Authenticated Diffie-Hellman Key Agreement Scheme that Protects Client Anonymity and Achieves Half-Forward Secrecy

Authenticated Diffie-Hellman key agreement (D-H key) is the de facto building block for establishing secure session keys in many security systems. Regarding the computations of authenticated D-H key agreement, the operation of modular exponentiation is the most expensive computation, which incurs a heavy loading on those clients where either their computational capacities or their batteries are limited and precious. As client’s privacy is a big concern in several e-commerce applications, it is desirable to extend authenticated D-H key agreement to protect client’s identity privacy. This paper proposes a new problem: the modified elliptic curves computational Diffie-Hellman problem (MECDHP) and proves that the MECDHP is as hard as the conventional elliptic curves computational Diffie-Hellman problem (ECDHP). Based on the MECDHP, we propose an authenticated D-H key agreement scheme which greatly improves client computational efficiency and protects client’s anonymity from outsiders.This new scheme is attractive to those applications where the clients need identity protection and lightweight computation.


Introduction
Authentication is an essential security; however, many existent authentication schemes either did not provide key agreement during authentication [1][2][3], did not protect client privacy [4], or required many expensive modular exponentiations [4][5][6][7][8][9][10][11][12][13][14][15][16].Authenticated key agreement aims at simultaneously providing authentication of communicating parties and establishing secure session keys.Nowadays it is very easy for any network operators or even outsiders to collect users' behavior and violate their privacy when they surf the Internet if key agreement schemes do not protect users' identities.It is, therefore, imperative to design key agreement schemes which protect client's identity.With such schemes, users' privacy can be protected when they enjoy Internet activities, e-commerce or m-commerce transactions.
Conventionally, the computational Diffie-Hellman problem over Galis field (called CDHP) and the same problem over elliptic curves (called ECDHP) are the most popular building blocks for many authenticated key agreement schemes [4][5][6][7][8][10][11][12][13][14][15][16][17][18][19], owing to their hardness.However, the modular exponentiation computations over Galis field or the point multiplications over elliptic curves impose a heavy computational stress on those clients where either their computing capacities or their batteries are limited.Such clients are called thin clients in the rest of this paper.Even a native D-H key scheme (not including authentication of communicating parties) that uses the CDHP requires of each party two modular exponentiations, and the corresponding version over elliptic curves would require of each party two point multiplications.Generally an authenticated version of D-H key scheme or an extended version of D-H key scheme which protects client's anonymity would require more modular exponentiations or more point multiplications [9-12, 14-16, 20], respectively.It is, therefore, important to reduce the number of exponentiation computations/point multiplications for those thin clients.In 2014, Chien [4] formulated the modified computational D-H problem (MCDHP) and proposed an authenticated D-H key agreement scheme, using the MCDHP.The scheme [4] effectively reduced the number of modular exponentiations but it did not protect client's anonymity.
Conventionally, key agreement schemes transmit participants' identities in plaintext.As privacy has been a big concern in many applications, it is desirable to protect participants' identities during the key agreement process.Such kinds of key agreement schemes are called authenticated 2 Mobile Information Systems key agreement schemes with client anonymity (or simply an anonymous authenticated key agreement).Chien [12] classified four types of two-party key agreement schemes, according to the protection of participants' anonymity.Type 1: the privacy of identities of two communicating parties is not protected; this type corresponds to those conventional twoparty key agreement schemes.Type 2: the client's identity is protected from the outsiders, but the identity of the server is not protected.Type 3: the client's identity is protected from the outsiders, but the anonymity of the server is only protected from unregistered entities.The scenarios for such a type are like that; in a mission-oriented ad hoc network, the clients and the servers want to protect their identities from outsiders, while all the preregistered clients know the IP address or MAC address of the servers.Type 4: both the identity of the client and the identity of the server are protected from outsiders.Type 2 is the most popular one for authenticated key agreement schemes that protect participant's anonymity, because it corresponds to the cases where clients want to protect their anonymity from outsiders.In this paper, we focus on authenticated two-party key agreement for Type 2 cases and aim to improve client's computational efficiency.
Authentication with anonymity protection is a popular topic, and there are some popular techniques for achieving client's anonymity during authentication process.Chien [2] classifies existent techniques into four categories: probabilistic encryption-based scheme like the OAKley protocol [13], pseudonym-based schemes like [20], hash-chain-based scheme like Ohkubo et al. 's scheme [1], and error-correctioncodes-based scheme like [2,3].It is challenging to extend the existent CDHP-based key agreement schemes like [5][6][7]13] (or ECDHP-based schemes like [8]) to their anonymous versions and reduce the modular exponentiation load (or the point multiplication load).In this paper, we first formulate a modified ECDHP (MECDHP) and prove its security.Then we propose a new authenticated two-party key agreement scheme with client anonymity, based on the MECDHP problem and Ohkubo et al. 's hashing chain technique [1].The new scheme protects client anonymity, effectively reduces the computational load for client, and preserves the strong security of the ECDHP.
The rest of this paper is organized as follows.Section 2 introduces the MECDHP and proves its security.Section 3 proposes our new scheme.Section 4 examines its security and evaluates its performance.Section 5 states our conclusions and discussions.

