A New Password- and Position-Based Authenticated Key Exchange

Password-based authenticated key exchange is a popular method for secure authentication and key exchange. With the wide deployment of unmanned aerial vehicles, position information has also become an important factor in authentication. In this paper, we present a new key exchange protocol, the first to realize dual authentication of both password and position, and we propose two application scenarios for the PPAKE mechanism: unmanned aerial vehicle authentication and authentication in a military base. Adding position authentication improves the reliability of authentication and increases the difficulty of adversarial attacks: an arbitrary adversary who can listen, tamper, and send messages can only perform an online password-guessing attack from the specified position. Finally, we provide security proofs under the defined model.


Introduction
A key exchange protocol is designed to allow two or more parties to negotiate and share session keys over insecure channels in order to establish encrypted communication. To achieve secure communication over open and insecure channels, Diffie and Hellman [1] in 1976 introduced the concept of public key cryptography and the well-known Diffie-Hellman key exchange protocol, which establishes a shared session key between two communicating parties. However, the Diffie-Hellman protocol alone cannot resist man-in-the-middle attacks or provide mutual authentication.
A large number of authenticated key exchange protocols have been proposed subsequently [2][3][4][5], together with corresponding applications [6][7][8][9][10]. According to their application scenarios and assumptions, authenticated key exchange protocols fall broadly into two categories: one assumes that each party holds a high-entropy private key from which a high-entropy session key can be derived; the other assumes that the parties share only a weak (low-entropy) password and derive a high-entropy session key through interaction.
Bellovin and Merritt [11] first proposed a password-based authenticated key exchange (PAKE) protocol in 1992, the BM scheme. Many improvements of the BM scheme followed, but none came with a security model; it was not until EUROCRYPT 2000 that Boyko et al. [12] presented the first security model for PAKE. In the random oracle model, the SPAKE scheme in [13] is an efficient provably secure scheme. In the standard model, Goldreich and Lindell proposed a solution based on one-way functions and zero knowledge at EUROCRYPT 2001, but neither it nor the subsequent theoretical constructions based on it are practical. Katz et al. [14] proposed the first practical provably secure password-based solution, using a common reference string, at EUROCRYPT 2001; it is called the KOY scheme. At EUROCRYPT 2003, Gennaro and Lindell [15] generalized the KOY scheme into a construction based on smooth projective hash functions and chosen-ciphertext secure encryption schemes.
Xue et al. [20] observed that the scheme in [16], which requires six group elements and one random string, is more efficient than the other schemes known to be secure in the BPR model [21] under the standard model, and they presented an improved PAKE protocol by replacing the CCA-secure encryption scheme in [16] with a CCA-secure key encapsulation mechanism (KEM). The resulting protocol requires only five group elements and two short random strings, where a random string has length (1/3) log p bits (one-sixth the length of a group element on an elliptic curve).
In previous proposals, password-based key exchange has to face the challenge of generating a high-entropy session key from a low-entropy secret. Current password-based key exchange protocols are mainly used in the client-server scenario, and the mainstream construction combines a CCA2-secure encryption scheme with a smooth projective hash function.
In many real applications, such as drone control stations and military base communications, position information is also an important type of authentication information. The first position-based authentication protocol was presented by Chandran et al. [22], where a position in 3D space can be verified using four verifiers. The protocol has many application scenarios, e.g., four aircraft verifying a controller's position, or communication between military bases. Following this work, many schemes have been proposed, such as a blockchain-based positioning scheme [23], tracking of cryptographic keys and encrypted data using position verification [24], and position-based encryption [25].

Motivation
Position and password are both important pieces of information in wireless communication. Our basic idea is to combine the PAKE result in [20] with the secure positioning protocol in [22] to obtain a secure key exchange protocol with dual authentication of position and password (called PPAKE). Dual authentication based on password and position improves the reliability of authentication and increases the difficulty of adversarial attacks. To obtain a secure PPAKE protocol, we had to solve the following issues: (1) How do the four verifiers determine the participant's position information and verify it simultaneously? (2) How does the participant verify the password information of the four verifiers and generate a high-entropy session key at the same time? (3) How do the four verifiers generate the same high-entropy session key while verifying the participant's position and password information?
In our PPAKE protocol, the four verifiers use a common reference string to authenticate the participant and to initiate encrypted communication on the basis of the shared password and position information.
The PPAKE protocol is built from ElGamal ciphertexts, a universal projective hash function, a key encapsulation mechanism, a 4-wise independent hash function, and a pseudo-random generator. The proposed protocol realizes simultaneous authentication of password and position information.
Prior art authenticates participants by a single factor, whereas the present technique uses both the password and the position information to authenticate the joining party and to negotiate a common session key in preparation for subsequent private communication. Specifically, the adversary cannot impersonate the joining party from a location that is inconsistent with the declared location, and any position or password forged by the adversary fails authentication. Our PPAKE can be applied in many scenarios, for example, (1) a communication base station that needs to verify the position and password of a user before authorizing network access, and (2) real-life logistics distribution scenarios that require password and location verification before negotiating sensitive content. Other applications, such as unmanned aerial vehicle authentication and military base authentication, are described in a later section. From the above discussion, it is very meaningful to present a key exchange protocol with dual authentication of password and position.

Applications of PPAKE
Next, we propose two application scenarios for the PPAKE mechanism: one is unmanned aerial vehicle authentication, and the other is authentication in a military base.

Unmanned Aerial Vehicle Authentication.
The unmanned aerial vehicle (UAV) is an aircraft without a crew on board that is flown by wireless remote control or by a preprogrammed flight plan. Owing to advantages such as low cost, easy operation, fast image acquisition, high ground resolution, independence from a fixed environment, and the absence of on-board casualties in the event of an accidental crash, UAVs have been widely used in map surveying and map updating, geological survey, natural disaster monitoring, agricultural remote sensing, and other fields.
UAV control technology covers remote control, telemetry, tracking, positioning, and information transmission to the UAV. The corresponding technical facilities consist of a data link and a ground control station. The data link realizes data transmission and delivery, tracking, and positioning between the ground control station and the UAV. The ground control station realizes functions such as mission planning, link control, flight control, payload control, flight track display, parameter and image display, and recording and distribution.
To ensure the authenticity of the information transmitted between the parties and of its source, dual authentication and key exchange should be carried out before the UAV and the ground control station exchange information. Our PPAKE uses dual authentication based on position and password to complete identity authentication and key exchange between the two parties. When a UAV holding a legitimate identity and password granted by the ground control station sends an authentication and transmission request to the ground control station, it also submits its encrypted identity, password, and position information. The ground control station then authenticates each item separately. If the information matches the prestored information, a session key is generated and the message is transmitted; otherwise, the request for authentication and message transmission is aborted.

Military Base.
In recent years, several local wars have shown the wide application of information technology in the military field, which has brought comprehensive and profound changes to the pattern of warfare. With the increasing use of modern communication and computer network technology, the carriers of military information have changed greatly, and the hidden dangers to information security have spread from the simple document management of the past to information systems, equipment, sites, and every link of information operations.
Modern military communication can be divided into three categories, namely, wired communication, wireless communication, and network communication, each of which exists in a different form and carries a different degree of security risk. In wireless communication, a user who wants to access system resources remotely or transmit data must first obtain the appropriate permissions. Dual authentication provides a simple and effective security solution to this problem.
Specifically, PPAKE uses dual authentication based on password and position to authenticate a wireless user who has registered with the base and obtained an identity ID and a password, and to generate a session key. When a user holding an ID and password sends an access and authentication request to the base station, the user submits the encrypted ID, password, and location information. The base station then authenticates each item separately.

Security Model
In this model, we assume that (1) the clocks of all verifiers are synchronized, and the clocks of verifiers and participants run at the same pace; (2) the protocol has a fixed set of users; (3) messages travel at the speed of radio waves; and (4) each principal can execute the protocol multiple times with different partners. As described above, the PPAKE protocol consists of two phases, namely, the initialization phase and the execution phase.
Initialization phase: in this phase, the public parameters are established, each user's position is given, and the unique identifiers of all verifiers are given to all protocol users. Each participant shares a password with all verifiers. Each password is chosen uniformly from the set {1, ..., D_n} for some integer D_n depending on n.
Execution phase: in this phase, we define separately how verifiers, participants, and adversaries act, by means of the following two security definitions adapted from [16, 22].
Position-based authentication [22]: in the execution phase, any verifier and any adversary can send the following three types of messages: broadcast messages, directional messages, and private multicast messages. A participant can send broadcast messages and directional messages. The message types are as follows:
(1) Broadcast messages: a broadcast message travels with equal speed in all directions, in concentric hyperspheres centered at the sender's position P, and arrives at a position P' after time t (t is the time radio waves take to travel from P to P').
(2) Directional messages: a directional message travels in a region of concentric hyperspheres centered at the sender's position P and arrives at position P' after time t (t is the time radio waves take to travel from P to P').
(3) Private multicast messages: a verifier (or an adversary) talks to other verifiers (or other adversaries) via a private channel.
A PPAKE protocol in 3-dimensional space is described as a set of verifiers Ver = {V_1, V_2, ..., V_n} at positions pos_1, pos_2, ..., pos_n, respectively, which take as input a claimed position P' of a participant located at position P and jointly return "accept" after interacting with the honest participant (if P' = P) in the absence of any adversarial parties.
Password-based authenticated key exchange [16]: in the execution phase, the adversary is given oracle access to the different instances. The oracles are as follows:
(1) Send: this oracle sends message M to instance Π^i_U (instance i of user U) and outputs the message that Π^i_U sends in response to the adversary.
(2) Execute: if Π^i_U and Π^j_{U'} have not yet been used, this oracle executes the protocol between these instances and outputs the resulting transcript to the adversary.
(3) Reveal: this oracle outputs the session key sk^i_U to the adversary.
Finally, adversary A makes a single Test query to a fresh instance Π^i_U and outputs a bit b'. In the Test oracle, a random bit b is chosen; if b = 1, the adversary is given sk^i_U, and if b = 0, the adversary is given a session key chosen uniformly from the appropriate space. A succeeds if either b' = b or, at the end of the experiment, there is an instance Π^i_U that accepts but is not semipartnered with any other instance (semipartnering is defined as follows: instances Π^i_U and Π attacks, A succeeds with advantage Adv_{A,Π} := 2 · Pr[Succ] − 1 ≤ Q(n)/D_n + ε(n), where Succ is the event that the adversary succeeds and ε is negligible in the security parameter.
We claim that if protocol Π satisfies both position-based authentication and password-based authenticated key exchange, then protocol Π is a secure PPAKE protocol.

Description of PPAKE
In the PPAKE protocol, we assume that (1) all participants of the system have synchronized clocks, and all users have access to the common reference string CRS; (2) all verifiers share the private random string VRS; (3) computation time is negligible relative to the transmission time of messages; and (4) the Diffie-Hellman problem is hard in the group of prime order p. The main flow of our PPAKE protocol is shown in Figure 1, and the details are as follows.

Initialize Phase.
In this phase, all users share a common reference string CRS = (G, p, g, h, H, H_cr, PRG, d, e) and maintain a common clock. In the CRS, G is a cyclic group of prime order p, where the length of p is generally greater than 160 bits; g and h are random elements of G; H is a 4-wise independent hash function; H_cr is a collision-resistant hash function; PRG is a pseudo-random generator; and d and e are elements of G, namely d = g^{a_1} h^{b_1} and e = g^{a_2} h^{b_2}, the public keys of the key encapsulation mechanism (KEM), where a_1, a_2, b_1, and b_2 are random numbers generated when the system is set up.
Assume that all verifiers V_i (i = 1, ..., 4) share a random string VRS = (K_1, K_2, K_3, K_4, r) through a secure communication channel. Generally, the length of each of K_1, K_2, K_3, and K_4 is greater than 80 bits, and the length of r is greater than 160 bits. Let t_1, ..., t_4 denote the times that radio waves take to travel from the verifiers V_1, ..., V_4, respectively, to the position of the participant (written P for short).

Execution Phase.
Now we introduce the execution phase, which is described as phases 1 to 4.

Phase 1.
In this phase, all verifiers send authentication information to P; the content of the message sent by the prime verifier differs slightly from those sent by the nonprime verifiers. Figure 2 illustrates the computation of the prime verifier V_1, which sends its results, namely the encrypted password and the position authentication information, to P. Figure 3 illustrates the computation of the nonprime verifiers V_i (i = 2, 3, 4), which compute and send position authentication information timed so that all messages reach P at the same time. The computation details are as follows:
(1) V_1 selects r from VRS and computes A = g^r and c' = h^r g^π, where π is the password previously shared between all verifiers and P. Then V_1 broadcasts (K_1, A ‖ c') at time T − t_1, as shown in Figures 1 and 2.
(2) V_2 randomly selects X_1, computes K_2' = PRG(X_1, K_1) ⊕ K_2, and broadcasts (X_1, K_2') at time T − t_2, as shown in Figures 1 and 3.
(3) V_3 randomly selects X_2, computes K_3' = PRG(X_2, K_2) ⊕ K_3, and broadcasts (X_2, K_3') at time T − t_3, as shown in Figures 1 and 3.
(4) V_4 randomly selects X_3, computes K_4' = PRG(X_3, K_3) ⊕ K_4, and broadcasts (X_3, K_4') at time T − t_4, as shown in Figures 1 and 3.

Phase 2.
As shown in Figure 4, phase 2 can be divided into three steps, detailed in Figures 5 to 7. The computation details are as follows. Figure 5 illustrates the computation of the password-based authentication information. P randomly computes μ, the public (projection) key of the hash proof system, and the hash value σ from the password-encrypted ElGamal ciphertext (A, c'). σ is divided into three parts, written τ_p ‖ sk_p ‖ r_p ← σ, where τ_p is used to verify the identity of the verifiers, sk_p is used as the session key, and r_p is used to encapsulate a key that conceals the password and position information. The specific steps are as follows: P randomly selects λ_1 and λ_2 from Z_q (the value of q depends on the security parameter), computes μ = g^{λ_1} h^{λ_2}, c = c' g^{−π}, and σ = A^{λ_1} c^{λ_2}, splits σ into three equal pieces by bit length, τ_p ‖ sk_p ‖ r_p ← σ, then computes c_kem = (g^{r_p}, h^{r_p}) and k_kem = H(d^t e^{r_p}), where t = H_cr(g^{r_p}, h^{r_p}, A ‖ c', V_1, P); finally, it outputs (μ ‖ c_kem) and k_kem as (2-P-1). Figure 6 illustrates the computation of the position-based authentication information K_4 from the information received in phase 1: P computes K_{i+1} = PRG(X_i, K_i) ⊕ K_{i+1}' (i = 1, 2, 3) and outputs K_4 as (2-P-2).
Figure 7 illustrates how the combined password and position authentication information (2-P-3) is computed from (2-P-1) and (2-P-2): P computes δ = k_kem ⊕ (π ‖ K_4) and broadcasts δ as (2-P-3) to V_i (i = 1, 2, 3, and 4).

Phase 3.
In this phase, all verifiers V_i (i = 1, 2, 3, and 4) verify P's password and position authentication information, compute the session key, and reply with their authentication information to P. As shown in Figure 8, each verifier receives the information from P, computes the hash value σ, verifies the password, and checks the consistency of the receiving time with the claimed position. After all checks pass, each verifier sends the first block of σ back to P.
The detailed computation is as follows: when V_i (i = 1, 2, 3, and 4) receives (μ ‖ c_kem ‖ δ), it computes the hash value σ = μ^r and sets τ_V ‖ sk_V ‖ r_V ← σ. Then V_i verifies c_kem, δ, and the receiving time. Only if c_kem equals (g^{r_V}, h^{r_V}), δ equals H(d^t e^{r_V}) ⊕ (π ‖ K_4) with t = H_cr(g^{r_V}, h^{r_V}, A ‖ c', V_1, P), and the receiving time equals T + t_i does V_i send τ_V as message (3-V_i) to P; otherwise, V_i aborts phase 3. At the end of this phase, V_i sets the negotiated session key to sk_V.
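As an added derivation that is not part of the original paper, the following works the phase 3 check through with the protocol's own symbols. Write π' for the password P actually used in phase 2 (π' = π for the honest participant, π' ≠ π for an adversary's guess); λ_2 is assumed nonzero, and exponents are taken modulo the order p of G.

$$
\sigma_P \;=\; A^{\lambda_1} c^{\lambda_2}
\;=\; (g^{r})^{\lambda_1}\,\bigl(c'\,g^{-\pi'}\bigr)^{\lambda_2}
\;=\; (g^{r})^{\lambda_1}\,\bigl(h^{r} g^{\pi-\pi'}\bigr)^{\lambda_2}
\;=\; \bigl(g^{\lambda_1} h^{\lambda_2}\bigr)^{r}\, g^{(\pi-\pi')\lambda_2}
\;=\; \sigma_V \cdot g^{(\pi-\pi')\lambda_2}, \qquad \sigma_V = \mu^{r}.
$$

Hence σ_P = σ_V exactly when π' = π, and in that case τ_p = τ_V, sk_p = sk_V, and r_p = r_V, so the c_kem = (g^{r_V}, h^{r_V}) and δ values recomputed by V_i match what P sent. When π' ≠ π, the factor g^{(π−π')λ_2} is uniformly distributed in G from the verifiers' point of view, because μ = g^{λ_1} h^{λ_2} is consistent with every value of λ_2 (the smoothness of the projective hash); the three pieces of σ_P are then independent of those of σ_V, and the c_kem check or the δ check fails except with negligible probability. At the same time, under the DDH assumption on (g, h), the transcript (A, c', μ, c_kem, δ) reveals nothing about π beyond the failure of this one guess. This is the source of the Q(n)/D_n term in the security bound: each password guess costs one online interaction, and, because of the timing check, one that has to be made from the claimed position.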

Phase 4.
As shown in Figure 9, P checks whether the authentication message τ_V sent by each V_i equals τ_p. If they are equal, P sets sk_p as the communication key with the verifiers; otherwise, P aborts phase 4.
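As an added, runnable illustration of phases 1 to 4 (example code written for this edit, not the paper's own implementation), the following Python simulates the four verifiers and the participant, including the time-of-arrival check of the position-based part and the password check of the hash-proof part, and then shows that the two attacks the security model rules out are rejected: a wrong password from the correct position, and the correct password from a wrong position while claiming P. Everything not in the paper is an assumption and is labelled in the comments: the toy 10-bit group (p = 1019, q = 509; the paper requires a group of more than 160 bits), SHA-256 standing in for H and H_cr, HMAC-SHA256 standing in for PRG, a hash-based expansion of σ before the three-way split (a toy group element has too few bits to split directly), the verifier positions, the password value, and a radio speed of one distance unit per time unit. The KEM key is computed literally as H(d^t e^r) as written in the text.

```python
"""Toy PPAKE run (phases 1-4). Added example, not the paper's code; see the lead-in
for the substitutions. Group, hashes and positions are constructed for illustration."""
import hashlib
import hmac
import math
import secrets

# --- CRS (public): toy group; the paper requires p of more than 160 bits ----------
P_MOD, Q_ORD = 1019, 509               # safe prime p = 2q + 1; G = order-q subgroup of Z_p^*
G, Hh = 4, 9                           # two generators of G (squares mod p), playing g and h
_a1, _b1, _a2, _b2 = (secrets.randbelow(Q_ORD - 1) + 1 for _ in range(4))  # KEM setup secrets
D_PK = pow(G, _a1, P_MOD) * pow(Hh, _b1, P_MOD) % P_MOD                     # d = g^a1 h^b1
E_PK = pow(G, _a2, P_MOD) * pow(Hh, _b2, P_MOD) % P_MOD                     # e = g^a2 h^b2
KLEN = 16                              # |K_i| = 128 bits (paper: more than 80 bits)

def H(*parts):                         # SHA-256 stands in for the 4-wise independent hash H
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)).digest()
def H_cr(*parts):                      # SHA-256 stands in for the collision-resistant hash H_cr
    return int.from_bytes(H(b"cr", *parts), "big") % Q_ORD
def PRG(x, k):                         # HMAC-SHA256 stands in for PRG(X, K); output as long as K
    return hmac.new(x, k, hashlib.sha256).digest()[:len(k)]
def split_sigma(sigma):                # tau || sk || r <- sigma, after a hash expansion (assumption)
    tau, sk, r = (H(b"sigma", sigma, i) for i in range(3))
    return tau, sk, int.from_bytes(r, "big") % Q_ORD
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def dist(a, b):                        # propagation time with c = 1 distance unit per time unit
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

# --- VRS (shared by the verifiers over a private channel) and the password --------
VER_POS = [(0, 0, 0), (10, 0, 0), (0, 10, 0), (0, 0, 10)]   # constructed verifier positions
K = [secrets.token_bytes(KLEN) for _ in range(4)]            # K_1 .. K_4
R_SECRET = secrets.randbelow(Q_ORD - 1) + 1                  # r, the projective-hash key
PASSWORD = 137                                               # pi in {1, ..., D_n}; constructed

def phase1(claimed_pos, T):
    """Phase 1: V_1 sends (K_1, A||c'), V_{i+1} sends (X_i, K'_{i+1}); each broadcasts at
    T - t_i so that every message reaches claimed_pos exactly at time T."""
    A = pow(G, R_SECRET, P_MOD)                                # A = g^r
    c1 = pow(Hh, R_SECRET, P_MOD) * pow(G, PASSWORD, P_MOD) % P_MOD   # c' = h^r g^pi
    msgs = [{"from": 0, "sent": T - dist(VER_POS[0], claimed_pos), "body": (K[0], A, c1)}]
    for i in (1, 2, 3):
        X = secrets.token_bytes(KLEN)
        Kp = xor(PRG(X, K[i - 1]), K[i])                        # K'_{i+1} = PRG(X_i, K_i) xor K_{i+1}
        msgs.append({"from": i, "sent": T - dist(VER_POS[i], claimed_pos), "body": (X, Kp)})
    return msgs

def phase2(msgs, true_pos, claimed_pos, password):
    """Phase 2 at the participant's real position true_pos. Returns the broadcast and P's
    own (tau_p, sk_p). 'sent' is when P has heard all four messages (T for an honest P)."""
    arrive = {m["from"]: m["sent"] + dist(VER_POS[m["from"]], true_pos) for m in msgs}
    body = {m["from"]: m["body"] for m in msgs}
    Ki, A, c1 = body[0]
    for i in (1, 2, 3):                                        # (2-P-2): unwind the PRG chain
        X, Kp = body[i]
        Ki = xor(PRG(X, Ki), Kp)                                # K_{i+1} = PRG(X_i, K_i) xor K'_{i+1}
    lam1, lam2 = (secrets.randbelow(Q_ORD - 1) + 1 for _ in range(2))
    mu = pow(G, lam1, P_MOD) * pow(Hh, lam2, P_MOD) % P_MOD    # mu = g^l1 h^l2
    c = c1 * pow(G, Q_ORD - password, P_MOD) % P_MOD           # c = c' g^{-pi}
    sigma = pow(A, lam1, P_MOD) * pow(c, lam2, P_MOD) % P_MOD  # sigma = A^l1 c^l2
    tau_p, sk_p, r_p = split_sigma(sigma)
    c_kem = (pow(G, r_p, P_MOD), pow(Hh, r_p, P_MOD))          # (2-P-1)
    t = H_cr(*c_kem, A, c1, 1, *claimed_pos)
    k_kem = H(pow(D_PK, t, P_MOD) * pow(E_PK, r_p, P_MOD) % P_MOD)
    delta = xor(k_kem, password.to_bytes(4, "big") + Ki)       # (2-P-3): k_kem xor (pi || K_4)
    out = {"mu": mu, "c_kem": c_kem, "delta": delta, "sent": max(arrive.values()), "pos": true_pos}
    return out, tau_p, sk_p

def phase3(i, p1, p2, claimed_pos, T, tol=1e-9):
    """Phase 3 at verifier V_i: sigma = mu^r, then check c_kem, delta and arrival time.
    p2['pos'] models physics (where the radio waves really came from); V_i never reads it."""
    _, A, c1 = p1[0]["body"]
    tau_v, sk_v, r_v = split_sigma(pow(p2["mu"], R_SECRET, P_MOD))
    t = H_cr(*p2["c_kem"], A, c1, 1, *claimed_pos)
    k_kem = H(pow(D_PK, t, P_MOD) * pow(E_PK, r_v, P_MOD) % P_MOD)
    arrived = p2["sent"] + dist(p2["pos"], VER_POS[i])
    ok = (p2["c_kem"] == (pow(G, r_v, P_MOD), pow(Hh, r_v, P_MOD))
          and hmac.compare_digest(p2["delta"], xor(k_kem, PASSWORD.to_bytes(4, "big") + K[3]))
          and abs(arrived - (T + dist(VER_POS[i], claimed_pos))) < tol)
    return (tau_v, sk_v) if ok else None                       # None = abort, no (3-V_i) sent

def run(true_pos, claimed_pos, password, T=100.0):
    """Whole protocol. Returns the agreed session key, or None if any party aborts."""
    p1 = phase1(claimed_pos, T)
    p2, tau_p, sk_p = phase2(p1, true_pos, claimed_pos, password)
    replies = [phase3(i, p1, p2, claimed_pos, T) for i in range(4)]
    if any(r is None for r in replies):
        return None
    if not all(hmac.compare_digest(tau_v, tau_p) for tau_v, _ in replies):   # phase 4
        return None
    assert all(sk_v == sk_p for _, sk_v in replies)            # every verifier holds P's key
    return sk_p

if __name__ == "__main__":
    print("honest P at (3,3,3):", run((3, 3, 3), (3, 3, 3), PASSWORD) is not None)
    print("wrong password, right place:", run((3, 3, 3), (3, 3, 3), PASSWORD + 1))
    print("right password, wrong place:", run((6, 1, 2), (3, 3, 3), PASSWORD))
```

In the honest run every verifier's σ = μ^r coincides with P's σ = A^{λ_1} c^{λ_2}, so all four send back the same τ and end up holding the same sk. With a wrong password, σ on the two sides differs, so either c_kem or δ fails to verify, and the transcript gives the adversary no more than that one guess. With the right password sent from (6, 1, 2) while claiming (3, 3, 3), the adversary only hears the last phase 1 message about 2.8 time units after T, and its δ reaches V_1 about 4 time units late, so the receiving-time check rejects it even though the password checks would have passed; this is the "online guessing only from the specified position" property of the model.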

Security Analysis of PPAKE
Our PPAKE protocol authenticates the participant by both password and position and negotiates a session key for subsequent private communication. In particular, the prime verifier V_1 is responsible for both password-based authenticated key exchange and position-based authentication with participant P, while V_2, V_3, and V_4 are mainly responsible for position-based authentication. Our protocol is
We redescribe our PPAKE with the position-based authentication part omitted: in phase 1, V_1 sends (A ‖ c') to P; in phase 2, P broadcasts (μ ‖ c_kem); in phase 3, every verifier computes the negotiated key sk_V and sends τ_V to P; and finally, in phase 4, P checks the value of τ_V and computes its key as in [20]. The PAKE protocol of [20] assumes that, in phase 3, only V_1 computes the negotiated key. In PPAKE, V_2, V_3, and V_4 obtain the value of r from VRS, so they can compute the negotiated key as well. At the end of the protocol, all verifiers and the participant share the same session key, and anyone without r cannot compute it. Therefore, the security proof of our PPAKE can follow the security proof in [20]. Xue et al. proved that their PAKE is secure in the BPR model; the sketch of the proof is as follows. The proof proceeds via a sequence of experiments. Let G_i denote the i-th experiment and let the advantage of adversary A in G_i be Adv_{A,G_i}(n) = 2 Pr[A succeeds in G_i] − 1. Let G_0 be the BPR challenge experiment. The proof is separated into two parts: the first part (G_1 to G_5) bounds the advantage gained from Execute queries, and the second part (G_6 to G_10) bounds the advantage gained from Send queries. The descriptions of G_1 to G_10 are the same as in Theorem 2 of [20]. Finally, summing up all the gaps between consecutive experiments, we have
In the following, we analyze the security of position-based authentication.
Completeness follows from the fact that the verifiers can compute K_4 from the stored X_i values, and the participant can also compute K_4 since all the required information arrives at P at time T. We now argue that our PPAKE protocol is secure with respect to position-based authentication.
We redescribe the position-based authentication part of PPAKE as follows: in phase 1, V_1 broadcasts (A ‖ c', K_1) at time T − t_1, and V_i (i = 2, 3, 4) broadcasts (X_{i−1}, K_i') at time T − t_i; in phase 2, P computes K_{i+1} = PRG(X_i, K_i) ⊕ K_{i+1}' (i = 1, 2, 3) and broadcasts δ, where δ = k_kem ⊕ (π ‖ K_4), k_kem = H(d^t e^{r_p}), and t = H_cr(g^{r_p}, h^{r_p}, A ‖ c', V_1, P); and in phase 3, all verifiers verify δ and the receiving time. If the verification passes, V_i's authentication of P succeeds. The only difference between the secure positioning protocol of Chandran et al. [22] and our PPAKE is that, in phase 2, P broadcasts δ instead of K_4.

Figure 2: Prime verifier's algorithm for generating the sent message in phase 1 (select r from VRS and g, h from CRS; compute A = g^r and c' = h^r g^π).
Figure 5 (fragment): P randomly selects λ_1, λ_2 from Z_q and generates the password authentication message (μ ‖ c_kem) as (2-P-1).

In our protocol, to combine with password-based authenticated key exchange, we enhance the protocol in [22] by encrypting K_4: we compute δ = k_kem ⊕ (π ‖ K_4), where k_kem = H(d^t e^{r_p}) and t = H_cr(g^{r_p}, h^{r_p}, A ‖ c', V_1, P). Therefore, our PPAKE protocol satisfies at least the position-based authentication security of [22]. For further details of this proof, please refer to Section 7 in [22].
From the above analysis, we conclude that the proposed protocol is a secure authenticated key exchange providing both password- and position-based authentication.

Conclusion
In summary, the PPAKE protocol authenticates the participant through both password and position and negotiates a common session key in preparation for subsequent private communication. The proposed protocol resists active adversaries in the standard model. Specifically, an arbitrary adversary who can listen, tamper, and send messages can only perform an online password-guessing attack from the specified position; impersonation of either the position or the password by the adversary fails authentication.

Data Availability
This is a purely theoretical research paper; therefore, it does not include any experimental data.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Security and Communication Networks