
Wireless Pers Commun (2018) 99:863–891

https://doi.org/10.1007/s11277-017-5156-5

Cryptanalysis and Enhancement of an Anonymous Self-Certified Key Exchange Protocol

Susmita Mandal¹ · Sujata Mohanty¹ · Banshidhar Majhi¹

Published online: 27 December 2017


© Springer Science+Business Media, LLC, part of Springer Nature 2017

Abstract Authentication protocols with anonymity have recently gained much popularity, since they allow users to access any public network without compromising their identity. Several key exchange protocols have been proposed in the literature using either a public key infrastructure or an identity-based cryptosystem. However, the former suffers from heavy computation cost and the latter fails to prevent the key escrow problem. Recently, Islam et al. have proposed a self-certified authenticated key agreement protocol based on ECC which removes the above limitations. However, through careful analysis, we found that their scheme lacks anonymity, is vulnerable to the trace attack and the clogging attack, and fails to prevent the replay attack. To overcome these weaknesses, we propose an anonymous self-certified authenticated key exchange protocol that includes the required security features. The scheme is formally proved using the Automated Validation of Internet Security Protocols and Applications (AVISPA) software. Also, the formal authentication proofs using Burrows–Abadi–Needham (BAN) logic ensure successful authentication. Furthermore, the performance analysis demonstrates that the proposed scheme incurs lower computational cost and is applicable to a client–server architecture.

Keywords Anonymity · BAN logic · Elliptic-curve cryptography · Mutual authentication · AVISPA tool

Corresponding author: Susmita Mandal, susmitamandal.nitrkl@gmail.com
Sujata Mohanty, sujata.nitrkl@gmail.com
Banshidhar Majhi, bmajhi@nitrkl.ac.in
¹ Department of Computer Science and Engineering, National Institute of Technology Rourkela, Rourkela, Orissa, India

123
864 S. Mandal et al.

1 Introduction

In this digital era, everyone depends on the Internet as part and parcel of day-to-day life. Therefore, authentication and privacy are the two primary objectives for attaining secure communication, where privacy prevents eavesdropping and authentication forbids unauthorized access. These two goals can be achieved simultaneously using an authenticated key exchange scheme, in which two or more parties share a common secret to transmit messages securely over an open network. A secure user authentication scheme must fulfil the following requisites: (1) anonymity; (2) single registration; (3) session key freshness; (4) low computation and communication cost; (5) resistance to the replay attack; (6) resistance to the impersonation attack; and (7) mutual authentication.
In pursuance of these security requisites, several schemes have been contributed in this area, as mentioned in the literature. However, designing an efficient authenticated key exchange protocol remains an open issue because of high communication and computation cost. The primary groundbreaking work on key exchange was presented in the seminal paper by Diffie and Hellman on public key cryptography, which revolutionized the field of modern cryptography [1]. The scheme allows two parties to agree upon a shared session key over an insecure channel. However, the classic Diffie–Hellman protocol cannot authenticate the communicating entities and suffers from the man-in-the-middle attack. An authenticated key exchange protocol (AKEP2) was then introduced by Bellare and Rogaway in 1994 [2]. But that protocol requires the secrets to be pre-shared before the actual communication, which is infeasible if the entities have never communicated before. Later, a two-party password-based encrypted key exchange (EKE) client–server scheme was proposed by Bellovin and Merritt [3]. On the basis of their protocol, several 2PAKE protocols [4–6] have been proposed in the literature. Hence, the 2PAKE protocols are mostly suitable for client–server architectures, as they need to pre-share a common secret for mutual authentication and session key agreement.
An appropriate solution for AKE is to add identity-based encryption to the message exchange. In 1984, Adi Shamir [7] proposed the first identity-based cryptosystem, in which a user is allowed to choose a public key consisting of his identity, namely an e-mail address or a physical address. Abundant research has been witnessed in this area. Initially, an ID-based key exchange protocol was introduced by Scott [8] that allows any user to select his personal identity number. Later on, an efficient Weil pairing based key agreement protocol was proposed by Smart [9], which incorporates the features of Boneh and Franklin [10] and of Joux's [11] 3PKE based on Diffie–Hellman. But Chen et al. [12] and Shim [13] found that the scheme cannot achieve perfect forward secrecy. Later on, Chen et al. introduced an ID-based two-party authenticated key agreement scheme in the random oracle model. Shim also proposed an efficient ID-based two-party authenticated key agreement scheme that reduces the number of Weil pairing verification steps. The scheme claimed to thwart several conventional attacks. However, Sun et al. [14] showed that Shim's scheme is vulnerable to the man-in-the-middle attack. Later, Ryu et al. [15] presented an ID-based scheme with low computation cost. Conversely, the scheme was found insecure against the key compromise impersonation attack and the reflection attack by Boyd et al. [16] and Wang et al. [17]. Recently, Cao et al. [18] proposed a pairing-free ID-based two-party key exchange protocol whose security is based on the Bellare–Rogaway (mBR) model [19]. However, Islam et al. [20] found that the scheme suffers from the known session-specific temporary information attack and the key offset attack. Though several schemes achieve low computation cost, most of the protocols suffer from the key escrow problem, as the private


key is generated by a trusted third party, namely the Private Key Generation (PKG). The addition of a trusted third party increases the risk of the man-in-the-middle attack.
In order to resolve this issue, Girault [21] in 1991 proposed the first self-certified public key system, which combines the advantages of certificate-based and identity-based public key cryptosystems. A self-certified public key system has three characteristics: (1) the secret key can be generated by the user himself or with the help of a system authority (SA) without disclosure of the key; (2) the user can verify the self-certified key using his secret key; (3) the self-certified public key can be verified publicly, given the witness, in a single step as part of the cryptographic application. Hence, it is efficient compared to a public key infrastructure and an identity-based cryptosystem. Saeednia, in 1997, integrated the characteristics of the ID-based cryptosystem and of self-certified public keys and presented an ID-based self-certified public key system [22]. Later, Wu et al. [23] and Kim et al. [24] proved that Saeednia's scheme cannot thwart the impersonation attack. In 2005, Zu-hua [25] introduced an efficient authenticated key agreement protocol using bilinear pairings and self-certified public keys. However, according to researchers, a pairing is a more complex and costly operation than an elliptic curve scalar multiplication [9, 10]; thus, a scalar multiplication is faster than a pairing computation. Later, Tsaur [26] proposed an ECC-based self-certified public-key cryptosystem, but it suffers from higher computation cost. Recently, Islam et al. [27] have proposed a two-party authenticated key agreement scheme using self-certified public keys. They claim to achieve the security properties required for strong authenticated key exchange while minimizing computational overhead. However, through careful analysis, we find that Islam et al.'s scheme fails to provide anonymity, is vulnerable to the trace and clogging attacks, and is also unable to prevent the replay attack.
To overcome the above-mentioned limitations, in this paper we introduce an anonymous self-certified key exchange protocol based on elliptic curve cryptography and two computationally hard assumptions, the elliptic curve discrete logarithm problem and the elliptic curve computational Diffie–Hellman problem, which are described below.
Elliptic Curve Cryptography Let $p$ be a large prime number and $E/\mathbb{F}_p$ be the set of elliptic curve points over a finite field $\mathbb{F}_p$, defined by the equation

$$y^2 = x^3 + ax + b, \quad a, b \in \mathbb{F}_p \tag{1}$$

where $4a^3 + 27b^2 \neq 0$. The additive elliptic curve group is defined as $G_p = \{(x, y) : x, y \in \mathbb{F}_p,\ (x, y) \in E/\mathbb{F}_p\} \cup \{O\}$, where the point $O$ is known as the "point at infinity" or "zero point".

Definition 1 The elliptic curve discrete logarithm problem (ECDLP): Given $P, R \in G_p$, where $R = xP$ and $x \in \mathbb{Z}_p$, it is difficult to compute $x$ from $R$.

Definition 2 The elliptic curve computational Diffie–Hellman problem (ECDHP): Given $(P, xP, yP) \in G_p$ for $x, y \in \mathbb{Z}_p$, it is hard to compute $xyP$ from the group $G_p$.

1.1 Contribution

The proposed protocol is based on the ECDLP and the ECDHP and has the following characteristics:
– The model achieves the essential security features for preserving authentication with anonymity.
– A formal authentication model called BAN logic is used to prove the authenticity of the scheme.
– Formal and informal security verification is achieved using the AVISPA tool in the OFMC and CL-AtSe back-ends with valid security assumptions to support the design.

1.2 Organization

The rest of the paper is organized as follows. In Sect. 2 we review Islam et al.'s scheme. Section 3 presents the security analysis of Islam et al.'s scheme. We present the proposed work in Sect. 4. A formal and informal security analysis is given in Sect. 5, with simulation results and logic-based proofs. Section 6 presents the comparison of the proposed scheme with existing ones along with the performance evaluation. Finally, we conclude in Sect. 7.

2 Review of Islam et al.’s Scheme

In this section we briefly review Islam et al.'s scheme [27], which consists of three phases: the setup phase, the user registration phase, and the key agreement phase. Three entities are involved: the server (S), user (A), and user (B). For convenience, the notations used in the scheme are listed in Table 1. The scheme is depicted in Fig. 1.

2.1 Setup Phase

In this phase, the server $S$ takes a security parameter $k \in \mathbb{Z}^{+}$ as input and returns the system parameters. Given $k$, the server chooses a prime number $p$ and generates $E/\mathbb{F}_p$, then chooses a base point $P$. Next, $S$ selects a private key $s \in \mathbb{Z}_p$ and computes the corresponding public key $P_s = s \cdot P$. Thereafter, it chooses three secure one-way hash functions, such as SHA-512. Finally, it publishes the system parameters $\{\mathbb{F}_p, E/\mathbb{F}_p, p, P, P_s, h(\cdot)\}$, keeping $s$ secret.

Table 1 Notations used in Islam et al.'s scheme

Notation   Description
S          Server
A          User A
B          User B
s          Private key of server
P_s        Public key of server
ID_i       Identity of users, where i ∈ {A, B}
h(·)       A one-way hash function h : {0, 1}* → {0, 1}^k, where k is the output length; h() allows the concatenation of some points on the curve and integer values
||         Concatenation operator
SK         Session key between A and B


Fig. 1 Registration and key agreement phase

2.2 User Registration Phase

Step 1: In this phase, the user with identity $ID_i$ selects a random number $r_i \in \mathbb{Z}_p$ and computes $R_i = h(ID_i \| r_i) \cdot P$. Then the user sends the tuple $\langle ID_i, R_i \rangle$ to the server.
Step 2: Upon receiving it, the server $S$ chooses a random number $f_i \in \mathbb{Z}_p$ and computes $\{K_i, T_i, J_i\}$ as follows: $K_i = h(ID_i \| f_i) \cdot P_s + R_i$, $T_i = K_i + h(ID_i \| K_i) \cdot P_s$, and $J_i = [h(ID_i \| f_i) + h(ID_i \| K_i)] \cdot s \bmod p$. Now $S$ sends the tuple $\langle ID_i, K_i, J_i \rangle$ to the user.
Step 3: Upon receiving it, the user with identity $ID_i$ computes his secret key $z_i = [J_i + h(ID_i \| r_i)] \bmod p$ and the corresponding public key $T_i = z_i \cdot P$. Hence, by the self-certified property, anyone can verify the user's public key from $\langle ID_i, K_i, P_s \rangle$ as $T_i = K_i + h(ID_i \| K_i) \cdot P_s$.

2.3 Key Agreement Phase

Step 1: This phase consists of two steps; basically, a communication takes place between two users $A$ and $B$. Here, $A$ selects a random number $x_a \in \mathbb{Z}_p$ and computes $D_a = x_a \cdot T_a$ and $W_a = h(D_a \| z_a \cdot T_b)$. Thereafter $A$ sends $\langle ID_a, D_a, W_a \rangle$ to user $B$.
Step 2: Upon receiving $\langle ID_a, D_a, W_a \rangle$, the user $B$ chooses his random number $x_b \in \mathbb{Z}_p$ and computes $D_b = x_b \cdot T_b$ and $W_b = h(D_b \| z_b \cdot T_a)$. Thereafter $B$ sends $\langle ID_b, D_b, W_b \rangle$ to user $A$.
Now, user $A$ computes $W_b' = h(D_b \| z_a \cdot T_b)$ and checks whether $W_b' \overset{?}{=} W_b$. If the received value matches the computed one, then $A$ computes its session key as $SK = h(ID_a \| ID_b \| D_a \| D_b \| W_a \| W_b \| K)$, where $K = x_a \cdot z_a \cdot D_b$. Similarly, $B$ computes the session key $SK = h(ID_a \| ID_b \| D_a \| D_b \| W_a \| W_b \| K)$.
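As an added example (not code from the paper or from Islam et al.), the registration phase and key agreement phase reviewed above, run end to end on secp256k1 with pure-Python point arithmetic; it shows why the self-certified check $T_i = K_i + h(ID_i \| K_i) \cdot P_s$ passes for a genuine key and fails for a wrong identity, and that both parties reach the same $SK$. Assumptions: scalars are reduced modulo the group order $n$ (the paper writes mod $p$), $h$ is SHA-512 reduced modulo $n$, and $B$ derives $K$ as $x_b \cdot z_b \cdot D_a$.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants of the curve)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF, B_COEF = 0, 7
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + ax + b over F_p (handles O and doubling)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt; k is taken modulo the group order."""
    result, addend = INF, pt
    k %= N_ORD
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _enc(x):
    """Fixed-width encoding of an identity (bytes), a scalar, or a point for hashing."""
    if isinstance(x, bytes):
        return x
    if isinstance(x, int):
        return x.to_bytes(32, "big")
    return x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")


def h(*parts):
    """h(a || b || ...): SHA-512 over the concatenation, reduced modulo n (assumption)."""
    digest = hashlib.sha512(b"".join(_enc(p) for p in parts)).digest()
    return int.from_bytes(digest, "big") % N_ORD


def rand_scalar():
    return secrets.randbelow(N_ORD - 1) + 1


def register(ident, s, Ps):
    """Registration phase (Sect. 2.2) for one user; returns (z_i, K_i, T_i)."""
    r = rand_scalar()                              # step 1: user picks r_i ...
    R = ec_mul(h(ident, r), G)                     # ... and sends <ID_i, R_i>
    f = rand_scalar()                              # step 2: server picks f_i
    K = ec_add(ec_mul(h(ident, f), Ps), R)         # K_i = h(ID_i||f_i)*P_s + R_i
    J = (h(ident, f) + h(ident, K)) * s % N_ORD    # J_i = [h(ID_i||f_i) + h(ID_i||K_i)]*s
    z = (J + h(ident, r)) % N_ORD                  # step 3: z_i = J_i + h(ID_i||r_i)
    return z, K, ec_mul(z, G)                      # T_i = z_i * P


def verify_public_key(ident, K, T, Ps):
    """Self-certified check anyone can run: T_i == K_i + h(ID_i||K_i) * P_s."""
    return T == ec_add(K, ec_mul(h(ident, K), Ps))


def key_agreement(ida, za, Ta, idb, zb, Tb):
    """Key agreement phase (Sect. 2.3); returns (SK at A, SK at B, both W checks passed)."""
    xa, xb = rand_scalar(), rand_scalar()
    Da = ec_mul(xa, Ta)                            # A -> B: <ID_a, D_a, W_a>
    Wa = h(Da, ec_mul(za, Tb))
    Db = ec_mul(xb, Tb)                            # B -> A: <ID_b, D_b, W_b>
    Wb = h(Db, ec_mul(zb, Ta))
    ok_b = Wa == h(Da, ec_mul(zb, Ta))             # B checks W_a (z_b*T_a == z_a*T_b)
    ok_a = Wb == h(Db, ec_mul(za, Tb))             # A checks W_b
    Ka = ec_mul(xa * za % N_ORD, Db)               # K = x_a * z_a * D_b
    Kb = ec_mul(xb * zb % N_ORD, Da)               # B's mirror image of K (assumption)
    SKa = h(ida, idb, Da, Db, Wa, Wb, Ka)
    SKb = h(ida, idb, Da, Db, Wa, Wb, Kb)
    return SKa, SKb, ok_a and ok_b


if __name__ == "__main__":
    s = rand_scalar()                              # server private key
    Ps = ec_mul(s, G)
    za, Ka, Ta = register(b"alice@example.org", s, Ps)
    zb, Kb, Tb = register(b"bob@example.org", s, Ps)
    print("T_a self-certified:", verify_public_key(b"alice@example.org", Ka, Ta, Ps))
    SKa, SKb, ok = key_agreement(b"alice@example.org", za, Ta, b"bob@example.org", zb, Tb)
    print("W checks:", ok, "session keys match:", SKa == SKb)
```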

3 Analysis of Islam et al.’s Scheme

In this section, through careful analysis, we show that Islam et al.'s scheme [27] cannot withstand four possible attacks, namely lack of user anonymity, the trace attack, the replay attack, and the clogging attack.

3.1 Lack of User Anonymity

User anonymity is one of the security aspects of a client–server application. The purpose of anonymous authentication is not only to determine whether a message originated from the intended sender, but also to prevent an attacker from identifying the sender of a communication session. In the key agreement phase of Islam's scheme, the initiator, User A, openly transmits his identity $ID_a$ in the message $\{ID_a, D_a, W_a\}$ through an insecure channel. In some authentication scenarios, namely online banking systems (e.g. Bitcoin), electronic tendering, chat rooms, web blogs, e-voting, etc., it is very important to preserve the sender's privacy, because an attacker can sniff the communication channel and identify any particular transaction being performed by User A [28, 29]. Therefore, leakage of any user credential, such as the user identity, risks disclosing the user's privacy to an attacker. There are two major methods of achieving user anonymity: firstly, by making use of cryptographic primitives (e.g., symmetric-key operations [28, 30] and ring signatures [31, 32]) and secondly, by exploiting non-cryptographic systems (e.g., pre-loading a pool of pseudo-IDs [33]). Islam's scheme uses none of the above-mentioned techniques to provide user anonymity. In fact, without much effort, an attacker can derive sensitive information about the sender, such as lifestyle, shopping patterns, social circle, etc., from his identity. Therefore Islam's scheme does not preserve user anonymity.

3.2 Trace Attack

Another significant issue arising from the loss of anonymity is the ability of an attacker to identify whether two conversations originate from the same user. An authentication scheme is said to achieve un-traceability if an adversary cannot determine whether two distinct sessions were initiated by the same user. In the key agreement phase of Islam et al.'s scheme, User A sends the message containing the user's identity $ID_a$ without any protection. Since the identity is sent over an open channel, it is feasible for an attacker to intercept the message and track information such as the types of services accessed by the user, the duration of use of any particular service, and the current location according to the user's IP address [34, 35]. Therefore, the trace attack violates the user's privacy. Hence Islam et al.'s scheme lacks un-traceability.

3.3 Replay Attack

An entity can resist the replay attack if the recipient stores some initiator-specific information to detect a duplicate message. Islam et al.'s scheme assumes that an adversary monitoring the communication medium obtains the message sent by User A, i.e., $\langle ID_a, D_a, W_a \rangle$, which is transmitted without any encryption or challenge–response query over an insecure network [36]. Though Islam's scheme uses the ECDLP to protect the private key from the attacker, none of the identities of the sender and receiver is protected under the ECDLP [37]. Therefore, if they are communicated over an insecure channel such as the Internet, passive attacks such as sniffing and traffic analysis are possible, and they are also susceptible to identity theft. To overcome this, the parameters exchanged between sender and receiver must be communicated in encrypted form. Because of this inability, User B cannot validate the freshness of each session's message. Hence, the possibility of detecting a replayed message is minimal. Thus, Islam et al.'s scheme fails to prevent the replay attack.

3.4 Clogging Attack

It is a kind of denial-of-service (DoS) attack against a public key cryptosystem in which an adversary tries to clog the receiver by exhausting its resources with a huge volume of traffic on the network [38]. As Islam's scheme also suffers from the replay attack, an adversary can replay the intercepted message to make the receiver perform computationally intensive elliptic curve scalar multiplication operations ($T_{pm}$), which cost much more than the map-to-point conversion ($T_{map}$), addition ($T_{add}$), multiplication ($T_{mul}$), and bitwise XOR ($T_{xor}$) operations respectively (i.e. $T_{pm} > T_{map} > T_{add} > T_{mul} > T_{xor}$) [39–41], thus wasting a lot of time and resources and hence causing denial of service to legitimate users [38, 42, 43]. We show that the clogging attack is possible against Islam's scheme in the presence of an adversary, as depicted in Fig. 2, as follows.
Step 1: The adversary intercepts the message $\langle ID_s, D_s, W_s \rangle$ exchanged between a legitimate sender and receiver in the key agreement phase.
Step 2: Since the message is unencrypted, the adversary modifies it by first choosing random numbers $x_c, W_c \in \mathbb{Z}_p$ and then computing $D_c = x_c \cdot T_b$.
Step 3: Thereafter the adversary sends the message $\langle ID_s, D_c, W_c \rangle$ to the receiver as if from the legitimate sender.
Upon receiving the message, the receiver proceeds as follows.
Step 1: Initially, it chooses a random number $x_b \in \mathbb{Z}_p$ and computes $D_b = x_b \cdot T_a$ and $W_b = H(D_b \| z_b \cdot T_a)$.
Step 2: Then it sends the response $\langle ID_b, D_b, W_b \rangle$ to the adversary, assuming him to be the legitimate sender.
Step 3: After sending, the receiver tries to verify whether $W_c' \overset{?}{=} W_c$, where $W_c' = H(D_c \| z_b \cdot T_a)$. Note that $T_a$ is publicly known. This verification fails, therefore the request gets rejected.
The aim of the adversary is to engage the receiver in repeated useless elliptic curve scalar multiplications, which results in denial of service. Therefore Islam's scheme suffers from the clogging attack.

Fig. 2 Clogging attack

4 Our Proposed Scheme

In this section, we propose an anonymous self-certified client–server model that eliminates the security flaws of the existing protocols mentioned in the literature without increasing the computation cost. The proposed scheme consists of three phases, namely the initialization phase, the registration phase, and the authenticated key exchange phase. Also, the model includes three entities, namely a system authority (S), a sender $User_A$, and a receiver $User_B$. Table 2 lists the notations used in the proposed scheme.

Table 2 Notations used in proposed scheme

Notation   Description
S          System authority
User_A     Sender
User_B     Receiver
ID_i       Identity of entities, where i ∈ {User_A, User_B, S}
TID_i      Temporary identity of entities, where i ∈ {User_A, User_B}
W_i        Witness of entities, where i ∈ {User_A, User_B}
X_si       Partial private key of entities, where i ∈ {User_A, User_B}
s_s        Private key of server
P_s        Public key of server
T_a        Timestamp of User_A
T_b        Timestamp of User_B
N_a        Nonce generated by User_A
N_b        Nonce generated by User_B
Key_a      Symmetric encryption key of User_A
Key_b      Symmetric encryption key of User_B
SK_ab      Session key shared between User_A and User_B
⊕          Exclusive-OR operation
H(·)       One-way hash function
||         Concatenation operator
⟨ ⟩        Braces used for message exchange
{ }        Braces used for message encryption
( )        Braces used for computing values
A ?= B     Compares whether A is equal to B
A → B      A sends message to B

4.1 Initialization Phase

In this phase, the system authority takes a security parameter $k \in \mathbb{Z}^{*}$ as input and returns the system parameters. Given a group $G_p$ over a finite field $\mathbb{F}_p$ of prime order $p$, where $P$ is a base point generator, the system authority chooses a secret value $s_s \in \mathbb{Z}_p$ as his private key and computes his public key $P_s = s_s \cdot P$. Then it publishes the system parameters including a one-way hash function, $\{G_p, \mathbb{F}_p, E/\mathbb{F}_p, P, P_s, H(\cdot)\}$, and keeps $s_s$ secret.

4.2 Registration Phase

In this phase, the user with identity $ID_i$, which comprises an e-mail address, physical IP address, etc., sends his ID together with a few computed parameters to $S$ in order to obtain a partial private key and a witness, from which he computes his private and public key pair, as per the following steps. The process is shown in Fig. 3.
Step 1: A user chooses a random secret $x_i \in \mathbb{Z}_p$ and computes $X_i = H(ID_i \| x_i) \cdot P$. Thereafter, the user sends the message $\langle ID_i, X_i \rangle$ to $S$ through a secure channel (SSL) that sets up an encrypted connection between the user and the server.

$$User_i \rightarrow S : \langle ID_i, X_i \rangle$$

Step 2: Upon receiving the message tuple from the user with identity $ID_i$, the server chooses a random secret $k_i \in \mathbb{Z}_p$ to compute $User_i$'s partial private key ($X_{si}$) along with a witness ($W_i$) for verifying his legitimacy, as follows.

$$V_i = H(ID_i \| k_i) \cdot s_s \tag{2}$$

$$TID_i = X_i \oplus V_i \tag{3}$$

$$W_i = X_i \oplus k_i \cdot P \tag{4}$$

$$X_{si} = H(TID_i \| W_i) \cdot s_s \oplus k_i \tag{5}$$

Thereafter, $S$ sends the message $\langle ID_s, TID_i, W_i, X_{si} \rangle$ over a secure SSL channel to the user $User_i$.

$$S \rightarrow User_i : \langle ID_s, TID_i, W_i, X_{si} \rangle$$

Step 3: After receiving the message, $User_i$ computes his own private/public key pair $(s_i, P_i)$ as

$$s_i = X_{si} \oplus H(ID_i \| x_i) \tag{6}$$

$$P_i = s_i \cdot P \tag{7}$$

Further, the keys can be verified as $s_i \cdot P \overset{?}{=} [H(TID_i \| W_i) \cdot P_s \oplus W_i]$. If this check holds, then $User_i$ accepts the private key $s_i$, else rejects the session. The system authority $S$ need not provide any additional certificate to prove the authenticity of $P_i$, as, given the witness and the server's public key, anyone can verify the user's public key. Therefore $S$ publishes the public key $P_i$ of $User_i$ after registration. The proof of Eq. (7) can be verified as follows:

$$\begin{aligned}
P_i &= s_i \cdot P \\
&= [X_{si} \oplus H(ID_i \| x_i)] \cdot P && \text{From Eq. (6)} \\
&= X_{si} \cdot P \oplus H(ID_i \| x_i) \cdot P \\
&= [H(TID_i \| W_i) \cdot s_s \oplus k_i] \cdot P \oplus H(ID_i \| x_i) \cdot P && \text{From Eq. (5)} \\
&= H(TID_i \| W_i) \cdot s_s \cdot P \oplus k_i \cdot P \oplus H(ID_i \| x_i) \cdot P \\
&= [H(TID_i \| W_i) \cdot P_s \oplus W_i] && \text{From Eq. (4)}
\end{aligned}$$

The registration phase is depicted in Fig. 3.

Fig. 3 Registration phase

4.3 Authenticated Key Exchange Phase

In this phase, assume that two users $User_A$ and $User_B$, who are already registered with $S$, want to exchange some information with each other over an insecure channel. The process is accomplished in two rounds, and the steps are depicted in Fig. 4.

Fig. 4 Authenticated key exchange phase

Step 1: Initially, $User_A$ generates a fresh nonce $N_a$ and chooses a timestamp $T_a$. It then sends a computed list of parameters, encrypted using a symmetric encryption algorithm (AES), to establish a secure connection with $User_B$. The steps are as follows.

$$W_1 = TID_a \oplus W_a \tag{8}$$

$$Z_a = H(x_a) \tag{9}$$

$$Key_a = H(s_a \cdot P_b \| N_a \| T_a) = (Key_{ax}, Key_{ay}) \in E_p(a, b) \tag{10}$$

where $Key_{ax}$ is the x-coordinate of the derived ECC point on the curve, used to encrypt the message generated by the sender. Now, $User_A$ computes

$$M_1 = H(W_1 \| Key_a \| N_a \| Z_1) \tag{11}$$

$$Z_1 = Z_a \oplus M_1 \tag{12}$$

Thereafter it sends the message tuple $\{TID_a, M_1, Z_1, W_a, N_a, T_a\}$ encrypted with $Key_{ax}$.

$$User_A \rightarrow User_B : \langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\} \rangle$$

Step 2: Upon receiving the message tuple, $User_B$ first verifies the freshness of the timestamp $T_a$ by checking whether $(T' - T_a)$ is less than $\Delta T$, where $T'$ is the current system time and $\Delta T$ is the amount of time tolerated for transmission delay. If the check fails, $User_B$ rejects the request; else it computes the symmetric key for decrypting the received message as

$$Key_a' = H(s_b \cdot P_a \| N_a \| T_a) \tag{13}$$

Once $Key_a'$ is computed, its x and y coordinates are identified. Using the x-coordinate ($Key_{ax}'$), the message is decrypted to obtain $TID_a$, $M_1$, $Z_1$, and $W_a$, and $User_B$ then performs the mutual authentication process using the received parameters.


$$W_1' = TID_a \oplus W_a \tag{14}$$

$$M_1' = H(W_1' \| Key_a' \| N_a \| Z_1) \tag{15}$$

Before proceeding further, the receiver compares the received value of $M_1$ with the computed one as $M_1 \overset{?}{=} M_1'$. If it holds, $User_B$ accepts the message, else rejects it. Now, $User_B$ generates a fresh nonce $N_b$ and chooses a timestamp $T_b$, and performs the following set of operations to generate the session key.

$$Z_a' = Z_1 \oplus M_1' \tag{16}$$

$$Z_b = H(x_b) \tag{17}$$

$$Z_2 = Z_b \oplus M_1' \tag{18}$$

$$Key_b = H(Z_a' \cdot Z_b \| N_b \| T_b) = (Key_{bx}, Key_{by}) \in E_p(a, b) \tag{19}$$

where $Key_{bx}$ is the x-coordinate of the derived ECC point on the curve, used to encrypt the message with the AES encryption algorithm. Thereafter, $User_B$ computes

$$W_2 = TID_b \oplus W_b \tag{20}$$

$$M_2 = H(W_2 \| Key_b \| N_b \| Z_2) \tag{21}$$

Finally, the session key is computed as

$$SK_{ab} = H(TID_a \| TID_b \| Z_a' \cdot Z_b \cdot s_b \cdot P_a \| Key_a' \| Key_b \| M_1' \| M_2 \| N_a \| N_b) \tag{22}$$

Then, $User_B$ sends the message tuple $\{TID_b, M_2, Z_2, W_b, N_b, T_b\}$ encrypted with $Key_{bx}$.

$$User_B \rightarrow User_A : \langle N_b, T_b, Z_2, E_{Key_{bx}}\{TID_b, M_2, W_b, N_b, T_b\} \rangle$$
Step 3: $User_A$ performs the same kind of operations as $User_B$: it verifies the freshness of the timestamp $T_b$ by checking whether $(T' - T_b)$ is less than $\Delta T$ and then decrypts the message, finally computing the session key as

$$Z_b' = Z_2 \oplus M_1 \tag{23}$$

$$Key_b' = H(Z_a \cdot Z_b' \| N_b \| T_b) \tag{24}$$

Once $Key_b'$ is computed, its x and y coordinates are identified. Using the x-coordinate ($Key_{bx}'$), the message is decrypted to obtain $TID_b$, $M_2$, and $W_b$, and $User_A$ then performs the mutual authentication process using the received parameters.

$$W_2' = TID_b \oplus W_b \tag{25}$$

$$M_2' = H(W_2' \| Key_b' \| N_b \| Z_2) \tag{26}$$

Before proceeding further, the receiver compares the received value of $M_2$ with the computed one as $M_2 \overset{?}{=} M_2'$; if it holds, the session key is computed successfully:

$$SK_{ab} = H(TID_a \| TID_b \| Z_a \cdot Z_b' \cdot s_a \cdot P_b \| Key_a \| Key_b' \| M_1 \| M_2' \| N_a \| N_b) \tag{27}$$
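As an added example (not code from the paper): the receiver-side freshness test of Step 2, $(T' - T_a) < \Delta T$, combined with the small per-initiator cache that Sect. 3.3 says a recipient needs in order to detect a duplicate message, so that a replay arriving inside $\Delta T$ is also rejected before any decryption or scalar multiplication is spent on it (the clogging concern of Sect. 3.4). The value of $\Delta T$, the $(TID_a, N_a, T_a)$ tuple layout and the trace are assumptions.

```python
import time

DELTA_T = 5.0  # ΔT: tolerated transmission delay in seconds (assumed value)


class FreshnessGuard:
    """Receiver-side state: (TID_a, N_a) pairs accepted inside the current window.

    Rejecting a repeated pair closes the gap a pure timestamp check leaves:
    a message captured and resent within ΔT would otherwise still pass.
    Both checks are cheap and run before any decryption or scalar multiplication,
    so a replayed message costs the receiver almost nothing.
    """

    def __init__(self, delta_t=DELTA_T):
        self.delta_t = delta_t
        self.seen = {}  # (tid, nonce) -> T_a of the accepted message

    def _expire(self, now):
        # Entries whose T_a is already outside the window can no longer pass
        # the timestamp check, so they are dropped from the cache.
        self.seen = {k: ta for k, ta in self.seen.items() if now - ta < self.delta_t}

    def check(self, tid, nonce, ta, now=None):
        """Return (accepted, reason) for a received <N_a, T_a, ...> header."""
        now = time.time() if now is None else now
        self._expire(now)
        if ta - now >= self.delta_t:          # sender clock far ahead: not acceptable
            return False, "timestamp in the future"
        if now - ta >= self.delta_t:          # the paper's (T' - T_a) < ΔT test
            return False, "stale timestamp"
        if (tid, nonce) in self.seen:         # same message seen inside the window
            return False, "replayed nonce"
        self.seen[(tid, nonce)] = ta
        return True, "fresh"


def run_trace():
    """Constructed trace (not from the paper): legitimate, replayed and stale messages."""
    guard = FreshnessGuard()
    t0 = 1_700_000_000.0  # arbitrary epoch second used as the receiver's clock base
    messages = [                                  # (TID_a, N_a, T_a, receiver clock T')
        ("TID-a1", "N-01", t0 + 0.0, t0 + 0.4),   # first delivery: fresh
        ("TID-a1", "N-01", t0 + 0.0, t0 + 1.0),   # same capture resent: still within ΔT
        ("TID-a1", "N-02", t0 - 9.0, t0 + 1.5),   # old capture resent after ΔT
        ("TID-a1", "N-03", t0 + 2.0, t0 + 2.2),   # next legitimate message
        ("TID-a1", "N-01", t0 + 0.0, t0 + 6.0),   # first capture resent after ΔT
    ]
    return [guard.check(*m)[1] for m in messages]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```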


4.4 Temporary ID Update Phase

In this phase, after each successful completion of a session, the user renews his temporary identity for the next communication. The proposed scheme maintains user anonymity/un-traceability in that $User_A$'s and $User_B$'s permanent identities $ID_a$, $ID_b$ are never sent over an open channel. Instead, they are replaced with temporary identities $TID_a$, $TID_b$, which are all an adversary sees. Even if an adversary eavesdrops on the message $\langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\} \rangle$ during the authenticated key exchange phase, he cannot obtain the original identity because it is protected by a random number and by the one-way property of the hash function. Inspecting our protocol, note that $V_i$ is computed by the server using a random number $k_i$ and its secret key $s_s$, which is stored in the server's database. Therefore it is necessary to renew the temporary identity with respect to the random number generated by the user for computing $X_i$, in order to maintain freshness. The steps are as follows.
Step 1: The user initially chooses a secret random number $y_i \in \mathbb{Z}_p$ and computes

$$X_i' = H(ID_i \| y_i) \cdot P \tag{28}$$

$$TID_{new} = TID_i \oplus X_i' \tag{29}$$

Step 2: In a session the sender transmits his new temporary identity $TID_{new}$ together with the list of parameters and the message. The proof of randomness of the new ID is given below:

$$\begin{aligned}
TID_{new} &= TID_i \oplus X_i' \\
&= X_i \oplus V_i \oplus H(ID_i \| y_i) \cdot P \oplus X_i && \text{From Eq. (3)} \\
&= V_i \oplus H(ID_i \| y_i) \cdot P
\end{aligned}$$

5 Security Analysis

This section presents both the formal and the informal security analysis, along with an authentication proof based on BAN logic. The formal security analysis proves that the proposed scheme is SAFE against active and passive attacks, whereas the informal security analysis shows that the proposed protocol provides mutual authentication, user anonymity, un-traceability and perfect forward secrecy, and withstands the clogging attack, replay attack, reflection attack, man-in-the-middle attack, masquerading attack, known-key attack, and key-compromise impersonation attack.

5.1 Formal Security Analysis of Proposed Scheme Using AVISPA Tool

This segment introduces a formal security proof based on the broadly recognized AVISPA tool, which guarantees the safety of the proposed protocol against active and passive attacks [44, 45]. After a formal introduction to AVISPA, a simulation code based on the High-Level Protocol Specification Language (HLPSL) is presented.
AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It is broadly acknowledged as a simulation tool for formal security checking, which determines whether a designed scheme is SAFE or UNSAFE.

Fig. 5 Architecture of AVISPA

A High-Level Protocol Specification Language is used that combines diversified back-ends to implement a variety of state-of-the-art automatic analysis techniques [46]. Figure 5 depicts the architecture of the AVISPA toolkit. The HLPSL language is written in terms of roles, and the code is dynamically converted into a lower-level machine language through the intermediate format (IF). The tool consists of four back-ends, namely the On-the-fly Model-Checker (OFMC), the CL-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC), and the Tree-Automata-based Protocol Analyzer (TA4SP). The OFMC uses symbolic techniques to explore the state space in a demand-driven way. CL-AtSe translates any security protocol written in the intermediate format (IF) into a set of constraints that are used to find whether there are attacks on the protocol. SATMC generates a propositional formula that is fed into a SAT solver, and any model found is translated back into an attack. Finally, TA4SP approximates the intruder knowledge using regular tree languages.
Designing an ideal protocol suitable to run on an open network is difficult, as the protocol must be tested in diversified worst cases to check whether it can prevent passive and active attacks, namely masquerading attacks, man-in-the-middle attacks and replay attacks, at runtime. This tool is specifically designed for IT professionals, engineers, and protocol analysts working in industry or in standardization organizations. The above-mentioned back-ends ensure that the scheme is checked under the standard assumptions of modern cryptography, in which an adversary has immense control over the message flows in a network according to the Dolev–Yao intruder model [47]. Our anonymous self-certified key exchange protocol is simulated using SPAN (Security Protocol Animator) for AVISPA. The results are displayed using the standard OUTPUT FORMAT (OF), which describes the execution of a protocol as either safe or unsafe.

5.1.1 Specifying the Protocol

The proposed scheme is implemented in the HLPSL language, where the two primary roles are presented as alice (A) and bob (B) respectively. The role specifications are shown in Figs. 6 and 7, followed by the simulation results in Figs. 8 and 9. The results show that the proposed protocol can thwart traditional active attacks, such as masquerading, replay and man-in-the-middle attacks, as well as passive attacks. In summary, the scheme is safe under the OFMC and CL-AtSe back-ends.

Fig. 6 Role specification of sender (as Alice) in HLPSL

5.2 Informal Security Proof

In this subsection, we show the efficacy of the proposed scheme in achieving the
desired security properties. We first show the attacks that our scheme resists, in contrast
to Islam's scheme. Later we present additional features that demonstrate the efficiency of
our proposed protocol.
Theorem 1 The proposed scheme preserves user anonymity.
Proof In our proposed scheme, the user $User_A$ sends the message
$\langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$ to $User_B$, where the user's identity is encrypted using a
symmetric-key operation [28, 30] over an insecure channel. Moreover, the message
includes a temporary identity $TID_a$ instead of $ID_a$; therefore, even if an adversary intercepts
the message he cannot obtain the real identity of $User_A$, as $TID_a = X_a \oplus V_a$, where $V_a$ is
computed by the server using a one-way hash function with two random secrets $s_s$ and $k_a$.
Also, $X_a$ is computed by the sender, using a one-way hash function, from a random secret $x_a$
that is chosen afresh at each session to maintain a fresh temporary identity, as in
Eqs. (28), (29). Therefore it is difficult for an adversary to compute a temporary identity
without the knowledge of these random secrets. Thus our scheme preserves user anonymity. □

Fig. 7 Role specification of receiver (as Bob) in HLPSL

Fig. 8 Simulation result of OFMC

Fig. 9 Simulation result of CL-AtSe
Theorem 2 The proposed scheme resists the trace attack.
Proof In our proposed scheme, during the authenticated key exchange phase each message is
encrypted and sent along with the users' temporary identities $TID_a$, $TID_b$ instead of their
real identities $ID_a$, $ID_b$; the temporary identity is not constant across sessions, as it is
renewed after every session. Therefore, it is infeasible for an attacker to intercept the
messages and track private information such as current location, IP address, shopping
patterns, etc. Thus our proposed scheme preserves user privacy by providing
untraceability. □
Theorem 3 The proposed scheme resists the replay attack.
Proof In our proposed scheme, replaying a message of a previous session into a new
session is useless because we use the timestamps $T_a$, $T_b$ as well as the random nonces $N_a$ and $N_b$
as a challenge–response between $User_A$ and $User_B$. However, an adversary can try the
following ways.
Step 1: Suppose an adversary intercepts the message $\langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$
and resends it to gain authentication; then the tolerable time delay $\Delta T$ will be
exceeded. Therefore, the session will be aborted.
Step 2: Assume that an adversary replays the message at the current time $T_a^{*}$ as
$\langle N_a, T_a^{*}, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$; then $User_B$ accepts the message and tries to
compute $Key_a$. Here, the original $Key_a$ is infeasible for the adversary to compute, due to the
difficulty of solving the computational Diffie–Hellman problem. Therefore, the session is
terminated, as the adversary cannot compute $Key_a$ owing to the different timestamp
$T_a \neq T_a^{*}$ and ignorance of $User_A$'s secret key $s_a$. Thus our proposed scheme resists the
replay attack. □
Theorem 4 The proposed scheme resists the clogging attack.
Proof Clogging occurs if an adversary burdens a server with useless computation, thereby
exhausting its resources. In our proposed scheme, the messages are not sent in clear text;
rather, they are encrypted and sent along with a timestamp and a fresh random nonce [48].
However, an adversary can try the following ways.
Step 1: Suppose an adversary intercepts the message sent by $User_A$ and tries to replay
it. He fails to gain authenticity, however, as our proposed scheme resists the replay
attack.
Step 2: Assume that an adversary somehow trespasses and replays the message at the current
time $T_a^{*}$ with a random nonce $N_a^{*}$ as $\langle N_a^{*}, T_a^{*}, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$;
then $User_B$ accepts the message and tries to compute $Key_a$. In order to compute the
symmetric key, the receiver performs $Key_a = H(s_b \cdot P_a \,\|\, N_a^{*} \,\|\, T_a^{*})$, which differs from the
original key. Therefore, the decryption fails and the session is rejected.
As for the time spent in computation at the receiver's side, Islam's scheme needs two point
multiplications, costing around 1.66 ms, before verifying the request, whereas we
require one point multiplication and one symmetric decryption, costing around 0.831 ms.
Therefore, our proposed scheme resists the clogging attack. □
Theorem 5 The proposed scheme provides mutual authentication.
Proof In mutual authentication both the sender and the receiver need to authenticate each
other. In our proposed scheme, at the key exchange phase, upon receiving the message
$\langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$, $User_B$ performs the following steps to
authenticate $User_A$.
Step 1: $User_B$ first decrypts the message by computing
$Key'_a = H(s_b \cdot P_a \,\|\, N_a \,\|\, T_a)$ from Eq. (13),
$W'_1 = TID_a \oplus W_a$ from Eq. (14),
$M'_1 = H(W'_1 \,\|\, Key'_a \,\|\, N_a \,\|\, Z_1)$ from Eq. (15).
Step 2: If $M_1 \stackrel{?}{=} M'_1$ holds, the user $User_A$ is authenticated and the protocol proceeds;
otherwise, the session is terminated.
In order to authenticate $User_B$, after receiving the message
$\langle N_b, T_b, Z_2, E_{Key_{bx}}\{TID_b, M_2, W_b, N_b, T_b\}\rangle$, $User_A$ performs the following steps.
Step 1: $User_A$ first decrypts the message by computing
$Key'_b = H(Z_a \cdot Z'_b \,\|\, N_b \,\|\, T_b)$ from Eq. (24),
$W'_2 = TID_b \oplus W_b$ from Eq. (25),
$M'_2 = H(W'_2 \,\|\, Key'_b \,\|\, N_b \,\|\, Z_2)$ from Eq. (26).
Step 2: If $M_2 \stackrel{?}{=} M'_2$ holds, the user $User_B$ is authenticated and the protocol proceeds;
otherwise, the session is terminated. □
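As an added illustration (not code from the paper), the following Python models $User_B$'s Step 1 and Step 2 above together with the tolerable-delay check of Theorem 3 and the wrong-key rejection of Theorem 4, and runs an honest delivery against a verbatim, a late and a re-stamped replay. Since Eqs. (13)–(15) and the curve parameters are not reproduced on this page, it assumes $Key_{ax} = Key_a = H(s_b \cdot P_a \,\|\, N_a \,\|\, T_a)$, $Z_1 = Z_a \cdot P$, $W_a = TID_a \oplus W_1$, the curve secp256k1, a SHA-256 keystream as a stand-in for $E_K\{\cdot\}$, and that $User_B$ already holds $P_a$; the cache of accepted $(N_a, T_a)$ pairs is an addition the page does not describe.

```python
# Added example (not the paper's code): UserB's verification of message 1,
# Theorem 5 Steps 1-2 plus the time-delay check of Theorem 3.  Assumptions:
# Key_ax = Key_a = H(s_b.P_a || N_a || T_a); curve = secp256k1; E_K{.} is a
# SHA-256 keystream XOR stand-in; W_a = TID_a xor W_1, so W'_1 = TID_a xor W_a.
import hashlib, hmac, json

P_MOD = 2**256 - 2**32 - 977                       # secp256k1 field prime (a = 0, b = 7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAX_DELAY = 5                                      # tolerable delay in seconds (constructed)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k.pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(v):
    """Canonical bytes for a point, an int or a byte string inside H(.)."""
    if isinstance(v, tuple):
        return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    return v.to_bytes(32, "big") if isinstance(v, int) else v

def H(*parts):
    """One-way hash of the concatenation a || b || ... (SHA-256)."""
    return hashlib.sha256(b"".join(map(enc, parts))).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sym_crypt(key, data):
    """Stand-in for E_Key{.}: XOR with a SHA-256 keystream (self-inverse)."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return xor(data, ks[:len(data)])

def sender_build(s_a, P_b, TID_a, W_1, Z_a, N_a, T_a):
    """UserA builds <N_a, T_a, E_Key_a{TID_a, M_1, Z_1, W_a, N_a, T_a}>."""
    Key_a = H(ec_mul(s_a, P_b), N_a, T_a)          # same value B derives via Eq. (13)
    Z_1 = ec_mul(Z_a, G)                           # assumed Z_1 = Z_a.P
    W_a = xor(TID_a, W_1)
    M_1 = H(W_1, Key_a, N_a, Z_1)                  # Eq. (15)
    inner = {"TID_a": TID_a.hex(), "M_1": M_1.hex(), "Z_1": enc(Z_1).hex(),
             "W_a": W_a.hex(), "N_a": N_a, "T_a": T_a}
    return N_a, T_a, sym_crypt(Key_a, json.dumps(inner).encode())

def receiver_verify(msg, s_b, P_a, now, seen):
    """Return a verdict string. `seen` caches accepted (N_a, T_a) pairs inside
    the delay window; that cache is an addition the page does not describe."""
    N_a, T_a, ct = msg
    if abs(now - T_a) > MAX_DELAY:                 # Theorem 3, Step 1
        return "stale-timestamp"
    if (N_a, T_a) in seen:
        return "replayed-nonce"
    Key_a2 = H(ec_mul(s_b, P_a), N_a, T_a)         # Eq. (13): Key'_a
    try:                                           # wrong key -> garbage (Theorem 4)
        inner = json.loads(sym_crypt(Key_a2, ct).decode())
        TID_a, W_a = bytes.fromhex(inner["TID_a"]), bytes.fromhex(inner["W_a"])
        Z_1, M_1 = bytes.fromhex(inner["Z_1"]), bytes.fromhex(inner["M_1"])
    except (ValueError, KeyError, TypeError):
        return "decrypt-failed"
    if inner["N_a"] != N_a or inner["T_a"] != T_a:
        return "header-mismatch"
    M_1p = H(xor(TID_a, W_a), Key_a2, N_a, Z_1)    # Eqs. (14), (15): W'_1 then M'_1
    if not hmac.compare_digest(M_1p, M_1):
        return "auth-failed"                       # M_1 != M'_1: terminate session
    seen.add((N_a, T_a))
    return "ok"

def demo():
    """Constructed run: honest delivery, verbatim replay, late replay, re-stamped replay."""
    s_a, s_b = 0x1234567, 0x7654321                # constructed long-term keys
    P_a, P_b = ec_mul(s_a, G), ec_mul(s_b, G)
    TID_a, W_1, N_a, T_a = b"\x11" * 32, b"\x22" * 32, 0xABCDEF, 1_700_000_000
    msg = sender_build(s_a, P_b, TID_a, W_1, 0x9999, N_a, T_a)
    seen = set()
    fresh = receiver_verify(msg, s_b, P_a, T_a + 1, seen)
    verbatim = receiver_verify(msg, s_b, P_a, T_a + 2, seen)
    late = receiver_verify(msg, s_b, P_a, T_a + MAX_DELAY + 1, set())
    restamp = receiver_verify((N_a, T_a + 3, msg[2]), s_b, P_a, T_a + 3, set())  # Theorem 3, Step 2
    return fresh, verbatim, late, restamp
```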
Theorem 6 The proposed scheme achieves session key agreement.
Proof In our proposed scheme, the session key is generated for a particular session and
cannot be accepted for another session by the same user. In our scheme, the session key
depends on the temporary values generated by $User_A$ and $User_B$. The session key generated by
$User_A$ is $SK_{ab} = H(TID_a \,\|\, TID_b \,\|\, Z_a \cdot Z'_b \cdot s_a \cdot P_b \,\|\, Key_a \,\|\, Key'_b \,\|\, M_1 \,\|\, M'_2 \,\|\, N_a \,\|\, N_b)$,
which requires the validity of $M_2 \stackrel{?}{=} M'_2$ from Eq. (26). Similarly, $User_B$ generates
$SK_{ab} = H(TID_a \,\|\, TID_b \,\|\, Z'_a \cdot Z_b \cdot s_b \cdot P_a \,\|\, Key'_a \,\|\, Key_b \,\|\, M'_1 \,\|\, M_2 \,\|\, N_a \,\|\, N_b)$,
which requires the validity of $M_1 \stackrel{?}{=} M'_1$ from Eq. (15). This unique construction for
each session ensures key freshness. Thus our scheme successfully computes the session key. □
Theorem 7 The proposed scheme resists the masquerade attack.
Proof An attacker may try to impersonate a legitimate user or server by compromising
its secret keys. However, our proposed scheme resists this attack, as the following
scenarios show.
Step 1: An adversary can try to masquerade as a legal user by first eavesdropping on the
message $\langle N_a, T_a, E_{Key_{ax}}\{TID_a, M_1, Z_1, W_a, N_a, T_a\}\rangle$ sent between $User_A$ and $User_B$
and later replaying it to gain authorization; this fails owing to the resistance to the
replay attack.
Step 2: The adversary can randomly choose an identity $ID$ together with the current
timestamp $T_a$ and a fresh nonce $N_a$ in order to compute the symmetric key $Key_{ax}$, for
which he must know the sender $User_A$'s secret key or the receiver $User_B$'s
secret key, which is infeasible to acquire due to the difficulty of solving the ECDHP.
Step 3: Similarly, an attacker can try to masquerade as a legal server to the users by
eavesdropping on the message $\langle ID_s, TID_i, W_i, X_{si}\rangle$. The adversary can randomly choose a
witness $W_i$ and try to compute a temporary identity $TID_i$, for which he must know the
server's secret key $s_s$ and its random secret $k_i$, which is infeasible to
acquire due to the difficulty of solving the ECDLP.
Thus our scheme prevents the masquerade attack at both the user and the server side. □
Theorem 8 The proposed scheme resists the man-in-the-middle attack.
Proof In this attack, an attacker may try to masquerade as a legal user or server by
intercepting the messages. However, our proposed scheme prevents the masquerade attack
and achieves mutual authentication between $User_A$ and $User_B$ by verifying whether
$M_1 \stackrel{?}{=} M'_1$ and $M_2 \stackrel{?}{=} M'_2$ at both ends. Also, the transmitted messages are encrypted
with the symmetric keys $Key_{ax}$ and $Key_{bx}$, which are difficult to break under the ECDHP
assumption and without knowledge of the sender's and receiver's secret keys. Thus the
proposed scheme can withstand the man-in-the-middle attack. □
Theorem 9 The proposed scheme prevents the known-key attack.
Proof A protocol is said to be known-key secure if the disclosure of any previous session
key does not affect future session keys. Suppose a previously established session key
$SK_{ab} = H(TID_a \,\|\, TID_b \,\|\, Z'_a \cdot Z_b \cdot s_b \cdot P_a \,\|\, Key'_a \,\|\, Key_b \,\|\, M'_1 \,\|\, M_2 \,\|\, N_a \,\|\, N_b)$ is compromised;
then the compromised session key does not reveal any information about other session keys,
because the key is computed with a one-way hash function and includes the nonces, random
secrets and secret keys of the sender and receiver, which are infeasible to obtain due to the
difficulty of solving the ECDLP in polynomial time. Therefore, the proposed scheme prevents
the known-key attack. □


Theorem 10 The proposed scheme resists the key-compromise impersonation attack.
Proof In this attack an adversary having knowledge of $User_A$'s long-term private key
may impersonate $User_B$ to $User_A$ in order to obtain a correct session key between them. For
instance, an adversary with $User_A$'s secret key $s_a$ can compute the symmetric key $Key_{ax}$
using $User_B$'s public key $P_b$ and then randomly generate $Z_b \in \mathbb{Z}_p$ for computing the
session key. In order to compile the session key
$SK_{ab} = H(TID_a \,\|\, TID_b \,\|\, Z_a \cdot Z'_b \cdot s_a \cdot P_b \,\|\, Key_a \,\|\, Key'_b \,\|\, M_1 \,\|\, M'_2 \,\|\, N_a \,\|\, N_b)$,
the adversary must know $User_B$'s private key, which is difficult to derive from the public key
$P_b = s_b \cdot P$ of $User_B$ under the ECDLP assumption. Also, he requires knowledge of $M_1$ and
$M_2$, which are difficult to generate owing to the one-way property of the hash function.
Thus the proposed scheme is secure against the key-compromise impersonation attack. □
Theorem 11 Our scheme resists the unknown key-share attack.
Proof In this attack, after completion of a session $User_A$ believes that he has shared the
session key with $User_B$, whereas $User_B$ believes that he has shared the session
key with an adversary. In our proposed scheme, the identities of each participating member
are included in the session key $SK_{ab}$, which is validated by the legitimate sender $User_A$ and
receiver $User_B$. Therefore, each user obtains confirmation that the session key has been
shared with an authentic member. Thus our proposed scheme resists the unknown key-share
attack. □
Theorem 12 Our scheme meets the security requirement of perfect forward secrecy.
Proof An authentication protocol is said to achieve perfect forward secrecy if an
adversary cannot compute the session keys generated in previous sessions even if he
obtains the secret keys of any participant. In our proposed scheme, the session key
$SK_{ab} = H(TID_a \,\|\, TID_b \,\|\, Z'_a \cdot Z_b \cdot s_b \cdot s_a \cdot P \,\|\, Key'_a \,\|\, Key_b \,\|\, M'_1 \,\|\, M_2 \,\|\, N_a \,\|\, N_b)$
is computed using the session random numbers $Z_a$, $Z_b$ chosen by $User_A$ and $User_B$.
Therefore, even if the secret keys $s_a$, $s_b$ of the participants are compromised, it is
computationally infeasible for the adversary to compute $SK_{ab}$ without knowing $Z_a$, $Z_b$,
due to the difficulty of solving the ECDLP. Thus our proposed scheme achieves perfect
forward secrecy. □

5.3 BAN Logic

BAN is a logic of authentication proposed by Burrows, Abadi and Needham [49, 50]. The goal
of BAN logic is to establish trust among communicating parties. It is used to analyze the
security of authentication and key distribution protocols. In this section, we first briefly
describe the notation used in BAN logic, and after that we provide the authentication
proof. The notation of BAN logic is as follows:
– $P$, $Q$: the participating entities.
– $X$: a message sent over the channel.
– $K$: the secret key.
– $\#(X)$: $X$ is fresh.
– $\{X\}_K$: the message $X$ is encrypted with the secret key $K$.
– $(X, Y)$: $X$ and $Y$ are each one part of $(X, Y)$.
– $\langle X \rangle_Y$: $X$ is combined with $Y$.
– $(X)_K$: $X$ is hashed with the key $K$.
– $P \mid\equiv Q$: $P$ believes $Q$.
– $P \triangleleft X$: $P$ receives the message $X$.
– $P \mid\sim X$: $P$ once said $X$.
– $Q \Rightarrow X$: $Q$ has jurisdiction over $X$.
– $P \xleftrightarrow{K} Q$: $K$ is a shared key between $P$ and $Q$.
– $SK$: the session key used in the current session.
– $\stackrel{P_p}{\longmapsto} P$: $P_p$ is a public key of $P$, and the corresponding secret key will not be
discovered by anyone except $P$.
Some rules used in BAN logic are as follows:
– Message-meaning rule: $\dfrac{P \mid\equiv P \xleftrightarrow{K} Q,\; P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$
– Nonce-verification rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$
– Jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$
– Freshness rule: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$
– Session key rule: $\dfrac{P \mid\equiv \#(SK),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \xleftrightarrow{SK} Q}$

5.3.1 Deduction of the Proposed Protocol

1. Generic form: The generic form of the messages exchanged in our scheme is as follows:
From message M1, $A \to B$: $\langle T_a, N_a, \{TID_a, N_a, T_a, M_1, Z_1, W_a\}_{Key_{ax}} \rangle$
From message M2, $B \to A$: $\langle T_b, N_b, Z_2, \{TID_b, N_b, T_b, M_2, W_b\}_{Key_{bx}} \rangle$
2. Idealization: Subsequently, we translate the messages M1 and M2 into their idealized
forms as follows:
M1, $A \to B$: $\{TID_a, N_a, T_a, A \xleftrightarrow{M_1} B, Z_1, W_a, A \xleftrightarrow{P_a} B, A \xleftrightarrow{SK} B\}_{Key_{ax}}$
M2, $B \to A$: $\{TID_b, N_b, T_b, A \xleftrightarrow{M_2} B, W_b, A \xleftrightarrow{P_b} B, A \xleftrightarrow{SK} B\}_{Key_{bx}}$

3. Initial state assumptions: The following assumptions about the initial state are made
to analyze the proposed protocol:
A1: $A \mid\equiv \#(Z_a)$, $A \mid\equiv \#(P_a)$
A2: $B \mid\equiv \#(Z_b)$, $B \mid\equiv \#(P_b)$
A3: $A \mid\equiv \#(N_a)$, $A \mid\equiv \#(T_a)$
A4: $B \mid\equiv \#(N_b)$, $B \mid\equiv \#(T_b)$
A5: $A \mid\equiv A \xleftrightarrow{Key_{ax}} B$
A6: $B \mid\equiv A \xleftrightarrow{Key_{bx}} B$
A7: $B \mid\equiv A \xleftrightarrow{Key_{ax}} B$
A8: $A \mid\equiv A \xleftrightarrow{Key_{bx}} B$
A9: $B \mid\equiv A \Rightarrow (A \xleftrightarrow{M_1} B)$
A10: $A \mid\equiv B \Rightarrow (A \xleftrightarrow{M_2} B)$
A11: $B \mid\equiv \stackrel{P_a}{\longmapsto} A$
A12: $A \mid\equiv \stackrel{P_b}{\longmapsto} B$
A13: $B \mid\equiv A \Rightarrow (A \xleftrightarrow{P_a} B)$
A14: $A \mid\equiv B \Rightarrow (A \xleftrightarrow{P_b} B)$
A15: $B \mid\equiv A \Rightarrow (A \xleftrightarrow{SK} B)$
A16: $A \mid\equiv B \Rightarrow (A \xleftrightarrow{SK} B)$
4. Goals: According to the analytic procedure of BAN logic, the proposed scheme must
satisfy the following goals in order to prove that the system is secure:
Goal 1: $B \mid\equiv A \mid\equiv A \xleftrightarrow{SK} B$
Goal 2: $B \mid\equiv A \xleftrightarrow{SK} B$
Goal 3: $A \mid\equiv B \mid\equiv A \xleftrightarrow{SK} B$
Goal 4: $A \mid\equiv A \xleftrightarrow{SK} B$
5. Derivation process: The idealized form of the proposed scheme is analyzed using the
BAN logic rules together with the assumptions. The main proof is stated as follows.
According to M1, we have
S1: $B \triangleleft \{TID_a, N_a, T_a, A \xleftrightarrow{M_1} B, Z_1, W_a, A \xleftrightarrow{P_a} B, A \xleftrightarrow{SK} B\}_{Key_{ax}}$

According to assumption A5, we apply the message-meaning rule on S1 to obtain
S2: $B \mid\equiv A \mid\sim (TID_a, N_a, T_a, A \xleftrightarrow{M_1} B, Z_1, W_a, A \xleftrightarrow{P_a} B, A \xleftrightarrow{SK} B)$

From assumptions A3 and A7, we apply the freshness conjugation rule to obtain
S3: $B \mid\equiv A \mid\equiv (TID_a, N_a, T_a, A \xleftrightarrow{M_1} B, Z_1, W_a, A \xleftrightarrow{P_a} B, A \xleftrightarrow{SK} B)$

From S3, we apply the BAN logic rule for breaking a conjunction to obtain
S4: $B \mid\equiv A \mid\equiv A \xleftrightarrow{M_1} B$

From assumption A9 and S4, we apply the jurisdiction rule to obtain
S5: $B \mid\equiv A \xleftrightarrow{M_1} B$

From assumptions A1, A11 and S3, we apply the nonce-verification and freshness
conjugation rules to obtain
S6: $B \mid\equiv A \mid\equiv A \xleftrightarrow{P_a} B$

From assumption A13 and S6, we apply the jurisdiction rule to obtain
S7: $B \mid\equiv A \xleftrightarrow{P_a} B$

$User_B$ believes that the public key $P_a$ of $User_A$ is authentic. Therefore, by applying the
freshness conjugation and nonce-verification rules on A1, A3 and S3 we have
S8: $B \mid\equiv A \mid\equiv A \xleftrightarrow{SK} B$ (Goal 1)

From A15 and S8, we apply the session key rule, computing the session key $SK$ using
$(Z_a \cdot Z_b \cdot s_b \cdot P_a)$, $M_1$ and $Key_{ax}$ along with the other known values, to obtain
S9: $B \mid\equiv A \xleftrightarrow{SK} B$ (Goal 2)

According to M2, we have
S10: $A \triangleleft \{TID_b, N_b, T_b, A \xleftrightarrow{M_2} B, W_b, A \xleftrightarrow{P_b} B, A \xleftrightarrow{SK} B\}_{Key_{bx}}$

According to assumption A6, we apply the message-meaning rule on S10 to obtain
S11: $A \mid\equiv B \mid\sim (TID_b, N_b, T_b, A \xleftrightarrow{M_2} B, W_b, A \xleftrightarrow{P_b} B, A \xleftrightarrow{SK} B)$

From assumptions A3 and A8, we apply the freshness conjugation rule to obtain
S12: $A \mid\equiv B \mid\equiv (TID_b, N_b, T_b, A \xleftrightarrow{M_2} B, W_b, A \xleftrightarrow{P_b} B, A \xleftrightarrow{SK} B)$

From S12, we apply the BAN logic rule for breaking a conjunction to obtain
S13: $A \mid\equiv B \mid\equiv A \xleftrightarrow{M_2} B$

From assumption A10 and S13, we apply the jurisdiction rule to obtain
S14: $A \mid\equiv A \xleftrightarrow{M_2} B$

From assumptions A2, A12 and S12, we apply the nonce-verification and freshness rules
to obtain
S15: $A \mid\equiv B \mid\equiv A \xleftrightarrow{P_b} B$

From assumption A14 and S15, we apply the jurisdiction rule to obtain
S16: $A \mid\equiv A \xleftrightarrow{P_b} B$

$User_A$ believes that the public key $P_b$ of $User_B$ is authentic. Therefore, by applying the
freshness conjugation and nonce-verification rules on A2, A4 and S12 we have
S17: $A \mid\equiv B \mid\equiv A \xleftrightarrow{SK} B$ (Goal 3)

From A16 and S17, we apply the session key rule, computing the session key $SK$ using
$(Z_a \cdot Z_b \cdot s_a \cdot P_b)$, $M_2$ and $Key_{bx}$ along with the other known values, to obtain
S18: $A \mid\equiv A \xleftrightarrow{SK} B$ (Goal 4)

The above discussion shows that, according to (Goal 1), (Goal 2), (Goal 3) and (Goal 4),
both $User_A$ and $User_B$ believe that the session key $SK$ is successfully shared between
them.


Table 3 Comparison with existing schemes

Properties                           Zu-hua [25]  Tsaur [26]  Wang et al. [51]  Cao et al. [18]  Islam et al. [20]  Islam et al. [27]  Our scheme
User anonymity                       No           Yes         No                No               No                 No                 Yes
Clogging attack                      No           Yes         No                No               No                 No                 Yes
Known-key attack                     Yes          Yes         Yes               Yes              Yes                Yes                Yes
Key-compromise impersonation attack  Yes          Yes         Yes               Yes              Yes                Yes                Yes
Mutual authentication                Yes          Yes         No                No               No                 Yes                Yes
Man-in-the-middle attack             Yes          Yes         Yes               Yes              Yes                Yes                Yes
Perfect forward secrecy              Yes          No          Yes               Yes              Yes                Yes                Yes
Masquerade attack                    Yes          Yes         Yes               Yes              Yes                Yes                Yes
Replay attack                        No           Yes         No                No               No                 No                 Yes
Trace attack                         No           Yes         No                No               No                 No                 Yes
Unknown key-share attack             Yes          Yes         Yes               Yes              Yes                Yes                Yes

6 Performance Evaluation

This section presents the performance analysis of our proposed scheme in terms of
computational cost and security properties with respect to the existing schemes
[18, 20, 25–27, 51]. The schemes in [25, 51] are based on bilinear pairing, and the rest of the
schemes use the elliptic curve discrete logarithm assumption.
The properties considered in the comparison include user anonymity, clogging attack,
known-key attack, key-compromise impersonation attack, mutual authentication, man-in-
the-middle attack, perfect forward secrecy, masquerade attack, replay attack, trace attack
and unknown key-share attack. Table 3 summarizes the comparison of security
features. Table 4 lists the notation used for converting complexity into execution time
in milliseconds, as described in [52, 53]. Table 5 summarizes the comparison of
computational costs. The time complexity of a symmetric-key
encryption/decryption is 0.0087 ms, which is nearly equal to 0.001 ms, and the time
complexity of a hash function is 0.0005 ms; both are nearly negligible.

Table 4 Computation time (ms) for different operations

Notation  Definition and conversion
T_bp      Time complexity for executing the bilinear pairing: T_bp ≈ 20.01 ms
T_pe      Time complexity for executing the pairing-based exponentiation: T_pe ≈ 6.38 ms
T_pm      Time complexity for executing the elliptic-curve scalar point multiplication: T_pm ≈ 0.83 ms
T_sy      Time complexity for executing the symmetric-key encryption/decryption: T_sy ≈ 0.0087 ms
T_h       Time complexity for executing the hash function: T_h ≈ 0.0005 ms

Table 5 Comparison of communication cost in each protocol

Protocol           Number of rounds  User A                        User B                        Total cost                    Total time
Zu-hua [25]        2                 2T_pm + 2T_pe + 3T_bp + 2T_h  2T_pm + 2T_pe + 3T_bp + 2T_h  4T_pm + 4T_pe + 6T_bp + 4T_h  148.9 ms
Tsaur [26]         2                 5T_pm + 3T_h                  5T_pm + 3T_h                  10T_pm + 6T_h                 8.3 ms
Wang et al. [51]   2                 3T_pm + 1T_bp + 1T_h          3T_pm + 1T_bp + 1T_h          6T_pm + 2T_bp + 2T_h          45 ms
Cao et al. [18]    2                 5T_pm + 2T_h                  5T_pm + 2T_h                  10T_pm + 4T_h                 8.3 ms
Islam et al. [20]  2                 4T_pm + 3T_h                  4T_pm + 3T_h                  8T_pm + 6T_h                  6.64 ms
Islam et al. [27]  2                 3T_pm + 3T_h                  3T_pm + 3T_h                  6T_pm + 6T_h                  4.98 ms
Our scheme         2                 2T_pm + 6T_h                  2T_pm + 6T_h                  4T_pm + 12T_h                 3.32 ms


Fig. 10 Comparison of computational cost of proposed scheme with [18, 20, 25–27, 51] (bar chart of computation time for User A, User B and total cost of each scheme)

Therefore we consider only the time complexity of the elliptic-curve scalar point
multiplication and the bilinear pairing for the comparison in Table 5.
As shown in Table 5, the computation cost of our proposed scheme is not only lower
than that of the existing schemes, but our scheme also overcomes the weaknesses of the
recently proposed scheme of Islam et al. [27] by achieving user anonymity and
untraceability and by preventing the clogging and replay attacks. As a result, our scheme is
more suitable for practical applications than the existing schemes (Fig. 10).

7 Conclusion

In this paper, we have first reviewed the recently proposed scheme of Islam et al. and then
shown that their scheme fails to prevent the replay attack, clogging attack and trace attack,
and also fails to protect user anonymity. To overcome these drawbacks, we have proposed
an anonymous self-certified authenticated key exchange protocol using elliptic curve
cryptography. The proposed scheme supports mutual authentication and session key
agreement, whereby two users can verify the legitimacy of one another and establish a
secure connection. The proposed scheme has undergone a series of informal and formal
security analyses. Through the informal security analysis, we have shown that our
scheme is secure against various known attacks. In addition, through the formal security
analysis using the widely used automated tool AVISPA and BAN logic, we have shown that
the scheme achieves secure authentication under passive and active attacks. Furthermore,
the performance analysis shows that the proposed scheme has lower computation and
communication costs than the competing protocols. Therefore our proposed
scheme is suitable for client–server applications.

References
1. Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654.
2. Bellare, M., & Rogaway, P. (1993). Entity authentication and key distribution. In Annual international cryptology conference (pp. 232–249). Springer.
3. Bellovin, S. M., & Merritt, M. (1992). Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of 1992 IEEE computer society symposium on research in security and privacy (pp. 72–84). IEEE.
4. Bellare, M., Pointcheval, D., & Rogaway, P. (2000). Authenticated key exchange secure against dictionary attacks. In International conference on the theory and applications of cryptographic techniques (pp. 139–155). Springer.
5. Chen, T.-H., Lee, W.-B., & Chen, H.-B. (2008). A round- and computation-efficient three-party authenticated key exchange protocol. Journal of Systems and Software, 81(9), 1581–1590.
6. Blake-Wilson, S., Johnson, D., & Menezes, A. (1997). Key agreement protocols and their security analysis. In IMA international conference on cryptography and coding (pp. 30–45). Springer.
7. Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Workshop on the theory and application of cryptographic techniques (pp. 47–53). Springer.
8. Scott, M. (2002). Authenticated ID-based key exchange and remote log-in with simple token and PIN number. IACR Cryptology ePrint Archive, 2002, 164.
9. Smart, N. P. (2002). Identity-based authenticated key agreement protocol based on Weil pairing. Electronics Letters, 38(13), 630–632.
10. Boneh, D., & Franklin, M. (2001). Identity-based encryption from the Weil pairing. In Annual international cryptology conference (pp. 213–229). Springer.
11. Joux, A. (2000). A one round protocol for tripartite Diffie–Hellman. In International algorithmic number theory symposium (pp. 385–393). Springer.
12. Chen, L., & Kudla, C. (2003). Identity based authenticated key agreement protocols from pairings. In Proceedings of 16th IEEE computer security foundations workshop (pp. 219–233). IEEE.
13. Shim, K. (2003). Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electronics Letters, 39(8), 653–654.
14. Sun, H.-M., & Hsieh, B.-T. (2003). Security analysis of Shim's authenticated key agreement protocols from pairings. IACR Cryptology ePrint Archive, 2003, 113.
15. Ryu, E.-K., Yoon, E.-J., & Yoo, K.-Y. (2004). An efficient ID-based authenticated key agreement protocol from pairings. In International conference on research in networking (pp. 1458–1463). Springer.
16. Boyd, C., & Choo, K.-K. R. (2005). Security of two-party identity-based key agreement. In International conference on cryptology in Malaysia (pp. 229–243). Springer.
17. Wang, S., Cao, Z., Choo, K. K. R., & Wang, L. (2009). An improved identity-based key agreement protocol and its security proof. Information Sciences, 179(3), 307–318.
18. Cao, X., Kou, W., & Xiaoni, D. (2010). A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Information Sciences, 180(15), 2895–2903.
19. Kudla, C., & Paterson, K. G. (2005). Modular security proofs for key agreement protocols. In International conference on the theory and application of cryptology and information security (pp. 549–565). Springer.
20. Hafizul Islam, S. K., & Biswas, G. P. (2012). An improved pairing-free identity-based authenticated key agreement protocol based on ECC. Procedia Engineering, 30, 499–507.
21. Girault, M. (1991). Self-certified public keys. In Workshop on the theory and application of cryptographic techniques (pp. 490–497). Springer.
22. Saeednia, S. (1997). Identity-based and self-certified key-exchange protocols. In Australasian conference on information security and privacy (pp. 303–313). Springer.
23. Tzong-Chen, W., Chang, Y.-S., & Lin, T.-Y. (1998). Improvement of Saeednia's self-certified key exchange protocols. Electronics Letters, 34(11), 1094–1095.
24. Kim, S., Oh, S., Park, S., Wong, D., Kimy, S., Ohy, S., et al. (1998). On Saeednia's key-exchange protocols. In Proceedings of Teddington conference on the mechanization of thought processes. Citeseer.
25. Zu-Hua, S. (2005). Efficient authenticated key agreement protocol using self-certified public keys from pairings. Wuhan University Journal of Natural Sciences, 10(1), 267–270.
26. Tsaur, W.-J. (2005). Several security schemes constructed using ECC-based self-certified public key cryptosystems. Applied Mathematics and Computation, 168(1), 447–464.
27. Hafizul Islam, S. K., & Biswas, G. P. (2015). Design of two-party authenticated key agreement protocol based on ECC and self-certified public keys. Wireless Personal Communications, 82(4), 2727–2750.
28. Khan, M. K., Kim, S.-K., & Alghathbar, K. (2011). Cryptanalysis and security enhancement of a more efficient and secure dynamic ID-based remote user authentication scheme. Computer Communications, 34(3), 305–309.
29. Liao, Y.-P., & Wang, S.-S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(1), 24–29.
30. Wang, Y., Liu, J., Xiao, F., & Dan, J. (2009). A more efficient and secure dynamic ID-based remote user authentication scheme. Computer Communications, 32(4), 583–585.
31. Chaum, D., & Van Heyst, E. (1991). Group signatures. In Advances in cryptology EUROCRYPT'91 (pp. 257–265). Springer.
32. Ren, J., & Harn, L. (2013). An efficient threshold anonymous authentication scheme for privacy-preserving communications. IEEE Transactions on Wireless Communications, 12(3), 1018–1025.
33. He, D., Chen, C., Chan, S., & Jiajun, B. (2012). Secure and efficient handover authentication based on bilinear pairing functions. IEEE Transactions on Wireless Communications, 11(1), 48–53.
34. Lu, Y., Li, L., Peng, H., & Yang, Y. (2016). Robust ID based mutual authentication and key agreement scheme preserving user anonymity in mobile networks. KSII Transactions on Internet and Information Systems, 10(3), 1.
35. Hsieh, W.-B., & Leu, J.-S. (2014). An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures. The Journal of Supercomputing, 70(1), 133–148.
36. Hankerson, D., & Menezes, A. J. (2005). Guide to elliptic curve cryptography. Computing Reviews, 46(1), 13.
37. Gutub, A. A.-A., & Arabia, S. (2010). Remodeling of elliptic curve cryptography scalar multiplication architecture using parallel Jacobian coordinate system. International Journal of Computer Science and Security (IJCSS), 4(4), 409.
38. Garrett, K., Talluri, S. R., & Roy, S. (2015). On vulnerability analysis of several password authentication protocols. Innovations in Systems and Software Engineering, 11(3), 167–176.
39. Rankl, W., & Effing, W. (2004). Smart card handbook. New York: Wiley.
40. Han, W., & Zhu, Z. (2014). An ID-based mutual authentication with key agreement protocol for multiserver environment on elliptic curve cryptosystem. International Journal of Communication Systems, 27(8), 1173–1185.
41. He, D. (2012). An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Networks, 10(6), 1009–1016.
42. Khatwani, C., & Roy, S. (2015). Security analysis of ECC based authentication protocols. In 2015 International conference on computational intelligence and communication networks (CICN) (pp. 1167–1172). IEEE.
43. Roy, S. (2017). Denial of service attack on protocols for smart grid communications. In Security solutions and applied cryptography in smart grid communications (pp. 50–67). IGI Global.
44. Viganò, L. (2006). Automated security protocol analysis with the AVISPA tool. Electronic Notes in Theoretical Computer Science, 155, 61–86.
45. AVISPA Web Tool. (2017). Automated validation of internet security protocols and applications.
46. HLPSL Tutorial. (2006). http://www.avispa-project.org/package/tutorial.pdf.
47. Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
48. Roy, S., Das, A. K., & Li, Y. (2011). Cryptanalysis and security enhancement of an advanced authentication scheme using smart cards, and a key agreement scheme for two-party communication. In 2011 IEEE 30th international performance computing and communications conference (IPCCC) (pp. 1–7). IEEE.
49. Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, 426, 233–271.
50. Wen, J., Zhang, M., & Li, X. (2005). The study on the application of BAN logic in formal analysis of authentication protocols. In Proceedings of the 7th international conference on electronic commerce (pp. 744–747). ACM.
51. Wang, S., Cao, Z., Cao, F., et al. (2008). Efficient identity-based authenticated key agreement protocol with PKG forward secrecy. IJ Network Security, 7(2), 181–186.
52. Hafizul Islam, S. K., & Biswas, G. P. (2015). A pairing-free identity-based two-party authenticated key agreement protocol for secure and efficient communication. Journal of King Saud University-Computer and Information Sciences, 29(1), 63–73.
53. Farash, M. S., Chaudhry, S. A., Heydari, M., Sadough, S., Mohammad, S., Kumari, S., et al. (2017). A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems, 30(4), 2017.


Susmita Mandal is presently pursuing a Ph.D. in the Department of Computer Science and
Engineering, National Institute of Technology Rourkela, India. She received her B.Tech degree
from G. Narayanamma Institute of Technology and Science, Hyderabad, India, in 2009. In 2012,
she received her M.Tech degree in Information Security and Computer Forensics from SRM
University, Chennai, India. Her current research interests include authentication, key
exchange, wireless ad hoc networks, financial cryptography and multiparty computation.

Sujata Mohanty is an Assistant Professor in the Department of Computer Science and
Engineering, National Institute of Technology Rourkela, India, since 2008. In 2013, she
received her Ph.D. degree from National Institute of Technology, Rourkela, India. She has 7
years of teaching and research experience. Her current research interests include information
security, digital signatures and cryptography.

Banshidhar Majhi is a Professor in the Department of Computer Science and Engineering,
National Institute of Technology Rourkela, India, since 2006. In 2003, he received his Ph.D.
degree from Sambalpur University, India. He has 24 years of teaching and research experience.
He has published several articles in refereed journals and international conferences and has
worked on several government-funded projects. His areas of interest include data structures,
image processing, cryptography, biometrics, parallel processing and soft computing.
