586
3, MARCH 2018
A Novel NTRU-Based Handover Authentication Scheme for Wireless Networks
Rui Chen and Dezhong Peng
Abstract— A well-designed anonymous handover
authentication (AHA) protocol is essential to enable mobile
nodes to roam securely and seamlessly across multiple access
points. In recent years, several protocols based on bilinear
pairing and elliptic curve cryptosystem have been presented.
However, their security are based on the discrete logarithm on
elliptic curve, which has been proven unsafe by the emergence
of quantum computers. To address the issue, we propose a
new lightweight AHA scheme based on the number theory
research unit public key cryptosystem for wireless networks.
Security analysis and simulation experiment results show that
in addition to achieving mutual authentication and greater
security to resist known attacks, the proposed protocol has
lower implementation complexity in comparison with up-to-date
handover authentication schemes.
Index Terms— Wireless networks, handover authentication,
number theory research unit, privacy preservation.
I. I NTRODUCTION
I N THE complex network environment, the communication
parties are faced with various security risks [1]. An effi-
ciently designed AHA protocol allows mobile nodes(MNs) to
roam across multiple access points(APs) while ensuring the
security of both communication parties. After registration to
the authentication server (AS), the MN can access the network
service from associated AP. When a MN leaving the cur-
rent AP, handover authentication will be performed for identity
authentication and a shared session key will be established
to protect the information transmitted between the MN and
the AP. Handover authentication in wireless environments has
attracted significant research attention in the last several years.
However, the broadcast nature of wireless networks and the
limited resources of mobile devices make designing a secure
and efficient roaming AHA protocol challenging.
Recently, many interesting protocols have been proposed
employing different methods ([2]–[7]). In 2012, He et al. [2]
presented a novel protocol, named PairHand, which makes
use of bilinear pairings and identity-based signature to achieve
mutual authentication and key establishment. Unfortunately,
He et al. [3] found their protocol is vulnerable to the private
key compromised attack.
Manuscript received October 11, 2017; revised November 26, 2017;
accepted December 14, 2017. Date of publication December 22, 2017; date
of current version March 8, 2018. This work was supported in part by the
National Natural Science Foundation of China under grants U1435213 and
61172180, and Chengdu International Cooperation Project under grants
2016-GH02-00048-HZ and 2015-GH02-00041-HZ. The associate editor coor-
dinating the review of this letter and approving it for publication was
A. Mourad. (Corresponding author: Dezhong Peng.)
R. Chen is with the College of Computer Science, Sichuan University,
Chengdu 610065, China, and also with the College of Computer Science,
Sichuan Normal University, Chengdu 610066, China (e-mail: crs1934@
hotmail.com).
D. Peng is with the College of Computer Science, Sichuan University
Chengdu 610065, China, and also with Chengdu Ruibei Yingte Informa-
tion Technology Ltd. Company, Chengdu 610094, China (e-mail: pengdz@
scu.edu.cn).
Digital Object Identifier 10.1109/LCOMM.2017.2786228
1558-2558 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
IEEE COMMUNICATIONS LETTERS, VOL. 22, NO.
Subsequently, Li et al. [4] presented a privacy-aware
AHA scheme without bilinear pairing operation. However,
Chaudhry et al. [5] and Xie et al. [6] indicated that the
scheme of Li et al. [4] cannot provide mutual authenti-
cation and is prone to potential fraud attacks. Then they
proposed their improved scheme respectively. Most recently,
He et al. [7] summarized the basic security requirements of
handover authentication protocols and proposed a novel batch
verification AHA protocol.
However, these protocols ([2]–[7]) are based on bilinear
pairing or elliptic curve cryptosystem(ECC), as such, their
implementation calls for complex and time-consuming opera-
tion, such as bilinear pairing operations and point multiplica-
tion. Hence, these protocols are unsuitable for use in mobile
environment with limited resources. Furthermore, according to
the polynomial-time algorithm of Shor [8], [9], these protocols
are prone to quantum attacks because their security systems
is relied on the discrete logarithm problem on an elliptic
curve. Therefore, it is essential to design an anti-quantum
and efficient handover authentication protocol to strengthen
information security.
The lattice-based public key cryptography scheme is power-
ful against quantum adversaries. NTRU is a lightweight public
key cryptography algorithm based on lattice theory, which
was first presented by Hoffstein et al. [10]. Compared with
other public key encryption systems, NTRU has many distinct
advantages, such as less memory and computing requirements
and higher encryption/decryption and signature/verification
speed while providing a high level of security, which is more
applicable to the resource-limited wireless communication
environment. In this letter, we design a lightweight AHA
protocol based on the NTRU public key algorithm. The
proposed scheme can meet many security requirements, such
as user anonymity and untraceability, mutual authentication,
and fair session key generations, which makes it very suitable
for wireless environment.
In addition to the authentication methods mentioned above,
there is another way to authenticate users by using social
approaches, such as trust and reputation models ([11], [12]).
The schemes based on trust and reputation models have a
large number of applications in the field of open distributed
system and Internet of Things (IoT), and have achieved fruitful
research results.
The above two kinds of approaches have different areas of
the application, and each has its own merits and defects.
The remarkable merit of trust and reputation models is that
it can predict the future behavior of nodes based on interaction
history and resist collusion group’s fraud behavior. However,
such approach generally needs to acquire and process a huge
amount of data, such as evaluation data and interactive data.
The data handling have great capacity and the data relation
complicacy is to makes this models suitable for the scenario
CHEN AND PENG: NOVEL NTRU-BASED HANDOVER AUTHENTICATION SCHEME FOR WIRELESS NETWORKS
where deploys a large number of nodes with a huge amount
of interactive historical data, such as the field of e-commerce
and Vehicular Ad Hoc Network(VANET).
The network model of our protocol includes only a single
MN and AP. Instead of selecting only trusted APs and commu-
nicating with them, the MN roams randomly throughout the
network and enters into the different APs, and then performs
handover authentication with them. The advantage of our
method is of low computation cost, high efficiency and easy
implementation. The disadvantage is that it cannot predict the
misbehaving nodes and prevent the collusion attacks due to
the lack of trust and reputation evaluation mechanism. The
correctness of authentication protocol can only rely on the
certification results of both parties. Therefore, our method is
suitable for the scenario of single authentication model with
a few participants, such as mobile wireless networks.
II. P RELIMINARIES
We first give a brief review of NTRU cryptosystem. More
details can be found in previous studies [10].
The NTRU cryptosystem works over the ring Rq =
Z q [X]/(X N − 1) and has a security system based on hard
problems associated with lattice, such as closest vector prob-
lem (CVP) and shortest vector problem (SVP). The NTRU
cryptosystem depends on three integer parameters (N, p, q),
where N is a prime, p and q are coprime integers, it uses
four sets of polynomials (L f , L g , L r , L m ) of degree N − 1
at most and which consist of many polynomials with small
integer coefficients, such as binary {0, 1} or triples {−1, 0, 1}.
The NTRU algorithm works as follows:
System Parameters
(1) N is a positive prime.
(2) p and q are coprime, namely, gcd( p, q) = 1.
(3) q is considerably greater than p, normally p = 2 or 3.
Key Generation
(1) Two polynomials f ∈ L f and g ∈ L g , are selected such
that there exist Fp ∈ Rq and Fq ∈ Rq , which satisfy
Fq ∗ f ≡ 1(mod q), Fp ∗ f ≡ 1(mod p)
(2) The public key is calculated as follows
h ≡ Fq ∗ g (mod q).
Where h is the public key, and the corresponding private
key is ( f, Fp ).
Encryption
(1) The polynomials m ∈ L m are obtained for the plain
message M by making use of the public hash function
(2) A polynomial r ∈ L r , is chosen, and then the ciphertext
e is calculated as
e ≡ pr ∗ h + m(mod q)
Decryption
(1) We first compute a polynomial a
a ≡ f ∗ e(mod q) ≡ pr ∗ g + f ∗ m(mod q)
The coefficients of a must be between −q/2 and q/2
(2) The plain information m is calculated by
m ≡ Fp ∗ a(mod p)
III. P ROPOSED H ANDOVER AUTHENTICATION P ROTOCOL
The new AHA protocol comprises two phases: system
setup phase and handover authentication phase. Specifically,
the detailed description of those phases is as follows:
587
A. System Setup Phase
Let (N, p, q) be the three security integer parameters and
{L f , L g , L r , L m } be the four sets of polynomials, which
all satisfy the requirements of the NTRU algorithm. In the
system setup phase, the AS is responsible for initializing the
identity-authenticated public and private system parameters as
follows:
(1) A polynomials g AS ∈ L g and a secure hash function H1
are selected, where H1 : {0, 1}∗ → Z q∗ ;
(2) AS publishes system parameters as
{N, p, q, L f , L g , L r , L m , H1 } and keeps g AS secret.
