Message Authentication Scheme Based on Chaotic Quantum Cryptosystem


2016 International Conference on Wireless Communication and Network Engineering (WCNE 2016) ISBN: 978-1-60595-403-5


Hang ZHANG¹, Tian-yu CAI² and Tian-bo WU²

¹School of Information Science & Engineering, Central South University, Changsha Hunan

²School of Software, Central South University, Changsha Hunan

Keywords: Authentication, Chaotic system, Quantum encryption, MITM attack.

Abstract. Ensuring the reliability of data transmitted over an insecure channel has long been a major problem that deeply affects communication quality. To solve it, the concept of message authentication was proposed; it has been widely used and proved efficient. In this paper, we propose a message authentication scheme based on a chaotic quantum cryptosystem. Its security and reliability are analyzed, showing that the scheme can guarantee message security against different kinds of attack. We hope this will benefit the future of communication security.

Introduction

When two remote parties communicate with each other, especially over an insecure channel, the reliability of the message is the biggest problem. The message sender may then adopt strategies to protect the data integrity and identity legality of the message. This is authentication, which is widely used in current communication protocols in both the classical and quantum fields.

In the 1990s, researchers proposed the concept of message authentication to ensure the integrity of a transmitted message. Since then, many authentication schemes based on hash functions and public key encryption systems have been proposed [1]. In 2000, Bourennane et al. [2] proposed an authentication scheme based on quantum key distribution (QKD) and brought authentication into the quantum field. Soon after, Curty and Santos [3] proposed a quantum authentication scheme aiming to authenticate messages in a quantum channel. Their scheme is based on pre-shared maximally entangled states, and every single message needs an EPR pair. Furthermore, Barnum [4] put forward a noninteractive scheme, which uses quantum stabilizer codes to achieve authentication. Later, X. Lv et al. [5] proposed an improved version of Barnum’s scheme, which reduces the quantity of keys shared between the two communicating parties. To date, hundreds of papers about authentication have been published with many different ideas. Recently many researchers have been trying to bring new techniques from basic fields, chaos in statistics for example, into quantum authentication schemes to enhance security and improve efficiency.

In this paper, we propose a simple authentication scheme, based on a quantum encryption algorithm, to guarantee the integrity and legality of messages transmitted over an insecure channel. Unlike earlier schemes, the key string here is generated by a chaotic system, which is extremely sensitive to the initial condition and the system parameter.

The paper is arranged as follows. In section 2, we examine the chaotic system used in our scheme and briefly demonstrate its characteristics. In section 3, the encryption algorithm is introduced in detail. The authentication scheme follows in section 4 and consists of an initial & encryption phase and a verification phase. Finally, we give a security analysis of the authentication scheme in section 5 and a conclusion in section 6.

Chaotic System


with just one initial parameter and one system parameter to show our authentication scheme, which is just an example and modeled by:

$$x_{n+1} = \mu\, x_n (1 - x_n) \tag{1}$$

where $n$ denotes the number of iterations and mu ($\mu$) denotes the system parameter. The initial parameter is restricted to between 0 and 1 to bound the value of $x_{n+1}$ and prevent it from becoming extremely large, which would be useless and troublesome for the scheme. With the initial parameter $0 < x_0 < 1$, 0.5 for example, we get a sequence of decimals between 0 and 1, as shown in (a) of Figure 1. Once the initial parameter changes slightly, even by a difference of 0.000001, the sequence becomes totally different, as shown in (b) below.

However, decimals are useless here. We need a further operation to transform them into integers:

$$k_i = \mathrm{round}(x_i) \tag{2}$$

where $\mathrm{round}(x)$ denotes the operation that returns the integer nearest to $x$. With this operation we get a string $k_i$ consisting of the integers 0 and 1. For example, when $x_0 = 0.05$ and mu = 4,

$k_i = 00110110101000001\ldots$

Encryption & Decryption Algorithm

Encryption Algorithm

Figure 1. The value mapping between $x(n)$ and the iteration count n in the Logistic system with different initial parameters. $x(0)$ in (a) is 0.05, while in (b) it is 0.050001. The system parameter mu is 4 in both.

In this algorithm we take the two Pauli matrices $\sigma_x, \sigma_z$ to denote the corresponding Pauli gates, and $|P\rangle = \bigotimes_{i=1}^{2n} |P_i\rangle$ denotes the original quantum message, where $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$ and $\alpha_i^2 + \beta_i^2 = 1$. The encryption algorithm is modeled by:

$$E_{k_i}(|P\rangle) = \bigotimes_{i=1}^{n} \sigma_x^{k_{4i-3}} \sigma_h^{k_{4i-1}} |P_{2i-1}\rangle \bigotimes_{i=1}^{n} \sigma_z^{k_{4i-2}} \sigma_v^{k_{4i}} |P_{2i}\rangle \tag{3}$$

where $E_{k_i}(|P\rangle)$ denotes the cipher, and $\sigma_h$, $\sigma_v$ are another two kinds of operation gates, with $\sigma_h = \frac{1}{\sqrt{2}}(\sigma_x + \sigma_z)$ and $\sigma_v = \frac{1}{\sqrt{2}}(\sigma_x - \sigma_z)$. $k_i$ denotes the key string and is generated by the chaotic system above. It is obvious that one can obtain neither the exact relationship $\sigma_x\sigma_h = \pm\sigma_h\sigma_x$ nor $\sigma_z\sigma_v = \pm\sigma_v\sigma_z$, due to the properties of Pauli operations. Furthermore, accurate calculations show that one can’t achieve the relationship $\sigma_x\sigma_h\sigma_z\sigma_v = \pm\sigma_v\sigma_z\sigma_h\sigma_x$ [6]. These features could enhance the security of the authentication scheme.

Decryption Algorithm

The decryption algorithm is similar to the encryption one as below:

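$$|P\rangle = \bigotimes_{i=1}^{n} \sigma_H^{k_{4i-1}} \sigma_x^{k_{4i-3}} |E_{2i-1}\rangle \bigotimes_{i=1}^{n} \sigma_V^{k_{4i}} \sigma_z^{k_{4i-2}} |E_{2i}\rangle \tag{4}$$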


multiplies its inverse matrix, it’ll result in a unit matrix, which wouldn’t make any difference to a matrix after a product operation between them. With this property, we could recover the plain-text string |P⟩.
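The key generation of Eq. (1)-(2) and the gate-by-gate encryption and decryption of Eq. (3)-(4), as an added example that is not code from the paper. It assumes that key bit k_1 is the first bit of the example string above, round(x_0), and it simulates a product-state message as a list of single-qubit amplitude pairs; all function names are illustrative.

```python
import math

S = 1 / math.sqrt(2)
I2 = ((1, 0), (0, 1))
SX = ((0, 1), (1, 0))          # sigma_x
SZ = ((1, 0), (0, -1))         # sigma_z
SH = ((S, S), (S, -S))         # sigma_h = (sigma_x + sigma_z) / sqrt(2)
SV = ((-S, S), (S, S))         # sigma_v = (sigma_x - sigma_z) / sqrt(2)

def keystream(x0, mu, nbits):
    """Eq. (1)-(2): k_i = round(x_i) along the logistic orbit (assumed to start at x_0)."""
    bits, x = [], x0
    for _ in range(nbits):
        bits.append(round(x))
        x = mu * x * (1 - x)
    return bits

def apply(gate, q):
    """Multiply a 2x2 gate into a single-qubit amplitude pair (alpha, beta)."""
    (a, b), (c, d) = gate
    return (a * q[0] + b * q[1], c * q[0] + d * q[1])

def gates_for(k, j):
    """Gates the key selects for qubit j (0-based): (Pauli gate, h/v gate)."""
    base = 4 * (j // 2)        # k_{4i-3}..k_{4i} sit at 0-based base..base+3
    if j % 2 == 0:             # qubit 2i-1: sigma_x^{k_{4i-3}} sigma_h^{k_{4i-1}}
        return (SX if k[base] else I2), (SH if k[base + 2] else I2)
    return (SZ if k[base + 1] else I2), (SV if k[base + 3] else I2)  # qubit 2i

def encrypt(k, qubits):
    """Eq. (3): the h/v gate acts on the state first, then the Pauli gate."""
    out = []
    for j, q in enumerate(qubits):
        pauli, hv = gates_for(k, j)
        out.append(apply(pauli, apply(hv, q)))
    return out

def decrypt(k, cipher):
    """Eq. (4): undo the Pauli gate first, then the h/v gate (each is self-inverse)."""
    out = []
    for j, e in enumerate(cipher):
        pauli, hv = gates_for(k, j)
        out.append(apply(hv, apply(pauli, e)))
    return out

if __name__ == "__main__":
    key = keystream(0.05, 4, 8)                    # 8 key bits cover 4 qubits
    plain = [(1, 0), (0, 1), (S, S), (0.6, 0.8)]   # constructed sample states
    print("key   ", "".join(map(str, key)))
    print("plain ", decrypt(key, encrypt(key, plain)))
```

A message of 2n qubits consumes 4n key bits, so the caller must generate at least twice as many key bits as there are qubits.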

Authentication Scheme

There are many authentication protocols; however, a secure authentication scheme should satisfy at least the constraints below. First, it guarantees the data integrity and identity legality of the message. Second, neither sender nor receiver can disavow the message.

Assume the original message from Alice is $|P\rangle = \bigotimes_{i=1}^{2n} |P_i\rangle$ and n is large enough to obtain a lower error probability in the verification phase, where $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$ and $\alpha_i^2 + \beta_i^2 = 1$. The scheme in detail is as follows:

Figure 2. Brief diagram of the authentication process from Alice to Bob, which mainly consists of two phases.

Initializing & Encryption Phase

Step1. Alice shares her initial parameter $x_0^a$ with Trent and gets a random number Q in return through a quantum key distribution (QKD) protocol, which is proved to be unconditionally secure [7,8]. Likewise, Bob also shares his initial parameter $x_0^b$ with Trent. Note that $0 < x_0^a, x_0^b < 1$, as required by the Logistic system.

Step2. Alice transforms the message string $|P\rangle$ into a message authentication code (MAC) string $\mathrm{MAC}(|P\rangle) = E_{k_a}(|P\rangle)$ with the key string $k_a$ generated by the chaotic system from her initial parameter $x_0^a$. Note that the quantum state of the string $|P\rangle$ is known, so Alice can prepare several copies of $|P\rangle$ to achieve a lower error probability when comparing unknown quantum states in the verification phase, and thereby reduce the failure probability.

Step3. Alice sets the number q = Q as the serial number of the first message and q + 1 for the next one. Every time she sends a message in the conversation, she increases q by one, so q is monotonically increasing.

Step4. Alice encrypts $|P\rangle$, $\mathrm{MAC}(|P\rangle)$ and the serial number q using the key $k_a$, and then sends the encryption result $|M\rangle = E_{k_a}(|P\rangle, \mathrm{MAC}(|P\rangle), q)$ to Bob through an authenticated channel.

Verification Phase

Step1. Bob performs the encryption operation on $|M\rangle$ with $k_b$, and then sends the resulting message $|M'\rangle = E_{k_b}(|M\rangle)$ to Trent through an authenticated channel.

Step2. Trent performs decryption twice on $|M'\rangle$ to get the original message $|P\rangle$, the corresponding $\mathrm{MAC}(|P\rangle)$ and the serial number q, using the key strings $k_a$, $k_b$ generated by the chaotic system from the initial parameters $x_0^a$, $x_0^b$. Then he encrypts $|P\rangle$ with the string $k_a$ to obtain $\mathrm{MAC}(|P\rangle)' = E_{k_a}(|P\rangle)$. After comparing $\mathrm{MAC}(|P\rangle)$ and $\mathrm{MAC}(|P\rangle)'$, he sets a new flag number F = 1 if the two states are equal; otherwise F = 0.

Step3. When more than one message is to be checked, Trent takes a further authentication step if F = 1. Trent checks whether the first serial number is Q and whether the serial numbers are monotonically increasing. F = 1 stays unchanged if and only if both constraints above are satisfied; otherwise Trent resets F = 0. Trent then encrypts $|P\rangle$ and F into $|S'\rangle = E_{k_b}(|M\rangle, F)$, which is sent to Bob.

Bob notifies Alice to send the message again for a second authentication; otherwise this authentication is successful and Bob can confirm the message is intact and legal.

At this point, this authentication round is finished. The process above is one-way; if bidirectional authentication is needed, an additional inverse process from Bob to Alice, following the steps above, is enough.

Security Analysis

For any communication protocol or scheme, security is invariably the most important issue. To be secure, an authentication scheme should satisfy the requirements mentioned before: no disavowal or forgery by any participant in the process, and protection of both integrity and legality. Below we analyze our scheme against some feasible attacks to show its security:

Forgery Attack

In our scheme, the messages transmitted in the channel are encrypted as an integral whole, and no one can decrypt them to get the content inside without the key string. The key string itself is not transmitted directly in the channel; it is generated from the pre-shared initial parameter, which is transmitted through an absolutely secure QKD protocol. If Eve tries to forge messages from Alice, then he has to get the initial parameter, which is obviously impossible.

A malicious Bob has access to the plain-text $|P\rangle$ and $\mathrm{MAC}|P\rangle$ in usual schemes. He could then take advantage of the relationship between $|P\rangle$ and $\mathrm{MAC}|P\rangle$ to perform a forgery attack through suitable matrix operations without knowing Alice’s key string. Taking the encryption algorithm in this scheme as an example, the forgery attack is as follows:

Assume the forged message is $|P_i'\rangle = |P_i\rangle \otimes M$, where $M = \bigotimes_{i=1}^{n} M_i$ is a matrix set consisting of 2 × 2 matrices. Then he can get a forged MAC through the operation below:

$$\mathrm{MAC}|P'\rangle = \bigotimes_{i=1}^{n} \mathrm{MAC}|P\rangle_{2i-1} M_{2i-1} \bigotimes_{i=1}^{n} \mathrm{MAC}|P\rangle_{2i} M_{2i}$$

with which Bob could get a simple forged message $S = (|P'\rangle, \mathrm{MAC}|P'\rangle)$.

However, Bob’s forgery attack is useless here. Unlike in other schemes, Bob won’t get $\mathrm{MAC}|P\rangle$ in this scheme. Even if he gets it, he can’t make a valid secret message because of the serial number $q$, which is random to him.

Impossibility of Man-in-the-middle Attack

Man-in-the-middle (MITM) attack is a common kind of attack in the authentication field, in which the attacker Eve intercepts messages from the two communicating parties and resends them forged messages for his benefit. The attacker here is similar to a repeater. However, neither Alice nor Bob will discover this, and both still believe there is a direct channel between them, which has never existed. MITM attacks can be divided into two kinds: content-distorted attacks and content-unchanged attacks.

In the content-distorted attack, Eve may intercept the messages from Alice and distort them before sending them to Bob, as Figure 3 shows, or even eventually hijack the conversation. However, this is impossible here for two reasons. First, the content of the encrypted message is unknown to Eve, so Eve can’t make a specific distortion to the message. Second, once the message is changed, Trent will discover it in the verification phase. Moreover, the serial number, which is random to Eve, may enhance the security.

Figure 3. MITM-Distortion Attack. Eve may change inside content of message

In the content-unchanged attack, Eve may reorder or delay the messages transmitted in the channel, which won’t be discovered in common authentication schemes because the content is unchanged, as Figure 4 shows.

The serial number in our scheme is designed to resist attacks like this; it increases monotonically one by one, like 1, 2, 3, 4, 5... from Q. Once messages suffer a disorder attack, Trent will find it in Step3 of the verification phase. Trent will then reset F = 0, which means the authentication round has failed and a second authentication is needed. A delay attack is almost the same and will be detected easily.

Figure 4. MITM-Disorder Attack. Eve may intercept messages M1, M2, M3 and send M2, M1, M3 to Bob; he hasn’t changed any inside content, and Trent can’t discover it through a simple comparison test.
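Trent’s serial-number check from Step3 of the verification phase, run over the reordering of Figure 4, as an added example that is not code from the paper. It applies the one-by-one rule stated above; the function name, the reason strings and the sample value of Q are constructed for illustration.

```python
def trent_step3(F, Q, serials):
    """Return (F, reason) after checking serial numbers in arrival order.

    F is the flag left by the MAC comparison in Step2. It stays 1 only if the
    first serial equals Q and every later serial is the previous one plus one.
    """
    if F != 1:
        return 0, "MAC comparison already failed"
    expected = Q
    for position, q in enumerate(serials):
        if q < expected:
            return 0, f"message {position}: serial {q} is stale (replayed or delayed)"
        if q > expected:
            return 0, f"message {position}: serial {q} arrived before {expected}"
        expected += 1
    return 1, "serials start at Q and increase one by one"


if __name__ == "__main__":
    Q = 4071                                   # constructed sample value
    arrivals = {
        "in order M1,M2,M3": [Q, Q + 1, Q + 2],
        "Figure 4 M2,M1,M3": [Q + 1, Q, Q + 2],
        "M2 sent twice": [Q, Q + 1, Q + 1],
        "M2 withheld": [Q, Q + 2],
    }
    for label, serials in arrivals.items():
        print(label, "->", trent_step3(1, Q, serials))
```

In the Figure 4 case every message still passes the Step2 comparison on its own, so the caller passes F = 1 and only the ordering rule turns the flag to 0.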

Impossibility of Disavowal by Alice and Bob

When Alice and Bob can’t agree with each other, the trusted arbitrator Trent is needed to make a judgment. First, assume Alice denies, for her own benefit, that she has sent the message. Trent can confirm that Alice is lying, because the message $|M\rangle = E_{k_a}(|P\rangle, \mathrm{MAC}(|P\rangle), n)$ contains Alice’s key string $k_a$ to some extent. That Trent can decode it with Alice’s key means the message is from Alice. Hence, disavowal by Alice is impossible.

Similarly, if Bob denies for some reason that he has ever received the message, the probability of success is also zero. First, the message from Alice is unknown to Bob before authentication by Trent, so it is meaningless to disavow a message he knows nothing about, whether profitable or not. Then, once the message has been transmitted to Trent, there is no way to disavow anything, because Bob has performed the encryption operation on the message, which contains his key string $k_b$.

Conclusion

In this paper, we proposed a tripartite quantum message authentication scheme consisting of two communicating parties and an arbitrator, in which a chaotic system is used to produce the key string. With the chaotic system and a single pre-shared initial parameter, you can obtain a key string, shared with the arbitrator, of any length you wish. The scheme is also proved secure against normal attacks in the authentication field.

Acknowledgements

This work was supported by the National Natural Science Foundation of China (61572529), and Defense Basic Research Program (JCKY2014110C004).

References

[1] Qiaoyan Wen, Fei Gao, Fuchen Zhu, Research Situation and Direction of ID Authentication Issue in Quantum Key Distribution, Journal of Beijing University of Posts and Telecommunications, (2004).

[2] M. Nielsen and I. Chuang, Quantum computation and quantum information, Cambridge University Press, Cambridge (2000).

[4] Barnum C., Gottesman D., Smith A., et al. Authentication of quantum messages[A]. Proc 43rd Annual IEEE Symposium on the Foundations of Computer Science (FOCS02)[C]. Vancouver Canada 2002. 449-458.

[5] Xin Lv, Zhi Ma, et al. Quantum Message Authentication Protocol, Journal on Communications, 20055(26)44-49.

[6] Ying Guo, Ronghua Shi, et al. An Arbitrated Quantum Signature Scheme in Chaotic Cryptosystem, Journal of Modern Physics (2013).

[7] A. K. Ekert, Quantum cryptography based on Bell’s theorem, Phys. Rev. Lett. 67, 661 (1991).
