Advanced
A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment
A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment
KSII Transactions on Internet and Information Systems (TIIS). 2015. Feb, 9(2): 811-829
Copyright © 2015, Korean Society For Internet Information
  • Received : August 20, 2014
  • Accepted : December 16, 2014
  • Published : February 28, 2015
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Hongfeng Zhu

Abstract
One-way authenticated key agreement protocols, aiming at solving the problems to establish secure communications over public insecure networks, can achieve one-way authentication of communicating entities for giving a specific user strong anonymity and confidentiality of transmitted data. Public Key Infrastructure can design one-way authenticated key agreement protocols, but it will consume a large amount of computation. Because one-way authenticated key agreement protocols mainly concern on authentication and key agreement, we adopt multi-server architecture to realize these goals. About multi-server architecture, which allow the user to register at the registration center ( RC ) once and can access all the permitted services provided by the eligible servers. The combination of above-mentioned ideas can lead to a high-practical scheme in the universal client/server architecture. Based on these motivations, the paper firstly proposed a new one-way authenticated key agreement scheme based on multi-server architecture. Compared with the related literatures recently, our proposed scheme can not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. Finally, we give the security proof and the efficiency analysis of our proposed scheme.
Keywords
1. Introduction
A uthenticated key exchange (AKE) is one of the most important cryptographic components which is used for establishing an authenticated and confidential communication channel. Based on the number of participants, we can divide AKE protocols into three categories: two-party AKE protocols [1 - 3] , three-party AKE protocols [4] , and N -party AKE protocols [5 - 7] . Furthermore, based on the respective features in detail, the previous AKE protocols [3 - 17] can be classified many categories, we use two-party AKE protocols to set an example: such as using smart card [1] , password-based [1 - 2] , chaotic map-based [3] , ID-based [7] , anonymity [4 , 8] , secret sharing [9] and so on. Recently many researchers achieve AKE in the multi-server environment called multi-server authenticated key agreement (MSAKA) protocols. MSAKA protocols allow the user to register at the registration center (RC) once and can access all the permitted services provided by the eligible servers. In other words, users do not need to register at numerous servers repeatedly. MSAKA protocols mainly want to solve the problems in a traditional single server with authentication schemes [10] which lead to the fact that user has to register to different servers separately. On a macro level MSAKA protocols can be divided into three phases in chronological order: Creative Phase : The pioneer work in the field was proposed by Li et al. [11] in 2001. However, Lin et al. [12] pointed out that Li et al.’s scheme takes long time to train neural networks and an improved scheme based on ElGamal digital signature and geometric properties on the Euclidean plane has also been given. Development Phase : the main work in this phase is amended repeatedly. For example, Tsai [13] also proposed an efficient multi-server authentication scheme based on one-way hash function without a verification table. Because Tsai’s scheme only uses the nonce and one-way hash function, the problems associated with the cost of computation can be avoided in the distributed network environment. However, the literature [14] pointed out that Tsai’s scheme is also vulnerable to server spoofing attacks by an insider server and privileged insider attacks, and does not provide forward secrecy. Diversification Phase : the research emphasis shifts to functionality. Therefore, identity-based MSAKA protocols, based on bilinear pairings or elliptic curve cryptosystem (ECC) MSAKA protocols, dynamic identity-based MSAKA protocols and other MSAKA protocols came up recently [14] . Fig. 1 shows the history of AKE protocols development.
PPT Slide
Lager Image
History of AKE protocols development
However, most existing AKE or MSAKA protocols have emphasized mutual authentication, in which both parties authenticate themselves to their peer. There are many scenes need not mutual authentication at all and we just need one-way authentication. We can take some facts as examples which are shown in the Fig. 2 . (1) Readers-to-journalists model: Readers act upon the perceived reputation of a news source, so reputation is a valuable commodity for journalists. No further authentication is required and since the information is public, channel secrecy is not required and does not affect the actions of either party. (2) Patient-to-expert model: On Internet, patients requiring medical advice may wish to do so anonymously, while still ensuring the confidentiality of their request and assurance that the medical advice received comes from an authentic, qualified source.
PPT Slide
Lager Image
No need for mutual authentication environment on Internet
The key idea of one-way AKE is that one party wishes for no one to be able to determine his/her identity, including all the authorities. However, only a few protocols have considered the problem of one-way authentication. Goldberg [15] gave a specialized one-way AKE security definition for the Tor 1 authentication protocol. The literature [16] described an identity-based anonymous authenticated key exchange protocol but with a limited session key secrecy definition based on key recovery, not indistinguishability. Morrissey et al. [17] analyzed the security of the Transport Layer Security (TLS) protocol in the context of one-way authentication, but with specialized security definitions. Recently, Goldberg and Stebila [18] provided an intuitive set of goals and present a formal model that captures these goals. Usually, public key encryption can be used for one-way AKE protocols, for example by having the client encrypt a session key under the server's public key. This mechanism is widely used, for example in the RSA-based cipher suites in TLS [19] and in the KAS1 protocol in NIST SP800-56B [20] .
The main contributions are shown as below: The paper firstly presents a new one-way authentication key agreement scheme towards multi-server architecture. Furthermore, the proposed protocol is based on chaotic maps without using modular exponentiation and scalar multiplication on an elliptic curve. In Security aspect, the protocol can resist all common attacks, such as impersonation attacks, man-in-the-middle attacks, etc. About functionality, the protocol also has achieved some well-known properties, such as perfect forward secrecy and execution efficiency.
The rest of the paper is organized as follows: Some preliminaries are given in Section 2. Next, a one-way AKE towards multi-server architecture is described in Section 3. Then, the security analysis and efficiency analysis are given in Section 4 and Section 5. This paper is finally concluded in Section 6.
The Onion Router, an anonymous Internet communicaton system.
2. Preliminaries
- 2.1 Multi-server architecture
Fig. 3 shows the multi-server environment. In the multi-server environment [11] , each user must perform authentication procedure to login the server for a transaction. If the user is in a single authentication architecture, then the user must register at various servers and memorize the corresponding identifications and passwords, which could not be convenient for a user. In order to make the registration to various servers easier for users, each user must register with the registration center to obtain a secure account. Then the user uses the secure account to perform the login and authentication procedures with various servers.
PPT Slide
Lager Image
The multi-server communication architecture
- 2.2 Security requirements
Secure communication schemes for remote one-way authentication and session key agreement for the multi-server architecture should provide security requirements [24] :
(1) One-way authentication and key agreement: One-way authentication and key agreement refers to only one party authenticating the other suitably and getting the session key simultaneously.
(2) Impersonation attack: An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol.
(3) Man-in-the-middle attack: The man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
(4) Replay attack: A replay attack is a form of network attack in which a valid data transmission is repeated or delayed maliciously or fraudulently.
(5) Known-key security: Known-key security is that a protocol can protect the subsequent session keys from disclosing even if the previous session keys are revealed by the intendant user.
(6) Perfect forward secrecy: An authenticated key establishment protocol provides perfect forward secrecy if the compromise of both of the node’s secret keys cannot results in the compromise of previously established session keys.
(7) Session key security: A communication protocol exhibits session key security if the session key cannot be obtained without any long-term secrets.
(8) Resistance to stolen-verifier attacks: An adversary gets the verifier table from servers or RC by a hacking way, and then the adversary can launch any other attack which called stolen-verifier attacks.
(9) No verification table: there is no verification table at the RC or the server at all.
(10) Securely chosen password and time synchronization: Guarantee securely chosen password and no need for time synchronization among parties.
(11) Authentication: one way authentication or mutual authentication in different phase in our protocol.
3. The Proposed One-Way AKE towards Multi-Server Architecture
In this section, under the multi-server architecture, a chaotic maps-based one-way authentication key agreement scheme is proposed which consists of two phases: the servers registration phase, one-way authentication key agreement phase.
Remark 1 : Because our proposed protocol is a one-way authentication scheme, there is no password update phase for users in our protocol.
- 3.1 Notations and Chebyshev chaotic maps
In this section, any server i has its identity IDsi . Only RC has its identity IDRC and public key ( x , Tk ( x )) and a secret key k based on Chebyshev chaotic maps, a secure one-way hash function H (·), and a pair of secure symmetric encryption/decryption functions EK () / DK () with key K . The concrete notations used hereafter are shown in Table 1 .
Notations
PPT Slide
Lager Image
Notations
Let n be an integer and let x be a variable with the interval [-1,1] . The Chebyshev polynomial [21] Tn ( x ) : [-1,1] → [-1,1] is defined as Tn ( x ) = cos( n cos -1 ( x )). Chebyshev polynomial map Tn : R R of degree n is defined using the following recurrent relation:
PPT Slide
Lager Image
The first few Chebyshev polynomials are:
T 2 ( x ) = 2 x 2 - 1, T 3 ( x ) = 4 x 3 - 3 x , T 4 ( x ) = 8 x 4 - 8 x 2 + 1, ……
One of the most important properties is that Chebyshev polynomials are the so-called semi-group property which establishes that
PPT Slide
Lager Image
An immediate consequence of this property is that Chebyshev polynomials commute under composition
PPT Slide
Lager Image
In order to enhance the security, Zhang [22] proved that semi-group property holds for Chebyshev polynomials defined on interval (-∞,+∞). The enhanced Chebyshev polynomials are used in the proposed protocol:
PPT Slide
Lager Image
where n = ≥ 2, x ∈ (-∞,+∞), and N is a large prime number. Obviously,
PPT Slide
Lager Image
Definition 3.1. Semi-group property of Chebyshev polynomials:
Trs ( x ) = Tr ( Ts ( x )) = cos( r cos -1 ( s cos -1 ( x ))) = cos( rs cos -1 ( x )) = Ts ( Tr ( x )) = Tsr ( x )
Definition 3.2. Given x and y , it is intractable to find the integer s , such that Ts ( x ) = y . It is called the Chaotic Maps-Based Discrete Logarithm problem (CMBDLP).
Definition 3.3. Given x , Tr ( x ) and Ts ( x ), it is intractable to find Trs ( x ). It is called the Chaotic Maps-Based Diffie-Hellman problem (CMBDHP).
- 3.2 Servers registration phase
Concerning the fact that the proposed scheme mainly relies on the design of Chebyshev chaotic maps-based in multi-server architecture, it is assumed that the servers can register at the registration center in some secure way or by secure channel. The same assumption can be set up for servers. Fig. 4 illustrates the server registration phase.
PPT Slide
Lager Image
Server or a authenticated expert registration phase
Step 1. When a server(or an expert) wants to be a new legal service provider, she chooses her identity IDsi with her identification card in law. Then the server submits IDsi to the RC via a secure channel.
Step 2. Upon receiving IDsi from the server, the RC computers R = H ( IDsi || k ), where k is the secret key of RC . Then the server stores R in a secure way via a secure channel.
- 3.3 One-way authenticated key agreement phase
In this phase, one-way authenticated means that the server or the RC can be authenticated by the other two peers, but the user can not be authenticated by the the server or the RC to keep the user complete anonymity in the multi-server architecture. This concrete process is presented in the following Fig. 5 .
PPT Slide
Lager Image
One-way authenticated key agreement phase
Step 1. If Alice(assume Alice as an anonymous user) wishes to consult some personal issues establish with Si (or an expert) in a secure way, she will choose a random integer number a and a temporary session SIDA . Then the device of Alice will compute KA-RC = TaTk ( x ), HA = H ( SIDA || IDsi || Ta ( x ))), C 1 = EKA-RC ( SIDA || IDsi || HA ). After that, Alice sends m 1 = { SIDA , Ta ( x ), C 1 } to Si where she wants to get the server’s service.
Step 2. After receiving the message m 1 = { SIDA , Ta ( x ), C 1 } rom Alice, Si will do the following tasks to ask RC for helping Alice to authenticate itself: Si selects random ri and computes Tri ( x ) and C 2 = H ( IDSi )|| m 1 || R || Tri ( x )). And then sends the message m 2 to RC .
Step 3. Next, RC will help Alice to authenticate Si and verify the temporary information by helping them to compute the session key. After receiving the message m 2 = { IDSi , Tri ( x ), C 2 , m 1 }, RC will do the following tasks:
1) Authenticate Si : Based on IDSi , RC can compute R' = H ( IDSi || k ). Then RC computes C' 2 = H ( IDSi || m 1 || R' || Tri ( x )) and check if C' 2 ? = C 2 . If above equation holds, that means Si are legal participants in this instance because only Si own R .
(2) Confirm Si is the server that Alice wants to consult with: RC computes KRC-A = TkTa ( x ) and then decrypts C 1 to get SIDA || IDSi || HA . Next RC computes H'A = H ( SIDA || IDSi || Ta ( x )). RC verifies H'A ? = HA and checks if IDSi in the C 1 equals to IDSi in plaintext or not. If holds, that means Si is the server that Alice wants to consult with.
(3) Help Si and Alice to get the session key: RC computes C 3 = H ( IDRC || IDSi || m 1 || R || Tri ( x )), C 4 = EKRC-A ( IDRC || IDSi || m 1 || R || Tri ( x )|| HRC ) and HRC = H ( SIDA || IDSi || IDRC || Tri ( x )). Then RC sends the message IDRC , C 4 to Alice and sends the message IDRC , C 3 to Si .
If any authenticated process does not pass, the protocol will be terminated immediately.
Step 4. For Alice: After receiving the message IDRC , C 4 , Alice uses KA-RC to decrypt C 4 . Next Alice computes H'RC = H ( SIDA || IDSi || IDRC || Tri ( x )). Check if H'RC = HRC . If holds, Alice computes SK = TaTri ( x ). For Si : After receiving the message IDRC , C 3 , Si , computes C' 3 = H ( IDRC || IDSi || m 1 || R || Tri ( x )) and checks if C' 3 = C 3 . If holds, then Si computes SK = TriTa ( x ).
Remark 2 : We can view the servers and RC as an integrated system for the user, so from the perspective of the user, we adopt one-way authentication, that means only user authenticated the integrated system (the server and RC) but there is no authentication for the user. However, from the inside integrated system, for providing the reliable service in multi-server architecture, and we must make the server and RC to authenticate each other, that is the mutual authentication.
4. Security Analysis
The section analyzes the security of our proposed protocol. Let us assume that there are three secure components, including the two problems CMBDLP and CMBDHP cannot be solved in polynomial-time, a secure one-way hash function, and a secure symmetric encryption. Assume that the adversary has full control over the insecure channel including eavesdropping, recording, intercepting, modifying the transmitted messages.
- 4.1 Security proof of the proposed scheme
- (1) One-way authentication and key agreement
Definition 4.1. One-way authentication and key agreement refers to only one party authenticating the other suitably and getting the session key simultaneously.
Theorem 4.1. The proposed protocol can achieve one-way authentication and key agreement .
Proof: In our proposed protocol, one-way authentication means that RC helps Alice (an anonymous user) to authenticate Si . So we can divide the one-way authentication process into three steps:
(a) Alice authenticates RC : Because only RC has the secret k , RC can computes KRC-A = TkTa ( x ) which equals to KA-RC = TaTk ( x ). So if Alice decrypts C 4 to get the ecessary information and check if H'RC = HRC . If above equation is equal, then that means Alice authenticates RC .
(b) RC and Si authenticate each other: We can use the shared key R to achieve the task. Firstly, based on IDSi , RC can compute R' = H ( IDSi || k ) by its private key k . Then RC computes C' 2 = H ( IDSi || m 1 || R' || Tri ( x )) and checks if C' 2 = C 2 . If above equation is equal, then that means RC authenticates Si . After receiving the messages { IDRC , C 3 }, Si . computes C' 3 = H ( IDRC || IDSi || m 1 || R || Tri ( x )) and chesks if C' 3 = C 3 . If holds, we can say Si authenticates RC .
(c) Alice authenticates Si : If Alice already authenticates RC , then she can authenticate Si based on the information IDRC || IDSi || m 1 || Tri ( x )|| HRC which were decrypted by RC in C 4 . The trust flow is Alice → RC Si .
As for the key agreement, after authenticating each other, the temporary Ta ( x ), Tri ( x ) and the SIDA || IDSi || IDRC were already authenticated by RC . So finally Alice and Si can make the key agreement simultaneously.
- (2) Impersonation attack
Definition 4.2. An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol.
Theorem 4.2. The proposed protocol can resist impersonation attack .
Proof: An adversary cannot impersonate anyone of the Si and RC . The proposed scheme has already authenticated each other between Si And RC , and Alice authenticates Si and RC (in section 4.1.(1)) based on the secrets k , R and the nonces a , ri . So there is no way for an adversary to have a chance to carry out impersonation attack.
Remark 3 : Because Alice is an anonymous user, an adversary impersonates “Alice” is meaningless for the Si and RC .
- (3) Man-in-the-middle attack
Definition 4.3. The man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Theorem 4.3. The proposed protocol can resist Man-in-the-middle attack .
Proof: Because Ci (1 ≤ i ≤ 4) contain the participants’ identities or an anonymous user’s temporary session ID, a man-in-the-middle attack cannot succeed
- (4) Replay attack
Definition 4.4. A replay attack is a form of network attack in which a valid data transmission is repeated or delayed maliciously or fraudulently.
Theorem 4.4. The proposed protocol can resist replay attack .
Proof: That any message of Alice was replayed by an adversary is meaningless. Because “Alice” is an anonymous user, the adversary can as an anonymous user to initiate the protocol legally as his wish.
For the messages between Si and RC , an adversary cannot start a replay attack against our scheme because there were the fresh nonces a , ri in each session. If Ta ( x ) and Tri ( x ) have appeared before or the status shows in process, any of the participants in instance protocol will reject the session request. If the adversary wants to launch the replay attack successfully, it must compute and modify Ta ( x ) and Tri ( x ) and Ci (1 ≤ i ≤ 4) correctly which is impossible.
- (5) Known-key security
Definition 4.5. Known-key security is that a protocol can protect the subsequent session keys from disclosing even if the previous session keys are revealed by the intendant user.
Theorem 4.5. The proposed protocol can achieve known-key security .
Proof: Since the session key SK = Ta Tri ( x ) = Tri Ta ( x ) is depended on the random nonces a and ri , and the generation of nonces is independent in all sessions, an adversary cannot compute the previous and the future session keys when the adversary knows one session key. And in the secrets update phase, any session key is only used once, so it has known-key security attribute.
- (6) Perfect forward secrecy
Definition 4.6. An authenticated key establishment protocol provides perfect forward secrecy if the compromise of both of the node’s secret keys cannot results in the compromise of previously established session keys.
Theorem 4.6. The proposed protocol can achieve perfect forward secrecy .
Proof: In the proposed scheme, the session key SK = Ta Tri ( x ) = Tri Ta ( x ) is related with a and ri , which were randomly chosen by Alice and the server Si respectively. So any session key has not related with the secret key (such as k ) of each of participants. Furthermore, because of the intractability of the CMBDLP and CMBDHP problem, an adversary cannot compute the previously established session keys.
- (7) Session key security
Definition 4.7. A communication protocol exhibits session key security if the session key cannot be obtained without any long-term secrets.
Theorem 4.7. The proposed protocol can achieve session key security .
Proof: In the authenticated key agreement phase, a session key SK is generated from a and ri . These parameter values are different in each session, and each of them is only known by Alice and Si . Whenever the communication ends between Si and Alice, the key will immediately self-destruct and will not be reused. Therefore, assuming the attacker has obtained a session key, and Alice will be unable to use this session key to decode the information in other communication processes. Because the random point elements a and ri are all generated randomly and are protected by the CMBDLP, CMBDHP, and the secure symmetric encryption, a known session key cannot be used to calculate the value of the next session key. Additionally, since the values a and ri of the random elements are very large, attackers cannot directly guess the values a and ri of the random elements to generate session key. Therefore, the proposed scheme provides session key security.
- (8) Resistance to stolen-verifier attacks
Definition 4.8. An adversary gets the verifier table from servers or RC by a hacking way, and then the adversary can launch any other attack which called stolen-verifier attacks.
Theorem 4.8. The proposed protocol can resistance to stolen-verifier attacks .
Proof: In the proposed scheme, neither the server nor the registration center maintains any verification table. Thus, the stolen-verifier attack is impossible to initiate in the proposed scheme.
Remark 4: One-way authentication AKE means that there is no verification table at the RC or the server at all. And securely chosen password is also no need for our protocol. Because our protocol is based on nonces, there is no need for time synchronization.
From the Table 2 , we can see that the proposed scheme can provide secure session key agreement, perfect forward secrecy and so on. As a result, the proposed scheme is more secure and has much functionality compared with the recent related scheme.
Security of our proposed protocol
PPT Slide
Lager Image
Security of our proposed protocol
Remark 5: Some qualitatively discuss about the difference between the proposed scheme and [26 - 29] as followed: (1) Our protocol is one way authentication AKE for users, so only servers need to registration at the RC . (2) About authentication, one-way authentication for users and mutual authentication for server and RC (see Remark 2 ). (3) Our proposed protocol can hold the security S1-S12 , but the [26 - 29] have some defects. (4) Our protocol is anonymity, and [28 - 29] only assure ID hiding, and [26 - 27] have no privacy protect at all. The main differences about anonymity and ID hiding, and please see the Appendix.
- 4.2 The provable security of the proposed scheme
We recall the definition of session-key security in the authenticated-links adversarial model of Canetti and Krawczyk [25] . The basic descriptions are shown in Table 3 .
Descriptions the model of Canetti and Krawczyk
PPT Slide
Lager Image
Descriptions the model of Canetti and Krawczyk
We allow the adversary access to the queries SessionStateReveal, SessionKeyReveal , and Corrupt .
(1) SessionStateReveal(s) : This query allows the adversary to obtain the contents of the session state, including any secret information. s means no further output.
(2) SessionKeyReveal(s) : This query enables the adversary to obtain the session key for the specified session s , so long as s holds a session key.
(3) Corrupt(Pi) : This query allows the adversary to take over the party Pi , including long-lived keys and any session-specific information in Pi ’s memory. A corrupted party produces no further output.
(4) Test(s) : This query allows the adversary to be issued at any stage to a completed, fresh, unexpired session s . A bit b is then picked randomly. If b = 0, the test oracle reveals the session key, and if b = 1, it generates a random value in the key space. The adversary Λ can then continue to issue queries as desired, with the exception that it cannot expose the test session. At any point, the adversary can try to guess b . Let GoodGuess Λ ( k ) be the event that the adversary Λ correctly guesses b , and we define the advantage of adversary Λ as
PPT Slide
Lager Image
where k is a security parameter.
A session s is locally exposed with Pi : if the adversary had issued SessionStateReveal(s) , SessionKeyReveal(s) , Corrupt(Pi) before s would have expired.
Definition 4.9. An authenticator exchange protocol ∏ 1 in security parameter k is said to be authentication secure in the adversarial model of Canetti and Krawczyk if for any polynomial-time adversary Λ,
PPT Slide
Lager Image
(1) If two uncorrupted parties have completed matching sessions, these sessions produce the same key as output;
(2) Advantage Λ ( k ) is negligible.
