A Lattice-Based Group Authentication Scheme

Abstract

Authentication has been adopted in many areas, but most of these authentication schemes are built using traditional cryptographic primitives. It is widely believed that such primitives are not resistant to quantum algorithms. To deal with those quantum attacks, lattice-based cryptography was introduced by Ajtai in 1996. To the best of our knowledge, the existing lattice-based authentication schemes are based on a lattice-based public key encryption called NTRU: a ring-based public key cryptosystem, proposed by Hoffstein, Pipher, and Silverman in 1998. However, these schemes only support the case of a single user. In view of the aforementioned issue, we propose the first lattice-based group authentication scheme. The proposed scheme is secure against replay attacks and man-in-the-middle attacks. Moreover, compared with the existing lattice-based authentication schemes, ours provides the most efficient method to agree upon a session key among a group of users after mutual authentication.

1. Introduction

Nowadays, authentication has been adopted in many areas, such as radio frequency identification (RFID), cloud computing, wireless sensor networks, internet of things (IoT), etc. Authentication schemes can be separated into two types: one is individual-oriented authentication, and another is group-oriented authentication. The scenario of individual-oriented authentication is one-to-one communication. There are only two users needing to authenticate each other. In group-oriented authentication, there are more than two users in a group. They build a private network and share messages among the group. Such a cryptographic primitive can be applied heavily to many-to-many network environments, e.g., Internet of Things or RFID.

However, most of these authentication schemes are built on traditional cryptographic primitives, e.g., RSA and ElGamal, where the cryptosystems are constructed based on discrete logarithm or factorization. It is widely believed that such primitives are not resistant to quantum algorithms. For instance, the algorithm proposed by Shor [1] in 1994 is a quantum algorithm that solves discrete logarithm problems and factorization problems in subexponential time complexity. To deal with those quantum attacks, lattice-based cryptography was introduced by Ajtai [2] in 1996. A lattice can be represented as a matrix which has a periodic structure in dimensional space. There are two central hard problems in lattice-based cryptography: the shortest vector problem (SVP) and the closest vector problem (CVP). The shortest vector problem (SVP) is, given a base of a lattice, to find the smallest possible nonzero vector of the lattice. The closest vector problem (CVP) is, given a base of a lattice and a vector which does not belong to the lattice, to find a vector belonging to the lattice that is the closest vector to the given vector. Both SVP and CVP are believed to be invulnerable to quantum attacks such as Shor’s algorithm. As a powerful and promising quantum-resistant primitive, it has been adopted in lots of applications, such as public key cryptosystems and sieve algorithms.

To the best of our knowledge, the existing lattice-based authentication schemes [3,4] are based on a lattice-based public key encryption called NTRU encryption [5], proposed by Hoffstein, Pipher, and Silverman in 1998. However, these two schemes support only the case of a single user. Another intuitive way to achieve group authentication is by using a lattice-based group signature. Nevertheless, a signature scheme is an asymmetric cryptographic primitive, which is usually more costly than a symmetric one. Besides this, group signatures support additional but unnecessary properties, such as the anonymity of signers, which may not be a desired property in RFID or IoT. Therefore, in view of the aforementioned issues, we will propose a new construction for lattice-based authentication. The proposed scheme also supports group authentication.

Contributions

In this manuscript, we propose a lattice-based authentication scheme supporting group authentication. Compared with the existing lattice-based authentication schemes, our scheme provides the most efficient authentication protocol in terms of the total cost to generate a session key among a group of users after mutual authentication.

2. Preliminaries

In this section, we review some preliminaries, including the definition of lattices, two standard worst-case approximation problems on lattices, the SampleD algorithm, and the BasisDel algorithm.

2.1. Notation

We denote the set of integers modulo q by ${\mathbb{Z}}_q$. Column vectors are represented by lower-case bold letters and matrices by upper-case bold letters. For a matrix S $\in {ℝ}^{m_1\times m_2}$, we say the norm of S is $\parallel S\parallel =\underset{1\le i\le m_2}{\mathit{max}}\parallel s_i\parallel$, where $\parallel s_i\parallel$ denotes the ${\ell }_2$-norm (Euclidean norm) of the column vector $s_i$. We let $\tilde{S}\in {ℝ}^{m_1\times m_2}$ denote the matrix whose columns ${\tilde{s}}_1$, …, ${\tilde{s}}_{m_2}$ represent the Gram–Schmidt orthogonalization of the vectors $s_1$, …, $s_{m_2}$ taken in the same order. Let $\parallel \tilde{S}\parallel$ denote the Gram–Schmidt norm of $S$. Let f(n) and $g\left(n\right)$ denote two positive real-valued functions. We say that f = O($g$) if there exist two constants $c_1$, $c_2$ such that $f\left(n\right)<c_1·g\left(n\right)$ for all $n\ge c_2$; $f=\mathsf{\Omega }\left(g\right)$ if $g=O\left(f\right)$; and $f=\Theta \left(g\right)$ if $f=\mathsf{{\rm O}}\left(g\right)$ and $g=O\left(f\right)$. We say $f=\tilde{O}\left(g\right)$ if $f=O\left(g·poly\left(\mathit{log}g\right)\right)$ and $f=\tilde{\mathsf{\Theta }}\left(g\right)$ if $f=\mathsf{\Theta }\left(g·poly\left(\mathit{log}g\right)\right)$.

2.2. Lattices

Based on [6], the definitions are shown as following:

Definition 1.

Let${ℝ}^m$be the m-dimensional Euclidean space. A lattice $\Lambda \subseteq {ℝ}^m$ is a set

$$\mathsf{\Lambda }=\{{\displaystyle \sum }_{i=1}^k{c}_i{\mathit{b}}_i|ci \in \mathbb{Z} \mathrm{and} {\mathit{b}}_{\mathbf{1}}, \dots , {\mathit{b}}_{\mathit{k}}\in {ℝ}^m\}$$

of all integral combinations of k linearly independent vectors ${\mathit{b}}_{\mathbf{1}},\dots ,{\mathit{b}}_{\mathit{k}}$ in ${ℝ}^m (m>k)$. The integers k and m are called the rank and dimension of the lattice, respectively. The vector set $\left\{{\mathit{b}}_{\mathbf{1}},\dots , {\mathit{b}}_{\mathit{k}}\right\}$ is called a basis of the lattice.

Definition 2.

Let$\mathit{A} \left(\mathit{A}\in {\mathbb{Z}}^{m\times n}\right)$be a basis. The integers m and n are called the dimension and rank;$\mathit{y}$and t are column vectors; and q is a prime number.

$$\mathsf{\Lambda }\left(\mathit{A}\right)=\{\mathit{y}\in {\mathbb{Z}}^m|\mathit{y}=\mathit{A}\mathit{t}\mathrm{mod}q,\mathit{t}\in {\mathbb{Z}}^n\}$$

$${\mathsf{\Lambda }}^{\perp }\left(\mathit{A}\right)=\{\mathit{y}\in {\mathbb{Z}}^m|{\mathit{A}}^{⊺}\mathit{y}=0\mathrm{mod}q\}$$

Definition 3

(TrapGen($1^{⋋}$) [7,8]). There is a probabilistic polynomial-time (PPT) algorithm that, on input of a security parameter $1^{⋋}$, an odd prime q = poly($⋋$), and two integers $n=\Theta (⋋)$ and $m\ge 6n\mathit{log}q$, outputs a matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ statistically close to uniform, and a basis ${\mathit{T}}_{\mathit{A}}$ for ${\mathit{\Lambda }}^{\perp }\left(\mathit{A}\right)$ with overwhelming probability such that $\parallel {\tilde{\mathit{T}}}_{\mathit{A}}\parallel \le \tilde{\Theta }\left(\sqrt{m}\right)$.

Definition 4

(The Shortest Vector Problem (SVP) [3]). Given a base B (a set of vectors linearly independent) of a lattice L, find the smallest possible nonzero vector of L.

Definition 5

(The Closest Vector Problem (CVP) [3]). Given a base B of a lattice L and a vector $𝔃\notin L$, find a vector $\upsilon \in L$ that is the closest to $𝔃$.

2.3. The Gaussian Sampling Algorithm: SampleD(B, s, c, t)

Based on [9], the definitions are shown as following:

Definition 6.

There is a PPT algorithm that, given a basis B of an m-dimensional lattice $\Lambda$, a parameter $\mathrm{s}\ge \parallel \tilde{B}\parallel · \omega \left(\sqrt{\mathit{log}m}\right)$, and a center $\mathit{c}\in {ℝ}^m$, outputs a sample from a distribution that is statistically close to $D_{\Lambda ,s,c}$, where $D_{\Lambda ,s,c}$ is a discrete Gaussian distribution with Gaussian parameter s and center c.

Definition 7.

The Gaussian Sampling Algorithm: SampleD(B, s, c, t) (B is a trapdoor basis of the lattice. A is also a basis of the lattice but not a trapdoor).

• Input:

  1. 

  A basis B of a lattice$\Lambda \in {ℝ}^m$;

  2. 

  A positive real parameter$\mathrm{s}\ge \parallel \tilde{\mathit{B}}\parallel ·\omega \left(\sqrt{\mathit{log}m}\right)$;

  3. 

  A center vector$c\in {ℝ}^n$;

  4. 

  A vector$\mathit{t}\in {\mathbb{Z}}_q^n$.

• Output:
  A fresh random lattice vector$x\in \Lambda$drawn from a distribution statistically close to$D_{\Lambda }$, s, c, such that $\mathit{A}\mathit{x}=\mathit{t}$ mod q.

Definition 8

([10]). SampleD is said to be one-way if, given (s, c, t), there is no polynomial-time adversary that outputs x such that $x\in D_{\Lambda }$, s, c and $\mathit{A}\mathit{x}=\mathit{t}$ mod q (where A is a basis).

2.4. The Basis Delegation Algorithm: BasisDel$\left({\mathit{T}}_{\mathit{A}},\mathit{A},\overline{\mathit{A}}\right)$

Definition 9

([11]). The Basis Delegation Algorithm: BasisDel$\left({\mathit{T}}_{\mathit{A}}, \mathit{A}, \overline{\mathit{A}}\right)$

• Input:

  1. 

  An arbitrary$\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$such that A is primitive;

  2. 

  An arbitrary basis${\mathit{T}}_{\mathit{A}}$of${\Lambda }^{\perp }\left(\mathit{A}\right)$;

  3. 

  An arbitrary$\overline{A}\in {\mathbb{Z}}_q^{n\times \overline{m}}$.

• Output:
  A basis${\mathit{T}}_{{\mathit{A}}^{\prime }}$of${\Lambda }^{\perp }\left({\mathit{A}}^{\prime }=\mathit{A}\parallel \overline{\mathit{A}}\right)\in {\mathbb{Z}}^{m+\overline{m}}$such that$\parallel {\tilde{\mathit{T}}}_{{\mathit{A}}^{\prime }}\parallel =\parallel {\tilde{\mathit{T}}}_{\mathit{A}}\parallel$.

3. Our Construction

In this section, we present a lattice-based authentication scheme. The proposed scheme consists of four phases: Setup, Registration, Group Joining, and Authentication. The notation used in the proposed scheme is defined in

Table 1. The notation.

Notations	Meaning
$\parallel \tilde{\mathit{B}}\parallel$	The Gram–Schmidt norm
$1^{\lambda }$	Security parameter
$n$	An integer
$q$	Prime $q=poly\left(n\right)$
$m$	Dimension $m\ge 6n\log q$
$m^{\prime }$	$m^{\prime }= poly\left(\lambda \right)$$ϵ \mathbb{N}$
$L$	$O\left(\sqrt{m}\right)$
$s$	Gaussian parameter $s\ge L·\omega \left(\sqrt{\log \left(m+m^{\prime }\right)}\right)$
$M$	A message set, $M=\left\{B_1,\dots ,B_Q \in {\mathbb{Z}}^{n\times m^{\prime }}\right\}$
$Q$	$Q= poly\left(\lambda \right)$
$Q^{\prime }$	$Q^{\prime }$$ϵ \left[Q\right]$
$\mathrm{A}$	Public key
$T_A$	Secret key
$B_i$	Exclusive matrix of $use{r}_i$
$H( )$	Convert a vector into a key of symmetrical encryption

.

3.1. The Proposed Scheme

3.1.1. Setup

Key generation center (KGC) performs the following operations [2]:

• Choose a security parameter $1^{\mathsf{\lambda }}$ $\left(\mathsf{\lambda }\in \mathbb{N}\right)$.
• Choose integers $n$ and q $\left(\mathrm{a}\mathrm{prime}\right)$, $q=poly\left(n\right)$.
• Choose dimension $m\ge 6n\log q$ and a bound $L=O\left(\sqrt{m}\right)$.
• Choose a Gaussian parameter $s\ge L·\mathsf{\omega }\left(\sqrt{\log \left(m+m^{\prime }\right)}\right)$, where $m^{\prime }=poly\left(\mathsf{\lambda }\right)\in \mathbb{N}$.
• Choose a set $M=\left\{{\mathit{B}}_{\mathbf{1}},\dots ,{\mathit{B}}_{\mathit{Q}} ϵ {\mathbb{Z}}^{n\times m^{\prime }}\right\},$ where $Q= poly\left(\lambda \right)$ and ${\mathit{B}}_{\mathit{i}}$ is independently chosen with uniform distribution. Note that ${\mathit{B}}_{\mathit{i}}$ is the public parameter for user $i$.
• Let $H( )$ denote the function which converts a vector into a key of symmetric encryption.
• Let $E_k$ denote the symmetric encryption.
• Publish system parameters chosen as above.

3.1.2. Registration

KGC performs the algorithm TrapGen$\left(1^{\lambda }\right)$ [7,8] to generate $\left(\mathit{A}, {\mathit{T}}_{\mathit{A}}\right)$ (where $\mathbf{A}\in {\mathbb{Z}}^{n\times m}$ and ${\mathit{T}}_{\mathit{A}}$ is a short basis of ${\mathsf{\Lambda }}^{\perp }\left(\mathit{A}\right)$).

3.1.3. Group Joining

Let group $X=\left\{{\mathit{B}}_{\mathbf{1}},\dots ,{\mathit{B}}_{{\mathit{Q}}^{\prime }}\right\}$ for some $Q^{\prime }\in \left[Q\right]$ $\left(X\subset M\right)$.

• A$use{r}_i$ sends ${\mathit{B}}_{\mathit{i}}$ via a security channel to a group manager.
• After receiving ${\mathit{B}}_{\mathit{i}}$, the manager computes $Ac{c}_x=[{\sum }_{{\mathit{B}}_{\mathit{i}}\in X}{\mathit{B}}_{\mathit{i}}]\in {\mathbb{Z}}^{n\times m^{\prime }}$, ${\mathit{F}}_{{\mathit{B}}_{\mathit{i}}}=[\mathit{A}||{\sum }_{1\le j\left(\ne i\right)\le Q^{\prime }}{\mathit{B}}_{\mathit{j}}]\in {\mathbb{Z}}^{n\times \left(m+m^{\prime }\right)}$, and ${\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}={\mathit{T}}_{{\mathit{F}}_{{\mathit{B}}_{\mathit{i}}}}=\mathrm{BasisDel}\left({\mathit{T}}_{\mathit{A}}, \mathit{A}, {\sum }_{1\le j\left(\ne i\right)\le Q^{\prime }}{\mathit{B}}_{\mathit{j}}\right)$.
• Then, the manager sends ${\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}$ via a secure channel to $use{r}_i$.

