Authenticated Diffie-Hellman Key Agreement Scheme That Protects Client Anonymity and Achieves Half-Forward Secrecy

Hindawi Publishing Corporation Mobile Information Systems Volume 2015, Article ID 354586, 7 pages http://dx.doi.org/10.1155/2015/354586

Research Article Authenticated Diffie-Hellman Key Agreement Scheme that Protects Client Anonymity and Achieves Half-Forward Secrecy

Hung-Yu Chien

Department of Information Management, National Chi-Nan University, 470 University Road, Puli, Nantou, Taiwan

Correspondence should be addressed to Hung-Yu Chien; [email protected]

Received 3 January 2015; Revised 30 March 2015; Accepted 12 April 2015

Academic Editor: Francesco Gringoli

Copyright © 2015 Hung-Yu Chien. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Authenticated Diffie-Hellman key agreement (D-H key) is the de facto building block for establishing secure session keys inmany security systems. Regarding the computations of authenticated D-H key agreement, the operation of modular exponentiation is the most expensive computation, which incurs a heavy loading on those clients where either their computational capacities or their batteries are limited and precious. As client’s privacy is a big concern in several e-commerce applications, it is desirable to extend authenticated D-H key agreement to protect client’s identity privacy. This paper proposes a new problem: the modified elliptic curves computational Diffie-Hellman problem (MECDHP) and proves that the MECDHP is as hard as the conventional elliptic curves computational Diffie-Hellman problem (ECDHP). Based on the MECDHP, we propose an authenticated D-H key agreement scheme which greatly improves client computational efficiency and protects client’s anonymity from outsiders. This new scheme is attractive to those applications where the clients need identity protection and lightweight computation.

1. Introduction their computing capacities or their batteries are limited. Such clients are called thin clients in the rest of this paper. Even Authentication is an essential security; however, many exis- a native D-H key scheme (not including authentication of tent authentication schemes either did not provide key communicating parties) that uses the CDHP requires of each agreement during authentication [1–3], did not protect client party two modular exponentiations, and the corresponding privacy [4], or required many expensive modular expo- version over elliptic curves would require of each party two nentiations [4–16]. Authenticated key agreement aims at point multiplications. Generally an authenticated version simultaneously providing authentication of communicating of D-H key scheme or an extended version of D-H key parties and establishing secure session keys. Nowadays it is very easy for any network operators or even outsiders to scheme which protects client’s anonymity would require collect users’ behavior and violate their privacy when they more modular exponentiations or more point multiplications surf the Internet if key agreement schemes do not protect [9–12, 14–16, 20], respectively. It is, therefore, important to users’ identities. It is, therefore, imperative to design key reduce the number of exponentiation computations/point mul- agreement schemes which protect client’s identity. With such tiplications for those thin clients.In2014,Chien[4]formulated schemes, users’ privacy can be protected when they enjoy the modified computational D-H problem (MCDHP) and Internet activities, e-commerce or m-commerce transactions. proposed an authenticated D-H key agreement scheme, using Conventionally, the computational Diffie-Hellman prob- theMCDHP.Thescheme[4] effectively reduced the number lem over Galis field (called CDHP) and the same problem of modular exponentiations but it did not protect client’s over elliptic curves (called ECDHP) are the most popu- anonymity. lar building blocks for many authenticated key agreement Conventionally, key agreement schemes transmit par- schemes [4–8, 10–19], owing to their hardness. However, ticipants’ identities in plaintext. As privacy has been a big the modular exponentiation computations over Galis field concern in many applications, it is desirable to protect or the point multiplications over elliptic curves impose a participants’ identities during the key agreement process. heavy computational stress on those clients where either Such kinds of key agreement schemes are called authenticated 2 Mobile Information Systems

key agreement schemes with client anonymity (or simply the pointatinfinity), where 𝑥, 𝑦𝑃 ∈𝑍 satisfy the equation 2 3 an anonymous authenticated key agreement). Chien [12] 𝑦 ≡𝑥 +𝑎𝑥+𝑏(mod𝑝) (𝑎, 𝑏𝑝 ∈𝑍 are constants, such that classified four types of two-party key agreement schemes, 3 2 4𝑎 + 27𝑏 =0̸ mod 𝑝). Two points 𝑃=(𝑥1,𝑦1) and 𝑄= according to the protection of participants’ anonymity. Type 1: (𝑥2,𝑦2) on the elliptic curve 𝐸 canbeaddedtogetherusing the privacy of identities of two communicating parties is not the following rule: if 𝑥2 =𝑥1 and 𝑦2 =−𝑦1,then𝑃+𝑄=𝑂; protected; this type corresponds to those conventional two- 2 otherwise, 𝑃+𝑄=(𝑥3,𝑦3),where𝑥3 =𝜆 −𝑥1 −𝑥2 mod 𝑝, party key agreement schemes. Type 2: the client’s identity is 𝑦3 = 𝜆(𝑥1 −𝑥3)−𝑦1 mod 𝑝,and𝜆=(𝑦2 −𝑦1)/(𝑥2 −𝑥1) if protected from the outsiders, but the identity of the server 2 𝑃 =𝑄̸ or 𝜆 = (3𝑥1 + 𝑎)/(2𝑦1) if 𝑃=𝑄. isnotprotected.Type3:theclient’sidentityisprotected from the outsiders, but the anonymity of the server is only Definition 1. The computational elliptic curve Diffie-Hellman protected from unregistered entities. The scenarios for such problem (ECDHP) is as follows: given an elliptic curve over a a type are like that; in a mission-oriented ad hoc network, finite field 𝐹𝑝,apoint𝑃∈𝐸(𝐹𝑝) of order q and points 𝐴=𝑎𝑃 the clients and the servers want to protect their identities and 𝐵=𝑏𝑃∈⟨𝑃⟩find the point 𝐶=𝑎𝑏𝑃. from outsiders, while all the preregistered clients know the IP address or MAC address of the servers. Type 4: both Now we formulate a new problem called the modi- the identity of the client and the identity of the server fied computational elliptic curve Diffie-Hellman problem are protected from outsiders. Type 2 is the most popular (MECDHP) as follows. one for authenticated key agreement schemes that protect participant’s anonymity, because it corresponds to the cases Definition 2. The modified computational elliptic curve Diffie- where clients want to protect their anonymity from outsiders. Hellman problem (the MECDHP) is as follows: given an In this paper, we focus on authenticated two-party key elliptic curve over a finite field 𝐹𝑝,apoint𝑃∈𝐸(𝐹𝑝) of order agreement for Type 2 cases and aim to improve client’s 𝑞, 𝑎+𝑥, and points 𝐴=𝑥𝑃and 𝐵=𝑏𝑃∈⟨𝑃⟩find the point computational efficiency. 𝐶=𝑎𝑏𝑃. Authentication with anonymity protection is a popular topic, and there are some popular techniques for achieving WeprovethehardnessoftheMECDHPtobeashardas client’s anonymity during authentication process. Chien [2] the ECDHP as follows. classifies existent techniques into four categories: proba- bilistic encryption-based scheme like the OAKley protocol Theorem 3. The MECDHP is as hard as the ECDHP. [13], pseudonym-based schemes like [20], hash-chain-based scheme like Ohkubo et al.’s scheme [1], and error-correction- Proof. We prove this by reduction. codes-based scheme like [2, 3]. It is challenging to extend (1) The MECDHP Is Reduced to the ECDHP. Givenaninstance the existent CDHP-based key agreement schemes like [5– 𝑥+𝑎 𝑃 𝑥𝑃 𝑏𝑃 7, 13] (or ECDHP-based schemes like [8]) to their anonymous of the MECDHP problem ( , , ,and ), we can compute (𝑥+𝑎)𝑃−𝑥𝑃= 𝑎𝑃and get the instance (𝑃, 𝑎𝑃, versions and reduce the modular exponentiation load (or the 𝑏𝑃 point multiplication load). In this paper, we first formulate a and ) for the ECDHP. Assume there is one oracle that can answer the ECDHP. Now we input the instance (𝑃, 𝑎𝑃,and modified ECDHP (MECDHP) and prove its security. Then 𝑏𝑃 𝑎𝑏𝑃 we propose a new authenticated two-party key agreement ) to the oracle, and we get the answer . scheme with client anonymity, based on the MECDHP (2) The ECDHP Is Reduced to the MECDHP. Assume there is problem and Ohkubo et al.’s hashing chain technique [1]. The one oracle that can answer the MECDHP: given (𝑥+𝑎, 𝑃, 𝑥𝑃, new scheme protects client anonymity, effectively reduces the and 𝑏𝑃), it outputs 𝑎𝑏𝑃. computational load for client, and preserves the strong security Now given an instance of the CDHP (𝑃, 𝑎𝑃,and𝑏𝑃), we of the ECDHP. then choose a random value t andinputtheinstance(t, 𝑃, The rest of this paper is organized as follows. Section 2 𝑎𝑃,and𝑏𝑃) to the MECDHP oracle. The oracle will answer introduces the MECDHP and proves its security. Section 3 𝑏(𝑡𝑃 − 𝑎𝑃) = 𝑏(𝑡 − 𝑎)𝑃. =𝑡𝑏𝑃−𝑎𝑏𝑃 Using the response, we proposes our new scheme. Section 4 examines its security and can derive −(𝑡𝑏𝑃 − 𝑎𝑏𝑃 − 𝑡(𝑏𝑃)) = −(−𝑎𝑏𝑃).Thatis, =𝑎𝑏𝑃 evaluates its performance. Section 5 states our conclusions we get the answer for the ECDHP problem (𝑃, 𝑎𝑃,and𝑏𝑃). and discussions. Basedontheabovearguments,weprovethetheo- rem. 2. The MECDHP Problem and the Security Requirements Now we introduce the model and discuss the security In this section, we first propose the MECDHP and prove requirements of authenticated D-H key agreement scheme its security. Then we introduce the model and discuss the with client anonymity as follows. Our model consists of three security requirements of an authenticated key agreement kinds of entities: clients, servers, and outsiders. Clients would scheme with client anonymity. like to establish secure session keys with servers via key agreement schemes and their identities should not be learned Elliptic Curves over 𝐺𝐹(𝑝). Anonsupersingularellipticcurve by any outsiders. An outsider can actively manipulate the 𝐸(𝐹𝑝) is the set of points 𝑃 = (𝑥, 𝑦) and the point 𝑂 (called communications via replay, modification, or interception. Mobile Information Systems 3

(1) Consider Mutual authentication of client and server The scheme consists of two phases: initial phase and key and resistance to various attacks like replay attack, imper- agreement phase. sonation attack, man-in-the-middle attack, and known key attack. The Initialization Phase. Each registered client 𝐶 shares its (2) Consider Partial forward secrecy and perfect forward identity ID𝐶 and public key 𝑃𝐶 with the server S,where𝑆 secrecy. Here partial forward secrecy requires that even if keeps two values ID𝐶,old and ID𝐶,new to track the dynamically we assume one party’s long-term private key is disclosed changing identity of the client. Both ID𝐶,old and ID𝐶,new are someday, the previous communications (the session keys initialized as ID𝐶. Each client keeps the identity and the before the disclosure) are still secure. If partial forward public key 𝑃𝑆 of the server. secrecy is preserved only when one specific party’s private key is compromised but it does not hold for the other party, The Key Agreement Phase. then it is called half forward secrecy. While perfect forward requires that even if we assume both of the two parties’ (1) 𝑆→𝐶:ID𝑆,𝑌. long-term private keys are disclosed someday, the previous 𝑦∈ 𝑍∗ communications (the session keys before the disclosure) are The server randomly chooses an integer 𝑅 𝑞 , 𝑌=𝑦𝑃 ,𝑌 still secure. computes , and sends (ID𝑆 )totheclient. (3) Anonymity of the client: the identities of clients should 𝐶→𝑆𝑔( ), 𝑐 + 𝑥, be well protected from outsiders. (2) : ID𝐶 Auth𝐶. ∗ The client chooses a random integer 𝑥∈𝑅𝑍𝑞 and 3. New Authenticated D-H Key Agreement computes 𝐾𝐶,𝑆 =𝑥𝑌, 𝐵𝐿 =𝑆 𝑥𝑃 ,andAuth𝐶 = ℎ((𝑃𝐶 + Scheme with Client Anonymity 𝐾𝐶,𝑆)⊕𝐵𝐿).Hesends(𝑔(ID𝐶), 𝑐 + 𝑥, Auth𝐶)tothe server. We introduce the following notations. We will omit the mod 𝑞 operation in the rest of this paper to simplify the presentation (3) 𝑆→𝐶:Auth𝑆. when the context is clear. Upon receiving the client’s data, the server first The Notations. searchesitsdatabasetolookuptheentrythatsatisfies ? ? either 𝑔(ID𝐶) =𝑔(ID𝐶, ) or 𝑔(ID𝐶) =𝑔(ID𝐶, ). 𝐸(𝐹𝑝), P,andq are as follows: 𝐸(𝐹𝑝) is an elliptic curve old new The matched entry (ID𝐶, or ID𝐶, ) is referred over 𝐹𝑝. P ∈𝐸(𝐹𝑝) is a generator point for a group over old new as ID𝐶, . The server uses the matched entry to 𝐸(𝐹𝑝). matched get the corresponding public key 𝑃𝐶 and computes ℎ(), 𝑔() are two cryptographic hash functions. Two 𝑋 = (𝑐 + 𝑥)𝑃𝐶 −𝑃 =𝑥𝑃, 𝐵𝐿=𝑠𝑋=𝑠𝑥𝑃, different hash functions are chosen here to hinder and 𝐾𝐶,𝑆 =𝑦𝑋=𝑥𝑦𝑃. It then checks whether outsiders from tracking users, using correlated data. ℎ((𝑃 +𝐾 )⊕𝐵𝐿) =? This idea is inspired by [1]. These functions could be the equation 𝐶 𝐶,𝑆 Auth𝐶 holds. = implemented using a pseudorandom function (PRF) If the verification succeeds, then it updates ID𝐶,old =ℎ( ) with distinct paddings. ID𝐶,matched and ID𝐶,new ID𝐶,matched and computes Auth𝑆 =ℎ(𝑃𝐶 ⊕𝐾𝐶,𝑆 ⊕𝐵𝐿) . C, S are as follows: C and 𝑆, respectively, denote client and server. (4) 𝐶: the client uses its local values to verify the validity ID𝐶, ID𝑆 are as follows: ID𝐶 and ID𝑆,respectively, of Auth𝑆. If the verification succeeds, then it updates denote the identity of the client and that of the server, its identity ID𝐶 as ℎ(ID𝐶). where ID𝑆 is static while ID𝐶 is dynamically updated. ∗ The final session key of the session is computed c, s are as follows: 𝑐, 𝑠 ∈𝑍 , respectively, denote the 𝑞 using any secure hash function: one example is like private key of 𝐶 and that of 𝑆. ℎ(𝑃𝐶,𝑃𝑆,𝑥+𝑐,𝑌,𝐾𝐶,𝑆). 𝑃𝐶,𝑃𝑆 are as follows: 𝑃𝐶 =𝑐𝑃and 𝑃𝑆 =𝑠𝑃, respectively, denote their corresponding public keys. 𝑥, 𝑦∗ ∈𝑍 4. Security Analysis and x, y are as follows: 𝑞 , respectively, denote Performance Evaluation ephemeral private keys. X, Y are as follows: 𝑋=𝑥𝑃,and𝑌=𝑦𝑃denotes their 4.1. Security Analysis. In this section, we examine the security corresponding public keys. of the proposed authenticated D-H key agreement scheme with client anonymity. The formulated MECDHP used in the ⊕, || are as follows: ⊕ denotes the exclusive OR opera- schemehasbeenprovedtobeashardastheconventional tion. || denotes concatenation. Here we abusively use ECDHP. Our new scheme improves the computational effi- the notation ⊕ between two elliptic curve points to ciency of client while preserving the strong security prop- represent (𝑥1, 𝑦1) ⊕(𝑥2, 𝑦2) = (𝑥1 ⊕𝑥2, 𝑦1⊕𝑦2) . erties of conventional secure D-H key agreement schemes The scheme is depicted in Figure 1 and is described as under the assumption that the communicating parties’ long- follows. term secret keys are secure.But,thesecuritypropertiesmight 4 Mobile Information Systems

g(), h(), s, PS,PC ID S ID ID ID C,PS,PC,c,h(),g() C C,old, C,new = C

(1.b) ID ,Y S (1.a) Randomly choose y (a) ∗ 2 x∈R Zq Compute Y=yP KC,S =xY=xyP ( .b) (ID Auth BL = xP =xsP 2 g C), c + x, C S 3(a) Search database to find the entry that matches Auth ? C = h((PC +KC,S)⊕BL) (ID (ID ) or (ID g C)=g C,old g C,new) The matched one is refered as ID , C,matched and retrieve its public key PC X = (c + x)P/PC (a) Verify Auth 4 S BL = sX ( .b) Auth if succeeds, then update ID (ID 3 S K =yX=xyP C =h C) C,S

Check wether ? Auth h((PC +KC,S)⊕BL)= C ID ID ID (ID C,old = C,matched; C,newh = C,matched) Auth S =h(PC ⊕KC,S ⊕BL)

Figure 1: Authenticated D-H key agreement with client anonymity.

change when client’s long-term secret keys are compromised. key ℎ(𝑃𝐶,𝑃𝑆,𝑥+𝑐,𝑌,𝐾𝐶,𝑆) is still preserved, because We examine these properties as follows. the computation of the session key involves 𝐾𝐶,𝑆. Here the computation of 𝐾𝐶,𝑆 needs the knowledge of Authentication of the Client. The authentication of the client either 𝑥 or 𝑦. This ensures the partial forward secrecy depends on its ability of providing a valid Auth𝐶 = ℎ((𝑃𝐶 + against server’s compromise. 𝐾𝐶,𝑆)⊕𝐵𝐿)in response to server’s challenge 𝑌. To have a valid 𝑐 Auth𝐶, the client should be able to provide well-formed “𝑥+𝑐,” (2) If we assume the client’s long-term secret is com- on which the server can correctly derive the corresponding promised, then the attacker can derive the ephemeral 𝑥 𝑥+𝑐 𝑋 = (𝑐 + 𝑥)𝑃𝐶 −𝑃 =𝑥𝑃, 𝐵𝐿 = 𝑠𝑋 =𝑠𝑥𝑃,and𝐾𝐶,𝑆 =𝑦𝑋= secret from andderivethesessionkey;that 𝑥𝑦𝑃 to verify the Auth𝐶. A well-formed “𝑥+𝑐” implies that the is, our scheme does not preserve partial forward client knows the private key 𝑐. This ensures the authentication secrecy against client’s compromise. So we call that of the client. our scheme owns half forward secrecy property but not perfect forward secrecy. Authentication of the Server. The authentication of server depends on server’s ability of providing a valid Auth𝑆 = ℎ(𝑃𝐶 ⊕𝐾𝐶,𝑆 ⊕𝐵𝐿) , which depends on the server’s ability of Client Anonymity. The client-identity-related data transmit- computing 𝐵𝐿 = 𝑠𝑋,using𝑋 = (𝑐 + 𝑥)𝑃𝐶 −𝑃 =𝑥𝑃.To tedinourprotocolinclude𝑔(ID𝐶),Auth𝐶 = ℎ((𝑃𝐶 +𝐾𝐶,𝑆)⊕ compute 𝐵𝐿 = 𝑠𝑋,itrequirestheknowledgeoftheserver’s 𝐵𝐿),andAuth𝑆 =ℎ(𝑃𝐶 ⊕𝐾𝐶,𝑆 ⊕𝐵𝐿) . The identity 𝐶ID is private key 𝑠. This ensures the authentication of the server. updated as ℎ(ID𝐶) per successful authentication, and only its hashed value 𝑔(ID𝐶) is transmitted. Therefore, an attacker Resistance to Replay Attack and Man-in-the-Middle Attack. could not learn clients’ identities and could not track any The client and the server, respectively, issue new challenges client using eavesdropped data. The other identity-related 𝑥+𝑐 𝑌 and in each session. The server is expected to generate data is client’s public key 𝑃𝐶.ThecalculationsofAuth𝐶 𝐵𝐿=𝑠𝑋=𝑠((𝑥+𝑐)𝑃−𝑃 ) the corresponding value 𝐶 ,where and Auth𝑆 first obscure 𝑃𝐶 with random value 𝐵𝐿 and then the value is derived from the well-formed challenge 𝑥+𝑐.The apply hashing: this ensures that attackers cannot link the clientisexpectedtohavetheabilityofcomputingthevalue transmissions to any specific client. 𝐾𝐶,𝑆 =𝑥𝑌,where𝑌 is the challenge. All of the computations involve new challenges. As long as the challenges are random andfresh,thisensurestheresistancetoreplayattackand 4.2. Performance Evaluation. Now we examine the perfor- man-in-the-middle attack. mance of our scheme in terms of communication cost and computational cost. Regarding communication cost, we Half Forward Secrecy. Partial forward secrecy concerns the concern the number of message steps and the length of privacy of session keys corresponding to those sessions before message length. Our scheme requires three message steps. It 3𝐿 +2𝐿 +1𝐿 𝐿 one party’s private key was compromised. demands the message length ℎ point 𝑞,where ℎ |ℎ()| |𝑔()| 𝐿 denotes the length of hash function ( and ), point (1) If we assume that the server’s long-term secret 𝑠 is denotes the length of string representation of one elliptic compromised, then the forward privacy of the session curve point, and 𝐿𝑞 denotes the bit length of q. Mobile Information Systems 5

Table 1: Summary of performance comparison among two-party key agreement schemes with client anonymity.

