Forward Anonymity-Preserving Secure Remote Authentication Scheme

  • Lee, Hanwook (Department of Computer Engineering, Sungkyunkwan University) ;
  • Nam, Junghyun (Department of Computer Engineering, Konkuk University) ;
  • Kim, Moonseong (Information Management Division, Korean Intellectual Property Office) ;
  • Won, Dongho (Department of Computer Engineering, Sungkyunkwan University)
  • Received : 2015.05.10
  • Accepted : 2016.01.21
  • Published : 2016.03.31

Abstract

Dynamic ID-based authentication solves the ID-theft problem by changing the ID in each session instead of using a fixed ID while performing authenticated key exchanges between communicating parties. User anonymity is expected to be maintained and the exchanged key kept secret even if one of the long-term keys is compromised in the future. However, in the conventional dynamic ID-based authentication scheme, if the server's long-term key is compromised, user anonymity can be broken or the identities of the users can be traced. In addition, these schemes are vulnerable to replay attacks, in which any adversary who captures the authentication message can retransmit it, and eventually cause the legitimate user to be denied service. This paper proposes a novel dynamic ID-based authentication scheme that preserves forward anonymity as well as forward secrecy and obviates replay attacks.

1. Introduction

Authenticated key exchange allows two or more parties to compute shared keys and also ensures their identities are authentic in insecure networks. Conventional authenticated key exchange protocols transfer identity information (ID) in plain text. Consequently, attackers can eavesdrop on communications between parties for information that enables them to forge the login request messages of legitimate users. Das et al. proposed a countermeasure in the form of a dynamic ID-based authentication scheme in which the user ID changes in every session based on the one-way hash function [1]. In the proposed scheme, the dynamic ID appears like a random number but in such a manner that legitimate parties can acquire the correct static ID without attackers being able to distinguish it. Although the scheme’s ability to provide user anonymity, mutual authentication, and security was subsequently deemed inadequate [2-4], it significantly influenced later studies related to user anonymity protection.

The dynamic ID-based authentication scheme can be classified as a client encryption scheme or a server encryption scheme, depending on the party that creates the dynamic ID. In the client encryption scheme, the client encrypts the static ID using secret information induced either by the server’s long-term or public key [1,3-12]. Conversely, in the server encryption scheme, the server encrypts the static ID using its own long-term key and transfers this dynamic ID, for subsequent use in the authentication process, to the user [13-18]. In each of these schemes, the user requires a device such as a smart card that can store and manage secret information acquired from the server’s long-term key, its public key, or a dynamic ID securely created by the server. Smart cards are convenient, portable, and inexpensive. Consequently, they are being widely adopted for two-factor authentication in remote host login, online banking, e-commerce, and e-health systems. Initially, dynamic ID-based authentication schemes adopted hash functions or symmetric key encryptions because of the poor performance of smart cards. However, more recent schemes have adopted complex operations such as public key encryption as a result of advancements in smart card technology. The most outstanding advantage of public key encryption over hash functions and symmetric key encryption is its ability to ensure forward secrecy.

Forward secrecy is a property that ensures that an established session key is not damaged, even if the long-term key used in key establishment is compromised. It is very important to ensure forward secrecy in order to prevent data leaks in the face of long-term key damage as a result of a system failure or leak, whether accidental or deliberate, because past data can be sensitive in the future as well. Various schemes that ensure forward secrecy have been proposed by researchers such as Sun et al. [14], Horng et al. [5], Wu et al. [8], Ma et al. [9], Wang et al. [10], and Jiang et al. [18].

However, because the schemes cited above used static long-term or public keys instead of the server’s ephemeral public key to generate a dynamic ID, they had the following two vulnerabilities. First, forward anonymity is not assured. Forward anonymity—first proposed by Diffie et al. to explain their station-to-station protocol attributes [19]—is similar to forward secrecy but prevents attackers from exposing any information about the identities of participants. In server encryption schemes and client encryption schemes that use secret information induced from a server’s long-term key, the static ID can be acquired from collected communication messages if a server’s long-term key is compromised. In client encryption schemes that use a static rather than an ephemeral public key to transfer a dynamic ID, the static ID can be identified immediately or can be traced if the static public key is compromised. As a result, the revealed ID may be used to identify messages from specific users, or as partial information to regenerate session keys.

Second, the schemes are vulnerable to replay attacks. Because the user ID is transferred using plain text in authentication schemes that do not ensure user anonymity, an eavesdropper can guess its password. This type of scheme defends against online dictionary attacks by limiting the number of attempts, but cannot limit attacks by attackers who try incorrect passwords repeatedly in order to induce denial of service. On the other hand, in schemes that ensure user anonymity, attackers cannot distinguish the static IDs of victims. Thus, replay attacks must be prevented if attackers do not know the static ID or dynamic ID generated by the server. However, attackers who eavesdrop on login request messages can carry out replay attacks by retransmitting the message to the server. This paper proposes a novel dynamic ID-based authentication scheme that solves the above problems by providing forward secrecy and forward anonymity. Further, we prove that the proposed scheme is secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models.

The remainder of this paper is organized as follows: Section 2 defines the adversary model. Section 3 gives a brief review and cryptanalysis of Horng et al.’s, Wu et al.’s, and Wang et al.’s schemes. Section 4 outlines our proposed scheme. Section 5 and Section 6 conduct a security analysis and a performance analysis of our proposed scheme, respectively. Section 7 concludes this paper.

 

2. Adversary Model

Hao summarized robust security in the extreme-adversary principle as protection against an extremely powerful adversary who has all capabilities except that of trivially breaking a certain scheme [20]. On the basis of this ultimate definition of protocol security, Wang et al. [10] proposed the following six capabilities of the adversary for password-based dynamic ID authentication schemes that utilize smart cards: (1) full control of communication channel, (2) off-line enumeration of all possible ID-password pairs, (3) user ID identification, (4) password detection or sensitive information extraction from smart cards, (5) acquisition of the previous session key(s), and (6) acquisition of the server’s long-term key(s). They proved the above capabilities both theoretically and practically through the following cases: ID and password can be exposed through malicious smart card readers; ID can be guessed easily when a user selects an easy-to-memorize ID; and as a result, ID has low entropy so attackers can attempt off-line guessing attacks against all possible ID-password pairs within polynomial time. Note that the capability to acquire the server’s long-term key among the above six capabilities is limited to evaluation of the server’s final failure, called weak forward secrecy [21]. A scheme that provides weak forward security is vulnerable to session interception and user impersonation attacks when a long-term key is compromised.

The scheme proposed by Wang et al. [10] is trivially broken when a long-term key and the user registration table in the server are simultaneously compromised. Attackers can acquire either the server’s long-term key or user registration table without restrictions under the condition that two events do not occur simultaneously, according to the extreme-adversary principle. However, the scheme uses low precision time, resulting in it being susceptible to user impersonation attacks that can easily be carried out by any attacker who acquires a long-term key.

We propose the following adversary model, in which the adversary model proposed by Wang et al. is bolstered with strong forward secrecy characteristics:

Capabilities 1 to 5 are the same as those proposed by Wang et al. Capability 6 includes forward secrecy against the active adversary. If the adversary learns both the server’s long-term key and the registration table, then the protocol can be trivially broken; therefore, it was excluded from the capabilities.

 

3. Review of Dynamic ID-based Authentication Schemes

In this section, we briefly review dynamic ID-based authentication schemes that ensure forward secrecy—specifically, those proposed by Horng et al. [5], Wu et al. [8], and Wang et al. [10]—and discuss their vulnerabilities. Each scheme is a client encryption scheme that performs Diffie-Hellman key exchange using the client’s ephemeral public key and the server’s public key, and then encrypts the static ID using the key exchanged. The procedure comprises several phases—specifically, registration, login, authentication, and password changing. The password changing phase is not dealt with in this paper. The notations used throughout this paper are defined in Table 1.

Table 1. Notations

3.1 Review of Horng et al.’s Scheme

Horng et al.’s scheme uses $H(s)$ and $g^{H(s)}$ as the server's private key and corresponding public key, respectively.

Registration phase:

Login phase:

Authentication phase:

3.1.1 Cryptanalysis of Horng et al.’s scheme

Off-line password guessing attack: An attacker A acquires $W_A$, $w_A$, $b_A$ stored in his own legally issued smart card by executing side-channel attacks. Then, A can get $g^{H(s)} \bmod p$ via the following calculation:

Now let us assume that A steals the smart card of victim U and acquires W, w, b stored in U’s smart card in the same way. A can guess a password $pw^*$ from the dictionary Password and check whether the corresponding $(g^{H(s)})^{W \oplus H(b \,\|\, pw^*)} \bmod p$ is equal to $w$. If it is, the correct password is $pw^*$. Otherwise, A selects another password and repeats this process until the correct password is found.

Online ID verification attack: Attacker A may need a process to know whether the guessed ID is a valid ID registered on the server prior to attacking user U. The vulnerability of the scheme is that the validity of the ID can be checked online. If an attacker already has $g^{H(s)}$ as in the off-line password guessing attack, he/she may compute $C' = g^{a'} \bmod p$ and send $C'$ to the server without knowing I, because the server cannot distinguish between $C'$ and $C = g^{aI} \bmod p$, where $a$ and $a'$ are random numbers. An attack can be carried out as follows:

No forward anonymity: If a long-term master key s or static private key $H(s)$ of S is compromised, the attacker can calculate $R = C^{H(s)} \bmod p$ from the login request message $\{C, \mathcal{E}_R(id, M_1)\}$ and decrypt $\mathcal{E}_R(id, M_1)$ to determine id of the user.

Replay attack: Eavesdropper A, who captured the login request message sent by U to S, subsequently retransmits this message to S. S decrypts the message as usual in the authentication phase, and a response message is created in reply to A. However, A cannot decrypt the response message, hence correct M4 cannot be calculated, causing authentication failure. A repeats this process and eventually exceeds the number of online attempts allocated to legitimate user U.

3.2 Review of Wu et al.’s Scheme

Wu et al.'s scheme is based on an elliptic curve E defined over a prime finite field Fp. Let P be a base point with a large order q, s be a master key, and (x, Q = x⋅P) be the server's private key and corresponding public key, respectively.

Registration phase:

Precomputation phase: The smart card chooses two random elements r1, r2 in , computes R1 = r1⋅P, R2 = r2⋅P, Z2 = r2⋅Q, and h = H1(R2║Q║Z2), and stores R1, r1, R2, h into its memory for use in the authentication and key agreement phase.

Authentication and key agreement phase:

3.2.1 Cryptanalysis of Wu et al.’s scheme

Smart card loss attack: Attacker A steals the smart card of victim U and determines the A and R1, r1, R2, h stored in the registration and precomputation phases, respectively, via side-channel attacks. Then, A returns the smart card to its original location without the victim's knowledge. Consequently, when U attempts to log in to S, A eavesdrops on the login request message to acquire {did, , R2}, and guesses U’s password via the following process:

No forward anonymity: If S’s private key x is compromised, the attacker calculates (id║cid) = did ⊕ H1(R2║Q║x⋅R2) from the login request message {did, , R2}, thereby finding the id and cid of the user.

Replay attack: Eavesdropper A, who captured login request message {did, , R2}, which was transferred by U to S, subsequently retransmits this message to S. Authentication will fail because A does not know r1, which will be used to calculate Z1. However, because S does not store all past messages transmitted by U, it cannot distinguish whether this request is an attack via retransmission or simply an incorrect password input by U. Thus, A repeats this process and may eventually exceed the number of online attempts allocated to legitimate user U.

3.3 Review of Wang et al.’s Scheme

Registration phase:

Login phase:

Verification phase:

3.3.1 Cryptanalysis of Wang et al.’s scheme

No forward anonymity: When S’s private key x is compromised, eavesdropper A can identify $id = cid \oplus H_0(C_1 \,\|\, (C_1)^x \bmod p)$ using the information collected from the login request message {C1, cid, M}.

Replay attack: Eavesdropper A, who captured login request message {C1, cid, M}, which was transferred by U to S, subsequently retransmits this message to S. Authentication will fail because A does not know random number u, which will be used to calculate C4 by A. However, S does not store all past messages transmitted by U, so it cannot distinguish whether this request is an attack via retransmission or simply an incorrect password input by U. Thus, A repeats this process and may eventually exceed the number of online attempts allocated to legitimate user U.

User impersonation attack: Assuming that the precision of time T, generated in the registration phase, is less than or equal to a second, as in the Unix time function, its increase is less than $3.2 \times 10^7$ per year. As such, if low precision time is used and the server's private key x is compromised, eavesdropper A can calculate a shared secret k between user and server via the following process using information collected from login request message {C1, cid, M}.

A calculates $Y_1 = (C_1)^x \bmod p$ and $id = cid \oplus H_0(C_1 \,\|\, Y_1)$ from the message. Then, the following computation is performed with respect to all time $T^*$, from service initiation of the server to current time.

1. Compute $k^* = H_0(x \,\|\, id \,\|\, T^*)$ and $M^* = H_0(Y_1 \,\|\, k^* \,\|\, cid)$.

2. Iterate the calculation until $M^* = M$.

The actual value shared by the server and user is k, so if the value of k is known, the user impersonation attack can be easily accomplished. To interrupt this attack, the time T used in the registration phase should contain a sufficiently long random number along with time information.
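The following added example (not code from the paper) shows why a second-granularity T leaves k recomputable once x is known, next to the fix recommended above. SHA-256 truncated to 128 bits stands in for H0, and every key, identity and timestamp is a constructed placeholder.

```python
import hashlib
import math
import secrets


def h0(*parts: bytes) -> bytes:
    """H0 modelled as SHA-256 truncated to 128 bits, inputs length-prefixed."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()[:16]


def ts(t: int) -> bytes:
    """Encode a whole-second Unix timestamp."""
    return t.to_bytes(8, "big")


def register_weak(x: bytes, user_id: bytes, t: int) -> bytes:
    """Registration secret as reviewed: k = H0(x || id || T), T in seconds."""
    return h0(x, user_id, ts(t))


def register_hardened(x: bytes, user_id: bytes, t: int):
    """Recommended fix: T carries a long random value alongside the time.
    Returns (k, r); the server has to store r because it cannot be recomputed."""
    r = secrets.token_bytes(16)
    return h0(x, user_id, ts(t) + r), r


def authenticator(y1: bytes, k: bytes, cid: bytes) -> bytes:
    """M = H0(Y1 || k || cid), the value carried in the login request."""
    return h0(y1, k, cid)


def k_derivable_from_x(x, user_id, y1, cid, m, t_first, t_last):
    """Audit check: with x and one recorded request, does some timestamp T*
    in [t_first, t_last] reproduce M? Returns that T*, or None."""
    for t_star in range(t_first, t_last + 1):
        if authenticator(y1, h0(x, user_id, ts(t_star)), cid) == m:
            return t_star
    return None


def unknown_bits(service_years: float, random_bits: int = 0) -> float:
    """Bits of k's input that remain unknown once x and id are known."""
    return math.log2(service_years * 365 * 24 * 3600) + random_bits


def demo():
    # Constructed values; Y1 and id stand for what the text derives from x.
    x = b"server-private-key-placeholder"
    user_id, y1, cid = b"alice", b"Y1-placeholder", b"cid-placeholder"
    t_first = 1_400_000_000               # service start
    t_reg = t_first + 54_321              # registration time
    t_last = t_first + 86_400             # one-day window, kept small to run fast

    m_weak = authenticator(y1, register_weak(x, user_id, t_reg), cid)
    k_hard, _r = register_hardened(x, user_id, t_reg)
    m_hard = authenticator(y1, k_hard, cid)
    return {
        "weak_T_found": k_derivable_from_x(
            x, user_id, y1, cid, m_weak, t_first, t_last),
        "hardened_T_found": k_derivable_from_x(
            x, user_id, y1, cid, m_hard, t_first, t_last),
        "weak_bits_1y": round(unknown_bits(1), 1),
        "hardened_bits_1y": round(unknown_bits(1, 128), 1),
    }


if __name__ == "__main__":
    print(demo())
```

With the random value included, the server's registration table becomes the only place k's remaining input lives, which matches the adversary model's exclusion of simultaneous compromise of x and the table.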

 

4. Our Proposed Scheme

In this section, we outline our proposed dynamic ID-based authentication scheme, in which forward secrecy and forward anonymity are preserved and replay attacks are obviated using a smart card. The scheme comprises three phases: registration phase, authentication phase, and password changing phase.

Registration phase: Our scheme is defined over a finite cyclic group G of prime order q with g as a generator. Hash functions $\{0,1\}^* \to \{0,1\}^{\ell_i}$ are denoted by $H_i$, where $i \in \{0,1,2,3,4,5\}$ and $\ell_i$ is the output bit length of $H_i$. Let $(x, y = g^x \bmod p)$ denote server S’s private key and its corresponding public key. When user U wishes to register his/her ID to server S, the following operations are performed:

Authentication phase:

Password changing phase: In our scheme, the user can change his/her password either interactively or non-interactively. Although the non-interactive procedure is simple, it may render the smart card unusable if the user enters a wrong password by mistake or an adversary intentionally inputs an arbitrary password after gaining temporary access to the smart card. Thus, we suggest the following interactive password change procedure:

Fig. 1. The proposed scheme

 

5. Security Analysis

In this section, we describe a formal security model for dynamic ID-based authentication schemes using smart cards, and show that our scheme is secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models.

5.1 Formal Security Model

We adopt the security model defined by Wang et al. [10], which is based on previous work by Bellare et al. [22] and Bresson et al. [23], to define the special security requirements for password authentication schemes using smart cards.

Players. We denote a server S and a client U that can participate in the authenticated key exchange protocol P. Each of them may have several instances, called oracles, involved in distinct, possibly concurrent, executions of P. We denote client instances (resp. server instances) by Ui (resp. Sj), or by I when we consider any kind of instance.

Queries. The adversary, A, interacts with the participants and tries to break the privacy of the key or the authentication of the players. To this aim, several queries are available to A.

Semantic Security. The privacy of the session key is modeled by the game $\mathrm{Game}^{ake}(A, P)$, in which one more query is available to the adversary: Test(I). The Test(I)-query can be asked at most once by adversary A and is only available to A if the session key is not obviously known to A. This query is answered as follows: one flips a coin b and forwards sk (the value Reveal(I) outputs) if b = 1, or a random value if b = 0. In playing this game, the goal of the adversary is to guess the bit b involved in the Test(I)-query, by outputting this guess b′. We denote AKE Advantage as the probability that A correctly guesses the value b. More precisely, we define it by = 2Pr[b = b′]−1. Protocol P is said to be AKE-secure if such a probability is negligible in the security parameter.

Authentication. Another goal of the adversary is to impersonate the client or the server. We denote by the probability that A successfully impersonates an instance of U in the execution of P. Protocol P is said to be Auth-secure if such a probability is negligible in the security parameter.

Computational Diffie-Hellman Assumption. A $(t, \varepsilon)$-$\mathrm{CDH}_{g,G}$ attacker, in a finite cyclic group G of prime order q with g as a generator, is a probabilistic machine Δ running in time t such that its success probability, , given random elements $g^x$ and $g^y$ to output $g^{xy}$, is greater than ε. As usual, we denote by the maximal success probability over all adversaries running within time t. The CDH-Assumption states that ≤ ε for any t⁄ε that is not overly large.

5.2 Security Proof

Semantic Security. The following theorem shows that the proposed scheme securely distributes session keys under the reasonable and well-defined intractability assumptions.

Theorem 1. Let P be the above protocol and Password be a finite dictionary of size N equipped with a uniform distribution. Let A be an adversary against the AKE security of P within a time bound t, with less than qs interactions with the parties and qp passive eavesdroppings, and asking qh hash-queries and qe encryption/decryption-queries. Then, we have

where t′ ≤ t + (qs + qp + 1)⋅τG with ℓ denoting min{ℓ1, ℓ2, ℓ3, ℓ4} and τG denoting the computational time for an exponentiation in G.

Proof. We prove this theorem through a sequence of games beginning with the real protocol and ending up with a game where adversary A’s advantage is zero. The details of the proof can be found in Appendix A.1. □

Authentication. The following theorem shows that the proposed scheme further ensures mutual authentication, in the sense that neither a server instance nor a client instance will accept an authenticator that has not been actually sent by the related instance with probability significantly greater than qs/N.

Theorem 2. Let P be the above protocol and Password be a finite dictionary of size N equipped with a uniform distribution. Let A be an adversary against the mutual authentication within a time bound t, with less than qs interactions with the parties and qp passive eavesdropping, and asking qh hash-queries and qe encryption/decryption-queries. Then, we have

where t′ ≤ t + (qs + qp + 1)⋅τG with ℓ denoting min{ℓ1, ℓ2, ℓ3, ℓ4} and τG denoting the computational time for an exponentiation in G.

Proof. The proof of this theorem is similar to the previous one. The details of the proof can be found in Appendix A.2. □

5.3 Resistance to Possible Attacks

User anonymity and forward anonymity: Even if attacker A eavesdrops on a message {B, ID∗, A, MU, MS} between user and server during the authentication phase, and moreover, even if A knows the server's private key x, A has to know random number a, chosen by the user, or random number b, chosen by the server in order to acquire ID from ID∗. Otherwise, A has to solve a discrete logarithm problem to acquire ID from ID∗ under the condition that the attacker does not know a or b. Thus, the proposed scheme provides user anonymity, user untraceability and forward anonymity.

Forward secrecy: Even if an adversary A eavesdrops on a message {B, ID∗, A, MU, MS} between user and server during the authentication phase, and even if A knows the server's private key x and the confidential information VU, A has to know random number a, chosen by the user, or random number b, chosen by the server, in order to acquire sk. Otherwise, A has to solve a discrete logarithm problem to acquire sk. Thus, the proposed scheme provides forward secrecy.

Smart card loss attack (user impersonation attack): MU is protected by the secured one-way hash function so that server S can detect this easily if the attacker cannot calculate a valid MU, even when the attacker has managed to tamper with a legitimate user's authentication message. Moreover, even if confidential information , stored in the smart card is exposed, the correct VU cannot be acquired if the attacker does not know the password. Consequently, a valid MU cannot be calculated. Thus, the proposed scheme is secure against smart card loss and user impersonation attacks.

Replay attack: In other schemes, service denial attacks can succeed by retransmitting captured login request messages until the allocated number of online attempts is exceeded. The proposed scheme uses the server's ephemeral public key, which is changed in every session, for ID∗ conversion, so a retransmitted message cannot be tied to the user of a particular session and therefore cannot increase the number of attempts. Thus, replay attacks will fail.
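The forward anonymity and replay paragraphs above, and the matching cryptanalysis in Section 3, are contrasted in this added example, which is not code from the paper: a dynamic ID padded with a static-key Diffie-Hellman value versus one padded with a per-session value. The ephemeral formulas, the toy group, the 64-bit pad and the `Server` lockout model are assumptions of this sketch, since the paper's own message formulas (Fig. 1) are not reproduced on this page.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2^127 - 1 is prime, g = 3.
P = 2**127 - 1
G = 3
MAX_FAILURES = 3                      # assumed per-user online-attempt limit
ALICE = 0xA11CE001                    # constructed identity


def mask(*values: int) -> int:
    """Hash group elements to a 64-bit pad that is XOR-ed with the identity."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def rand_exp() -> int:
    return secrets.randbelow(P - 3) + 2


def static_request(user_id: int, y: int, u: int):
    """Reviewed schemes: C1 = g^u, cid = id XOR H(C1 || y^u), y static."""
    c1 = pow(G, u, P)
    return c1, user_id ^ mask(c1, pow(y, u, P))


def static_unmask(c1: int, cid: int, x: int) -> int:
    """Server, or anyone who later obtains x: id = cid XOR H(C1 || C1^x)."""
    return cid ^ mask(c1, pow(c1, x, P))


def ephemeral_request(user_id: int, big_b: int, a: int):
    """Simplified model of the proposed approach (assumption of this example):
    A = g^a, ID* = ID XOR H(A || B || B^a), with B fresh in every session."""
    big_a = pow(G, a, P)
    return big_a, user_id ^ mask(big_a, big_b, pow(big_b, a, P))


def ephemeral_unmask(big_a: int, id_star: int, b: int) -> int:
    """Server: ID = ID* XOR H(A || B || A^b); b is erased after the session."""
    return id_star ^ mask(big_a, pow(G, b, P), pow(big_a, b, P))


class Server:
    """Counts failed logins per registered identity (the lockout policy)."""
    def __init__(self, registered):
        self.failures = {uid: 0 for uid in registered}

    def charge_failure(self, claimed_id: int) -> bool:
        if claimed_id not in self.failures:
            return False              # cannot be attributed to any user: dropped
        self.failures[claimed_id] += 1
        return True

    def locked(self, uid: int) -> bool:
        return self.failures[uid] >= MAX_FAILURES


def demo():
    x = rand_exp()                    # server long-term private key
    y = pow(G, x, P)

    # Static scheme: one recorded request, later retransmitted unchanged.
    recorded = static_request(ALICE, y, rand_exp())
    srv_static = Server([ALICE])
    for _ in range(MAX_FAILURES):
        # The sender cannot finish the handshake, so each replay is a failure.
        srv_static.charge_failure(static_unmask(*recorded, x))

    # Ephemeral scheme: the honest session works, then b is discarded.
    b = rand_exp()
    big_a, id_star = ephemeral_request(ALICE, pow(G, b, P), rand_exp())
    honest = ephemeral_unmask(big_a, id_star, b)
    srv_eph = Server([ALICE])
    charged = 0
    for _ in range(MAX_FAILURES):
        # A replay meets a new session with a new b, so it unmasks to noise.
        charged += srv_eph.charge_failure(ephemeral_unmask(big_a, id_star, rand_exp()))

    return {
        "static_id_from_transcript_and_x": static_unmask(*recorded, x),
        "static_user_locked": srv_static.locked(ALICE),
        "ephemeral_honest_id": honest,
        # x alone does not help: the pad depends on g^(ab), not on x.
        "ephemeral_id_from_transcript_and_x":
            id_star ^ mask(big_a, pow(G, b, P), pow(big_a, x, P)),
        "ephemeral_user_locked": srv_eph.locked(ALICE),
        "ephemeral_failures_charged": charged,
    }


if __name__ == "__main__":
    print(demo())
```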

Key compromise impersonation attacks: Let us assume that attacker A has stolen the server's private key x. However, A does not know random number R for user U, which is stored in the registration table, so A cannot calculate H5(x║ID║R) correctly and U cannot be impersonated.

 

6. Performance Analysis

In Table 2, we provide a comparative summary of relevant dynamic ID-based forward security preserving authentication schemes, including our proposed scheme. The schemes are compared in terms of computation, communication, and security.

Table 2. SKS: session key security; FS: forward secrecy; UA: user anonymity; FA: forward anonymity; RSCL: resistance to smart card loss attacks; RR: resistance to replay attacks

We assume that the identities are 32-bit long random numbers and that the outputs of the one-way hash function are 128-bit long. Further, we assume that public key parameters p, y, and g are 1024-bit, q is 128-bit long, and the elliptic curve point is 160-bit long. Let TE, TS, TH, and TM denote the time complexity for exponential operation, symmetric encryption/decryption, hash function evaluation, and scalar-point multiplication, respectively.

During the authentication phase in our scheme, the total computation cost of the user and server is 6TE + 1TS + 10TH and the communication cost is 2464 (= 32 + 3 × 128 + 2 × 1024) bits. Our scheme is more efficient than Horng et al.’s and is no less efficient than Wang et al.’s. Furthermore, it provides forward anonymity and resists both smart card loss attacks and replay attacks, whereas Horng et al.’s, Wu et al.’s, and Wang et al.’s schemes are susceptible to such attacks.

 

7. Conclusion

In this paper, we demonstrated that three dynamic ID-based authentication schemes that preserve forward secrecy cannot guarantee forward anonymity and can be vulnerable to replay attacks because they use static long-term keys instead of the server’s ephemeral keys to generate dynamic IDs. We then presented an adversary model that incorporates forward secrecy against active attackers according to the extreme-adversary principle and proposed a dynamic ID-based authentication scheme in which forward secrecy and forward anonymity are preserved and replay attacks through retransmission of the authentication messages can be obviated. We subsequently proved that our scheme is secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models.

References

  1. M. L. Das, A. Saxena and V. P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  2. A. K. Awasthi and S. Lal, “Security analysis of a dynamic ID-based remote user authentication scheme,” IACR Cryptology ePrint Archive, 2004.
  3. I. Liao, C. Lee and M. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme,” in Proc. of Int. Conf. on Next Generation Web Services Practices, 2005.
  4. H. Chien and C. Chen, “A remote authentication scheme preserving user anonymity,” in Proc. of 19th Int. Conf. on Advanced Information Networking and Applications, pp. 245-248, 2005.
  5. W. Horng, C. Lee and J. Peng, “A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards,” WSEAS Transactions on Information Science and Applications, vol. 7, no. 5, pp. 619-628, 2010.
  6. J. Tsai, T. Wu and K. Tsai, “New dynamic ID authentication scheme using smart cards,” International Journal of Communication Systems, vol. 23, no. 12, pp. 1449-1462, 2010. https://doi.org/10.1002/dac.1118
  7. M. K. Khan, S. Kim and K. Alghathbar, “Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’,” Computer Communications, vol. 34, no. 3, pp. 305-309, 2011. https://doi.org/10.1016/j.comcom.2010.02.011
  8. S. Wu, Y. Zhu and Q. Pu, “Robust smart-cards-based user authentication scheme with user anonymity,” Security and Communication Networks, vol. 5, no. 2, pp. 236-248, 2012. https://doi.org/10.1002/sec.315
  9. C. Ma, D. Wang and Q. Zhang, “Cryptanalysis and improvement of Sood et al.'s dynamic ID-based authentication scheme,” Distributed Computing and Internet Technology, pp. 141-152, 2012.
  10. D. Wang, C. Ma, P. Wang and Z. Chen, “Robust smart card based password authentication scheme against smart card security breach,” IACR Cryptology ePrint Archive, 2012.
  11. C. Liu and C. Ma, “An efficient and provable secure pake scheme with robust anonymity,” Information Computing and Applications, 2012.
  12. T. Cao and J. Zhai, “Improved dynamic ID-based authentication scheme for telecare medical information systems,” Journal of medical systems, vol. 37, no. 2, pp. 1-7, 2013. https://doi.org/10.1007/s10916-012-9912-5
  13. W. Juang, S. Chen and H. Liaw, “Robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556, 2008. https://doi.org/10.1109/TIE.2008.921677
  14. D. Sun, J. Huai, J. Sun, J. Li, J. Zhang and Z. Feng, “Improvements of Juang’s password-authenticated key agreement scheme using smart cards,” IEEE Transactions on Industrial Electronics, vol. 56, no. 6, pp. 2284-2291, 2009. https://doi.org/10.1109/TIE.2009.2016508
  15. X. Li, W. Qiu, D. Zheng, K. Chen and J. Li, “Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 57, no. 2, pp. 793-800, 2010. https://doi.org/10.1109/TIE.2009.2028351
  16. C. Chang, H. Le and C. Chang, “Novel untraceable authenticated key agreement protocol suitable for mobile communication,” Wireless personal communications, vol. 71, no. 1, pp. 425-437, 2013. https://doi.org/10.1007/s11277-012-0822-0
  17. Q. Jiang, J. Ma, Z. Ma and G. Li, “A privacy enhanced authentication scheme for telecare medical information systems,” Journal of medical systems, vol. 37, no. 1, pp. 1-8, 2013. https://doi.org/10.1007/s10916-012-9897-0
  18. Q. Jiang, J. Ma, G. Li and L. Yang, “Robust two-factor authentication and key agreement preserving user privacy,” IJ Network Security, vol. 16, no. 3, pp. 229-240, 2014.
  19. W. Diffie, P. C. Van Oorschot and M. J. Wiener, “Authentication and authenticated key exchanges,” Designs, codes and cryptography, vol. 2, no. 2, pp. 107-125, 1992. https://doi.org/10.1007/BF00124891
  20. F. Hao, “On robust key agreement based on public key authentication,” Financial Cryptography and Data Security, pp. 383-390, 2010.
  21. H. Krawczyk, “HMQV: A high-performance secure Diffie-Hellman protocol,” Advances in Cryptology-CRYPTO 2005, pp. 546-566, 2005.
  22. M. Bellare, D. Pointcheval and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” Advances in Cryptology-Eurocrypt 2000, pp. 139-155, 2000.
  23. E. Bresson, O. Chevassut and D. Pointcheval, “Security proofs for an efficient password-based key exchange,” in Proc. of 10th ACM conf. on Computer and communications security, pp. 241-250, 2003.