
A Three-Party Dynamic Identity-Based Authenticated Key Exchange Protocol with Forward Anonymity

  • Published in: Wireless Personal Communications

Abstract

Three-party (two clients and one server) authenticated key exchange protocols use a pre-shared password to authenticate the parties and then, with the help of the server, let the two clients compute a fresh session key. The setting in which such protocols are deployed today differs markedly from the one considered in the conventional literature, and the two biggest differences are that most earlier protocols guarantee neither user anonymity nor forward anonymity. We therefore propose a new three-party key exchange protocol based on dynamic identity authentication that provides forward anonymity: even if the server's long-term key is compromised, user anonymity is not broken and the identities of the users cannot be traced, and the two communicating parties, with the help of the authentication server, authenticate each other and establish a session key. Compared with existing three-party key exchange protocols, our protocol has lower computation and communication cost, which makes it better suited to resource-constrained environments.


References

  1. Zhao, J., & Dawu, G. (2012). Provably secure three-party password-based authenticated key exchange protocol. Information Sciences, 184, 301–323.

  2. Okamoto, T. (2007). Authenticated key exchange and key encapsulation in the standard model. Lecture Notes in Computer Science, Vol. 4833. Berlin: Springer.

  3. Yang, J., & Chang, C. (2009). An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Computers and Security, 28, 138–143.

  4. Abdalla, M., Catalano, D., Chevalier, C., & Pointcheval, D. (2008). Efficient two-party password-based key exchange protocols in the UC framework. Lecture Notes in Computer Science, Vol. 4964, pp. 335–351. Berlin: Springer.

  5. Byun, J., Lee, D., & Lim, J. (2008). Cryptanalysis of simple three-party key exchange protocol (S-3PAKE). Information Sciences, 178(13), 2849–2856.

  6. Phan, R., Yau, W., & Goi, B. (2011). A communication-efficient three-party password authenticated key exchange protocol. Information Sciences, 181(1), 217–226.

  7. Yang, J., Seo, C., & Cho, J. (2007). A three-party authenticated key exchange scheme smartcard using elliptic curve cryptosystem for secure key exchange in wireless sensor network. In ISCE 2007 (pp. 1–6).

  8. Das, M. L., Saxena, A., & Gulati, V. P. (2004). A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2), 629–631.

  9. Hao, F. (2010). On robust key agreement based on public key authentication (short paper). In International Conference on Financial Cryptography and Data Security (pp. 383–390). Springer.

  10. Wang, D., Ma, C., Wang, P., & Chen, Z. (2012). Robust smart card based password authentication scheme against smart card security breach. IACR Cryptology ePrint Archive.

  11. Lee, H., Nam, J., Kim, M., & Won, D. (2016). Forward anonymity-preserving secure remote authentication scheme. KSII Transactions on Internet and Information Systems, 3(10), 1298–1310.

  12. Abdalla, M., Fouque, P.-A., & Pointcheval, D. (2005). Password-based authenticated key exchange in the three-party setting. Lecture Notes in Computer Science, pp. 65–84. Berlin: Springer.

  13. Islam, S. H. (2014). Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Dordrecht: Springer.

  14. Yi, T., Chen, H., & Wu, D. (2013). Improved password-based key exchange protocol for three-parties. Computer Applications and Software, 30(1), 313–315.

  15. Lee, Y. (2012). A new dynamic ID-based user authentication scheme to resist smart card theft attack. Applied Mathematics & Information Sciences, 6(2), 355–361.

  16. Yang, H., Chen, J., & Zhang, Y. (2015). An improved two-party authentication key exchange protocol for mobile environment. Wireless Personal Communications, 85(3), 1399–1409. https://doi.org/10.1007/s11277-015-2847-7

  17. Jeong, I. R., Katz, J., & Lee, D. H. (2004). One-round protocols for two-party authenticated key exchange. In International Conference on Applied Cryptography and Network Security (pp. 220–232).

  18. Lv, C., Ma, M., Li, H., Ma, J., & Zhang, Y. (2013). A novel three-party authenticated key exchange protocol using one-time key. Journal of Network and Computer Applications, 36(1), 498–503. https://doi.org/10.1016/j.jnca.2012.04.006

  19. Tan, Z. W. (2010). A note on an enhanced three-party authentication key exchange protocol. Key Engineering Materials, 439–440, 1367–1372.

  20. Yang, J.-H., & Cao, T.-J. (2012). Provably secure three-party password authenticated key exchange protocol in the standard model. Journal of Systems and Software, 85(2), 340–350. https://doi.org/10.1016/j.jss.2011.08.024

  21. Wang, H., Zhang, H., Li, J., & Xu, C. (2013). A (3, 3) visual cryptography scheme for authentication. Journal of Shenyang Normal University (Natural Science Edition), 31(101(03)), 397–400.


Acknowledgements

This work was supported by the 2019 Liaoning Provincial Natural Science Foundation of China: “Research on privacy authentication mechanism and multi-party intelligent contract system based on blockchain technology”.

Corresponding author

Correspondence to Hongfeng Zhu.


Appendix A: Proof of Theorems

\( Game_{0} \): In the random oracle model (Tables 3, 4), a game corresponds to a real attack. \( Game_{0} \) is the real attack, in which the attacker tries to guess the bit \( b \) used in the \( Test \) query, so we have:

Table 3 Hash oracle and encryption/decryption simulator [11]
Table 4 Simulation of the \( Send \), \( Execute \), \( Reveal \) and \( Test \) queries [11]
$$ Adv_{P,A}^{ake} = 2\Pr [S_{0} ] - 1 $$

\( Game_{1} \): In this game we simulate the random oracle \( h \) and the encryption \( E \) / decryption \( D \) oracles, which maintain a hash list \( \varLambda_{h} \) and an encryption list \( \varLambda_{e} \). We also simulate all participant instances and the \( Send \), \( Execute \), \( Reveal \) and \( Test \) queries. This simulation is indistinguishable from the real attack except when the permutation property of the encryption \( E \) or decryption \( D \) fails to hold. So the probability difference between \( Game_{0} \) and \( Game_{1} \) is:

$$ |\Pr [S_{1} ] - \Pr [S_{0} ]| \le \frac{{q_{e}^{2} }}{2(p - 1)(q - 1)} $$

\( Game_{2} \): In this game we simulate all the oracles of \( Game_{1} \) and abort on collisions. By the birthday paradox, the probability of a collision in the output of the encryption oracle is at most \( \frac{{q_{e}^{2} }}{2(p - 1)(q - 1)} \), the probability of a collision in the hash oracle output is at most \( \frac{{q_{h}^{2} }}{{2^{l + 1} }} \), and likewise the probability of a collision among the protocol transcripts is at most \( \frac{{(q_{send} + q_{exe} )^{2} }}{2(p - 1)(q - 1)} \). Thus the probability difference between \( Game_{2} \) and \( Game_{1} \) is:

$$ |\Pr [S_{2} ] - \Pr [S_{1} ]| \le \frac{{q_{e}^{2} }}{2(p - 1)(q - 1)} + \frac{{q_{h}^{2} }}{{2^{l + 1} }} + \frac{{(q_{send} + q_{exe} )^{2} }}{2(p - 1)(q - 1)} $$

\( Game_{3} \): In this game we abort if the attacker guesses the password correctly, encrypts under it, and sends the resulting ciphertext to the server. We do this by modifying how the server handles the query: it first checks whether \( (pw,*,E,Y_{i} ) \) already belongs to \( \varLambda_{e} \). If such an entry exists, the password guess is counted as correct and the game is terminated. Otherwise it computes \( V_{{S_{1} }} = A^{{x_{1} }} \) and \( K_{{S_{1} }} = A^{{s_{1} }} \) as usual. \( Game_{3} \) and \( Game_{2} \) are indistinguishable unless this event occurs, so the probability difference is:

$$ |\Pr [S_{3} ] - \Pr [S_{2} ]| \le \Pr [Encrypt_{3} ] = \frac{{q_{send} }}{|D|} $$

\( Game_{4} \): In this game we abort if the attacker produces an authenticator \( auth_{i} \), that is \( H_{{S_{A} }} = H_{4} (T\|A\|ID_{A} \|ID_{B} ) \), that is accepted according to the original protocol without the corresponding message having been queried to the hash oracle. There are two cases to consider: the simulator and the attacker succeed in decrypting to obtain \( a \), or the attacker queries the hash oracle. Therefore \( Game_{4} \) and \( Game_{3} \) are indistinguishable unless the attacker guesses the authenticator without querying the hash oracle, and the probability difference is:

$$ |\Pr [S_{4} ] - \Pr [S_{3} ]| \le \frac{{q_{send} }}{{2^{l} }} $$

\( Game_{5} \): In this game the simulator defines a private hash oracle \( h^{'} \) and uses it to compute the session key \( SK \), so that the value of \( SK \) is completely independent of \( h \), \( SK_{U} \) and \( SK_{S} \). For an \( Execute \) query the simulator returns \( SK_{AB} = (g^{b} )^{a} = (B)^{a} \). We define the event \( AskH_{5} \): the attacker queries the hash function \( h \) on \( ID_{i} \|h_{0}^{c} \|B\|B^{c} \) or \( ID_{i} \|A\|B\|h_{0}^{cb} \), that is, on the common value \( ID_{i} \|h_{0}^{c} \|h_{0}^{b} \|h_{0}^{cb} \). \( Game_{5} \) and \( Game_{4} \) are therefore distinguishable only if the event \( AskH_{5} \) occurs. Since only the simulator can access \( h^{'} \) and the attacker cannot, whichever bit \( b \) is chosen, the value the attacker receives from the \( Test \) query is a random string of the same length as the session key and independent of the real session key. Therefore the probability difference between \( Game_{5} \) and \( Game_{4} \) is:

$$ |\Pr [S_{5} ] - \Pr [S_{4} ]| \le \Pr [AskH_{5} ],\quad \Pr [S_{5} ] = \frac{1}{2} $$

\( Game_{6} \): In this game we embed a random instance of the CDH problem into the protocol execution. Given a CDH instance \( (A,B) \), we do not need to know the values \( \vartheta \) and \( \varphi \), because the session key is not generated from them. We define the event \( AskH_{6} \): the attacker queries the random oracle \( h \) on \( ID_{i} \|h_{0}^{c} \|h_{0}^{b} \|h_{0}^{cb} \). By the above analysis, the probability of event \( AskH_{5} \) is bounded by the probability of event \( AskH_{6} \), that is \( \Pr [AskH_{5} ] \le \Pr [AskH_{6} ] \).

So:

$$ |\Pr [AskH_{6} ]| \le q_{h} Succ_{G}^{cdh} (t^{'} ) $$

In summary:

$$ \begin{aligned} Adv_{P}^{ake} (A) \le \frac{{2q_{send} }}{|D|} + 2q_{h} Succ_{G}^{cdh} (t + (q_{send} + q_{exe} + 1) \cdot \tau_{G} ) \\ + \frac{{2q_{e}^{2} + (q_{send} + q_{exe} )^{2} }}{(p - 1)(q - 1)} + \frac{{q_{h}^{2} }}{{2^{l} }} + \frac{{q_{send} }}{{2^{l - 1} }} \\ \end{aligned} $$
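As an added worked derivation (not part of the original appendix), the final bound follows by telescoping the game-hop differences above, using \( \Pr [S_{5} ] = \tfrac{1}{2} \) from the argument of \( Game_{5} \), \( \Pr [AskH_{5} ] \le \Pr [AskH_{6} ] \le q_{h} Succ_{G}^{cdh} (t^{'} ) \) from \( Game_{6} \), and writing \( t^{'} = t + (q_{send} + q_{exe} + 1) \cdot \tau_{G} \):

$$ \begin{aligned} Adv_{P}^{ake} (A) &= 2\Pr [S_{0} ] - 1 = 2\left( \Pr [S_{0} ] - \Pr [S_{5} ] \right) + \left( 2\Pr [S_{5} ] - 1 \right) \\ &\le 2\sum_{i = 0}^{4} \left| \Pr [S_{i + 1} ] - \Pr [S_{i} ] \right| \\ &\le 2\left( \frac{{q_{e}^{2} }}{2(p - 1)(q - 1)} + \frac{{q_{e}^{2} + (q_{send} + q_{exe} )^{2} }}{2(p - 1)(q - 1)} + \frac{{q_{h}^{2} }}{{2^{l + 1} }} + \frac{{q_{send} }}{|D|} + \frac{{q_{send} }}{{2^{l} }} + q_{h} Succ_{G}^{cdh} (t^{'} ) \right) \\ &= \frac{{2q_{send} }}{|D|} + 2q_{h} Succ_{G}^{cdh} (t^{'} ) + \frac{{2q_{e}^{2} + (q_{send} + q_{exe} )^{2} }}{(p - 1)(q - 1)} + \frac{{q_{h}^{2} }}{{2^{l} }} + \frac{{q_{send} }}{{2^{l - 1} }} \end{aligned} $$

The five summands in the third line are, in order, the bounds from \( Game_{1} \), \( Game_{2} \) (its two encryption-list terms merged), \( Game_{3} \), \( Game_{4} \) and \( Game_{5} \)/\( Game_{6} \); the factor 2 comes from the definition \( Adv = 2\Pr [S_{0} ] - 1 \).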


Zhu, H., Geng, S. A Three-Party Dynamic Identity-Based Authenticated Key Exchange Protocol with Forward Anonymity. Wireless Pers Commun 109, 1911–1924 (2019). https://doi.org/10.1007/s11277-019-06659-6