Scheme Ours. Yoon-You [11] Chien [12]Yangetal.[10]Wu-Hsu[14]Wangetal.[15] Numberofsteps333333 3𝐿 +1𝐿 + 3𝐿 +1𝐿 + 3𝐿 +1𝐿 + 5𝐿 +4𝐿 + Length of 3𝐿 +2𝐿 +1𝐿 𝑁 Time 𝑁 Time 𝑁 Time 3𝐿 +1𝐿 nonce point ℎ point 𝑞 1𝐿 1𝐿 1𝐿 𝑁 Time 1𝐿 message ID ID ID ID 2𝑇 +𝑇 + 5𝑇 +2𝑇 + 5𝑇 +1𝑇 + 5𝑇 +3𝑇 + Computational PS PA exp multi exp multi exp multi 4𝑇 +3𝑇 +1𝑇 4𝑇 2𝑇 3𝑇 3𝑇 +3𝑇 1𝑇 1𝑇 +2𝑇 1𝑇 +1𝑇 exp multi ℎ PS + enc + ℎ cost of client XOR ℎ enc enc ℎ enc ℎ 4𝑇 +2𝑇 + 5𝑇 +2𝑇 + 5𝑇 +2𝑇 + 5𝑇 +2𝑇 + Computational PS PA exp multi exp multi exp multi 4𝑇 +2𝑇 +1𝑇 4𝑇 +2𝑇 +3𝑇 3𝑇 +(𝑛+2)𝑇 1𝑇 1𝑇 +2𝑇 1𝑇 +1𝑇 exp multi ℎ PS enc ℎ cost for server XOR ℎ enc enc ℎ enc ℎ Client/server Client/server Security Mutual auth. Mutual auth. Mutual auth. impersonation impersonation Mutual auth. properties [11] [11] Client anonymity Yes Fail (Note 5) Yes Yes Yes Yes Half forward Forward secrecy Yes Yes Yes Yes Note 3 secrecy NP problem MCDHP RSA, CDHP RSA, CDHP RSA, CDHP RSA, CDHP Note 3 1 𝐿 𝐿 |ℎ()| |𝑔()| 𝐿 Note : 𝑁:thebitlengthofRSAmodulusN; ℎ: the length of hash function ( and ); point: the length of string representation of one elliptic curve 𝐿 𝐿 𝐿 𝐿 point, and 𝑞 denotes the bit length of q. Time: the bit length of timestamp; ID: the length of identity; nonce: the length of nonce. 2 𝑇 𝑇 𝑇 Note : PS: time complexity of one elliptic curve point multiplication; PA : time complexity for one elliptic curve point addition; XOR: time complexity for 𝑇 𝑇 𝑇 one XOR operation; ℎ: time complexity for one hash operation; exp: time complexity of one modular exponentiation; multi: time complexity of one modular 𝑇 multiplication; enc: time complexity of one symmetric encryption. Note 3: The session key security was based on the privacy of nonce and the fixed D-H key (the fixedkey 𝑠𝑃𝐶 =𝑐𝑃𝐶 =𝑐𝑠𝑃). If one private key of either the server or the client is compromised, then the long-term, fixed D-H key is compromised and one of the nonce is compromised; therefore, its security is not strong as the ECDHP. Note 4: Our scheme applies hashing to protect the dynamic identity while other schemes use encryption of identity to protect anonymity; therefore, we can 𝐿 =𝐿 simplify the comparison by assuming ℎ ID. Note 5: Chien [12] reported the failure of client anonymity of Yoon-You’s scheme [11].

Next we examine the computational cost of our scheme. CDHP, their message length is larger than our scheme and 2𝑇 +1𝑇 +3𝑇 +3𝑇 The client in our scheme demands PS PA XOR ℎ, thescheme[15]. And, the message length of our scheme is 𝑇 where PS denotes the time complexity of one elliptic curve shorter than its ECC-based counterpart [15]. 𝑇 point multiplication, PA denotes that of one elliptic curve Now we compare the computational performance. 𝑇 point addition, XOR denotes that of one XOR operation, and Recently there have been several publications like [21– 𝑇ℎ denotes that of one hash operation. The server averagely 24] discussing the implementation performances of ECC 4𝑇 +2𝑇 +3𝑇 +(𝑛+2)𝑇 needs PS PA XOR ℎ to find the matched client standard and other public-key standards (like RSA and (each trial for one potential client takes two hash operations), El-Gamal public key), where [21] compared various software where 𝑛 denotes the number of entries of potential clients in implementations of point multiplication, [22]aimedat the database. improving hardware implementation of point multiplication, Table 1 summarizes the performance comparison of the [23] discussed the hardware implementation performance proposed scheme with its counterparts. The notations used of RSA digital signature and ECDSA, and [24]compared in the table are introduced in the bottom of the table. The implementation performance of El-Gamal elliptic curve security of the schemes [10–12, 14]isbasedonRSAandthe encryption method using two different libraries. These works CDHP problem, and our scheme is based on the MECDHP focused on the implementation performances of elliptic problem. Please note that even though the authors [15] claimed curve point multiplication and related standards (like ECC that their scheme was based on the ECDHP problem but standards, RSA digital signature, and El-Gamal elliptic curve actuallyitssessionkeysecuritywasbasedontheprivacyof encryption). For a fair comparison of custom-designed nonce and the fixed D-H key (the fixed key 𝑠𝑃𝐶 =𝑐𝑃𝐶 =𝑐𝑠𝑃), if algorithms that consist of underlying field operations one private key of either the server or the client is compromised, (like field multiplication and exponentiation in 𝑍𝑝,field then the fixed D-H key and one nonce are compromised; multiplication in 𝑍𝑞, and elliptic curve point multiplication), therefore, its security is not strong as the ECDHP. the figures in NSA18 [ ] and the algebra equations of elliptic Regarding the communicational performance, we focus curve operations in terms of underlying field operations on the number of message steps and the length of the from [19] have been widely adopted [15]. We adopt the same messages. According to National Security Agency of the USA principle in the following evaluation, since it gives a fair [18], to have an equivalent security of an 80-bit symmetric comparison of custom-designed algorithms. encryption, RSA algorithm and Diffie-Hellman algorithm ThesecurityofECCwith160-bitkeyisequivalenttothat need 1024-bit key while ECC only needs 160-bit key. From the of RSA with 1024-bit key or D-H algorithm with 1024-bit key. 𝑇 table, we can see that all the schemes require three message Under the above figures, multi,𝑝 (the time complexity of a steps. Because the schemes [9–12, 14]usedRSAandthe field multiplication in 𝑍𝑝,where𝑝 is 1024-bit) is 41 times 6 Mobile Information Systems

