
Citation: Qihui Zhang, Pradeep Chaudhary, Saru Kumari, Zhiyin Kong, Wenfen Liu. Verifier-based anonymous password-authenticated key exchange protocol in the standard model[J]. Mathematical Biosciences and Engineering, 2019, 16(5): 3623-3640. doi: 10.3934/mbe.2019180
[1] | Yanrong Lu, Dawei Zhao . An anonymous SIP authenticated key agreement protocol based on elliptic curve cryptography. Mathematical Biosciences and Engineering, 2022, 19(1): 66-85. doi: 10.3934/mbe.2022003 |
[2] | Han-Yu Lin, Tung-Tso Tsai, Hong-Ru Wu, Miao-Si Ku . Secure access control using updateable attribute keys. Mathematical Biosciences and Engineering, 2022, 19(11): 11367-11379. doi: 10.3934/mbe.2022529 |
[3] | Lihong Guo, Jian Wang, Haitao Wu, Najla Al-Nabhan . XML security protection scheme based on Kerberos authentication and polynomials authorization. Mathematical Biosciences and Engineering, 2020, 17(5): 4609-4630. doi: 10.3934/mbe.2020254 |
[4] | Yifeng Yin, Zhaobo Wang, Wanyi Zhou, Yong Gan, Yanhua Zhang . Group key agreement protocol for edge computing in industrial internet. Mathematical Biosciences and Engineering, 2022, 19(12): 12730-12743. doi: 10.3934/mbe.2022594 |
[5] | Tao Liu, Shubhangi Vairagar, Sushadevi Adagale, T. Karthick, Catherine Esther Karunya, John Blesswin A, Selva Mary G . Secure multimedia communication: advanced asymmetric key authentication with grayscale visual cryptography. Mathematical Biosciences and Engineering, 2024, 21(3): 4762-4778. doi: 10.3934/mbe.2024209 |
[6] | Qi Wang, John Blesswin A, T Manoranjitham, P Akilandeswari, Selva Mary G, Shubhangi Suryawanshi, Catherine Esther Karunya A . Securing image-based document transmission in logistics and supply chain management through cheating-resistant visual cryptographic protocols. Mathematical Biosciences and Engineering, 2023, 20(11): 19983-20001. doi: 10.3934/mbe.2023885 |
[7] | Mikail Mohammed Salim, Jungho Kang, Yi Pan, Jong Hyuk Park . A Lightweight authentication scheme for IoT against Rogue Base Station Attacks. Mathematical Biosciences and Engineering, 2022, 19(11): 11735-11755. doi: 10.3934/mbe.2022546 |
[8] | Shufen Niu, Wei Liu, Sen Yan, Qi Liu . Message sharing scheme based on edge computing in IoV. Mathematical Biosciences and Engineering, 2023, 20(12): 20809-20827. doi: 10.3934/mbe.2023921 |
[9] | Zhiguo Qu, Leiming Jiang, Le Sun, Mingming Wang, Xiaojun Wang . Continuous variable quantum steganography protocol based on quantum identity. Mathematical Biosciences and Engineering, 2019, 16(5): 4182-4195. doi: 10.3934/mbe.2019208 |
[10] | Jianfei Cai, Guozheng Yang, Jingju Liu, Yi Xie . FastCAT: A framework for fast routing table calculation incorporating multiple protocols. Mathematical Biosciences and Engineering, 2023, 20(9): 16528-16550. doi: 10.3934/mbe.2023737 |
Password authenticated key exchange (PAKE) is an important cryptographic primitive that allows a client to authenticate herself and to establish a high-entropy session key with a remote server via only a common, low-entropy password. It is very convenient since that no complicated public key infrastructure (PKI) or dedicated hardware such as a token is needed in advance. Because of its convenience and significance, password authentication schemes are regarded as, and are likely to continue to be, the dominant authentication mechanism in the foreseeable future [1].
In 1992, the most famous pioneering work of PAKE, called the Encrypted Key Exchange (EKE) protocol, was proposed by Bellovin and Merritt [2], in which the Diffie-Hellman flows are symmetrically encrypted under the common password to offer resistance to dictionary attack. Since then, a multitude of studies have been published on the construction of more efficient and more secure PAKE protocols in random oracle model [3,4], in the standard model [5,6,7,8,9], in multi-user setting [10,11], as well as on the security models suitable for the analysis of PAKE protocols [12,13]. Organizations like the International Organization for Standardization (ISO) have further issued a lot of password-related standards, such as ISO/IEC 11770-4, IEEE Std 1363.2, RFC 6124, etc., which further popularizes the widespread application of the PAKE protocols.
Along with the growing concern about privacy protection, many people want to strengthen the widely used PAKE protocols with the additional property of anonymity, which keeps a client's identity secret not only to all outsiders but also to the server. To address this need, anonymous password- authenticated key exchange (APAKE) protocols were first presented by Viet et al. in 2005 [14] and then improved by Yang et al. [15], Shin et al. [16] and Hu et al. [17] in the password-only setting. While the client has access to some extra storage other than the password, the computational performance of APAKE protocols, especially on the server side, could be further improved. The storage extra approach was first proposed by Yang et al. [18] in ACSAC'09, and further developed by Shin et al. [19], Zhang et al. [20]. Furthermore, ISO/IEC has recently issued an APAKE standard denoted as ISO/IEC 20009-4 [21].
Almost all the existing APAKE protocols, and most of the PAKE protocols, are designed in the symmetric setting, where the server holds all the clients' password in clear. This would be dramatic in case of server compromise. At the same time, the number of password leakage incidents and the cost to those experiencing them continue to increase in the last few years. Typical password data breaches include 167 million from LinkedIn [22], 3 billion from Yahoo [23] and 50 million from Facebook [24]. In order to mitigate the damage of server compromise, it is desirable to adapt traditional APAKE protocols to the verifier-based setting, in which the server holds a verifier corresponding to each client instead of the plain password. Although server verifier-based solutions have been put forward with respect to traditional (non-anonymous) PAKE protocols [25,26], only few verifier-based APAKE protocols [27,28] were proposed and, moreover, they are vulnerable to impersonation attacks (see details in Section 4).
In this paper, we propose a verifier-based anonymous password-authenticated key exchange protocol, which provides additional security guarantees in case of server compromise. The new protocol, which is built on standard cryptographic primitives such as ElGamal public key encryption, password hashing scheme and smooth projective hash functions, is proven secure in the standard model rather than the random oracle model. Comparisons show that our protocol guarantees stronger security while pays very little in terms of computational efficiency.