The MECDHP Problem and the Security Requirements
In this section, we first propose the MECDHP and prove its security.Then we introduce the model and discuss the security requirements of an authenticated key agreement scheme with client anonymity.
Now we formulate a new problem called the modified computational elliptic curve Diffie-Hellman problem (MECDHP) as follows.
Definition 2. The modified computational elliptic curve Diffie-Hellman problem (the MECDHP) is as follows: given an elliptic curve over a finite field   , a point  ∈ (  ) of order ,  + , and points  =  and  =  ∈ ⟨⟩ find the point  = .
We prove the hardness of the MECDHP to be as hard as the ECDHP as follows.

Theorem 3. The MECDHP is as hard as the ECDHP.
Proof.We prove this by reduction.
(1) The MECDHP Is Reduced to the ECDHP.Given an instance of the MECDHP problem ( + , , , and ), we can compute ( + ) −  =  and get the instance (, , and ) for the ECDHP.Assume there is one oracle that can answer the ECDHP.Now we input the instance (, , and ) to the oracle, and we get the answer .
(2) The ECDHP Is Reduced to the MECDHP.Assume there is one oracle that can answer the MECDHP: given ( + , , , and ), it outputs .
Based on the above arguments, we prove the theorem.
Now we introduce the model and discuss the security requirements of authenticated D-H key agreement scheme with client anonymity as follows.Our model consists of three kinds of entities: clients, servers, and outsiders.Clients would like to establish secure session keys with servers via key agreement schemes and their identities should not be learned by any outsiders.An outsider can actively manipulate the communications via replay, modification, or interception.
(1) Consider Mutual authentication of client and server and resistance to various attacks like replay attack, impersonation attack, man-in-the-middle attack, and known key attack.
(2) Consider Partial forward secrecy and perfect forward secrecy.Here partial forward secrecy requires that even if we assume one party's long-term private key is disclosed someday, the previous communications (the session keys before the disclosure) are still secure.If partial forward secrecy is preserved only when one specific party's private key is compromised but it does not hold for the other party, then it is called half forward secrecy.While perfect forward requires that even if we assume both of the two parties' long-term private keys are disclosed someday, the previous communications (the session keys before the disclosure) are still secure.
(3) Anonymity of the client: the identities of clients should be well protected from outsiders.

New Authenticated D-H Key Agreement Scheme with Client Anonymity
We introduce the following notations.We will omit the mod  operation in the rest of this paper to simplify the presentation when the context is clear.
The Notations.
(  ), P, and q are as follows: (  ) is an elliptic curve over   .P ∈ (  ) is a generator point for a group over (  ).ℎ(), () are two cryptographic hash functions.Two different hash functions are chosen here to hinder outsiders from tracking users, using correlated data.This idea is inspired by [1].These functions could be implemented using a pseudorandom function (PRF) with distinct paddings.C, S are as follows: C and , respectively, denote client and server.ID  , ID  are as follows: ID  and ID  , respectively, denote the identity of the client and that of the server, where ID  is static while ID  is dynamically updated.c, s are as follows: ,  ∈  *  , respectively, denote the private key of  and that of .  ,   are as follows:   =  and   = , respectively, denote their corresponding public keys.
The scheme is depicted in Figure 1 and is described as follows.
The scheme consists of two phases: initial phase and key agreement phase.
The Initialization Phase.Each registered client  shares its identity ID  and public key   with the server S, where  keeps two values ID ,old and ID ,new to track the dynamically changing identity of the client.Both ID ,old and ID ,new are initialized as ID  .Each client keeps the identity and the public key   of the server.
The Key Agreement Phase.
The server randomly chooses an integer ∈   *  , computes  = , and sends (ID  , ) to the client.The final session key of the session is computed using any secure hash function: one example is like ℎ(  ,   ,  + , ,  , ).

Security Analysis and Performance Evaluation
4.1.Security Analysis.In this section, we examine the security of the proposed authenticated D-H key agreement scheme with client anonymity.The formulated MECDHP used in the scheme has been proved to be as hard as the conventional ECDHP.Our new scheme improves the computational efficiency of client while preserving the strong security properties of conventional secure D-H key agreement schemes under the assumption that the communicating parties' longterm secret keys are secure.But, the security properties might change when client's long-term secret keys are compromised.We examine these properties as follows.
Authentication of the Client.The authentication of the client depends on its ability of providing a valid Auth  = ℎ((  +  , )⊕) in response to server's challenge .To have a valid Auth  , the client should be able to provide well-formed "+, " on which the server can correctly derive the corresponding  = ( + ) −   = ,  =  = , and  , =  =  to verify the Auth  .A well-formed "+" implies that the client knows the private key .This ensures the authentication of the client.
Authentication of the Server.The authentication of server depends on server's ability of providing a valid Auth  = ℎ(  ⊕  , ⊕ ), which depends on the server's ability of computing  = , using  = ( + ) −   = .To compute  = , it requires the knowledge of the server's private key .This ensures the authentication of the server.

Resistance to Replay Attack and Man-in-the-Middle Attack.
The client and the server, respectively, issue new challenges  +  and  in each session.The server is expected to generate the corresponding value  =  = (( + ) −   ), where the value is derived from the well-formed challenge +.The client is expected to have the ability of computing the value  , = , where  is the challenge.All of the computations involve new challenges.As long as the challenges are random and fresh, this ensures the resistance to replay attack and man-in-the-middle attack.
Half Forward Secrecy.Partial forward secrecy concerns the privacy of session keys corresponding to those sessions before one party's private key was compromised.
(1) If we assume that the server's long-term secret  is compromised, then the forward privacy of the session key ℎ(  ,   ,  + , ,  , ) is still preserved, because the computation of the session key involves  , .
Here the computation of  , needs the knowledge of either  or .This ensures the partial forward secrecy against server's compromise.
(2) If we assume the client's long-term secret  is compromised, then the attacker can derive the ephemeral secret  from  +  and derive the session key; that is, our scheme does not preserve partial forward secrecy against client's compromise.So we call that our scheme owns half forward secrecy property but not perfect forward secrecy.
Client Anonymity.The client-identity-related data transmitted in our protocol include (ID  ), Auth  = ℎ((  +  , ) ⊕ ), and Auth  = ℎ(  ⊕  , ⊕ ).The identity ID  is updated as ℎ(ID  ) per successful authentication, and only its hashed value (ID  ) is transmitted.Therefore, an attacker could not learn clients' identities and could not track any client using eavesdropped data.The other identity-related data is client's public key   .The calculations of Auth  and Auth  first obscure   with random value  and then apply hashing: this ensures that attackers cannot link the transmissions to any specific client.