Theorem 4.9. Under the CMBDHP assumption, using the 1 to compute an authenticator is authentication secure in the adversarial model of Canetti and Krawczyk [25] .
Proof. The proof is based on the proof given by Refs. [25] . There are two uncorrupted parties in matching sessions output the same session key, and thus the first part of Definition 4.9. is satisfied. To show that the second part of the definition is satisfied, assume that there is a polynomial-time adversary Λ with a non-negligible advantage ε in standard model. We claim that Algorithm 1 forms a polynomial-time distinguisher for CMBDHP having non-negligible advantage.
Probability analysis . It is clear that Algorithm 1 runs in polynomial time and has non-negligible advantage. There are two cases where the r -th session is chosen by Λ as the test session: (1) If the r -th session is not the test session, then Algorithm 1 outputs a random bit, and thus its advantage in solving the CMBDHP is 0. (2) If the r -th session is the test session, then Λ, will succeed with advantage ε , since the simulated protocol provided to Λ is indistinguishable from the real protocol. The latter case occurs with probability 1/ k , so the overall advantage of the CMBDHP distinguisher is ε / k , which is non-negligible.
Definition 4.10. A composable key exchange protocol П 2 in security parameter k is said to be session-key secure in the adversarial model of Canetti and Krawczyk if for any polynomial-time adversary Λ,
PPT Slide
Lager Image
(3) If two uncorrupted parties have completed matching sessions with pre-distributed parameter, these sessions produce the same key as output;
(4) Advantage Λ ( k ) is negligible.
Theorem 4.10. Under the CMBDHP assumption, using the 2 to compute session key is session-key secure in the adversarial model of Canetti and Krawczyk [25] .
Proof . The proof’s process is similar to Theorem 4.9. The protocol П 2 is the composable instance of protocol multiple П 1 . Since Theorem 4.9 is session-key secure, the protocol П 2 is also session-key secure.
Probability analysis . It is similar to Algorithm 1 . If we assume that Algorithm 2 forms a polynomial-time distinguisher for CMBDHP having non-negligible advantage, the overall advantage of the proposed protocol simulator with authenticated parameter is ε / k which is also non-negligible. Because the protocol П 2 chooses different parameters to structure session keys in different phase which are secure independence of protocol П 1 .
5. Efficiency Analysis
Compared to RSA and ECC, Chebyshev polynomial computation problem offers smaller key sizes, faster computation, as well as memory, energy and bandwidth savings. In our proposed protocol, no time-consuming modular exponentiation and scalar multiplication on elliptic curves are needed. However, Wang [21] proposed several methods to solve the Chebyshev polynomial computation problem. For convenience, some notations are defined as follows.
  • Thash: The time for executing the hash function;
  • Tsym: The time for executing the symmetric key cryptography;
  • TXOR: The time for executing the XOR operation;
  • TExp: The time for a modular exponentiation computation;
  • TCH: The time for executing theTn(x) modpin Chebyshev polynomial using the algorithm in literature[30].
To be more precise, on an Intel Pentium4 2600 MHz processor with 1024 MB RAM, where n and p are 1024 bits long, the computational time of a one-way hashing operation, a symmetric encryption/decryption operation, an elliptic curve point multiplication operation and Chebyshev polynomial operation is 0.0005s, 0.0087s, 0.063075s and 0.02102s separately [30] . Moreover, the computational cost of XOR operation could be ignored when compared with other operations.
Table 4 shows performance comparisons between our proposed scheme and the literature of [26 - 29] in multi-server architecture. Therefore, as in Table 4 the concrete comparison data as follows:
Efficiency of our proposed scheme
PPT Slide
Lager Image
Efficiency of our proposed scheme
(1) The concrete computation cost. Based on the [21] [30] , the conclusions can be drawn with different phase as follows:
Phase A: The computation cost of our proposed protocol is zero. And the computation cost of the literatures [26 - 29] is about 0.001s, 0.001s, 0.0025s, and 0.004s respectively.
Phase B: The computation cost of our proposed protocol is the same as all the related literature [26 - 29] which is about 0.0005s.
Phase C: The computation cost of our proposed protocol is about 1T sym + 1T hash + 1T CH ≈ 0.03022s. And the computation cost of the literatures [26 - 29] is about 0.064075s, 0.0005s, 0.0015s, and 0.0035s respectively.
Phase D: The computation cost of our proposed protocol is about 8T hash +3T CH +2T sym ≈ 0.08443s. And the computation cost of the literatures [26 - 29] is about 0.193725s, 0.008s, 0.0045s, and 0.0075s respectively.
Phase E: The computation cost of our proposed protocol is zero. And the computation cost of the literatures [26 - 29] is about 0.001s, 0.001s, 0.002s, and 0.002s respectively.
Total: The computation cost of our proposed protocol is 0.11415s. And the computation cost of the literatures [26 - 29] is about 0.2603s, 0.011s, 0.011s, and 0.0175s respectively.
(2) The concrete communication cost. The communication round of our proposed protocol is equal to the literature [28] , and reduced by about 25%, 57%, and 40% with the literature [26] [27] [29] respectively.
(3) Comparisons and Reasons
(a) The total computation cost of our proposed protocol is lower than the literatures [26] . The main reason is that the literatures [26] adopted modular exponentiation computation. At the same time, the literatures [26] cannot provide privacy protection for a user.
(b) The total computation cost of our proposed protocol is higher than the literatures [27 - 29] . Furthermore, the communication round of our proposed protocol is superior to the literature [27] [29] and is equal to the literature [28] . The reasons are: one reason is our protocol mainly adopts Chebyshev chaotic maps but the literatures [27 - 29] mainly adopts one way hash funciton. At the same time, Chebyshev chaotic maps has more attributes which leading to reduce communication rounds. Furthermore, from the perspective of security, our protocol is more secure than the literatures [27 - 29] . From the Table 3 , we can see that the literatures [26 - 29] cannot resist many attacks and the literatures [28 - 29] cannot afford any authentication method. Therefore, as in Table 3 and Table 4 , we can draw a conclusion that the proposed scheme has achieved the balance of efficiency and security.
There are few one-way AKE schemes. The literature [17] was a security analysis of the TLS handshake protocol which has some context was related with one-way AKE protocol, but there was no a concrete protocol process. So this paper choose the literature [18] as a compared paper. For simplify, we just compare with the literature [18] about authentication phase. Table 5 presents the effciency in term of modular exponentiations(T Exp ), chebyshev polynomial(T CH ) and symmetric key cryptography(T sym ) computation of relevant one-way authentication key agreement protocol [18] . Therefore, from Table 5 we can see that the our proposed scheme has achieved the tight security and good efficiency. The tight security will be given in Section 4.2. Our protocol is more efficient than the literature [18] because chebyshev polynomial and symmetric key cryptography computation is more efficient than modular exponentiations computation, and our protocol chooses the former algorithms. Moreover, our proposed scheme possesses expandability because it is realized in multi-server architecture.
Efficiency in terms of modular exponentiations and chebyshev polynomial
PPT Slide
Lager Image
Efficiency in terms of modular exponentiations and chebyshev polynomial
6. Conclusion
This work provides a new approach to one-way authenticated key establishment towards multi-server architecture. The core ideas of the proposed scheme are the mutual authentication between the servers and RC and the anonymity for the users. Subsequently, we explain the practical motivations for authentication and secrecy assurances of parties engaging in one-way AKE protocols and some related terms. Based on our discussion we proposed a suitable protocol that covers those goals and offered an efficient protocol that formally meets the proposed security definition. Finally, after comparing with related literatures (multi-server schemes and one-way protocols) respectively, we found our proposed scheme has satisfactory security, efficiency and functionality. Therefore, our protocol is more suitable for practical applications.
BIO
Hongfeng Zhu obtained his Ph.D. degree in Information Science and Engineering from Northeastern University. Hongfeng Zhu is a full associate professor of the Kexin software college at Shenyang Normal University. He is also a master's supervisor. He has research interests in wireless networks, mobile computing, cloud computing, social networks, network security and quantum cryptography. Other things that interest him are number theory and the investigation of mathematics for designing secure and efficient cryptographic schemes. Dr. Zhu had published more than 60 international journal and international conference papers on the above research fields.