In this section, we recall the security model for APAKE protocols [17], which is extended from the security models for PAKE protocols [12] and for APAKE protocols [14,15,16].
The participants of an APAKE protocol P consist of a set of clients C and a set of servers S. Without loss of generality, we assume that the set S contains only one server S={S}. The client set C consists of a set of honest clients Γ={Cj}1⩽j⩽n and a set of malicious clients E. Each client C∈C holds a password πC chosen according to some given distribution D as its authentication credential; the server holds a list of transformed password pwS={H(πC)}C∈C corresponding to all the clients. The notion H(πC) denotes the value by using a password transformation function on πC. It might be, for example, H(πC)=πC for the symmetric setting and H(πC)=sπC for the asymmetric setting.
The adversary A, who has full control of the communication network and is modeled as a probabilistic polynomial time (PPT) Turing machine, can interact with various concurrent sessions of each user U∈C∪S through the following oracle queries:
● Execute(Cρ,Sδ): This query models those attacks that could be mounted by a passive adversary eavesdropping on communication between two honest sessions, where Cρ denotes the ρ-th session of client C and Sδ denotes the δ-th session of server S. The output of the query contains all the messages outputted by Cρ and Sδ during an honest execution.
● Send(Uρ,M): This query is used to model active attacks against a session Uρ of a user U∈C∪S. The adversary sends an arbitrary message M to the session Uρ, and gets the outputting message that would be generated by the Uρ upon receiving the message M.
● Reveal(Uρ): This query models the leakage or misuse of the session keys that have been used in those sessions other than the session being tested. In other words, this query is used to model known session key attacks.
● Corrupt(U): The query models the leakage of passwords of some clients or the server. If this query is asked to a client C∈C, the password πC of this client is returned. If this query is asked to the server S, the list of transformed passwords pwS={H(πC)}C∈C is returned.
The AKE security would guarantee that, when a session key is generated freshly by honest participants and has not been leaked or misused, it would look like uniformly random to an adversary. For this purpose, the notions of partnering sessions and fresh sessions need to be defined first.
Partnering sessions. A client session Cρ and a server session Sδ are called partnering sessions, if (1) they are the intended partner of each other; (2) they both accept; (3) their communication transcripts are matched with each other.
Freshness. We say that a session Uρ satisfies the definition of freshness, if no Reveal query has been asked to this session or its partnering session, and no Corrupt query has been asked to the participants involved in this session.
In addition, we need a new query to model the attack that the adversary distinguishes a real session key from a random one.
● Test(Uρ): This query can only be asked to a fresh session. When this query is received, a random bit b∈{0,1} is chosen and the query is answered as follows. If b=1, the real session key of Uρ is returned; if b=0, a random session key is returned.
The adversary is allowed to ask as many as queries defined in Section 2.2 and the above Test query, with the restriction that the Test query can only be asked once and the target session of the Test query should be kept fresh. At the end, the adversary outputs a bit b′ as his guess to the hidden random bit b. The advantage of the adversary A is defined by Adv(A)=2Pr{b=b′}−1. An APAKE protocol P is AKE secure if for every PPT adversary A the advantage satisfies AdvAKEP(A)⩽C′⋅qs′send+negl(k), where C′ and s′ are the Zipf parameters [1,29,30] corresponding to the password dictionary D, and qsend denotes the number of Send queries asked by the adversary.
The client anonymity notion states that even the trusted server, which behaves in an honest-but-curious way, should not be capable of getting the actual identity of the client in communication. What the server can only learn about the client is that she is a legitimate member of the group Γ={Cj}1⩽j⩽n.
Here we consider the server as a passive adversary M, who knows all the transformed passwords pwS={H(πC)}C∈C, interacting with the client in an honest way and wants to figure out the identity of the client. Denote by Πi the distribution of transcripts of the protocol P executed between the client Ci∈Γ and the server S. If for any two clients Ci, Cj∈Γ, the two distributions Πi,Πj are computational indistinguishable, i.e., |Pr{M(Πi)=1}−Pr{M(Πj)=1}|⩽negl(k), we say that the protocol P satisfies client anonymity.
In the construction of our verifier-based APAKE protocol, we use both CPA secure (i.e., secure under chosen-plaintext attacks) and labeled PCA secure (standing for secure under plaintext-checking attacks) public key encryption schemes. Formally speaking, a public key encryption scheme is defined by three algorithms E=(KGen,Enc,Dec), where KGen on input 1k outputs a public/secret key pair (pk,sk), Enc on inputs pk, message m and the random string r outputs a ciphertext c, and Dec on inputs sk and c outputs m or ⊥. A label public key encryption scheme is a public key encryption that additionally admits a label to its encryption and decryption algorithms as c←Enc(pk,m;label;r) and m or ⊥←Dec(sk,c;label).
We say that a public key encryption scheme is CPA secure, if when the public key pk is already published, every probabilistic polynomial time (PPT) adversary would have only negligible advantage in distinguishing the challenge ciphertexts corresponding to two messages m0,m1 chosen by the adversary. In order to address active attacks, a stronger notion called CCA security (standing for security under chosen-ciphertext attacks) was proposed, in which the adversary has additional access to a decryption oracle, which could decrypt any ciphertext other than the challenge ciphertext. Between CPA and CCA security, a new security notion termed PCA security, short for security under plaintext-checkable attacks, was recently proposed by Abdalla et al. [31]. The adversary in this notion does not have access to any decryption oracle, but has only access to an oracle indicating whether a given ciphertext/message pair is consistent, in the sense that the given ciphertext encrypts the given message.
In order to formalize the way how verifiers are generated, Benhamouda et al. [25] presented a new cryptographic primitive called password hashing scheme. As an added benefit, the password hashing scheme could easily suit to smooth projective hash functions in an algebraic way. Concretely, a password hashing scheme consists of a tuple of algorithms PHS=(PSetup,PPreHash,PSalt,Phash). Let n denote the bit-length of possible passwords, i.e., π∈D⊂{0, 1}n. The algorithm PSetup on inputs the security parameter 1k and the bit-length of the password 1n outputs the parameter param. The algorithm PPreHash on inputs param and a password π outputs a pre-hash value P. The algorithm PSalt on input param outputs a salt s. The algorithm Phash takes as inputs the parameter param, a salt s and a password π, and outputs a hash value H.
For the security of verifier-based APAKE protocols, a password hashing scheme should satisfy several security notions, such as the correctness, salt indistinguishability, second pre-image resistance, entropy preservation, pre-hash entropy preservation, and tight one-wayness [25]. The tight one-wayness is the most vital notion, as it ensures that recovering a valid password from a leaked server's file requires a time approximately equals computing 2β times of Phash, where β denotes the min-entropy of the password distribution.
Smooth projective hash functions (SPHF) were introduced by Cramer and Shoup [32] in order to construct CCA secure public key encryption schemes. In 2003, Gennaro et al. [33] tailored the initial definition to the construction of PAKE protocols. Later, the SPHF definition was further developed by Katz et al. [34], Benhamouda et al. [6] and Abdalla et al. [35] to fit more complex language obtained by disjunctions or conjunctions of simpler languages.
More specifically, given a language L⊂X for some set X, a SPHF system for the language L consists of the following 4 algorithms H=(HashKG,ProjKG,Hash,ProjH). The hash key generation algorithm HashKG takes as input the language L and outputs a hash key hk. The algorithm ProjKG takes as inputs the language L, a hash key hk and possibly a word c∈L and outputs a projection key hp. The algorithm Hash takes as inputs the language L, a hash key hk and an element c∈X, and outputs the hash value corresponding to the word c. The algorithm ProjH takes as inputs the language L, a projection key hp, a word c∈L as well as the witness w with respect to the fact c∈L, and outputs the hash value corresponding to the word c.
The security requirement of a SPHF system contains correctness and smoothness. The correctness property ensures that for any word c∈L and its related witness w, the following equation Hash(L,hk,c)=ProjH(L,hp,c,w) always holds. The smoothness property guarantees that, for any element c∈X∖L, even the corresponding projection key hp is published, the statistical distance between the distribution of Hash(L,hk,c) and uniform random is negligible.
A one-time signature [36] is a weak notion of cryptographic signature that could be instantiated in the standard model, yet enjoys much more efficient computational complexity. Similar to classical signatures, a one-time signature consists of 3 algorithms Σ=(SignKG,Sign,Verify). The algorithm SignKG takes as input the security parameter 1k and outputs a pair of signing/verification keys (SK,VK). The algorithm Sign takes as inputs SK and the message m and outputs a signature σ. The algorithm Verify takes as inputs VK, a message m and a signature σ, and outputs 1 iff the σ is a valid signature of m. With respect to the security definition of existential unforgeability, we allow the adversary to get access to only one message/signature pair. If for any PPT adversary, the possible advantage is negligible, we say that the one-time signature scheme is secure.
Although APAKE protocols have been researched for more than a decade, as far as we know, only two recent studies have focused on verifier-based setting [27,28]. However, we find that these protocols are not as secure as claimed, both of them are vulnerable to impersonation attacks.
In 2016, Yang et al. [27] put forward the first verifier-based APAKE protocol and proved its security in the standard model. The proposed protocol, which achieves mutual authentication in only two rounds, is very efficient in terms of communication complexity.
The construction of Yang et al.'s protocol is illustrated in Figure 1, which utilizes a CCA-secure labeled public key encryption scheme (KG1,Enc1,Dec1), a CPA-secure public key encryption scheme (KG2,Enc2,Dec2), and a password hashing scheme PHS=(PSetup,PPHSalt,PPreHash, PHSalt,PHash). Note that the definition of password hashing scheme used here follows the one provided in [37], which employs two salt-generating algorithms. Given two salts sP,sH∈Z∗p, the pre-hash and hash values are generated as P=gsP⋅π and H=(H1,H2)=(gsP,P⋅hsH).
Their protocol also uses two KV-SPHFs [34] for the following two languages,
LC={(l,cC)|∃π,∃rC:c=Encl1(pk1,gπi−i;rC)∧H2i=Hπi1hsHi}, |
LS={cSi|∃rS:cSi=Enc2(pk2,H2ihsHi;rS)}. |
We point out that Yang et al.'s protocol is vulnerable to an impersonation attack. Recall that the projection key hpC generated and sent by the client is protected by containing it in the label of the CCA-secure ciphertext cC. However, the projection key hpS sent by the server to the client is not in protected. This will lead to an impersonation attack in which an adversary impersonates the legitimate server by sending well-crafted message. More specifically, if the protocol is instantiated by Cramer-Shoup-like encryption schemes as that was presented in Section D of [27], the adversary could generate the message <hpS,{Aj,H1j}1⩽j⩽n> as follows. The projection key hpS is chosen to be hpS=(hpS1,hpS2,hpS3) where hpS1=f−ξ+1,hpS2=f,hpS3=g. Note that the adversary can eavesdrop the message sent by the client and get cC=Encl1(pk1,gπi−i;rC)=(u,v,e,w) where e=frC⋅gπi−i. Then the adversary chooses a random rS, computes cSj=(uj,ej)=(grS,frS), Aj=(e⋅gj)⊕cSj=frCgπi−i+j⊕cSj, and sets H1j=1, for all 1⩽j⩽n.
Upon receiving the above message, the client Ci will compute according to the protocol specification as follows. She first computes a projection hash value as (hpS1⋅hpξS2)rC⋅hpπiS3=gπifrC. Then she computes cSi=Ai⊕(hpS1⋅hpξS2)rC⋅hpπiS3=Ai⊕gπifrC=(grS,frS) and generates her session key as KC=(grS)α(frS)β. However, as the adversary has already obtained the projection key hpC=gαfβ from the first message, he can also compute the session key as KS=hprSC=(gαfβ)rS. This results in a successful impersonation attack.
In 2018, Chen et al. [28] gave out a new verifier-based APAKE protocol by taking Zhang et al.'s algebraic MAC [20] as the server's verifier. With the help of hash functions, which would usually be recognized as random oracles (RO), this protocol performs much better than Yang et al.'s protocol [27], and is more efficient than most of the existed APAKE protocols in terms of computation and communication cost. It is claimed that this protocol is also secure against various known attacks, such as mutual authentication and forward secrecy.
The concrete steps of Chen et al.'s protocol [28] is depicted in Figure 2. In the registration phase, each user Uj enrolls to the server S by sending IDj and mj=H(IDj||PWj), then the server S uses its secret key s to compute an algebraic MAC Vj=g1/(mj+s) as the corresponding verifier.
We find that Chen et al.'s protocol [28] is also vulnerable to an impersonation attack. An outside adversary who does not know any secret of the server and the client can impersonate a legitimate server to the client. The specific attack is as follows. When an adversary gets the first message <U,A,X> sent by some client Ui, he generates the second message by setting B=h−1, Y=gy, Wj=A−1, Cj=gy−1, 1⩽j⩽n and K=Xy=gxy, VS=H(1||TRANS||Y||K). The adversary then sends the message <S,B,tbl,VS> to the client by pretending to be the legitimate server. When this message is received by the client, she will compute Y′=(B−aWi)miCi=(ha⋅g1/mih−a)mi⋅gy−1 =gy and K′=Y′x=gxy=K. As a consequence, all the subsequent verification will be successful and the adversary successfully impersonates the server.
In this section, we give out a new verifier-based APAKE protocol constructed from standard cryptographic primitives such as public key encryption scheme, smooth projective hash functions and password hashing scheme. The underlying techniques are from [17,25,34,38], which explored SPHFs for complex languages dealing with anonymous and verifier-based authentication.
The resulting protocol, depicted in Figure 3, is a 3-flow verifier-based APAKE protocol with explicit mutual authentication. We emphasize that, when the messages in boxes, i.e., τC,τS, are set to be empty strings and the last flow of message <τC> is removed like [38], one would get a 2-flow protocol but with only explicit unilateral authentication.
Assume that G be a cyclic multiplicative group with prime order p, and g,h be its two random generators. Our construction uses an ElGamal encryption scheme E=(KGen,Enc,Dec), which takes g,h as its public key pk. The encryption on message M∈G with randomness r is computed as c=Enc(pk,M;r)=(u,e)=(gr,hr⋅M). The construction also needs a PCA-secure public key encryption scheme E′=(KGen′,Enc′,Dec′) and a one-time signature Σ=(SignKG,Sign,Verify), which could be instantiated arbitrarily. We emphasize that, the public keys of public key encryption schemes are contained in the common reference string as [5,33], thus no PKI is needed here.
Our construction also uses an algebraic password hashing scheme proposed by Benhamouda et al. [25], where param=g||G||F(⋅), P=PPreHash(param,π)=gF(π), s=PSalt(param)∈RG, and H=PHash(param,s,π)=sF(π), where F(⋅) is a hash function from the password dictionary to Z∗p. Given a salt s and a password hashing value H, we define the following complex language
Ls.H={(u,e)|∃r,∃π,u=gr,e=hrgF(π),H=sF(π)}, | (1) |
which could be seem as the set of ciphertexts of a pre-hash value that is consistent with the password hashing value H. By exploiting the technique of [25], we also construct the following SPHF system H. The hash key is generated as hk=HashKG(Ls,H)=(x,y,z)∈RZ3p; the projection key is computed as hp=ProjKG(Ls,H,hk,c)=(hp1,hp2)=(gxhy,gysz). The hash value could be computed through hk as h=Hash(Ls,H,hk,c)=uxeyHz. It could also be generated by using the projection key hp and a pair of witnesses r,π as h=ProjH(Ls,H,hp,c,r,π)=hpr1hpF(π)2.
Let Γ={Cj}1⩽j⩽n denote a set of legitimate clients and n denote the set size. Assume that each client Ci∈Γ holds a password πi, thus it could pre-compute Pi=gF(πi); assume that the server S holds the verifiers pwS={sj,Hj}1⩽j⩽n for all the clients. Suppose a client Ci∈Γ wants to establish a session key with the server S in an anonymous way, the verifier-based APAKE protocol proceeds as follows.
(1) The client Ci∈Γ selects a random number r∈Zp and computes an ElGamal ciphertext of its pre-hash value Pi=gF(πi) as ci=Enc(pk,Pi;r)=(u,e)=(gr,hr⋅Pi). Then she sends the message <S,ci> to the server.
(2) Upon receiving the message <S,ci>, the server first does the following computations for each index 1⩽j⩽n. He chooses random hkj=(xj,yj,zj)∈RZ3p, computes the projection key as hpj=(hpj1,hpj2)=(gxjhyj,gyjszj) and the hash values as tkj||tpj=Hash(Ls,H,hkj,ci)=uxjeyjHzjj. Note that, similar to [38], the hash value is divided into two substrings for subsequent use. Next, the server S computes δj=tp1⊕tpj,τS||skS=tp1, sets hp=(hp1,⋯,hpn,δ2,⋯,δn), and generates a signing/ verification key pair as (SK,VK)=SignKG(1k). Then, he sets label=S||ci||hp||VK and computes a ciphertext as c′j=Enc′(pk′,sj||Hj;label;tkj) where the random string is the first part of the SPHF's hash value. After that, the server sets c′=(s1,⋯sn,c′1,c′2,⋯,c′n), signs it with his signing key SK as σ=Sign(SK,c′) and sends <hp,VK,c′,σ> to the server.
(3) When the client Ci receives the message, she first verifies the validity of the signature σ. If the verification is successful, the client computes the SPHF's hash value by using her witnesses r,πi as ~tki||~tpi=ProjH(hpi,ci,r,πi)=hpri1⋅hpF(πi)i2. Next, the client sets label=S||ci||hp||VK, computes Hi=sF(πi)i and checks whether it holds c′i=Enc′(pk′,si||Hi;label;~tki). Note that only the i-th ciphertext is recomputed but the whole vector c′ is guaranteed unmodified, because the verify key VK is contained in the label. Then, the client recovers the value tp1 as follows: if i=1, this values is already known; if i⩾2, she would compute it as ~tpi⊕δi. Denote the value obtained by the client as tp. Finally, the client divides tp into two parts as τC||skC=tp, sets its session key as skC and sends τC to the server as an authentication value.
(4) While the message <τC> is received, the server S verifies this value by checking whether τC=τS holds. If the message passes the check, the server will complete the session and set his session key as skS.
We stress that if a verification conducted by the client (the server) fails, she (or he) will abort the session immediately.
The construction of our verifier-based APAKE protocol takes the Groce-Katz framework [38] of traditional PAKE protocols as a starting point. This framework achieves mutual authentication in 3 flows of communication, or alternatively unilateral authentication in 2 flows. Although the Groce-Katz framework does not achieve the optimal rounds for PAKE protocols, it enjoys the advantage of a high computational efficiency as the encryption scheme adopted by the client side only needed to be CPA secure instead of CCA secure. More precisely, the Groce-Katz framework is more efficient in terms of computation than those one-round PAKE protocols presented in [6,34]. As a consequence, the resulting verifier-based APAKE protocol is also computationally efficient.
In order to achieve anonymity by utilizing SPHFs, we let the server generate a sequence of projection keys for each possible client, i.e., for each language Lsj,Hj,1⩽j⩽n. The smooth property of the SPHF system guarantees that only when the ciphertext ci matches the languages Lsi,Hi, the hash value could be reconstructed by the client by using the projection key; otherwise, it is totally random to her. However, since only one of these projection keys is actually used by the client, special attention should be paid to the protection of these projection keys. We address this problem by containing them in the labels of a CCA-secure public encryption scheme and binding these ciphertext together with a one-time signature.
For the purpose of checking the verifiers in an implicit way, we choose to use the algebraic password hashing scheme proposed by Benhamouda et al. [25]. Recall that the pre-hash value P and the hash value Hj are with the same exponent with respect to bases g and sj respectively. Henceforth the server could prove this fact by selecting a projective hash key of the form gyjszjj. Furthermore, this password hashing scheme meets all the security notions presented in Section 3.2, including tight one-wayness. On the contrary, although the password hashing scheme [37] utilized in Yang et al.'s protocol [27] is also an algebraic one, it is not tightly one-way as claimed [25].
In this section, we first analyze the security of the verifier-based APAKE protocol heuristically. Then, we give out a rigorous security proof within the security model presented in Section 2.
In this subsection, we show that the new protocol guarantees typical security goals for verifier-based APAKE protocols and resists various known attacks.
(1) Resistance to off-line dictionary attacks. In the protocol, the passwords of clients only appear in the CPA-secure ciphertext ci generated by the client or those CCA-secure ciphertexts c′j,1⩽j⩽n generated by the server. According to the semantic security of these public key encryption schemes, an adversary cannot mount an off-line dictionary attack on them. On the other hand, the smoothness property of the SPHF system guarantees that, except for negligible probability, no information of the passwords could be obtained by the adversary from the outputs of the SPHFs. Hence, the adversary cannot conduct off-line dictionary attacks.
(2) Mutual authentication. Recall that the ciphertext c′i generated by the server using a substring tki derived from the SPHF hash value as its randomness. If the server holds the right verifier (si,Hi) corresponding to the client's password πi, the correctness property of the SPHF system would guarantee that this value can be recomputed by the client. However, if the client's password and the server's i-th verifier are not consistent, they will get different tki. Therefore, the ciphertext c′i ensures the authentication from the server to the client. In addition, the message τC is used as an authenticator from the client to the server. Hence, we conclude that this protocol provides explicit mutual authentication.
(3) Client anonymity. The server generates a projective key hpj and computes a SPHF hash value for each of the potential client. No matter which client is involved in the communication by using the correct password, she will compute the same SPHF hash value as the server. Meanwhile, the server cannot detect the actual identity of the client since the same substring tp1 is used by any client Ci∈Γ for client's authentication and the final session key's generation.
(4) Security against stolen-verifier attack. If the server is compromised and the verifiers are leaked, the adversary would obtain all tuples {sj,Hj}1⩽j⩽n. It is obvious that the best way for the adversary to derive the password from Hj=sF(πj)j is to mount a brute-force guessing attack. Additionally, since different bases are used for different client, the adversary can only guess the password one by one. In fact, the above security is actually guaranteed by the tight one-wayness of the underlying password hashing scheme.
In this subsection, we prove that the 2-flow version of our verifier-based APAKE protocol satisfies the AKE security and anonymity defined in the security model presented in Section 2. It is obvious that the 3-flow version will additionally provide explicit client authentication by sending the last authenticating message to the server.
Theorem 1. Assume that (KGen,Enc,Dec) is the ElGamal encryption scheme which is CPA secure, (KGen′,Enc′,Dec′) is a labeled public key encryption scheme with PCA security [31], (SignKG,Sign,Verify) is an existential unforgeable one-time signature, and the SPHF system and password hashing scheme are secure. Then, the verifier-based APAKE protocol presented in Section 4.2 guarantees AKE security. More specifically, the advantage of any adversary A against the AKE security in the security model is
AdvAKEP(A)⩽C′⋅qs′send+(qexe+qsend)⋅(AdvcpaE(t)+n⋅AdvpcaE′(t)+n⋅εSPHF(k))+AdvEUFΣ(t), | (2) |
where t is the maximum running time of the adversary A, qsend,qexe are the maximum number of Execute and Send queries asked by A, AdvcpaE(t),AdvpcaE′(t),AdvEUFΣ(t) denote the adversaries' advantages against the encryption scheme E,E′ and the one-time signature Σ, εSPHF(k) denotes a negligible upper bound of the statistical distance involved in the smoothness definition of the SPHF system, where C′ and s′ are the Zipf parameters [1,29].
Proof. The proof consists of a sequence of incrementally changed games G0,G1,⋯,G9, starting from the game G0 representing the real attack in the security model, and ending with a game G9 in which the adversary cannot get any information of the passwords from the session keys and the exchanging messages. For this purpose, we will modify the simulation of Execute and Send queries step by step. Denote by Advk(A) the adversary's advantage in the k-th game. Denote by Send0(Cρi,start) the first send query to start the ρ-th session Cρi of some client Ci∈C, and denote by Send1(Sδ,<S,ci>) and Send2(Cρi,<hp,VK,c′,σ>) the queries relative to the first and second message respectively. Furthermore, assume that the simulator maintains a list of the form PWList={(Pj,sj,Hj)}1⩽j⩽n recording the compatible password and verifier pair registered by all honest clients.
Game G0: This game is the real attack as defined in Section 2, where the simulator simulates all the honest sessions and all the queries asked by the adversary are answered honestly. Thus, we have
AdvAKEP(A)=Adv0(A). | (3) |
Game G1: In this game, we begin to modify the way Execute queries between honest client and server sessions are answered. When a query of the form Execute(Cρ,Sδ) is received, the simulator first discriminates whether the client C and the server S hold compatible passwords, through checking whether the corresponding tuple (P,s,H) appears in the list PWList.
(1) If they hold incompatible passwords, we simply let the client session abort. Note that the client session indeed aborts in this situation because of the smooth property of the SPHF system.
(2) If they hold compatible passwords, the simulator computes the SPHF value from the client side as ~tki||~tpi=tkj||tpj=Hash(Ls,H,hkj,ci), and removes the verifying process of the signature σ and the ciphertext c′i. The correctness property of the SPHF system guarantees that these modifications do not alter the adversary's view at all. Therefore, Adv1(A)=Adv0(A).
Game G2: In this game, we continue to modify the way Execute queries are answered, through replacing the ciphertext ci by an encryption corresponding to a dummy password π0 as ci=Enc(pk,P0;r) where P0=gF(π0) and π0 is not contained in the password dictionary. Because the encryption scheme E is CPA-secure, the ciphertexts of Pi and P0 are indistinguishable. Consequently, one can easily bound the gap of the adversary's advantage in these two games as
|Adv2(A)−Adv1(A)|⩽qexe⋅AdvcpaE(t) | (4) |
via a classical hybrid argument.
Game G3: This game replaces the SPHF values tkj||tpj,1⩽j⩽n by truly random strings. Since the ciphertext ci no longer belongs to the language Ls.H according to the above game, we could bound the change of the adversary's advantage via resorting to the smoothness property of the SPHF system and the hybrid technique. Note that there are at most qexe⋅n Execute queries are modified in this game. Thus, it can be concluded that
|Adv3(A)−Adv2(A)|⩽qexe⋅n⋅εSPHF(k). | (5) |
Game G4: In this game, we replace the ciphertext c′j by an encryption corresponding to a dummy password π0 as c′j=Enc′(pk′,sj||Hj,0;label;tkj), where Hj,0=sF(π0)j, for all 1⩽j⩽n. Owing to the PCA security of the encryption scheme E′, which implies CPA security as well [31], the advantage gap caused by replacing one of the above ciphertext is at most AdvpcaE′(t). As a result of this fact, with the aid of a classical hybrid argument, the overall difference of the adversary's advantage in these two games is at most
|Adv4(A)−Adv3(A)|⩽qexe⋅n⋅AdvpcaE′(t). | (6) |
Game G5: Till now, we have finished the modification of Execute queries. Before modifying the Send queries, we first exclude the situations that the adversary forges a valid signature with respect to the one-time signature scheme. Denote by AdvEUFΣ(t) the advantage of the adversary against the one-time signature. Then, we can conclude that the gap of advantages caused by the above modification is at most AdvEUFΣ(t).
Game G6: From now on, we will begin to modify the Send queries. In this game, we first modify the way how Send2 queries are answered. If a query of the form Send2(Cρi,<hp,VK,c′,σ>) is sent to a client session Cρi in the name of a server session Sδ, the simulator first gets the verifier (si,Hi) corresponding to the client Ci via retrieving the list PWList. We say that the message <hp,VK,c′,σ> is match-session-generated, if it was outputted by Sδ as an answer to the Send1(Sδ,<S,ci>) query and <S,ci> is exactly the message outputted by Cρi as an answer to a Send0 query.
(1) If the message is not match-session-generated, the simulator checks through its PCA oracle whether (c′i,si,Hi) is valid. If it is valid, we simply let the adversary win the game and denote this event by Win1; if it is not, we let the client directly abort this session.
(2) If the message is match-session-generated, the simulator checks whether (si,Hi) obtained above is compatible with the verifier held by the server session. If they are compatible, the simulator answers the query as in game G1, computing the SPHF value from the client side as ~tki||~tpi=tkj||tpj=Hash(Ls,H,hkj,ci), and removes the verification process against the ciphertext c′i; If they are compatible, we let the client directly abort this session.
Note that except the event Win1 happens, modification in this game does not affect the adversary's advantage. Hence the advantage of the adversary satisfies Adv5(A)⩽Adv6(A).
Game G7: This game modifies the way Send0 queries are answered, through replacing the ciphertext ci by an encryption corresponding to a dummy password π0. Similar to the analysis in game G2, we could bound the advantage gap as
|Adv7(A)−Adv6(A)|⩽qsend⋅AdvcpaE(t). | (7) |
Game G8: In this game, we change the simulation of Send1 queries as follows. If the message <S,ci> is generated by some honest client session or is generated by the adversary in the name of some honest client session but with incompatible password, the simulator replaces the SPHF values tkj||tpj,1⩽j⩽n by truly random strings. Similar to the analysis in game G3, the advantage gap between this game and the last one is at most
|Adv8(A)−Adv7(A)|⩽qsend⋅n⋅εSPHF(k). | (8) |
Game G9: This game continues the modification of Send1 queries. Upon receiving a message <S,ci> that is generated by the adversary in the name of some client session Cρi, where Ci and S hold incompatible passwords, we simply let the adversary win the game and denote this event by Win2. As a consequence, Adv8(A)⩽Adv9(A).
Game G10: In this game, similar to game G4, we replace the ciphertext c′j by an encryption corresponding to a dummy password π0 as c′j=Enc′(pk′,sj||Hj,0;label;tkj), where Hj,0=sF(π0)j, for all 1⩽j⩽n. Recall that the adversary needs the access to the PCA oracles since in game G6. By utilizing a classical hybrid argument, we could estimate the advantage gap as
|Adv10(A)−Adv9(A)|⩽qsend⋅n⋅AdvpcaE′(t) | (9) |
In the last game G10, all the messages and session keys are changed such that no information of the passwords is included. Thus, the adversary can only win the game on the case that the events win1 or win2 happens. Recall that all the passwords are chosen at random but not actually used, the probability that events win1 or win2 happens is bounded by C′⋅qs′send, , where C′ and s′ are the Zipf parameters [1,29]. To sum up, the global advantage of any adversary is bounded by the inequality (2) in the theorem.
Theorem 2. Based on the same assumptions as theorem 1, the verifier-based APAKE protocol guarantees client anonymity against the honest-but-curious server.
Proof. Note that the adversary against the client anonymity is considered to be an honest-but-curious one. We also recall that in the proof of theorem 1, all the messages outputted by Execute,Send queries have been incrementally changed into messages and ciphertexts corresponding to the same dummy password π0. Henceforth, no matter which client is actually involved in the protocol, by following the similar steps as in game G1 to G4, we can prove that the adversary's view is subject to the same distribution. In other words, for any two clients Ci, Cj∈Γ, the two distributions Πi,Πj are identical to each other, thus are computational distinguishable.
In this section, we compare the proposed verifier-based APAKE protocol with other representative verifier-based APAKE, as well as PAKE, protocols, in terms of both security and efficiency.
Protocol type | Security model | Resistance to impersonation attacks | Number of rounds | Client computation | Server computation | |
Benhamouda et al. [25] | V-PAKE | standard | Yes | 2 | 3 E + 4 DE | 2 E + 4 DE |
Hu et al. [17] | APAKE | standard | Yes | 3 | 4E + 3 DE | 3n E + 3n DE |
Chen et al. [28] | V-APAKE | ROM | No | 3 | 6 E | (2n+3) E |
Yang et al. [27] | V-APAKE | standard | No | 2 | 3 E + 4 DE | 2n E + 4n DE |
Ours protocol | V-APAKE | standard | Yes | 2 | 4 E + 2 DE | 2n E + 4n DE |
The comparison results are presented in Table 1. The protocol type indicates the concrete type of the protocol, where V-PAKE, APAKE and V-APAKE are abbreviation of verifier-based PAKE, anonymous PAKE, and verifier-based anonymous PAKE respectively. The client and server computation stand for the main computational costs required by the client side and server side, where E denotes the time needed for computing one exponentiation and DE denotes the time needed for the computation of a double-exponentiation or multi-exponentiation.
As show in Table 1, our protocol is the only secure verifier-based APAKE protocol, while the verifier-based APAKE protocols in [27,28] are both vulnerable to impersonation attacks. The protocol requires only 2 rounds of communication, which is quite efficient compared to other protocols. When it comes to computational costs, the new protocol enjoys considerable efficiency in terms of number of exponentiations and double-exponentiations. The computational cost needed on the server side is almost equal to those in [17,27], and the cost on the client side is less than those in [17,25,27] thanks to the application of the PCA-secure encryption instead of CCA-secure encryption. Although Chen et al.'s protocol [28] is more efficient than ours, but it depends on the ROM in depth. On the contrary, our protocol is provably secure in the standard model.
In this paper, we first show that two recently proposed verifier-based APAKE protocols are vulnerable to impersonation attacks, thus does not reach their security goals. Then, we put forward a new verifier-based APAKE protocol based on implicitly checking the validity of the verifier via smooth projective hash functions for complex languages. The new protocol is with provable security in the standard model, and enjoys considerable computation and communication efficiency.
This work was supported in part by the National Nature Science Foundation of China under Grants Nos. 61702549, 61862011, 61872449, and in part by Guangxi Natural Science Foundation under Grant No. 2018GXNSFAA138116 and the Guangxi Key Laboratory of Cryptography and Information Security under Grant No. GCIS201704, and in part by Foundation of Science and Technology on Information Assurance Laboratory under Grant No. KJ-17-001.
The authors declare that they have no conflict of interest.
[1] | D. Wang, H. Cheng, P. Wang, et al., Zipf's law in passwords. IEEE T. Inf. Foren. Sec., 12 (2017), 2776–2791. |
[2] | S. M. Bellovin and M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, in Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy, IEEE, (1992), 72–84. |
[3] | E. Bresson, O. Chevassut and D. Pointcheval, Security proofs for an efficient password-based key exchange, in Proceedings of ACM CCS 2003, ACM Press, (2003), 241–250. |
[4] | M. Abdalla and D. Pointcheval, Simple password-based encrypted key exchange protocols, in Proceedings of CT-RSA 2005, Springer, (2005), 191–208. |
[5] | J. Katz, R. Ostrovsky and M. Yung, Efficient password-authenticated key exchange using human- memorable passwords, in Proceedings of EUROCRYPT 2001, Springer, (2001), 475–494. |
[6] | F. Benhamouda, O. Blazy, C. Chevalier, et al., New techniques for SPHFs and efficient one-round PAKE protocols, in Proceedings of CRYPTO 2013, Springer, (2013), 449–475. |
[7] | X. Yi, F. Y. Rao, Z. Tari, et al., ID2S password-authenticated key exchange protocols, IEEE T. Comput., 65 (2016), 3687–3701. |
[8] | Y. Zhang, Y. Xiang, W. Wu, et al., A variant of password authenticated key exchange protocol, Future Gener. Comput. Sy., 78 (2018), 699–711. |
[9] | Z. Li and D. Wang, Two-round PAKE protocol over lattices without NIZK, in Proceedings of ICISC 2018, Springer, (2018), 138–159. |
[10] | M. Abdalla, P. A. Fouque and D. Pointcheval, Password-based authenticated key exchange in the three-party setting, in Proceedings of PKC 2005, Springer, (2005), 65–84. |
[11] | F. Wei, N. Kumar, D. He, et al., A general compiler for password-authenticated group key exchange protocol in the standard model, Discrete Appl. Math., 241 (2018), 78–86. |
[12] | M. Bellare, D. Pointcheval and P. Rogaway, Authenticated key exchange secure against dictionary attacks, in Proceedings of EUROCRYPT 2000, Springer, (2000), 139–155. |
[13] | R. Canetti, S. Halevi, J. Katz, et al., Universally composable password-based key exchange, in Proceedings of EUROCRYPT 2005, Springer, (2005), 404–421. |
[14] | D. Q. Viet, A. Yamamura and H. Tanaka, Anonymous password-based authenticated key exchange, in Proceedings of INDOCRYPT 2005, Springer, (2005), 244–257. |
[15] | J. Yang and Z. Zhang, A new anonymous password-based authenticated key exchange protocol, in Proceedings of INDOCRYPT 2008, Springer, (2008), 200–212. |
[16] | S. H. Shin, K. Kobar and H. Imai, Very-efficient anonymous password-authenticated key exchange and its extensions, in Proceedings of AAECC 2009, Springer, (2009), 149–158. |
[17] | X. Hu, J. Zhan, Z. Zhang, et al., Anonymous Password Authenticated Key Exchange Protocol in the Standard Model, Wirel. Pers. Commun., 96 (2017), 1451–1474. |
[18] | Y. Yang, J. Zhou, J. Weng, et al., A new approach for anonymous password authentication, in Proceedings of ACSAC 09, IEEE, (2009), 199–208. |
[19] | S. H. Shin and K. Kobara, Simple anonymous password-based authenticated key exchange (SAPAKE), reconsidered, IEICE T. Fundam. Electron. Commun. Comput. Sci., 100 (2017), 639–652. |
[20] | Z. Zhang, K. Yang, X. Hu, et al., Practical anonymous password authentication and TLS with anonymous client authentication, in Proceedings of ACM CCS 2016, ACM Press, (2016), 1179–1191. |
[21] | Information technology-Security techniques-Anonymous entity authentication-Part 4: Mechanisms based on weak secrets, ISO/IEC standard 20009-4, 2017. Available from: https:// www. iso. org/ standard/64288.html. |
[22] | K. Thomas, F. Li, A. Zand, et al., Data breaches, phishing, or malware? Understanding the risks of stolen credentials, in Proceedings of ACM CCS 2017, ACM Press, (2017), 1421–1434. |
[23] | J. Li, L. Stecker, E. Zeigler, et al., Scramble the password before you type it, in Proceedings of World Conference on Information Systems and Technologies, Springer, (2018), 1097–1107. |
[24] | Facebook Security Breach Exposes Accounts of 50 Million Users, 2018. Available from: https://www.nytimes.com/ 2018/09/28/ technology/facebook-hack-data-breach.html. |
[25] | F. Benhamouda and D. Pointcheval, Verifier-based password-authenticated key exchange: new models and constructions. IACR Crypt. ePrint Archive, 2013: 833. |
[26] | D. Pointcheval and G. Wang, VTBPEKE: verifier-based two-basis password exponential key exchange, in Proceedings of Asia CCS 2017, ACM Press, (2017), 301–312.v 27. X. Yang, H. Jiang, Q. Xu, et al., A provably-secure and efficient verifier-based anonymous password-authenticated key exchange protocol, in Proceedings of Trustcom/BigDataSE/ISPA, 2016, IEEE, (2016), 670–677. |
[27] | 28. C. M. Chen, G. J. Wang, W. C. Fang, et al., A new verifier-based anonymous password- authenticated key exchange protocol, J. Info. Hiding Multimedia Signal Process., 9 (2018), 1595–1602. |
[28] | 29. D. Wang and P. Wang, Two birds with one stone: Two-factor authentication with security beyond conventional bound, IEEE T. Depend. Secure Comput., 15 (2018), 708–722. |
[29] | 30. F. Wei, P. Vijayakumar, Q. Jiang, et al., A mobile intelligent terminal based anonymous authenticated key exchange protocol for roaming service in global mobility networks, IEEE T. Sustain. Comput., 2018. |
[30] | 31. M. Abdalla, F. Benhamouda and D. Pointcheval, Public-key encryption indistinguishable under plaintext-checkable attacks, in Proceedings of PKC 2015, Springer, (2015), 332–352. |
[31] | 32. R. Cramer and V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in Proceedings of EUROCRYPT 2002, Springer, (2002), 45–64. |
[32] | 33. R. Gennaro and Y. Lindell, A framework for password-based authenticated key exchange, in Proceedings of EUROCRYPT 2003, Springer, (2003), 524–543. |
[33] | 34. J. Katz and V. Vaikuntanatha, Round-optimal password-based authenticated key exchange, in Proceedings of TCC 2011, Springer, (2011), 293–310. |
[34] | 35. M. Abdalla, F. Benhamouda and D. Pointcheval, Disjunctions for hash proof systems: New constructions and applications, in Proceedings of EUROCRYPT 2015, Springer, (2015), 69–100. |
[35] | 36. S. Even, O. Goldreich and S. Mical, On-line/off-line digital signatures, in Proceedings of CRYPTO 89, Springer, (1989), 263–275. |
[36] | 37. F. Kiefer and M. Manulis, Zero-knowledge password policy checks and verifier-based PAKE, in Proceedings of ESORICS 2014, Springer, (2014), 295–312. |
[37] | 38. A. Groce and J. Katz, A new framework for efficient password-based authenticated key exchange, in Proceedings of ACM CCS 2010, ACM Press, (2010), 516–525. |
1. | Qihui Zhang, Wenfen Liu, Kang Yang, Xuexian Hu, Ying Mei, 2020, Chapter 30, 978-3-030-42920-1, 499, 10.1007/978-3-030-42921-8_30 | |
2. | Yousheng Zhou, Yang Luo, Mohammad S. Obaidat, P. Vijayakumar, Xiaojun Wang, 2021, PAMI-Anonymous Password Authentication Protocol for Medical Internet of Things, 978-1-7281-8104-2, 1, 10.1109/GLOBECOM46510.2021.9685900 | |
3. | Yongli Tang, Ying Li, Zongqu Zhao, Jing Zhang, Lina Ren, Yuanhong Li, Zhe-Li Liu, Improved Verifier-Based Three-Party Password-Authenticated Key Exchange Protocol from Ideal Lattices , 2021, 2021, 1939-0122, 1, 10.1155/2021/6952869 | |
4. | Preecha Yupapin, Chandrashekhar Meshram, Sharad Kumar Barve, Rabha W. Ibrahim, Muhammad Azeem Akbar, An efficient provably secure verifier-based authentication protocol using fractional chaotic maps in telecare medicine information systems, 2023, 1432-7643, 10.1007/s00500-023-07889-4 |
Protocol type | Security model | Resistance to impersonation attacks | Number of rounds | Client computation | Server computation | |
Benhamouda et al. [25] | V-PAKE | standard | Yes | 2 | 3 E + 4 DE | 2 E + 4 DE |
Hu et al. [17] | APAKE | standard | Yes | 3 | 4E + 3 DE | 3n E + 3n DE |
Chen et al. [28] | V-APAKE | ROM | No | 3 | 6 E | (2n+3) E |
Yang et al. [27] | V-APAKE | standard | No | 2 | 3 E + 4 DE | 2n E + 4n DE |
Ours protocol | V-APAKE | standard | Yes | 2 | 4 E + 2 DE | 2n E + 4n DE |
Protocol type | Security model | Resistance to impersonation attacks | Number of rounds | Client computation | Server computation | |
Benhamouda et al. [25] | V-PAKE | standard | Yes | 2 | 3 E + 4 DE | 2 E + 4 DE |
Hu et al. [17] | APAKE | standard | Yes | 3 | 4E + 3 DE | 3n E + 3n DE |
Chen et al. [28] | V-APAKE | ROM | No | 3 | 6 E | (2n+3) E |
Yang et al. [27] | V-APAKE | standard | No | 2 | 3 E + 4 DE | 2n E + 4n DE |
Ours protocol | V-APAKE | standard | Yes | 2 | 4 E + 2 DE | 2n E + 4n DE |