Subsequently, AS computes the private and public keys for
the identity authentication of all MNs and APs.
• For each mobile node M Ni with identity I Di , AS chooses
a set of unrelated PIDs for M Ni . For each P I Dk ∈ P I D,
the AS chooses f k,AS ∈ L f and computes the public key
−1 −1
h k,AS = fk,AS,q ∗ g AS (mod q), where f k,AS,q is the inverse of
f k,AS in ring Rq . The public and private key tuples for P I Dk
−1
is {h k,AS , ( f k,AS , fk,AS,q )}. Then AS sends all the public and
private key tuples along with the PIDs to M Ni through a
secure channel.
• For each access point instance A P j , AS chooses f j,AS ∈
−1
L f and computes the public key h j,AS = f j,AS,q ∗g AS (mod q)
−1
for A P j , where f j,AS,q is the inverse of f j,AS in
ring Rq . Then AS sends public and private key tuples
−1
{h j,AS , ( f j,AS , f j,AS,q )} to A P j via a secure chann el.
B. Handover Authentication Phase
Each AP must periodically broadcasts a beacon message
includes its identity I D A P , the public key h A P,AS and other
relevant network information. The handover authentication
phase is performed when a MN(M Na ), enters in the coverage
of a new AP( A Pb ), the M Na first extracts I Db and h b,AS from
the beacon message and performs the handover authentication
phase. The handover authentication process is depicted in the
Fig. 1. The details are described as follows:
1) M Na ⇒ A Pb : {Ma , Auth 1 }: The M Na randomly
selects a polynomials ra ∈ L r and computes the encrypting
message ea = ph b,AS ∗ ra + h a,AS (mod q). Then the M Na
−1
generates the identity authentication code I ACa = f a,AS,q ∗
h b,AS using his/her pre-allocated private key and the public key
of A Pb . Subsequently, M Na randomly chooses an unused PID
pi da and generates the message Ma = ( pi da  I Db  ea  ta )
where ta is the current timestamp. Next M Na computes the
shared session key S K a−b = H1 ( pi da  I Db  I ACa ) and the
authentication message Auth 1 = H1(Ma  S K a−b ) Finally,
M Na sends {Ma , Auth 1 } to A Pb .
2) A Pb ⇒ M Na : {Auth 2 }: Upon receipt of the request
message {Ma , Auth 1 }, A Pb first verifies the timestamp ta and
aborts the message if ta is not fresh. Otherwise, A Pb computes
the M Na ’s pre-allocated public key h a,AS by decrypting ea ,
and uses it to compute its identity authentication code I ACb =
−1
f b,AS,q ∗h a,AS . Then the A Pb calculates the shared session key
S K b−a = H1( pi da  I Db  I ACb ) and compares H1 (Ma 
S K b−a ) with received Auth 1 . If they match, then A Pb verifies
if M Na is a legal registered user of AS. If the result is
negative, then this message is rejected. Later, A Pb computes
588
Fig. 1. The handover authentication process.
Mb = ( pi da  I Db  I ACb ) and Auth 2 = H1 (Mb  S K b−a )
and sends Auth 2 to M Na .
3) M Na Verification: After receiving the message from
A Pb , M Na first checks the identities pi da , I Db to prevent
replay attacks, then computes H1( pi da  I Db  I ACb 
S K b−a ) and compares it with Auth 2 . If verification is success-
ful, M Na believes that A Pb is a legal service provider, Other-
wise, M Na terminates the session. The mutual authentication
is then finished, and an encrypted communication channel is
established between M Na and A Pb using the shared session
key S K a−b or S K b−a .
IV. S ECURITY AND P ERFORMANCE A NALYSES
A. Security Analysis
1) Mutual Authentication and Key Agreement: The two
communicating parties share the same certified key:
−1
I ACa = f a,AS,q ∗ h b,AS (modq)
−1
= f b,AS,q ∗ h a,AS (modq) = I ACb
During the first step of the handover phase, M Na generates
the shared session key S K a−b = H1( pi da  I Db  I ACa )
and authentication information Auth 1 = H1(Ma  I ACa ).
Next, A Pb can computes the shared session key S K b−a =
H1( pi da  I Db  I ACb ) and authenticate M Na by checking
whether the received Auth 1 is equal to H1(Ma  S K b−a ).
