Communications among multiple parties must be fast, cost-effective and secure. Today's computing environments, such as Internet conferencing, multiuser games and many other applications, involve multiple parties. All participants together establish a common session key to enable secure multiparty exchange of messages. A multiparty password-based authenticated key exchange scheme allows users to communicate securely over an insecure network by using an easy-to-remember password. Kwon et al. proposed a practical three-party password-based authenticated key exchange (3PAKE) scheme that allows two users to establish a session key through a server without pre-sharing a password between the users. However, Kwon et al.'s scheme cannot meet the security requirements of key authentication, key confirmation and anonymity. In this paper, we present a novel, simple and efficient multiparty password-based authenticated key exchange (MPAKE) scheme based on elliptic curve cryptography for the mobile environment. Our proposed scheme requires only two round-messages. Furthermore, the proposed scheme not only satisfies the security requirements for a PAKE scheme but also achieves efficient computation and communication.
1. Introduction
Password authenticated key exchange (PAKE) studies how to establish secure communications between two or more parties based solely on their passwords. The key challenge with password-based schemes is that the memorable password associated with each user has low entropy. It is not easy to protect the password against dictionary attacks, in which an adversary ends up with the correct password after exhaustively testing all possible passwords against known password verifiers. Therefore, the intrinsic problem in designing PAKE schemes is to preserve password security against dictionary attacks.
In 1992, Bellovin and Merritt first proposed the two-party PAKE protocol (2PAKE) [1], where two entities A and B share a human-memorable password to establish a common session key. Because the 2PAKE protocol is not suitable for large peer-to-peer architectures, many researchers have concentrated on proposing schemes that either extend Bellovin and Merritt's scheme to three-party applications or have better performance. The three-party password-based authenticated key exchange protocol (3PAKE) is a simple and important mechanism that allows each user to choose his own password and share it with the server. A 3PAKE scheme requires a trusted server that shares an easy-to-remember password with each user. However, because of the limited capacity of human memory, people prefer natural-language phrases as their secret passwords. This makes the 3PAKE scheme vulnerable to password guessing attacks [2]. Furthermore, the number of transmission rounds and the computational complexity are two important criteria for describing the performance of a 3PAKE system [3-5].
Based on the Diffie-Hellman key exchange concept, Steiner et al. proposed a 3PAKE protocol [6] in 1995. Thereafter, Ding et al. [2] and Sun et al. [7] pointed out that Steiner et al.'s scheme is vulnerable to undetectable on-line password guessing attacks. Moreover, Lin et al. [8] further showed that Steiner et al.'s scheme suffers not only from undetectable on-line password guessing attacks but also from off-line password guessing attacks. To eliminate these flaws, Sun et al. and Lin et al. separately utilized public key cryptographic techniques to prevent undetectable on-line and off-line password guessing attacks. However, public key techniques add considerable computational complexity to current 3PAKE protocols.
In 2004, Chang and Chang proposed a robust and efficient 3PAKE protocol using a trapdoor one-way function [9]. Later, Chen et al. [10] and Yoon et al. [11] pointed out that Chang and Chang's scheme cannot resist undetectable on-line password guessing attacks, and each proposed an enhanced scheme to solve the security problem. However, Lo and Yeh [12] pointed out that both schemes, by Chen et al. and by Yoon et al., are still vulnerable to undetectable on-line password guessing attacks.
In 2005, Abdalla et al. proposed a formal security model for 3PAKE with different passwords [13]. From the viewpoint of rounds and computational complexity, Abdalla et al.'s scheme requires six rounds and more than 17 modular exponentiations per user in the standard model. To improve the efficiency of that scheme, Abdalla et al. presented a tailor-made protocol [14]. However, it fails to resist the undetectable on-line dictionary attack; the authors count this attack within the number of message-modification queries, which is limited to a certain number.
In 2008, Kwon et al. proposed a password-based 3PAKE scheme with different passwords that achieves forward secrecy in the standard model [15]. Their scheme requires four rounds to achieve authentication between the users and the server. Besides, their scheme does not provide key authentication, key confirmation or user anonymity. In 2012, we proposed a PAKE scheme for the multiparty setting that meets the above security requirements with greatly improved efficiency [16]. The latest surveys of 3PAKE issues are presented in [17-23].
With the emergence of the mobile environment, conventional 3PAKE protocols face two common problems. The first is that the server and the users are not in the same domain, and therefore the shared authenticated keys may be compromised unknowingly. In addition, conventional 3PAKE protocols require high on-line communication and computational cost during session key agreement, which can create excessive overhead for a user whose device has low computational capacity.
Despite recent research aimed at reducing the computation and energy costs of public key operations and protocols, the techniques that are applied successfully in traditional wired networks are not suitable for low-power devices such as those in mobile networks and WSNs [24, 25]. Although RSA is well established, elliptic curve cryptography (ECC) is of greater commercial importance and has attracted attention because of its smaller key size, which reduces storage, CPU consumption and transmission requirements [26].
In this paper, we propose a multiparty PAKE (MPAKE) scheme based on ECC for the mobile environment. Our proposed scheme achieves better performance by requiring only two round-messages, and it meets the security requirements. The proposed scheme is more efficient than previously proposed schemes in terms of computational complexity and communication cost. Furthermore, our proposed scheme provides entity authentication, confidentiality of the private key and of the session key, forward secrecy, user anonymity, key authentication, and key confirmation.
The organization of this paper is as follows. In Section 2, we revisit the password-based 3PAKE scheme of Kwon et al. We then present our proposed scheme in Section 3. The security analysis and the performance evaluation are given in Section 4. Finally, a conclusion is given in Section 5.
2. Revisiting Kwon et al.'s 3PAKE scheme
In this section, we review the 3PAKE scheme [15] of Kwon et al. Their scheme requires four rounds to achieve authentication between the users and the server.

Initialization. Each user U_{i} ∈ U for i ∈ {1, 2} obtains pw_{i} at the beginning of the scheme by using a password generation algorithm PG(1^{k}). Based on the decisional Diffie-Hellman assumption, let p' and q' be safe primes such that p' = 2q' + 1. Let g_{1} and g_{2} be generators of a finite cyclic group G of order q'. Let H() be a hash function, F() be a secure pseudorandom function family, and MAC_{K}(m) be a message authentication code function, where m is a message and K is a key. Assume that each user U_{i} and the server S share the public information (G, p', q', g_{1}, g_{2}, H(), F()) and the identities of the users exchanging a session key.

Round 1. Each user U_{i} chooses a random number, computes X_{iS} using PW_{i} mod p', and sends (I_{i}, X_{iS}) to the server S, where I_{i} is the identity information of the user U_{i}. Then S chooses a random number, computes X_{Si} using PW_{i} mod p' for i = {1, 2}, and broadcasts (I_{S}, X_{S1}, X_{S2}), where I_{S} is the identity information of the server S.

Round 2. Upon receiving (I_{S}, X_{S1}, X_{S2}) from the server S, the user U_{i} computes K_{iS} = (X_{Si}/PW_{i})^{x_{i}} mod p' and a_{iS} = MAC_{K_{iS}}(I_{i} ║ I_{S} ║ X_{iS} ║ X_{Si}). Then U_{i} sends (I_{i}, a_{iS}) to S.

Round 3. Upon receiving (I_{i}, a_{iS}), S compares a_{iS} with a_{Si} = MAC_{K_{Si}}(I_{i} ║ I_{S} ║ X_{iS} ║ X_{Si}), where K_{Si} = (X_{iS}/PW_{i})^{y_{i}} mod p' for i = {1, 2}. If a_{Si} and a_{iS} are identical, a_{iS} is verified. If both a_{1S} and a_{2S} are verified, S chooses a random number, computes Y_{Si} mod p' and a_{Si} = MAC_{K_{Si}}(I_{i} ║ I_{i+1} ║ Y_{Si}), and sends (I_{S} ║ Y_{Si} ║ a_{Si}) to each user U_{i}.

Round 4. Upon receiving (I_{S} ║ Y_{Si} ║ a_{Si}), each user U_{i} compares a_{Si} with MAC_{K_{iS}}(I_{i} ║ I_{S} ║ X_{iS} ║ X_{Si}). If a_{Si} and a_{iS} are identical, U_{i} computes K_{i} = (Y_{Si})^{x_{i}} mod p' and the session key sk_{i} = F_{K_{i}}(I_{1}, I_{S}, I_{2}), where F_{K_{i}}() is a secure pseudorandom function and I_{1}
Kwon et al.'s scheme does not provide key authentication, key confirmation or user anonymity. The identity I_{i} of user U_{i} is transmitted in plaintext. Accordingly, user privacy can be intruded upon easily, especially in the mobile environment. In terms of key confirmation, after the session key sk is distributed to each user U_{i}, Kwon et al.'s scheme gives no assurance that U_{i} actually possesses the session key sk. In addition, for the mobile environment the efficiency of authenticated key exchange should be one of the core considerations. Nevertheless, the modular exponentiation used in Kwon et al.'s scheme is expensive.
3. The Proposed Scheme
In this section, we present the proposed MPAKE scheme with privacy preservation for the mobile environment. The logical architecture of the proposed MPAKE scheme is shown in Fig. 1. Without loss of generality, let U = {U_{1}, U_{2}, ..., U_{n}} be a set of n users, S be a trusted server, and M = n + 1 be the total number of communicating parties. Using the users' passwords PW_{1}, PW_{2}, ..., PW_{n}, secretly shared with the server S, the users in the set U can cooperate to generate a valid session key. The notations used in the proposed MPAKE scheme are listed in Table 1. The proposed MPAKE scheme consists of three phases: system setup, user registration, and the multiparty PAKE. We outline these phases below, and detailed descriptions are given in the following subsections.
Fig. 1. Logical architecture of the proposed MPAKE scheme
Table 1. Notations

Phase 1. System setup phase: The trusted server defines the system parameters and generates his private/public key pair. Finally, the trusted server publishes the system parameters and keeps the private key secret.

Phase 2. User registration phase: Each user must register with the trusted server before the multiparty PAKE. The trusted server cooperates with the registering user to generate the password shared between the registering user and the trusted server.

Phase 3. Multiparty PAKE phase: Using only two round-messages, all participating users cooperate with the trusted server to generate the secret session key.

● Each participating user sends his authenticator and session key contribution to the trusted server. The trusted server can authenticate the legitimacy of all participating users and generate the session key derivation information.

● The trusted server sends his authenticator and session key information to each participating user. All participating users can authenticate the legitimacy of the server and explicitly verify the authenticity of the established session key.
3.1 System setup phase
Initially, the server S determines a large prime p and a non-supersingular elliptic curve EC_{p}(a,b) as y^{2} = x^{3} + ax + b (mod p), where a, b ∈_{R} Z^{*}_{p} and 4a^{3} + 27b^{2} mod p ≠ 0. The server S further determines a large prime q and a base point G of order q over EC_{p}(a,b), where q is a divisor of the number of points on the elliptic curve EC_{p}(a,b). Let O be the point at infinity over EC_{p}(a,b), Q_{i,x}/Q_{i,y} be the x-coordinate/y-coordinate of the point Q_{i}, and H_{1}, H_{2}, H_{3}, H_{4} be secure one-way hash functions that accept a variable-length input and produce a fixed-length output over GF(q). The private and public keys of the server S are respectively defined as x_{s} and Y_{S}, where x_{s} ∈_{R} Z_{q} and Y_{S} = x_{s}G. Let E/D be a secure symmetric encryption/decryption function. Finally, the server S publishes (p, q, EC_{p}(a,b), O, H_{1}, H_{2}, H_{3}, H_{4}, G, Y_{S}, E, D) while keeping x_{s} secret.
3.2 User registration phase
When a user U_{i} wants to use the multiparty PAKE service, he has to register beforehand with the trusted server S. The user U_{i} obtains pw_{i} at the start of the scheme by using a password generation algorithm PG(1^{l}), where l is the bit length of the password pw_{i}. When subscribing to the multiparty PAKE service, the user U_{i} receives PW_{i} = H_{1}(I_{i} ║ I_{S} ║ pw_{i})G, secretly shared between the user and the server, the identity I_{i}, and the public information (p, q, EC_{p}(a,b), O, H_{1}, H_{2}, H_{3}, H_{4}, G, Y_{S}, E, D).
3.3 Multiparty PAKE phase
The multiparty PAKE phase requires only two round-messages. Without loss of generality, let U = {U_{1}, U_{2}, ..., U_{n}} be the set of n users that want to agree on a secret session key shared among them. All the users cooperate with the trusted server S to generate the secret session key. The procedure for the MPAKE phase is stated as follows (as depicted in Fig. 2).
Fig. 2. The multiparty PAKE phase

Step 1. Each user U_{i} chooses a random number r_{i} and computes R_{i} = r_{i}G, A_{i} = r_{i}Y_{S}, mac_{i} = H_{2}(A_{i.x} ║ PW_{i,x} ║ I_{i} ║ t_{i}), m_{i} = mac_{i} ║ I_{i}, and C_{i} = E_{A_{i.x}}(m_{i}). Finally, U_{i} sends his authenticator/session key contribution (R_{i}, C_{i}, t_{i}) to the trusted server S, where t_{i} is the current timestamp.

Step 2. The trusted server S authenticates the legitimacy of all participating users and generates the session key derivation information by performing the following sub-steps.

Step 2-1. Upon receiving (R_{i}, C_{i}, t_{i}) from U_{i} at time T_{i} (for i = 1, 2, ..., n), S verifies the validity of the time interval between t_{i} and T_{i}. If (T_{i} - t_{i}) ≥ ΔT, then S rejects the request, where ΔT denotes the expected valid time interval for transmission delay.

Step 2-2. The server S computes A_{i} = x_{s}R_{i} and m_{i} = D_{A_{i,x}}(C_{i}) and verifies the legitimacy of the user U_{i}. If mac_{i} = H_{2}(A_{i.x} ║ PW_{i,x} ║ I_{i} ║ t_{i}) does not hold, S rejects the request.

Step 2-3. The server S chooses a random number r_{S} and computes Y_{S,i} = r_{S}R_{i}, K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ … ║ Y_{(S,n).x} ║ t_{S}), and δ_{i} = H_{4}(A_{i.x} ║ K ║ I_{S}). Finally, S sends his authenticator/session key related information t_{S}, (Y_{S,i}, δ_{i})_{i=1,2,...,n} to each user U_{i}, where t_{S} is the current timestamp.

Step 3. Upon receiving t_{S}, (Y_{S,i}, δ_{i})_{i=1,2,...,n} at time T_{i}', each user U_{i} verifies the validity of the time interval between t_{S} and T_{i}'. If (T_{i}' - t_{S}) ≥ ΔT, where ΔT denotes the expected valid time interval for transmission delay, then U_{i} rejects the request. If it holds, user U_{i} computes R_{S} and K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ … ║ Y_{(S,n).x} ║ t_{S}), and verifies δ_{i}. If it holds, U_{i} accepts the session key K. Otherwise, U_{i} rejects the request.
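The two-round phase above, as an added Python model that is not the paper's own code: it runs Steps 1 to 3 for n constructed users, with server-side rejection in Steps 2-1 and 2-2 and user-side rejection in Step 3 returned as None. It assumes secp256k1 in place of the unspecified EC_{p}(a,b), tagged SHA-256 for H_{1}..H_{4}, a SHA-256 keystream XOR for E/D, R_{S} = r_{S}G, and, for the user's formula cut off in the source, R_{S} = r_{i}^{-1}Y_{S,i}.

```python
import hashlib
import secrets

# secp256k1 stands in for the paper's unspecified EC_p(a,b), G and q (assumption)
P = 2**256 - 2**32 - 977
A = 0                # curve coefficient a (b = 7 is not needed for point arithmetic)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None             # point at infinity
I_S = b'server-S'    # constructed server identity
DT = 5               # ΔT: accepted transmission delay in seconds (constructed)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + b over GF(P)."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (T_EM in the paper's notation)."""
    acc = O
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def H(tag, *parts):
    """H1..H4 modelled as SHA-256 under a domain-separation tag (assumption)."""
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(x.to_bytes(32, 'big') if isinstance(x, int) else x)
    return h.digest()

def sym(key, data):
    """Stand-in for E/D: XOR with a SHA-256 keystream keyed by A_i.x (assumption)."""
    out = b''
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], H(b'ks', key, i)))
    return out

def register(I_i, pw_i):
    """Registration (3.2): PW_i = H1(I_i || I_S || pw_i) G, shared with S."""
    return ec_mul(int.from_bytes(H(b'H1', I_i, I_S, pw_i), 'big') % Q, G)

def step1(I_i, PW_i, Y_S, t_i):
    """Step 1: returns the user's private state and the message (R_i, C_i, t_i)."""
    r_i = secrets.randbelow(Q - 1) + 1
    R_i, A_i = ec_mul(r_i, G), ec_mul(r_i, Y_S)
    mac_i = H(b'H2', A_i[0], PW_i[0], I_i, t_i)
    C_i = sym(A_i[0], mac_i + I_i)                 # m_i = mac_i || I_i
    return {'r_i': r_i, 'A_i': A_i}, (R_i, C_i, t_i)

def step2(x_s, pw_table, msgs, now):
    """Step 2: S checks every message; returns (t_S, [(Y_S,i, δ_i), ...]) or None."""
    A_list = []
    for R_i, C_i, t_i in msgs:
        if now - t_i >= DT:                        # Step 2-1: stale or replayed
            return None
        A_i = ec_mul(x_s, R_i)                     # Step 2-2: A_i = x_s R_i = r_i Y_S
        m_i = sym(A_i[0], C_i)
        mac_i, I_i = m_i[:32], m_i[32:]
        PW_i = pw_table.get(I_i)
        if PW_i is None or mac_i != H(b'H2', A_i[0], PW_i[0], I_i, t_i):
            return None                            # unknown user, wrong password or forged C_i
        A_list.append(A_i)
    r_s = secrets.randbelow(Q - 1) + 1             # Step 2-3
    R_S = ec_mul(r_s, G)                           # assumption: R_S = r_S G (undefined in the paper)
    Y = [ec_mul(r_s, R_i) for R_i, _, _ in msgs]
    K = H(b'H3', R_S[0], R_S[1], *[y[0] for y in Y], now)
    return now, [(y, H(b'H4', A_i[0], K, I_S)) for y, A_i in zip(Y, A_list)]

def step3(state, idx, t_s, reply, now):
    """Step 3: user idx recovers R_S, recomputes K and checks δ_i; returns K or None."""
    if now - t_s >= DT:
        return None
    Y_i, delta_i = reply[idx]
    # Assumed reading of the formula cut off in the paper: R_S = r_i^{-1} Y_S,i,
    # which equals r_S G since Y_S,i = r_S R_i = r_S r_i G and G has order Q.
    R_S = ec_mul(pow(state['r_i'], -1, Q), Y_i)
    K = H(b'H3', R_S[0], R_S[1], *[y[0] for y, _ in reply], t_s)
    return K if delta_i == H(b'H4', state['A_i'][0], K, I_S) else None

def run_session(users, now):
    """One full two-round MPAKE run for constructed users [(I_i, pw_i), ...]."""
    x_s = secrets.randbelow(Q - 1) + 1
    Y_S = ec_mul(x_s, G)
    pw_table = {I: register(I, pw) for I, pw in users}
    states, msgs = zip(*[step1(I, pw_table[I], Y_S, now) for I, _ in users])
    t_s, reply = step2(x_s, pw_table, msgs, now)
    return [step3(st, i, t_s, reply, now) for i, st in enumerate(states)]
```

With honest users every call to step3 returns the same 32-byte K; a wrong password, a message replayed after ΔT, or a tampered δ_{i} makes the corresponding step return None.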
4. Security Analysis and Performance Evaluation
4.1 Security analysis
The security of the proposed scheme is based on the elliptic curve discrete logarithm problem (ECDLP) [27-29] and the one-way hash function (OWHF) assumption [30, 31].
Elliptic curve discrete logarithm problem (ECDLP):
We assume that the elliptic curve contains a large prime subgroup of order p (≥ 160 bits), which is large enough to make solving discrete logarithms in the finite field GF(p) infeasible. Suppose we have two points P, Q of an elliptic curve and let Q = xP, where x is an integer. It is computationally infeasible to find the integer x from Q = xP.
One-way hash function (OWHF) assumption:
If a hash function h is one-way, it must satisfy the following conditions:

It is computationally infeasible to find a message m from its hash value h(m).

For any message m1, it is computationally infeasible to find another message m2 such that h(m2) = h(m1).

It is computationally infeasible to find a pair of different messages m1 and m2 such that h(m1) = h(m2).
In the following, we present the analysis of the security of our proposed scheme. The proposed scheme can withstand the possible attacks and satisfies the following security requirements:
(1) Entity authentication
The proposed scheme provides mutual authentication between the server S and each user U_{i}. To authenticate the legitimacy of user U_{i}, the server checks mac_{i}. The adversary can successfully generate a valid mac_{i} for cheating the server only if he knows the user's password PW_{i}. The security of PW_{i} is based on the OWHF assumption analyzed above.
On the other hand, each user U_{i} can authenticate the legitimacy of the server by checking δ_{i}. The adversary can successfully masquerade as the server for cheating any user U_{i} only if he can correctly derive A_{i} and PW_{i}. The security of A_{i} and PW_{i} is protected under the ECDLP and the OWHF assumption as discussed above.
(2) Confidentiality of the private key
Consider the scenario of a compromising attack in which an adversary attempts to derive the server's private key x_{S}. With the knowledge of the server's public key Y_{S} = x_{S}G, the adversary faces the ECDLP to derive x_{S}.
(3) Confidentiality of the established session key
In the proposed scheme, the session key K is generated by K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ … ║ Y_{(S,n).x} ║ t_{S}). Only one secret variable, R_{S}, contributes to key generation. The adversary can successfully compromise R_{S} for deriving K only if he knows r_{i} or r_{S}. Compromising r_{i} from R_{i} or r_{S} from Y_{S,i} is an ECDLP. On the other hand, if the adversary attempts to derive K from the intercepted message δ_{i} = H_{4}(A_{i.x} ║ K ║ I_{S}), he faces the intractability of reversing the one-way hash function (i.e. the OWHF problem). Hence, the confidentiality of the session key is protected under the ECDLP or the OWHF assumption.
(4) Confirmation of the established session key
In addition, the proposed scheme provides explicit key authentication (also called key confirmation), so that all users can explicitly verify the authenticity of the established session key. The message δ_{i} = H_{4}(A_{i.x} ║ K ║ I_{S}) serves as an authenticator for this purpose. If the session key K is not correctly computed as K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ ... ║ Y_{(S,n).x} ║ t_{S}), the verification of δ_{i} fails. If it holds, K is the session key shared among all participating users. All participating users can therefore explicitly verify the authenticity of the established session key.
(5) Session key contribution
We show that the proposed scheme is a contributory key agreement scheme, which allows every participating user to contribute a share to the session key generation. The session key is computed as K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ ... ║ Y_{(S,n).x} ║ t_{S}). The secret random number r_{i} is determined secretly by user U_{i}, and hence contributes to the session key generation. This means that each user contributes equally to the session key and guarantees its freshness in each session key construction; that is to say, no participating user can predetermine the session key. Hence, the proposed scheme is a contributory key agreement scheme.
(6) Forward secrecy
Forward secrecy guarantees that an adversary who compromises a private key or one session key cannot reveal previously established session keys. As mentioned above, the session key K of the proposed scheme is generated by K = H_{3}(R_{S} ║ Y_{(S,1).x} ║ Y_{(S,2).x} ║ ... ║ Y_{(S,n).x} ║ t_{S}). The session key is protected by the secret R_{S}. It is easy to see that compromising r_{s} from Y_{S,i} = r_{s}R_{i} is an ECDLP. Even if the server's private key x_{s} is disclosed for some reason, the proposed scheme withstands the attack in which an adversary with knowledge of x_{s} attempts to derive a current session key. The adversary cannot compute K without knowing R_{S}. Hence, the adversary cannot derive any session key with the compromised private key x_{s}.
Consider the scenario in which an adversary who has compromised one session key attempts to derive a previously established session key. Since the proposed scheme is contributory, as mentioned above, the session key of each session is refreshed by the random secret values. The session keys can be regarded as random numbers generated by all participating users. Hence, an adversary knowing one session key cannot derive a previously established one, which implies that forward secrecy is achieved.
(7) User anonymity
The user sends the request (R_{i}, C_{i}, t_{i}) to the server in each login. The adversary may analyze the login message, but it is infeasible to derive the identity of the user from it, where mac_{i} = H_{2}(A_{i.x} ║ PW_{i,x} ║ I_{i} ║ t_{i}). Since the timestamp t_{i} differs between sessions and the identity I_{i} is protected by the one-way hash function, the adversary cannot identify the person who wants to log in.
The identity information I_{i} of the user U_{i} is encrypted in C_{i}. In the encrypted message C_{i} of the proposed scheme, the identity I_{i} is encrypted so that no identity-related information is leaked. The server can decrypt I_{i} on receipt of the message C_{i} and then recognize the identity of the participating user U_{i}. Any adversary who eavesdrops on the communication channel and wants to recover the identity of the user U_{i} faces the intractability of the OWHF assumption. Therefore, user anonymity is achieved through the use of the encrypted message C_{i}.
(8) Replay attack and impersonation attack
In a replay attack, the attacker listens to the communication between the sender and the receiver and then replays the same message of the user or the server. Our proposed scheme uses timestamps to withstand replay attacks. Since the timestamp t_{i} or t_{S} is included in mac_{i} or K, the adversary cannot replay the intercepted messages to masquerade as a valid user or server. The attack cannot work because it fails the validity check on the time interval, (T_{i} - t_{i}) ≥ ΔT or (T'_{i} - t_{s}) ≥ ΔT. This also implies that the proposed scheme can withstand impersonation attacks.
On the other hand, an adversary may impersonate a legitimate user and forge a message using information obtained from the scheme. The adversary needs to guess (A_{i}, mac_{i}, m_{i}) to masquerade as a legitimate user and forge a valid login. The adversary cannot obtain (A_{i}, mac_{i}, m_{i}) from the intercepted communication R_{i}, C_{i} and t_{i}. Therefore, our proposed scheme is secure against impersonation attacks.
(9) Off-line dictionary attack
It is hard for any adversary to derive the user password pw_{i} or the server private key x_{s} from recorded messages, because the adversary faces the OWHF assumption and the ECDLP.
4.2 Performance Evaluation
In this subsection, we evaluate the performance of the proposed scheme and compare it with related work in Table 2. The computational complexity represents how many (or how heavy) cryptographic operations, such as symmetric encryption or one-way hash functions, are adopted in the communication protocol. For simplicity, we use the following notation to evaluate the performance of our proposed scheme and related work:
Table 2. Performance comparisons of 3PAKE schemes
T_{Mac}: the time for performing a strongly unforgeable MAC algorithm computation;
T_{F}: the time for performing a secure pseudorandom function computation;
T_{H}: the time for performing a one-way hash function computation (T_{H} ≈ 4T_{MUL});
T_{EM}/T_{EA}: the time for computing a point multiplication/addition over an elliptic curve (T_{EM} ≈ 29T_{MUL}, T_{EA} ≈ 0.12T_{MUL});
T_{MUL}/T_{EXP}/T_{INV}: the time for computing a modular multiplication/exponentiation/inversion (T_{EXP} ≈ 240T_{MUL}, T_{INV} ≈ 10T_{MUL});
T_{SE}/T_{SD}: the time for performing a symmetric encryption (SE)/decryption (SD) computation (T_{SE} ≈ T_{H} ≈ 4T_{MUL}, T_{SD} ≈ T_{H} ≈ 4T_{MUL});
n: the number of participating users that want to agree on a secret session key shared among them;
|a|: the bit-length of a variable a.
Table 2 compares the total computation costs required by a user and by the server in the proposed protocol and in related work. Note that the time for computing a modular addition and that for the XOR function are ignored here, since they are negligible compared with the other complexity measures. From [32-35], the time complexities can respectively be regarded as T_{EM} ≈ 29T_{MUL}, T_{EA} ≈ 0.12T_{MUL}, T_{EXP} ≈ 240T_{MUL}, T_{INV} ≈ 10T_{MUL}, and T_{H} ≈ 4T_{MUL}. To facilitate the comparisons in Fig. 3, we converted the costs of all operations into multiples of T_{MUL}. The results of the comparisons indicate that the proposed scheme imposes significantly lower computational costs than previously proposed schemes.
Fig. 3. Comparison of computational costs
Considering the communication overhead, we let the adopted one-way hash function be SHA-1 [36] (the bit length of the output is 160 bits), and set p' = 1024 bits, q' = 160 bits, and p = q = 163 bits, respectively. The timestamp t, the identity, and the MAC value are all assumed to be 160 bits. We thus compared the size of the messages transmitted by the proposed scheme with that of related work. Fig. 4 presents the results. The communication overhead of user i in the proposed scheme is 2*163 + 2*160 + 160 bits, whereas the communication overhead of the server S is 4*163 + 2*160 + 160 bits. The results of the comparisons indicate that the proposed scheme imposes significantly lower communication costs than previously proposed schemes.
Fig. 4. Size comparison of messages transmitted
Table 2, Fig. 3 and Fig. 4 clearly show that our proposed scheme is more efficient than previously proposed schemes in terms of computational complexity and communication overhead.
We also summarize the functionalities of the proposed scheme and compare them with related work in Table 3. It demonstrates that our scheme achieves key authentication, key confirmation and user anonymity. The transmission rounds include all independent steps that can be sent and received in parallel; our proposed scheme arranges all independent messages into one round. Our proposed scheme requires only two round-messages, which is fewer than previously proposed schemes require.
Table 3. Comparisons of main functionalities
5. Conclusion
Recently, several researchers have proposed many 3PAKE protocols. We have carefully scrutinized the recently published protocol of Kwon et al. and observed that it suffers from several security weaknesses, namely the lack of key authentication, key confirmation and anonymity. To improve the efficiency and solve the security problems of that 3PAKE scheme, we proposed a multiparty PAKE scheme with privacy preservation based on ECC.
ECC is of greater commercial importance and has attracted attention because of its smaller key size, which reduces storage, CPU consumption and transmission requirements. The proposed scheme uses ECC, which provides the striking advantage of a shorter key size compared with conventional algorithms (e.g., RSA) while preserving an equivalent security level. Additionally, the proposed scheme requires only two round-messages and achieves better performance efficiency. Accordingly, the proposed scheme is suitable for application in the mobile environment.
Furthermore, our proposed scheme provides entity authentication, confidentiality of the private key and of the session key, forward secrecy, user anonymity, key authentication, and key confirmation. The proposed scheme is more efficient than previously proposed schemes and meets the security requirements.
The proposed scheme assumes that the server is honest and follows the required security service agreement. However, malicious servers are still possible, and we therefore plan to develop an MPAKE scheme for multi-server mobile networks capable of withstanding malicious attacks even from the servers themselves.
BIO
Chung-Fu Lu received the B.S. and M.S. degrees in Electrical Engineering from National Taiwan University of Science and Technology in 1991 and 1993, respectively. He received the Ph.D. degree in Information Management from National Taiwan University of Science and Technology, Taiwan, in 2011. Since August 2011, he has been an Associate Professor in the Department of Information Management, Chihlee University of Technology, Taiwan. His current research interests include cryptography, information security, network security, and mobile commerce.
[1] Bellovin S. M., Merritt M., "Encrypted key exchange: Password-based protocols secure against dictionary attacks," in Proc. of 1992 IEEE Computer Society Conference on Research in Security and Privacy, May 4-6, 1992, pp. 72-84.
[2] Ding Y., Horster P., "Undetectable on-line password guessing attack," ACM SIGOPS Operating Systems Review, 29(4), pp. 77-86, 1995. doi:10.1145/219282.219298
[3] Chen H. B., Chen T. H., Lee W. B., Chang C. C., "Security enhancement for a three-party encrypted key exchange protocol against undetectable on-line password guessing attacks," Computer Standards & Interfaces, 30(1-2), pp. 95-99, 2008. doi:10.1016/j.csi.2007.08.010
[4] Lee T. F., Hwang T., Lin C. L., "Enhanced three-party encrypted key exchange without server public keys," Computers and Security, 23(7), pp. 571-577, 2004. doi:10.1016/j.cose.2004.06.007
[5] Simon B. W., Alfred M., "Authenticated Diffie-Hellman key agreement protocols," in Proc. of the 5th Annual Workshop on Selected Areas in Cryptography (SAC'98), August 17-18, 1998, pp. 339-361.
[6] Steiner M., Tsudik G., Waidner M., "Refinement and extension of encrypted key exchange," ACM SIGOPS Operating Systems Review, 29(3), pp. 22-30, 1995. doi:10.1145/206826.206834
[7] Sun H. M., Chen B. C., Hwang T., "Secure key agreement protocols for three-party against guessing attacks," Journal of Systems and Software, 75(1-2), pp. 63-68, 2005. doi:10.1016/j.jss.2003.11.017
[8] Lin C. L., Sun H. M., Hwang T., "Three-party encrypted key exchange: attacks and a solution," ACM SIGOPS Operating Systems Review, 34(4), pp. 12-20, 2000. doi:10.1145/506106.506108
[9] Chang C. C., Chang Y. F., "A novel three-party encrypted key exchange protocol," Computer Standards & Interfaces, 26(5), pp. 471-476, 2004. doi:10.1016/j.csi.2003.12.001
[10] Chen T. H., Lee W. B., Chen H. B., "A round- and computation-efficient three-party authenticated key exchange protocol," Journal of Systems and Software, 81(9), pp. 1581-1590, 2008. doi:10.1016/j.jss.2007.11.720
[11] Yoon E. J., Yoo K. Y., "Improving the novel three-party encrypted key exchange protocol," Computer Standards & Interfaces, 30(5), pp. 309-314, 2008. doi:10.1016/j.csi.2007.08.018
[12] Lo N. W., Yeh K. H., "Cryptanalysis of two three-party encrypted key exchange protocols," Computer Standards & Interfaces, 31(6), pp. 1167-1174, 2009. doi:10.1016/j.csi.2009.03.002
[13] Abdalla M., Fouque P. A., Pointcheval D., "Password-based Authenticated Key Exchange in the Three-Party Setting," Public Key Cryptography - PKC 2005, January 23-26, 2005, pp. 65-84.
[14] Abdalla M., Pointcheval D., "Interactive Diffie-Hellman assumptions with applications to password-based authentication," in Proc. of 9th International Conference on Financial Cryptography - FC 2005, February 28 - March 3, 2005, pp. 341-356.
[15] Kwon J. O., Jeong I. R., Lee D. H., "Practical Password-Authenticated Three-Party Key Exchange," KSII Transactions on Internet and Information Systems, 2(6), pp. 312-332, 2008. doi:10.3837/tiis.2008.06.003
[16] Lu C. F., Lin Y. L., Hsu C. L., "Password-based Authenticated Multiparty Key Exchange Scheme with Privacy Preservation," in Proc. of 2012 International Conference on e-Commerce, e-Administration, e-Society, e-Education, and e-Technology (e-CASE & e-Tech 2012), March 30 - April 1, 2012.
[17] Wu S., Chen K., Zhu Y., "Enhancements of a three-party password-based authenticated key exchange protocol," The International Arab Journal of Information Technology, 10(3), pp. 215-221, 2013.
[18] Hsu C. L., Lin T. W., "Password authenticated key exchange protocol for multi-server mobile networks based on Chebyshev chaotic map," in Proc. of 2013 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), March 18-22, 2013, pp. 90-95.
[19] Farash M. S., Attari M. A., "An enhanced and secure three-party password-based authenticated key exchange protocol without using server's public-keys and symmetric cryptosystems," Information Technology And Control, 43(2), pp. 143-150, 2014. doi:10.5755/j01.itc.43.2.3790
[20] Lee Y., "Cryptanalysis and Improvement of a Password-Based Authenticated Three-Party Key Exchange Protocol," International Journal of Security and Its Applications, 8(4), pp. 151-160, 2014. doi:10.14257/ijsia.2014.8.4.14
[21] Amin R., Biswas G. P., "Cryptanalysis and Design of a Three-Party Authenticated Key Exchange Protocol Using Smart Card," Arabian Journal for Science and Engineering, pp. 1-15, 2015.
[22] Nam J., Choo K. K. R., Han S., Paik J., Won D., "Two-round password-only authenticated key exchange in the three-party setting," Symmetry, 7(1), pp. 105-124, 2015. doi:10.3390/sym7010105
[23] Wei F., Ma J., Ge A., Li G., Ma C., "A Provably Secure Three-Party Password Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems," Information Technology And Control, 44(2), pp. 195-205, 2015.
[24] Nguyen H. T. T., Guizani M., Minho J., Huh E. N., "An Efficient Signal-Range-Based Probabilistic Key Predistribution Scheme in a Wireless Sensor Network," IEEE Transactions on Vehicular Technology, 58(5), pp. 2482-2497, 2009. doi:10.1109/TVT.2008.2008191
[25] Nguyen H. T. T., Minho J., Nguyen T. D., Huh E. N., "A beneficial analysis of deployment knowledge for key distribution in wireless sensor networks," Security and Communication Networks, 5(5), pp. 485-495, 2012. doi:10.1002/sec.337
[26] Huang L. C., Hwang M. S., "Two-party authenticated multiple-key agreement based on elliptic curve discrete logarithm problem," International Journal of Smart Home, 7(1), pp. 9-18, 2013.
[27] Menezes A. J., Oorschot P. C., Vanstone S. A., "Handbook of Applied Cryptography," CRC Press Inc., Boca Raton, Florida, 1997.
[28] IEEE Std 1363-2000 Working Group, "IEEE Standard Specifications for Public Key Cryptography," The Institute of Electrical and Electronics Engineers, Inc., New York, 2000.
[29] Menezes A., "Elliptic curve public key cryptosystems," Kluwer Academic Publishers, Norwell, Massachusetts, 1993.
[30] Blake I., Seroussi G., Smart N., "Elliptic curves in cryptography," Cambridge University Press, Cambridge, United Kingdom, 1999.
[31] Koblitz N., Menezes A., Vanstone S., "The state of elliptic curve cryptography," Designs, Codes and Cryptography, 19(2), pp. 173-193, 2000. doi:10.1023/A:1008354106356
[32] Chen T. S., Hsu E. T., Yu Y. L., "A New Elliptic Curve Undeniable Signature Scheme," International Mathematical Forum, 1(31), pp. 1529-1536, 2006.
[33] Hankerson D., Hernandez J. L., Menezes A., "Software Implementation of Elliptic Curve Cryptography over Binary Fields," in Proc. of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2000, August 17-18, 2000, pp. 1-24.
[34] Contini S., Lenstra A. K., Steinfeld R., "VSH, an Efficient and Provable Collision-Resistant Hash Function," in Proc. of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology - EUROCRYPT 2006, May 28 - June 1, 2006, pp. 165-182.
[36] FIPS PUB 180-4, "Secure Hash Standard (SHS)," Information Technology Laboratory, National Institute of Standards and Technology (NIST), Gaithersburg, Maryland, 2015.