3.1.4. Authentication

• First, the manager sends $t_i\in {\mathbb{Z}}_q^n$ to $use{r}_i$.
• After receiving $t_i$, $use{r}_i$ computes ${\mathit{d}}_{{\mathit{B}}_{\mathit{i}}}=\mathrm{SampleD}\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}, s, 0, t_i\right)$, and then chooses a number $r_i$ randomly, and computes $k_i=H\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}\right)$, $a_i=E_{k_i}\left({\mathit{d}}_{{\mathit{B}}_{\mathit{i}}}, r_i\right)$.
• The $use{r}_i$ sends $a_i$ to the manager.
• After receiving $a_i$ from each user, the manager performs the following: for $i=1$ to $Q^{\prime }$, the manager computes $\left({\mathit{d}}_{{\mathit{B}}_{\mathit{i}}}, r_i\right)=D_{H\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}\right)}\left(a_i\right)$ and ${\mathit{F}}_{{\mathit{B}}_{\mathit{i}}}=\left[A\left|\right|\left(Ac{c}_x-{\mathit{B}}_{\mathit{i}}\right)\right]\in {\mathbb{Z}}^{n\times \left(m+m^{\prime }\right)}$, then checks if ${\mathit{F}}_{{\mathit{B}}_{\mathit{i}}}{\mathit{d}}_{{\mathit{B}}_{\mathit{i}}}=t_i$ mod $q$. If the check passes, the user is authenticated; otherwise, the manager aborts the session.
• Next, the manager performs as follows according to $Q^{\prime }$.

Case 1$(Q^{\prime }>1)$:

• First, the manager computes $R_i=r_1\oplus r_2\oplus \dots \oplus r_{i-1}\oplus r_{i+1}\dots \oplus r_{Q^{\prime }}$ for $i=1$ to $Q^{\prime }$, $sk=r_1\oplus r_2\oplus \dots \oplus r_{Q^{\prime }}$, $k_i=H\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}\right)$, and $b_i=E_{k_i}\left(sk , R_i\right)$.
• The manager sends $b_i$ to each $use{r}_i$.
• After receiving $b_i$, $use{r}_i$ computes $\left(s{k}^{\prime } , {R_i}^{\prime }\right)=D_{ki}\left(b_i\right)$, and then checks if $s{k}^{\prime }={R_i}^{\prime }\oplus r_i$. If it is true, the manager is authenticated. Then, $use{r}_i$ sets the session key $sk= s{k}^{\prime }$.

Case 2$\left(Q^{\prime }=1\right)$:

• First, the manager chooses a number $r^{\prime }$ randomly.
• Then, the manager computes $k_i=H\left({\omega }_{B_i}\right)$, $b=E_{k_i}\left(r^{\prime } , H\left(r_i\right)\right)$ and the manager sends $b$ to $use{r}_i$.
• After receiving $b$, $use{r}_i$ computes $\left(r^{″}, h\right)=D_{ki}\left(b\right)$. The $use{r}_i$ checks if $h= H\left(r_i\right)$. If it is true, the manager is authenticated. Then, $use{r}_i$ sets the session key $sk=r^{″}\oplus r_i$.

4. Security Analysis

• In this section, we provide the security analyses, which include the analyses on the replay attacks, the man-in-the-middle attacks, and the secure mutual authentication, where the detailed security proofs are shown in Appendix A. Replay Attacks:

In the proposed scheme, each user chooses a number $r_i$ randomly and sends $r_i$ to the manager. The random number $r_i$ is different in every authentication round. Hence, there is no chance that an attacker can succeed in replay attacks in the proposed scheme.

• Man-in-the-Middle Attacks:

In the proposed scheme, we use a secure symmetric encryption algorithm to encrypt data in every data flow of the authentication phase. If there is an attacker wanting to intercept messages $a_i$ or $b$, there is no chance that the attacker can obtain the plaintext without the symmetric key. In Steps 1–4 of the authentication phase, $d_{B_i}$ and $r_i$ are protected by the secret key $k_i$, and in Step 5 of the authentication phase, $sk$, $R_i$, $r^{\prime },$ and $H\left(r_i\right)$ are protected by the secret key $k_i,$ too.

