Mobile Information Systems

Volume 2015, Article ID 354586, 7 pages

http://dx.doi.org/10.1155/2015/354586

## Authenticated Diffie-Hellman Key Agreement Scheme that Protects Client Anonymity and Achieves Half-Forward Secrecy

Department of Information Management, National Chi-Nan University, 470 University Road, Puli, Nantou, Taiwan

Received 3 January 2015; Revised 30 March 2015; Accepted 12 April 2015

Academic Editor: Francesco Gringoli

Copyright © 2015 Hung-Yu Chien. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Authenticated Diffie-Hellman key agreement (D-H key) is the de facto building block for establishing secure session keys in many security systems. Among the computations of an authenticated D-H key agreement, modular exponentiation is the most expensive operation, and it places a heavy load on clients whose computational capacity or battery is limited. As client privacy is a major concern in several e-commerce applications, it is desirable to extend authenticated D-H key agreement to protect the client's identity. This paper proposes a new problem, the modified elliptic curve computational Diffie-Hellman problem (MECDHP), and proves that the MECDHP is as hard as the conventional elliptic curve computational Diffie-Hellman problem (ECDHP). Based on the MECDHP, we propose an authenticated D-H key agreement scheme which greatly improves the client's computational efficiency and protects the client's anonymity from outsiders. The new scheme is attractive to applications where clients need identity protection and lightweight computation.

#### 1. Introduction

Authentication is an essential security service; however, many existing authentication schemes either do not provide key agreement during authentication [1–3], do not protect client privacy [4], or require many expensive modular exponentiations [4–16]. Authenticated key agreement aims to simultaneously authenticate the communicating parties and establish a secure session key. If a key agreement scheme does not protect users' identities, it is easy for network operators or even outsiders to collect users' behaviour and violate their privacy as they use the Internet. It is, therefore, imperative to design key agreement schemes that protect the client's identity, so that users' privacy is preserved during Internet activities and e-commerce or m-commerce transactions.

Conventionally, the computational Diffie-Hellman problem over a Galois field (called the CDHP) and the same problem over elliptic curves (called the ECDHP) are the most popular building blocks for authenticated key agreement schemes [4–8, 10–19], owing to their hardness. However, modular exponentiation over a Galois field or point multiplication over an elliptic curve imposes a heavy computational load on clients whose computing capacity or battery is limited. Such clients are called thin clients in the rest of this paper. Even a native D-H key scheme (without authentication of the communicating parties) based on the CDHP requires two modular exponentiations of each party, and the corresponding version over elliptic curves requires two point multiplications of each party. An authenticated version of the D-H scheme, or an extended version that protects client anonymity, generally requires even more modular exponentiations or point multiplications [9–12, 14–16, 20]. It is, therefore, important to reduce the number of exponentiations/point multiplications for thin clients. In 2014, Chien [4] formulated the modified computational D-H problem (MCDHP) and proposed an authenticated D-H key agreement scheme based on it. The scheme [4] effectively reduces the number of modular exponentiations, but it does not protect client anonymity.

Conventionally, key agreement schemes transmit the participants' identities in plaintext. As privacy has become a major concern in many applications, it is desirable to protect the participants' identities during key agreement. Such schemes are called authenticated key agreement schemes with client anonymity (or simply anonymous authenticated key agreement). Chien [12] classified two-party key agreement schemes into four types according to how participants' anonymity is protected. Type 1: the identities of the two communicating parties are not protected; this type corresponds to conventional two-party key agreement schemes. Type 2: the client's identity is protected from outsiders, but the server's identity is not. Type 3: the client's identity is protected from outsiders, while the server's anonymity is protected only from unregistered entities; a typical scenario is a mission-oriented ad hoc network in which clients and servers hide their identities from outsiders, while all preregistered clients know the IP or MAC addresses of the servers. Type 4: both the client's identity and the server's identity are protected from outsiders. Type 2 is the most popular type for anonymity-preserving authenticated key agreement, because it corresponds to the common case where clients want to hide their identities from outsiders. In this paper, we focus on authenticated two-party key agreement of Type 2 and aim to improve the client's computational efficiency.

Authentication with anonymity protection is a popular topic, and several techniques exist for achieving client anonymity during authentication. Chien [2] classifies the existing techniques into four categories: probabilistic-encryption-based schemes like the Oakley protocol [13], pseudonym-based schemes like [20], hash-chain-based schemes like Ohkubo et al.'s scheme [1], and error-correcting-code-based schemes like [2, 3]. It is challenging to extend the existing CDHP-based key agreement schemes like [5–7, 13] (or ECDHP-based schemes like [8]) to anonymous versions while also reducing the modular exponentiation (or point multiplication) load. In this paper, we first formulate a modified ECDHP (MECDHP) and prove its security. We then propose a new authenticated two-party key agreement scheme with client anonymity, based on the MECDHP and Ohkubo et al.'s hash-chain technique [1]. The new scheme protects client anonymity, effectively reduces the client's computational load, and preserves the strong security of the ECDHP.

The rest of this paper is organized as follows. Section 2 introduces the MECDHP and proves its security. Section 3 proposes our new scheme. Section 4 examines its security and evaluates its performance. Section 5 states our conclusions and discussions.

#### 2. The MECDHP Problem and the Security Requirements

In this section, we first propose the MECDHP and prove its security. Then we introduce the model and discuss the security requirements of an authenticated key agreement scheme with client anonymity.

*Elliptic Curves over **.* A nonsupersingular elliptic curve is the set of points and the point (called the* point at infinity*), where satisfy the equation ( are constants, such that ). Two points and on the elliptic curve can be added together using the following rule: if and , then ; otherwise, , where , , and if or if .

*Definition 1.* The computational elliptic curve Diffie-Hellman problem (ECDHP) is as follows: given an elliptic curve over a finite field , a point of order q, and points and , find the point .
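As an added illustration (not code from the paper), the following Python implements the chord-and-tangent addition rule described above and double-and-add point multiplication on a short-Weierstrass curve y^2 = x^3 + ax + b over F_p, then builds an ECDHP instance (P, aP, bP) together with its solution abP as in Definition 1. The curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are constructed toy values chosen so the arithmetic can be followed by hand; they are not a secure curve, and a real deployment uses a standardised curve.

```python
# Added example, not code from the paper: elliptic-curve arithmetic over F_p and
# an ECDHP instance as in Definition 1.  The curve and base point are constructed
# toy values chosen so the arithmetic is easy to follow; they are NOT secure.

P_MOD = 97                 # toy prime field F_97 (constructed)
A_COEF, B_COEF = 2, 3      # curve y^2 = x^3 + 2x + 3 over F_97 (constructed)
BASE = (3, 6)              # base point P: 6^2 = 36 = 27 + 6 + 3 (mod 97)
INF = None                 # the point at infinity O


def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_neg(pt):
    """Additive inverse: -(x, y) = (x, -y)."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def ec_add(p1, p2):
    """Chord-and-tangent addition rule described in the text above."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O
    if p1 == p2:                                     # tangent: doubling
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:                                            # chord: distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication kP: the 'point multiplication'
    whose count the paper tries to minimise for thin clients."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest q > 0 with qP = O (brute force; fine for a toy curve)."""
    q, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        q += 1
    return q


def ecdhp_instance(a, b, base=BASE):
    """Return the ECDHP instance (aP, bP) together with its solution abP.
    An attacker sees only P, aP and bP; recovering abP is the ECDHP."""
    return ec_mul(a, base), ec_mul(b, base), ec_mul(a * b, base)


if __name__ == "__main__":
    aP, bP, abP = ecdhp_instance(7, 11)
    print("order of P:", point_order(BASE))
    print("aP =", aP, " bP =", bP, " abP =", abP)
    print("a(bP) == b(aP) == abP:", ec_mul(7, bP) == ec_mul(11, aP) == abP)
```

Each call to `ec_mul` is one point multiplication, the operation the paper counts per party; the check that a(bP) = b(aP) = abP is what lets both parties reach the same key while an outsider holding only P, aP and bP faces the ECDHP.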

Now we formulate a new problem called the modified computational elliptic curve Diffie-Hellman problem (MECDHP) as follows.

*Definition 2.* The *modified computational elliptic curve Diffie-Hellman problem* (MECDHP) is as follows: given an elliptic curve over a finite field , a point of order , , and points and , find the point .

We now prove that the MECDHP is as hard as the ECDHP.

Theorem 3. *The MECDHP is as hard as the ECDHP.*

*Proof.* We prove this by reduction in both directions.

*(1) The MECDHP is reduced to the ECDHP.* Given an instance of the MECDHP (, , , and ), we can compute and obtain the instance (, , and ) of the ECDHP. Assume there is an oracle that answers the ECDHP. We input the instance (, , and ) to the oracle and obtain the answer . Hence the MECDHP is no harder than the ECDHP.

*(2) The ECDHP is reduced to the MECDHP.* Assume there is an oracle that answers the MECDHP: given (, , , and ), it outputs . Now, given an instance of the ECDHP (, , and ), we choose a random value t and input the instance (t, , , and ) to the MECDHP oracle. The oracle answers . From the response we can derive , that is, the answer to the ECDHP instance (, , and ). Hence the ECDHP is no harder than the MECDHP.

Together, (1) and (2) prove the theorem.

Now we introduce the model and discuss the security requirements of authenticated D-H key agreement scheme with client anonymity as follows. Our model consists of three kinds of entities: clients, servers, and outsiders. Clients would like to establish secure session keys with servers via key agreement schemes and their identities should not be learned by any outsiders. An outsider can actively manipulate the communications via replay, modification, or interception.

(1) Mutual authentication of client and server, and resistance to attacks such as replay, impersonation, man-in-the-middle, and known-key attacks.

(2) Partial forward secrecy and perfect forward secrecy. Partial forward secrecy requires that, even if one party's long-term private key is disclosed someday, previous communications (the session keys established before the disclosure) remain secure. If partial forward secrecy holds only when one specific party's private key is compromised, but not when the other party's key is compromised, the property is called half forward secrecy. Perfect forward secrecy requires that previous communications remain secure even if both parties' long-term private keys are disclosed someday.

(3) Anonymity of the client: the identities of clients should be well protected from outsiders.

#### 3. New Authenticated D-H Key Agreement Scheme with Client Anonymity

We introduce the following notations. We will omit the mod operation in the rest of this paper to simplify the presentation when the context is clear.

*The Notations.*

*, P, q:* is an elliptic curve over ; P is a generator point for a group over .

*, :* two cryptographic hash functions. Two different hash functions are chosen here to hinder outsiders from tracking users using correlated data; this idea is inspired by [1]. These functions could be implemented using a pseudorandom function (PRF) with distinct paddings.

*C, S:* C and S, respectively, denote the client and the server.

*, :* and , respectively, denote the identity of the client and that of the server, where is static while is dynamically updated.

*c, s:* c and s, respectively, denote the private keys of C and S.

*, :* and , respectively, denote their corresponding public keys.

*x, y:* x and y, respectively, denote the ephemeral private keys.

*X, Y:* X and Y, respectively, denote the corresponding ephemeral public keys.

*, ||:* denotes the exclusive OR operation, and || denotes concatenation. Here we abusively use the notation between two elliptic curve points to represent .
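To show why the notation insists on two distinct hash functions derived from one PRF with different paddings, here is an added Python example (not the paper's scheme, which is given in Figure 1 and below) of the hash-chain pseudonym technique of Ohkubo et al. [1] that the notation refers to. The client emits h2(state) as its dynamic identity and advances to h1(state); the server walks each registered chain to map the pseudonym back to the static identity. The seeds, the one-byte paddings and the search window are constructed illustration values.

```python
# Added example, not the paper's scheme: the hash-chain pseudonym technique of
# Ohkubo et al. [1] that the notation refers to, with h1/h2 realised as one hash
# under two distinct paddings.  Seeds, paddings and window are constructed values.
import hashlib

PAD1 = b"\x01"   # padding selecting h1 (chain update)      - constructed
PAD2 = b"\x02"   # padding selecting h2 (pseudonym output)  - constructed


def h1(m: bytes) -> bytes:
    """Chain-update function: derives the next secret state."""
    return hashlib.sha256(PAD1 + m).digest()


def h2(m: bytes) -> bytes:
    """Output function: the dynamic identity sent on the wire."""
    return hashlib.sha256(PAD2 + m).digest()


class Client:
    """Holds the current chain state; emits a fresh pseudonym per session."""

    def __init__(self, seed: bytes):
        self.state = seed

    def next_pseudonym(self) -> bytes:
        pseud = h2(self.state)        # what an outsider sees
        self.state = h1(self.state)   # advance; the old state is discarded
        return pseud


class Server:
    """Maps pseudonyms back to static identities by walking each registered chain."""

    def __init__(self, registry: dict, window: int = 100):
        self.registry = dict(registry)   # static ID -> next expected chain state
        self.window = window             # how far ahead to search (lost sessions)

    def resolve(self, pseud: bytes):
        """Return (static ID, number of skipped sessions) or None if unknown."""
        for ident, state in self.registry.items():
            s = state
            for skipped in range(self.window):
                if h2(s) == pseud:
                    # Move past the consumed state so a replayed pseudonym is rejected.
                    self.registry[ident] = h1(s)
                    return ident, skipped
                s = h1(s)
        return None


def outsider_guess_next(observed: bytes) -> bytes:
    """What an eavesdropper could compute if h1 and h2 were the SAME function:
    the observed pseudonym would then be the next state, so hashing it would
    yield the next pseudonym and every session could be linked.  With two
    distinct functions this guess does not match the real next pseudonym."""
    return h1(observed)


if __name__ == "__main__":
    client = Client(b"seed-alice")                      # constructed seed
    server = Server({"alice": b"seed-alice"})
    p1 = client.next_pseudonym()
    print("resolve p1:", server.resolve(p1))             # ('alice', 0)
    print("replay p1:", server.resolve(p1))              # None
    p2 = client.next_pseudonym()
    print("outsider linked p2?", outsider_guess_next(p1) == p2)   # False
```

The server-side search cost grows with the number of registered clients and the window, which is the usual price of hash-chain anonymity; the paper's own scheme pairs this dynamic identity with the MECDHP-based key agreement described next.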

The scheme is depicted in Figure 1 and is described as follows.