Security analysis and enhancements of a three-party authenticated key agreement protocol

The three-party authenticated key agreement (3PAKA) protocol is an important cryptographic mechanism for secure communication, which allows two clients to generate a shared session key with the help of a server. Recently, Tan proposed a communication- and computation-efficient 3PAKA protocol. Compared with related protocols, Tan's protocol requires fewer rounds, lower communication cost and smaller computation cost. Tan claimed that his protocol was secure against various attacks. Unfortunately, we find that his protocol cannot withstand the key compromise impersonation attack. To improve security, we propose a new 3PAKA protocol. Security analysis and performance analysis show that our 3PAKA protocol overcomes the weakness in Tan's protocol at the cost of a slight increase in computational cost.


Introduction
The three-party authenticated key agreement (3PAKA) protocol is a variation of the two-party authenticated key agreement (2PAKA) protocol. In such a protocol, each client shares a secret value with the server. Using the secret value, two clients could generate a shared session key for future communication with the server's help.
Bellare and Rogaway proposed the first 3PAKA protocol (CHANG et al., 2011). Since then, many 3PAKA protocols (CHANG; CHANG, 2004; CHEN et al., 2008; LO; YEH, 2009; DING; MA, 2010; YANG; CAO, 2012; YANG; CHANG et al., 2011; TAN, 2010; CHEN et al., 2008; TAN, 2013) were proposed to improve security and performance. Generally speaking, these 3PAKA protocols could be divided into three classes: the password-based 3PAKA protocols (CHEN et al., 2008; DING; MA, 2010; LO; YEH, 2009; YANG; CAO, 2012), the public key infrastructure (PKI)-based 3PAKA protocols (CHANG; CHANG, 2004; YANG; CHANG, 2009; TAN, 2010) and the identity (ID)-based 3PAKA protocols (CHEN et al., 2008; TAN, 2013). In the password-based 3PAKA protocol, each client shares an easy-to-remember password with the server. Using the shared passwords, two clients generate a session key with the help of the server. In such protocols, the server has to maintain a password table. The system will be totally broken once the password table is lost. In the PKI-based 3PAKA protocol, a certificate generated by the certificate authority is needed to bind the client's identity to his public key. The management of certificates becomes more and more difficult as the number of clients increases. The ID-based 3PAKA protocols could overcome the above weaknesses since neither a password table nor certificates are needed in such protocols. Chen et al. (2008) proposed the first ID-based 3PAKA protocol. However, Yang and Chang (2009) pointed out that Chen et al.'s scheme is not secure against the stolen-verifier attack. Very recently, Tan (2013) proposed a new ID-based 3PAKA protocol. Compared with previous protocols, Tan's protocol is more practical since it requires fewer rounds, lower communication cost and smaller computation cost. Tan claimed his protocol could withstand various attacks. However, in this paper, we will point out that his protocol is vulnerable to the key compromise impersonation attack. We also propose an improved scheme to enhance security.
The rest of this paper is organized as follows. Tan's 3PAKA protocol is introduced and analyzed in Section 2 and Section 3 respectively. Then, our 3PAKA protocol is proposed in Section 4. The security and performance are discussed in Section 5 and Section 6 respectively. At last, some conclusions are given in Section 7.

Review of Tan's 3PAKA protocol
In this section, we review Tan's 3PAKA protocol. His protocol consists of two phases, i.e. the initialization phase and the authenticated key exchange phase. The details are described as follows.

The initialization phase
In this phase, the server S generates the system parameters first. Then, both of the clients A and B get their private keys through registering with the server.
S chooses two prime numbers p, n and an elliptic curve E defined by the equation

The authenticated key exchange phase
As shown in Figure 1, the clients A and B generate a shared session key with the help of the server S.
and the session key

Weakness of Tan's 3PAKA protocol
It is well known that a 3PAKA protocol should provide five basic security attributes, i.e. known-key security, perfect forward secrecy, key-compromise impersonation resilience, unknown key-share resilience and no key control (CHEN; HAN, 2013; HE et al., 2014; HE et al., 2015; HE; ZEADALLY, 2015; MENEZES et al., 1997; TAN, 2013). In a 3PAKA protocol, key-compromise impersonation resilience means that the adversary A cannot impersonate the client B and the server S to the client A when he gets A's private key. In this section, we show that Tan's protocol cannot provide key-compromise impersonation resilience by presenting a concrete key compromise impersonation attack. Once the adversary A gets A's private key ( || ), he could carry out the attack as follows. 1) The adversary A generates a random number ID ID e to B and S separately, where Request is a request that A wants to generate a session key with B. 2 and the session key A sends 6 { } e to A. 4) Upon receiving , then the adversary A could impersonate B to generate a shared session key with A. Therefore, Tan's protocol cannot withstand the key compromise impersonation attack.

Our 3PAKA protocol
In Tan's scheme, the adversary does not need the server's private key to generate the response message for the user A once he gets A's private key. Therefore, the adversary could impersonate B to A. To overcome this weakness, the server's private key should play an essential role in generating the response message. Based on this observation, we propose an improved 3PAKA protocol to overcome the weakness in Tan's protocol. Like his protocol, our protocol also consists of two phases, i.e. the initialization phase and the authenticated key exchange phase. The details are described as follows.

The initialization phase
In this phase, the server S generates the system parameters first. Then, both of the clients A and B get their private keys through registering with the server.
S chooses two prime numbers p, n and an elliptic curve E defined by the equation
checks whether both of the two equations

Security analysis of our 3PAKA protocol

Security model for 3PAKA protocol
In this subsection, we propose a security model for the 3PAKA protocol based on Chang et al.'s security model for the password-based 3PAKA protocol (CHANG et al., 2011).
∏ represents the i-th instance of a participant U. The security of a 3PAKA protocol is defined by a game between a challenger C and an adversary A. There are two phases in the game. During the first phase, A could issue the following queries at will.
Hash(m): C maintains an initially empty table where k is a security parameter.
Definition 1. A 3PAKA protocol is said to be secure if: (1) In the presence of a benign adversary on , ∏ always agree on the same session key, and this key is distributed uniformly at random.

Security analysis
To prove the security of our 3PAKA protocol in the random oracle model (HE et al., 2012, 2013), we treat h as a random oracle. For the security, the following lemmas and theorem are provided.
Lemma 1. If two oracles ∏ are matching, both of them will be accepted and will get the same session key, which is distributed uniformly at random in the session key sample space.
Proof. From the description of our 3PAKA protocol, we know that if two oracles $\Pi_A^i$ and $\Pi_B^j$ are matching, then both of them are accepted and have the same session key. The session keys are distributed uniformly since a and b are selected uniformly during the execution of our 3PAKA protocol.
Lemma 2. Assuming that the computational Diffie-Hellman (CDH) problem is hard, the advantage of any adversary against our 3PAKA protocol is negligible.
Proof. Suppose there is an adversary A that could win the game described in Section 5.2 with a non-negligible advantage ε. We will show that there is an algorithm C that could solve the CDH problem using A's ability.
Given an instance , where $q_{se}$ denotes the number of Send queries. C keeps x as the master key and uses it to generate all participants' private keys. Then, C sends params to A, and answers A's queries.
C answers all of A's queries according to the description of our 3PAKA protocol, except the j-th Send query. In the j-th Send query, C embeds to say some queries of the form $Hash(*, ID_A, ID_B)$ have been asked. If no such query has been asked, C stops the simulation; otherwise, C chooses a random one of this form and returns * as the solution of the CDH problem.
In our simulation, the hash function h is treated as a random oracle. Then we could conclude that if A could know the session key sk corresponding to the j-th Send query, he must have asked a query of the form (*, , ), where $q_h$ is the number of Hash queries. The probability that C guesses the correct moment when A wins the game is $1/q_{se}$, since it equals the probability that C guesses the correct j. Therefore, C could solve the CDH problem with a non-negligible advantage $\eta = \varepsilon/(q_{se} q_h)$, since ε is non-negligible. This contradicts the hardness of the CDH problem.
From the above three lemmas, we can get the following theorem.
Theorem 1. Assuming that the computational Diffie-Hellman (CDH) problem is hard, our protocol is a secure 3PAKA protocol in the random oracle model.

Known-key security
Known-key security means that the execution of a protocol should result in a unique secret session key, and the compromise of this key has no impact on other session keys.
From the description of our 3PAKA protocol, we could get that the clients A and B compute Because the random numbers a and b are generated by A and B separately for every session, the compromise of this key has no impact on other session keys. Therefore, our 3PAKA protocol could provide known-key security.

Perfect forward secrecy
Perfect forward secrecy means that previous session keys cannot be compromised even if all three parties' long-term private keys are compromised.
In our 3PAKA protocol, the session key is , where $K = abP$ and the random numbers a and b are generated by A and B separately. Even if the adversary gets all three parties' long-term private keys, he still cannot compute $K = abP$ from $R_1 = aP$ and $R_3 = bP$, since he faces the CDH problem. Therefore, our 3PAKA protocol could provide perfect forward secrecy.
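The known-key and forward-secrecy arguments above both rest on the ephemeral values alone. The following added example (written for this page, not part of the paper) works them through on a constructed toy curve, using the paper's symbols R_1 = aP, R_3 = bP and K = abP; the 17-element field and 19-point group are assumptions chosen so the CDH step can be brute-forced, which is exactly what the paper's 160-bit parameters prevent.

```python
# Toy short-Weierstrass curve y^2 = x^3 + 2x + 2 over F_17 (constructed textbook
# parameters with a 19-element group; the paper's curve uses a 160-bit p).
P_MOD, A_COEF, B_COEF = 17, 2, 2
P = (5, 1)        # base point of order 19
ORDER = 19
INF = None        # point at infinity

def ec_add(p1, p2):
    """Group law on the curve, including the point at infinity and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def session_key_point(a, b):
    """Ephemeral part of the exchange in the paper's notation: A sends R_1 = aP,
    B sends R_3 = bP, and each side derives K = abP from its own scalar and the
    other's point. Returns (R_1, R_3, K as computed by A, K as computed by B)."""
    R1, R3 = ec_mul(a, P), ec_mul(b, P)
    return R1, R3, ec_mul(a, R3), ec_mul(b, R1)

def recover_k_from_transcript(R1, R3):
    """The forward-secrecy adversary: he may hold every long-term private key,
    but K never involves them, so from the transcript (R_1, R_3) he must solve
    the CDH instance (P, aP, bP). On this 19-point group a brute-force search
    for a is instant; at 160 bits it is infeasible."""
    for a_guess in range(1, ORDER):
        if ec_mul(a_guess, P) == R1:
            return ec_mul(a_guess, R3)
    return INF
```

Fresh a and b per session give a fresh K (here 55P and 91P land on different points), which is the known-key argument; the brute-force helper shows why the CDH assumption, not key secrecy, carries the forward-secrecy claim.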

Key-compromise impersonation resilience
Key-compromise impersonation resilience means that the adversary A cannot impersonate the client B and the server S to the client A when he gets A's long-term private key.
Assume that the adversary could get . Then, he faces the CDH problem. Therefore, our 3PAKA protocol could provide key-compromise impersonation resilience.
Unknown key-share resilience
Unknown key-share resilience means that when the client A believes he has generated a session key with the client B, it is impossible that A has been tricked into generating a session key with the client C.
In our 3PAKA protocol, the client A and the server S could authenticate each other by checking $e_3$ and $e_1$ respectively. The client B and the server S could authenticate each other by checking $e_3$ and $e_4$ respectively. Then, A and B could authenticate each other with the help of S. Therefore, our 3PAKA protocol could provide unknown key-share resilience.

No key control
No key control means that none of the three parties can force the session key to be a pre-chosen value.
In our 3PAKA protocol, the session key is , where $K = abP$ and the random numbers a and b are generated by A and B separately. Then, none of A, B and S can determine the session key of an execution of our 3PAKA protocol. Therefore, our 3PAKA protocol could provide no key control.

Performance analysis
In this section, we compare the performance of our 3PAKA protocol with that of Chen et al.'s protocol (CHEN et al., 2008) and Tan's protocol (TAN, 2013). For convenience, some notations are defined as follows. We assume that the size of p, the output size of the hash function, the output size of the symmetric encryption/decryption algorithm, the size of the timestamp, the size of "Request" and the size of a client's identity are 160 bits, 160 bits, 128 bits, 32 bits, 32 bits and 32 bits respectively. The comparisons in terms of communication cost and computation cost are listed in Table 1. Our 3PAKA protocol has better performance in terms of communication cost than Chen et al.'s protocol and Tan's protocol. Tan's protocol has better performance in terms of computation cost than our 3PAKA protocol and Chen et al.'s protocol. However, Chen et al.'s protocol and Tan's protocol are vulnerable to the stolen-verifier attack and the key compromise impersonation attack respectively. Our 3PAKA protocol could overcome the security weaknesses in previous protocols at the cost of a slight increase in computation cost. Therefore, our 3PAKA protocol is more suitable for practical applications.

Conclusion
By overcoming the weaknesses of the 2PAKA protocol, the 3PAKA protocol has attracted wide attention from all over the world. Many 3PAKA protocols have been proposed for practical applications in the last several years. In this paper, we analyze the security of a novel 3PAKA protocol based on elliptic curve cryptography and point out that it cannot withstand the key compromise impersonation attack. To enhance security, this paper proposes a new 3PAKA protocol based on elliptic curve cryptography. A security analysis shows that the proposed 3PAKA protocol overcomes the weaknesses in previous schemes and is provably secure in the random oracle model. A performance analysis shows that the proposed 3PAKA protocol has better communication cost and increases the computation cost only slightly. Therefore, the proposed 3PAKA protocol is more practical than previous schemes.

Figure 1. Authenticated key exchange phase of Tan's protocol.
It is easy to see that both of the above two equations hold. Then, A computes $K = aR_2''$ and the session key e R to A and B separately.

Figure 2. Authenticated key exchange phase of our 3PAKA protocol.
comparison, we translated Chen et al.'s protocol into its elliptic curve analogue.
∏ is fresh and the adversary is only allowed to make the Test query one time. At the end of the game, A outputs a guess bit b′. We say that A wins if and only if Corrupt($ID_U$): Through this query, A could get the private key of the participant U with identity