Performance
Evaluation.Now we examine the performance of our scheme in terms of communication cost and computational cost.Regarding communication cost, we concern the number of message steps and the length of message length.Our scheme requires three message steps.It demands the message length 3 ℎ + 2 point + 1  , where  ℎ denotes the length of hash function (|ℎ()| and |()|),  point denotes the length of string representation of one elliptic curve point, and   denotes the bit length of q.The session key security was based on the privacy of nonce and the fixed D-H key (the fixed key   =   = ).If one private key of either the server or the client is compromised, then the long-term, fixed D-H key is compromised and one of the nonce is compromised; therefore, its security is not strong as the ECDHP.Note 4: Our scheme applies hashing to protect the dynamic identity while other schemes use encryption of identity to protect anonymity; therefore, we can simplify the comparison by assuming  ℎ =  ID .Note 5: Chien [12] reported the failure of client anonymity of Yoon-You's scheme [11].
Next we examine the computational cost of our scheme.The client in our scheme demands 2 PS + 1 PA + 3 XOR + 3 ℎ , where  PS denotes the time complexity of one elliptic curve point multiplication,  PA denotes that of one elliptic curve point addition,  XOR denotes that of one XOR operation, and  ℎ denotes that of one hash operation.The server averagely needs 4 PS +2 PA +3 XOR +(+2) ℎ to find the matched client (each trial for one potential client takes two hash operations), where  denotes the number of entries of potential clients in the database.
Table 1 summarizes the performance comparison of the proposed scheme with its counterparts.The notations used in the table are introduced in the bottom of the table.The security of the schemes [10][11][12]14] is based on RSA and the CDHP problem, and our scheme is based on the MECDHP problem.Please note that even though the authors [15] claimed that their scheme was based on the ECDHP problem but actually its session key security was based on the privacy of nonce and the fixed D-H key (the fixed key   =   = ), if one private key of either the server or the client is compromised, then the fixed D-H key and one nonce are compromised; therefore, its security is not strong as the ECDHP.
Regarding the communicational performance, we focus on the number of message steps and the length of the messages.According to National Security Agency of the USA [18], to have an equivalent security of an 80-bit symmetric encryption, RSA algorithm and Diffie-Hellman algorithm need 1024-bit key while ECC only needs 160-bit key.From the table, we can see that all the schemes require three message steps.Because the schemes [9][10][11][12]14] used RSA and the CDHP, their message length is larger than our scheme and the scheme [15].And, the message length of our scheme is shorter than its ECC-based counterpart [15].Now we compare the computational performance.Recently there have been several publications like [21][22][23][24] discussing the implementation performances of ECC standard and other public-key standards (like RSA and El-Gamal public key), where [21] compared various software implementations of point multiplication, [22] aimed at improving hardware implementation of point multiplication, [23] discussed the hardware implementation performance of RSA digital signature and ECDSA, and [24] compared implementation performance of El-Gamal elliptic curve encryption method using two different libraries.These works focused on the implementation performances of elliptic curve point multiplication and related standards (like ECC standards, RSA digital signature, and El-Gamal elliptic curve encryption).For a fair comparison of custom-designed algorithms that consist of underlying field operations (like field multiplication and exponentiation in   , field multiplication in   , and elliptic curve point multiplication), the figures in NSA [18] and the algebra equations of elliptic curve operations in terms of underlying field operations from [19] have been widely adopted [15].We adopt the same principle in the following evaluation, since it gives a fair comparison of custom-designed algorithms.
The security of ECC with 160-bit key is equivalent to that of RSA with 1024-bit key or D-H algorithm with 1024-bit key.Under the above figures,  multi, (the time complexity of a field multiplication in   , where  is 1024-bit) is 41 times

Figure 1 :
Figure 1: Authenticated D-H key agreement with client anonymity.

Table 1 :
Summary of performance comparison among two-party key agreement schemes with client anonymity.4 exp +2 multi +1 ℎ 4 PS + 2 enc + 3 ℎ Note 1:   : the bit length of RSA modulus N;  ℎ : the length of hash function (|ℎ()| and |()|);  point : the length of string representation of one elliptic curve point, and   denotes the bit length of q.  Time : the bit length of timestamp;  ID : the length of identity;  nonce : the length of nonce.Note 2:  PS : time complexity of one elliptic curve point multiplication;  PA : time complexity for one elliptic curve point addition;  XOR : time complexity for one XOR operation;  ℎ : time complexity for one hash operation;  exp : time complexity of one modular exponentiation;  multi : time complexity of one modular multiplication;  enc : time complexity of one symmetric encryption.Note 3: