Improved Verifier-Based Three-Party Password-Authenticated Key Exchange Protocol from Ideal Lattices

With the advent of large-scale social networks, two communicating users need to generate session keys with the help of a remote server in order to communicate securely. In the existing three-party authenticated key exchange (3PAKE) protocols, users' passwords must be stored on the server, so these protocols cannot resist the server disclosure attack. To solve this security problem, we propose a more efficient 3PAKE protocol based on the verification element, built from a public-key cryptosystem and an approximate smooth projection hash (ASPH) function on an ideal lattice. Using a structure that separates authentication from the server, the user can negotiate the session key after only two rounds of communication. The analysis results show that the protocol improves the efficiency of computation and communication and resists the server disclosure attack, quantum algorithm attack, and replay attack; moreover, the session key remains private with respect to the server. This protocol can meet the performance requirements of current communication networks.


Introduction
In 1976, Diffie and Hellman [1] first proposed a key exchange (KE) protocol to generate a session key between two users and thereby realize the secure transmission of information over the channel, but they did not consider the identity authentication of the two users. Then, the authenticated key exchange (AKE) protocol was proposed on the basis of the KE protocol. An AKE protocol ensures that the two users can still correctly generate a session key in the presence of an active attack by the adversary.
AKE protocols can be classified into identity-based AKE protocols, public-key infrastructure (PKI) based AKE protocols, and password-based AKE (PAKE) protocols. A PAKE protocol dispenses with the public-key infrastructure in the network and takes a low-entropy password as input, so that the participants can negotiate a high-entropy session key after mutual authentication over an insecure channel. The PAKE protocol has attracted extensive attention because a password is short, practical, and easy to remember.
With the emergence of large-scale mutual communication among users, implementing a two-party authenticated key exchange (2PAKE) protocol increases the burden of user password management [2][3][4][5], whereas a 3PAKE protocol allows users to negotiate a session key with other users while sharing a password only with the server. In a 3PAKE protocol, if the user's password is stored on the server in plaintext, the protocol is called a symmetric 3PAKE protocol. Once the server is attacked and the password file is leaked, the attacker can impersonate a legitimate user after obtaining the user's password [6][7][8][9][10]. Rising is a company focusing on the research and development of antivirus and network security products. Its threat intelligence system is based on threat detection technology using big data analysis and can trace the trajectory of threat behavior using threat intelligence; it once captured an overseas virus transmission server. The virus transmission server scanned for servers in the network using weak passwords. Once a server was found, it implanted a virus to obtain the password file on that server. When the virus transmission server was captured, it had stored the IP addresses and weak account passwords of more than 2000 MSSQL servers and more than 600 phpMyAdmin servers.
Against this type of server file disclosure attack, Kwon et al. [11] constructed the first 3PAKE protocol based on a verification element in 2007. The user sends a transformed value of the password to the server as the verification element. Now, even if the verification element on the server is leaked, the adversary cannot infer the user's plaintext password. When the adversary carries out an offline dictionary attack to obtain the user's password, the server can notify the user that the verification element has been leaked and allow the user to re-execute the registration phase and generate a new verification element [12]. This approach effectively overcomes the disadvantages of the symmetric 3PAKE protocol.
In 2016, Yang et al. [13] proposed the first 3PAKE protocol based on a verification element under the standard model. However, analysis shows that the user computes the message sent to the server from the password during key agreement. Thus, the attacker can use the message authentication code (MAC) value in that message to execute an offline dictionary attack on the user's password. In 2020, Zhang et al. [14] improved Yang's protocol by using a smooth projection hash function under the DDH hardness assumption, so that the two parties can negotiate a session key after four rounds of communication between the participants.
With the advent of the quantum computer, traditional number-theoretic problems can no longer effectively resist quantum algorithms, whereas hard problems on lattices have worst-case complexity matching their average-case complexity. Therefore, lattice cryptosystems, which can mitigate quantum attacks, have attracted extensive attention. In 2012, Ding et al. [15] first constructed a KE protocol on lattices. Ye et al. [16] first constructed a 3PAKE protocol on lattices in 2013. With continuing research, in 2018 Yu et al. [17] constructed a new 3PAKE protocol using the approximate smooth projection hash function on lattices. They used a separable public-key encryption system, and a session key can be negotiated in only two rounds of communication, reducing the communication overhead. In the same year, Choi et al. [18] designed a new 3PAKE protocol; building on Ding et al., they introduced implicit server authentication so that key negotiation can still be completed safely under an incompletely trusted server. To improve computational efficiency, Liu et al. [19] proposed a 3PAKE protocol based on RLWE. Their protocol depends only on the hardness of the RLWE problem, uses no additional primitive in the protocol design, and resists undetectable online password attacks and offline password attacks. They struck a balance between efficiency and security. However, these symmetric 3PAKE protocols cannot resist the server disclosure attack [20,21]. In 2019, Zhang et al. [22] proposed a 3PAKE protocol based on the verification element under the standard model. To enhance the security of the protocol, it uses anonymous authentication for server and user authentication, which increases the computation cost. In 2021, Shu et al. [23] adopted the Peikert [24] error reconciliation mechanism and proposed a 3PAKE protocol based on the verification element on the ideal lattice; it reduces the space complexity, but it needs six rounds of communication to negotiate a session key, which increases the communication overhead.
It can be seen that the existing 3PAKE protocols cannot both resist the server disclosure attack and reduce the communication overhead, and that authentication cannot be separated from the server. Therefore, we construct a 3PAKE protocol based on the verification element using the approximate smooth projection hash function [25] on the ideal lattice. Specifically, the main contributions are as follows:
(i) Reducing space complexity: We use the public-key encryption system on the ideal lattice to reduce the size of the key and ciphertext. Because the ciphertext is transmitted on the channel, shortening the ciphertext size directly improves the communication overhead.
(ii) Simplified protocol flow and lower communication overhead: The proposed 3PAKE protocol adopts an asymmetric structure to separate the authentication from the server. Using the approximate smooth projection hash function on the ideal lattice, each user needs to exchange information with the server only once to generate the session key, whereas the existing 2PAKE and 3PAKE protocols need at least four messages between the user and the server to generate a session key.
(iii) Lower computational overhead: Most of the calculations in our protocol are carried out on the polynomial ring, so the Fast Fourier Transform (FFT) algorithm can be used to decrease the number of operations. In addition, the operations in the protocol can be parallelized by exploiting the special form of the polynomial f(x) = x^n + 1 and the modulus q ≡ 1 (mod 2n). Thus, our protocol can obtain an optimal implementation in the domain Z_q and significantly improve the operating rate.
(iv) Greater security: Not only does the proposed protocol depend on the server to distribute the session key, but the user's temporary private key also determines part of the session key. Thus, the session key is private with respect to the server, and the protocol has forward security.
The organization of this paper is as follows. In Section 2, we introduce the ideal lattice, the RLWE problem, the discrete Gaussian function, and related background, and give the specific structure of the public-key encryption algorithm and the approximate smooth hash function on the ideal lattice. Then, in Section 3, we introduce the security model of the proposed protocol. The complete structure and the security proof of the protocol are given in Sections 4 and 5, respectively. Finally, in Section 6, we compare the security with the protocols in [2,14,17,23], and give experimental results of the protocol under different initial parameters to show the computation and communication overhead of each stage of the protocol.

Lattices
Definition 1. Let B = [b_1, b_2, ..., b_m] ∈ R^{n×m} be a set of linearly independent vectors in R^n, where n and m are positive integers. The lattice generated by B is denoted L(B), and B is called a basis of L(B); n and m are the dimension and rank of the lattice, respectively.

Definition 2 (cyclic lattice). The cyclic shift of the vector a = (a_0, a_1, ..., a_{n−1})^T is written rot(a) = (a_{n−1}, a_0, a_1, ..., a_{n−2})^T. If rot(a) ∈ L for every a ∈ L, then the lattice L is called a cyclic lattice. Write Rot(a) = [a, rot(a), ..., rot^{n−1}(a)], that is,

$$\mathrm{Rot}(a) = \begin{pmatrix} a_0 & a_{n-1} & \cdots & a_1 \\ a_1 & a_0 & \cdots & a_2 \\ \vdots & \vdots & \ddots & \vdots \\ a_{n-1} & a_{n-2} & \cdots & a_0 \end{pmatrix}.$$

Definition 3 (ideal lattice). In 2006, Lyubashevsky et al. [26] extended the cyclic lattice and first proposed the ideal lattice, a lattice having a special ring structure. Let q be a prime, let n = 2^k (k > 1), and let R be the ring of integer polynomials modulo f(x); the elements of R are then represented by integer polynomials of degree less than n. If a ∈ R, the cyclic lattice L(Rot(a)) generated by a is an ideal of the ring R. R_q is the integer polynomial ring modulo f(x) and q, whose elements can be represented by polynomials of degree at most n − 1 with coefficients in {0, 1, ..., q − 1}. The ideal lattice lowers the space complexity by using a single vector to represent an n-dimensional lattice.
Definition 4 (RLWE problem). Let R_q = R/qR be the quotient ring with the positive integer q as modulus. Suppose n, m ≥ 1 and q ≥ 2, and let χ_β be an error distribution, namely a Gaussian distribution over R_q with noise parameter β satisfying β ∈ (0, 1) and √n · log n ≤ βq ≤ √q/4. For s ∈ R_q, the RLWE distribution outputs (a, a · s + e (mod q)) ∈ R_q × R_q by sampling a ← R_q uniformly and noise e ← χ_β.
Definition 5 (decision RLWE_{n,m,q,χ_β} problem). Given m independent samples from R_q × R_q, no probabilistic polynomial time (PPT) algorithm can distinguish whether the samples are drawn from the RLWE distribution or uniformly at random from R_q × R_q.
Definition 6 (search RLWE_{n,m,q,χ_β} problem). Generate polynomials a_i ∈ R_q, s ∈ R_q, and e_i ← χ_β satisfying b_i = a_i · s + e_i. Given multiple pairs (a_i, b_i), the task is to find s.

Discrete Gaussian Distribution.
For any σ > 0, ρ_{σ,c}(x) = exp(−π‖x − c‖²/σ²) is the Gaussian function with center c ∈ R and standard deviation σ. For any σ > 0 and center c ∈ R^m, the discrete Gaussian distribution over a lattice L is defined as D_{L,σ,c}(y) = ρ_{σ,c}(y)/ρ_{σ,c}(L) for y ∈ L, where ρ_{σ,c}(L) = Σ_{x∈L} ρ_{σ,c}(x). The subscript c is omitted when c = 0.

Theorem 2.
The Gaussian distribution has the following properties: given the standard deviation σ and a positive integer m, the following formulas hold: (2)

Public-Key Cryptosystem Based on Ideal Lattice.
Let n and m be positive integers, where n is the security parameter, and let q be an odd prime satisfying q ≥ n^{2.5}, q ≡ 1 (mod 2n), and m ≥ 6 log q. A public-key cryptosystem whose hardness is based on the RLWE problem consists of three algorithms:
(i) (pk, sk) ← KeyGen(1^n): the key generation algorithm, which takes as input the security parameter n and outputs the public/private key pair (pk, sk) of the system.
(ii) (c_1, c_2) ← Enc(pk, msg): the encapsulation algorithm. It takes as input a public key pk and a plaintext msg and outputs the ciphertext c = (c_1, c_2).
(iii) msg ← Dec(sk, (c_1, c_2)): the decapsulation algorithm corresponding to the encapsulation algorithm; it takes as input the private key sk and the ciphertext (c_1, c_2) and outputs the corresponding plaintext msg or "⊥".

Approximate Smooth Projection Hash Function.
The smooth projective hash function is an important component in lattice-based cryptography. It was first proposed by Cramer and Shoup [27]. Later, to construct a PAKE protocol resistant to quantum attack, Katz et al. [28] improved it and extended it to the construction of PAKE protocols with efficient communication. In this paper, we adopt the approximate smooth projection hash (ASPH) function [25] based on an ideal lattice and further modify it according to the requirements of our protocol.
We assume PKε = (KeyGen, Enc, Dec) is a semantically secure public-key encryption system built from functions on the lattice. C_pk denotes the space of valid ciphertexts generated under the public key pk, and P is the plaintext space. We define the set X and the language L ∈ X as follows. For any word c ∈ L, the hash value of c can be computed in two ways: using the hash key hk together with c, or using the projection key hp together with the evidence w corresponding to c ∈ L. The function ε-ASPH of a public-key encryption system with public key pk on the lattice is composed of four algorithms, written ε-ASPH = (HashKG, ProjKG, Hash, ProjH).
(i) HashKG(1^n): Given the security parameter n, the hash key generation algorithm outputs the hash key hk. Here H = {H_hk}_{hk∈HK} denotes the hash function family and HK is the hash key space.
(ii) ProjKG(hk, pk): The projection key generation algorithm takes a hash key hk and a public key pk and outputs the corresponding projection key hp ∈ HP, where HP is the projection key space.
(iii) Hash(hk, L, c): Given the hash key hk, the language L, and any word c ∈ L, the hash function outputs the hash value h.
(iv) ProjH(hp, w): This is the projection hash function. It takes as input the projection key hp and the evidence w of a word c ∈ L and outputs the projection hash value h′.
ε(n)-correctness: for every c ∈ L with corresponding evidence w, let ε(n) ∈ {0, 1} and let Ham(a, b) denote the Hamming distance between a and b; then Pr[Ham(Hash(hk, L, c), ProjH(hp, w)) ≥ ε(n) · n] ≤ negl(n) holds.
Smoothness: for every c ∉ L, with hp = ProjKG(hk, L, c) and p ←_r {0, 1}, the distributions (hp, Hash(hk, L, c)) and (hp, p) are statistically indistinguishable. For security parameter n, ε_SASPH(n) is defined as a negligible upper bound on the statistical distance between the two distributions.

Specific Internal Structure.
Combining the content introduced in Section 2.3, we construct a public-key encryption scheme on the ideal lattice and instantiate the approximate smooth projection hash function used in the proposed protocol. The specific structure is as follows.

Public-Key Encryption Scheme Based on RLWE Problem
(i) (pk, sk) ← KeyGen(1^n): Input a security parameter n; then select B_0 ←_r R and run the trapdoor generation algorithm to get (B_1, T_1) ← ideal-trapGen and (B_2, T_2) ← ideal-trapGen. It finally outputs the public/private key pair pk = (B_0, B_1, B_2), sk = (T_1, T_2) of the system.
(ii) (c_1, c_2) ← Enc(pk, m): Input the public key pk and a plaintext m ∈ Z_q^n; then select r ←_r R and e_1, e_2 ←_r R, where the coefficients of e_1 and e_2 obey the distribution χ_β, and output c_1 = B_1 · r + e_1 (mod q) and c_2 = B_0 · r + B_2 · m + e_2 (mod q), as instantiated in the protocol of Section 4.
(iii) m ← Dec(sk, (c_1, c_2)): Input the private key sk and the ciphertext (c_1, c_2); this decapsulation algorithm outputs the corresponding plaintext m or "⊥".

Approximate Smooth Projective Hash Function on Ideal Lattice.
(1) Hash key: The hash key space used in this protocol is HK = (R_q^m)^n. To ensure the approximate correctness of the ε-ASPH function, the coefficients of each polynomial e_j (j ≤ n) must obey the Gaussian distribution χ_β for any (e_1, e_2, ..., e_n) ∈ HK.
(2) Projection key: The projection key is generated from the hash key. For any (e_1, e_2, ..., e_n) ∈ HK, the corresponding projection key is (u_1, u_2, ..., u_n) = α(e_1, e_2, ..., e_n) ∈ HP, where HP ∈ (Z_q^n)^n is the projection key space. The specific calculation is as follows: the coefficients of the polynomial e_j ∈ R_q^m are concatenated into a one-dimensional column vector composed of the coefficients of e_j. After performing this operation on every e_j ∈ (e_1, e_2, ..., e_n), the transpose of the result is multiplied by B_0. B_0 ←_r R is a public parameter generated by the following calculation:
(3) Hash function H = (H_hk)_{hk∈HK}: the hash key hk = (e_1, e_2, ..., e_n) ∈ HK and x = (c, m) are taken as input, and the following calculation is performed:
(4) Projection function (ProjH_hp)_{hp∈HP}: the projection key hp = (u_1, u_2, ..., u_n) and the evidence w of x ∈ L are taken as input, and the following calculation is run:
Theorem 3 (see [18]). If the parameters m, n, q, β, ω satisfy

MAC Based on Key Hash Function.
A message authentication mechanism verifies the identity of the information source and the integrity of the data. Our protocol uses MAC technology to authenticate messages.
The MAC based on a keyed hash function takes as input a key and a message and outputs a message digest computed with the hash algorithm. By verifying the correctness of the digest, the receiver can authenticate the identity of the information source and the integrity of the message.
Using the correctness of the approximate smooth projection hash function, the hash function value and the projection function value shared between the user and the server can be used as the key; a message digest is then generated with SHA-256. The specific structure is as follows: After receiving the MAC value, the receiver uses the key key* to generate a new message digest: Verify |Ρ* − Ρ| ≤ χ_β; if it holds, this proves that the message was indeed sent by the claimant, is complete, and has not been modified.

Security Model
3.1. Parties of the Protocol. The 3PAKE protocol participants include users and servers. U represents the set of users, C ∈ U is an honest user, and V ∈ U is a malicious user. S represents the set of servers; we usually assume that the server set has only one element, that is, S = {S}.

Long-Term Key.
The long-term key in the protocol is the user's password. We assume the nonempty dictionary D has size l, and the password pw_U of each user U ∈ U is selected uniformly at random from D. The server S holds a password list.

Security Model of 3PAKE Protocol.
In the 3PAKE protocol, each participant can execute multiple sessions at the same time. Let U^i represent the i-th instance of user U and S^j the j-th instance of the server S; here an instance represents a session. We suppose there is a PPT adversary A which knows the password set pw_A = <pw_ε>_{ε∈V} of all malicious users and can also control the communication channel among all users. The adversary obtains specific abilities by issuing the following queries.
(i) Execute(U_1^a, S^j, U_2^b): This query gives A the ability to wiretap channels. After activating the instances U_1^a, S^j, and U_2^b, A obtains all the information transmitted between the users and the server.
(ii) Send(U^u, msg): This query simulates A's active attack on a user instance. The adversary A selects the message msg and sends it to the user instance U^u. Finally, A obtains the reply of U^u to the message msg.
(iii) Send(S^j, msg): This query lets A actively attack a server instance. The adversary A selects the message msg and sends it to the server instance S^j. Finally, A obtains the reply of the instance S^j to the message msg.
(iv) Reveal(U^a): This query simulates the loss or leakage of a session key. After the adversary A executes this query, A obtains all session keys sk_U^a of the instance U^a.
(v) Corrupt(U): Executing this query simulates the adversary's corruption attack on user U. After A executes this query, it obtains the user's password pw_U.
(vi) Corrupt(S): The adversary A sends this query to launch a corruption attack on the server S. After A executes this query, it obtains the password list.
(vii) Test(U^a): This query is valid only when the user instance U^a is fresh. A random coin b ∈ {0, 1} is thrown. If b = 1, the real session key SK_ab is returned to the adversary A; otherwise, a random bit string of the same length as the session key is returned to A.
3.4. Accepted State. ssid^i represents the session serial number of the user instance U^i and pid_U^i represents the intended communication partner of U^i. If an instance executes successfully and generates the corresponding session key, we say it has been accepted.
3.6. Fresh Session. If the instance U^i has been accepted, the adversary A has not asked a Reveal query to U^i, and A has not asked a Corrupt query to the user U or the server S before the instance U^i was accepted, then U^i is fresh.

Definition of Security.
During the execution of a 3PAKE protocol, any PPT adversary A can ask Execute, Send, Reveal, and Corrupt queries in any order and any number of times. Note that the Test query can be asked only once. At the end of the game, the adversary A outputs a guess b′ for b. If b′ = b, the adversary A has broken the protocol. Let D be the password space and let P denote the protocol which A attacks. The advantage of A in breaking the 3PAKE protocol is

Construction of Our Protocol
When users carry out key agreement with the help of the server, they must first register with the server, which stores the verification element corresponding to the user's password; the server must not be able to recover the plaintext password from the verification element.

System Initialization Phase.
Run the key generation algorithm (pk, sk) ← KeyGen(1^n): it takes as input a security parameter n, selects B_0 ←_r R, and runs the trapdoor generation algorithm to get (B_1, T_1) ← ideal-trapGen and (B_2, T_2) ← ideal-trapGen. It finally outputs pk = (B_0, B_1, B_2) as the public key and sk = (T_1, T_2) as the secret key. The private key sk = (T_1, T_2) is kept secret, and Param = (B_0, B_1, B_2) is made public.

User Registration.
When users join the system for the first time, they need to register. The specific operations are as follows:
(i) User U_i chooses an identifier ID_i and a password pw_i, selects a salt value salt_i at random, and uses SHA-256 to generate the seeds of two pseudo-random number generators (PRNG): seed1 = SHA-256(salt_i || SHA-256(ID_i || pw_i)) and seed2 = SHA-256(seed1).
(ii) With the seeds as input to the pseudorandom number generator, select s_i and e_i from the discrete Gaussian distribution χ_β (s_i and e_i are polynomials whose coefficients obey χ_β), choose a ←_r R, and calculate the verification element v_i = a · s_i + e_i ∈ R_q corresponding to the user U_i; a is made public and the other values are kept secret.
(iii) User U_i sends (a, ID_i, v_i) to the server S through a secure channel. If (a, ID_i, v_i) is not in the database list Q, it is added to Q automatically; otherwise, the server asks the user for a new registration message. After the user U_i has successfully executed the registration phase, (seed1, seed2, s_i, e_i, v_i) must be deleted from local memory, and (pw_i, salt_i) is stored locally.
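The registration steps above, and the RLWE form of the verification element from Definition 4, as an added example that is not code from the paper: it derives seed1 and seed2 as described, samples s_i and e_i coefficient-wise from a discrete Gaussian seeded by those values, and computes v_i = a · s_i + e_i in R_q = Z_q[x]/(x^n + 1). The ring parameters, the Gaussian parameter, the PRNG, and the assignment of seed1 to s_i and seed2 to e_i are all assumptions made for this example; the paper leaves them unspecified or uses different sizes.

```python
"""Registration-phase verifier v_i = a*s_i + e_i over R_q = Z_q[x]/(x^N + 1).
Added example with constructed toy parameters, not the paper's own code."""
import hashlib
import math
import random

N = 256      # ring degree n = 2^k (constructed toy value, far below a secure size)
Q = 7681     # prime with Q ≡ 1 (mod 2N); does NOT meet the paper's q ≥ n^2.5 bound
SIGMA = 3.0  # Gaussian parameter σ for the coefficient distribution (constructed)
TAIL = 6     # rejection-sampling cut-off, in multiples of σ


def sha256(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments (the paper's '||')."""
    return hashlib.sha256(b"".join(parts)).digest()


def poly_mul_mod(a, b):
    """Negacyclic product a*b in R_q: after schoolbook multiplication, x^N is
    reduced to -1, so coefficient i+N is subtracted from coefficient i."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]


def poly_add_mod(a, b):
    """Coefficient-wise addition in R_q."""
    return [(x + y) % Q for x, y in zip(a, b)]


def discrete_gaussian(rng: random.Random, sigma: float = SIGMA) -> int:
    """Sample an integer with probability proportional to exp(-π x²/σ²), the
    ρ_σ of Section 2.2, by rejection sampling on [-TAIL·σ, TAIL·σ]."""
    bound = int(math.ceil(TAIL * sigma))
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-math.pi * x * x / (sigma * sigma)):
            return x


def gaussian_poly(rng: random.Random):
    """Element of R_q whose N coefficients are drawn from the discrete Gaussian."""
    return [discrete_gaussian(rng) % Q for _ in range(N)]


def uniform_poly(rng: random.Random):
    """Public ring element a ←_r R_q with uniform coefficients."""
    return [rng.randrange(Q) for _ in range(N)]


def rng_from_seed(seed: bytes) -> random.Random:
    """PRNG keyed by a 256-bit seed (assumed stand-in for the paper's PRNG)."""
    return random.Random(int.from_bytes(seed, "big"))


def derive_seeds(identity: bytes, pw: bytes, salt: bytes):
    """seed1 = SHA-256(salt || SHA-256(ID || pw)), seed2 = SHA-256(seed1)."""
    seed1 = sha256(salt, sha256(identity, pw))
    seed2 = sha256(seed1)
    return seed1, seed2


def recover_secret(identity: bytes, pw: bytes, salt: bytes):
    """Re-derive (s_i, e_i) from (pw_i, salt_i), which is all the user stores.
    Assumption: seed1 drives the sampling of s_i and seed2 that of e_i."""
    seed1, seed2 = derive_seeds(identity, pw, salt)
    return gaussian_poly(rng_from_seed(seed1)), gaussian_poly(rng_from_seed(seed2))


def register(identity: bytes, pw: bytes, salt: bytes, a):
    """Verification element v_i = a·s_i + e_i (mod q): an RLWE sample in the
    sense of Definition 4. Only (a, ID_i, v_i) goes to the server."""
    s, e = recover_secret(identity, pw, salt)
    return poly_add_mod(poly_mul_mod(a, s), e)


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is taken from the paper.
    a = uniform_poly(rng_from_seed(b"public parameter a"))
    v = register(b"alice", b"correct horse", b"salt-0", a)
    print("first verifier coefficients:", v[:8])
    # A leaked (a, v) pair gives the attacker an RLWE instance, not the password;
    # the same (ID, pw, salt) always reproduces the same v, a different pw does not.
    print("reproducible:", v == register(b"alice", b"correct horse", b"salt-0", a))
    print("wrong password differs:", v != register(b"alice", b"wrong", b"salt-0", a))
```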

Mutual Authentication and Key Agreement Phase.
This stage is shown in Figure 1; the user U_a negotiates a session key SK_ab with the user U_b. Whenever user U_i starts a session, U_i automatically generates a session ID ssid_i, and ssid_i increases monotonically. At the same time, after each session is executed successfully, the server records the user's session serial number in its local database list to effectively prevent message replay.
(iii) The server S first looks up the verification element corresponding to U_a in its local list. If it cannot be found, S exits. Otherwise, S checks U_a's session serial number ssid_a; if ssid_a does not meet the requirements, S exits. Finally, m_a and h_a are recovered from the local information, U_a's identity is authenticated by verifying the validity of the ciphertext (C_a1, C_a2), and the integrity of the message x_a is verified by checking the validity of φ_a. If all are valid, the server S randomly selects δ_sa ←_r {0, 1}, δ_sb ←_r {0, 1}, e_4, e_5 ←_r R, and w_b ←_r R, where e_4 and e_5 are polynomials whose coefficients obey the discrete distribution χ_β. The hash key hk_b = HashKG(1^n) for user U_b is selected at random, and S calculates the projection key hp_b = ProjKG(pk, hk_b), the projection function value h_b = ProjH(hp_b, w_b), and m_b = ID_b||ID_a||S||hk_b||ssid_b||v_b||1 · · ·, and obtains the ciphertext C_b1 = B_1 · w_b + e_4 (mod q) and C_b2 = B_0 · w_b + B_2 · m_b + e_5 (mod q) for the message m_b. Next, S uses the random values δ_sa and δ_sb to calculate · · ·.
On receiving the server's message, U_b computes the hash function value h_b′ = Hash(pk, hk_b, C_b1, m_b′) using pw_b and salt_b stored locally. Using the correctness of the approximate smooth projection hash function, the user can verify whether φ_a′ is correct by means of h_b′. After passing verification, U_b selects e_6, e_7 ←_r R and sk_b′ ←_r R uniformly at random, where the coefficients of e_6 and e_7 obey the Gaussian distribution χ_β, and sk_b′ is regarded as the temporary private key. Then, Extr(k_b, σ_b) is computed. According to the hash function value h_b′ and the decoding algorithm ECC^{−1} of the error correction code, U_b recovers δ_sb.
(iv) U_a first checks U_b's session serial number ssid_b after receiving the message. If it does not meet the requirements, exit.
Otherwise, U_a calculates the corresponding projection key hp_a = ProjKG(pk, hk_a) from the hash key hk_a it selected earlier and stored locally; then, the projection function value h_a′ = ProjH(hp_a, w_a) is calculated from the projection key hp_a and the evidence w_a for the ciphertext. Using the correctness of the approximate smooth projection hash function, the user can verify whether φ_b is correct by means of h_a′. If the verification passes, U_a selects e_8 ←_r R at random. Then, from the projection function value h_a′, the decoding algorithm ECC^{−1} of the error correction code, and Δ_a, U_a calculates δ_sa = ECC^{−1}(h_a′ ⊕ Δ_a), k_a = y · sk_a′ + 2e_8, and ρ_a = Extr(k_a, σ_b). Finally, U_a generates the session key SK_ab = c_a ⊕ F_{δ_sa}(1) ⊕ F_{δ_sa}(3) ⊕ σ_b ⊕ ρ_a shared with the user U_b.

Correctness.
A 3PAKE protocol based on the verification element is correct if, when users U_a, U_b and the server S run the protocol honestly, a valid session key SK_ab = SK_ba is generated with overwhelming probability.
Taking user U_a as an example: U_a encrypts the verification element corresponding to its password to obtain a valid ciphertext (C_a1, C_a2); the server S uses the ciphertext and the hash key sent by the user to calculate the hash function value; and the user uses the projection key to obtain the projection function value. By the approximate correctness of the function ε-ASPH, the probability that the Hamming distance between h_a and h_a′ exceeds ε · n is negligible. The error correction code defined in this paper can correct 2ε errors. Finally, users U_a and U_b obtain δ_sa and δ_sb, respectively, identical to the server's values. Meanwhile, user U_a can use k_a to calculate ρ_a.

Security Analysis
A 3PAKE protocol based on the verification element can be widely used only if its correctness and security are ensured. This section proves the security of the protocol under the security model given in Section 3, and then proves the forward security of the protocol and the privacy of the session key with respect to the server.
Proof. Assume that any PPT attacker can make at most q_exe, q_send, q_re, and q_co Execute, Send, Reveal, and Corrupt queries, respectively, with total running time at most t. The advantage of the attacker is simulated by constructing a series of games G_0, G_1, ..., G_8. In this series of games, A's advantage in breaking the protocol gradually increases. Finally, as long as the attacker's advantage of success in game G_8 is negligible, A cannot break the protocol. The advantage of A in breaking the protocol is defined as
Game G_2. During the simulated Execute query, for any user u ∈ {A, B}, the only difference between game G_2 and game G_1 is that the ciphertext C_u in the first message sent by the user is replaced with an encryption of the virtual verification element VT_0 (i.e., a verification element that does not belong to the password space D). We show that the difference in A's advantage between game G_2 and game G_1 is negligible; we record it as |Adv_2(A) − Adv_1(A)| < 2q_exe · Adv^{ake}
Proof. Taking the public key pk as a public parameter, B is an attacker on the public-key encryption system that can answer the queries of attacker A. B sends (v_u′, VT_0) to its challenger as the challenge plaintexts and replaces the ciphertext C_u with the received challenge ciphertext C_u′ in the Execute query. Then, A makes its guess b′ about the random bit b in the Test query. If b′ = b, the guess is successful and B outputs 1; otherwise, B outputs 0.
By the CCA security of the public-key cryptosystem on the ideal lattice, the attacker B can distinguish the two ciphertexts with only negligible advantage. Therefore, the ciphertexts in the q_exe Execute queries issued by the attacker can be replaced with encryptions of the virtual verification element VT_0. Since the attacker A needs additional computation time only during Execute and Send queries while the protocol is simulated, and not during the other queries, which only return the corresponding state, the whole process needs at most t + O(q_send + q_exe) computation time.

Security Proof
Game G_3. In this game, h_u = Hash(pk, hk_u, C_u2, m_u′) for u ∈ {A, B} in the Execute query is replaced by a randomly selected bit string of equal length. Let ε_ASPH(n) be a negligible upper bound on the statistical distance between the output on an element outside the language L and the uniform distribution. Here, it is known that the ciphertexts were replaced by encryptions of the virtual verification element in game G_2, so the input to the approximate smooth projection hash function lies outside the language. By the smoothness of the function, the statistical distance between the output on such an input and the uniform distribution is negligible.
Game G_4. In the Execute query, (sk_u′, x_u) is replaced by a randomly selected bit string of equal length, where u ∈ {A, B}. Here, Adv_4(A) = Adv_3(A).

□
Proof. It is known that the ciphertext in game G 2 has been replaced by the encryption of the virtual verification element, and h u will be replaced by a random bit string with an equal length in the game G 3 . Now, (x u , φ u ) is random. According to the decision RLWE n,m,q,χ β problem, the advantages of game G 4 and game G 3 are the same.
Game $G_5$. Game $G_5$ modifies the pseudorandom function in the Execute query; everything else remains as in game $G_4$. $\delta_{sa}$ and $\delta_{sb}$ are still chosen at random, but the values $F_{\delta_{sa}}(1)$, $F_{\delta_{sa}}(3)$, $F_{\delta_{sb}}(1)$ and $F_{\delta_{sb}}(3)$ are replaced with independent random values. $Adv_5(A) = Adv_4(A)$ holds because the pseudorandom function $F_{\delta_{su}}$ is keyed by $\delta_{su}$, which is hidden.

Proof. The user and the server hold the same $\Delta_a$, and by the correctness of the decoding algorithm $E^{-1}: \{0,1\}^k \to \{0,1\}^n$ of the error-correcting code, the user obtains the same $\delta_{sa}$ as the server. The games above modify the Execute query. From game $G_1$ to game $G_5$, all messages are replaced with random values independent of the user's password, so the attacker obtains no password-related information from these queries, and the communicating parties end up with a completely random session key. □
Next, we modify the Send query. $Send(S_j, msg_1)$ means sending message $msg_1$ to the server instance $S_j$, and $Send(U_u, msg_2)$ means sending message $msg_2$ to the user instance $U_u$. Only when the server instance $S_j$ receives a correct and valid message $msg_1$ does it return the corresponding valid message $msg_2$ to the attacker. $Send_0(U_u, S_j)$ denotes that the user instance $U_u$ and the server instance $S_j$ are activated and start executing the protocol. In addition, the simulator M records the private key $sk$ corresponding to the public key $pk$ in the key generation phase.
Game $G_6$. If there is no corresponding verification element $v'_u$ in the server's local password list $ID'_u$, the simulator M rejects the message; if $ssid'_u$ is smaller than the session serial number previously saved by the server, the message is also rejected. Finally, M checks whether the ciphertext $(C'_{u1}, C'_{u2})$ is valid; if not, M rejects the message. Otherwise, M decrypts $(C'_{u1}, C'_{u2})$ with the private key $sk$ and obtains the user's verification element $v^*_u$. If $v^*_u = v'_u$, the attacker is considered to have broken the protocol and the simulation ends. This modification can only increase the attacker's success probability, so $Adv_5(A) \le Adv_6(A) + 2 q_{send} \cdot \varepsilon_{ASPH}(n)$ holds.
Proof. If $(C'_{u1}, C'_{u2})$ is a valid ciphertext, the simulator M decrypts it and obtains $v^*_u$. If $v^*_u = v'_u$, the attacker's advantage clearly increases. If $v^*_u \ne v'_u$, the ciphertext does not encrypt the user's verification element, so the hash input lies in $X \setminus L$; by the smoothness of the $\varepsilon$-ASPH, this case does not increase the advantage of attacker A. Applying the argument of game $G_3$, $Adv_5(A) \le Adv_6(A) + 2 q_{send} \cdot \varepsilon_{ASPH}(n)$ holds. □

Game $G_7$. This game modifies the response to the query received by the user. Let $msg_1 = \langle ID'_u, ID_u, S, hk'_u, C'_{u1}, C'_{u2}, ssid'_u \rangle$ be a valid message produced in a previous query, with $\langle \Delta_u, h_u \rangle$ the input of the corresponding $Send(U_u, \langle \Delta_u, h_u \rangle)$ query. If $\langle \Delta_u, h_u \rangle$ is a replay of the honestly simulated response to $Send(S, \langle ID'_u, ID_u, S, hk'_u, C'_{u1}, C'_{u2}, ssid'_u \rangle)$, then $h'_u$ is no longer computed for the user according to the protocol; instead, the user is forced to hold the same $\delta_{su}$ as the server. Because $\delta_{su}$ is hidden from the attacker, this modification does not increase the attacker's advantage, and $Adv_7(A) = Adv_6(A)$ holds.

Game $G_8$. The response to the activation message $Send_0(U_u, S_j)$ is modified further: when the user is activated, the ciphertext is replaced with an encryption of the dummy verification element $VT_0$. As in the proof of game $G_2$, since the public-key encryption scheme is CPA secure, the advantage difference of attacker A between this game and game $G_7$ is negligible.
According to the constructed game $G_8$, the attacker A can break the protocol only if the following conditions are met: (i) the attacker impersonates a legitimate user, and the ciphertext in the message sent to the server is an encryption of the verification element $v_U$ corresponding to the user's password; (ii) the attacker impersonates the server and sends a valid message $\langle \Delta_a, h_a \rangle$ to the user; (iii) in the Test query, the attacker's guess $b'$ of the bit $b$ is correct. The first two conditions can be satisfied only when A obtains the password of the legitimate user from the session. However, in the games constructed above, the attacker no longer obtains any password-related information during the session; even if the user's verification element on the server has leaked, the attacker can only guess the user's password by a dictionary attack. Let the user password space $D$ of the proposed protocol follow the Zipf distribution with parameters $C$ and $\varpi$. Let $F$ denote the event that the first two conditions hold; then $\Pr[F] \le C \cdot q_{send}^{\varpi}$. At the end of game $G_8$, the session key negotiated by the user has been replaced with a completely random value, so the probability that the attacker guesses correctly in the Test query is at most $1/2$. Therefore, $Adv_8(A) \le C \cdot q_{send}^{\varpi}$. Summing up, the advantage of the attacker in game $G_0$ is
$$Adv_0(A) \le C \cdot q_{send}^{\varpi} + 2(q_{send} + q_{exe}) \cdot \left[ Adv^{ake}_{PKE'}(t + O(q_{send} + q_{exe})) + \varepsilon_{ASPH}(n) \right].$$
Meanwhile, $Adv_1(A) = Adv_0(A)$; the attacker's advantage therefore differs only negligibly from that of a dictionary attack. Hence the proposed verifier-based 3PAKE protocol is secure. □
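The per-game bounds combine into the stated total by a telescoping sum. The following worked derivation is added here and is not part of the paper; it uses the paper's symbols, writes $t' = t + O(q_{send} + q_{exe})$ for the reduction's running time, and takes the game $G_3$ term to be $2 q_{exe} \cdot \varepsilon_{ASPH}(n)$, which is the value implied by the final bound (the paper's own equation for $G_3$ is not shown above).

```latex
\begin{aligned}
Adv_0(A) &= Adv_1(A) \\
Adv_1(A) &\le Adv_2(A) + 2q_{exe}\cdot Adv^{ake}_{PKE'}(t') && (G_2)\\
Adv_2(A) &\le Adv_3(A) + 2q_{exe}\cdot \varepsilon_{ASPH}(n) && (G_3)\\
Adv_3(A) &= Adv_4(A) = Adv_5(A) && (G_4, G_5)\\
Adv_5(A) &\le Adv_6(A) + 2q_{send}\cdot \varepsilon_{ASPH}(n) && (G_6)\\
Adv_6(A) &= Adv_7(A) && (G_7)\\
Adv_7(A) &\le Adv_8(A) + 2q_{send}\cdot Adv^{ake}_{PKE'}(t') && (G_8)\\
Adv_8(A) &\le C\cdot q_{send}^{\varpi} \\[4pt]
Adv_0(A) &\le C\cdot q_{send}^{\varpi}
 + 2q_{exe}\left[Adv^{ake}_{PKE'}(t') + \varepsilon_{ASPH}(n)\right]
 + 2q_{send}\left[\varepsilon_{ASPH}(n) + Adv^{ake}_{PKE'}(t')\right] \\
 &= C\cdot q_{send}^{\varpi} + 2(q_{send} + q_{exe})\left[Adv^{ake}_{PKE'}(t') + \varepsilon_{ASPH}(n)\right]
\end{aligned}
```

Reading the sum from the bottom up shows where each term of the final bound comes from: the Execute queries pay for the ciphertext and hash replacements in $G_2$ and $G_3$, the Send queries pay for the same two replacements in $G_6$ and $G_8$, and the only non-negligible term left, $C \cdot q_{send}^{\varpi}$, is the online dictionary attack.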

Forward Security
Theorem 5. Assume that the search RLWE assumption holds. If an attacker who has obtained the long-term private key of every participant in the protocol still cannot obtain the correct session key by interacting with the participants using those keys, the protocol has forward security.
Proof. In this protocol, the session key between the users is generated with the help of the server. The complete session key consists of two parts: one determined by the server and one determined by the users. With the server's long-term private key, the attacker can authenticate to the user and the server by forging the ciphertext and the signature, and so obtains the part of the session key computed by the server. The part determined by the user, however, also depends on the ephemeral key chosen by the user for this session.
The ephemeral key $sk'_u$ is never transmitted on the channel; the attacker only observes $x_u = a \cdot sk'_u + 2e$. Given $(a, x_u)$, recovering the ephemeral private key $sk'_u$ requires solving the search RLWE problem. □
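The argument above rests on two facts about $x_u = a \cdot sk'_u + 2e$: the secret never leaves the host, and the doubled error term is what lets the two sides reconcile their key material. The following Python is an added example written for this page, not the paper's implementation. It implements the ring $\mathbb{Z}_q[x]/(x^n+1)$ with the paper's parameter shape $n = 2^k$, $q = n^3 - 1$ (assumptions: $k = 7$, a toy error bound BETA = 2, and schoolbook multiplication instead of the FFT the paper uses), builds both parties' public values, and checks that the raw shares $x_s \cdot sk'_u$ and $x_u \cdot sk'_s$ differ only by a small even polynomial, while the transcript an eavesdropper (or a later-compromised server) sees contains only $(a, x_u, x_s)$.

```python
"""Toy ring-LWE arithmetic behind the forward-security argument (added example).

Builds x = a*s + 2e in Z_q[x]/(x^n + 1) and checks what the "2e" term buys:
the two parties' raw key material differs only by a small, even polynomial,
so low bits can be reconciled, while the ephemeral secret s never leaves the
host. Assumptions: n = 2^k with k = 7, q = n^3 - 1 (the paper's parameter
shape), toy error bound BETA = 2, schoolbook multiplication (the paper uses FFT).
"""
import secrets

N = 128            # ring dimension n = 2^k (k = 7, assumption)
Q = N ** 3 - 1     # modulus q = n^3 - 1, as in the performance section
BETA = 2           # toy error bound: coefficients drawn from [-BETA, BETA]


def ring_mul(f, g):
    """Multiply f*g in Z_q[x]/(x^n + 1): schoolbook with negacyclic wrap-around."""
    res = [0] * N
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + fi * gj) % Q
            else:                       # x^n = -1 in this ring
                res[k - N] = (res[k - N] - fi * gj) % Q
    return res


def ring_add(f, g):
    """Coefficient-wise addition mod q."""
    return [(x + y) % Q for x, y in zip(f, g)]


def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def uniform_poly():
    """Public ring element a, uniform in Z_q^n, from the OS CSPRNG."""
    return [secrets.randbelow(Q) for _ in range(N)]


def small_poly():
    """Secret or error polynomial with coefficients in [-BETA, BETA]."""
    return [secrets.randbelow(2 * BETA + 1) - BETA for _ in range(N)]


def rlwe_sample(a, s, e):
    """x = a*s + 2e mod (q, x^n + 1): the only value that goes on the channel."""
    return ring_add(ring_mul(a, s), [(2 * c) % Q for c in e])


def raw_shares(a):
    """Run both sides' ephemeral steps.

    Returns (transcript, k_user, k_server). The transcript (a, x_u, x_s) is all an
    eavesdropper gets; the secrets s_u, s_s are dropped when this function returns,
    which is exactly why a later key compromise does not expose them.
    """
    s_u, e_u = small_poly(), small_poly()
    s_s, e_s = small_poly(), small_poly()
    x_u = rlwe_sample(a, s_u, e_u)      # user   -> server
    x_s = rlwe_sample(a, s_s, e_s)      # server -> user
    k_u = ring_mul(x_s, s_u)            # = a*s_s*s_u + 2*e_s*s_u
    k_s = ring_mul(x_u, s_s)            # = a*s_u*s_s + 2*e_u*s_s
    return (a, x_u, x_s), k_u, k_s


def difference_small_and_even(k_u, k_s, bound=4 * N * BETA * BETA):
    """k_u - k_s = 2*(e_s*s_u - e_u*s_s): every coefficient is even and |c| <= bound.

    The bound follows from |e|,|s| <= BETA and n products per coefficient.
    """
    return all(abs(c) <= bound and c % 2 == 0
               for c in (centered(x - y) for x, y in zip(k_u, k_s)))


def demo():
    """One exchange over a fresh public a; returns the checks as a dict."""
    transcript, k_u, k_s = raw_shares(uniform_poly())
    return {
        "even_and_small": difference_small_and_even(k_u, k_s),
        "transcript_len": len(transcript),
    }


if __name__ == "__main__":
    print(demo())
```

The even difference is the whole point of the factor 2: after reconciliation (the paper's $\Delta_u$ together with the error-correcting decoder $E^{-1}$) both sides land on the same $\delta_{su}$, whereas an attacker holding the transcript and even the server's long-term key still faces $(a, x_u)$ with $sk'_u$ unknown. Coefficients that sit near the $\pm q/2$ boundary are the case reconciliation exists for; the check above deliberately compares the centered difference rather than the low bits of each share, because those low bits alone do not agree there.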

Privacy of Session Key
Theorem 6. When the search RLWE assumption holds, the session key negotiated by the users with our protocol is private with respect to the server; that is, an honest-but-curious server cannot recover the users' session key.
Proof. We construct an adversary $A_{RLWE}$ against the search RLWE problem from an adversary $A_{privacy}$ against session key privacy. Assume that $A_{privacy}$ makes at most $q_{exe}$ Execute and $q_{send}$ Send queries when attacking the session key, with total running time at most $t$. $A_{RLWE}$ flips a random coin $b \in \{0, 1\}$ and obtains a triplet $(x_b, C_b, \varphi_b)$: when $b = 0$, the triplet is the real RLWE instance produced by running the protocol; when $b = 1$, the triplet is random. $A_{RLWE}$ then simulates the protocol honestly and answers the Execute and Send queries of $A_{privacy}$, but when responding it replaces the corresponding values $(x, C, \varphi)$ of the real protocol with $(x_b, C_b, \varphi_b)$.
Finally, $A_{privacy}$ outputs its guess $b'$ based on the responses.
When $b = 0$, the triplet is a real RLWE instance, and the probability that $A_{RLWE}$ guesses correctly can be denoted by $\Pr[b' = b \mid b = 0]$. When $b = 1$, the triplet is random, and the probability that $A_{RLWE}$ guesses correctly can be expressed as
$\Pr[A_{RLWE} \text{ wins}] = \Pr[b' \ne b \mid b = 0]$. Therefore, the probability that $A_{RLWE}$ solves the search RLWE problem can be calculated from these two cases. □

Performance Analysis
This section analyzes the security and efficiency of the protocol. Table 1 compares the security of our protocol with that of references [2, 14, 17, 23]; A/B/S in Table 1 denotes the number of messages sent by user A, user B and the server S, respectively. Table 2 shows the computation and communication overheads of our protocol.

Security Comparison.
By analyzing the protocol of Guo and Zhang [29], Liu and Xue [2] found that an adversary can gain the trust of the server in [29] by replaying the messages of other legitimate users. An adversary exploiting this flaw to launch a DoS attack consumes server resources and prevents legitimate users from accessing the service. To solve this problem, Liu and Xue's protocol introduces a timestamp and removes a large amount of unnecessary communication overhead, reducing the six rounds of communication of the existing protocol to three, and resists the server spoofing attack and the offline dictionary attack. However, their protocol is a 2PAKE protocol. With the emergence of large-scale end-to-end communication, users communicate with each other frequently, and a 2PAKE protocol requires users to store a large number of passwords for key agreement. Since a 2PAKE protocol involves no server, the privacy of the session key with respect to the server does not arise. The protocol of Yu et al. [17] introduces a session sequence number to resist the replay attack and reduces the number of communication rounds to two by using a separable cryptosystem and a smooth projective hash function. Since the password is stored in plaintext on the server, it cannot resist the server disclosure attack; moreover, an honest-but-curious server can recover the session key between users, so the protocol cannot resist the server's internal attack. The protocols in [14, 23] are verifier-based 3PAKE protocols that effectively resist the server disclosure attack. The protocol of Zhang et al. [14] is based on the DDH assumption and cannot withstand the quantum algorithm attack; although the session key is negotiated in only four rounds of communication, it cannot resist the replay attack and does not meet the security requirements of practical applications. Shu et al. [23] provide quantum-level security, introduce a session sequence number to resist the replay attack, and achieve privacy of the session key with respect to the server, but at the cost of communication overhead: seven rounds of communication and nine messages are needed to agree on a session key.
In addition to protecting the user password, our protocol resists the replay attack. The proposed protocol is constructed on the RLWE problem, which improves security and reduces the storage space of the key. We use the FFT to accelerate the ring operations, effectively lowering the time complexity, and introduce a message authentication mechanism to prevent the session key disclosure caused by a dishonest server. In general, this protocol effectively resists the server disclosure attack and has stronger security.

Efficiency Analysis.
Our protocol adopts an asymmetric model. User A, who initiates the establishment of the session key, performs two computations: the first generates the information related to the session request, and the second generates the session key negotiated with user B. We evaluate the efficiency of the proposed protocol on Windows 10 with an 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40 GHz processor and 16.0 GB of RAM; the computation overhead of each stage is the average over 10000 runs. Table 2 lists the computation overhead of each communication stage and the total communication overhead of the protocol.
Set the parameters $n = 2^k$, $k \ge 2$, $q = n^3 - 1$ and $m = 6 \log q$, where $k$ and $m$ are integers; with these parameters our protocol is secure. Table 2 shows that the computation overhead of each stage grows with $n$. The computation overhead of user A in the first round of communication and that of the server are relatively large. In the first round, user A has to generate the ciphertext, the message authentication code and other information, and these operations are relatively complex. The server has to verify the validity of the ciphertext and the message authentication code, regenerate the message authentication code for user A, and generate a valid ciphertext for user B. When verifying the validity of the ciphertext, the server recovers the corresponding plaintext by exhaustive search. In the experiment we assume the worst case, in which the server needs $q$ decryption attempts to succeed, and $q$ grows rapidly with $n$; therefore, the growth rate of the computation overhead at this stage is high. The server's computation overhead would be lower in real operation.
When $n = 128$ ($n = 256$ or $n = 512$), the total communication overhead is 29 KB (56 KB or 95 KB). The computation and communication overhead of each stage is low for $n = 128$, $n = 256$ and $n = 512$, while the protocol resists quantum algorithm attacks and achieves the required security level, so the proposed protocol can be effectively applied to large-scale communication networks.

Conclusion
Using the approximate smooth projective hash function and a message authentication mechanism on the ideal lattice, we construct a more efficient verifier-based 3PAKE protocol. Compared with existing verifier-based 3PAKE protocols, our protocol reduces space complexity and improves computation and communication efficiency; it needs only two rounds of communication to correctly negotiate a session key. Furthermore, it resists the server password disclosure attack, the server internal attack, and the replay attack, and we give a semantic security proof of the new protocol. In short, the proposed protocol has high security and low overhead, which can meet the communication requirements of large-scale low-bandwidth networks.
Data Availability
The experimental results are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest.