An Efficient Identification Scheme Based on Bivariate Function Hard Problem

Abstract

Symmetric cryptography allows faster and more secure communication between two entities using the identical pre-established secret key. However, identifying the honest entity with the same secret key before initiating symmetric encryption is vital since the communication may be impersonated. Tea and Ariffin, in 2014, proposed a new identification (ID) scheme based on the Bivariate Function Hard Problem (BFHP) that proved secure against impersonation under passive, active and concurrent attacks via the BFHP-hardness assumption. In this paper, we upgrade the ID scheme and improve some of its settings. Next, we provide the security proof against impersonation under active and concurrent attacks in the random oracle model via the hardness assumption of the One-More BFHP. Finally, we include an additional discussion about the computational efficiency of the upgraded ID scheme based on BFHP and present its comparison with other selected ID schemes.

1. Introduction

Symmetric cryptography allows users to perform encryption and decryption using the identical pre-established secret key. It enables simpler and quicker encryption since users do not have to authenticate the agreed secret key from any authority like those in public-key cryptography. Current practical symmetric-key algorithms include the Data Encryption Standard (DES) such as 3DES and the widely used Advanced Encryption System (AES) such as AES-128, AES-192, and AES-256, which target block ciphers. In contrast, RC4 deals with stream cipher in its symmetric encryption. Besides having a faster encryption speed, AES-256, in particular, is considered to be quantum resistant. Although faster and having a more secure encryption than public-key cryptography, identifying the honest users over the virtual network is crucial prior to initiating the encryption. As impersonation by an unauthorized entity may occur during the communication, both users should identify and prove to each other that they possess the same secret key before the encryption begins.

The main objective of an identification (ID) scheme is to enable an entity to prove and verify that it knows a secret to another entity without having to reveal it during the interaction. The protocol commonly begins with the commitment initiated by the prover that binds the interaction. Next, a challenge issuance by the verifier to the prover. Finally, a prover’s responses to the challenge, followed by the verification and decision output by the verifier.

The first ID scheme [1] utilized the quadratic residuosity (QR) or square root modulo as their fundamental primitive. Its security rests on the difficulty of solving the integer factorization problem (IFP). Later, ref. [2] presented an ID scheme using the RSA encryption technique in the protocol with underlying security associated with the hardness of solving the eth-root of RSA. In the subsequent year, another novel ID scheme [3] featured the utilization of the discrete logarithm problem (DLP) in the design. However, the concrete proof of security in cryptography was formally described only after 2000s. Many ID schemes were then proposed based on various primitives and their variants surrounding IFP and DLP. For example, the elliptic curve discrete logarithm (ECDLP) in [4] and the bilinear Diffie-Hellman (BDH) problem in [5] with their security proofs in the standard model.

Besides number-theoretic problems, there are non-number-theoretic problems from the NP-class were utilized in designing ID schemes, such as in [6,7,8], to name a few. Furthermore, some of the design proposals from these problems are categorized as post-quantum candidates. For instance, the multivariate quadratic (MQ) polynomial as in [9] relies on the intractability of the MQ polynomial. On the other hand, the lattice-based identification schemes proposed, respectively, [10,11] consider the hardness of solving the shortest vector problem (SVP) in lattices. The recently proposed code-based ID scheme by [12] features the hardness assumption of solving a variant of a syndrome decoding (SD) problem.

Ref. [13] in 2013 proposed an ID scheme based on the Diophantine Equation Hard Problem (DEHP), which claimed to be secure against impersonation under passive attack via the hardness assumption of DEHP. However, by carefully choosing the correct interval of the solutions of DEHP, successful impersonation is possible even without knowing the secret parameters, which results in acceptance with non-negligible probability. Later, ref. [14] proposed a new ID scheme based on the Bivariate Function Hard Problem (BFHP), a specific problem of two variables derived from DEHP [15]. With the hardness assumption of solving the BFHP to obtain the preferred private solution, the proposed ID scheme was proven secure against impersonation under passive, active and concurrent attacks.

In this paper, we upgrade the ID scheme based on BFHP from [14]. First, we refine the definition of the Bivariate Function Hard Problem (BFHP) and its underlying hardness assumption of One-More BFHP. Next, we present the upgraded ID scheme and the corresponding security proof against impersonation under active and concurrent attacks in the random oracle model via the difficulty of solving the One-More BFHP. Finally, we add on some efficiency analyses about our upgraded ID scheme.

The layout of the paper is as follows. Section 2 reviews preliminaries related to the ID scheme and its security model. Next, we outline the upgraded ID scheme based on BFHP, and formally describes the security proof of our ID scheme against impersonation under active and concurrent attacks in the random oracle model in Section 3. Section 4 includes a discussion about the efficiency of ID schemes. Lastly, we draw our conclusion in Section 5.

2. Preliminaries

2.1. Mathematical Background

This section reviews the Bivariate Function Hard Problem (BFHP) and all the related essential works to our proposal. We begin with the famous theorem due to Minkowski and its implication for the solution of modular linear equations [16].

Theorem 1.

(Minkowski). In an ω-dimensional lattice L, there exists a non-zero vector υ with

$$\Vert \upsilon \Vert \le \sqrt{\omega }\det {\left(L\right)}^{\frac{1}{\omega }}.$$

Ref. [16] addressed the problem of solving modular linear equation

$$f\left(x_1,x_2,\dots ,x_m\right)=a_1{x}_1+a_2{x}_2+\dots +a_m{x}_m\equiv 0\left(\mathrm{mod}N\right)$$

for some N with unknown factorization. Although such an equation has infinitely many solutions of $(y_1,y_2,\dots ,y_m)\in {\mathbb{Z}}_N^m$, one can expect a unique solution if ${\prod }_i^m{X}_i\le N$, where $X_i$ is the upper bound of each solution $\left|y_i\right|<X_i$ for $i=1,\dots ,m$. This unique solution $y_i$ can be recovered heuristically by computing the shortest vector in an m-dimensional lattice. In addition, if in turn ${\prod }_i^m{X}_i>N^{1+ϵ}$, then the linear equation has $N^{ϵ}$ many solutions, which are exponential in the bit-size of N, and one has no hope of improving the bound in general. That is, there exists no efficient algorithm to output all the roots in polynomial time.

Next, we lay out the definition of BFHP from the previous work in [14], and further refine the hardness of the bivariate function and its corresponding assumption. We firstly review the proper analytic description related to BFHP.

Proposition 1.

Let $F\left(x_1,x_2,\dots ,x_n\right)$ be a multiplicative one-way function that maps $F:\mathbb{Z}\to \left(2^{m-1},2^m-1\right)$ for some $m\in \mathbb{Z}$. Let $F_1$ and $F_2$ be such functions (either identical or non-identical) such that $A_1=F_1\left(x_1,x_2,\dots ,x_n\right)$, $A_2=F_2\left(x_1,x_2,\dots ,x_n\right)$ and $gcd\left(A_1,A_2\right)=1$. Let $\{u,v\}\in \left(2^{n-1},2^n-1\right)$. Let $F\left(x,y\right)=A_{1}x+A_{2}y$. Let $k=n-m-1$ where $2^k$ is exponentially large for any probabilistic polynomial time (PPT) adversary to sieve through all possible answers, then it is infeasible to determine $\{u,v\}$ over $\mathbb{Z}$ from $F\left(u,v\right)$.

Proof. 

To prove that solving the Diophantine equation given by $F\left(u,v\right)$ is infeasible, consider the general solution for $F\left(x,y\right)=A_{1}x+A_{2}y$ given by $x=x_0+A_{2}j$ and $y=y_0-A_{1}j$ for any $j\in \mathbb{Z}$, where $x_0$ and $y_0$ are initial solutions for the linear Diophantine equation $F\left(x,y\right)$. Then $F\left(u,v\right)$ is said to be solved when the private preferred solution pair $\{u,v\}$ is found within the stipulated interval $\{u,v\}\in \left(2^{n-1},2^n-1\right)$. In other words, one must search for specific integer j such that $2^{n-1}<u<2^n-1$ holds, that is $u=x_0+A_{2}j$. This gives, $\frac{2^{n-1}-x_0}{A_2}<j<\frac{2^n-1-x_0}{A_2}$.

Then the difference between the upper and the lower bounds of j is approximately $2^{n-m-2}$. Since $k=n-m-1$ where $2^k$ is exponentially large for any probabilistic polynomial time (PPT) adversary to sieve through all possible answers. We conclude that the difference is very large, and finding the correct j is infeasible. This applies to the case of v too.    □

We put forward an example to demonstrate the hardness of finding the preferred private solution from the exponentially many choices of j.

Example 1.

Let $A_1=191$ and $A_2=229$. Let u = 41,234 and v = 52,167, then $F\left(u,v\right)=$ 19,821,937. Here we take $m=8$ and $n=16$. We now construct the parametric solutions for this BFHP. The initial points are $u_0$ = 118,931,622 and $v_0=-$99,109,685. Then general parametric solutions are $u=u_0+A_{2}j$ and $v=v_0-A_{1}j$. There are approximately $286\approx 2^9$, about $\left(\frac{2^{16}}{229}\right)$ values of j to try (i.e., the difference between upper and lower bounds), while at minimum, the value of $j\approx 2^{16}$. In fact, the correct value is $j=$ 519,172 $\approx 2^{19}$.

Definition 1.

(Bivariate Function Hard Problem (BFHP)). Let $F\left(x,y\right)=A_{1}x+A_{2}y$ be a bivariate function where $x,y$ are unknown integers of n-bits, $A_1,A_2$ are public m-bits integers with $gcd\left(A_1,A_2\right)=1$ and $2^k$ is exponentially large for $k=n-m-1$. Given $F\left(u,v\right)=A_{1}u+A_{2}v$, the BFHP is the problem in identifying the unique solution pair $F\left(u,v\right)$ which is known as the preferred private solution.

Definition 2.

(BFHP Assumption). Suppose a BFHP experiment ${\mathsf{BFHP}}_{\mathcal{A},\mathcal{G}}\left(n\right)$ with parameter generator $\mathcal{G}$, algorithm $\mathcal{A}$ and security parameter $1^n$ (i.e., security parameter of length n written in unary [17]) is defined as follows:

1 

Runs $\mathcal{G}\left(1^n\right)$ to obtain $F\left(x,y\right)=A_{1}x+A_{2}y$.

2 

Choose $F^{*}$ such that $F^{*}=A_{1}u+A_{2}v$.

3 

$\mathcal{A}$ is given $\left(F\left(x,y\right),F^{*}\right)$ and outputs $\{u,v\}\in \left(2^{n-1},2^n-1\right)$.

4 

The output of the experiment is defined to be 1, i.e., $\left[{\mathsf{BFHP}}_{\mathcal{A},\mathcal{G}}\left(n\right)=1\right]$ if $F\left(u,v\right)=F^{*}$ with correct preferred private solution pair $\{u,v\}$. Otherwise defined to be 0.

Then the BFHP is hard relative to $\mathcal{G}$ if for all probabilistic polynomial-time algorithm $\mathcal{A}$, there exists a negligible function $\mathsf{negl}\left(n\right)$ such that,

$$\mathrm{Pr}\left[{\mathsf{BFHP}}_{\mathcal{A},\mathcal{G}}\left(n\right)=1\right]\le \mathsf{negl}\left(n\right).$$

Definition 3.

(One-More BFHP). Let $F\left(x,y\right)=A_{1}x+A_{2}y$ be a bivariate function with $\{A_1,A_2\}\in \left(2^{m-1},2^m-1\right)$ such that $gcd\left(A_1,A_2\right)=1$ and $\{x,y\}\in \left(2^{n-1},2^n-1\right)$. An adversary is given a challenge oracle ${\mathcal{O}}_{\mathsf{cha}}$ that produces a random integer $F_i\in \left(2^{m+n-1},2^{m+n}-1\right)$ when queried and BFHP oracle ${\mathcal{O}}_{\mathsf{BFHP}}$ that provides the preferred private primitives $\{x_i,y_i\}$ correspond to the query $F_i=A_{1}x+A_2$. The adversary is said to win if after i queries to ${\mathcal{O}}_{\mathsf{cha}}$, it can solve all the i challenges with strictly at most $i-1$ queries to the ${\mathcal{O}}_{\mathsf{BFHP}}$. Take note that $F_i=F\left(x_i,y_i\right)$.

2.2. Identification Scheme and Security Model

An ID scheme comprises triple probabilistic polynomial-time algorithms, described as a series of challenge-and-response interactions between two entities: the Prover and the Verifier.

• Setup: On input of security parameter $1^n$, the algorithm generates public system and secret parameters. On termination, it publicizes the public system parameters and keeps the secrets securely.
• Prove: A probabilistic algorithm that firstly outputs a random commitment $\left(\mathsf{Cmt}\right)$ to bind the interaction and subsequently replies to the challenge via a response $\left(\mathsf{Rsp}\right)$.
• Verify: A probabilistic algorithm that firstly outputs a random challenge $\left(\mathsf{Cha}\right)$ to the bound commitment and next output decision based on the received response.

The security of an ID scheme lies in the advantage of an adversary (impersonator) being accepted after a certain number of interactions, either passively or actively. This is often described as a two-phase impersonation game between adversary and simulator. We outline the model to define an adversary’s advantage in the security game.

• Setup: A simulator takes in the security parameter $1^n$ and generates random public system and secret parameters. The public system parameters are given to the adversary while secrets are kept securely.
• Phase 1 (Training): The adversary undergoes training based on different attackers’ environments: (i) Passive: Adversary queries to the simulator, returned with valid conversation transcripts containing information about commitment, challenge, and response. (ii) Active and concurrent: Adversary takes the role of the cheating verifier and requests the simulator to prove itself. This environment works exactly like in the ID protocol.
• Phase 2 (Impersonation): The adversary now acts as a cheating prover. It outputs a commitment that it wishes to impersonate. The impersonation is said to be successful if the adversary can convince the simulator and results in acceptance of the decision.

Definition 4.

An ID scheme is defined to be $\left(t,q_t,ϵ\right)$-secure against impersonation under passive, active or concurrent attacks if an adversary $\mathcal{A}$ who runs the ID protocol in time t and makes at most $q_t$ queries has the negligible advantage such that

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathsf{imp}-\mathsf{pa}/\mathsf{aa}/\mathsf{ca}}\left(n\right)\le ϵ\left(n\right),$$

where ${\mathrm{Adv}}_{\mathcal{A}}^{\mathsf{imp}-\mathsf{pa}/\mathsf{aa}/\mathsf{c}}\left(n\right)=\mathrm{Pr}\left[\mathcal{A}\mathrm{success}\mathrm{impersonates}\right]$.

Lastly, we address the Reset Lemma by [18], which provides a better bound and simpler proof in relating two probabilities in the security game of an ID scheme. Under resetting the challenge by the verifier, the cheating prover yields two valid conversation transcripts that convince the verifier to accept him.

Lemma 1.

(Reset Lemma). Let P be a prover in a canonical ID protocol with V a verifier represented by $\left(\mathsf{ChaSet},\mathsf{Dec}\right)$, and $\left(\mathcal{P},\mathcal{V}\right)$ be inputs for the prover P and verifier V, respectively. Let $\mathsf{acc}\left(\mathcal{P},\mathcal{V}\right)$ be the probability that V accepts in its interaction with P, i.e.,

$$\mathsf{acc}\left(\mathcal{P},\mathcal{V}\right)=\mathrm{Pr}\left[{\mathsf{Dec}}_V\left(\mathsf{Cmt},\mathsf{Cha},\mathsf{Rsp}\right)=1\right]$$

and $\mathsf{res}\left(\mathcal{P},\mathcal{V}\right)$ be the probability that V accepts its interaction with P in the reset game, i.e.,

$$\begin{array}{c}\hfill \mathsf{res}\left(\mathcal{P},\mathcal{V}\right)=\mathrm{Pr}\left[\begin{array}{c}{\mathsf{Dec}}_V\left(\mathsf{Cmt},{\mathsf{Cha}}_1,{\mathsf{Rsp}}_1\right)=1\wedge \\ {\mathsf{Dec}}_V\left(\mathsf{Cmt},{\mathsf{Cha}}_2,{\mathsf{Rsp}}_2\right)=1\wedge \\ \left({\mathsf{Cha}}_1\ne {\mathsf{Cha}}_2\right)\end{array}\right].\end{array}$$

Then,

$$\mathsf{acc}\left(\mathcal{P},\mathcal{V}\right)\le \sqrt{\mathsf{res}\left(\mathcal{P},\mathcal{V}\right)}+\frac{1}{\left|{\mathsf{ChaSet}}_V\right|},$$

where $\mathsf{Cha}\in {\mathsf{ChaSet}}_V$.

Proof. 

See [18].    □

3. Results: The Design and Security Analysis

3.1. Efficient Identification Scheme Based on BFHP

This section presents the ID scheme based on BFHP by [14] with some upgrades to improve the setting. Two new hash functions are introduced in the Algorithm 1, with one used to mask the secret, and the other used for integrity check purposes.

Algorithm 1 Modified ID Scheme Based on BFHP.

Input: Security parameter $1^n$. Output: System parameters $\left\{H_1,H_2,v_1,v_2,v_3,x,e,f\right\}$. Setup:  1: On input of security parameter $1^n$, generates secret parameters of $\left\{v_1,v_2,x\right\}\in \left(2^{n-1},2^n-1\right)$ 2: Generates the following hash functions such that: (a)   $H_1:{\left\{0,1\right\}}^n\to {\left\{0,1\right\}}^n$, (b)   $H_2:{\left\{0,1\right\}}^{2n}\to {\{0,1\}}^{2n}$, 3: Computes the following parameters: (a)   $e=v_1+v_2$ (b)   $X=H_1\left(x\right)$, (c)   $v_3\equiv {\left(1-X\right)}^{-1}\left(\mathrm{mod}e\right)$, (d)   $f=v_3-v_1$. 4: Publicize $\left\{H_1,H_2,e,f\right\}$ as public system parameters and keep $\left\{v_1,v_2,v_3,x\right\}$ as secrets. Identification Protocol:  1: Prover P picks a random integer $y\in \left(2^{n-1},2^n-1\right)$ and computes $Y=y+v_2$. Sends Y as a commitment to Verifier V. 2: V picks a random challenge $c\in \{0,1\}$ and sends it to P. 3: Upon receiving challenge c, P responds V with: (a)   $z=v_3{X}^c-y-v_{3}x$, (b)   $\sigma =H_2\left(v_{3}x\right)$. 4: V computes and verifies if one of the following holds: (a)   For $c=0$, if $\mathcal{V}\equiv f-z-Y\left(\mathrm{mod}e\right)$ and $H_2\left(\mathcal{V}\right)=\sigma$, (b)   For $c=1$, if $\mathcal{V}\equiv f-z-Y\left(\mathrm{mod}e\right)$ and $H_2\left(\mathcal{V}-1\right)=\sigma$, then accept P. Otherwise, reject P.

Proof of correctness. 

$$\begin{array}{ccc}\hfill \mathcal{V}& =& f-z-Y\hfill \\ & =& \left(v_3-v_1\right)-\left(v_3{X}^c-y-v_{3}x\right)-\left(y+v_2\right)\hfill \\ & =& v_3-v_1-v_3{X}^c+y+v_{3}x-y-v_2\hfill \\ & =& v_3-v_3{X}^c-v_1-v_2+v_{3}x\hfill \\ & =& v_3\left(1-X^c\right)-\left(v_1+v_2\right)+v_{3}x\hfill \\ & \equiv & v_3\left(1-X^c\right)+v_{3}x\left(\mathrm{mod}e\right)\hfill \\ & \equiv & \left\{\begin{array}{cc}{v}_3\left(1-X^0\right)+v_{3}x\hfill & \left(\mathrm{mod}e\right);for c=0,\hfill \\ v_3\left(1-X^1\right)+v_{3}x\hfill & \left(\mathrm{mod}e\right);for c=1,\hfill \end{array}\right.\hfill \\ & \equiv & \left\{\begin{array}{cc}{v}_3\left(1-1\right)+v_{3}x\hfill & \left(\mathrm{mod}e\right);for c=0,\hfill \\ v_3\left(1-X\right)+v_{3}x\hfill & \left(\mathrm{mod}e\right);for c=1,\hfill \end{array}\right.\hfill \\ & \equiv & \left\{\begin{array}{cc}{v}_{3}x\hfill & \left(\mathrm{mod}e\right);for c=0,\hfill \\ 1+v_{3}x\hfill & \left(\mathrm{mod}e\right);for c=1.\hfill \end{array}\right.\hfill \end{array}$$

Since $v_1+v_2=e$ and $v_1+v_2\equiv 0\left(\mathrm{mod}e\right)$, it is easy to verify for $c=0$, the resulting $\mathcal{V}\equiv v_{3}x\left(\mathrm{mod}e\right)$ produces a valid $H_2\left(\mathcal{V}\right)=\sigma$. For the case of $c=1$, since $v_3\equiv {\left(1-X\right)}^{-1}\left(\mathrm{mod}e\right)$ from Setup: 3(c), we have

$$\begin{array}{ccc}\hfill \mathcal{V}& =& v_3\left(1-X\right)+v_{3}x\hfill \\ & =& {\left(1-X\right)}^{-1}\left(1-X\right)+v_{3}x\hfill \\ & \equiv & 1+v_{3}x\left(\mathrm{mod}e\right)\hfill \end{array}$$

that produces a valid $H_2\left(\mathcal{V}-1\right)=\sigma$. □

Remark 1.

The public system parameters $\{e,f\}$ are protected by Theorem 1 since the sizes of $v_1,v_2,v_3,e,f$ are of $2^n$ and the product $v_1·v_2>e$ and $v_1·v_3>f$. This results infinitely many solutions to the linear equation in which finding the correct preferred private solutions of $\{v_1,v_2\}$ and $\{v_1,v_3\}$ are infeasible. This is indeed the BFHP defined in Definition 1

Remark 2.

It is the prover’s main objective to prove that he knows the secret x (i.e., step 3 in the identification protocol) without relaying it to the verifier. Since the published public system parameters $\{e,f\}$ contain secret parameters of $\{v_1,v_2,v_3\}$, it should be infeasible for an adversary to extract $\{v_1,v_2,v_3\}$ from $\{e,f\}$. Observe that from Setup:

$$\begin{array}{ccc}\hfill e& =& v_1+v_2\hfill \\ \hfill f& =& v_3-v_1,\hfill \end{array}$$

each individual equation has the secret parameters protected by the BFHP with three unknown variables $\{v_1,v_2,v_3\}$. If these secret variables are solved from the public system parameters, then the preferred private solution is found.

Remark 3.

In this case, one can treat all (or part of) the secret parameters $\left\{v_1,v_2,v_3,x\right\}$ as the agreed symmetric keys (cipher keys) between two users. Once both users succeed in identifying each other that they acquired the identical secret keys, they can next perform encryption using some practical symmetric encryption available.

3.2. Security Proof of The Identification Scheme Based on BFHP

In this section, we construct the security proof of the upgraded ID scheme based on BFHP with the refined One-More BFHP assumption (Definition 3). We considers the security against impersonation under active and concurrent attacks as this is a more relevant and stronger security notion. In addition, we refer to the Reset Lemma [18] for the probability analysis.

Theorem 2.

Let ${\displaystyle \epsilon ={\mathrm{Adv}}_{\mathcal{I}}^{\mathsf{imp}\text{-}\mathsf{aa}/\mathsf{ca}}\left(n\right)}$ be the advantage of impersonation under active and concurrent attacks by impersonator $\mathcal{I}$, and ${\displaystyle {\epsilon }^{\prime }={\mathrm{Adv}}_{{\mathcal{A}}^{\prime }}^{\mathsf{One}-\mathsf{More}\mathsf{BFHP}}\left(n\right)}$ be the advantage of algorithm ${\mathcal{A}}^{\prime }$ solving the One-More BFHP. Then the identification scheme based on BFHP is $\left(t,q_I,\epsilon \right)$-secure against impersonation under active and concurrent attacks in the random oracle model if solving the One-More BFHP is $\left(t,q_I,{\epsilon }^{\prime }\right)$-hard where:

$$\epsilon \le \frac{1}{2}+\sqrt{\left({\epsilon }^{\prime }-\frac{1}{2^{n-2}}\right)·\left(\frac{2^{n-2}}{2^{n-2}-q_I}\right)},$$

with $q_I$ denotes the number of identification queries.

Proof. 

We assume that if there exists an Impersonator $\mathcal{I}$ who can $\left(t,q_I,\epsilon \right)$-break the scheme, then there exists an efficient probabilistic polynomial-time algorithm ${\mathcal{A}}^{\prime }$ that can $\left(t,q_I,{\epsilon }^{\prime }\right)$-solve the One-More BFHP. ${\mathcal{A}}^{\prime }$ attempts to simulate a challenger for $\mathcal{I}$.

1.

Setup: ${\mathcal{A}}^{\prime }$ firstly access to ${\mathcal{O}}_{\mathsf{Cha}}$ which output the following initial challenge set:

$$\begin{array}{ccc}\hfill X& =& H_1\left(x\right)\hfill \\ \hfill e_0& =& v_{0,1}+v_2\hfill \\ \hfill v_3& \equiv & {\left(1-X\right)}^{-1}\left(\mathrm{mod}{e}_0\right).\hfill \\ \hfill f& =& v_3-v_{0,1}\hfill \end{array}$$

(1)

together with two hash functions $H_1:{\{0,1\}}^n\to {\{0,1\}}^n$ and $H_2:{\{0,1\}}^{2n}\to {\{0,1\}}^{2n}$. The public system parameters $\{H_1,H_2,e_0,f\}$ is passed to ${\mathcal{A}}^{\prime }$. These $\{H_1,H_2,e_0,f\}$ is then sent to $\mathcal{I}$, with $H_1$ and $H_2$ modeled as random oracles controlled by ${\mathcal{A}}^{\prime }$. Note that ${\mathcal{A}}^{\prime }$ does not know the secret parameters of $\{v_{0,1},v_2,v_3,x,X\}$.

2.

Query phase: The interaction between ${\mathcal{A}}^{\prime }$ and $\mathcal{I}$ involves the simulation of random oracles and identification queries.

(a)

Random oracle query: ${\mathcal{A}}^{\prime }$ initially prepare two empty lists of $H_1$-list and $H_2$-list, which function to receive and reply queries from $\mathcal{I}$.

i

$H_1$-list: This list has the form of $⟨x_i,H_1\left(x_i\right)⟩$. When $\mathcal{I}$ queries $x_i$, ${\mathcal{A}}^{\prime }$ checks whether such $H_1\left(x_i\right)$ is in the list. If it does, it replies it to $\mathcal{I}$. Otherwise, ${\mathcal{A}}^{\prime }$ randomly samples $H_1\left(x_i\right)\leftarrow {\{0,1\}}^n$ and replies it to $\mathcal{I}$. Lastly, ${\mathcal{A}}^{\prime }$ stores the new pair of $⟨x_i,H_1\left(x_i\right)⟩$ into $H_1$-list.

ii

$H_2$-list: This list is in the form of $⟨x_i,H_2\left(x_i\right)⟩$. When $\mathcal{I}$ queries $x_i$, ${\mathcal{A}}^{\prime }$ checks if such $H_2\left(x_i\right)$ exists. If it does, it replies it to $\mathcal{I}$. Otherwise, ${\mathcal{A}}^{\prime }$ randomly chooses $H_2\left(x_i\right)\leftarrow {\{0,1\}}^{2n}$ and replies it to $\mathcal{I}$. ${\mathcal{A}}^{\prime }$ lastly stores the new pair of $⟨x_i,H_2\left(x_i\right)⟩$ into $H_2$-list.

Notice that ${\mathcal{A}}^{\prime }$ simulates the above two random oracle queries perfectly, as both the replied answers are uniformly distributed.

(b)

Identification query: $\mathcal{I}$ acts as cheating verifier and requests ${\mathcal{A}}^{\prime }$ to prove itself:

i

Commitment: Upon query by $\mathcal{I}$, ${\mathcal{A}}^{\prime }$ query ${\mathcal{O}}_{\mathsf{Cha}}$ for random challenge of $e_k=v_{k,1}+v_2$ and replies to $\mathcal{I}$.

ii

Challenge: $\mathcal{I}$ outputs a random challenge $c_k\in \{0,1\}$ upon receiving $e_k$ and sends it to ${\mathcal{A}}^{\prime }$.

iii

Response: After receiving the challenge c from $\mathcal{I}$, ${\mathcal{A}}^{\prime }$ queries $(f-e_k-c_k-x_k)$ such that $x_k{\leftarrow }_R{\{0,1\}}^{2n}$ to the ${\mathcal{O}}_{\mathsf{BFHP}}$ which replied with a response $z_k=v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_{k,1}-x_k$ and ${\sigma }_k=H_2\left(x_k\right)$. This $\left(z_k,{\sigma }_k\right)$ is then sent to $\mathcal{I}$. ${\mathcal{A}}^{\prime }$ next increases k by 1.

Referring to the Response query above, the $\left(f-e_k-c_k-x_k\right)$ queried by ${\mathcal{A}}^{\prime }$ can be re-expressed as

$$\begin{array}{ccc}\hfill \left(f-e_k-c_k-x_k\right)& =& \left(v_3-v_{0,1}\right)-\left(v_{k,1}+v_2\right)-c_k-x_k\hfill \\ & =& v_3-v_{k,1}-\left(v_{0,1}+v_2\right)-c_k-x_k\hfill \\ & =& v_3-v_{k,1}-e_0-c_k-x_k+\left(v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_3{\left(H_1\left(x\right)\right)}^{c_k}\right)\hfill \\ & =& \left(v_3-v_3{\left(H_1\left(x\right)\right)}^{c_k}\right)+\left(v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_{k,1}\right)-e_0-c_k-x_k\hfill \\ & \equiv & \left(v_3-v_3{\left(H_1\left(x\right)\right)}^{c_k}\right)+\left(v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_{k,1}\right)-c_k-x_k\left(\mathrm{mod}{e}_0\right)\hfill \end{array}$$

Since $c_k\in \{0,1\}$, there are two possible cases, i.e.,

$$\begin{array}{cc}& \left(v_3-v_3{\left(H_1\left(x\right)\right)}^{c_k}\right)+\left(v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_{k,1}\right)-c_k-x_k\hfill \end{array}$$

$$\begin{array}{cc}\hfill =& \left\{\begin{array}{cc}\left(v_3-v_3\right)+\left(v_3-v_{k,1}\right)-0-x_k\hfill & ;\mathrm{f}\mathrm{o}\mathrm{r} c_k=0,\hfill \\ \left(v_3-v_3\left(H_1\left(x\right)\right)\right)+\left(v_{3}X-v_{k,1}\right)-1-x_k\hfill & ;\mathrm{f}\mathrm{o}\mathrm{r} c_k=1.\hfill \end{array}\right.\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill =& \left\{\begin{array}{cc}{v}_3-v_{k,1}-x_k\hfill & ;\mathrm{f}\mathrm{o}\mathrm{r} c_k=0,\hfill \\ \left(v_3-v_3\left(H_1\left(x\right)\right)\right)+\left(v_{3}X-v_{k,1}\right)-1-x_k\hfill & ;\mathrm{f}\mathrm{o}\mathrm{r} c_k=1.\hfill \end{array}\right.\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill \equiv & \left\{\begin{array}{cc}{v}_3-v_{k,1}-x_k\hfill & \left(\mathrm{mod}{e}_0\right);\mathrm{f}\mathrm{o}\mathrm{r} c_k=0,\hfill \\ v_{3}X-v_{k,1}-x_k\hfill & \left(\mathrm{mod}{e}_0\right);\mathrm{f}\mathrm{o}\mathrm{r} c_k=1.\hfill \end{array}\right.\hfill \end{array}$$

(4)

From (1), $v_3\equiv {\left(1-\left(H_1\left(x\right)\right)\right)}^{-1}\left(\mathrm{mod}{e}_0\right)$ can be rewritten as $v_3-v_3\left(H_1\left(x\right)\right)\equiv 1\left(\mathrm{mod}{e}_0\right)$, which is then used to simplify further from (3) to (4) for $c_k=1$. Therefore, it implies that $z_k=v_3{\left(H_1\left(x\right)\right)}^{c_k}-v_{k,1}-x_k$ and ${\sigma }_k=H_2\left(x_k\right)$ output by ${\mathcal{O}}_{\mathsf{BFHP}}$ is a valid response. This query phase is carried out for some time t until $\mathcal{I}$ readies to terminate and enter the impersonation phase.

3.

Impersonation phase: Now, $\mathcal{I}$ behaves as cheating prover and tries to convince ${\mathcal{A}}^{\prime }$ to accept it.

(a)

Commitment: $\mathcal{I}$ sends commitment $Y^{*}$ in which he wishes to impersonate to ${\mathcal{A}}^{\prime }$.

(b)

Challenge: ${\mathcal{A}}^{\prime }$ checks if $Y^{*}\notin \{e_1,\dots ,e_t\}$, then it outputs a random challenge $c^{*}\in \{0,1\}$ to $\mathcal{I}$. Otherwise, it aborts.

(c)

Response: $\mathcal{I}$ replies the challenge with response $z^{*}$ and its corresponding signature ${\sigma }^{*}$ to ${\mathcal{A}}^{\prime }$. ${\mathcal{A}}^{\prime }$ checks ${\mathcal{V}}^{*}=f-z^{*}-Y^{*}\left(\mathrm{mod}{e}_0\right)$ and verifies the correctness of signature ${\sigma }^{*}$.

Via resetting $\mathcal{I}$ to two different challenges $c_1$ and $c_2$, ${\mathcal{A}}^{\prime }$ then obtains two valid transcripts of $\{Y^{*},c_1^{*},z_1^{*},{\sigma }_1^{*}\}$ and $\{Y^{*},c_2^{*},z_2^{*},{\sigma }_2^{*}\}$. The validity of the received transcripts can be verified through the protocol, ${\mathcal{A}}^{\prime }$ next search through the $H_2$-list for the $x_i$ that produced the valid signature ${\sigma }_j^{*}$ for $j=1,2$. If such $x_i$ is found, then ${\mathcal{A}}^{\prime }$ proceed to search the $H_1$-list for the corresponding $H_1\left(x_i\right)$. This enables ${\mathcal{A}}^{\prime }$ to extract the secret $X=H_1\left(x_i\right)$ which has the probability at least ${\left(\epsilon -\frac{1}{2}\right)}^2$ following the Reset Lemma [18].

