# Ephemeral-Secret-Leakage Secure ID-Based Three-Party Authenticated Key Agreement Protocol for Mobile Distributed Computing Environments

## Abstract

## 1. Introduction

## 2. Preliminaries

#### 2.1. Bilinear Pairings

- Bilinearity: Let $P,Q,R\in {G}_{1}$; then:
  1. $\widehat{e}\left(P+Q,R\right)=\widehat{e}\left(P,R\right)\cdot \widehat{e}\left(Q,R\right)$;
  2. $\widehat{e}\left(P,Q+R\right)=\widehat{e}\left(P,Q\right)\cdot \widehat{e}\left(P,R\right)$;
  3. $\widehat{e}\left(aP,bP\right)=\widehat{e}\left(bP,aP\right)=\widehat{e}{\left(P,P\right)}^{ab}$.

- Non-degeneracy: There exists $P\in {G}_{1}$ such that $\widehat{e}\left(P,P\right)\ne 1$.
- Computability: For all $P,Q\in {G}_{1}$, there exists an efficient algorithm to compute $\widehat{e}\left(P,Q\right)$.

#### 2.2. Computational Problems

- Discrete Logarithm Problem (DLP): Given $P,Q\in {G}_{1}$, find an integer $a$ such that $Q=aP$ whenever such an integer exists.
- Computational Diffie-Hellman Problem (CDHP): Given $P,aP,bP\in {G}_{1}$ for unknown $a,b\in {Z}_{q}^{*}$, compute the value $abP\in {G}_{1}$.

#### 2.3. Security Attributes

**Known-Key Security.** A unique session key should be constructed in each round of an AKA protocol. An adversary who has compromised some previous session keys cannot derive other session keys from them. The main purpose of known-key security is to ensure that the compromise of one session key does not compromise other or future session keys.

**Forward Secrecy.** If the long-term private keys of one or more of the participants are compromised, an adversary still cannot obtain previously established session keys. The main purpose of forward secrecy is to provide complete protection for previously transferred messages. If all long-term private keys of the participants can be compromised without compromising previously established session keys, the AKA protocol still protects the previously transferred messages, and we say that it offers perfect forward secrecy.

**Key-Compromise Impersonation Resilience.** Suppose that $A$’s private key has been revealed to an adversary. The adversary can only impersonate $A$ to cheat $S$ and $B$. It is desired that the compromise of $A$’s private key does not allow the adversary to impersonate $S$ or $B$ to cheat $A$.

**Unknown Key-Share Resilience.** In an unknown key-share attack, after the session key has been established, $A$ believes the session key is shared with $S$ and $B$, while $S$ and $B$ mistakenly believe that the session key is shared with an adversary instead. A desirable AKA protocol should therefore be resistant to unknown key-share attacks: none of the participants can force $A$ to establish a session key with a participant $A$ does not know while $A$ believes it is sharing the session key with the participants it knows.

**Key Control Resilience.** The session key should be determined jointly by all participants (e.g., $A$, $S$ and $B$). None of the participants can control the session key construction procedure alone. The main purpose of key control resilience is to ensure the fairness and security of session key construction. It should not be possible for any participant or adversary to predict or predetermine the session key value.

#### 2.4. Notations

- ${G}_{1}$: an additive cyclic group.
- ${G}_{2}$: a multiplicative cyclic group.
- $\widehat{e}$: a bilinear map, $\widehat{e}:{G}_{1}\times {G}_{1}\to {G}_{2}$.
- $P$: a generator of the group ${G}_{1}$.
- $s$: the private key of the authentication server, $s\in {Z}_{q}^{*}$.
- ${P}_{pub}$: the public key of the authentication server, ${P}_{pub}=s\cdot P$.
- $I{D}_{S}$: the identity of the authentication server.
- $I{D}_{A}$: the identity of the client.
- $I{D}_{B}$: the identity of the application server.
- $DI{D}_{A/B}$: the private key of $I{D}_{A}$/the private key of $I{D}_{B}$.
- ${f}_{1}(),{f}_{2}(),{f}_{3}(),{f}_{4}(),{f}_{5}(),{f}_{6}()$: six one-way hash functions, ${f}_{1},{f}_{2},{f}_{3},{f}_{4},{f}_{5},{f}_{6}:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{n}$, where $n$ is a fixed length and ${2}^{n}<q$.
- ${H}_{1}(),{H}_{2}()$: two map-to-point hash functions, ${H}_{1},{H}_{2}:{\left\{0,1\right\}}^{*}\to {G}_{1}$.

## 3. The Proposed Protocol

#### 3.1. System Setup Phase

- Randomly select a system private key $s\in {Z}_{q}^{*}$.
- Compute the system public key ${P}_{pub}=s\cdot P$.
- Choose two map-to-point hash functions ${H}_{1},{H}_{2}:{\left\{0,1\right\}}^{*}\to {G}_{1}$.
- Choose six one-way hash functions ${f}_{1},{f}_{2},{f}_{3},{f}_{4},{f}_{5},{f}_{6}:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{n}$, where $n$ is a fixed length and ${2}^{n}<q$.
- Publish the public parameters and functions $Params=<{G}_{1},{G}_{2},q,P,\widehat{e},{P}_{pub},{H}_{1},{H}_{2},{f}_{1},{f}_{2},{f}_{3},{f}_{4},{f}_{5},{f}_{6}>$.

#### 3.2. Key Extract Phase

- The client $A$ submits its identity $I{D}_{A}$ to the authentication server $S$.
- Upon receiving the identity $I{D}_{A}$ from the client $A$, the authentication server $S$ chooses an ephemeral secret value ${l}_{A}\in {Z}_{q}^{*}$ and computes $QI{D}_{A1}={l}_{A}\cdot P$, ${h}_{A}={f}_{1}\left(I{D}_{A},QI{D}_{A1}\right)$, $DI{D}_{A1}={l}_{A}+{h}_{A}\cdot s$, $QI{D}_{A2}={H}_{1}\left(I{D}_{A}\right)$, $QI{D}_{S}={H}_{1}\left(I{D}_{S}\right)$ and $DI{D}_{A2}=s\cdot QI{D}_{A2}$.
- The authentication server $S$ sets $DI{D}_{A}=\left(DI{D}_{A1},DI{D}_{A2},QI{D}_{A1},QI{D}_{S}\right)$ as the client $A$’s private key and sends it to the client $A$ via a secure channel.

#### 3.3. Mutual Authentication and Key Agreement Phase

**Client $A$:**

1. Randomly select an ephemeral secret ${r}_{A}\in {Z}_{q}^{*}$.
2. Compute ${U}_{A1}={r}_{A}\cdot P$ and ${U}_{A2}={r}_{A}\cdot QI{D}_{A2}$.
3. Compute ${W}_{A}={H}_{2}\left({U}_{A1},{U}_{A2}\right)$ and ${V}_{A}=\left({r}_{A}+DI{D}_{A1}\right)\cdot {W}_{A}+DI{D}_{A2}$.
4. Send $<I{D}_{A},I{D}_{B},{U}_{A1},{U}_{A2},{V}_{A},QI{D}_{A1}>$ to the authentication server $S$.

**Authentication server $S$:**

1. Compute ${W}_{A}={H}_{2}\left({U}_{A1},{U}_{A2}\right)$, ${h}_{A}={f}_{1}\left(I{D}_{A},QI{D}_{A1}\right)$ and $QI{D}_{A2}={H}_{1}\left(I{D}_{A}\right)$.
2. Check whether $\widehat{e}\left(P,{V}_{A}\right)=\widehat{e}\left({U}_{A1}+QI{D}_{A1},{W}_{A}\right)\cdot \widehat{e}\left({P}_{pub},{h}_{A}\cdot {W}_{A}+QI{D}_{A2}\right)$ holds. If it does, the authentication server $S$ accepts the request; otherwise, the authentication server $S$ terminates the session.
3. Randomly select an ephemeral secret ${r}_{S}\in {Z}_{q}^{*}$.
4. Compute ${U}_{S}={r}_{S}\cdot P$, ${U}_{SB1}={r}_{S}\cdot {U}_{A1}$ and ${U}_{SB2}={r}_{S}\cdot {U}_{A2}$.
5. Compute $DI{D}_{S}=s\cdot QI{D}_{S}$, ${h}_{SB}={f}_{2}\left(I{D}_{A},I{D}_{B},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$ and ${V}_{SB}={r}_{S}\cdot {P}_{pub}+{h}_{SB}\cdot DI{D}_{S}$.
6. Send $<I{D}_{A},{U}_{S},{U}_{SB1},{U}_{SB2},{V}_{SB}>$ to the application server $B$.

**Application server $B$:**

1. Compute ${h}_{SB}={f}_{2}\left(I{D}_{A},I{D}_{B},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$.
2. Check whether $\widehat{e}\left({V}_{SB},P\right)=\widehat{e}\left({U}_{S}+{h}_{SB}\cdot QI{D}_{S},{P}_{pub}\right)$ holds. If it does, the application server $B$ accepts the request; otherwise, the application server $B$ terminates the session.
3. Randomly select an ephemeral secret ${r}_{B}\in {Z}_{q}^{*}$.
4. Compute ${U}_{B1}={r}_{B}\cdot P$ and ${U}_{B2}={r}_{B}\cdot QI{D}_{B2}$.
5. Compute ${W}_{B}={H}_{2}\left({U}_{B1},{U}_{B2}\right)$ and ${V}_{B}=\left({r}_{B}+DI{D}_{B1}\right)\cdot {W}_{B}+DI{D}_{B2}$.
6. Send $<I{D}_{B},{U}_{B1},{U}_{B2},{V}_{B},QI{D}_{B1}>$ to the authentication server $S$.

**Authentication server $S$:**

1. Compute ${W}_{B}={H}_{2}\left({U}_{B1},{U}_{B2}\right)$, ${h}_{B}={f}_{1}\left(I{D}_{B},QI{D}_{B1}\right)$ and $QI{D}_{B2}={H}_{1}\left(I{D}_{B}\right)$.
2. Check whether $\widehat{e}\left(P,{V}_{B}\right)=\widehat{e}\left({U}_{B1}+QI{D}_{B1},{W}_{B}\right)\cdot \widehat{e}\left({P}_{pub},{h}_{B}\cdot {W}_{B}+QI{D}_{B2}\right)$ holds. If it does, the authentication server $S$ accepts the application server $B$; otherwise, the authentication server $S$ terminates the session.
3. Compute ${U}_{SA1}={r}_{S}\cdot {U}_{B1}$ and ${U}_{SA2}={r}_{S}\cdot {U}_{B2}$.
4. Acquire two nonces ${N}_{A}$ and ${N}_{B}$.
5. Compute ${K}_{SA}=s\cdot {U}_{A2}$ and $Aut{h}_{SA}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{A1},{U}_{A2},{V}_{A},{N}_{A},{K}_{SA},{U}_{S},{U}_{SA1},{U}_{SA2}\right)$.
6. Compute ${K}_{SB}=s\cdot {U}_{B2}$ and $Aut{h}_{SB}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{B1},{U}_{B2},{V}_{B},{N}_{B},{K}_{SB},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$.
7. Send $<{N}_{A},Aut{h}_{SA},I{D}_{B},{U}_{S},{U}_{SA1},{U}_{SA2}>$ and $<{N}_{B},Aut{h}_{SB}>$ to the client $A$.

**Client $A$:**

1. Compute ${K}_{AS}={r}_{A}\cdot DI{D}_{A2}$.
2. Check whether $Aut{h}_{SA}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{A1},{U}_{A2},{V}_{A},{N}_{A},{K}_{AS},{U}_{S},{U}_{SA1},{U}_{SA2}\right)$ holds. If it does, the client $A$ accepts the authentication server $S$; otherwise, the client $A$ terminates the session.
3. Compute ${K}_{AB}=\widehat{e}\left({r}_{A}\cdot {P}_{pub}+{K}_{AS},{U}_{SA1}+{U}_{SA2}\right)$ and $Aut{h}_{AB}={f}_{4}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB}\right)$.
4. Send $<{N}_{B},Aut{h}_{SB},Aut{h}_{AB}>$ to the application server $B$.

**Application server $B$:**

1. Compute ${K}_{BS}={r}_{B}\cdot DI{D}_{B2}$.
2. Check whether $Aut{h}_{SB}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{B1},{U}_{B2},{V}_{B},{N}_{B},{K}_{BS},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$ holds. If it does, the application server $B$ accepts the authentication server $S$; otherwise, the application server $B$ terminates the session.
3. Compute ${K}_{BA}=\widehat{e}\left({U}_{SB1}+{U}_{SB2},{r}_{B}\cdot {P}_{pub}+{K}_{BS}\right)$.
4. Check whether $Aut{h}_{AB}={f}_{4}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{BA}\right)$ holds. If it does, the application server $B$ can be sure that the client $A$ is able to compute the session key; otherwise, the application server $B$ notifies the authentication server $S$ that the authentication has failed and terminates the session.
5. Compute $Aut{h}_{BA}={f}_{5}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{BA},Aut{h}_{AB}\right)$.
6. Compute the session key $S{K}_{AB}={f}_{6}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{BA},Aut{h}_{AB},Aut{h}_{BA}\right)$.
7. Send $<Aut{h}_{BA}>$ to the client $A$.
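
The following Python is an added worked example, not code from the paper or its authors. It runs Sections 3.1 to 3.3 end to end and checks the two pairing equations of step (2), the equalities ${K}_{SA}={K}_{AS}$ and ${K}_{AB}={K}_{BA}$, and the bilinearity properties of Section 2.1. Everything about the setting is constructed: the pairing is a toy map $\widehat{e}(xP,yP)={g}^{xy} \bmod p$ over ${G}_{1}={Z}_{q}$ with $P=1$ rather than an elliptic-curve group, the hash functions ${f}_{1},\dots,{f}_{6}$, ${H}_{1}$ and ${H}_{2}$ are SHA-256 reduced modulo $q$ and tagged with the function name, the nonces are 64-bit random values, and the identities `client-A`, `app-server-B` and `auth-server-S` are placeholders. Because discrete logarithms in this ${G}_{1}$ are trivial, the model validates only the protocol's algebra, not the hardness assumptions of Section 2.2.

```python
import hashlib
import secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed toy groups (insecure; they check the algebra, not the assumptions):
# G1 = Z_q with generator P = 1, so point addition is + mod q and scalar
# multiplication is * mod q; G2 = the order-q subgroup of Z_p^*; and
# e(xP, yP) = g^(x*y) mod p is bilinear and non-degenerate as in Section 2.1.
# Discrete logs in this G1 are trivial, so the DLP/CDHP of Section 2.2 do not hold.
q = next(n for n in range(10**6, 2 * 10**6) if _is_prime(n))        # prime order
k = next(k for k in range(2, 10**4, 2) if _is_prime(k * q + 1))     # p = k*q + 1 prime
p = k * q + 1
g = next(x for x in (pow(h, k, p) for h in range(2, p)) if x != 1)  # order exactly q
P = 1

def e(X, Y):                      # bilinear map G1 x G1 -> G2
    return pow(g, (X * Y) % q, p)

def f(tag, *items):               # f1..f6 modelled as SHA-256 reduced mod q; tag picks the function
    data = (tag + "|" + "|".join(str(i) for i in items)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H(tag, *items):               # map-to-point H1, H2: never the identity of G1
    return 1 + f(tag, *items) % (q - 1)

def rand_scalar():                # element of Z_q^*
    return 1 + secrets.randbelow(q - 1)

def check_bilinearity(a, b, c):   # Section 2.1: e(aP+bP, cP) = e(aP,cP)e(bP,cP), e(aP,bP) = e(P,P)^ab
    return (e((a + b) % q, c) == e(a, c) * e(b, c) % p
            and e(a, b) == pow(e(P, P), (a * b) % q, p))

def setup():                      # Section 3.1: private key s and public key P_pub = sP
    s = rand_scalar()
    return s, (s * P) % q

def extract(s, ID):               # Section 3.2: private key DID = (DID1, DID2, QID1) for ID
    l = rand_scalar()
    QID1 = (l * P) % q
    QID2 = H("H1", ID)
    return {"ID": ID, "QID1": QID1, "QID2": QID2,
            "DID1": (l + f("f1", ID, QID1) * s) % q, "DID2": (s * QID2) % q}

def sign_request(key):            # Section 3.3, steps (1)-(3) of A and of B: signature V on U2
    r = rand_scalar()
    U1, U2 = (r * P) % q, (r * key["QID2"]) % q
    W = H("H2", U1, U2)
    V = ((r + key["DID1"]) * W + key["DID2"]) % q
    return r, {"ID": key["ID"], "U1": U1, "U2": U2, "V": V, "QID1": key["QID1"]}

def server_verifies(Ppub, m):     # S's check e(P, V) = e(U1 + QID1, W) * e(P_pub, h*W + QID2)
    W, h, QID2 = H("H2", m["U1"], m["U2"]), f("f1", m["ID"], m["QID1"]), H("H1", m["ID"])
    rhs = e((m["U1"] + m["QID1"]) % q, W) * e(Ppub, (h * W + QID2) % q) % p
    return e(P, m["V"]) == rhs

def require(ok, who):
    if not ok:
        raise ValueError(who + " terminates the session")

def run_session(ID_A="client-A", ID_B="app-server-B", ID_S="auth-server-S"):
    """One honest run of Section 3.3; returns the values the text claims coincide."""
    s, Ppub = setup()
    keyA, keyB, QID_S = extract(s, ID_A), extract(s, ID_B), H("H1", ID_S)
    rA, mA = sign_request(keyA)                                       # A -> S
    require(server_verifies(Ppub, mA), "S")
    rS = rand_scalar()                                                # S -> B
    US, USB1, USB2 = (rS * P) % q, (rS * mA["U1"]) % q, (rS * mA["U2"]) % q
    hSB = f("f2", ID_A, ID_B, US, USB1, USB2)
    VSB = (rS * Ppub + hSB * ((s * QID_S) % q)) % q                   # DID_S = s*QID_S
    require(e(VSB, P) == e((US + hSB * QID_S) % q, Ppub), "B")
    rB, mB = sign_request(keyB)                                       # B -> S
    require(server_verifies(Ppub, mB), "S")
    USA1, USA2 = (rS * mB["U1"]) % q, (rS * mB["U2"]) % q             # S -> A
    NA, NB = secrets.randbits(64), secrets.randbits(64)
    KSA, KSB = (s * mA["U2"]) % q, (s * mB["U2"]) % q
    AuthSA = f("f3", ID_A, ID_B, mA["U1"], mA["U2"], mA["V"], NA, KSA, US, USA1, USA2)
    AuthSB = f("f3", ID_A, ID_B, mB["U1"], mB["U2"], mB["V"], NB, KSB, US, USB1, USB2)
    KAS = (rA * keyA["DID2"]) % q                                     # A -> B
    require(AuthSA == f("f3", ID_A, ID_B, mA["U1"], mA["U2"], mA["V"], NA, KAS, US, USA1, USA2), "A")
    KAB = e((rA * Ppub + KAS) % q, (USA1 + USA2) % q)
    AuthAB = f("f4", ID_A, ID_B, US, KAB)
    KBS = (rB * keyB["DID2"]) % q                                     # B -> A
    require(AuthSB == f("f3", ID_A, ID_B, mB["U1"], mB["U2"], mB["V"], NB, KBS, US, USB1, USB2), "B")
    KBA = e((USB1 + USB2) % q, (rB * Ppub + KBS) % q)
    require(AuthAB == f("f4", ID_A, ID_B, US, KBA), "B")
    AuthBA = f("f5", ID_A, ID_B, US, KBA, AuthAB)
    SK_B = f("f6", ID_A, ID_B, US, KBA, AuthAB, AuthBA)
    require(AuthBA == f("f5", ID_A, ID_B, US, KAB, AuthAB), "A")     # A checks Auth_BA
    SK_A = f("f6", ID_A, ID_B, US, KAB, AuthAB, AuthBA)
    return {"SK_A": SK_A, "SK_B": SK_B, "K_AB": KAB, "K_BA": KBA, "K_SA": KSA, "K_AS": KAS}
```

Calling `run_session()` returns both parties' session keys, which agree, together with the intermediate values that the protocol relies on being equal. Changing ${V}_{A}$ by even one unit (or any field that enters ${W}_{A}$ or ${h}_{A}$) makes `server_verifies` return `False`, which is the point where the text's "terminates the session" branch fires; the same holds for the ${V}_{B}$ check and for every $Auth$ comparison, since each of them is bound to the transcript values by a hash.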

#### 3.4. The Parallel Version

#### 3.5. Preventing and Tracing Network Crime

## 4. Security and Performance Analysis

#### 4.1. Security Analysis

**Mutual Authentication and Ephemeral-Secret-Leakage Resistance.** The proposed protocol adopts Tseng et al.’s ESL-secure ID-AKE protocol [7] to achieve client-to-server authentication. The authentication server $S$ authenticates the client $A$ and the application server $B$ by checking whether $\widehat{e}\left(P,{V}_{A}\right)=\widehat{e}\left({U}_{A1}+QI{D}_{A1},{W}_{A}\right)\cdot \widehat{e}\left({P}_{pub},{h}_{A}\cdot {W}_{A}+QI{D}_{A2}\right)$ and $\widehat{e}\left(P,{V}_{B}\right)=\widehat{e}\left({U}_{B1}+QI{D}_{B1},{W}_{B}\right)\cdot \widehat{e}\left({P}_{pub},{h}_{B}\cdot {W}_{B}+QI{D}_{B2}\right)$ hold. Taking the client $A$ as an example, the message $<I{D}_{A},I{D}_{B},{U}_{A1},{U}_{A2},{V}_{A},QI{D}_{A1}>$, where ${W}_{A}={H}_{2}\left({U}_{A1},{U}_{A2}\right)$, ${h}_{A}={f}_{1}\left(I{D}_{A},QI{D}_{A1}\right)$ and $QI{D}_{A2}={H}_{1}\left(I{D}_{A}\right)$, can be viewed as a signature on the message ${U}_{A2}$ in Tseng et al.’s ESL-secure ID-AKE protocol. According to the security analysis by Tseng et al., even if an adversary has obtained the ephemeral secret ${r}_{A}$ by an ESL attack, the adversary still needs to solve the computational Diffie-Hellman problem to violate the client-to-server authentication.

The application server $B$ authenticates the authentication server $S$ by checking whether $\widehat{e}\left({V}_{SB},P\right)=\widehat{e}\left({U}_{S}+{h}_{SB}\cdot QI{D}_{S},{P}_{pub}\right)$ holds. The message ${V}_{SB}$, where ${V}_{SB}={r}_{S}\cdot {P}_{pub}+{h}_{SB}\cdot DI{D}_{S}$, ${h}_{SB}={f}_{2}\left(I{D}_{A},I{D}_{B},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$ and $DI{D}_{S}=s\cdot QI{D}_{S}$, can be viewed as a signature on the message $<I{D}_{A},{U}_{S},{U}_{SB1},{U}_{SB2}>$. Without knowledge of the authentication server $S$’s private key $s$, none of the participants or adversaries can forge the message and compute a valid signature. To forge a valid message $<I{D}_{A},{U}_{S},{U}_{SB1},{U}_{SB2},{V}_{SB}>$, an adversary would have to obtain the authentication server $S$’s private key $s$ from ${P}_{pub}=s\cdot P$, which is a discrete logarithm problem for the adversary.

The proposed protocol also provides server-to-client authentication, again based on Tseng et al.’s ESL-secure ID-AKE protocol. The client $A$ and the application server $B$ authenticate the authentication server $S$ by checking whether $Aut{h}_{SA}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{A1},{U}_{A2},{V}_{A},{N}_{A},{K}_{AS},{U}_{S},{U}_{SA1},{U}_{SA2}\right)$ and $Aut{h}_{SB}={f}_{3}\left(I{D}_{A},I{D}_{B},{U}_{B1},{U}_{B2},{V}_{B},{N}_{B},{K}_{BS},{U}_{S},{U}_{SB1},{U}_{SB2}\right)$ hold. Suppose that an adversary has obtained the client $A$’s ephemeral secret ${r}_{A}$ by an ESL attack. Since $Aut{h}_{SA}$ and $Aut{h}_{SB}$ are derived from ${K}_{SA}=s\cdot {U}_{A2}={r}_{A}\cdot DI{D}_{A2}={K}_{AS}$ and ${K}_{SB}=s\cdot {U}_{B2}={r}_{B}\cdot DI{D}_{B2}={K}_{BS}$, respectively, to violate the server-to-client authentication the adversary has to solve the computational Diffie-Hellman problem to obtain $DI{D}_{A2}$, and the discrete logarithm problem to compute the application server $B$’s ephemeral secret ${r}_{B}$ together with the computational Diffie-Hellman problem to obtain $DI{D}_{B2}$, from the transferred messages. Otherwise, the adversary can only compute the authentication server $S$’s private key $s$ from ${P}_{pub}$, which requires solving the discrete logarithm problem.

The application server $B$ can be sure that the client $A$ has obtained the session key by checking whether $Aut{h}_{AB}={f}_{4}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{BA}\right)$ holds. The client $A$ checks whether $Aut{h}_{BA}={f}_{5}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB},Aut{h}_{AB}\right)$ holds to be sure that the application server $B$ has also obtained the session key, and both of them, together with the authentication server $S$, can agree upon the common session key $S{K}_{AB}={f}_{6}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB},Aut{h}_{AB},Aut{h}_{BA}\right)$. Regarding the computation of a valid $Aut{h}_{AB}$ or $Aut{h}_{BA}$, we assume that the client $A$’s ephemeral secret ${r}_{A}$ has been compromised by an adversary. Since $Aut{h}_{AB}$ and $Aut{h}_{BA}$ are derived from ${K}_{AB}=\widehat{e}\left({r}_{A}\cdot {P}_{pub}+{K}_{AS},{U}_{SA1}+{U}_{SA2}\right)=\widehat{e}\left({U}_{SB1}+{U}_{SB2},{r}_{B}\cdot {P}_{pub}+{K}_{BS}\right)={K}_{BA}$, where ${K}_{AS}={r}_{A}\cdot DI{D}_{A2}$ and ${K}_{BS}={r}_{B}\cdot DI{D}_{B2}$, the adversary must solve the computational Diffie-Hellman problem to compute $DI{D}_{A2}$, or the discrete logarithm problem to compute ${r}_{B}$ together with the computational Diffie-Hellman problem to compute $DI{D}_{B2}$, from the transferred messages. Otherwise, the adversary can only compute the authentication server $S$’s private key $s$ from ${P}_{pub}$, which requires solving the discrete logarithm problem.

Without knowledge of the private key of a participant (e.g., the client $A$’s private key $DI{D}_{A}$), an adversary cannot impersonate that participant, since the adversary is unable to forge a valid signature. The proposed protocol employs the signature to authenticate the participants’ identities and one-way hash functions to protect the integrity of the transferred messages. Even if the ephemeral secret of the client has been compromised, each participant can be sure that no adversary can impersonate other participants to violate the verification procedures or corrupt the participants’ private keys and the session key.

**Known-Key Security.** Suppose that an adversary can eavesdrop on the transmitted messages and has learned previous session keys. The session key of the proposed protocol is unique and depends on each participant’s ephemeral secrets ${r}_{A}$, ${r}_{B}$ and ${r}_{S}$ and private keys $DI{D}_{A2}$, $DI{D}_{B2}$ and $s$. Therefore, knowledge of previous session keys does not enable the adversary to derive other session keys and gives the adversary no information that could be used to derive them. Even if the client $A$’s ephemeral secret ${r}_{A}$ has been compromised, an adversary who wants to compute ${K}_{AB}=\widehat{e}\left({r}_{A}\cdot {P}_{pub}+{K}_{AS},{U}_{SA1}+{U}_{SA2}\right)$, where ${K}_{AS}={r}_{A}\cdot DI{D}_{A2}$, from the transferred messages needs to solve the computational Diffie-Hellman problem to compute the client $A$’s private key $DI{D}_{A2}$, or the discrete logarithm problem on ${P}_{pub}=s\cdot P$ to obtain the authentication server $S$’s private key $s$. Otherwise, the adversary can only solve the discrete logarithm problem and the computational Diffie-Hellman problem to compute the application server $B$’s corresponding ephemeral secret ${r}_{B}$ and private key $DI{D}_{B2}$. In the proposed protocol, even if one session key has been compromised, the security of the other or future session keys is not endangered.

**Partial Forward Secrecy.** The session key of the proposed protocol depends on each participant’s private key and corresponding ephemeral secret. If the private key of the client $A$ or the application server $B$ has been compromised, an adversary still needs the corresponding ephemeral secret to compute the session key, and computing that ephemeral secret from the transferred messages requires solving the discrete logarithm problem. However, if the adversary corrupts the private key $s$ of the authentication server $S$, all of the previous session keys can be recovered from the transferred messages, since the adversary is then able to compute ${K}_{SA}=s\cdot {U}_{A2}$ and ${K}_{AB}=\widehat{e}\left(s\cdot {U}_{A1}+{K}_{SA},{U}_{SA1}+{U}_{SA2}\right)$, or ${K}_{SB}=s\cdot {U}_{B2}$ and ${K}_{BA}=\widehat{e}\left({U}_{SB1}+{U}_{SB2},s\cdot {U}_{B1}+{K}_{SB}\right)$, and hence $S{K}_{AB}={f}_{6}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB},Aut{h}_{AB},Aut{h}_{BA}\right)$. The proposed protocol therefore offers partial forward secrecy.

**Key-Compromise Impersonation Resilience.** To discuss the key-compromise impersonation resilience property, we assume that the client $A$’s private key $DI{D}_{A}$ has been compromised by an adversary who tries to impersonate the application server $B$ to cheat the client $A$ and the authentication server $S$. When the client $A$ requests service from the application server $B$, the adversary can only choose $<I{D}_{B},{U}_{B1},{U}_{B2},{V}_{B},QI{D}_{B1}>$ and $<Aut{h}_{BA}>$ from previous sessions and send them to the authentication server $S$ and the client $A$, respectively. Since the adversary cannot derive the application server $B$’s private key $DI{D}_{B2}$ and the corresponding ephemeral secret ${r}_{B}$ from the transferred messages to compute ${K}_{BA}=\widehat{e}\left({U}_{SB1}+{U}_{SB2},{r}_{B}\cdot {P}_{pub}+{K}_{BS}\right)$, where ${K}_{BS}={r}_{B}\cdot DI{D}_{B2}$, the adversary can at most get past the verification procedure of the authentication server $S$. If the adversary tries to derive the ephemeral secret ${r}_{B}$ and the private key $DI{D}_{B2}$ from the transferred messages to compute $Aut{h}_{BA}={f}_{5}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{BA},Aut{h}_{AB}\right)$ and construct the session key, the adversary needs to solve the discrete logarithm problem and the computational Diffie-Hellman problem.

**Unknown Key-Share Resilience.** To mount such an attack, the adversary would need the private key of the client $A$ or the application server $B$. In the proposed protocol, both the client $A$ and the application server $B$ have to be authenticated by the authentication server $S$. Only a participant holding the private key distributed by the authentication server $S$ can compute a valid signature and thus pass the verification procedures and compute the session key. Taking the client $A$ as an example, the client $A$ with its private key $DI{D}_{A}$ and the ephemeral secret ${r}_{A}$ can compute ${V}_{A}=\left({r}_{A}+DI{D}_{A1}\right)\cdot {W}_{A}+DI{D}_{A2}$ and ${K}_{AB}=\widehat{e}\left({r}_{A}\cdot {P}_{pub}+{K}_{AS},{U}_{SA1}+{U}_{SA2}\right)$ to pass the verification procedures of the authentication server $S$ and the application server $B$, and the ephemeral secret ${r}_{A}$ together with $DI{D}_{A2}$ is what allows the session key $S{K}_{AB}={f}_{6}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB},Aut{h}_{AB},Aut{h}_{BA}\right)$ to be computed. Hence, the proposed protocol withstands unknown key-share attacks.

**Key Control Resilience.** In the proposed protocol, the session key $S{K}_{AB}={f}_{6}\left(I{D}_{A},I{D}_{B},{U}_{S},{K}_{AB},Aut{h}_{AB},Aut{h}_{BA}\right)$, where ${K}_{AB}=\widehat{e}\left({r}_{A}\cdot {P}_{pub}+{K}_{AS},{U}_{SA1}+{U}_{SA2}\right)=\widehat{e}\left({U}_{SB1}+{U}_{SB2},{r}_{B}\cdot {P}_{pub}+{K}_{BS}\right)={K}_{BA}$, is determined by all participants’ private keys and corresponding ephemeral secrets. None of the participants can force the session key to a predetermined value, predict it, or control the outcome. Hence, the proposed protocol prevents the session key from being created solely by the authentication server $S$ or solely by the other two participants.
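
The partial-forward-secrecy statement above is concrete enough to check. The Python below is an added example, not the paper's code: it runs the key-agreement algebra honestly over a constructed toy pairing (the safe prime $p=1019$, $q=509$ and generator $g=4$, with ${G}_{1}={Z}_{q}$, $P=1$ and $\widehat{e}(xP,yP)={g}^{xy} \bmod p$; hashes modelled as SHA-256 modulo $q$; placeholder identities `client-A` and `app-server-B`), records what an eavesdropper sees on the wire, and then recomputes $S{K}_{AB}$ from that transcript and $s$ alone, using both the $A$-side and the $B$-side formulas quoted in the text. Because discrete logarithms are trivial in this group it cannot demonstrate the hardness claims made for the other cases; it shows only which values a later compromise of $s$ exposes.

```python
import hashlib
import secrets

# Constructed toy pairing, insecure and only for checking the algebra: G1 = Z_q with
# P = 1, G2 = the order-q subgroup of Z_p^*, e(xP, yP) = g^(x*y) mod p.  p = 1019 is
# the safe prime 2*509 + 1 and g = 4 (a quadratic residue) has order exactly q = 509.
p, q, g, P = 1019, 509, 4, 1

def e(X, Y):
    return pow(g, (X * Y) % q, p)

def f(tag, *items):               # f4, f5, f6 and H1 modelled as SHA-256 reduced mod q
    data = (tag + "|" + "|".join(str(i) for i in items)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H1(ID):                       # map-to-point hash, never the identity of G1
    return 1 + f("H1", ID) % (q - 1)

def rand_scalar():                # element of Z_q^*
    return 1 + secrets.randbelow(q - 1)

def honest_session(s, ID_A="client-A", ID_B="app-server-B"):
    """Runs the key-agreement algebra of Section 3.3 honestly and returns
    (what an eavesdropper records on the wire, the session key SK_AB)."""
    rA, rB, rS = rand_scalar(), rand_scalar(), rand_scalar()
    QA2, QB2 = H1(ID_A), H1(ID_B)
    UA1, UA2 = (rA * P) % q, (rA * QA2) % q                  # from A's first message
    UB1, UB2 = (rB * P) % q, (rB * QB2) % q                  # from B's message to S
    US = (rS * P) % q
    USA1, USA2 = (rS * UB1) % q, (rS * UB2) % q              # S -> A
    USB1, USB2 = (rS * UA1) % q, (rS * UA2) % q              # S -> B
    KAS = (rA * ((s * QA2) % q)) % q                         # rA * DID_A2
    KAB = e((rA * s + KAS) % q, (USA1 + USA2) % q)           # rA * P_pub + K_AS, with P_pub = sP = s
    AuthAB = f("f4", ID_A, ID_B, US, KAB)
    AuthBA = f("f5", ID_A, ID_B, US, KAB, AuthAB)
    SK = f("f6", ID_A, ID_B, US, KAB, AuthAB, AuthBA)
    wire = {"ID_A": ID_A, "ID_B": ID_B, "UA1": UA1, "UA2": UA2, "UB1": UB1, "UB2": UB2,
            "US": US, "USA1": USA1, "USA2": USA2, "USB1": USB1, "USB2": USB2,
            "AuthAB": AuthAB, "AuthBA": AuthBA}
    return wire, SK

def recover_from_a_side(s, w):
    """Section 4.1: with s, K_SA = s*U_A2 and K_AB = e(s*U_A1 + K_SA, U_SA1 + U_SA2)."""
    KSA = (s * w["UA2"]) % q
    KAB = e((s * w["UA1"] + KSA) % q, (w["USA1"] + w["USA2"]) % q)
    return f("f6", w["ID_A"], w["ID_B"], w["US"], KAB, w["AuthAB"], w["AuthBA"])

def recover_from_b_side(s, w):
    """Same with B's values: K_SB = s*U_B2 and K_BA = e(U_SB1 + U_SB2, s*U_B1 + K_SB)."""
    KSB = (s * w["UB2"]) % q
    KBA = e((w["USB1"] + w["USB2"]) % q, (s * w["UB1"] + KSB) % q)
    return f("f6", w["ID_A"], w["ID_B"], w["US"], KBA, w["AuthAB"], w["AuthBA"])

def exposure_check(trials=20):
    """True if a later compromise of s alone recovers every recorded session key."""
    for _ in range(trials):
        s = rand_scalar()
        wire, SK = honest_session(s)
        if recover_from_a_side(s, wire) != SK or recover_from_b_side(s, wire) != SK:
            return False
    return True
```

The practical consequence for a deployment is that recorded traffic stays exposed to a later compromise of the authentication server's long-term key $s$, whereas a compromised client or application-server key on its own does not have this effect; $s$ is therefore the value that deserves the strongest protection and the most conservative rotation schedule.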

#### 4.2. Formal Analysis Using AVISPA

#### 4.3. Performance Analysis

- $T{G}_{e}$: the execution time for a bilinear pairing operation $\widehat{e}:{G}_{1}\times {G}_{1}\to {G}_{2}$.
- $T{G}_{mul}$: the execution time for a scalar multiplication of a point in ${G}_{1}$.
- ${T}_{exp}$: the execution time for a modular exponential operation in ${G}_{2}$.
- $T{G}_{H}$: the execution time for a map-to-point hash function in ${G}_{1}$.
- $T{G}_{add}$: the execution time for an addition operation of points in ${G}_{1}$ or a multiplication operation in ${G}_{2}$.
- ${T}_{H}$: the execution time for a one-way hash function.

#### 4.4. Software Performance

## 5. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## Appendix A

## References

1. Wen, H.A.; Lin, C.L.; Hwang, T. Provably secure authenticated key exchange protocols for low power computing clients. Comput. Secur. **2006**, 25, 106–113.
2. Wong, D.S.; Chan, A.H. Efficient and mutually authenticated key exchange for low power computing devices. In Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, 9–13 December 2008; pp. 272–289.
3. Jakobsson, M.; Pointcheval, D. Mutual Authentication for Low-Power Mobile Devices. Financ. Cryptogr. **2002**, 2339, 178–195.
4. Choi, K.; Hwang, J.; Lee, D.; Seo, I. ID-based Authenticated Key Agreement for Low-Power Mobile Devices. Inf. Sec. Priv. **2005**, 3574, 494–505.
5. Chuang, Y.H.; Tseng, Y.M. Towards generalized ID-based user authentication for mobile multi-server. Int. J. Commun. Syst. **2012**, 25, 447–460.
6. Wu, T.Y.; Tseng, Y.M. An efficient user authentication and key exchange protocol for mobile client–server environment. Comput. Netw. **2010**, 53, 1062–1070.
7. Tseng, Y.M.; Tseng, L. Ephemeral-Secret-Leakage Secure ID-Based Authenticated Key Exchange Protocol for Mobile Client-Server Environments. In Proceedings of the 24th Cryptology and Information Security Conference, Putrajaya, Malaysia, 24–26 June 2014.
8. Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory **1976**, 22, 644–654.
9. Tsai, C.S.; Lee, C.C.; Hwang, M.S. Password Authentication Schemes: Current Status and Key Issues. IJINS **2006**, 3, 101–115.
10. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. Adv. Cryptol. **1985**, 5, 47–53.
11. Boneh, D.; Franklin, M. Identity-Based Encryption from the Weil Pairing. In Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; pp. 213–229.
12. Boneh, D.; Boyen, X. Secure Identity Based Encryption without Random Oracles. In Proceedings of the 24th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004; pp. 443–459.
13. Waters, B. Efficient Identity-Based Encryption without Random Oracles. In Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; pp. 114–127.
14. Gentry, C. Practical Identity-Based Encryption without Random Oracles. In Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006; pp. 445–464.
15. Joux, A. A One Round Protocol for Tripartite Diffie–Hellman. Algorithm. Number Theory **2000**, 1838, 385–393.
16. Al-Riyami, S.; Paterson, K. Tripartite Authenticated Key Agreement Protocols from Pairings. In Proceedings of the 9th IMA International Conference, Cirencester, UK, 16–18 December 2003; pp. 332–359.
17. Lim, M.H.; Lee, S.; Moon, S. Cryptanalysis of Tso et al.’s ID-Based Tripartite Authenticated Key Agreement Protocol. Inf. Syst. Secur. **2007**, 4812, 64–76.
18. Hölbl, M.; Welzer, T.; Brumen, B. Two proposed identity-based three-party authenticated key agreement protocols from pairings. Comput. Secur. **2010**, 29, 244–252.
19. Xiong, H.; Chen, Z.; Li, F. New identity-based three-party authenticated key agreement protocol with provable security. JNCA **2013**, 36, 927–932.
20. Yeh, H.T.; Sun, H.M. Password-based user authentication and key distribution protocols for client–server applications. J. Syst. Softw. **2004**, 72, 97–103.
21. Kohl, J.T.; Neuman, B.C.; Tso, T.Y. The evolution of the Kerberos authentication system. In Distributed Open System; IEEE Computer Society Press: Washington, DC, USA, 1991; pp. 78–94.
22. Yeh, H.T.; Sun, H.M. Password authenticated key exchange protocols among diverse network domains. Comput. Electr. Eng. **2005**, 31, 175–189.
23. Li, G. Optimal authentication protocols resistant to password guessing attacks. In Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kerry, Ireland, 13–15 June 1995; pp. 24–29.
24. Kwon, T.; Kang, M.; Jung, S.; Song, J. An Improvement of the Password-Based Authentication Protocol (K1P) on Security against Replay Attacks. IEICE Trans. Commun. **1999**, 82, 991–997.
25. Kwon, T.; Song, J. Authenticated key exchange protocols resistant to password guessing attacks. Commun. IEE Proc. **1998**, 145, 304–308.
26. Chang, T.Y.; Hwang, M.S.; Yang, W.P. A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. **2011**, 181, 217–226.
27. Ni, L.; Chen, G.; Li, J. Escrowable identity-based authenticated key agreement protocol with strong security. Comput. Math. Appl. **2013**, 65, 1339–1349.
28. Chang, T.Y.; Tsai, C.J.; Lin, J.H. A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices. J. Syst. Softw. **2012**, 85, 1157–1165.
29. Blake-Wilson, S.; Menezes, A. Authenticated Diffie-Hellman Key Agreement Protocols. In Proceedings of the Selected Areas in Cryptography, Kingston, Ontario, Canada, 17–18 August 1999; pp. 339–361.
30. AVISPA v1.1 User Manual. 2006. Available online: http://www.avispa-project.org/ (accessed on 24 January 2018).
31. Chen, T.H.; Lee, W.B.; Chen, H.B. A round- and computation-efficient three-party authenticated key exchange protocol. J. Syst. Softw. **2008**, 81, 1581–1590.
32. Metz, C. AAA protocols: Authentication, authorization, and accounting for the Internet. IEEE Int. Comput. **1999**, 3, 75–79.
33. Rensing, C.; Karsten, M.; Stiller, B. AAA: A survey and a policy-based architecture and framework. IEEE Netw. **2002**, 16, 22–27.
34. Decugis, S. Towards a Global AAA Framework for Internet. In Proceedings of the 2009 Ninth Annual International Symposium on Applications and the Internet, Bellevue, WA, USA, 20–24 July 2009; pp. 227–230.
35. Dolev, D.; Yao, A.Y. On the Security of Public Key Protocols. IEEE Inf. Theory Soc. **1983**, 29, 198–208.
36. AVISPA Web tool. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/web-interface (accessed on 24 January 2018).
37. Scott, M.; Costigan, N.; Abdulwahab, W. Implementing Cryptographic Pairings on Smartcards. In Proceedings of the 8th International Workshop, Yokohama, Japan, 10–13 October 2006; pp. 134–147.
38. Oliveira, L.B.; Aranha, D.F.; Gouvêa, C.P.L.; Scott, M.; Câmara, D.F.; López, J. TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks. Comput. Commun. **2011**, 34, 485–493.
39. Hu, L.; Dong, J.W.; Pei, D.Y. Implementation of Cryptosystem Based on Tate Pairing. J. Comput. Sci. Technol. **2005**, 20, 264–269.

**Figure 3.** The parallel version of the Ephemeral Secret Leakage (ESL)-secure ID-based three-party Authenticated Key Agreement (AKA) protocol.

**Figure 4.** Simulation result of the proposed protocol on the On-the-fly Model-Checker (OFMC) model checker.

**Figure 5.** Simulation result of the proposed protocol on the Constraint-Logic-based Attack Searcher (CL-AtSe) model checker.

| Platform | $T{G}_{e}$ | $T{G}_{mul}$ | ${T}_{exp}$ | $T{G}_{H}$ | $T{G}_{add}$ | ${T}_{H}$ |
|---|---|---|---|---|---|---|
| Android 5.0, 2.3 GHz Intel Atom, 4 GB of RAM | 0.251 s | 0.148 s | 0.076 s | 0.002 s | 0.001 s | 0.001 s |

| | Computational Cost (Total) | Computational Cost (Online) | Execution Time (Total) | Execution Time (Online) |
|---|---|---|---|---|
| Client Side | $T{G}_{e}+5T{G}_{mul}+T{G}_{H}+3T{G}_{add}+4{T}_{H}$ | $T{G}_{e}+2T{G}_{mul}+2T{G}_{add}+4{T}_{H}$ | $\approx 1.0$ s | $\approx 0.553$ s |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Liu, C.-L.; Tsai, W.-J.; Chang, T.-Y.; Liu, T.-M.
Ephemeral-Secret-Leakage Secure ID-Based Three-Party Authenticated Key Agreement Protocol for Mobile Distributed Computing Environments. *Symmetry* **2018**, *10*, 84.
https://doi.org/10.3390/sym10040084