𝑇 𝑍 multi,𝑞 (the time complexity of field multiplication in 𝑞, RFID Privacy Workshop, Massachusetts Institute of Technology, 𝑞 𝑇 ∼= 29𝑇 𝑇 ∼= 240𝑇 ∼ where is 160-bit), PS multi,𝑝, exp multi,𝑝 November 2003. =8𝑇 𝑇 ∼= 0.12𝑇 𝑇 ∼= 241 𝑇 ∼= PS, PA multi,𝑝,and PS PA ,where [2] H.-Y. Chien and C.-S. Laih, “ECC-based lightweight authenti- means “roughly equal.” To simplify the comparison and get cation protocol with untraceability for low-cost RFID,” Journal an insight of the computational performance, we can focus of Parallel and Distributed Computing,vol.69,no.10,pp.848– on the number of ECC point multiplications, point addi- 853, 2009. tion, modular exponentiation, and modular multiplication [3] H.-Y. Chien, “Combining Rabin cryptosystem and error cor- only because the other operations are not computationally rection codes to facilitate anonymous authentication with un- significant. In this simplification, the client in our scheme traceability for low-end devices,” Computer Networks,vol.57, 2𝑇 +𝑇 ∼= 58.12𝑇 no.14,pp.2705–2717,2013. needs PS PA multi,𝑝, the client in [11] needs 5𝑇 +2𝑇 ∼= 1202𝑇 exp multi,𝑝 multi,𝑝, the client in [12]takes [4] H. Y. Chien, “Provably secure authenticated Diffie-Hellman key 5𝑇 +1𝑇 ∼= 1201𝑇 exp multi,𝑝 multi,𝑝, the client in [10]requires exchange for resource-limited smart card,” Journal of Shanghai 5𝑇 +3𝑇 ∼= 1203𝑇 Jiaotong University (Science),vol.19,no.4,pp.436–439,2014. exp multi,𝑝 multi,𝑝, the client in [14] demands 4𝑇 +3𝑇 ∼= 9633𝑇 exp multi,𝑝 multi,𝑝,andtheclientinWanget [5]A.Brusilovsky,I.Faynberg,Z.Zeltsan,andS.Patel,“RFC683- 4𝑇 ∼= 116𝑇 al.’s scheme [15]requires PS multi,𝑝.Basedonthese Password-Authenticated Key (PAK) Diffie-Hellman Exchange,” figures,wecangetaninsightthattheclientinourscheme 2010, http://tools.ietf.org/html/rfc5683. only takes roughly 1/20 computational complexity of those [6] V. Boyko, P. MacKenzie, and S. Patel, “Provably secure RSA-based schemes like [10–12, 14] and takes only 1/2 time password-authenticated key exchange using Diffie-Hellman,” complexity of Wang et al.’s ECC-based scheme [15]. in Advances in Cryptology—EUROCRYPT 2000,vol.1807of Lecture Notes in Computer Science, pp. 156–171, Springer, Berlin, Germany, 2000. 5. Conclusions and Further Investigations [7] ISO/IEC 9798-3 Authentication SASL Mechanism, http://www .faqs.org/rfcs/rfc3163.html. Thispaperhasformulatedanewproblemcalledthe MECDHP and has proved its security being equivalent to [8] S. Blake-Wilson, N. Bolyard, V.Gupta, C. Hawk, and B. Moeller, “Elliptic curve cryptography (ECC) cipher suites for transport the conventional ECDHP. Based on the MECDHP, we have layer security (TLS),” RFC 4492, Internet Engineering Task proposed a new authenticated D-H key agreement scheme Force (IETF), 2006. which protects client anonymity and greatly improves client’s [9] W.-B. Lee and C.-C. Chang, “User identification and key computational efficiency. Based on the figures of 160-bit ECC distribution maintaining anonymity for distributed computer key and 1024-bit RSA key (or 1024-bit D-H algorithm), the networks,” Computer Systems Science and Engineering,vol.15, client of our scheme requires only 1/20 time complexity of its no.4,pp.113–116,2000. RSA-based counterparts [10–12, 14] and takes only 1/2 time [10] Y.Yang,S.Wang,F.Bao,J.Wang,andR.H.Deng,“Newefficient complexity of Wang et al.’s ECC-based scheme [15]. Security User identification and key distribution scheme providing analysis shows that the scheme achieves half forward secrecy: enhanced security,” Computers and Security,vol.23,no.8,pp. it achieves forward secrecy if server’s private key is compro- 697–704, 2004. mised but the session keys of a compromised client would [11] E.-J. Yoon and K.-Y. Yoo, “Cryptanalysis of two user identifi- be disclosed. Here we note that it only affects the session cation schemes with key distribution preserving anonymity,” keys of compromised clients. These excellent performances in Information and Communications Security: 7th International make our scheme quite attractive to those thin clients that Conference, ICICS 2005, Beijing, China, December 10–13, 2005. require anonymity protection. One interesting open issue Proceedings,vol.3783ofLecture Notes in Computer Science,pp. is whether we can improve the computational efficiency of 315–322, Springer, Berlin, Germany, 2005. existent authenticated D-H key agreement schemes while still [12] H.-Y. Chien, “Practical anonymous user authentication scheme preserving the perfect forward secrecy. with security proof,” Computers & Security,vol.27,no.5-6,pp. 216–223, 2008. Conflict of Interests [13] P. Szalachowski and Z. Kotulski, “Enhancing the Oakley key agreement protocol with secure time information,” in Proceed- The author declares that there is no conflict of interests ings of the International Symposium on Performance Evaluation regarding the publication of this paper. of Computer and Telecommunication Systems (SPECTS ’12),pp. 1–8, Genoa, Italy, July 2012. [14] T.-S. Wu and C.-L. Hsu, “Efficient user identification scheme Acknowledgment with key distribution preserving anonymity for distributed computer networks,” Computers and Security,vol.23,no.2,pp. This project is partially supported by the National Science 120–125, 2004. Council, Taiwan, under Grant no. MOST 103-2221-E-260- [15] R.-C. Wang, W.-S. Juang, and C.-L. Lei, “Provably secure and 022. efficient identification and key agreement protocol with user anonymity,” Journal of Computer and System Sciences,vol.77, References no. 4, pp. 790–798, 2011. [16] M. S. Farash, M. Bayat, and M. A. Attari, “Vulnerability of two [1]M.Ohkubo,K.Suzki,andS.Kinoshita,“Cryptographic multiple-key agreement protocols,” Computers and Electrical approach to ‘privacy-friendly’ tags,” in Proceedings of the Engineering,vol.37,no.2,pp.199–204,2011. Mobile Information Systems 7