The comparisons of features and security between the proposed scheme and [3,4] are summarized in

Table 2. Feature and security comparisons.

	Moustaine et al.’s Scheme	Park et al.’s Scheme	Our Scheme
Mutual Authentication	Yes	Yes	Yes
Group Authentication	No	No	Yes
No Replay Attack	Yes	Yes	Yes
No Man-in-the-Middle Attack	Yes	Yes	Yes

.

• Secure Mutual Authentication:

In the Group Joining phase, a group manager will share a long-term secret ${\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}$ with user $i$, which is also a trapdoor to function SampleD. In the Authentication phase, the group manager first sends $t_i$ to user $i$ as a challenge, then user $i$ returns with $a_i=E_{k_i}\left({\mathit{d}}_{{\mathit{B}}_{\mathit{i}}},r_i\right)$, where $k_i=H\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}\right)$. Note that it is necessary to compute ${\mathit{d}}_{{\mathit{B}}_{\mathit{i}}}$ using SampleD with ${\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}$. Therefore, if the check in Step 4 passes, user $i$ is authenticated. On the other hand, if the check in Case 1 (Case 2) passes, then we can assure that the group manager decrypts the ciphertext $a_i$ with $k_i=H\left({\mathit{\omega }}_{{\mathit{B}}_{\mathit{i}}}\right)$ to obtain the correct $r_i$ for user $i$. By the security of the underlying symmetric encryption scheme, we are sure that the group manager is authenticated. If the two entities are both authenticated by each other, then we know that the session key $sk$ can be securely established by the security of SampleD and the underlying symmetric encryption scheme.

5. Performance Comparisons

In this section, our proposed scheme is compared with some existing lattice-based authentication schemes [3,4].

Table 3. The cost comparison of the single-user situation between [3,4] and our scheme.

	Server (Manager/Reader or Back-End/Bank)	User (Tag)
Our Scheme	11,000.52 ms	31.75 ms
Moustaine et al.’s Scheme	15,283.17 ms	0.00259 ms
Park et al.’s Scheme	3820.79 ms	7641.59 ms

and

Table 4. The cost comparison of a $Q^{\prime }+1$ users $\left(Q^{\prime }+1\right)$ situation between [3,4] and our scheme.

	Group Manager	Group Member	Total Cost
Our Scheme	11,000.52$Q^{\prime } \mathrm{ms}$	31.75 $\mathrm{ms}$	11,032.27$Q^{\prime }\mathrm{ms}$
Moustaine et al.’s Scheme	15,283.17$Q^{\prime }\mathrm{ms}$	0.00259 $\mathrm{ms}$	15,283.17$Q^{\prime } \mathrm{ms}$
Park et al.’s Scheme	3820.79$Q^{\prime }\mathrm{ms}$	7641.59 $\mathrm{ms}$	11,462.38$Q^{\prime } \mathrm{ms}$

summarize the comparisons between the proposed scheme and those schemes in performance.

In the authentication phase of the proposed scheme, when there is only one user $\left(Q^{\prime }=1\right)$, the manager uses one symmetric encryption operation, one symmetric decryption operation, and $n\times \left(m+m^{\prime }\right)$ module multiplications. The user performs one SampleD operation, two hashing operations, one symmetric encryption operation, one symmetric decryption operation, and one exclusive-or operation. We adopt AES 256 as the symmetric encryption operation. The cost of AES 256 is 15.875 $\mathrm{ms}$ [12]. The cost of SampleD is 0.00045 $\mathrm{ms}$ [13]. We take SHA-3 256 bits as our hashing operation. According to [14], the time taken to hash a 100-byte message is 0.001295 $\mathrm{ms}$. We use the Montgomery algorithm with 256 bits as our modular multiplication. The time of a modular multiplication is 0.137 $\mathrm{ms}$ [15]. According to [16], we set $n\times \left(m+m^{\prime }\right)=192 \times 417=\mathrm{80,064}$. Hence, the computation time of $n\times \left(m+m^{\prime }\right)$ module multiplications is 0.137 $\mathrm{ms}\times \mathrm{80,064}=\mathrm{10,968.77} \mathrm{ms}$. In conclusion, the total computation cost of the manager is $15.875\times 2+\mathrm{10,968.77}\approx \mathrm{11,000.52}\mathrm{ms}$. The total cost of the user is $0.00045+0.001295\times 2+15.875\times 2\approx 31.753\mathrm{ms}$. When there is more than one user $({\mathrm{Q}}^{\prime }>1)$, the manager uses one symmetric encryption operation, one symmetric decryption operation, one hashing operation, and $n\times \left(m+m\prime \right)$ module multiplications. Each user uses one SampleD operation, one hashing operation, one symmetric encryption operation, and one symmetric decryption operation. The total computation cost of the manager is $15.875\times 2+0.001295+\mathrm{22,446.08}\approx \mathrm{22,477.83}\mathrm{ms}$. The total computation cost of each user is $\approx 31.753\mathrm{ms}$.

