Information	Variable	Value
plain text	$p_4$	1101100110010101011011010011101101011000101 1010110111000101011111000010010001110011010 101101011001111011110000111100011100011000
key	$k_4$	1001101000011010111011010110110101110000110 1101010001001111011011100011011100110100101 011011011011111001000111010100111001011100
cipher text	$c_4$	1000011100011111000000001010110001010000110 111100110001010000100100001001101000111111 110110000010000010110111101000100101000100
encrypted result	$c_{d_3}$	1000010001011011110100111011001011000001010 001111111111000110110010001111101001001101 110111101000001101110011011010111100101011
result	$d_3$	1000001100010001111100100100011010001000100 100111001111001001110101101100111010010011 111101001011111010000100010100100001110010

. These are different sequences, and the hamming distance is 60.

• Authentication of different sequences    (${\mathit{p}}_{\mathit{e}\mathit{v}\mathit{e}}=\mathbf{0}$)

We show the fourth experiment, where the information to be authenticated is all 0, in

Table 7. $p_1\ne p_{eve},p_{eve}=0$.

Type of Information	Variable	Value
plain text	$p_{eve}$	0
key	$k_5$	1001001000100111000101111100010100001011101 0101100100100000000010111010000110001001000 111101011011001010101101110001111100010101
cipher text	$c_5$	1001001000100111000101111100010100001011101 0101100100100000000010111010000110001001000 111101011011001010101101110001111100010101
encrypted result	$c_{d_4}$	1001001110000101011111100100101001000011011 0011111101010010110000001010110110000111010 111100110001000101101001000011100101111010
result	$d_4$	1001100000011101100101000001100000011100111 1110001110111100010001101111110110100001001 010000010010000001110100101000111101101010
Hamming distance	h	59

.

These are different sequences and the Hamming distance is 59. In this experiment, a chosen plain-text attack is assumed. As can be seen from the above experimental results, this cipher text $c_{eve}$ is equal to $k_5$; that is, there is a possibility that the key $k_5$ is known to an eavesdropper.

The key generation time is calculated from the environment and the cryptosystem used, hence it is not discussed.

Table 8. Implementation speed.

Length of Plaintext	Encryption	Verification	Decryption
128 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
256 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
512 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
1024 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
2048 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
4096 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms
8192 bits	0.00095367 ms	0.00095367 ms	0.00095367 ms

and Figure 4, Figure 5 and Figure 6 shows the speed in each process for different plain text lengths. In this algorithm, the speed of each process has almost the same speed even if the plain text length is changed.

7. Attacks

In this section, the impersonation attack and plain text attack are discussed. As in Section 6, let S be the server, A an user, and D the device. We assume that A trusts D, and S belongs to untrusted party. Let Eve be an eavesdropper.

7.1. Impersonation (Man-in-the-Middle-Attack)

Let $p_1$ be a plain text to be registered, $k_1$ a key for encryption $p_1$, and $c_1=E_{k_1}(p_1)$ a cipher text. Here, we assume that the Eve’s goal is to obtain the plain text $p_1$. The crucial impersonation is to obtain $p_1$ directly. In this case Eve must have full access permission for the device. If Eve has the backdoor of a device which can send the key $k_1$ to her, she can combine $k_1$ to the cipher text $c_1$, then recover $p_1$. Therefore, full access control and backdoor are crucial attacks. The authentication is totally weak against the impersonation. The user realizes these kinds of attacks only after the authentication which does not activate any services. The service provider must pay attention to protect the device and install some security software to detect unauthorized applications and backdoor.

7.2. Plain Text Attack

The Table 7 in Section 6.4 shows the result of the plain text attack where $p_{eve}=0$. Although the cipher text $c_5$ is equal to the key $k_5$, that is $k_5$ is stolen, the algorithm is kept secure because $k_5$ is a one-time key. If attacker holds $k_5$, she can computes

$$\begin{array}{cc}\hfill c_{d_4}\oplus k_5& =(c_1\oplus c_5)\oplus k_5\hfill \\ & =((p_1\oplus k_1)\oplus (0\oplus k_5))\oplus k_5\hfill \\ & =p_1\oplus k_1\hfill \\ & =c_1\hfill \end{array}$$

According to the above equation, the plain text $p_1$ and the key $k_1$ can not be recover from $c_{d_4}$.

The decryption result $d_4$ equals to the registered plaintext $p_1$ as follows:

$$\begin{array}{cc}\hfill d_4& =c_{d_4}\oplus k_1\oplus k_5\hfill \\ & =(c_1\oplus c_5)\oplus k_1\oplus k_5\hfill \\ & =((p_1\oplus k_1)\oplus (0\oplus k_5))\oplus k_1\oplus k_5\hfill \\ & =p_1\oplus (k_1\oplus k_1)\oplus (k_5\oplus k_5)\hfill \\ & =p_1.\hfill \end{array}$$

However, only the device D knows the result $d_4$ insides, does not send to anywhere.

Therefore, the plain text attack for the verification step is not valid.

8. Conclusions

In this paper, we defined verifiable encryption, which is given by a class of the cryptosystem. The class VE $=(\mathcal{E},{\mathcal{E}}^{\prime })$ consists of two cryptosystems and two cipher text spaces. It was shown that the special cases of Fiat–Shamir and Schnorr, and one-time pad (also any stream ciphers) are included in the class of VE. We also constructed an authentication algorithm, which incorporates speed and security without PKA and SSL/TLS, with the one-time pad. The velocity of the protocol is less than 0.003 ms with 8192 bits of key length. If digital identity, such as biometric information, is employed, it is necessary to set a threshold value and calculate the Hamming distance. Moreover, we discussed on the possible attack such as impersonation and plain text attack. The authentication is essentially weak against the impersonation as well as unlocking smartphone, however, strong against plain text attack.