−1
Only legitimate A Pb has the private key f b,AS,q to generate
the correct certified key I ACb and Auth 2 , allowing M Na to
authenticate A Pb through I ACa and Auth 2 . Moreover, both
M Na and A Pb can generate the same secret sharing key:
S K a−b = H1( pi da  I Db  I ACa )
= H1( pi da  I Db  I ACb ) = S K b−a
−1 −1
Without knowing the secret key fa,AS,q or fb,AS,q , no one can
generate a legitimate session key. Hence, the new protocol can
provide mutual authentication and session key establishment.
2) User Anonymity: The M Na uses a family of unlinkable
PIDs to communicate with A Pb , and each PID is only use
once during the handover authentication stage. Furthermore,
the login message {Ma , Auth 1 } of M Na will change each
IEEE COMMUNICATIONS LETTERS, VOL. 22, NO. 3, MARCH 2018
TABLE I
T IME C OST OF C RYPTOGRAPHY O PERATIONS R ELATED TO ECC (ms)
TABLE II
T IME C OST OF C RYPTOGRAPHY O PERATIONS R ELATED TO NTRU (ms)
time because the polynomial ra is randomly selected by M Na
during each session run. An adversary who intercepts the login
message can obtain the PID from Ma , but he/she cannot obtain
MN’s real identity from PID. Moreover, the adversary cannot
trace the MN’s movement route by using the acquired PID.
Therefore, the proposed scheme can provide user anonymity.
3) Resistance to Replay Attacks: In our scheme, the A Pb
can quickly detect the replay attack and terminate the session
by verifying the freshness of timestamp ta , which is included
in the login request message. Similarly, the M Na can also
rapidly detect the replay attack because the authentication code
Auth 2 contains the one-time PID of M Na and the identity
of A Pb . Thus, the new protocol is able to resist the replay
attacks.
4) Resistance to Impersonation Attacks: The public and pri-
vate keys are randomly generated by AS and delivered through
a secure channel. Hence, an adversary cannot forge I ACa =
−1 −1
f a,AS,q ∗ h b,AS (mod q) or I ACb = f b,AS,q ∗ h a,AS (mod q)
−1 −1
without the private key f a,AS,q and f b,AS,q . Thus, he/she can-
not forge legitimate shared session key S K a−b = H1( pi da 
I Db  I ACa ). Without knowing the shared session key
S K a−b , the adversary cannot forge a valid message to launch
impersonation attacks.
B. Comparison of Computation Costs
To show the performance comparisons, we first introduce
some notations as follows:
• TB P : The time for a bilinear pairing operation.
• T P M : The time for a point multiplication based on pairing.
CHEN AND PENG: NOVEL NTRU-BASED HANDOVER AUTHENTICATION SCHEME FOR WIRELESS NETWORKS
TABLE III
T HE C OMPARISONS OF C OMPUTATION C OST (ms)
• T P A : The time for a point addition based on pairing.
• TM T P : The time for a map-to-point hash operation.
• TE P M : The time for an ECC point multiplication.
• TE P A : The time for an ECC point addition
• TE N : The time for an NTRU encryption operation.
• TD EC : The time for an NTRU decryption operation.
• TMU L :The time for a polynomial multiplication operation.
Table I shows the execution time of the bilinear pair-
ing (PBC) and elliptic curve operations(MIRACL) while
Table II summarizes the execution time of NTRU opera-
tions(libntru librarie). We assume that the AP runs on an Intel
Core i5 2.4 GHz processor and the MN runs on an 0.8 GHz
processor, and the operating system is Ubuntu 16.04 with 3 GB
of RAM.
Table III lists the comparison result of the proposed protocol
and the related works ([2], [6], [7]). From Table III, it can be
seen that the computation cost of PairHand is large than 8ms
while the running time of iPAHA even large than 20ms. On the
contrary, the proposed protocol only takes 0.396ms, which
reduces 95.5%, 99.9% and 90% respectively when compared
with the protocols of PairHand, iPAHA and He et al.’s [7].
C. Comparison of Communication Cost
In the simulation, we assume that the security level of ECC
is 80 bits. Thus, the size of p is 64 bytes, and the element in
G 1 (bilinear pairing) is 128 bytes; the size of q is 20 bytes,
so the element in G (ECC) is 40 bytes. We have also assumed
that the security level of NTRU is 80 bits. So the length of
ciphertext and public key are about 430 bytes. We suppose
that the length of the output of all hash functions and all
identities are 20 bytes, and the length of the timestamp is
4 bytes. The transmitted messages between M N and A P in
our protocol are {Ma , Auth 1 } and {Auth 2 }; thus, the total size
is 514 bytes. We can similarly compute the communication
cost of the scheme of PairHand, iPAHA and He et al. as
232 bytes, 268 bytes, and 684 bytes, respectively.
These figures show that the communication cost of the
proposed protocol is higher than PairHand and iPAHA, but less
than He et al. [7]. The reason of high communication cost is
the length of ciphertext is too long for using the NTRU public
cryptosystem. Such anti-quantum AHA protocol has not been
appeared yet, it is worth increasing the communication cost.
Furthermore, due to the lower computation cost, the proposed
protocol can make use of the extra time to send or receive
information, or verify the received data.
589
V. C ONCLUSION
In this letter, we first analyzed the security of some existing
protocols and found that them are based on bilinear pair-
ing or elliptic curve cryptosystem. Those AHA schemes have
low computational efficiency and are vulnerable to quantum
attack when the quantum computer appears. Then we present
a new AHA protocol based on NTRU public cryptosystem
for wireless networks. Compared with the previous protocols,
the proposed protocol is not only satisfy the whole security
requirements and withstands well-known security threats, but
also the experimental results show that it has higher operating
speed and computational efficiency. In addition, the proposed
protocol can efficiently withstand quantum computer attack
which will be realized in the near future.
R EFERENCES
[1] J. P. Walters, Z. Liang, W. Shi, and C. Vipin, “Wireless sensor network
security: A survey,” in Security in Distributed, Grid, Mobile, and
Pervasive Computing, vol. 1, Y. Xiao, Ed. Boca Raton, FL, USA: CRC
Press, 2007, pp. 367–404.
[2] D. He, C. Chen, S. Chan, and J. Bu, “Secure and efficient handover
authentication based on bilinear pairing functions,” IEEE Trans. Wireless
Commun., vol. 11, no. 1, pp. 48–53, Jan. 2012.
[3] D. He, C. Chen, S. Chan, and J. Bu, “Analysis and improvement of
a secure and efficient handover authentication for wireless networks,”
IEEE Commun. Lett., vol. 16, no. 8, pp. 1270–1273, Aug. 2012.
[4] G. Li, Q. Jiang, F. Wei, and C. Ma, “A new privacy-aware handover
authentication scheme for wireless networks,” Wireless Pers. Commun.,
vol. 80, no. 2, pp. 581–589, 2015.
[5] S. A. Chaudhry, M. S. Farash, H. Naqvi, S. H. Islam, and T. Shon,
“A robust and efficient privacy aware handover authentication scheme for
wireless networks,” Wireless Pers. Commun., vol. 93, no. 2, pp. 311–335,
2015.
[6] Y. Xie, L. Wu, N. Kumar, and J. Shen, “Analysis and improvement of
a privacy-aware handover authentication scheme for wireless network,”
Wireless Pers. Commun., vol. 93, no. 2, pp. 523–541, 2017.
[7] D. He, D. Wang, Q. Xie, and K. Chen, “Anonymous handover authen-
tication protocol for mobile wireless networks with conditional privacy
preservation,” Sci. China Inf. Sci., vol. 60, no. 5, p. 052104, 2017.
[8] P. W. Shor, “Algorithms for quantum computation: Discrete logarithms
and factoring,” in Proc. IEEE Symp. Found. Comput. Sci., Nov. 1994,
pp. 124–134.
[9] P. W. Shor, “Polynomial-time algorithms for prime factorization and
discrete logarithms on a quantum computer,” SIAM J. Comput., vol. 26,
no. 5, pp. 1484–1509, 1999.
[10] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A ring-based public
key cryptosystem,” in Proc. Int. Symp. Algorithmic Number Theory,
1998, pp. 267–288.
[11] O. A. Wahab, J. Bentahar, H. Otrok, and A. Mourad, “A survey
on trust and reputation models for Web services: Single, compos-
ite, and communities,” Decision Support Syst., vol. 74, pp. 121–134,
Jun. 2015.
[12] O. A. Wahab, H. Otrok, and A. Mourad, “A cooperative watchdog model
based on Dempster–Shafer for detecting misbehaving vehicles,” Comput.
Commun., vol. 41, no. 4, pp. 43–54, Mar. 2014.