[17] N.-Y. Lee, C.-N. Wu, and C.-C. Wang, “Authenticated multiple key exchange protocols based on elliptic curves and bilinear pairings,” Computers and Electrical Engineering,vol.34,no.1, pp. 12–20, 2008. [18] US National Security Agency, The Case for Elliptic Curve Cryp- tography, https://www.nsa.gov/business/programs/elliptic curve.shtml. [19] A. Jurisic and A. J. Menezes, “Elliptic curves and cryptography,” Certicom Whitepaper, 1997. [20] K. Xue, P.Hong, and C. Ma, “Alightweight dynamic pseudonym identity based authentication and key agreement protocol with- out verification tables for multi-server architecture,” Journal of Computer and System Sciences,vol.80,no.1,pp.195–206,2014. [21] M. Rivain, “Fast and regular algorithms for scalar multiplication over elliptic curve,” The International Association for Cryp- tologic Research (IACR) Cryptology ePrint Archive 2011/338, https://eprint.iacr.org/2011/338.pdf. [22] G. D. Sutter, J.-P. Deschamps, and J. L. Imana, “Efficient elliptic curve point multiplication using digit-serial binary field operations,” IEEE Transactions on Industrial Electronics,vol.60, no. 1, pp. 217–225, 2013. [23] R. Sinha, H. K. Srivastava, and S. Gupta, “Performance based comparison study of RSA and elliptic curve cryptography,” International Journal of Scientific & Engineering Research,vol. 4, no. 5, pp. 720–725, 2013. [24]D.F.Pigatto,N.B.F.d.Silva,andK.R.L.J.C.Branco, “Performance evaluation and comparison of algorithms for elliptic curve cryptography with el-gamal based on MIRACL and RELIC libraries,” Journal of Applied Computing Research, vol.1,no.2,pp.95–103,2012. Advances in Journal of Multimedia Industrial Engineering Applied Computational Intelligence and Soft

International Journal of Computing The Scientific Distributed World Journal Sensor Networks Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

Advances in Fuzzy Systems

Modelling & Simulation in Engineering

Hindawi Publishing Corporation Hindawi Publishing Corporation Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com

Submit your manuscripts at http://www.hindawi.com Journal of Computer Networks and Communications Advances in Artificial Intelligence Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 Hindawi Publishing Corporation http://www.hindawi.com Volume 2014

International Journal of Advances in Biomedical Imaging Artificial Neural Systems

International Journal of Advances in Computer Games Advances in Computer Engineering Technology Software Engineering

Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

International Journal of Reconfigurable Computing

Advances in Computational Journal of Journal of Human-Computer Intelligence and Electrical and Computer Robotics Interaction Neuroscience Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014