This further enables ${\mathcal{A}}^{\prime }$ to compute $v_{0,1},v_2,v_3$ which finally used to solve all $v_{k,1}$ for $1\le k\le t$, i.e.,

$$\begin{array}{ccc}\hfill v_3& \equiv & {\left(1-X\right)}^{-1}\left(\mathrm{mod}{e}_0\right)\hfill \\ \hfill v_{0,1}& =& v_3-f\hfill \\ \hfill v_2& =& e_0-v_{0,1}\hfill \\ \hfill v_{k,1}& =& e_k-v_2.\hfill \end{array}$$

From this point, ${\mathcal{A}}^{\prime }$ has successfully output all the solutions to $(t+1)$ challenges of $\{v_{0,1},v_{1,1},\dots ,v_{t,1}\}$ by querying only t queries of $e_k$ to ${\mathcal{O}}_{\mathsf{BFHP}}$. This completes the simulation.

4.

Probability study: The probability for the ID scheme against impersonation under active and concurrent attacks rests on ${\mathcal{A}}^{\prime }$ winning the game, i.e., the successful impersonation by $\mathcal{I}$ that yield in acceptance which enables ${\mathcal{A}}^{\prime }$ to extract the secret. Consider the following possible scenarios:

(a)

Regardless of whether the game aborts, ${\mathcal{A}}^{\prime }$ guesses the correct $X=H_1\left(x\right)$ from the interval of $\left(2^{n-1},2^n-1\right)$ that output the solutions to the One-More BFHP. The corresponding probability to such an event is therefore

$$\begin{array}{ccc}\hfill \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}\mathrm{One}-\mathrm{More}\mathrm{BFHP}\right]& =& \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}{e}_0\mathrm{via}\mathrm{guessing}{H}_1\left(x\right)\right]\hfill \\ & =& \frac{1}{2^n-1-2^{n-1}}\hfill \\ & \approx & \frac{1}{2^{n-2}}.\hfill \end{array}$$

(b)

The game does not abort, and ${\mathcal{A}}^{\prime }$ found the corresponding secret $H_1\left(x\right)$ from the queried $H_1$-list that solves the One-More BFHP. This implies that ${\mathcal{A}}^{\prime }$ successfully found the solution to the One-More BFHP with strictly less queries to ${\mathcal{O}}_{\mathsf{BFHP}}$ than to ${\mathcal{O}}_{\mathsf{Cha}}$. Via Reset Lemma,

$$\begin{array}{ccc}& & \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}\mathrm{One}-\mathrm{More}\mathrm{BFHP}\right]\hfill \\ & =& \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}{e}_0\mathrm{via}\mathrm{extracting}{H}_1\left(x\right)\wedge \neg \mathrm{Abort}\right]\hfill \\ & =& \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}{e}_0\mathrm{via}\mathrm{extracting}{H}_1\left(x\right)|\neg \mathrm{Abort}\right]·\mathrm{Pr}\left[\neg \mathrm{Abort}\right]\hfill \\ & \ge & {\left(\epsilon -\frac{1}{2}\right)}^2·\left(\frac{2^{n-2}-q_I}{2^{n-2}}\right).\hfill \end{array}$$

Since $\mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{wins}\right]={\mathrm{Adv}}_{{\mathcal{A}}^{\prime }}^{\mathsf{One}-\mathsf{More}\mathsf{BFHP}}\left(n\right)={\epsilon }^{\prime }$, putting everything mathematically, we have

$$\begin{array}{ccc}\hfill \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{wins}\right]& =& \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}\mathrm{One}-\mathrm{More}\mathrm{BFHP}\right]\hfill \\ & =& \mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}{e}_0\mathrm{via}\mathrm{guessing}{H}_1\left(x\right)\right]\hfill \\ & & +\mathrm{Pr}\left[{\mathcal{A}}^{\prime }\mathrm{solves}{e}_0\mathrm{via}\mathrm{extracting}{H}_1\left(x\right)|\neg \mathrm{Abort}\right]·\mathrm{Pr}\left[\neg \mathrm{Abort}\right]\hfill \\ & \ge & \frac{1}{2^{n-2}}+{\left(\epsilon -\frac{1}{2}\right)}^2·\left(\frac{2^{n-2}-q_I}{2^{n-2}}\right)\hfill \end{array}$$

In other words, we have

$$\begin{array}{ccc}\hfill \frac{1}{2^{n-2}}+{\left(\epsilon -\frac{1}{2}\right)}^2·\left(\frac{2^{n-2}-q_I}{2^{n-2}}\right)& \le & {\epsilon }^{\prime },\hfill \end{array}$$

and that

$$\begin{array}{ccc}\hfill {\left(\epsilon -\frac{1}{2}\right)}^2& \le & \left({\epsilon }^{\prime }-\frac{1}{2^{n-2}}\right)·\left(\frac{2^{n-2}}{2^{n-2}-q_I}\right)\hfill \\ \hfill \epsilon -\frac{1}{2}& \le & \sqrt{\left({\epsilon }^{\prime }-\frac{1}{2^{n-2}}\right)·\left(\frac{2^{n-2}}{2^{n-2}-q_I}\right)}\hfill \\ \hfill \epsilon & \le & \frac{1}{2}+\sqrt{\left({\epsilon }^{\prime }-\frac{1}{2^{n-2}}\right)·\left(\frac{2^{n-2}}{2^{n-2}-q_I}\right)}.\hfill \end{array}$$

This completes the security proof of the upgraded ID scheme. □

4. Discussion

4.1. Computational Cost of The Efficient Identification Scheme Based on BFHP

We analyze the efficiency of the ID scheme based on BFHP, considering the computational cost and its asymptotic complexity order. As the ID scheme mainly consists of simple arithmetic and modular addition and multiplication operations, Table 1 shows the corresponding computational costs for each algorithm. The scheme does not involve modular exponentiation operation, and hence its asymptotic complexity order is bounded only by $\mathcal{O}\left(n^2\right)$, due to modular multiplication and inversion operations.

Table 1. Computational cost of the upgraded ID scheme based on BFHP.

Operation	Addition/ Subtraction	Multiplication	Modular Addition/ Subtraction	Modular Multiplication/ Inversion	Hashing
Setup	2	0	1	1	1
Prove	3	2	0	0	1
Verify	1	0	2	0	1

4.2. Comparative Analysis

We next compare our ID scheme with the five selected well-known ID schemes by [1,2,3,9,10]. Our choice is that the former three ID schemes were among the pioneered ID schemes that are number-theoretic based, i.e., quadratic residuosity, $e^{th}$-the root of RSA, and discrete logarithm problem, respectively. The latter two featured post-quantum primitives of non-number theoretic type, i.e., shortest vector problem (SVP) in lattice and multivariate quadratic (MQ) polynomial. To simplify the comparison, we tabulated all the abovementioned ID schemes by considering total computational costs and their asymptotic complexity orders in Table 2.

Table 2. Comparative analysis of selected ID schemes for selected aspects.

ID Schemes	Computational Cost	Particular Parameter Characteristic	Asymptotic Complexity Order	Underlying Security Assumption	Data Size Transmitted
[1]	$1M, 1M_{\mathsf{Mod}},$$3E_{\mathsf{Mod}}$	$N=pq$	$\mathcal{O}\left(n^3\right)$ where $n=logN$	QR	$2n$
[2]	$1M,1M_{\mathsf{Mod}},$$3E_{\mathsf{Mod}}$	$ed\equiv 1\left(\mathrm{mod}\varphi \left(N\right)\right)$ where $N=pq$	$\mathcal{O}\left(n^3\right)$ where $n=logN$	eth-root RSA	$2n$
[3]	$1A_{\mathsf{Mod}},1M_{\mathsf{Mod}},$$3E_{\mathsf{Mod}}$	$p\ge 2^{140},q\ge 2^{512}$ such that $q|p-1$	$\mathcal{O}\left(n^3\right)$ where $n=logq$	DLP	n
3-pass [9]	$2A_{\mathsf{Poly}},6S_{\mathsf{Poly}}$	$\mathcal{MQ}\left(84,80,F_2\right)$	N/A	MQ Polynomial	29,640
5-pass [9]	$1A_{\mathsf{Poly}},6S_{\mathsf{Poly}},$$4M_{\mathsf{Scl}}$	$\mathcal{MQ}\left(45,30,F_{2^4}\right)$	N/A	MQ Polynomial	26,565
[10]	$1A_{\mathsf{Mtx}},3M_{\mathsf{Mtx}}$	$m=⌈4nlogn⌉$	$\mathcal{O}\left(⌈4nlogn⌉logn\right)$	SVP	$⌈4nlogn⌉$
Our ID Scheme	$2A,4S,2M,$ $3S_{\mathsf{Mod}},1I_{\mathsf{Mod}},$$3H$	Group ${\mathbb{Z}}_{\left(2n-1,2n-1\right)}$	$\mathcal{O}\left(n^2\right)$	BFHP	$2n$

Legends: (i) A = Addition, (ii) S = Subtraction, (iii) M = Multiplication, (iv) $A_{\mathsf{Mod}}$ = Modular Addition, (v) $S_{\mathsf{Mod}}$ = Modular Subtraction, (vi) $M_{\mathsf{Mod}}$ = Modular Multiplication, (vii) $I_{\mathsf{Mod}}$ = Modular Inversion, (viii) $E_{\mathsf{Mod}}$ = Modular Exponentiation, (ix) H = Hashing, (x) $A_{\mathsf{Mtx}}$ = Matrix Addition, (xi) $M_{\mathsf{Mtx}}$ = Matrix Multiplication, (xii) $M_{\mathsf{Scl}}$ = Scalar Multiplication, (xiii) $A_{\mathsf{Poly}}$ = Polynomial Addition, (xiv) $S_{\mathsf{Poly}}$ = Polynomial Subtraction, (xv) m = Matrix Dimension.

As the reader may notice from Table 2, we do not include asymptotic complexity orders for the ID scheme by [9] as its efficiencies rely on the system parameters, such as the size of public-private keys and the number of rounds performed. Readers may refer to Section 5.2 [9] for a detailed discussion.

Each of the selected ID schemes in our comparative analysis has its strengths and practical value. The first three ID schemes [1,2,3] based on number-theoretic hard problems are well-established. In comparison, the subsequent two ID schemes [9,10] are constructed using well-agreed post-quantum primitives, which have recently gained much attention in the field. While the primitive used in our ID scheme based on BFHP is immature in that it is not widely studied, it can nevertheless be practical if more research is conducted on it in the future. One benefit of considering BFHP is that it allows two secrets in a single mathematical equation, i.e., $e=v_1+v_2$ and $f=v_3-v_1$ with many possible solutions, different from the conventional mathematical hard problems that permit only single and unique solution. Furthermore, the simpler mathematical structure comprising only modular additions and multiplications significantly reduces the computation time compared to those involving modular exponentiation operations. Hence, besides utilizing it in public-key cryptography (the proposed ID scheme in this paper), such secrets can be used in symmetric encryption schemes.

5. Conclusions

In this paper, we upgraded the ID scheme based on BFHP by [14]. We proved the security of the upgraded ID scheme against impersonation under active and concurrent attacks via the assumption that solving the One-More BFHP is difficult. In addition, the upgraded ID scheme is efficient as it does not involve mathematical operations with higher computational complexity. This is evident in the significant speed-up of the algorithm vis-à-vis the data size transmitted and the simplicity of the mathematical structure for practical deployment, which would give better efficient throughput over the bandwidth. This is clearly explained in Table 2. Once the fundamental security is proven to be secure with desirable characteristics for practical deployment, the next natural way forward would be to analyze physical attacks such as timing attacks, power analysis, power consumption attacks, side-channel analysis, and other directions.