References
Lamport L 1981 “Password authentication with insecure communication,” Commun ACM 24 (11) 770 - 772    DOI : 10.1145/358790.358797
Katz Jonathan , MacKenzie Philip , Taban Gelareh , Gligor Virgil 2005 “Two-server password-only authenticated key exchange,” Applied Cryptography and Network Security 3531 1 - 16
Baptista M. S. 1998 “Cryptography with chaos,” Physics Letters A 240 (1) 50 - 54    DOI : 10.1016/S0375-9601(98)00086-3
Lee C , Li C , Hsu C 2013 “A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps,” Nonlinear Dyn 73 125 - 132    DOI : 10.1007/s11071-013-0772-4
Bresson E. , Chevassut O. , Pointcheval D. 2002 “Group Diffie-Hellman key exchange secure against dictionary attack,” Asiacrypt 2501 497 - 514
Li Hui , Wu Chuan-Kun , Sun Jun 2010 “A general compiler for password-authenticated group key exchange protocol,” Information Processing Letters 160 - 167    DOI : 10.1016/j.ipl.2009.11.013
Wu T.Y. , Tseng Y.M. , Tsai T.T. 2012 “A revocable ID-based authenticated group key exchange protocol with resistant to malicious participants,” Computer Networks 56 (12) 2994 - 3006    DOI : 10.1016/j.comnet.2012.05.011
Tseng H , Jan R , Yang W “A chaotic maps-based key agreement protocol that preserves user anonymity,” in Proc. of IEEE International Conference on Communications (ICC09) 2009 1 - 6
Di Raimondo M. , Gennaro R. 2006 “Provably secure threshold password-authenticated key exchange,” System Sci 72 (6) 978 - 1001    DOI : 10.1016/j.jcss.2006.02.002
Khan MK , Zhang J 2007 “Improving the security of a flexible biometrics remote user authentication scheme,” Comput Stand Interfaces 29 (1) 82 - 85    DOI : 10.1016/j.csi.2006.01.002
Li LH , Lin IC , Hwang MS 2001 “A remote password authentication scheme for multi-server architecture using neural networks,” IEEE Transactions on Neural Networks 12 (6) 1498 - 1504    DOI : 10.1109/72.963786
Lin I C , Hwang MS , Li LH 2003 “A new remote user authentication scheme for multi-server architecture,” Future Generation Computer Systems 19 (1) 13 - 22    DOI : 10.1016/S0167-739X(02)00093-6
Tsai JL 2008 “Efficient multi-server authentication scheme based on one-way hash function without verification table,” Comput Secur 27 (3-4) 115 - 121    DOI : 10.1016/j.cose.2008.04.001
Ravi SP , Jaidhar CD , Shashikala T 2013 “Robust Smart Card Authentication Scheme for Multi-server Architecture,” Wireless Pers Commun 72 (1) 729 - 745    DOI : 10.1007/s11277-013-1039-6
Goldberg Ian 2006 “On the security of the Tor authentication protocol, In George Danezis and Philippe Golle,”Privacy Enhancing Technologies (PET) LNCS 4258 316 - 331
Kate Aniket , Zaverucha Greg M. , Goldberg Ian 2010 “Pairing-based onion routing with improved forward secrecy,” ACM Transactions on Information and System Security 13 (4) 29 -    DOI : 10.1145/1880022.1880023
Morrissey Paul , Smart Nigel P. , Warinschi B. “A modular security analysis of the TLS handshake protocol,” Advances in Cryptology-Proc 2008 vol. 5350 55 - 73
Goldberg Ian , Stebila Douglas , Ustaoglu Berkant 2013 “Anonymity and one-way authentication in key exchange protocols,” Codes Cryptogr 67 245 - 269    DOI : 10.1007/s10623-011-9604-z
Dierks Tim , Allen Christopher 1999 The TLS protocol version 1.0
NIST National Institute of Standards and Technology 2009 “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography,” Special Publication 800-56B
Wang X , Zhao J 2010 “An improved key agreement protocol based on chaos,” Commun. Nonlinear Sci. Numer. Simul 15 4052 - 4057    DOI : 10.1016/j.cnsns.2010.02.014
Zhang L 2008 “Cryptanalysis of the public key encryption based on multiple chaotic systems,” Chaos Solitons Fractals 37 (3) 669 - 674    DOI : 10.1016/j.chaos.2006.09.047
Pfitzmann Andreas , Hansen Marit 2010 “A terminology for talking about privacy by dataminimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management,”
Ravi SP , Jaidhar CD , Shashikala T 2013 “Robust Smart Card Authentication Scheme for Multi-server Architecture,” Wireless Pers Commun 72 729 - 745    DOI : 10.1007/s11277-013-1039-6
Canetti Ran , Krawczyk Hugo “Analysis of key-exchange protocols and their use for building secure channels,” EUROCRYPT 2001 Vol. 2045 of Lecture Notes in Computer Science 453 - 474
Chen Te-Yu Chen , Lee Cheng-Chi , Hwang Min-Shiang , Jan Jinn-Ke 2013 “Towards secure and efficient user authentication scheme using smart card for multi-server environments,” J Supercomput 66 (2) 1008 - 1032    DOI : 10.1007/s11227-013-0966-z
Tsai JL 2008 “Efficient multi-server authentication scheme based on one-way hash function without verification table,” Comput Secur 27 (3-4) 115 - 121    DOI : 10.1016/j.cose.2008.04.001
Liao YP , Wang SS 2009 “A secure dynamic ID based remote user authentication scheme for multiserver environment,” Comput Stand Interfaces 31 (1) 24 - 29    DOI : 10.1016/j.csi.2007.10.007
Hsiang HC , Shih WK 2009 “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Comput Stand Interfaces 31 (6) 1118 - 1123    DOI : 10.1016/j.csi.2008.11.002
Kocarev L , Lian S 2011 “Chaos-Based Cryptography: Theory, Algorithms and Applications,” 53 - 54