In the authentication phase of Moustaine et al.’s Scheme [3], the reader/back-end executes one NTRU decryption operation, two rotation operations, two exclusive-or operations, one hashing operation, one subtraction, and $2N^2$ multiplications. The tag performs four addition operations, three rotation operations, one hashing operation, and two exclusive-or operations. According to [17], $HMAC\left(K,m\right)= H(\left(K^{\prime }\oplus opad\right) || H(\left(k^{\prime }\oplus ipad\right) \left|\right| m))\approx 2\times$ SHA-3 hashing operations. Thus, the running time of $\mathrm{HMAC}$ is $0.001295\times 2=0.00259\mathrm{ms}$. According to [3], the cost of an NTRU decryption is $2N^2$ modular multiplications $\left(N=167\right)$. Hence, the cost of an NTRU decryption is $2\times 167\times 167\times 0.137\approx 7641.586\mathrm{ms}$. In summary, the cost of the reader/back-end is $7641.586\times 2+0.00259\approx \mathrm{15,283.1746}\mathrm{ms}$. The cost of the tag is $0.00259\mathrm{ms}$.

In the authentication phase of Park et al.’s Scheme [4], the user performs $2N^2$ multiplication operations, one hashing operation, two rotation operations, one exclusive-or operation, and two addition operations. The bank executes $N^2$ multiplication operations, one exclusive-or operation, one rotation operation, and one hashing operation. In conclusion, the cost of the bank is $167\times 167\times 0.137+0.001295\approx 3820.79\mathrm{ms}$. The cost of the user is $2\times 167\times 167\times 0.137+0.001295\approx 7641.59\mathrm{ms}$.

Note that for a single-user situation, the computation cost of the server side is 28% faster than [3], and the computation cost of the user side is 99% faster than [4]. As for the computation cost of the group authentication scenario, we can see that the total cost of the server side and the user side is less than those of [3,4].

6. Conclusions

Most authentication schemes are built on traditional cryptographic primitives. It is widely believed that traditional cryptographic primitives are not resistant to quantum attacks. In 1994, Shor proposed a quantum algorithm that can solve discrete logarithm problems and factorization problems. To deal with those quantum attacks, Ajtai presented lattice-based cryptography in 1996. To the best of our knowledge, there is no lattice-based group mutual authentication scheme which is based on symmetric encryption. There are two lattice-based authentication schemes which use the NTRU asymmetric encryption algorithm in the literature. Usually, the cost of an asymmetric encryption is higher than that of a symmetric encryption. In this manuscript, we have proposed a lattice-based authentication scheme based on symmetric encryption. Additionally, not only does the proposed scheme provide group authentication, but also it resists replay attacks and man-in-the-middle attacks. In the proposed scheme, after making sure of the total number of users in a group, the manager can choose any of them to create an authentication procedure for any subgroups. Besides this, we give a cost comparison between our scheme and the other two NTRU-based mutual authentication schemes in terms of authentication and establishing a session key. Our scheme provides the lowest cost in generating a session key among a group of users after mutual authentication.