INAKA: Improved Authenticated Key Agreement Protocol Based on Newhope

The Newhope scheme is one of the milestones in the study of key agreement protocols, but it lacks the ability to resist active attacks. In this article, we propose a mutual authenticated key agreement scheme named INAKA, based on commitment values and a lattice hard problem. This scheme improves the key encapsulation mechanism in the Newhope scheme to generate commitment values for both communication parties, and thus achieves mutual authentication, key agreement and identity privacy protection at the same time. Firstly, the INAKA protocol is combinable, i.e., common traditional and lattice-based cryptographic algorithms (encryption, decryption, hash operation) can both act as protocol components. What's more, analysis shows that the INAKA protocol can resist the man-in-the-middle attack, replay attack, and other attacks. This scheme satisfies provable security under the eCK and indistinguishable game models. Its anti-attack capability and security are significantly enhanced compared with the Newhope scheme. Besides, the INAKA protocol adds the identity authentication feature while staying at the same level of computational complexity. None of the existing schemes (such as Ding's and BCNS) are able to satisfy the above feature. Lastly, the test results in this article show that the INAKA protocol only needs 8.131 milliseconds to complete mutual authentication and key agreement. The outcome of our work could provide lower operation overhead, handy code implementation, and better efficiency to meet practical industrial requirements.


I. INTRODUCTION
A key agreement (KA) protocol is designed to enable two or more participants to negotiate a common session key over an insecure channel, which allows the participants to build a secure communication channel through cryptographic techniques. The shared session key can be used to encrypt and authenticate information, and plays an important role in ensuring the security of transmitted data. The key encapsulation mechanism (KEM) enables the sender and the receiver to share session keys securely. In a KEM, the initiator first encapsulates the session key: the sender runs an encapsulation algorithm to generate the session key and the ciphertext, then delivers the encapsulated session key to the receiver; finally, the receiver runs the corresponding decapsulation algorithm to get the same session key as the sender. Asymmetric encryption methods can be used in most KEMs. During encapsulation and decapsulation, it is necessary to ensure the confidentiality and security of messages, and to ensure that the session keys obtained by both participants are consistent. However, a key agreement protocol implemented through a KEM alone is only passively secure and cannot resist a man-in-the-middle attack.
The associate editor coordinating the review of this manuscript and approving it for publication was Weizhi Meng.
An authenticated key agreement (AKA) protocol not only negotiates the session key between participants, but also lets the two users authenticate each other. Besides, AKA is able to resist active attacks on wireless or wired channels. In an AKA protocol, each communication participant separately generates a public/private key pair to carry out identity authentication and key agreement through a KEM.
In recent years, quantum computing technologies have developed rapidly, and the traditional public key cryptosystems are being threatened. Post-quantum cryptography has become a research field of great concern because of its resistance to quantum computing attacks [1], [2]. In particular, post-quantum cryptography research has been further promoted by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), which have announced their plans for post-quantum cryptography. However, so far there are still few effective lattice-based AKA protocols with provable security. In order to solve the issue that the Newhope protocol cannot resist active attacks, a mutual authenticated key agreement scheme named INAKA is designed, which can be used in the network environment to achieve privacy preservation and mutual authenticated key agreement between communication participants.
Our contribution is a mutual identity authentication and key agreement protocol. After two rounds of message transmission, the two participants have performed key agreement with identity authentication. Encryption and decryption modules and a signature for identity authentication are used in the first round. In the second round, the SM3 hash operation is employed for authentication. Moreover, the Mask Factor (MF) is proposed and introduced into this protocol to enhance the protection of transmitted data.
The structure of this article is as follows. The first section introduces the background and development status of authenticated key agreement protocols. The second and third sections introduce the basic knowledge of lattice-based cryptography and KEMs. The fourth section shows the specific algorithm and process of the INAKA protocol. The fifth section gives the security proof for this scheme. The sixth section introduces the software implementation of the protocol and carries out the performance analysis. The last section is the summary and prospect of our work.

II. RELATED WORK
In 2014, Peikert [3] proposed a KEM based on ideal lattices, which combined encryption schemes with a reconciliation mechanism by means of the RLWE problem; as a result, a KEM with chosen plaintext attack (CPA) security was constructed. Bos et al. [4] introduced an RLWE-based key exchange protocol (BCNS). In 2017, Ding et al. [5] constructed two lattice-based authenticated key exchange (PAKE) protocols by using a simple and elegant design idea, which could be regarded as a parallel extension of random oracle model (ROM)-based protocols. Alkim et al. [6] proposed a generalizable scheme for the BCNS protocol, called Newhope. The main differences between the above protocols and Newhope were the generalized coordination mechanism and the different error distribution methods. In 2018, Gjøsteen and Jager [7] proposed an AKA protocol based on digital signatures which could guarantee forward security in the client-server model, and which was simple and easy to implement. In the same year, Bindel et al. [8] described some AKA protocols, such as FSXY, Peikert and ZZDSD; some other schemes were then described and compared with each other.
Regarding the latest achievements in software and hardware implementation of KA, D. Abbasinezhad-Mood's research group has done a lot of work. They [9] proposed an anonymous elliptic curve cryptography-based self-certified key distribution scheme that was free from the overhead of certificate management and from the key escrow issue, with comparatively lower communication and computational costs. The authors implemented the cryptographic elements on two state-of-the-art ARM chips, which was beneficial for research in this field. In 2019, Abbasinezhad-Mood et al. [10] discussed the security weaknesses of the present key establishment schemes, and indicated that many solutions suffered from the known session-specific temporary information attack, private key leakage, and the key escrow problem. They then proposed a key establishment scheme free from these security challenges and from the key escrow problem, whose computational and communication costs were also acceptable. The performance analysis was presented on an NXP LPC1788 ARM chip. In 2019, his team [11] researched how to securely read consumption data while putting the least possible overhead on smart meters. The authors proposed a key establishment protocol that was free from the involvement of the electricity service provider during the key agreement and benefitted from a notable reduction in communication cost. Efficiency and security analyses were carried out for the proposed security protocol, with better results. Abbasinezhad-Mood et al. [12] also investigated some typical key management protocols, elaborated the existing errata and security threats, and proposed a modified version free from the challenges of these solutions: an anonymous ECC-based self-certified two-factor key management scheme, which could provide the desired security features and was supported by formal security verification and proof.

III. COMPUTATIONAL PROBLEM ON LATTICES
Let $R$ be a ring, and let $R^n$ denote the set of units in $R$, with vector $v = (\nu_1, \ldots, \nu_n) \in R^n$. The Euclidean length of the vector $v$ is $\|v\| = \sqrt{\sum_{i=1}^{n} \nu_i^2}$. A lattice is regarded as a discrete subgroup of a finite-dimensional Euclidean vector space. Let $L \subset R^n$ be a lattice; the minimum distance $\lambda_1$ of the lattice is defined as the Euclidean length of the shortest non-zero vector of the lattice, which can be expressed by the formula $\lambda_1(L) = \min_{x \in L \setminus \{0\}} \|x\|$, as introduced in [13] and [14].
The shortest vector problem (SVP) and the closest vector problem (CVP) are two fundamental computational problems on lattices. These problems have been used in a great number of cryptographic applications.
When solving the CVP, given a lattice basis $B$ and a target vector $t$, the shortest non-zero vector $v \in L(B)$ can be searched from $B$, that is, $\|v\| \le \lambda_1(L(B))$; $\|v - t\|$ is called the shortest distance. In $\mathrm{CVP}_\gamma$ with approximation factor $\gamma$, for the case of $\gamma \ge 1$, it is needed to find a lattice vector $v \in L(B)$

A. LWE PROBLEMS ON LATTICES
The learning with errors (LWE) problem was put forward by Regev [15], who showed a conclusion on quantum computing: solving a random LWE instance is as hard as solving a hard lattice problem in the worst case. The LWE problem can be regarded as a generalization of learning and noise parity (LNP), and it is associated with solving hard problems. In general, given a sequence of approximate random linear equations in $s$, solving the LWE problem means recovering the secret vector $s \in \mathbb{Z}_q^n$. The non-quantum reduction for variant $q$ was demonstrated from the shortest vector problem to the variant of the LWE problem [6]. LWE problems were often employed to construct primitives such as indistinguishability chosen plaintext attack (IND-CPA) or indistinguishability chosen ciphertext attack (IND-CCA) secure public key encryption (PKE), identity based encryption (IBE) and full homomorphic encryption (FHE) schemes. These LWE problems were defined as search LWE problem (sLWE) [6]. The sLWE problem required to distinguish between LWE samples and uniform random samples.

B. LEARNING WITH ERRORS IN A RING (RLWE)
In order to solve the problem of low efficiency in cryptosystems based on the LWE problem, in 2010 Lyubashevsky et al. [17] proposed a variant of the LWE problem, namely learning with errors in a ring (RLWE). Two common definitions of RLWE problems in cryptography are given below.
, $a$ is uniformly randomly selected. $e \in R$ is an error vector obeying a normal distribution $\psi_\alpha$. If $b \in R$ and $b = a \cdot s + e$ are known, the problem of solving $s$ by $a \cdot b$ is the search RLWE problem.
$s$ is uniformly randomly selected. $e \in R$ is an error vector obeying a normal distribution $\psi_\alpha$. When calculating $b = a \cdot s + e$, $b \in R$, $A_{s,\psi}$ is the distribution of $(a, b)$; the problem of distinguishing $A_{s,\psi}$ from the uniform distribution on $R \times R$ is the decision RLWE problem. If the decision RLWE problem is difficult, $A_{s,\psi}$ is pseudo-random.

IV. KEM ANALYSIS
A. KEM ANALYSIS IN BCNS PROTOCOL
The BCNS protocol was introduced by Bos et al. [4]. This protocol was based on R-LWE and could replace the traditional security protocol in the transport layer. The BCNS protocol was essentially an instantiation of the KEM introduced by Peikert [3]. The BCNS-based KEM depended on the parameters $n$, $q$ and $\sigma$, where $q$ was an odd prime number, $n$ was a specific ratio, and $\sigma$ defined the domain $D_\sigma$. The discrete Gaussian distribution used by Peikert was the same as in the scheme proposed by Bos et al. [4]. As described in [3], the BCNS-based KEM was also the core module in Peikert's protocol.

B. KEM ANALYSIS IN NEWHOPE PROTOCOL
Alkim et al. [6] proposed a generalization of the BCNS protocol, called Newhope. The main differences between BCNS and Newhope were the generalized coordination mechanism and the error distributions. In Newhope, the modulus $q$ could be very small. Instead of a bounded Gaussian distribution, a centered binomial distribution $\psi_k$ was used in Newhope, without reducing its security. In addition, following [18] and [19], to prevent backdoor attacks and one-to-one cost attacks, pseudo-random public polynomials were generated to run the KEM in Newhope. A 256-bit seed and a hash function, such as SHAKE-128, were recommended to generate the pseudo-random polynomials.

V. INAKA PROTOCOL DESIGN
The INAKA protocol designed in this article is based on Newhope's KEM with IND-CCA security. We describe it in the following steps.
1) Build a PKE protocol with IND-CPA security on the basis of Newhope's KEM with IND-CPA security.
3) Build a Newhope-based KEM with IND-CCA security by using the PKE with IND-CCA security.
The polynomial $a$ is assumed to be well known by everyone; furthermore, two hash functions are defined: $H(\cdot): \{0, 1\}^* \to \{0, 1\}^{256}$. Variables, parameters, and symbols in this scheme are defined as shown in Table 1, following the style in [9].
The flow of the INAKA protocol is shown in Fig. 1.

A. STEP1: KEY GENERATION
Both Alice and Bob randomly sample 32 integers in the range 0∼255 as the seeds for the random number generator.
Then a hash function is applied to the seeds generated by random sampling. The hash function we use is SM3, which is a commercial hash function recommended by the China State Cryptography Administration (CSCA). In the hash function $H(l, d)$, $l$ is the number of bits of the input data and $d$ is the number of bits of the output data. During the process of key generation, the seed is processed by SM3 to get an array $z$, whose values are in the range 0∼255. The public/private key pairs for Alice and Bob are $(pk_A, sk_A)$ and $(pk_B, sk_B)$, which are generated by the functions GenA() and GenB().
A hash operation is executed on Alice's identity $ID_A$ to get Alice's identity mask value (MV) $M_A$. $a$ is a polynomial derived from the seed, which is used to calculate Among them, two confusion factors (CF) $\nu_A$ and $r_A$ are calculated: The confusion factors can resist active attacks in later processes. $b_A$, $M_A$ and seed are the input data of the hash function. The digital signature value $Sig_{sk_A}$ is obtained by signing $b_A$, seed, $M_A$ and $r_A$ with Alice's secret key; after that, Alice's authentication value $Ver_A$ is computed by encrypting $Sig_{sk_A}$ with Bob's public key as described: Alice sends her authentication value $Ver_A$ to Bob.

C. STEP3: BOB VERIFIES ALICE'S IDENTITY
Bob decrypts $Ver_A$ by using his secret key, and obtains $b_A$, seed, $M_A$, $r_A$ and the hash value $H()$. Bob recalculates $H(b_A, M_A, seed)$ and compares it with the decrypted hash value $H()$ from Alice. If these two hash values are the same, Alice's identity is verified by Bob successfully and the following steps of authentication and key agreement are performed; otherwise, the authentication fails and the session is terminated.
Then, Alice runs the hash transformation on $M_B$, $b_B$ and $r_B$, and compares the hash result with Bob's authentication value $Ver_B$. If they are consistent, the verification succeeds. Otherwise, the authentication fails and the process of authenticated key agreement is stopped.

F. STEP6: KEY AGREEMENT BETWEEN ALICE AND BOB
If Alice verifies Bob's identity successfully, the next steps proceed. Alice calculates $v_A \leftarrow b_B \cdot s_A$; then, Alice and Bob each perform the Rec() function to get the keys $k$ and $k'$.
The final shared session key $ss$ is obtained by performing the hash transformation on $M_A$, $M_B$, and $k$, $k'$ respectively. The shared session key generated by the two participants is the same. That is to say, the authentication and key agreement process succeeds.
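The approximate agreement behind Step 6, as an added example that is not the authors' implementation: both sides compute nearly the same ring element, and rounding it without a hint still disagrees on some coefficients, which is why Rec() is needed. It uses Newhope's q = 12289, n = 1024 and ψ_16; the function names, the fixed demo seed and the naive rounding rule are assumptions of this example, and Rec() itself is not reproduced.

```python
import random

Q = 12289   # Newhope modulus
N = 1024    # Newhope ring dimension: arithmetic is in Z_q[x]/(x^N + 1)
K = 16      # parameter of the centered binomial distribution psi_16


def sample_psi(rng, n=N, k=K):
    """Sample n coefficients from the centered binomial distribution psi_k."""
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(k))
            for _ in range(n)]


def poly_mul(f, g, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1); x^n wraps around to -1."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            d = i + j
            if d < n:
                out[d] += fi * gj
            else:
                out[d - n] -= fi * gj
    return [c % q for c in out]


def poly_add(f, g, q=Q):
    """Coefficient-wise sum modulo q."""
    return [(x + y) % q for x, y in zip(f, g)]


def centered(c, q=Q):
    """Representative of c mod q in (-q/2, q/2]."""
    c %= q
    return c - q if c > q // 2 else c


def naive_bit(c, q=Q):
    """Round one coefficient to a bit with no reconciliation hint (assumption)."""
    return 1 if q // 4 <= c % q < 3 * q // 4 else 0


def toy_exchange(seed=2020):
    """Return (largest coefficient gap, number of naive rounding mismatches)."""
    rng = random.Random(seed)  # fixed seed for a reproducible demo, not a CSPRNG
    a = [rng.randrange(Q) for _ in range(N)]       # public polynomial a
    s_a, e_a = sample_psi(rng), sample_psi(rng)    # Alice's secret and error
    s_b, e_b = sample_psi(rng), sample_psi(rng)    # Bob's secret and error
    e_b2 = sample_psi(rng)                         # Bob's extra error, as in Newhope
    b_a = poly_add(poly_mul(a, s_a), e_a)          # b_A = a*s_A + e_A
    b_b = poly_add(poly_mul(a, s_b), e_b)          # b_B = a*s_B + e_B
    v_a = poly_mul(b_b, s_a)                       # Alice: v_A = b_B * s_A
    v_b = poly_add(poly_mul(b_a, s_b), e_b2)       # Bob: v_B = b_A * s_B + e''
    gap = max(abs(centered(x - y)) for x, y in zip(v_a, v_b))
    mismatches = sum(naive_bit(x) != naive_bit(y) for x, y in zip(v_a, v_b))
    return gap, mismatches


if __name__ == "__main__":
    gap, mismatches = toy_exchange()
    print(f"max |v_A - v_B| = {gap} (q/4 = {Q // 4}), naive mismatches = {mismatches}")
```

The gap stays well below q/4, yet some coefficients that sit near a rounding boundary still map to different bits, so hashing un-reconciled values would give Alice and Bob different session keys.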

VI. SECURITY ANALYSIS
A. ANALYSIS TO RESIST DIFFERENT ATTACKS
The correctness of the INAKA protocol is reflected in the above protocol flow. Common security attributes for AKA protocols have been introduced in [22]-[24]. We analyze the pivotal security attributes of this protocol in the following parts.

1) PRIVATE KEY RECOVERY ATTACK
The protocol proposed in this article is based on the RLWE hard problem, that is, the security of our protocol can be reduced to the RLWE problem on the lattice. The public key, private key, and authentication information in this protocol are constructed according to the requirements of the RLWE problem. At present, there is no effective cryptographic algorithm that can solve the RLWE hard problem, so, it is impossible for the adversary to recover the private key by intercepting intermediate parameters in this protocol. In other words, if the adversary might crack this protocol by recovering the private key, the adversary also could crack the RLWE problem on the lattice.

2) MAN-IN-THE-MIDDLE ATTACK
If the adversary mounts a man-in-the-middle attack, the $b$ and the seed that Bob sends to Alice might be actively attacked by the adversary during data transmission when there is no identity verification between Alice and Bob. Data integrity could then not be guaranteed, $v_B$ or $r_B$ could not be accurately calculated, and finally the key agreement would fail. In addition, the MFs $b$, $r$ and $M$ are introduced into the data transmission process: even if the adversary acquires the transmitted data, he cannot get any useful information about Alice or Bob, because the transmitted data are masked by an XOR operation and cannot be directly used in a calculation to determine the identity of Alice or Bob. Therefore, in the INAKA scheme, the mutual identity authentication of the two communication participants and the mask factors prevent the adversary from impersonating any party to destroy the key agreement process, and the INAKA protocol can resist the man-in-the-middle attack.

3) REPLAY ATTACK
The replay attack can be regarded as the behavior of an attacker who uses intercepted public session information to obtain the secret information of a new session. In this protocol, Alice randomly samples 32 integer elements from 0 to 255 as the session seed, and the polynomials $s_A$ and $e_A$ on the domain $\psi_{16}$ are valid only in the current session. Only if the mutual authentication between Alice and Bob succeeds is the shared key $ss$ of the current session generated. This scheme can therefore resist the replay attack.

4) WEAKLY PERFECT FORWARD SECURITY
During the key agreement process, if a new node joins, the session key generated would be also inconsistent because the random polynomials in key agreement process are different. As a result, the newly joined node could not know the previous session key, therefore this protocol has weakly perfect forward security.

5) UNKNOWN KEY-SHARED ATTACK
Assume that there is an adversary Eve in the session channel, who might illegally use Bob's long-term public key as his own long-term public key. Eve could implement an unknown key-share attack in the following manner.
Suppose Alice initiates session 1 with Bob. When Alice sends her authentication message to Bob, Eve might intercept the message in the channel, initiate another session 2 with Bob, and send the same authentication message to Bob. Bob performs the verification calculation after receiving the message from Eve and sends the verification result to Eve, and Eve forwards the verification message to Alice. "Secure communication" could be established in session 1, and the shared session key could be obtained by both Alice and Eve. In session 2, Eve intercepts the returned value and forwards it to Bob; "secure communication" could also be established between Eve and Bob, and Eve could also get the shared session key. That is, the adversary Eve can intercept the encrypted message from Alice in session 1 and forward it to Bob; since Bob has a shared key with Eve, the message could be correctly decrypted by Bob. As a result, the protocol could be attacked through an unknown shared key.
However, the hash value and the digital signature of the identity information are added to the calculation of the session key in this scheme, so the unknown key-share attack during the communication process is avoided.
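The hash check of Step 3 and the identity-bound session key of Step 6, as an added example that is not the authors' code. SHA-256 stands in for SM3, the length-prefixed field encoding and all sample values are assumptions of this example, and the signature and public-key encryption that carry the hash are left out.

```python
import hashlib
import hmac


def H(*fields: bytes) -> bytes:
    """256-bit hash over length-prefixed fields.

    SHA-256 stands in for SM3 (the hash is a swappable component of the
    protocol). The 4-byte length prefix is an assumption of this example:
    it keeps (b"ab", b"c") and (b"a", b"bc") from hashing to the same value.
    """
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()


def identity_mask(identity: str) -> bytes:
    """M = H(ID): the identity mask value derived from a party's identity."""
    return H(identity.encode("utf-8"))


def bob_checks_alice(b_a: bytes, m_a: bytes, seed: bytes, received: bytes) -> bool:
    """Step 3: recompute H(b_A, M_A, seed) and compare in constant time."""
    return hmac.compare_digest(H(b_a, m_a, seed), received)


def session_key(m_a: bytes, m_b: bytes, k: bytes) -> bytes:
    """Step 6: ss = H(M_A, M_B, k), binding both identities to the key."""
    return H(m_a, m_b, k)


def demo():
    # Constructed sample values; real b_A and k come from the lattice steps.
    seed = bytes(range(32))
    b_a = b"\x01" * 64
    k = b"\x02" * 32
    m_a, m_b, m_e = (identity_mask(i) for i in ("alice", "bob", "eve"))
    # In the protocol this digest travels inside the signed, encrypted Ver_A;
    # on its own a bare hash authenticates nothing.
    digest = H(b_a, m_a, seed)

    honest = bob_checks_alice(b_a, m_a, seed, digest)
    tampered = bob_checks_alice(b"\x03" + b_a[1:], m_a, seed, digest)

    # Unknown key-share: Alice believes her peer is Bob, while Bob believes
    # his peer is Eve. Even with the same k, the two session keys differ.
    alice_ss = session_key(m_a, m_b, k)
    bob_ss = session_key(m_e, m_b, k)
    return honest, tampered, alice_ss == bob_ss


if __name__ == "__main__":
    print(demo())
```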

B. SECURITY PROOF
The security of this protocol could be proved under the Canetti and Krawczyk (CK) model introduced in [22], [23]. However, a protocol that has been proven secure under the CK model still cannot be guaranteed to resist key compromise impersonation (KCI) attacks and leakage of ephemeral private key (LEP) attacks; moreover, the model cannot ensure the weak perfect forward security (wPFS) of the protocol. In order to make up for these shortcomings, the extended CK model (eCK) introduced in [25] is used to prove the security of the protocol. In general, BR, BPR, CK, and eCK are often used as the provable security models for current AKA protocols; among them, the eCK model covers the strongest attack types and attack methods, and has been widely recognized by many researchers. Therefore, the eCK model is also used to prove the security of the INAKA protocol. In this model, a probabilistic adversary Eve can control the communication. Eve can obtain the secret information stored in the participants' memory through an explicit attack. Therefore, the security of the key exchange protocol needs to guarantee that the leakage of secret values has minimal impact on the security of other secret items. The adversary Eve can interact with a protocol participant O, and the security of INAKA can be proved by using the following queries [9]:
1) Execute (Alice, Bob): This query is used to simulate a passive attack and return exchange messages that belong to the protocol participants during actual execution.
2) h n (a): Eve receives a random number as the Hash value of a by this query. 3

10) Test(O): This query is used to measure the semantic security of the session key.
Definition 3 (Security of eCK Model): Let $ss^*$ represent the session key constructed in the session $sid^*$, where $sid^*$ is a fresh session. Eve guesses the value of $c^*$, $c^* \in \{0, 1\}$, and the value $c$ will be output. When responding to the adversary Eve, if $c = 1$, $sid^*$ returns the value of the real session key; otherwise, $sid^*$ returns a random number of the same length to Eve [25]. The advantage of adversary Eve is:
The AKA protocol is secure if and only if:
1) Two honest protocol participants complete a matched session, and both sides calculate the same session key, or both sides output a failed execution identifier.
Suppose the advantage of the adversary Eve in solving the RLWE hard problem is $\mathrm{Adv}_{RLWE}(\mathrm{Eve})$. If the advantage of the adversary Eve in attacking the protocol is negligible, that is, $\mathrm{Adv}_{RLWE}(\mathrm{Eve}) \le \varepsilon$, the scheme is secure.
Proof: In order to prove the semantic security of the protocol, the game sequence $GM_0$ to $GM_5$ is defined. $GM_0$ represents the real attack, and $GM_5$ is the game in which Eve has no advantage. Let $S_i$ be the event corresponding to $GM_i$.
Game $GM_0$: The simulation of this game is identical to the real attack in the random oracle model. Hence, we have:
Game $GM_1$: In this game, the oracles are simulated (see Table 2). Since the oracles Execute, Send, and others are simulated just as in the real execution of the protocol, we can conclude:
Game $GM_2$: The simulation of this game is the same as $GM_1$, except that if there is a conflict in the script and the hash query, the game will be terminated. According to the birthday paradox, the probability of a hash collision is at most $q_h^2 / 2^{l+1}$. $s_A$, $e_A$, $e'_A$ are selected randomly from the domain $\psi_{16}$, and the probability of collision in the scripts is at most $(q_s + q_e)^2 / 2p$ [26], [27]. As a result, we conclude:
Game $GM_3$: The simulation of this game is consistent with $GM_2$, unless Eve is lucky enough to guess the value of the verifier without asking the $h$ oracle and the game is suspended. Therefore, we have:
Game $GM_4$: In this game, the session key security is considered: Eve cannot obtain the session key unless one of $(s_A, e_A, e'_A)$ or $(s_B, e_B, e'_B)$ is revealed to him. The goal of Eve is to compute the session key in the following four cases by making Execute and $h$ queries.
Case 0: Corrupt($Alice_i$) and Corrupt($Bob_j$). In this case, Eve obtains the keys of both $Alice_i$ and $Bob_j$, i.e., $sk_A$ and $sk_B$, but not their MVs, $M_A$ or $M_B$.
In all of the aforementioned four cases, Eve cannot compute $k$ and $k'$. Therefore, the difference between this game and the previous one is negligible. It is concluded that:
Game $GM_5$: The simulation of this game is the same as the game $GM_4$, except that this game will be ended if Eve issues an $h$ query. Since Eve can obtain $k$ with probability at most $q_h^2 / 2^{l+1}$, we have $|\Pr[S_5] - \Pr[S_4]| \le q_h^2 / 2^{l+1}$. Because Eve has no advantage in distinguishing the real session key from a random one without making the $h$ query with the correct input, we have:
Combining all the probabilities, it is concluded that the INAKA scheme is provably secure.

VII. PERFORMANCE ANALYSIS FOR INAKA
A. THEORETICAL ANALYSIS
In order to illustrate the advantages of the proposed protocol, we compare the working performance and efficiency of typical KA/AKA schemes, such as the Ding scheme [28], BCNS scheme [4], Newhope scheme [6], BCD+ scheme [29], Peikert scheme [3], FSXY scheme [16], ZZDSD scheme [30] and BDK+ scheme [31]. In order to highlight the comprehensive performance of the protocols, we analyze these schemes on computational complexity, forward security, resistance to man-in-the-middle attacks, resistance to replay attacks, and so on. The comparison results are shown in Table 3.

B. PERFORMANCE TEST
The protocol was tested on a computer configured with an Intel Core i7 processor, 8 GB of memory, and the Windows 7 64-bit operating system. The software working platform is Microsoft Visual Studio 2010 Professional Edition. In the actual test, as an example, the RSA1024 algorithm is used as the encryption/decryption module in the INAKA protocol.
The running time in Table 4 is the mean value of 50 actual test results, where:
1. The average time required for Alice to generate $(pk_A, sk_A)$ and the identity authentication information $Ver_A$ is 0.916 ms, while the longest time is 1.636 ms and the shortest time is 0.884 ms.
2. The average time required for Bob to verify Alice's identity information is 6.864 ms, while the longest time is 7.236 ms and the shortest time is 6.730 ms.
3. The average time required for Bob to derive the key and generate the identity authentication information $Ver_B$ is 0.172 ms, while the longest time is 0.276 ms and the shortest time is 0.167 ms.
4. The average time required for Alice to verify Bob's identity information is 0.028 ms, while the longest time is 0.087 ms and the shortest time is 0.027 ms.
5. The average time required for Alice to derive the key is 0.151 ms, while the longest time is 0.222 ms and the shortest time is 0.148 ms.
The average time required to generate the shared key in a complete session is 8.131 ms, while the longest time is 9.457 ms and the shortest time is 7.956 ms.
After actual testing, the following results are shown in Table 5. The length of the randomly generated seed is 384 bits, the length of the public key pk is 14.25 KB, and that of the private key sk is 28.75 KB; the length of the identity authentication value $Ver_A$ that Alice sends to Bob in the first round is 33 KB. In the second round, the length of Bob's identity authentication value $Ver_B$ is 33 KB, the length of the intermediate vector ct is 17.25 KB, and the session key ss is 256 bits. Fig. 2 shows line charts of the 50 efficiency tests. Fig. 3 shows the respective time consumption for Alice and Bob to generate the session key.
It can be seen from Fig. 2 and Fig. 3 that it only costs 8.131 milliseconds to complete the mutual authentication and key agreement over 50 actual tests, without considering transmission time and delay on the communication link.
The implementation performance parameters of several typical protocols on a software platform are presented in Table 6.
It can be seen from Table 6 that all the schemes, including [9], [11], [12] and INAKA, have better security: they can resist the man-in-the-middle attack, the replay attack or others, and can satisfy forward security and mutual authentication. The time consumption for private key/signature and public key/verification operations in INAKA is higher than in the other schemes owing to different working platforms and configurations. It is worth mentioning that, in this protocol, encryption, decryption and hash operations can be replaced by other traditional or lattice-based cryptographic modules; that is to say, the INAKA protocol is universally combinable. Overall, the communication overhead and calculation overhead of this protocol are comparatively low, which gives it better practicality in industrial applications.

VIII. CONCLUSION
In this article, we propose a common lattice-based combinable authentication and key agreement protocol named INAKA. It combines post-quantum cryptography, identity authentication, commitment values, identity mask values, and mask factors to protect the user's identity privacy. This protocol can achieve mutual identity authentication and key agreement in only two rounds of communication. In round I, the user receives the sender's authentication message, produced by hash, encryption and digital signature operations. In round II, the user carries out the decryption, digital signature verification, and the XOR computation of the MFs. This two-round message transmission design reduces the computational burden and improves the efficiency of the AKA protocol. The test result indicates that the INAKA protocol only needs 8.131 milliseconds to complete the mutual authentication and key agreement, without considering transmission time and delay in the communication link. It has also been proved that the INAKA scheme is secure under the eCK and indistinguishable game models. This solution can achieve privacy preservation and mutual authenticated key agreement between communication parties; thus we believe our work can benefit authenticated network applications.
YATAO YANG received the Ph.D. degree from the Beijing University of Posts and Telecommunications, in 2009. He is currently an Associate Professor with the Beijing Electronic Science and Technology Institute. His main research interests include information security, cryptographic protocol, and algorithm.
JIERUN HUANG was born in 1995. She is currently pursuing the master's degree with the Beijing Electronic Science and Technology Institute. Her main research interests include information security, cryptographic protocol, and algorithm.
JIANYUAN CHEN was born in 1997. He is currently pursuing the master's degree with the Beijing Electronic Science and Technology Institute. His main research interests include information security, cryptographic protocol, and algorithm.
XINGUANG HAN was born in 1994. He is currently pursuing the master's degree with the Beijing Electronic Science and Technology Institute. His main research interests include information security, cryptographic protocol, and algorithm.
YANG ZHAO was born in 1995. He is currently pursuing the master's degree with the Beijing Electronic Science and Technology Institute. His main research interests include information security, cryptographic protocol, and algorithm.
ZHANZHEN WEI was born in 1971. He is currently a Professor with the Beijing Electronic Science and Technology Institute. His main research interests include information security and cryptography. VOLUME 8, 2020