Security Analysis of Choi et al.'s Certificateless Short Signature Scheme

Academic year: 2021


DOI 10.1007/s11227-013-0917-8

Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol

Raylin Tso

Published online: 5 April 2013

© Springer Science+Business Media New York 2013

Abstract Three-party password-authenticated key exchange (3PAKE) protocols allow two clients to establish secure communication channels over a public network merely by sharing a human-memorable (low-entropy) password with a trusted server. In this paper, we first show that the 3PAKE protocol introduced by Chang, Hwang, and Yang is insecure even against passive attackers. Thereafter, we propose two kinds of improvement that remedy the security flaw in their protocol. Finally, we present simulations measuring execution time to show the efficiency of our two improvements.

Keywords Dictionary attack · Key exchange · Password-based authentication · Security analysis

1 Introduction

Password-based authenticated key exchange (PAKE) protocols are important cryptographic techniques for securing digital communications. By using a PAKE protocol, two entities can authenticate each other and then establish a common secret key, called the session key, which is used to build a confidential communication channel between them. In this way, the two entities can communicate secretly over a public network. To provide secure communication between entities, a PAKE protocol should satisfy at least the following security requirements:

1. Mutual authentication. Users are mutually enabled to authenticate each other.

2. Session key security. The session key cannot be obtained without a password.

3. No off-line guessing attacks. No attacker can guess a password and verify that guess off-line.

4. Known-key security. If a protocol has known-key security, the compromise of one session key does not reveal other session keys.

5. No intruder-in-the-middle attacks. No intruder can intercept a message and replace it such that any party is made to compute a wrong session key without detecting the intruder.

6. No replay attacks. No attacker can record previous messages and use them to deceive the receiver in later runs.

R. Tso (✉)
Department of Computer Science, National Chengchi University, Taipei, Taiwan
e-mail: raylin@cs.nccu.edu.tw

1.1 Motivation

In order to increase the efficiency of a secure PAKE protocol, most researchers use symmetric cryptosystems as building blocks to establish PAKE protocols. In 2010, Chang, Hwang, and Yang [4] utilized a simple XOR operation to replace the symmetric cryptosystem in LHL-3PAKE. Their protocol removes both the server public keys and the standard symmetric cryptosystem so that only a single one-way hash function is required. Consequently, their protocol is much more efficient than previous protocols. In addition, they proved their scheme in the so-called "random oracle model" [1] and then claimed that their scheme was provably secure. However, we found that under their protocol a dishonest user can always abuse the protocol to extract the password of a targeted user. Hence, their construction is not successful and their protocol is still insecure. It is then natural to ask whether we can devise a scheme that solves the security problem but is still as efficient as the original scheme.

1.2 Our contribution

In this paper, we first show how an adversary can extract the password of a targeted user by abusing the protocol proposed by Chang et al. [4]. We then provide two remedies to improve the scheme of Chang et al. In order to compare the performance of the improved schemes with that of the original scheme, we analyze performance through simulations implemented in Java. Based on our simulations, we find that both of our improvements yield the same performance as the protocol of Chang et al. In addition, these new schemes improve upon the security of the original scheme.

1.3 Paper organization

The rest of this paper is organized as follows. Section 2 introduces the evolution of PAKE protocols and the CDH hardness assumption. Section 3 revisits the protocol of Chang et al., and Sect. 4 points out the security flaw in their protocol. Section 5 presents our two kinds of improvement to enhance the security. Section 6 compares the performance of our improvements with that of the 3PAKE protocol of Chang et al. Section 7 discusses the software performance in our simulations. Finally, we conclude the paper in Sect. 8.


2 Related works and hardness assumption

2.1 Related works

Bellovin and Merritt [2] were the first to consider how two parties might communicate over a public network and proposed their two-party password-based authenticated key exchange (2PAKE). Such 2PAKE protocols involve sharing a password in advance to establish a common session key via an insecure channel. Because the PAKE protocol requires users to remember only a low-entropy password, it is much simpler and more efficient.

Although 2PAKEs are well suited for client-server architectures, they suffer from the problem of password management. This is because password management in a large-scale communication setting is often considered very costly and inconvenient. Many researchers have extended the scheme of Bellovin and Merritt into three-party PAKE (3PAKE) protocols in order to solve this problem. In 3PAKEs, each user shares a password only with a trusted server, which then assists the users in establishing a session key. For the reason mentioned above, many 3PAKE protocols [8,9,12,18] have been proposed. Unfortunately, many of these are not secure, or their security can only be analyzed heuristically instead of through formal security proofs. For example, STW-3PAKE [18] has been pointed out in [7,12,13] as vulnerable to undetectable on-line password guessing attacks and off-line password guessing attacks. To resolve this problem, LSH-3PAKE [14] and SCH-3PAKE [19] were proposed in 2000 and 2005, respectively.

In 2004, Yeh and Sun considered other communication systems, such as Kerberos, in distributed computing environments and proposed the YS-3PAKE scheme [21]. On the other hand, because the heuristic security in LSH-3PAKE cannot guarantee complete security against all possible attacks, Lin et al. modified LSH-3PAKE and proposed LWHS-3PAKE, which is a provably secure 3PAKE protocol.

In 2005, Wen et al. proposed WLH-3PAKE [20] based on the Weil Diffie-Hellman problem [10], but Nam et al. [16] pointed out that the protocol of Wen et al. has a security flaw during the three-party key-exchange and throw-over processes. In 2009, Chien and Wu [5] proposed a 3PAKE that can establish a session key within four rounds. Lee et al. [19] improved the YS-3PAKE of Yeh and Sun to propose LLSYC-3PAKE. This involves the least number of messages in communication and is thus more efficient than other 3PAKEs with server public keys.

The earlier 3PAKEs required the utilization of a public key infrastructure. To deal with this drawback, Lin et al. proposed LSSH-3PAKE [15] in 2001. LSSH-3PAKE removes the server public keys by using a symmetric cryptosystem, a pseudo-random function, and two different one-way hash functions. In 2004, an improvement to reduce the number of rounds in LSSH-3PAKE was made by Lee et al. [17] as well as Chang and Chang [3]. The LHL-3PAKE of Lee et al. improved upon LSSH-3PAKE by arranging the messages in parallel to increase the number of rounds. The CC-3PAKE of Chang and Chang used an extra one-way trapdoor function to reduce the number of rounds. Although CC-3PAKE has fewer rounds than LSSH-3PAKE, the server needs to store more secrets. Furthermore, Chen et al. pointed out that CC-3PAKE was susceptible to undetectable on-line password guessing attacks, and their newly proposed CCLC-3PAKE corrected this weakness. However, CCLC-3PAKE suffers from the same mass secret storing as CC-3PAKE. In 2007, Lu and Cao proposed LC-3PAKE [18] on the chosen-basis computational Diffie-Hellman assumption, but Chung and Ku [6], Kim and Choi [11], and Nam et al. [17] each showed that LC-3PAKE is insecure.

In 2010, Chang et al. [4] proposed a new 3PAKE protocol that is very efficient because it utilizes only XOR operations. They also proved their scheme in the random oracle model. However, we found that their protocol too is insecure, even against passive attackers. Details will be given below.

2.2 Hardness assumption

2.2.1 Computational Diffie–Hellman assumption (CDH)

Let p be a large prime such that the discrete logarithm problem in Z_p^* is hard. G ⊆ Z_p^* is a large cyclic group of prime order q and g is a generator of G, where p = 2q + 1. Let B be a (t, ε)-CDH attacker, i.e., a probabilistic Turing machine that is given a challenge ψ = (g^x, g^y) and outputs, in polynomial time t and with probability ε, an element z ∈ G such that z = g^(xy). We denote this success probability as follows:

Succ_G^CDH(t) = Pr_{x,y}[ B(g^x, g^y) = g^(xy) ] ≥ ε

The CDH problem is (t, ε)-intractable if ε is negligible for polynomial time t.

3 Chang et al.'s scheme revisited

In this section, we review the three-party PAKE protocol proposed by Chang et al. [4] in 2010. Hereinafter, A and B denote the two parties in communication and S denotes the trusted server. The identities of A and B are denoted by id_A and id_B, respectively, which should be unique so that they index the verification table stored in the server database. The passwords of A and B shared with S are denoted by pw_A and pw_B, respectively. The exclusive-or operator (XOR) is denoted by ⊕, and A → B : m means that a message m is sent from A to B. The scheme of Chang et al. consists of the following six steps.

3.1 Chang et al.'s protocol

Step 1. A → S: id_A, id_B

A sends the identities id_A, id_B to S as the initial request.

Step 2. S → A: R_S1 ⊕ pw_A, R_S2 ⊕ pw_B

After receiving A's message, S chooses two random numbers e_S1, e_S2 ∈ Z_q and computes R_S1 = g^(e_S1) mod p and R_S2 = g^(e_S2) mod p. S then computes R_S1 ⊕ pw_A and R_S2 ⊕ pw_B and sends ⟨R_S1 ⊕ pw_A, R_S2 ⊕ pw_B⟩ to A.

Step 3. A → B: id_A, R_A, h(R_AS1, R_S1, id_A, id_B), R_S2 ⊕ pw_B

After receiving S's message, A retrieves R_S1 by computing (R_S1 ⊕ pw_A) ⊕ pw_A and chooses a random number e_A ∈ Z_q to compute R_A = g^(e_A) mod p, R_AS1 = R_S1^(e_A) mod p, and the hash value h(R_AS1, R_S1, id_A, id_B). A then sends ⟨id_A, R_A, h(R_AS1, R_S1, id_A, id_B), R_S2 ⊕ pw_B⟩ to B.

Step 4. B → S: R_A, h(R_AS1, R_S1, id_A, id_B), R_B, h(R_BS2, R_S2, id_A, id_B), h(K_B, R_A)

After receiving A's message, B retrieves R_S2 by computing (R_S2 ⊕ pw_B) ⊕ pw_B and chooses a random number e_B ∈ Z_q to compute R_B = g^(e_B) mod p, R_BS2 = R_S2^(e_B) mod p, K_B = R_A^(e_B) mod p, and the hash values h(R_BS2, R_S2, id_A, id_B) and h(K_B, R_A). B then sends ⟨R_A, h(R_AS1, R_S1, id_A, id_B), R_B, h(R_BS2, R_S2, id_A, id_B), h(K_B, R_A)⟩ to S.

Step 5. S → A: R_B, h(R_S1A, R_B), h(K_B, R_A), h(R_S2B, R_A)

After receiving B's message, S verifies it to separately authenticate A and B. To authenticate A, S computes R_S1A = R_A^(e_S1) mod p and the hash value h(R_S1A, R_S1, id_A, id_B), then checks that the computed h(R_S1A, R_S1, id_A, id_B) equals the received h(R_AS1, R_S1, id_A, id_B). To authenticate B, S computes R_S2B = R_B^(e_S2) mod p and the hash value h(R_S2B, R_S2, id_A, id_B), then checks that the computed h(R_S2B, R_S2, id_A, id_B) equals the received h(R_BS2, R_S2, id_A, id_B). If both checks succeed, S computes the hash values h(R_S1A, R_B) and h(R_S2B, R_A), and sends ⟨R_B, h(R_S1A, R_B), h(K_B, R_A), h(R_S2B, R_A)⟩ to A. Note that the two authenticated messages h(R_S1A, R_S1, id_A, id_B) and h(R_S2B, R_S2, id_A, id_B) include the identities id_A and id_B, which confirm that A and B have agreed to establish the session key.

Step 6. A → B: h(R_S2B, R_A), h(K_A, R_B)

After receiving S's message, A computes the hash value h(R_AS1, R_B) using the R_AS1 computed in Step 3 and the received R_B. Then A authenticates S by checking that the computed h(R_AS1, R_B) equals the received h(R_S1A, R_B). If so, A computes K_A = R_B^(e_A) mod p and the hash value h(K_A, R_B) to compare it with the received h(K_B, R_A). If both are equal, A can be sure that B is able to compute the session key SK = h(g^(e_A e_B) mod p, id_A, id_B). Finally, A sends ⟨h(R_S2B, R_A), h(K_A, R_B)⟩ to B.

Based on the computational Diffie–Hellman assumption, Chang et al. showed that their protocol is provably secure in the random oracle model. Figure 1 illustrates Chang et al.'s protocol in detail.

4 Security analysis

As mentioned in the Introduction, one of the security requirements is that an attacker can perform neither undetectable on-line guessing attacks nor off-line guessing attacks to obtain information about client passwords. In other words, the protocol should not leak any information about client passwords.

Unfortunately, the protocol of Chang et al. described above is insecure in the presence of a passive adversary.

Fig. 1 Execution times (ms) for 3PAKEs using different schemes with 512 bits, 768 bits, and 1024 bits

We assume that C is an attacker who monitors the communication between A and S. The goal of C is to guess the password of A or B through a passive attack.

In the protocol of Chang et al., p is a large prime chosen so that the discrete logarithm problem in Z_p is hard, G ⊆ Z_p is a large cyclic group of prime order q, where p = 2q + 1, and g is a generator of G. The attack is launched as follows:

Eavesdropping phase

1. As an initial request, A sends the identities id_A and id_B to S.

2. When the server receives id_A and id_B, it chooses two random exponents e_S1, e_S2 ∈ Z_q to compute R_S1 = g^(e_S1) mod p and R_S2 = g^(e_S2) mod p, and then sends ⟨R_S1 ⊕ pw_A, R_S2 ⊕ pw_B⟩ to A. Since the communication is monitored by C, at this moment the attacker C receives the information that S intended to send to A.

Password guessing phase

1. For each pw_i ∈ PW, where PW is the set of possible passwords, C computes T_Ai = (R_S1 ⊕ pw_A ⊕ pw_i)^q mod p and T_Bi = (R_S2 ⊕ pw_B ⊕ pw_i)^q mod p.

2. C concludes that pw_i = pw_A is possible only if T_Ai = 1, and that pw_i = pw_B is possible only if T_Bi = 1. Hence C can easily discard some of the wrong passwords and thereby increase the probability of guessing the right password.

To make it easy to understand, we use an example with small integers to explain how the attack works.

Assume that C wants to guess B's password pw_B, where pw_B ∈ PW and PW = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. In addition,

p = 47, q = (47 − 1)/2 = 23, g = 7, e_S2 = 3, pw_B = 5,

R_S2 = g^(e_S2) mod p = 7^3 mod 47 = 14, and

R_S2 ⊕ pw_B = 14 ⊕ 5 = 11.

After the eavesdropping phase, C receives R_S2 ⊕ pw_B from server S and computes ((R_S2 ⊕ pw_B) ⊕ pw_i)^q mod p for each possible pw_i. That is, C computes the following results:

(14 ⊕ 5 ⊕ 1)^23 mod 47 = 46,
(14 ⊕ 5 ⊕ 2)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 3)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 4)^23 mod 47 = 46,
(14 ⊕ 5 ⊕ 5)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 6)^23 mod 47 = 46,
(14 ⊕ 5 ⊕ 7)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 8)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 9)^23 mod 47 = 1,
(14 ⊕ 5 ⊕ 10)^23 mod 47 = 1.

C can conclude that {1, 4, 6} does not include B's password, since those results are not equal to unity. In this situation, we see that C has increased the probability of guessing B's password pw_B from 1/10 to 1/7.

4.1 Effectiveness of the proposed attack

Let G ⊆ Z_p^* be a large cyclic group of prime order q, where p = 2q + 1 is also a prime. By the group properties and Fermat's little theorem, the number of a ∈ Z_p^* such that a^(p−1) = 1 mod p is p − 1, whereas the number of b ∈ Z_p^* such that b^q = 1 mod p is q. Since p = 2q + 1, the number of such a is twice the number of such b. For a randomly picked element u ∈ Z_p^*, the probability that u^q = 1 mod p is q/p = 1/2. Therefore, generally speaking, the probability that T_Ai = 1 (or T_Bi = 1) is about q/p = 1/2. In conclusion, by monitoring the communication channel between A (or B) and S, an attacker C can easily discard about half of the wrong passwords and thereby increase the probability of guessing the right password of A (or B) from 1/|PW| to 2/|PW|, where |PW| is the cardinality of PW. We emphasize that when C is an active attacker (instead of a passive attacker), she can impersonate A (or B) and communicate with S. This attack (i.e., impersonation) can be launched as many times as C wants, communicating with S until she finds the correct password of A (or B).
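The filter described in Section 4 and its effectiveness from Section 4.1 can be checked numerically. The following is an added example written for this page, not code from the paper; it uses the paper's toy parameters (p = 47, q = 23, g = 7, PW = {1, …, 10}) and a constructed random-trial loop; the function and variable names are my own. The `subgroup_filter` function is the test T_i = (R_S ⊕ pw_i)^q mod p, and `survival_rate` estimates the fraction of wrong guesses the test fails to discard, which Section 4.1 argues is about 1/2.

```python
import random

# Toy parameters from the paper's worked example in Section 4 (constructed, not
# cryptographic sizes): p = 47 is a safe prime, q = 23, and g = 7 generates the
# order-q subgroup G of Z_p^*.
P, Q, G = 47, 23, 7
PW_SET = list(range(1, 11))   # the candidate password set PW of the example


def subgroup_filter(masked, pw_guess, p=P, q=Q):
    """T_i = (masked XOR pw_guess)^q mod p.

    masked is the eavesdropped R_S XOR pw. The result is 1 exactly when the
    unmasked candidate lies in the order-q subgroup G, which the genuine R_S does.
    """
    return pow(masked ^ pw_guess, q, p)


def surviving_passwords(masked, pw_set=PW_SET, p=P, q=Q):
    """Candidates that the filter cannot rule out from one observed R_S XOR pw."""
    return [pw for pw in pw_set if subgroup_filter(masked, pw, p, q) == 1]


def paper_example():
    """Reproduce the numbers of Section 4: e_S2 = 3, pw_B = 5."""
    r_s2 = pow(G, 3, P)            # R_S2 = 7^3 mod 47 = 14
    masked = r_s2 ^ 5              # R_S2 XOR pw_B = 14 XOR 5 = 11, seen by C
    return r_s2, masked, surviving_passwords(masked)


def survival_rate(trials=2000, seed=1):
    """Fraction of *wrong* guesses that pass the filter over random server runs.

    Section 4.1 argues this is about q/p = 1/2, i.e. roughly half of the wrong
    passwords are discarded per observed message.
    """
    rng = random.Random(seed)
    passed = total = 0
    for _ in range(trials):
        pw = rng.choice(PW_SET)
        r_s = pow(G, rng.randrange(1, Q), P)   # honest server value, lies in G
        masked = r_s ^ pw
        for guess in PW_SET:
            if guess == pw:
                continue                        # only count wrong guesses
            total += 1
            # At toy size an XOR can leave the range 1..p-1; pow() reduces it
            # mod p, a quirk that real-size parameters do not have.
            passed += subgroup_filter(masked, guess) == 1
    return passed / total


if __name__ == "__main__":
    r_s2, masked, survivors = paper_example()
    print(f"R_S2 = {r_s2}, observed R_S2 XOR pw_B = {masked}")
    print("candidates still possible for pw_B:", survivors)
    print(f"wrong guesses surviving the filter: {survival_rate():.2f}")
```

The correct password always survives (unmasking it returns the genuine R_S ∈ G), so the filter never produces a false elimination; its only effect is to shrink the candidate set, which is exactly the leakage the paper measures.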

5 Improved scheme

In the previous section, we demonstrated an attack to expose the security flaw in the scheme of Chang et al. This security flaw is irrelevant to their security proof [19] since the problem arises from the XOR operation, which is not considered in their security proof. On the one hand, the XOR operation makes the protocol very efficient in comparison with other protocols. However, as a side-product, it creates a security loophole in the protocol. In this section, we present two enhanced protocols to remedy the security loophole that exists in the protocol of Chang et al. [19].

5.1 Improvement 1

The technique of this improvement is very simple. First, in the setting of the scheme of Chang et al., g is a generator of a large cyclic group G. In addition, the order of G is a prime q = (p − 1)/2, where p is a large prime. There is no problem with this setting if all the operations of the protocol are performed algebraically in G. However, since XOR is not an algebraic operation, we cannot guarantee that R_S1 ⊕ pw_A and R_S2 ⊕ pw_B are elements of G (here R_S1 = g^(e_S1) mod p and R_S2 = g^(e_S2) mod p). If these are not elements of G, then the attack described in the previous section may give an attacker some information about pw_A and/or pw_B.

To overcome this problem without modifying the protocol (i.e., preserving the XOR operation), we can change the order of g (i.e., the generator of the group G) from q = (p − 1)/2 to q = p − 1. In this case, because {1, …, p − 1} = ⟨g⟩ = G, we can ensure that R_S1 ⊕ pw_A and R_S2 ⊕ pw_B are elements of G even though XOR operations are used in the protocol. Specifically, applying the above attack by computing any T_Ai = (R_S1 ⊕ pw_A ⊕ pw_i)^q mod p or any T_Bi = (R_S2 ⊕ pw_B ⊕ pw_i)^q mod p will always result in unity, no matter which pw_i is chosen. Therefore, no information about the passwords pw_A and pw_B is leaked. This simple improvement preserves the operations in the protocol of Chang et al. and solves the security problem as well.

5.2 Improvement 2

As we know from the previous subsection, the XOR operation is the main problem with the scheme of Chang et al., since it is not an algebraic operation. Therefore, our second improvement is to remove the XOR operation in order to maintain the algebraic structure of the cyclic group G. Our modified protocol consists of the following six steps:

Step 1. A → S: id_A, id_B

Step 2. S → A: R_S1, R_S2

After receiving A's message, S chooses two random numbers e_S1, e_S2 ∈ Z_q. Additionally, S looks up pw_A and pw_B corresponding to id_A and id_B and computes e_S1 + pw_A and e_S2 + pw_B. After that, S computes R_S1 = g^(e_S1 + pw_A) mod p and R_S2 = g^(e_S2 + pw_B) mod p. Then S sends ⟨R_S1, R_S2⟩ to A.

Step 3. A → B: id_A, R_A, h(R_AS1, g^(e_S1), id_A, id_B), R_S2

After receiving S's message, A retrieves g^(e_S1) by computing (R_S1 / g^(pw_A)) mod p and chooses a random exponent e_A ∈ Z_q to compute R_A = g^(e_A) mod p and R_AS1 = (g^(e_S1))^(e_A) mod p, as well as the hash value h(R_AS1, g^(e_S1), id_A, id_B). Then A sends ⟨id_A, R_A, h(R_AS1, g^(e_S1), id_A, id_B), R_S2⟩ to B.

Step 4. B → S: R_A, h(R_AS1, g^(e_S1), id_A, id_B), R_B, h(R_BS2, g^(e_S2), id_A, id_B), h(K_B, R_A)

After receiving A's message, B retrieves g^(e_S2) by computing R_S2 / g^(pw_B) and chooses a random exponent e_B ∈ Z_q to compute R_B = g^(e_B) mod p, R_BS2 = (g^(e_S2))^(e_B) mod p, and K_B = R_A^(e_B) mod p, as well as the hash values h(R_BS2, g^(e_S2), id_A, id_B) and h(K_B, R_A). Then B sends ⟨R_A, h(R_AS1, g^(e_S1), id_A, id_B), R_B, h(R_BS2, g^(e_S2), id_A, id_B), h(K_B, R_A)⟩ to S.

Step 5. S → A: R_B, h(R_S1A, R_B), h(K_B, R_A), h(R_S2B, R_A)

After receiving B's message, S verifies it to separately authenticate A and B. To authenticate A, S computes R_S1A = R_A^(e_S1) mod p and the hash value h(R_S1A, g^(e_S1), id_A, id_B), then checks that the computed h(R_S1A, g^(e_S1), id_A, id_B) equals the received h(R_AS1, g^(e_S1), id_A, id_B). To authenticate B, S computes R_S2B = R_B^(e_S2) mod p and the hash value h(R_S2B, g^(e_S2), id_A, id_B), then checks that the computed h(R_S2B, g^(e_S2), id_A, id_B) equals the received h(R_BS2, g^(e_S2), id_A, id_B). If both checks succeed, S computes the hash values h(R_S1A, R_B) and h(R_S2B, R_A). Then S sends ⟨R_B, h(R_S1A, R_B), h(K_B, R_A), h(R_S2B, R_A)⟩ to A. Note that the two authenticated messages h(R_S1A, g^(e_S1), id_A, id_B) and h(R_S2B, g^(e_S2), id_A, id_B) include the identities id_A and id_B, which confirm that A and B have agreed to establish the session key.

Step 6. A → B: h(R_S2B, R_A), h(K_A, R_B)

After receiving the message from S, A computes the hash value h(R_AS1, R_B) using the R_AS1 computed in Step 3 and the received R_B. Then A authenticates S by checking that the computed h(R_AS1, R_B) equals the received h(R_S1A, R_B). If so, A computes K_A = R_B^(e_A) mod p and then the hash value h(K_A, R_B) to compare it with the received h(K_B, R_A). If these are equal, A can be sure that B is able to compute the session key SK = h(g^(e_A e_B) mod p, id_A, id_B). Finally, A sends ⟨h(R_S2B, R_A), h(K_A, R_B)⟩ to B.

5.3 Security analysis of the improvements

The two proposed improvements are proper solutions to overcome the problem of using XOR in Chang et al.'s protocol. We here show that neither improvement leaks any information about pw_A or pw_B.

The first improvement only modifies the order of g in order to make sure that R_S1 ⊕ pw_A and R_S2 ⊕ pw_B are elements of the group used in the protocol. In this way, T_Ai and T_Bi will always be 1 for all pw_i, so the above-mentioned attack becomes meaningless.

In our second improvement, R_S1 and R_S2 are generated as R_S1 = g^(e_S1 + pw_A) mod p and R_S2 = g^(e_S2 + pw_B) mod p. pw_A and pw_B are chosen from the set PW, and e_S1 and e_S2 are chosen from Z_q, where |PW| ≪ q. For any pw_i ∈ PW, there exists an e_Sj ∈ Z_q such that R_Sj = g^(e_Sj + pw_i) mod p for i ∈ {A, B} and j ∈ {1, 2}, so R_Sj leaks no information about pw_i. Consequently, we conclude that the modification leaks no information about pw_A and pw_B.

Table 1 Performance comparison between the 3PAKE of Chang et al. and our two improvements

Related schemes        C1       C2   C3     C4     C5
3PAKE of Chang et al.  A: pw_A  6    A: 1   A: 4   A: 3T_E + 1T + 5T_h
                       B: pw_B       B: 1   B: 3   B: 3T_E + 1T + 5T_h
                       S: pw_S       S: 2   S: 5   S: 4T_E + 2T + 4T_h
Our improvement 1      A: pw_A  6    A: 1   A: 4   A: 3T_E + 1T + 5T_h
                       B: pw_B       B: 1   B: 3   B: 3T_E + 1T + 5T_h
                       S: pw_S       S: 2   S: 5   S: 4T_E + 2T + 4T_h
Our improvement 2      A: pw_A  6    A: 1   A: 4   A: 3T_E + 5T_h + 1T_mul
                       B: pw_B       B: 1   B: 3   B: 3T_E + 5T_h + 1T_mul
                       S: pw_S       S: 2   S: 5   S: 4T_E + 4T_h + 2T_add
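Both improvements of Section 5 can be checked against the Section 4 test in the same toy setting. The block below is an added example for this page, not code from the paper; it assumes the paper's toy parameters (p = 47, q = 23, original generator g = 7, PW = {1, …, 10}), a constructed restriction of R_S to 16..31 so that a toy-size XOR cannot leave Z_p^* (a real 512-bit R_S is never pushed out of range by an 8-byte password), and my own function names. For Improvement 1 it finds a generator of order p − 1 (for a safe prime, g^2 ≠ 1 and g^q ≠ 1 suffice) and shows that the test then returns 1 for every guess; for Improvement 2 it shows that dividing R_S = g^(e_S + pw) by g^(pw_i) for any guess pw_i still gives an element of G, so membership testing learns nothing.

```python
import random

# Toy parameters (constructed, as in the paper's Section 4 example): safe prime
# p = 2q + 1 with p = 47, q = 23, and the paper's subgroup generator g = 7.
P, Q, G_SUB = 47, 23, 7
PW_SET = list(range(1, 11))


def is_primitive_root(g, p=P, q=Q):
    """For a safe prime p = 2q + 1, g generates all of Z_p^* (order p - 1)
    iff g^2 != 1 and g^q != 1 (mod p)."""
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def find_primitive_root(p=P, q=Q):
    """Smallest generator of order p - 1, the group Improvement 1 switches to."""
    return next(g for g in range(2, p) if is_primitive_root(g, p, q))


def filter_improvement1(masked, pw_guess, p=P):
    """The Section 4 test run against Improvement 1: with ord(g) = p - 1 the
    attacker's exponent q becomes p - 1, so x^(p-1) mod p is 1 for every
    nonzero x by Fermat's little theorem."""
    x = (masked ^ pw_guess) % p
    return pow(x, p - 1, p)


def survivors_improvement1(masked, pw_set=PW_SET, p=P):
    return [pw for pw in pw_set if filter_improvement1(masked, pw, p) == 1]


def filter_improvement2(r_s, pw_guess, g=G_SUB, p=P, q=Q):
    """The natural test against Improvement 2: strip a guessed password from
    R_S = g^(e_S + pw) by dividing by g^pw_guess, then test membership in G.
    The quotient is g^(e_S + pw - pw_guess), which lies in G for every guess."""
    candidate = r_s * pow(g, -pw_guess, p) % p   # modular inverse of g^pw_guess
    return pow(candidate, q, p)


def survivors_improvement2(r_s, g=G_SUB, pw_set=PW_SET, p=P, q=Q):
    return [pw for pw in pw_set if filter_improvement2(r_s, pw, g, p, q) == 1]


def demo(seed=7):
    """Run both improvements once with a random password and report whether each
    test leaves the whole password set, i.e. learns nothing."""
    rng = random.Random(seed)
    pw = rng.choice(PW_SET)

    # Improvement 1: same XOR masking, but g now generates the whole of Z_p^*.
    g1 = find_primitive_root()
    r_s = 0
    # Constructed toy-size restriction: keep R_S in 16..31 so an XOR with a
    # password below 16 stays inside 1..p-1 (irrelevant at real parameter sizes).
    while not 16 <= r_s <= 31:
        r_s = pow(g1, rng.randrange(1, P - 1), P)
    leak_free_1 = survivors_improvement1(r_s ^ pw) == PW_SET

    # Improvement 2: no XOR; the password rides in the exponent of the order-q g.
    r_s2 = pow(G_SUB, rng.randrange(1, Q) + pw, P)
    leak_free_2 = survivors_improvement2(r_s2) == PW_SET
    return leak_free_1, leak_free_2


if __name__ == "__main__":
    print("generator of order p - 1 used by Improvement 1:", find_primitive_root())
    print("tests learn nothing (improvement 1, improvement 2):", demo())
```

The contrast with the Section 4 example is the point: under the original scheme the same test discards {1, 4, 6}, whereas under either improvement every candidate in PW passes, so one eavesdropped message gives the attacker no advantage over blind guessing.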

6 Performance analysis

In this section, we compare our improved 3PAKEs with the protocol of Chang et al. in terms of computational complexity and steps. To analyze the computational complexity, we first define the following notation:

T_E: time for computing a modular exponentiation.

T_h: time for computing the adopted one-way hash function.

T_P: time for computing the adopted pseudo-random function.

T_T: time for computing the adopted one-way trapdoor function.

T: time for computing an XOR operation.

T_EN/DE: time for encryption or decryption by the adopted symmetric cryptosystem.

T_add: time for computing an ADD operation.

T_mul: time for computing a MUL operation.

The results of our performance analysis are shown in Tables 1 and 2. In our first improved 3PAKE, the computational complexity is the same as that of the 3PAKE of Chang et al. The server requires 2T_E + 2T in Step 2, 2T_E + 2T_h to authenticate A and B in Step 4, and 2T_h to send the message in Step 5. As a result, the computational complexity of the server is 4T_E + 2T + 4T_h. Client A requires 1T + 2T_E + 1T_h in Step 3 and 3T_h + 1T_E in Step 6 to authenticate S and confirm that B has knowledge of the session key. Finally, A requires another 1T_h to compute the session key. As a result, the computational complexity of client A is 3T_E + 1T + 5T_h. Client B requires 1T + 3T_E + 2T_h in Step 4 and 2T_h to authenticate S and confirm that A has knowledge of the session key. Finally, B requires another 1T_h to compute the session key. As a result, the computational complexity of client B is 3T_E + 1T + 5T_h.

In our second improved 3PAKE, we changed all XOR operations into modular exponentiations. At the server side, the computational complexity was reduced by 2T but increased by 2T_add. Because g^(pw_A) and g^(pw_B) can be computed off-line, we did not count them in the on-line execution time. Hence, the computational complexities of clients A and B were both reduced by 1T and increased by 1T_mul.

Table 2 The parameters for the simulation

Parameter      Length (bit-size) of the element
p              512/768/1024 bits
g              512/768/1024 bits
q              160 bits
pw_A, pw_B     8 bytes

7 Software performance and discussion

Simulations were implemented in Java. We used a PC with an Intel Core 2 Quad CPU Q9400 at 2.66 GHz and 2 GB of RAM. The execution times, shown in Fig. 1, are averaged over 100 simulations.

Because we merely changed the size of the group in our first improvement, we knew that the execution time would not change much. In our second improvement, we replaced two XOR operations with two MUL operations, but this did not add much execution time. From the simulations, we conclude that each of our improvements hardly increases the execution time.

8 Conclusion

This paper first pointed out the security flaw in the 3PAKE of Chang et al. and then proposed two improvements. Compared with the 3PAKE of Chang et al., our improvements not only provide the same efficiency but also guarantee the security. In addition, our improvements meet the security requirements inherited from the protocol of Chang et al.

References

1. Bellare M, Rogaway P (1993) Entity authentication and key distribution. In: Advances in cryptology (CRYPTO '93), pp 232–249

2. Bellovin SM, Merritt M (1992) Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE computer society conference on research in security and privacy, pp 72–84

3. Chang CC, Chang YF (2004) A novel three-party encrypted key exchange protocol. Comput Stand Interfaces 26(5):471–476

4. Chang TY, Hwang MS, Yang WP (2011) A communication-efficient three-party password authenticated key exchange protocol. Inf Sci 181:217–226

5. Chien HY, Wu TC (2009) Provably secure password-based three-party key exchange with optimal message steps. Comput J 52(6):646–655

6. Chung HR, Ku WC (2008) Three weaknesses in a simple three-party key exchange protocol. Inf Sci 178(1):220–229

7. Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. Oper Syst Rev 29(3):22–30

8. Gong L (1995) Optimal authentication protocols resistant to password guessing attacks. In: Proceedings of the 8th IEEE computer security foundations workshop, pp 24–29

9. Gong L, Lomas M, Needham R, Saltzer J (1993) Protecting poorly chosen secrets from guessing attacks. IEEE J Sel Areas Commun 11(5):648–656

10. Joux A (2000) A one round protocol for tripartite Diffie–Hellman. In: Proceedings of the 4th algorithmic number theory symposium (ANTS IV)

11. Kim HS, Choi JY (2009) Enhanced password-based simple three-party key exchange protocol. Comput Electr Eng 35(1):107–114

12. Kwon T, Kang M, Jung S, Song J (1999) An improvement of the password-based authentication protocol K1P on security against replay attacks. IEICE Trans Commun E82-B(7):991–997

13. Lee TF, Liu JL, Sung MJ, Yang SB, Chen CM (2009) Communication-efficient three-party protocols for authentication and key agreement. Comput Math Appl 58:641–648

14. Lin CL, Sun HM, Hwang T (2000) Three-party encrypted key exchange: attacks and a solution. Oper Syst Rev 34(4):12–20

15. Lin CL, Sun HM, Steiner M, Hwang T (2001) Three-party encrypted key exchange without server public-keys. IEEE Commun Lett 5(12):497–499

16. Nam J, Lee Y, Kim S, Won D (2007) Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Inf Sci 177(6):1364–1375

17. Nam J, Paik J, Kang HK, Kim UM, Won D (2009) An off-line dictionary attack on a simple three-party key exchange protocol. IEEE Commun Lett 13(3):205–207

18. Steiner M, Tsudik G, Waidner M (1995) Refinement and extension of encrypted key exchange. Oper Syst Rev 29(3):22–30

19. Sun HM, Chen BC, Hwang T (2005) Secure key agreement protocols for three-party against guessing attacks. J Syst Softw 75(1–2):63–68

20. Wen HA, Lee TF, Hwang T (2005) Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proc, Commun 152(2):138–143

21. Yeh HT, Sun HM (2004) Password-based user authentication and key distribution protocols for client-server applications. J Syst Softw 72(1):97–103
