Research Article

Mutual Authentication Scheme Based on Lattice for NFC-PCM Payment Service Environment

Sung-Wook Park and Im-Yeong Lee
Department of Computer Engineering, Soonchunhyang University, Asan-si 336-745, Republic of Korea
Correspondence should be addressed to Im-Yeong Lee; [email protected]

Received 3 March 2016; Accepted 4 May 2016
Academic Editor: Fan Wu

Copyright © 2016 S.-W. Park and I.-Y. Lee. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

In recent years, the incorporation of NFC (Near Field Communication) technology into mobile devices has led to changes in payment system environments. Currently, the NFC mobile payment service is leading the mobile payment market. In particular, most electronic payment services, such as those used by Google Inc. and Apple Inc., are adopting payment methods based on NFC to replace credit cards. In addition, related groups from the Republic of Korea have enhanced safety in communication by using standard techniques for activating NFC services. However, various security threats are still present in electronic payment methods that use NFC. In this paper, we propose a mutual authentication scheme based on a lattice for conditional anonymity in NFC-PCM (Near Field Communication-Passive Communication Mode) payment service environments.
1. Introduction

The inclusion of NFC (Near Field Communication) technology in mobile devices has resulted in changes in payment system environments that had been maintained over the past few years. As a result, payment methods based on NFC are currently leading the mobile payment market. In particular, companies such as Google, Apple, and Samsung have established new mobile payment services that have attracted attention as the means for replacing preexisting payment methods requiring the use of credit cards. Currently, most mobile payment services provide such services through the FIDO (Fast Identity Online) standard and tokenization technology. FIDO enables secure communication between mobile devices using wireless communication technology and supports the use of NFC. The disadvantage of mobile payment services is that such services cannot be used when the power is interrupted. Therefore, industry and academia have been conducting research on payment services that use NFC-PCM (Near Field Communication-Passive Communication Mode). In payment services that use PCM, NFC tags draw their operating power from the electromagnetic field received from the reader of the NFC initiating device. A problem that might be encountered with this method would be low computing power and limited storage space in the NFC device. In particular, if the NFC-based device used in the payment service environment operates only through XOR, AND, and add operations, providing security for payment information might be difficult. Therefore, research that resolves this problem is understandably urgent.

In recent years, many incidents related to privacy have occurred. Accordingly, companies that provide online services are demanding only the level of information required to render the particular service they provide. That is, some companies do not require user information; for example, when registering at some domestic portal sites, these sites do not require social security numbers and may prefer to discard the social security numbers they have collected. Thus, personal information has emerged as an important social issue. Given the importance of privacy, problems associated with the disclosure of financial information can be seen as significant. According to the "Final Report of Measures on NFC Personal Information Protection" published by the Korea Internet and Security Agency, the information used for an NFC mobile credit card payment is collected and stored at shops, VAN (value-added network) companies, and card companies through networks. Thus, if POS (point-of-sale) terminals in shops are hacked, personal financial information can be stolen. In one case, the credit card information of almost 100,000 persons was leaked via the aforementioned attack method [1]. Even if an encryption algorithm with high cryptographic strength were to be applied, user identification or financial information could be exposed to a variety of attacks. Therefore, it is necessary to consider the application of anonymous authentication techniques that do not expose sensitive personal information.

Anonymous authentication technology is a type of technology that proves that the relevant parties have reasonable qualifications without the need for these parties to share any private information. Initial anonymous authentication technology was mainly utilized for electronic money exchange or electronic voting. In recent years, research has been conducted on authentication methods for protecting personal information. Anonymous authentication techniques can be distinguished by the level of anonymity provided by each technique. The anonymity level is determined by the availability of related information and the degree of anonymity required. In addition, related information can be divided into two categories: identifying information and connection information. Identifying information is the information used by individuals who want to identify themselves, such as their name, social security number, and email address. Connection information is the information related to party-certification process handling. Examples of connection information are PKI-based digital signatures, where the name listed in the certificate can be considered an identity. The signature value generated from using the certificate cannot be easily decrypted by the user. Instead, the use of a signature value would require the generation of the same key to enable the recipient to access the connection information. Ki et al. [2] composed an anonymity level in six steps in order to separate the two types of information into complete, conditional, and no exposure.

In this paper, we propose a new mutual user authentication scheme for privacy detection in NFC-PCM mobile payment environments. The remainder of this paper is organized as follows. Section 2 presents background research on lightweight NFC authentication for low-cost environments and NFC operating modes. Section 3 provides an analysis of the security requirements of NFC payment services. Section 4 proposes lightweight mutual authentication for NFC-PCM environments. Section 5 presents the security requirements and our analysis of the proposed scheme, and Section 6 concludes the paper.
2. Related Work

In this section, we describe related authentication schemes based on NFC operating modes and low-cost NFC authentication methods.

2.1. NFC Operating Modes. NFC is generally divided into PCM and ACM (Active Communication Mode). PCM is a method that enables a passive target device (e.g., an RFID tag) to respond to the initiator of the communication by using operating power obtained from the electromagnetic field provided by the initiator. In contrast, ACM is a method that enables communication between an initiator and a target device, both of which must be ACM-enabled such that both devices actively generate their own RF field on an alternating basis when communicating. While the target device waits for the initiator to send data through ACM, its RF field is temporarily deactivated. NFC-enabled devices can operate in three different communication modes, as depicted in Figure 1. However, NFC mobile payment environments are also required to support payment services that use PCM-based NFC. Nevertheless, PCM-based NFC mobile services are unsafe and can lead to privacy breaches. Our research focuses on PCM-based mutual authentication in low-cost NFC payment environments.

International Journal of Distributed Sensor Networks

Figure 1: NFC communication modes. Panels: reader/writer mode (smart phone as active device, NFC tag as passive device); peer-to-peer mode (two smart phones, both active devices); card emulation mode (NFC reader as active device, smart phone as passive device). In each panel the initiator drives a 13.56 MHz RF field with ASK modulation and the target answers by load modulation.

2.2. Business Models. The "LoopPay" solution is a solution for processing payments via electromagnetic waves in a noncontact manner, unlike traditional magnetic cards. It was developed in the US by the start-up company "LoopPay", and the service is currently restricted to the United States. The characteristic of "LoopPay" is its ability to store multiple groups of plastic cards on one small payment device. It is known to be developed as a separate H/W and S/W system and is relatively safe in terms of security incidents. However, the internal structure of the system is not known. The COIN service was developed by the company "Only Coin" in San Francisco and is used in a similar manner to "LoopPay." Such services are an example of the business model proposed in the present study.

Figure 2: NFC tag attack scenario. ① The user attempts to connect to the service through the NFC tag in the physical area; ② the tag transfers either normal URL information or malicious URL information; ③ this leads to proper service access at a legal server or to malicious service access at a malicious server over the network; ④ the legal server provides services (multilingual voice services, text services, map information service, tourist information service), whereas the malicious server enables a variety of possible attacks (requests for personal information, providing false information, wrong location information, allowing unauthorized access to payment).

2.3. Threat Models. Various studies [3, 4] have exposed security threats in the NFC service environment. In particular,
the vulnerability of this service environment is attributable to the use of modulated NDEF (NFC Data Exchange Format) data. The exploitation of this vulnerability for attacks is possible because the user is required to make visual decisions. Accordingly, it is impossible for the user to verify the reliability of a tag that is used to perform the payment. It would be possible to identify a genuine tag through the use of an authentication infrastructure and a digital signature of an acceptable standard. However, this approach would be costly. Threats to which an NFC tag-based service is exposed are shown in Figure 2. Therefore, an NFC-PCM-based scheme should offer protection against the following security threats [5].

2.4. Related Work on Low-Cost NFCs. In most RFID application service environments, passive tags cannot easily perform complex calculations because of their limited processing capability. Consequently, hash function-based protocols and lightweight cryptosystem technology have been proposed for solving the security and privacy issues of low-end RFID systems. Kaya et al., Batina et al., and Lee et al. [6–8] proposed elliptic curve cryptography-based RFID authentication protocols. However, their proposals did not prove whether actual implementation is possible. In addition, their proposed methods have not been accepted by both NFC standards, and thus they are practically impossible to implement because of efficiency issues in RFID environments. In the authentication study conducted by Sekino et al. [9], the passive tag was enabled such that it has the ability to support the hash function, to store information in large matrices, and to perform matrix operations. However, this method cannot be easily applied to a low-cost tag. Moreover, attackers can perform denial-of-service attacks on tags in low-cost environments. In particular, NFC storage, which accounts for high costs in terms of hardware, plays a very important part in the problems indicated above.

2.4.1. Jung. Jung [10] indicated that there is a risk of disguised attacks because user payment information remains on the tag reader. For low-cost NFC environments, Jung proposed an authentication mechanism that reduces the amount of computation through the use of a hash function and XOR operations. The objective of this method was to employ a nonce value to prevent replay attacks. Because the nonce value changes in every session, the communication between devices is secured. However, the results of XOR operations and a simple hash function cannot easily provide safety in payment environments, and satisfying the various security requirements of payment environments is difficult. In addition, various similar studies were carried out, but their methods are not suitable for application in the NFC-PCM payment service environment [1, 11, 12].

2.4.2. Abughazalah et al. Abughazalah et al. [13] proposed a protocol, analysed with the CasperFDR method, that protects personal information and stores key information in the cloud. Their approach was to apply encryption using a certificate in the data exchange phase of every step of the protocol. However, this method is much less efficient in payment environments compared to nonpayment environments, and it is not applicable to the PCM environments proposed in this study.

2.5. NTRU. NTRU was proposed by Jeffrey Hoffstein at the rump session of Crypto 1996. The public-key encryption scheme used by NTRU is based on a lattice problem. The basic operation is composed in a polynomial ring; the scheme was designated as a public-key encryption standard by IEEE as P1363.1. NTRU provides stability comparable to RSA and ECC, and its encryption and decryption speed is high (Table 1). Therefore, NTRU encryption technology is highly suitable for USN environments and devices with limited computational abilities that require lightweight encryption algorithms. In the United States, ASC X9 has designated NTRUEncrypt as the X9.98 standard for financial transaction data protection.

Table 1: NTRU key features.

Benefits | Details
Fast processing speed | (i) Faster than traditional methods; (ii) RSA, ECC: exponentiation; (iii) NTRU: polynomial (convolution add)
Safety | (i) NP-hard: CVP, SVP; (ii) IEEE 1363.1 standard designation; (iii) X9.98 standard designation in ASC X9
Easy implementation | (i) Addition, multiplication, and shift operations; (ii) most developers find NTRU easy to understand
Cost | (i) RSA, ECC (partially): license fees required; (ii) NTRU: open source (license-free)
3. Security Requirements

NFC payment services should be provided with user authentication, integrity, and confidentiality functions in order to exchange data with external devices [10]. In addition, we need to consider the operational efficiency and safety of existing methods for PCM-based NFC environments. Therefore, our proposed scheme should satisfy the basic low-cost tag payment service security requirements of PCM-based NFC mobile payment environments. These requirements are as follows [14, 15].

(i) Confidentiality. Because the data used for communication include sensitive billing information, only the legitimate communication object must be able to share these data. Even if sensitive data are exposed, an attacker should not be able to infer the value of the data.
(ii) Integrity. It should not be possible to easily forge the data transmitted during communication because such data are the basis for financial transactions, for example, billing.
(iii) Conditional Anonymity. The verifier should not need a separate verification protocol to be able to determine the personal information.
(iv) Mutual Authentication. The idea is to provide mutual authentication of both communicating parties for legitimate user verification.
(v) Safety. The idea is to satisfy the basic requirements by providing a mutual authentication protocol and to maintain a high level of safety when communicating secret information.
(vi) Efficiency. The idea is to provide high efficiency in terms of the amount of computation required by devices with limited computational abilities.
4. Proposed Schemes

In this section, we use the characteristics of the convolution multiplication operation of a polynomial to propose a lattice-based mutual authentication scheme for low-cost NFC-PCMs. Our approach involves changing the method according to which the polynomials $f, g$ are generated to create the user's secret key. The existing NTRU method chooses two small polynomials $f, g$ from the truncated polynomial ring $R$; however, the existing method only calculates the inverse of $f$, whereas the proposed protocol requires the inverse of $g$. The parameter setting that was used for selecting $f$ was also applied for selection of the precise small polynomial when $g$ was generated.

4.1. System Parameters. The system parameters used in the proposed scheme are as follows:
(i) $*$: object ($A$: user, $B$: bank or electronic payee),
(ii) $H(\cdot)$: hash function,
(iii) $Z$: set of integers,
(iv) $g$: group generator (primitive root),
(v) $L_f, L_g$: subsets of $R$ (truncated polynomial ring),
(vi) $f, g$: private key polynomials of $*$ ($f_* \in L_f$, $g_* \in L_g$),
(vii) $p, q$: large prime numbers that satisfy $\mathrm{GCD}(p, q) = 1$, $p > q$,
(viii) $g_{*p}^{-1}, g_{*q}^{-1}$: inverse polynomials of $g$,
(ix) $f_{*p}^{-1}, f_{*q}^{-1}$: inverse polynomials of $f$,
(x) $I$: the user's identity,
(xi) $V_*$: public key on the truncated polynomial ring $R$ ($V_* = p\, f_{*q}^{-1} \cdot g_* \in \mathbb{Z}_q[X]/(X^N - 1)$),
(xii) $p$: prime (1024 bits),
(xiii) $\mathrm{rot}(\cdot)$: rotate function; $\mathrm{rot}(x, y)$ is defined as "left rotating the value of $w(y)$ with $x$," where $w(y)$ is the Hamming weight of $y$ [5].
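The following Python program is an added illustration of the ring arithmetic behind parameters (v)–(xi) and of the convolution-multiplication property that the opening paragraph of this section relies on; it is not code from the paper. It implements convolution multiplication in $\mathbb{Z}_m[X]/(X^N - 1)$, the inverses $f_p^{-1}, f_q^{-1}, g_p^{-1}, g_q^{-1}$, the public key $V = p\, f_q^{-1} \cdot g$, and a check that a cyclic shift $\mathrm{rot}_i(f) = X^i f$ commutes with multiplication by $g$. The toy parameters $N = 11$, $p = 3$, $q = 32$ and the sample polynomials $F$, $G$ are small constructed values chosen so the output is readable (the paper's parameters are far larger), and the Newton lifting used for the modulus $q = 2^k$ is the standard NTRU technique, not a step the paper spells out.

```python
# Added example (not from the paper): toy NTRU-style key material in the
# truncated polynomial ring Z[X]/(X^N - 1). Polynomials are coefficient lists,
# lowest degree first. N, P, Q, F and G are small constructed sample values.
N, P, Q = 11, 3, 32
F = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]   # sample private polynomial f (constructed)
G = [1, -1, 0, 1, 0, 0, 0, 0, 0, 0, 0]     # sample private polynomial g (constructed)

def reduce_ring(a, n, m):
    """Fold a plain polynomial into Z_m[X]/(X^n - 1) using X^n = 1."""
    out = [0] * n
    for i, c in enumerate(a):
        out[i % n] = (out[i % n] + c) % m
    return out

def conv_mul(a, b, n, m):
    """Convolution (star) multiplication in Z_m[X]/(X^n - 1)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + ai * bj) % m
    return out

def rot_i(f, i, n, m):
    """rot_i(f) = X^i * f mod (X^n - 1): cyclic shift of the coefficients by i."""
    return conv_mul([0] * i + [1], f, n, m)

def shift_commutes(f, g, i, n, m):
    """Check rot_i(f*g) == rot_i(f)*g and f*g + rot_i(f*g) == (f + rot_i(f))*g."""
    f, fg = reduce_ring(f, n, m), conv_mul(f, g, n, m)
    rf = rot_i(f, i, n, m)
    lhs, rhs = rot_i(fg, i, n, m), conv_mul(rf, g, n, m)
    sum_lhs = [(a + b) % m for a, b in zip(fg, lhs)]
    sum_rhs = conv_mul([(a + b) % m for a, b in zip(f, rf)], g, n, m)
    return lhs == rhs and sum_lhs == sum_rhs

def _trim(a, m):
    """Reduce coefficients mod m and drop leading zeros (keep at least one)."""
    a = [c % m for c in a]
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def _plain_mul(a, b, m):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % m
    return out

def _poly_divmod(a, b, m):
    """Long division of plain polynomials over GF(m), m prime."""
    a, b = _trim(a, m), _trim(b, m)
    inv_lead = pow(b[-1], -1, m)
    quot, rem = [0] * max(1, len(a) - len(b) + 1), a
    while rem != [0] and len(rem) >= len(b):
        d = len(rem) - len(b)
        c = (rem[-1] * inv_lead) % m
        quot[d] = c
        for k, bc in enumerate(b):
            rem[k + d] = (rem[k + d] - c * bc) % m
        rem = _trim(rem, m)
    return _trim(quot, m), rem

def inverse_mod_prime(f, n, m):
    """Inverse of f in Z_m[X]/(X^n - 1), m prime (extended Euclid); None if none exists."""
    r0, r1 = _trim([-1] + [0] * (n - 1) + [1], m), _trim(f, m)
    s0, s1 = [0], [1]          # invariant: r_k == s_k * f  (mod X^n - 1)
    while r1 != [0]:
        quot, rem = _poly_divmod(r0, r1, m)
        qs = _plain_mul(quot, s1, m)
        pad = len(s0) + len(qs)
        s_next = [(x - y) % m for x, y in zip(s0 + [0] * pad, qs + [0] * pad)]
        r0, r1, s0, s1 = r1, rem, s1, _trim(s_next, m)
    if len(r0) != 1:           # gcd has positive degree: f is not invertible
        return None
    c = pow(r0[0], -1, m)
    return reduce_ring([x * c for x in s0], n, m)

def inverse_mod_power_of_two(f, n, q):
    """Inverse for q = 2^k: invert mod 2, then Newton-lift b <- b*(2 - f*b)."""
    b = inverse_mod_prime(f, n, 2)
    if b is None:
        return None
    m = 2
    while m < q:               # each round doubles the number of correct bits
        m *= m
        two_minus_fb = [(-c) % q for c in conv_mul(f, b, n, q)]
        two_minus_fb[0] = (two_minus_fb[0] + 2) % q
        b = conv_mul(b, two_minus_fb, n, q)
    return b

def public_key(f, g, n=N, p=P, q=Q):
    """V = p * f_q^{-1} * g in Z_q[X]/(X^n - 1), as in parameter (xi)."""
    return [(p * c) % q for c in conv_mul(inverse_mod_power_of_two(f, n, q), g, n, q)]
```

Calling `public_key(F, G)` yields $V$, and `conv_mul(F, public_key(F, G), N, Q)` returns $p \cdot G \bmod q$, which is the relation the verification steps of the scheme depend on. `inverse_mod_prime([1, 1], N, 2)` returns `None` because $1 + X$ divides $X^N - 1$ over GF(2): a candidate $g$ whose coefficients sum to zero has no inverse in the ring, which is why the polynomials are drawn from restricted subsets $L_f, L_g$.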
4.2. Registration Phase. During initial registration, the user is required to perform the steps indicated below on a dedicated application (app). The user uses the app to store their payment card information in the NFC tag. This information can later be changed if necessary. If the user's smartphone is shut down, it is still possible to use the credit card through the PCM that was set last. The following example considers a situation in which a user registers their mobile device with the bank to set up the device for making future payments.

Step 1. The user chooses the secret keys $f_A, g_A$ and the inverse polynomials $f_{Ap}^{-1}, f_{Aq}^{-1}$ of $f_A$. Subsequently, the user computes his/her public key $V_A$:

A: $f_A \in L_f,\ g_A \in L_g$
A: $f_{Ap}^{-1},\ f_{Aq}^{-1}$
A: $V_A = p\, f_{Aq}^{-1} \cdot g_A \in \mathbb{Z}_q[X]/(X^N - 1)$
A → B: UserInfo, $V_A$. (1)

Step 2. The user submits the user information and the user public key $V_A$ to the bank, and the bank verifies the user's identity. The bank generates a public key certificate Cert($I, V_A$) from the user identity and the public key $V_A$ generated from the user's information and issues it to the user. Next, the bank retains the user information:

B: Identity = True?
B: generate $I$ using Identity
B: generate Cert($I, V_A$)
B → A: Cert($I, V_A$), $I$ (secure channel). (2)

4.3. User Verifying Phase. The user performs the steps indicated below in order to prove that he/she has valid financial payment information during financial transactions. $\mathrm{rot}(\cdot)$ is shown in Figure 3. $\mathrm{rot}(x, y)$ is defined as "left rotating the value of $w(y)$ with $x$," where $w(y)$ is the Hamming weight of $y$.

Step 1. The user selects a random polynomial $r_A$. Then, the user stores this polynomial safely by calculating the secret information $x = g_A \cdot r_A$ used to prove the user's identity. Subsequently, the user transmits identity $I$, user public key $V_A$, and certificate Cert($I, V_A$) to the bank:

A: $r_A \in L_r$
A: $x_A = g_A \cdot r_A$
A → B: $I_A$, $V_A$, Cert($I_A, V_A$), $x_A$. (3)

Step 2. The bank verifies the validity of identity $I$ and user public key $V_A$ using certificate Cert($I, V_A$) and the public signature system, and selects a random polynomial $e$ that is transmitted to the user:

B: Cert($I, V_A$) = True?
B: $e \in L_e$
B → A: $e$. (4)

Step 3. The user computes $y$ from $f_A$, $r_A$, and the random polynomial $e$ and transmits this information to the bank:

A: $e \leftarrow H_{kt}(e)$
A: $E = \mathrm{B2P}(e)$
A: $r_t = e_{[0,\, s-1]}$
A: $f_{AS} \cdot r_A = f_A \cdot r_A + \mathrm{rot}\big(f_A \cdot r_A,\ \lceil \log_2 (2q - 1) \rceil\, r_t\big)$
A: $y_A = f_{AS} \cdot r_A + e$
A → B: $y_A$. (5)

Step 4. The bank verifies the user's identity by checking whether $y_A \cdot V_A = x_A(e)$:

B: $y_A \cdot V_A = x_A(e)$
B: $(f_{AS} \cdot r_A) \cdot (f_{Aq}^{-1} \cdot g_A) = g_A \cdot r_A(e)$
B: $\big(f_A \cdot r_A + \mathrm{rot}(f_A \cdot r_A,\ \lceil \log_2 (2q - 1) \rceil\, r_t)\big) \cdot (f_{Aq}^{-1} \cdot g_A) = g_{AS} \cdot r_A = g_{AS} \cdot r_A + \mathrm{rot}\big(g_{AS} \cdot r_A,\ \lceil \log_2 (2q - 1) \rceil\, r_t\big)$
B: $\big((X^{HW(r_t)} - 1) \cdot f_A \cdot r_A \cdot (f_{Aq}^{-1} \cdot g_A)\big) = g_{AS} \cdot r_A = \big((X^{HW(r_t)} - 1) \cdot g_{AS} \cdot r_A\big) \bmod (X^N - 1)$
B: $(X^{HW(r_t)} - 1) \cdot g_{AS} \cdot r_A = (X^{HW(r_t)} - 1) \cdot g_{AS} \cdot r_A$. (6)

Mathematical Background. Consider the following:
(i) $\mathrm{rot}_i(f) = x^i \cdot f \bmod (x^N - 1)$,
(ii) $x^N \cdot f \bmod (x^N - 1) = f$,
(iii) $f \cdot g = x^i \cdot f \cdot g \bmod (x^N - 1)$, $f \cdot g = x^i \cdot (f \cdot g) \bmod (x^N - 1)$, $f \cdot g = \mathrm{rot}_i(f \cdot g) \bmod (x^N - 1)$,
(iv) $\mathrm{rot}_i(f \cdot g) = \mathrm{rot}_i(f) \cdot g$,
(v) $f \cdot g + \mathrm{rot}_i(f \cdot g) = (f + \mathrm{rot}_i(f)) \cdot g$,
(vi) $y_A = f_{AS} \cdot g_A + e = (X^{HW(r_t)} + 1) \cdot f_A \cdot g_A + e \bmod (X^N - 1)$.

4.4. Bank Authentication and Key Update Phase. The bank performs the steps indicated below in order to prove that it is the legitimate communication object of the user. In this procedure, the bank generates new verification information based on the user information by conducting the verification method provided in Step 4 of Section 4.3 and delivers the verification information to the user. Moreover, the user verifies the communication object using the information received from the bank.
Figure 3: Proposed scheme. Message flow between the user (A) and the bank (B): registration phase (Identity, $V_A$ → B; Cert($I, V_A$), $I$ → A over a secure channel), user verifying phase ($I_A$, $V_A$, Cert($I, V_A$), $x_A$ → B; $e$ → A; $y_A$ → B, with the bank's checks of equations (5) and (6) and the mathematical background identities (i)–(vi)), and key update phase ($z_B$, $z_{1B}$ → A, verified and applied by the user). The figure also gives an 8-bit illustration of $\mathrm{rot}(x, y)$, "left rotating the value of $w(y)$ with $x$," where $w(y)$ is the Hamming weight of $y$.
Step 1. The bank transmits the verification information to the user using $x = g_A \cdot r_A$ shared with the user. $r_A'$ is the new random polynomial generated by the bank; this information is used in the future transaction steps:

B: $r' \in L_r$
B: $z_B = \mathrm{rot}(x, x) \oplus (r_A' \text{ or } x')$
B: $z_B = \mathrm{rot}(g_A \cdot r_A,\ g_A \cdot r_A) \oplus (r_A' \text{ or } x')$
B: $z_{1B} = H(y_A \,\|\, r_A' \text{ or } x')$
B → A: $z_B$, $z_{1B}$. (7)

Step 2. The user verifies $z_B$ using $x$ and $y_A$ stored in the memory of his/her device. Once the hash information is verified, the user updates the received information $r_A'$ and proceeds to the current transaction:

A: $r_A' \text{ or } x' = z_B \oplus \mathrm{rot}(x, x)$
A: $r_A' \text{ or } x' = z_B \oplus \mathrm{rot}(g_A \cdot r_A,\ g_A \cdot r_A)$
A: verify $z_{1B}$
A: update $r_A' \text{ or } x'$. (8)
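As an added worked example (not code from the paper), the program below runs the key update exchange of equations (7) and (8) on integers: the bank masks the fresh value $r'$ with $\mathrm{rot}(x, x)$ and binds it to $y_A$ through the hash $z_{1B}$, and the user unmasks it and accepts it only when the hash check passes. The paper fixes neither a register width nor a concrete hash function, so a 16-bit register and SHA-256 are assumptions made here, and the values standing in for $x = g_A \cdot r_A$, $y_A$ and $r'$ are constructed. The `rot` function follows definition (xiii): rotate $x$ left by the Hamming weight of $y$.

```python
# Added example (not from the paper): rot(x, y) and the key update exchange of
# the bank authentication phase on integers. The 16-bit register width, SHA-256
# as H, and the sample values X_SHARED, Y_A and R_NEW are all assumptions.
import hashlib

BITS = 16                      # assumed register width

def hamming_weight(y):
    """w(y): number of one bits in y."""
    return bin(y).count("1")

def rot(x, y, bits=BITS):
    """rot(x, y): rotate x left by w(y) positions inside a bits-wide register."""
    k = hamming_weight(y) % bits
    mask = (1 << bits) - 1
    return ((x << k) | (x >> (bits - k))) & mask

def H(*parts, bits=BITS):
    """Hash of the concatenation of fixed-width fields (SHA-256 is an assumption)."""
    data = b"".join(p.to_bytes(bits // 8, "big") for p in parts)
    return hashlib.sha256(data).hexdigest()

def bank_key_update(x, y_a, r_new):
    """Bank side, Step 1: z_B = rot(x, x) XOR r', z_1B = H(y_A || r')."""
    z_b = rot(x, x) ^ r_new
    z1_b = H(y_a, r_new)
    return z_b, z1_b

def user_key_update(x, y_a, z_b, z1_b):
    """User side, Step 2: unmask r' = z_B XOR rot(x, x), verify z_1B, and return
    the new r', or None when the check fails (the old value is then kept)."""
    r_new = z_b ^ rot(x, x)
    if H(y_a, r_new) != z1_b:
        return None
    return r_new

# Constructed sample values standing in for x = g_A * r_A, y_A and the bank's r'
X_SHARED, Y_A, R_NEW = 0x2C5A, 0x1F3E, 0x0B77

def run_exchange():
    """One honest exchange and one where z_B was altered in transit."""
    z_b, z1_b = bank_key_update(X_SHARED, Y_A, R_NEW)
    accepted = user_key_update(X_SHARED, Y_A, z_b, z1_b)
    tampered = user_key_update(X_SHARED, Y_A, z_b ^ 0x0001, z1_b)
    return accepted, tampered

if __name__ == "__main__":
    print(run_exchange())
```

The honest run returns the bank's $r'$ unchanged, while flipping a single bit of $z_B$ yields a different unmasked value whose hash no longer matches $z_{1B}$, so the user rejects the update; the unmasking itself offers no integrity, and it is the hash bound to $y_A$ that detects the modification.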
Table 2: Analysis of proposed scheme.

Scheme | Mutual authentication | Confidentiality | Integrity | Nonreusable | Safety | Efficiency | Comp. Qty. (Reg.) | Comp. Qty. (Auth.) | Traffic (Reg.) | Traffic (Auth.)
Jung [10] | × Symmetric based | I Providing (shared secret key) | △ Providing (MAC based) | I Nonce based | × Symmetric based | I Symmetric based | 2H | 7H + 8⊕ | Four rounds (secure channel) | Four rounds
Pourghomi et al. [11] | △ Symmetric based | I Providing (shared secret key) | △ Providing (MAC based) | I Nonce based | I Symmetric based | I Symmetric based | 2U | 5U + 2E + 2(R_T ∗ E) | Two rounds (secure channel) | Four rounds
Sekhar and Sarvabhatla [12] | × Symmetric based | I Providing (shared secret key) | △ Providing (MAC based) | I Nonce based | I Symmetric based | I Symmetric based | 2E | 1U + 7E | Two rounds (secure channel) | Four rounds
Abughazalah et al. [13] | I Certificate based | I Providing (public & session key) | I Providing (digital signature) | I Time stamp based signature | I PKI based | × Exponential based | — | 11E + 6H | Two rounds (secure channel) | Four rounds
Thammarat et al. [16] | × Symmetric based | I Providing (shared secret key) | △ Providing (MAC based) | I Nonce based | I Symmetric based | I Symmetric based | — | 6E + 6H | Two rounds (secure channel) | Four rounds
Proposed scheme | I Lattice based | I Providing (shared secret key) | I Providing (digital signature) | I Nonce based | I PKI based | I Lattice based (efficiency in RFID card) | 2X | 3X + 4R + 4A + 4⊕ + 1H | Two rounds (secure channel) | Four rounds

×: no offer, insecure; △: usually offer; I: offer, secure. E: symmetric key; H: hash algorithm; U: public key; X: convolution multiplication; A: addition; ⊕: XOR; R: rotate function.
5. Proposed Scheme Analysis

Our proposed scheme satisfies the following requirements (see Table 2).

(i) Confidentiality. The attacker cannot know the encrypted $z_B$, $y_S$ exchanged between objects. Our idea is to provide confidentiality by using a randomly generated value for $r_A$ in each session.
(ii) Integrity. Data are delivered with certificate Cert$_A$ in order to generate the signature value for the message. Therefore, we can even detect forgery attempts through the verification process.
(iii) Mutual Authentication. Our idea is to provide mutual authentication through verification of the NTRU-based public key and Cert$_A$.
(iv) Conditional Anonymity. Banks are required to calculate the inverse permutation for each piece of encrypted information in order to find the legal user. In our proposed scheme, the probability of the attacker finding the user information is $1/n$ owing to the safe trapdoor function based on the $\mathrm{rot}(\cdot)$ function. Therefore, our proposed approach can provide user anonymity.
(v) Safety. The problem of finding confidential information about a user is equal to the mathematical problem SVP (Shortest Vector Problem), that is, finding the shortest vector in a large-sized lattice. Therefore, the proposed method should satisfy the properties of the trapdoor function. In addition, even if $g$ were to be exposed, an attacker capable of generating secret information would have to know the inverse function of one of the $g$'s. Then, even if the attacker were able to determine the value of $y$ via a combination function, the confidential information would be safe because it would not be possible to know the inverse of the value that generated the secret information.
(vi) Efficiency. The exponentiation method used in the conventional method is rooted in the discrete logarithm problem. In contrast, our proposed method is based on the lattice problem. In addition, our idea is very efficient in terms of computational complexity because it performs only simple addition, a rotation function, NTRU convolution multiplication, and a hash operation.

The feasibility of the method proposed in this paper is based on research by Atici et al. [17]. These authors showed that the NTRU cryptosystem requires only 10.5 kgates for implementation. This is similar to the gate count used to implement a hash function. Therefore, our proposed approach can be used in practical low-cost tag environments.

6. Conclusions

In this paper, we proposed a mutual lattice-based authentication scheme for secure financial payment services in NFC-PCM payment environments. Although this method is similar to those proposed in previous studies, it is comparatively efficient in terms of computational complexity because most of the proposed operations use lattice-based convolution multiplication. In particular, our proposed method provides a level of safety that is similar to that of the public key-based scheme used in previous studies. Our approach provides safety through the CVP (Closest Vector Problem), finding the closest vector, and the SVP (Shortest Vector Problem), finding the shortest vector, in a large-sized lattice. Our proposed method satisfies the conditions of NP-hardness. Only a BFA (Brute Force Attack) would be possible on devices using our approach. Our method was shown to provide very high efficiency in payment environments using the passive communication mode of NFC.
Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the MEST (Ministry of Education, Science and Technology) (2013R1A1A2012940) and by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) Support Program (IITP-2016-R0992-16-1006) supervised by the IITP (Institute for Information & Communications Technology Promotion).
References

[1] 2014, http://news.donga.com/East/3/all/20140411/62462956/1.
[2] J.-H. Ki, J.-Y. Hwang, M.-N. Shim, D.-K. Jeong, and J.-I. Lim, "A study on the applicability of anonymous authentication schemes for fine-grained privacy protection," Journal of the Korea Institute of Information Security and Cryptology, vol. 20, no. 6, pp. 195–208, 2010.
[3] C. Mulliner, "Attacking NFC Mobile Phones," EUSecWest 2008, 2008.
[4] M. Roland and J. Langer, "Digital signature records for the NFC data exchange format," in Proceedings of the 2nd International Workshop on Near Field Communication (NFC '10), pp. 71–76, IEEE, April 2010.
[5] E. Haselsteiner and K. Breitfuß, "Security in near field communication (NFC)," in Proceedings of the Workshop on RFID Security (RFIDSec '06), Graz, Austria, July 2006.
[6] S. V. Kaya, E. Savaş, A. Levi, and Ö. Erçetin, "Public key cryptography based privacy preserving multi-context RFID infrastructure," Ad Hoc Networks, vol. 7, no. 1, pp. 136–152, 2009.
[7] L. Batina, S. Seys, D. Singelee, and I. Verbauwhede, "Hierarchical ECC-based RFID authentication protocol," in RFID. Security and Privacy: 7th International Workshop, RFIDSec 2011, Amherst, USA, June 26–28, 2011, Revised Selected Papers, vol. 7055 of Lecture Notes in Computer Science, pp. 183–201, Springer, Berlin, Germany, 2011.
[8] Y. K. Lee, L. Batina, D. Singelee, and I. Verbauwhede, "Low-cost untraceable authentication protocols for RFID," in Proceedings of the 3rd ACM Conference on Wireless Network Security (WiSec '10), Hoboken, NJ, USA, March 2010.
[9] T. Sekino, Y. Cui, K. Kobara, and H. Imai, "Privacy enhanced RFID using Quasi-Dyadic fix domain shrinking," in Proceedings of the IEEE Global Communication Conference (GLOBECOM '10), Miami, Fla, USA, December 2010.
[10] M. S. Jung, "A study on electronic-money technology using near field communication," Symmetry, vol. 7, no. 1, pp. 1–14, 2015.
[11] P. Pourghomi, M. Q. Saeed, and G. Ghinea, "A secure cloud-based NFC mobile payment protocol," International Journal of Advanced Computer Science and Applications, vol. 5, no. 10, pp. 24–31, 2014.
[12] V. C. Sekhar and M. Sarvabhatla, "Secure lightweight mobile payment protocol using symmetric key techniques," in Proceedings of the International Conference on Computer Communication and Informatics (ICCCI '12), pp. 8–13, January 2012.
[13] S. Abughazalah, K. Markantonakis, and K. Mayes, "Secure mobile payment on NFC-enabled mobile phones formally analysed using CasperFDR," in Proceedings of the 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom '14), pp. 422–431, IEEE, Beijing, China, September 2014.
[14] Mobile NFC Technical Guidelines, GSMA, 2007.
[15] E. El Moustaine and M. Laurent, "A lattice based authentication for low-cost RFID," in Proceedings of the IEEE International Conference on RFID-Technologies and Applications (RFID-TA '12), pp. 68–73, Nice, France, November 2012.
[16] C. Thammarat, R. Chokngamwong, C. Techapanupreeda, and S. Kungpisdan, "A secure lightweight protocol for NFC communications with mutual authentication based on limited-use of session keys," in Proceedings of the International Conference on Information Networking (ICOIN '15), pp. 133–138, Siem Reap, Cambodia, January 2015.
[17] A. C. Atici, L. Batina, J. Fan, I. Verbauwhede, and S. B. Ö. Yalçin, "Low-cost implementations of NTRU for pervasive security," in Proceedings of the IEEE 19th International Conference on Application-Specific Systems, Architectures and Processors (ASAP '08), pp. 79–84, IEEE, Leuven, Belgium, July 2008.