With the advent of large-scale social networks, two communication users need to generate session keys with the help of a remote server to communicate securely. In the existing three-party authenticated key exchange (3PAKE) protocols, users’ passwords need to be stored on the server; it cannot resist the server disclosure attack. To solve this security problem, we propose a more efficient 3PAKE protocol based on the verification element by adopting a public-key cryptosystem and approximate smooth projection hash (ASPH) function on an ideal lattice. Using the structure of separating authentication from the server, the user can negotiate the session key only after two rounds of communication. The analysis results show that it can improve the efficiency of computation and communication and resist the server disclosure attack, quantum algorithm attack, and replay attack; moreover, it has session key privacy to the server. This protocol can meet the performance requirement of the current communication network.

1. Introduction

In 1976, Diffie and Hellman [1] first proposed a key exchange (KE) protocol to generate a session key between two users, to realize the secure transmission of information in the channel, but they did not consider the identity authentication of two users. Then, authenticated key exchange (AKE) protocol is proposed based on the KE protocol. AKE protocol ensures that it can still correctly generate the session key among two users in the case of an active attack by the adversary.

AKE protocol can be classified into identity-based AKE protocol, public-key infrastructure (PKI) based AKE protocol, and password-based AKE (PAKE) protocol. PAKE protocol dislodges the public-key infrastructure in the network and takes the low entropy password as the input so that the participants can negotiate a high entropy session key after mutual authentication on the insecure channel. The PAKE protocol has attracted extensive attention because the password is short, practical, and easy to remember.

With the emergence of large-scale user mutual communication, the implementation of the two-party authenticated key exchange (2PAKE) protocol increases the burden of user password management [25], and the 3PAKE protocol allows users to negotiate a session key with other users when they share a password with the server. In the 3PAKE protocol, if the user’s password is stored on the server in plaintext, it is called symmetric 3PAKE protocol. Once the server is attacked and the password file is leaked, the attacker can forge a legitimate user to access after obtaining the user’s password [610]. Rising is a company focusing on the research and development of anti-virus products and network security products. Its threat intelligence system is based on threat detection technology of big data analysis and can trace the trajectory of threat behavior by using threat intelligence, and it once captures an overseas virus transmission server. The virus transmission server scans the server in the network by using a weak password. Once the server is found, it will implant a virus to obtain the password file on the server. When the virus transmission server is captured, it has stored the IP address and account’s weak password of more than 2000 MSSQL servers and more than 600 phpMyAdmin servers.

Against this type of server file disclosure attack, Kwon et al. [11] constructed the first 3PAKE protocol based on verification element in 2007. The user sends the transformed value of the password to the server as a verification element. Now, even if the verification element on the server is leaked, the adversary cannot speculate the user’s plaintext password. When the adversary carries out an offline dictionary attack to obtain the user’s password, the server can notify the user that the verification element has been leaked and allow the user to reexecute the registration phase and generate a new verification element [12]. This approach effectively solves the disadvantages of the symmetric 3PAKE protocol.

In 2016, Yang et al. [13] proposed the first 3PAKE protocol based on a verification element under the standard model. However, through analysis, it is found that the user calculates the message sent to the server according to the password in the process of key agreement. Now, the attacker can use the message authentication code (MAC) value in the information to execute the offline dictionary attack on the user’s password. In 2020, Zhang et al. [14] used the smooth projection hash function based on Yang’s protocol and improved it by using the DDH difficulty hypothesis, so that after four rounds of communication between participants, it can negotiate a session key of both sides.

With the advent of the quantum computer, the traditional number theory problems cannot effectively resist the solution of the quantum algorithm, and the difficult problems on the lattice make the complexity of the worst-case consistent with the average case. Therefore, as a lattice cryptosystem that can mitigate the quantum attack, it has attracted extensive attention. In 2012, Ding et al. [15] first constructed the KE protocol on the lattice. Ye et al. [16] first constructed the 3PAKE protocol on the lattice in 2013. With continuous research, in 2018, Yu et al. [17] constructed a new 3PAKE protocol by using the approximate smooth projection hash function on the lattice. They used the separable public-key encryption system, and a session key can be negotiated in only two rounds of communication, reducing the communication overhead. In the same year, Choi et al. [18] designed a new 3PAKE protocol; they introduced implicit server authentication based on Ding et al. so that it can still safely complete key negotiation under incomplete trusted servers. To improve the computational efficiency, Liu et al. [19] proposed a 3PAKE protocol based on RLWE. Their protocol only depends on the hardness of the RLWE problem; it has no additional primitive in the protocol designed and can resist undetectable online password attacks and offline password attacks. They struck a balance between efficiency and security. However, these symmetric 3PAKE protocols cannot resist server disclosure attack [20, 21]. In 2019, Zhang et al. [22] proposed a 3PAKE protocol based on the verification element under the standard model. To enhance the security of the protocol, it uses anonymous authentication for server and user authentication, which increases the computation cost. In 2021, Shu et al. [23] adopted the Peikert [24] error reconciliation mechanism and proposed a 3PAKE protocol based on the verification element on the ideal lattice; it reduces the space complexity, but it needs six rounds of communication to negotiate a session key and increases the communication overhead.

It can see that the existing 3PAKE protocols cannot solve the server disclosure attack and reduce the communication overhead, and the authentication cannot be separated from the server. Therefore, we construct a 3PAKE protocol based on the verification element using the approximate smooth projection hash function [25] on the ideal lattice. Specifically speaking, the main contributions are as follows:(i)Reducing space complexity: We use the public-key encryption system on the ideal lattice to reduce the size of the key and ciphertext. Because the ciphertext will be transmitted on the channel, shortening the ciphertext size can effectively improve the communication overhead efficiency.(ii)It can simplify the protocol flow and effectively reduce the communication overhead. The proposed 3PAKE protocol adopts an asymmetric structure to separate the authentication from the server. Using the approximate smooth projection hash function on the ideal lattice, each user can only transmit information with the server once to generate the session key. However, in the existing 2PAKE and 3PAKE, it needs at least four messages sent by the user and the server to generate a session key.(iii)Lower computational overhead: Most of the calculations are carried out on the polynomial ring in our protocol, so we can use the Fast Fourier Transform (FFT) algorithm to decrease the number of operations. In addition, the operation in the protocol can be parallelized by using the particularity of polynomial and module . Finally, our protocol can obtain the optimal implementation in the domain , to significantly improve the operating rate.(iv)Greater security: Not only does the proposed protocol depend on the server to distribute the session key, but also the user’s temporary private key determines part of the session key. Thus, the session key is private to the server, and it has forward security.

The organization of this paper is as follows: we introduce the ideal lattice, RLWE problem and discrete Gaussian function, and other knowledge and give the specific structure of the public-key encryption algorithm and the approximate smooth hash function on the ideal lattice in Section 2. Then, in Section 3, we introduce the security model of the proposed protocol. The complete structure and security proof of the protocol are given in Sections 4 and 5, respectively. Finally, in Section 6, we compare the security with the protocols in [2, 14, 17, 23], and the experimental results of the protocol under different initial parameters are given to show the computation and communication overhead of each stage of the protocol.

2. Preliminaries

2.1. Lattices

Definition 1. Let be a set of linearly independent vectors in , and and are positive integers. The lattice generated by is defined as , and is the basis of . and are the dimension and rank of the lattice, respectively.

Definition 2 (circular lattice). Note that the once cyclic displacement of the vector is written as . For lattice , if , , then the lattice is called a cyclic lattice, record as , and expressed as

Definition 3 (ideal lattice). In 2006, Lyubashevsky et al. [26] extended the cyclic lattice and first proposed the ideal lattice. A lattice, having a special ring structure, is called an ideal lattice. is a prime number and satisfies , , , and is irreducible on the set of all rational numbers. is a ring of the integer polynomial ; then, the elements in are usually represented by integer polynomials of less degree . If vector , the cyclic lattice generated by is an ideal of ring . is an integer polynomial ring of modules and , in which the elements can be represented by a polynomial of degree and the coefficients are expressed as . The ideal lattice lows down the space complexity by using a vector to represent an dimensional lattice.

Definition 4 (RLWE problem). Let be a quotient ring with a positive integer as the module. We suppose , , an error distribution which is a Gaussian distribution over , where is the noise parameter, satisfying and . For , it will output through sampling and noise .

Definition 5 (decision problem). Given independent uniformly distributed samples from , there is no arbitrary probabilistic polynomial time (PPT) algorithm to distinguish whether the sample is chosen from RLWE distribution or uniform and random .

Definition 6 (search problem). Randomly generate polynomial ,, and ; they satisfy . Now, given multiple groups , it is needed to find .

Theorem 1 (see [25]). We suppose , , ; they satisfy . Then, the -approximate SVP (shortest vector problem) can be reduced to problem and problem through quantum.

2.2. Discrete Gaussian Distribution

For any , is a Gaussian distribution function taking as the center and as the standard deviation. For any , with taking as the center and as the parameter, the discrete Gaussian distribution over lattice is defined as , where ,. Note that can be ignored not writing when is 0.

Theorem 2. Gaussian distribution has the following characters: given the standard deviation and positive integer , the following formulas hold:

2.3. Public-Key Cryptosystem Based on Ideal Lattice

Let and be positive integers; the security parameter is ; and is an odd prime and satisfies , , . A public-key cryptosystem, whose difficulty is based on the RLWE problem, is mainly composed of three algorithms.(i): this is a key generation algorithm, which inputs a security parameter and outputs the public-private key pair of the system(ii): this is called an encapsulation algorithm. It takes as input a public key and a plaintext and outputs (iii): this is the decapsulation algorithm corresponding to the encapsulation algorithm; it takes as input the private key and ciphertext and outputs the corresponding plaintext or “

2.4. Approximate Smooth Projection Hash Function

The smooth projective hash function is an important component in lattice-based cryptography. It was first proposed by Cramer and Shoup [27]. Later, to construct a PAKE protocol against quantum attack, Katz et al. [28] improved it and extended it to the construction of the PAKE protocol for efficient communication. In this paper, we adopt the approximate smooth projection hash (ASPH) function [25] based on an ideal lattice and further modify it according to the requirements of our protocol.

We assume , and it is a semantically secure public-key encryption system composed of functions on the lattice. represents the effective ciphertext space generated by public key encryption, and is the plaintext space. We define and language as follows:

For any word , the hash value of can be expressed in two ways: using the hash key and or using the projection key and the evidence corresponding to . The function of a public-key encryption system corresponding to the public key on the lattice is composed of four algorithms, which can be expressed as .(i): Given the security parameter , the hash key generation algorithm outputs the hash key . Note represents the hash function cluster and is the hash key space.(ii): The projection key generation algorithm takes a hash key and a public key ; it outputs the corresponding projection key , where is the projection key space.(iii): When it inputs the hash key , language , and any word , the hash function outputs the hash value .(iv): This is a projection hash function. Let the projection key and evidence of word be the input, and it outputs the projection hash value .

correctness: for and corresponding evidence , let ; represents the hamming distance between and ; and then holds.

Smoothness: for ,,, the distributions of and are indistinguishable in the statistical distance. When is the security parameter, is defined as a negligible upper bound of the statistical distance of the two distributions.

2.5. Specific Internal Structure

Combined with the content introduced in Section 2.3, we construct a public-key encryption scheme on the ideal lattice and instantiate the approximate smooth projection hash function in the proposed protocol. The specific structure is as follows.

2.5.1. Public-Key Encryption Scheme Based on RLWE Problem

(i): Input a security parameter ; then, it selects and runs the trapdoor function to get and , where , . It finally outputs a public/private key pair of the system;(ii): Let and a plaintext be input; then, it selects ,, the coefficients of and obey distribution . It outputs , where ,.(iii): The private key and ciphertext are input; this decapsulation algorithm outputs the corresponding plaintext or “”.

2.5.2. Approximate Smooth Projective Hash Function on Ideal Lattice

(1) Hash key: The hash key space is used in this protocol to ensure the approximate correctness of function, and the coefficients of polynomial must obey Gaussian distribution for any .

(2) Projection key: The projection key is generated by the hash key. For any , the corresponding projection key is , and is the projection key space. The specific calculation process is as follows:

is the result of connecting the coefficients of polynomial , and it finally outputs a one-dimensional column vector composed of coefficients . After performing this type of operations on all , the result of transpose operation will be point multiplied by . is a public parameter and is generated by the following calculations:

(3) Hash function : the hash key and are used as input, and then perform the following calculations:

, where .


(4) Projection function : let the projection key and the evidence of be input, and run the following calculations:


Theorem 3 (see [18]). If the parameters satisfy , then the above structure is a function.

2.5.3. MAC Based on Key Hash Function

Message authentication mechanism can verify the identity of information source and integrity of data. Our protocol uses the MAC technology to authenticate information. The MAC based on the key hash function takes as input a key and a message and outputs an information summary by using the hash algorithm. By verifying the correctness of the information summary, the receiver can realize the identity authentication of the information source and the integrity authentication of the message.

Using the correctness of approximate smooth projection hash function, the hash function value and projection function value between the user and the server can be input as a key; then, an information summary is generated by SHA-256. The specific structure is as follows:

After receiving the MAC value, the receiver uses the key to generate a new information summary:

Verify ; if it holds, it proves that the information is indeed sent by the claimant, is complete, and has not been modified.

3. Security Model

3.1. Parties of the Protocol

3PAKE protocol participants include users and servers. represents a user collection, is an honest user, and is a malicious user. represents a server collection; we usually assume that the server collection has only one element, that is, .

3.2. Long-Term Key

The long-term key in the protocol is the user’s password; we assume the length of the nonempty dictionary is , and the password of each user is randomly selected from . The server has a password list of all users, where is composed of the user’s salt value and the verification element produced by the password and salt value .

3.3. Security Model of 3PAKE Protocol

In the 3PAKE protocol, each participant can execute multiple sessions at the same time. Let represent the instance of user and let represent the instance of the server . Here, an instance represents a session. We suppose there is a PPT algorithm adversary which knows all the malicious user’s password set and also can control the communication channel among all users. Adversary can obtain the specific abilities by sending the following queries.(i): This query gives the ability to wiretap channels. After activating instances , and , will get all the information transmitted between the user and the server.(ii): This query simulates ’s active attack on the user instance. The adversary selects the message and sends it to the user instance . Finally, obtains the reply of to the message .(iii): This query helps to actively attack the server instance. The adversary selects the message and sends it to the server instance . Finally, the adversary obtains the reply of the instance to the message .(iv): This query simulates session key is lost or leaked. After the adversary executes this query, can obtain all session keys of the instance .(v): The execution of this query simulates the adversary ’s corruption attack on user . After executes this query, it will obtain the user’s password .(vi): Adversary sends this query to launch a corruption attack on the server . After executes this query, it will obtain the password list of the server .(vii): When this query is executed, it is valid only when the user instance is fresh. We throw a random coin . If , it will return the real session key to the adversary ; otherwise, it will return a random bit string with the same length as the session key to the adversary .

3.4. Accepted State

represents the session serial number of the user instance and represents the intended communicator of . If an instance executes successfully and generates the corresponding session key, we say it has been accepted.

3.5. Matching Session

If (1) the instances and all have been accepted; (2) and have the same session serial number ; and (3) and are mutually intended communicators, the instances and are a matching session.

3.6. Fresh session

If the instance has been accepted and the adversary has not asked a query to , as well as the adversary has not asked a query to the user and server before instance is accepted, then is fresh.

3.7. Definition of Security

During executing a 3PAKE protocol, any PPT adversary can ask , , , and queries in any order for many times. Note that query can only be asked once. At the end of the game, the adversary outputs his guess about . If holds, it means that adversary has broken the protocol. Let be the space of user password and let represent the protocol which attacks. The advantage of breaking the 3PAKE protocol is , where represents the success probability of breaking the protocol.

4. Construction of Our Protocol

When users make a key agreement with the help of the server, they need to register with the server first, let the server store the verification element corresponding to the user password, and ensure that the server cannot recover the plaintext password through the verification element.

4.1. System Initialization Phase

Running key generation algorithm : it takes as input a secure parameter , then selects , and runs trapdoor generation algorithm to get and . It finally outputs as a public key and as a secret key. Note that keep private key secret, and public.

4.2. User Registration

When users join the system for the first time, they need to register. The specific operations are as follows:(i)User chooses identification and password , selects a salt value randomly, and uses to generate seeds of two pseudo-random number generators (PRNG): one is and the other is .(ii)Input the seeds of the pseudorandom number generator, then select from the discrete Gaussian distribution , note that and are polynomials whose coefficients obey , choose , calculate the verification element corresponding to the user , and let be public and the other secret.(iii)User sends to the server through the secure channel. If is not in the database list , will be automatically added to . Otherwise, it will send a new registration message to the user. After the user successfully executes the registration phase, needs to be deleted from the local memory and is stored locally.

4.3. Mutual Authentication and Key Agreement Phase

This stage is shown in Figure 1; the user negotiates a session key with the user . When user has a session, will automatically generate a session , and exists in increasing form. At the same time, after each session is successfully executed, the server will record the user session serial number in the local database list to effectively prevent message replay.(iii)The server first looks up the verification element corresponding to in the local list. If it cannot be found, exit. Otherwise, checks the ’s session serial number . If does not meet the requirements, exit. Finally, and are recovered according to the local information, and the ’s identity authentication is realized by verifying the effectiveness of the ciphertext , the integrity verification of the message is realized by verifying the effectiveness of . If they are all valid, the server selects , , , randomly, and and are polynomials whose coefficients obey discrete distribution . The hash key of user is randomly selected, and calculates the projection key , projection function value and and gets ciphertext and for massage . Next, uses random values and to calculate , , , . Finally, the projection function value is used to regenerate the verifiable MAC value for and sends to user .(iii)After receiving the message sent by , user can recover verification element , message , and hash function value by using and stored locally. Using the correctness of the approximate smooth projection hash function, the user can verify whether is correct by . After passing verification, selects and randomly and uniformly, the coefficients of and obey Gaussian distribution , and is regarded as the temporary private key. Then, calculates , , , and . According to the hash function value , the decoding algorithm of the error correction code and , can calculate and generate the session key , with the user , and the verifiable MAC value is generated by using . Finally, are sent to user .(iv) first checks ’s session serial number after receiving the message. If it does not meet the requirements, exit. Otherwise, calculates the corresponding projection key according to the hash key selected which is stored locally; then, the projection function value is calculated according to the projection key and the evidence that can prove the ciphertext. Using the correctness of the approximate smooth projection hash function, the user can verify whether is correct by . If it passes the verification, will select randomly. And according to the projection function , the decoding algorithm of the error correction code, and , calculates , , and . Finally, generates the session key with the user .

4.4. Correctness

When users , and server run the protocol honestly and if a valid session key can be generated with overwhelming probability, it is said that a 3PAKE protocol based on verification element is correct.

Taking user as an example, encrypts the verification element corresponding to his password to obtain an effective ciphertext , the server uses the ciphertext and hash key sent by the user to calculate the hash function value, and the user uses the projection key to obtain a projection function value. According to the approximate correctness of the function , the probability that the hamming distance of is greater than is negligible. The error correction code defined in this paper can correct error . Finally, users and can obtain and which is same as the server, respectively. Meanwhile, user can use

to calculate .

5. Security Analysis

A 3PAKE protocol based on the verification element can be widely used on the premise of ensuring its correctness and security. This section proves the security of the protocol under the security model given in Section 3. With that, we prove the forward security of the protocol and the privacy of the session key to the server.

5.1. Security Proof

Theorem 4. If the public-key encryption system based on the ideal lattice is CCA secure function cluster corresponding to the public key system . is the coding algorithm of error correction code. It can correct the error partthrough the decoding algorithm corresponding to the coding algorithm . is a pseudo-random function cluster; and then, this protocol is secure.

Proof. Assuming that any PPT attacker can make for , , and inquiries at most, the total running time is at most. The advantage of the attacker is simulated by constructing a series of games named . In this series of games, ’s advantage of breaking the protocol gradually increases. Finally, as long as the advantage of the attacker’s success in the game is negligible, cannot break the protocol. The advantage of breaking the protocol is defined as .Game . This game corresponds to the real attack in the security model. For all kinds of queries sent by the attacker , may get honest answers. At this time, the advantage of the attacker is .Game. In this game, we modify the simulation model of inquiry and replace the answer generated by the user using with the corresponding calculation in each inquiry, such as , .

Proof. Due to the approximate correctness of and the coding algorithm of the error correction code, has the same advantages in the game ; it can be denoted by .Game. During the simulated query, for any user , the only difference between game and game is that the ciphertext in the message sent by the user for the first time is replaced with the ciphertext of encrypting the virtual verification element (i.e., the verification element that does not belong to the password space ). Finally, we can see that the advantage difference of between game and game can be ignored. We recorded it as .

Proof. Taking the public key as a public parameter, is the attacker of the public-key encryption system so that can answer the queries of attacker. sends to their challenger as the challenge plaintext and replaces the ciphertext with the received challenge ciphertext in the query. Then, makes their guess about the random bit in the query. If , the guess is successful, and outputs 1. Otherwise, outputs 0. According to the CCA security of the public-key cryptosystem on the ideal lattice, the attacker cannot distinguish two ciphertexts with negligible advantage. Therefore, the ciphertext in the query sent by the attacker can be replaced with the encrypted ciphertext of the virtual verification element . Considering that the attacker only needs additional calculation time during and query in the whole process of simulating the protocol and does not need additional calculation time during other queries because it only needs to return the corresponding state, it only needs at most calculation time in the whole process.Game . In this game, and in the query will be replaced by a randomly selected bit string of equal length. Let be a negligible upper bound of the statistical distance between the outputs of inputting nonverbal element and the uniform random distribution. Here, .

Proof. It is known that the ciphertexts are replaced by the encryption results of the virtual verification element in game , so the input of the approximate smooth projection hash function is a nonverbal element. According to the smoothness of the function, the statistical distance between the outputs of the inputting nonverbal element and the uniform random distribution can be ignored.Game . In the query, will be replaced by a randomly selected bit string of equal length, where . Here, .

Proof. It is known that the ciphertext in game has been replaced by the encryption of the virtual verification element, and will be replaced by a random bit string with an equal length in the game . Now, is random. According to the decision problem, the advantages of game and game are the same.Game. Game modifies the pseudorandom function in query, and the others remain unchanged, the same as game . and are still randomly selected, but the values of , , , and are replaced with independent and random numbers. holds at this time because the pseudorandom function is hidden for the user.

Proof. The user and the server have the same , and according to the correctness of the decoding algorithm of the error correction code, the user will get the same as the server.
The above is to modify the query. It can be known from the content of game to game that all messages are replaced with random values independent of the user’s password, and the attacker cannot obtain any information related to the user’s password in the Oracle query so that the communication parties can finally negotiate a completely random session key.
Next, we modify the query, means sending message to the server instance , and indicates sending message to the user instance . Only when the server instance receives a correct and valid message , it can return the corresponding valid message to the attacker. Note that represents that the user instance and the server instance are activated and start to execute the protocol. In addition, the simulator should record the private key corresponding to the public key in the key generation phase.Game . For query received from the server, where , if there is no corresponding verification element in the local password list of the server, the emulator rejects the message, or if is smaller than the value of the previous session serial number saved by the server, the message is rejected. Finally, checks whether the ciphertext is valid. If not, continues to reject the message. Otherwise, the emulator decrypts the ciphertext with the corresponding private key and gets the user’s verification element. If , it is considered that the attacker has broken the protocol and ends the game simulation. The modification of the above game obviously increases the probability of an attacker’s success, so holds.

Proof. If is a valid ciphertext, the simulator can successfully decrypt to obtain . If , this situation significantly increases the success advantage of the attacker . When , ciphertext is obvious. According to the smoothness of , does not increase the advantage of the attacker . It is found that holds by applying the proof of the game .Game . We modify the query received by the user in this game. Let the message be a valid output of for the previous query. If is a replay of an honest simulated query, will no longer be generated for the user according to the protocol, but force the user to have the same as the server. Because it is hidden from the attacker, the above modifications will not increase the attacker’s advantage, and holds.Game . The model of the response to the activation message is further modified. If the user is activated, the ciphertext is replaced with the encryption of the virtual verification element . Now, .

Proof. The same as the proof of game because the public-key encryption system is CPA secure, the advantage difference of attacker between this game and game can be ignored.
According to the constructed game , the attacker can successfully break the protocol only if they meet the following conditions:(i)The attacker forges a legal user to communicate, and the ciphertext is generated by encrypting the verification element corresponding to the user password in the message sent to the server.(ii)The attacker pretends to be the server and sends a valid message to the user.(iii)In the query, the attacker’s guess of random bit satisfies .It can be seen from the analysis that the first and second conditions can be satisfied only when can obtain the password of the legal user from the session. However, through the game constructed above, it can be found that the attacker can no longer obtain any information related to the password during the session, even if the user verification element on the server has leaked, the attacker can only guess the user’s password by a dictionary attack. Let the user password space in the proposed protocol obey the Zipf principle; and are the parameters of Zipf. Note that represents that the first two conditions are true; then . At the end of game , the session key negotiated by the user has been replaced with a completely random value. Here, the probability of a successful guess by the attacker in the query is at most. Therefore, .
To sum up, the advantages of the attacker in the game is . Meanwhile, ; it can see that the attacker’s advantage is only a negligible difference from the dictionary attack advantage. Therefore, the proposed 3PAKE protocol based on the verification element is secure.

5.2. Forward Security

Theorem 5. When the search RLWE difficult assumption is true, if the attacker still cannot use the known private key to interact with the participants to obtain the correct session key after obtaining the long-term private key of each participant in the protocol, the protocol has forward security.

Proof. In this protocol, the session key among users needs to be generated with the help of the server. The complete session key includes two parts: one is determined by the server and the other is determined by users. When the attacker has the long-term private key of the server, they can authenticate with the user and server by forging ciphertext and signature. Now, they can obtain part of the session key calculated by the server. The session key determined by the user is also related to the temporary key selected by the user for this communication. The temporary key is not transmitted on the channel, and the attacker can only obtain transmitted on the channel. On the premise that the attacker knows , the attacker needs to solve the search RLWE problem to obtain the temporary private key .

5.3. Privacy of Session Key

Theorem 6. When the search RLWE difficulty assumption holds, the session key negotiated by the user using our protocol is private to the server. In other words, it is inoperable when the honest server wants to recover the user’s session key because of curiosity.

Proof. Firstly, we construct an adversary against the search RLWE problem and let adversary destroy session key privacy. It is assumed that adversary can have , times and queries when launching the session key attack, and the total running time is at most. In the process of an attack, a random coin is thrown by to obtain a triplet . When , the triplet is the real RLWE generated by the running protocol. When , the triplet is random. Right now, adversary simulates protocol stipulates, honestly runs, and answers the and query of adversary , but when responding to the query, replaces the relevant contents with in the real protocol.
Finally, outputs the guess according to the response. If , outputs 1, the triplet is a real RLWE, and the probability of guessing successfully can be denoted by . If , outputs 0, the triplet is random, and the probability of guessing successfully can be expressed as below.
. Therefore, the probability solving the search RLWE problem can be calculated as

6. Performance Analysis

This section analyzes the security and efficiency of the protocol. Table 1 lists the security comparison results of our protocol with references [2, 14, 17, 23]. A/B/S in Table 1 represents the number of messages to be sent by user A, user B, and server S, respectively. Table 2 shows the analysis results of the calculation overheads and communication overheads of our protocol.

6.1. Security Comparison

By analyzing the protocol of Guo and Zhang [29], Liu and Xue [2] found that the adversary in [29] can obtain the trust of the server by replaying the messages of other legitimate users. If an adversary uses this loophole to launch a DoS attack, it will consume the resources of the server and cause legitimate users to be unable to access the service. To solve this problem, Liu and Xue’s protocol introduces a timestamp and reduces a lot of unnecessary communication overheads; they reduce the six rounds of communication in the existing protocol to three and effectively solve the server spoofing attack and offline dictionary attack. However, their protocol is a 2PAKE protocol. With the emergence of large-scale end-to-end communication, users will communicate with each other frequently. 2PAKE protocol makes users need to store a large number of passwords for key agreement. Note that the 2PAKE protocol does not need a server to negotiate, so it is impossible to discuss whether the session key is private.

The protocol of Yu et al. [17] introduces the session sequence number to resist the replay attack. The number of communication rounds is reduced to two rounds by using the separable cryptosystem and the smooth hash projection function. Since the password is stored in plaintext on the server, it cannot resist the server disclosure attack. In addition, the honest and curious server can recover the session key between users, and their protocol cannot resist the server’s internal attack.

The protocols in [14, 23] are a 3PAKE protocol based on a verification element, effectively resisting the server disclosure attack. The protocol of Zhang et al. is based on the DDH assumption and cannot be against the quantum algorithm attack [14]. Although the session key can be negotiated only by four rounds of communication, it cannot resist the replay attack and cannot meet the security requirements in practical applications. Shu et al. [23] provided quantum level security, introduced the session sequence number to resist replay attack, and realized the privacy of the session key to the server, but they increased the communication overheads. It needs seven rounds of communication and sends nine massages to make a session key agreement.

Based on protecting the user password, our protocol can also resist replay attacks. The proposed protocol is constructed according to the RLWE problem that improves security and reduces the storage space of the key. We use FFT to accelerate the operation speed, effectively lower down the time complexity, and introduce a message authentication mechanism to solve the problem of session key disclosure caused by the dishonesty of the server. In general, this protocol effectively resists the server disclosure attack and has stronger security.

6.2. Efficiency Analysis

Our protocol adopts an asymmetric model. User A initiating the establishment of the session key needs to perform two calculations: the first calculation is used to generate the information related to the session request, and the session key negotiated with user B is generated in the second calculation. We analyze the efficiency of the proposed protocol on Windows 10 system, 11th Gen. Intel (R) core (TM) i5-1135g7 @ 2.40 GHz processor and 16.0 GB running memory, and the computational complexity of each stage is the average value of running 10000 calculations. Table 2 lists the specific computation overhead of each communication stage and the total communication overhead of the protocol.

Set the parameters , , , ; now our protocol is safe, where and are integer. It can be seen from Table 2 that with the increase of , the computation overhead of each stage also increases. Note that the computation overhead of user A for the first round of communication and server, relatively speaking, is large. User A needs to generate ciphertext, message authentication code, and other information during the first round of communication; these operations are relatively complex. The server needs to verify the validity of the ciphertext and message authentication code, regenerate the message authentication code of user A, and generate a valid ciphertext for user B. When verifying the validity of ciphertext, the server needs to recover the corresponding plaintext message using the Exhaustive Method. In the experiment, we assume that plaintext can be decrypted and recovered in the worst case; that is to say, the server needs to run times to decrypt successfully, and the value of will increase rapidly with the increase of . Therefore, the growth rate of computation overhead at this stage is high. And the computation overhead of the server will be optimized in the real operation process.

When ( or ), the total communication overhead is 29 KB (56 KB or 95 KB). It can be seen that the computation and communication overhead of each stage is low when , , or ; it can resist quantum algorithm attacks, and achieve the required security level, so the proposed protocol can be effectively applied to the large-scale communication networks.

7. Conclusion

Using approximate smooth projection hash function technology and message authentication mechanism on the ideal lattice, we construct a more efficient 3PAKE protocol based on the verification element. Compared with the existing verification element-based 3PAKE protocol, our protocol reduces space complexity and improves computation and communication efficiency. It only needs two rounds of communication to correctly negotiate a session key. Furthermore, it can be against server password disclosure attack, server internal attack, and replay attack; we give the semantic security proof of the new protocol. In short, the proposed protocol has high security and low overhead, which can meet the communication requirements of large-scale low bandwidth networks.

Data Availability

The experimental results are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.


This work was supported by the National Natural Science Fund (no. 61802117), Shaanxi Key Laboratory of Information Communication Network and Security, Xi’an University of Posts and Telecommunications, Xi’an, Shaanxi, China (no. ICNS202006), Support Plan of Scientific and Technological Innovation Team in Universities of Henan Province (no. 20IRTSTHN013), Fundamental Research Funds for the Universities of Henan Province (no. NSFRF210312), and Youth Talent Support Program of Henan Association for Science and Technology (no. 2021HYTP008).