a generic multifactor authenticated key exchange with...

Research ArticleA Generic Multifactor Authenticated KeyExchange with Physical Unclonable Function

Jin Wook Byun

Department of Information and Communication Pyeongtaek University Yongi-dong 111 Pyeongtaek-siGyeonggi-do Republic of Korea

Correspondence should be addressed to Jin Wook Byun jwbyunptuackr

Received 31 October 2018 Revised 4 January 2019 Accepted 8 January 2019 Published 4 March 2019

Academic Editor Bela Genge

Copyright copy 2019 Jin Wook Byun This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

We study how to generally construct a PUF-based multifactor authenticated key exchange (MAKE) protocol from any securepassword-based authenticated key exchange protocol We newly consider a new setting in which a user holding a PUF-embeddeddevice desires to perform an authenticate key exchange through multifactor authentication factors (password biometrics secret)Our construction is the first PUF-based general MAKE construction By applying a PUF in a device our MAKE constructionis still secure even if all authentication factors are totally compromised Our construction is the first PUF-based generic MAKE

protocol requiring additional three communication flows without any public key based primitives such as signature

1 Introduction

To establish a secure communication over public networka secure exchange of secret key with authentication is anabsolute prerequisite Thus authenticated key exchange (forshort AKE) has been one of the most important crypto-graphic primitives Basically for practical and secure AKEa memory requirable long-term secret key a human mem-orable password and human-dependent biometric informa-tion have been utilized as authentication factors in the AKEIf the AKE protocol is designed with only one factor (egsecret key or password) for authentication it is consideredas a one-factor AKE Bellare and Rogaway first formalizedsecurity notions and definitions for the one-factor AKE

based on symmetric secret key [1] Subsequently Bellare etal have established a new security model in case of mem-orable password [2] (for short PAKE) In a span of twentyyears these two models not only have been the foundationfor subsequent PAKE results achieving augmented provablesecurity with efficiency [3 4] but also have been bases for theextended model such as group three-party and multifactor(secret password biometrics) authentication settings [5ndash9] In this paper we aim to design a generic frameworkto transform any secure PAKE into a secure MAKE with

physical unclonable function Before discussing our motiva-tions let us briefly summarize relevant results on provablysecure AKE and MAKE constructions

If two authentication factors (secret key and password)are simultaneously used into an AKE protocol we considerit as a two-factor AKE (for short TAKE) protocol Withthe rapid popularization of smartcard there have beenhuge amounts of research on TAKE in a practical scenariowhere a user memorizes own password and possesses asecret key in each own smartcard [10ndash16] In a smartcardsetting it is impossible to list all (or even some specificrelated works and topics) works here One main researchstream is that many protocols have been found to be flawedand then finally redesigned repeatedly Furthermore ourpaper does focus on not the TAKE but the MAKE thathandles multifactor AKE However in the TAKE therehave been good relevant works on generic constructionFirst Yang et al [17] have designed a framework to trans-form a secure password-based PAKE [18] suggested byHalevi and Krawczyk into the TAKE protocol The mainidea is to combine the HK password-based PAKE withsignature-based authenticator which finally enables achiev-ing a general TAKE scheme However it is not generalconstruction since the scheme is only able to transform

HindawiSecurity and Communication NetworksVolume 2019 Article ID 5935292 15 pageshttpsdoiorg10115520195935292

2 Security and Communication Networks

the HK scheme into two-factor scheme and is not be able tohandle all kinds of secure PAKE for building TAKE In 2010Stebila et al suggestedmultifactor password-based AKE [19]It has been designed to allow multiple kinds of passwordsMore precisely this protocol deals with multiple passwordsfor authentication (note that biometrics is not included at all)Hence it is fair to say that it falls into the TAKE protocolBesides the protocol relies on the PKI environment andrandom oracle model for security proof In 2014 Huanget al have presented new types of adversaries with pre-computed and different data on the smart card in a TAKE

setting [20] Two TAKE schemes [21 22] have been analyzedand securely revised under the new adversaries [20] In2018 Wang and Wang have syntagmatically and universallydefined an explicit and new security model with practicaladversariesrsquo capabilities for a TAKE setting Also a new andsecure TAKE scheme satisfying all security criteria has beensuggested Very recently Wang et al have also proposeda new framework for evaluating security efficiency andscalability for a TAKE wireless sensor network [23] Underthe framework two existing schemes [24 25] have beenfound to be flawed [23] Furthermore 44 TAKE schemeshave been universally compared and analyzed It is one of thesystematic comparisons over such vast amounts of research

A multifactor AKE (for short MAKE) deals with threetypes of authentication factors (secret password and bio-metrics) The main advantage of MAKE over TAKE is itsability to preserve the security even if one or two authenti-cation factors are compromised Despite its merits relativelythe MAKE has been received less attention in the literaturethan the TAKE In 2008 Pointcheval and Zimmer havedesigned a provably secure MAKE protocol (for short PZ)under computational Diffie-Hellman assumption [26] It usesan ElGamal public key encryption [27] for securing biometricinformation However in 2012 it has been found to beinsecure by Hao and Clarke [28]The insecurity of PZ is thatan attacker who steals a password is able to deduce biometricinformation After the PZ there have been attempts todesign a MAKE in smartcard cloud computing three-partyand multiserver environments [29ndash32] In 2009 Fan et alhave proposed a public key based MAKE in a smartcardsetting [29] It protects usersrsquo biometric data from anyoneelse including a server while allowing secure authenticationLater the PZ has been extended into three-party setting byLiu et al [30] It has been the first work on addressing thethree-party setting that assumes an intervention of trustyparty between a client and a server A new MAKE based onelliptic curve has been suggested in a multiserver setting byHe et al in 2015 [31] Very recently Wei et al have presenteda privacy-preserving multifactor authenticated key exchangefor cloud computing [32] It has achieved better efficiencythan the PZ in terms of computation and bandwidth costs

11 Related Works Our goal is to construct a securegeneric PUF-based MAKE protocol from any secure PAKE

protocol To the best of our knowledge a PUF-based MAKE

protocol has not been proposed yet in the literature Howeverregarding generic MAKE constructions which are not basedon PUF there have been few results in recent years First

in 2011 Huang et al have designed a generic transformationthat combines any secure PAKE in the smartcard settingwith biometrics for building a MAKE [33] Their main ideais to execute a TAKE twice They use a fuzzy extractor tohandle userrsquos biometrics Later it has been enhanced by Yuet al in 2014 [34] Its enhanced version applied a fuzzyvault based on euclidian distance for handling biometricfeatures And also it used a TAKE just once Despite itsefficiency and novelty these two constructions have beenbuilt under a PKI setting where participants must be allowedto sign (verify) and encrypt (decrypt) based on public keycryptography Moreover one critical problem is that thesetwo constructions [33 34] have not been built in a genericway For example in [34] they first make 119901119908 = 119867(1199011199081 119887119894119900) and apply 119901119908 into a TAKE where 1199011199081 is a password119887119894119900 is a biometric information and 119867 is a cryptographicsecure hash function Depending on what kind of TAKE

is being used an input of 119901119908(= 119867(1199011199081 119887119894119900)) is notalways an input for TAKE For instance if TAKE uses astructure 119892119901119908 (or 119864119901119908(sdot)) inside then before application119901119908(= 119867(1199011199081 119887119894119900)) should be customized as 119891(119901119908) where119891 is a function that converts an input to a cyclic group elementoutput (or fixed length output eg 128 bits 256 bits) In [34]they select a good but specific TAKE [17] and demonstratehow it can be initiated to build a final MAKE It does notmean that their generic MAKE is able to cover all casesof TAKE One important observation from this issue is that ageneric MAKE should execute a TAKE first and then use itssession key for integrating multifactor authenticators ratherthan executing TAKE with an integration of multifactorauthenticators

Fleischhacker et al have presented a generic MAKE con-struction (for short FMA) by combining subprotocols suchas unauthenticated key exchange password-based authen-tication (password) public key authentication (secret key)and biometric authentication protocols (biometric) [35] Themain idea is that it uses subprotocols independently forbuilding a general MAKE This approach guarantees notonly better security but also simplicity for implementationHowever it does not allow two authentication factors to beused together for one subprotocol hence it has a limitationto enhance the total communication cost

12 Motivation In the paper we firstly attempt to use aphysical unclonable function (PUF) for generally building asecure MAKE The PUF is basically embedded in a deviceat manufacturing stage It always produces an unpredictableoutput depending on devicersquos physical status and it cannot beduplicated or cloned over a new device This unpredictabilityhas been one of the good properties for enhancing securityin cryptology However if the PUF always outputs differentunpredictable result then its output itself cannot become asecret key A secret key in cryptology should be not onlyunpredictable but also the same value when it is used fora secret key of encryption decryption and authenticationFor this reason generally a fuzzy extractor (FE) has beenused with the PUF for making a secure fixed secret fromthe unpredictable PUFrsquos outputs In fact much research onhow the PUF can be securely combined with the existing

Security and Communication Networks 3

cryptographic primitives such as PUF-based authentica-tion bit commitment and PUF-based encryption has beenconducted in recent decades From the short histories ofthe PAKE MAKE and PUF one question naturally arisescan we design a MAKE protocol by using the existing andwell-proved PAKE protocol More precisely is it possible togenerally construct MAKE if we are given any secure PAKE

and hardware dependent PUF Generally the MAKE needsa storage device for maintaining a long-term secret Thatis why a huge amount of MAKE has been presented ina smartcard setting so far Besides the PUF is hardwaredependent function and it is well suited for a storage deviceTherefore it is quite natural for a MAKE to assume a PUF-embedded device such as smartcard DRAM SRAM Thissetting has one important benefit that the previous MAKE

inherently has not satisfied That is even if three authenti-cation factors (password secret biometrics) are all compro-mised our MAKEwith PUF-based device can be still secure

13 Our Result In the paper we first study a topic onhow to systematically construct a MAKE protocol with anysecure PAKE protocol in a PUF-embedded device settingIn our setting a user holds a PUF-embedded device anddesires to mutually authenticate it with a server by multi-factor authenticators The design difficulties come from howcommon symmetric secrets are securely established frommultiple authenticators As illustrated in Figure 1 our mainidea is to apply userrsquos strong secrets (a long-term secretbiometrics) into an input of PUF in a device and obtainan output secret 119903 Our PUF in a MAKE actually doesnot need a password as an input instead our MAKE justneeds to execute a secure PAKE first and obtain PAKErsquossession key Finally PUFrsquos 119903 and PAKErsquos session key arehashed (random oracle) in order to produce two symmetricauthentication keys These keys perform a critical role forsecurely making message authentication codes for Diffie-Hellman values and a final session key of MAKE Executinga secure PAKE first can avoid the security problem on thepassword such as off-line or on-line dictionary attacks Forinstance in case of using a long-term secret or biometricbased AKE we should first go through a problem on howa weak secret password can be securely combined with asecret or biometrics based AKE which would bemuchmoreharder than the cases of combining the PAKE with a long-term secret and biometrics

Most of all our construction is the first PUF-basedgeneral MAKE constructions By applying a PUF in a deviceour MAKE construction can be still secure even if all authen-tication factors (password secret biometrics) are totallyrevealed Moreover our construction is relatively efficient interms of communication costThat is our construction needsat most 6 communication flows (one execution of PAKE

and three additional communication flows) that no publickey based primitives such as signature are using Unless theunderlying PAKE is asymmetric-based setting our MAKE

construction is comprised of only symmetric primitivessuch as symmetric encryption MAC function which arerelatively efficient than the works [35] as analyzed in Table 2While the total communication round is greatly enhanced

our communication cost is not better than the FMA [35]This slight inefficiency is due to the use of PUF and Diffie-Hellman keying materials However enhanced security andthe reduced total communication flow balance up these littlecomputation loss

2 Preliminaries

21 Fuzzy Extractor and PUF

Definition 1 (fuzzy extractor[36]) A fuzzy extractor consistsof two procedures Gen (sdot) Rep (sdot)

(1) Gen (sdot) outputs a string 119877 isin 0 1119897119903 and a helper string119875 isin 0 1lowast on input 119882 isin 119872 guaranteeing that forany distribution 119882 with min-entropy 119898 if (119877 119875) larr997888Gen (119882) then SD ((119877 119875) (119880119897 119875)) le 120598 where the SDmeans statistical distance

(2) Rep (sdot) takes (1198821015840 119875) on inputs and it outputsRep(1198821015840 119875) = 119877 if dist (1198821198821015840) le 119905 and (119877 119875) larr997888 Gen

(119882)Definition 2 (PUF[37 38]) A physically unclonable function(119905 1205981 1205982 120598119901119906119891)-PUF is a function 0 1119897119901 997888rarr 0 1119897119900 satisfyingthe following

(1) A PUF is bound to a device and its evaluation isefficient

(2) For any PPT adversary A119901119906119891PUFrsquos output is impos-sible to characterize Let PUF0 1119897119901 997888rarr 0 1119897119900 bean ideal PUF An experiment Exp119901119906119891119887

A119901119906119891(119896) is defined

for 119887 119877larr997888 0 1 where 119896 isin N is a security parameterExp

1199011199061198910A119901119906119891

(119896) means an experiment in which A119901119906119891 canaccess an ideal PUF in polynomial number of timesThat is in this experiment an oracle OPUF(sdot) returns119910 larr997888 P(119909) on input 119909 isin 0 1119897119901 Otherwise if 119887 = 0 inExp

1199011199061198911A119901119906119891

(119896) OPUF(sdot) returns a random 119910 119877larr997888 0 1119897119900 asan answer A119901119906119891rsquos goal is to finally output a guessingbit 1198871015840 for 119887 To be precise the following puf -advantage120598119901119906119891 should be negligible

120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891

(119896) = 1]100381610038161003816100381610038161003816 (1)

(3) The distance between two PUFrsquos outputs on the samechallenge 119909 is at most 119905 eg the following probabilityis negligible 1205981

Pr [dist (119910 119911) gt 119905 | 119909 larr997888 0 1119897119901 119910 larr997888 PUF (119909) 119911larr997888 PUF (119909)] le 1205981

(2)

(4) The distance between two outputs PUF119860(119909)PUF119861(119909) from different devices 119860 119861 on the same


DEVICE

PUF

secret key

biometrics

PAKEpassword

authentication keys

Hashfunction

sessionkey

r

Figure 1 A generation of authentication keys from multifactor authenticators

challenge 119909 is at least 119905 eg the following probabilityis negligible 1205982

Pr [dist (119910 119911) lt 119905 | 119909 larr997888 0 1119897119901 119910 larr997888 PUF119860 (119909) 119911larr997888 PUF119861 (119909)] le 1205982

(3)

Our PUF is based on an ideal PUF model where a PUF

is considered as a random permutation oracle In the sameway as a random oracle an adversary A119901119906119891 is adaptivelyable to query the PUF within polynomial time [37ndash41] butA119901119906119891 is never able to tell apart which one is real PUF orsimulated PUF This second property basically follows thedefinition in [37] The third property says that the PUFrsquosoutput (119903 = PUF(119909)) is always different within a certaindistance 119889 on the same input 119909 It is one of the goodproperties as any adversary cannot predict PUFrsquos outputs butits uncertainty makes it hard to directly apply 119903(= PUF(119909))itself for making a cryptographic key Thus a PUF is usuallycombined with a fuzzy extractor which consists of Gen

and Rep for making and recovering a fixed cryptographicsecret 119896 That is even if any adversary corrupts the input 119909 itcannot predict output 119903(= PUF) or 119896without PUFwhile onlyvalid user who holds PUF can recover 119896 The last propertymeans that each PUF in different device should have ownunique output on the same input These third and fourthproperties follow definitions in [38]

22 PRF and DDH

Definition 3 (pseudorandom function family (PRF)) Apseu-dorandom function family is a collection of functions 119865119870 K(119865)timesD(119865) 997888rarr R(119865) indexed by a key119870 isin K(119865) whereK(119865)is the set of keys of 119865119870 and D(119865) is the set of domains of 119865119870such that for any PPT algorithm B it holds the following

(i) Given 119909 isin D(119865) and 119870 isin K(119865) there is a PPT

algorithm to compute F119870(119909)(ii) For any PPT algorithm B the following prf -

advantage 120598119901119903119891 is negligible1003816100381610038161003816100381610038161003816Pr [B

119865119870 = 1 119870 119877larr997888 K (119865)]

minus Pr [119861119865 = 1 119865 119877larr997888 119880119865119870]1003816100381610038161003816100381610038161003816 le 120598119901119903119891

(4)

where 119880119865119870is the set of all functions mapping from

D(119865) to R(119865) and 119877larr997888 denotes an element chosenrandomly

Definition 4 (decisional Diffie-Hellman assumption (DDH))The DDH problem is defined as follows Let G be a cyclicgroup that has a prime order 119902 and a generator 119892 Theadvantage ofA is

Adv119889119889ℎA (119879119863G)= 10038161003816100381610038161003816Pr [A (119892119906 119892V 119892119906V) = 1 119906 V larr997888 Z

lowast119902 ]

minus Pr [A (119892119906 119892V 119877) = 1 119906 V larr997888 Zlowast119902 119877 larr997888 G]10038161003816100381610038161003816

(5)

where A is PPT adversary with time complexity 119879119863 TheDDH assumption is that the advantage ofA is negligible

23 Secure MAC and Secure SymmetricEncryption under CCA

Definition 5 (secure message authentication code underchosen message attack) A message authentication code isa pair of algorithms MAC = (T V) We define a MACkey set 119872119896 = 0 1119897119898 where 119897119898 is the size of MAC key Analgorithm T is a MAC generation algorithm which takes asinputs a MAC key 119870 isin 119872119896 and message 119909 and outputsa string T(119870 119909) called a tag An algorithm V is a MACverification algorithm which takes key 119870 message 119909 and tagT(119870 119909) and outputs a bit 1 (authentic) or 0 (unauthentic)Let us consider the following experiment A notation ofA119874(sdot)

119898119886119888indicates that the adversary A119898119886119888 can access an oracle 119874(sdot)

Experiment Exp119888119898119886A119898119886119888

119896 119877larr997888MKey

(119909lowast Vlowast) larr997888 AT(119870sdot)V(119870sdotsdot)119898119886119888 Vlowast is a tag value for a new

message 119909lowast

IfV(119870 119909lowast Vlowast) = 1 and Vlowast wasnever outputted byT(119870 sdot)in response to query 119909lowast then return 1 else return 0

We define cma (chosen message attack) advantage ofA119898119886119888 as follows

Adk119888119898119886A119898119886119888

(119879119898 119896) = Pr [Exp119888119898119886A119898119886119888

(119879119898 119896) = 1] (6)

If cma-advantage of MAC is negligible the MAC scheme issecure under chosen message attack

Definition 6 (secure symmetric encryption under chosencipher attack) Let SE = (119864119863) be a symmetric encryptionscheme andA119904119890 be an adversary of SEWedefine a symmetrickey set Key = 0 1119897119890 where 119897119890 is the size of encryptionkey An algorithm E is a probabilistic symmetric encryptionalgorithm which takes a symmetric key 119870 isin Key and


plaintext 119898 and outputs ciphertext 119864119870(119898) An algorithm 119863is a deterministic decryption algorithm which takes key 119870plaintext 119898 and 119864119870(119898) as inputs and outputs message 119898Let us consider the following experiment A notation ofA119874(sdot)


(1) 119870 119877larr997888 Key

(2) (Find Stage) (1199090 1199091 119904) larr997888 A119864119870(sdot)119863119870(sdot)119904119890

(3) 119887 119877larr997888 0 1 119888 larr997888 119864119870(119909119887)(4) (Guess Stage) 1198871015840 larr997888 A119864119870(sdot)119863119870(sdot)

119904119890 (119888 119904)(5) If 1198871015840 = 119887 then return 1 else return 0

For any 119879119904119890 119902119890 119902119889 we define cca-advantage of SE as

Adv119888119888aA119904119890

(119896) = 2Pr [119887 = 1198871015840] minus 1 (7)

If cca-advantage of SE is negligible the SE scheme is secureunder chosen ciphertext attack

3 Security Model for MultifactorAuthenticated Key Exchange

Based on the BPR model [2] in this section a new securitymodel is presented for PUF-based MAKE We follow thebasic framework and its notations of BPR model [2] Asour compiler converts any secure PAKE into secure PUF-based MAKE two security models (PAKE and MAKE) arerequired for security proof Two security models are thesame except the number of authentication factors sessionfreshness

31 Communication Model Participants long-lived secrets inthe MAKE Two types of protocol participants a set of usersU and a set of servers S are assumed in a MAKE protocolwithmultiple long-lived secrets That is we suppose that eachuser U isin U owns a tuple 119872119888 = 120575 pw s PUF Umemorizesa secret password pw and possesses a physical unclonablefunction PUF which is usually embedded into a smartcardor memory card U holds a long-term secret s U itself ownsbiometric template 120575 such as iris or fingerprint S securelykeeps 119872119904 = 119868119863119879[119872119888] in its database where 119868119863 is anidentifier and 119879[119872119888] is a transformation of119872119888 A user U (ora server S) may execute MAKE protocol multiple times andwe also denote the 119894-th instance executed by entity U (respS) as 119880119894

119898 (resp 119878119894119898)Participants long-lived secret in the PAKEWeassume two

types of protocol participants a user U isin U and a server S isinS The set of all participants is the union U cup S We supposethat each userU isin Umemorizes a secret password pw and theserver S keeps a vector pw119904 = ⟨pw119906⟩uisinU that contains entryfor each client The passwords pw pw119904 are called the long-lived key of user U and server S A user U (or a server S)may execute the 2-party PAKE protocol multiple times The119894-th instance is executed by entity U (resp S) as119880119894

119905 (resp 119878119894119905)Queries of Adversary in theMAKEQueries are defined to

model malicious behaviors of an adversary We assume that

there is an adversaryA that is able to control communicationsover the networks and interact with the oracles by askingqueries defined below

(i) Send119898(119880 119894119872) It sends themessage119872 to an oracle119880119894

119898 This query models that A sends a message 119872 toan instance of 119880119894

119898 in the real protocol The oracle 119880119894119898

will return the nextmessage that an honest119880119894119898 should

be sent according to the protocol(ii) Reveal119898(119880 119905) If the oracle 119880119905

119898 has a session keythen this query outputs a session key toAThis querymodels the possibility thatA gets session keys

(iii) Corrupt119898(119880 a) This query models the possibilitythatA corrupts a client119880 We assume thatA can justobtain long-lived keys but cannot obtain ephemeralstates of instances This query is classified into threetypes according to 119886(a) If a = 1 then the password pw of U is returned

as an answer(b) If a = 2 then the secret PUF of U is returned

as an answer(c) If a = 3 then the secret 120575 of U is returned as an

answer(d) If a = 4 then the secret s of U is returned as an

answer

In case of PAKE the cases of 119886 = 1 are onlyconsidered

(iv) Execute119898(119880 119894 119878 119895) This query returns transcriptsof an honest execution between user instance 119880119894

119898

and server instance 119878119895119898 This query models a passiveadversary who simply eavesdrops transcripts on anhonest execution

(v) Test119898(119880119894119898) This query is only used to measure

A rsquos knowledge on a session key When A asks aTest query to the fresh 119880119894

119898 a coin is flipped togenerate a random bit 119887 If 119887 = 1 the real session key isreturned toA Otherwise a random value is returnedA is allowed to make a Test query only once at anytime during the experiment

Queries of Adversary in the PAKE All queries and theirresponses are the same as those of MAKE except a corruptquery with notions A corrupt query in the PAKE is definedonly in case of a=1 A notion on the instance 119880119894

119898 is replacedwith119880119894

119905 (119878119895119905 ) And also to distinguish notations in the securityproof we define notations of queries for the PAKE withoutsubscript119898 (eg Send Corrupt Execute Reveal Test)

32 Security Definition

Definition 7 (session identifier session key partner identifierand partnering 2-party MAKE) We define a sessionidentifier (SID) for 119880119894

119898 as sid119880119894119898 which is the concatenationof all messages sent and received by 119880119894

119898 A session key


is denoted as skUS A partner ID is a correspondingparticipant with whom119880119894

119898 is interacting which is denoted aspid119880119894119898 Instances 119880119894

119898 and 119878119895119898 are partnering if thefollowing conditions are satisfied (1) Both instances havebeen accepted with the same session key session IDand partner ID That is if both oracles have beenaccepted with (skUS sid119880119894119898 pid119880119895119898) (skSU sid119878119895119898 pid119878119895119898) then (skUS = skSU sid119880119894119898 = sid

119878119895119898

= NULL) (2) No oracleother than 119880119894

119898 and 119878119895119898 is accepted with the pid of 119880119894119898 and 119878119895119898

(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)

Regarding the PAKE we use essentially the same defi-nitions notations for SID a session key and PID with theones of MAKE model Thus we do not define them againhere Next we consider freshness forward secure freshnessfor MAKE and PAKE respectively

Definition 8 (freshness for 2-party MAKE) An instance119880119894

119898 is fresh in terms of multifactor AKE if (1) neither 119880119894119898

nor its partner has been asked for a Reveal query (2)neither 119880119894

119898 nor its partner has been asked for a Corrupt(119880119894119898

1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

The second condition means that 119880119894119898 and its partner have

been asked for less than four corrupt queries That is A canask Corrupt queries satisfying the following equation

(Corrupt (1) and Corrupt (2) and Corrupt (3)and Corrupt (4)) = FALSE

(8)

If A has asked query of Corrupt(119880 a) where 1 le a le 4then it is Corrupt(a) = TRUE Otherwise it is Corrupt(a)= FALSE

Definition 9 (forward secure freshness for 2-party MAKE)Regarding forward secrecy a new freshness fs-fresh isdefined An instance 119880119894

119898 is fs-fresh in terms of multipleauthentication factors if (1) neither 119880119894

119898 nor its partner hasbeen asked for a Reveal query (2) before Test(119880119894

119898) neither119880119894

119898 nor its partner has been asked for all three Corrupt(119880119894119898

1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries

Remark 10 The above first property (1) is for Reveal casefor both PAKE and MAKE However the second prop-erty (2) has been modified by multiple authentication fac-tors For example let us consider some cases of fs-freshIf A asks Corrupt(119880119894

119898 1) Corrupt(119880119894119898 2) queries (less

than all four Corrupt queries) before Test(119880119894119898) and does

ask Send119898(119880 119894119872) query then it is fs-fresh Also if A

asks Corrupt(119880119894119898 1) Corrupt(119880119894

119898 2) and Corrupt(119880119894119898 3)

queries before Test(119880119894119898) and does not ask Send119898(119880 119894119872)

query then it is fs-fresh If all Corrupt queries have been askedafter Test query then it is also fs-fresh

Definition 11 (freshness for 2-party PAKE) It is defined inthe same way as MAKE except the second condition That isthe first condition is the same as the MAKE but the second

condition is that (2)neither119880119894119898 nor its partner has been asked

for a Corrupt(119880119894119898 1) query

Definition 12 (forward secure freshness for 2-party PAKE)It is defined in the same way as the above MAKE except thesecond condition That is (2) before Test(119880119894

119898) neither 119880119894119898

nor its partner has been asked for a Corrupt(119880119894119898 1) query

and Send119898(119880 119894119872) query

Definition 13 (session key security for 2-party MAKE) Letus consider the following experiment We assume that anadversary A is run within a polynomial time bound 119879 Ainteracts with a finite number of oracles by asking queriesdefined above during the experimentA can ask a Test queryto a fresh oracle at any time When A asks a Test queryto the fresh 119880119894

119898 then the experiment flips a coin for bit 119887If it lands 119887 = 1 then the real session key is returned tothe adversary Otherwise a random key is returned to theadversary Eventually A guesses 119887 outputs the guessed bit1198871015840 and terminates the experiment The sk advantage of A inattacking the MAKE protocol 119875 is defined as Adv119898119886119896119890

119875119904119896 (A) =2Pr[119887 = 1198871015840] minus 1 It should be negligible as follows

Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)

where 120576(119896) is a negligible function |D|(119890119892 12 898 437) isa password space for a Zipf rsquos parameters 1198621015840(eg 0062239)1199041015840(eg 0155478) which follows Zipf rsquos law for password [4243] 119902119904 is the number of on-line Send queries asked and 119896 isa security parameter

Remark 14 Since a memorable password is chosen by a userit is not uniformly distributed That is due to the memorableproperty it is natural for the user not to be able to make fulluse of the whole distribution of D at password selectionstage Thus regarding the formalization term on an on-line-password guessing attack in all of our definitions here wefollow the Zipf assumption for password distributions [4243] which formalizes user own memorable password (notuniform from D) 1198621015840 sdot 1199021199041015840

119904 rather than a uniformly modeledterm 119902119904D where 1198621015840 1199041015840 are Zipf rsquos parameters [42 43]depending on dataset policy language

Definition 15 (session key security for 2-party PAKE) Thedefinition for PAKE is the same as the MAKE securityexcept that a notion Adv119898119886119896119890

119875119904119896 (A 119879 119877) is replaced with anotion Adv

119901119886119896119890119875119904119896

(A 119879 119896) It is defined as Adv119901119886119896119890119875119904119896

(A 119879 119896) =2Pr[119887 = 1198871015840]minus1 and it should be as follows Adv119901119886119896119890

119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840

119904 + 120576(119896) where 120576(119896) is a negligible function|D|(eg 12 898 437) is a password space for a Zipf rsquos parame-ters 1198621015840(eg 0062239) 1199041015840(eg 0155478) which follows Zipf rsquoslaw for password [42 43] 119902119904 is the number of on-line Send

queries asked and 119896 is a security parameter

Definition 16 (forward secure session key security for2-party PAKE) A forward secure 2-party PAKE protocol isdefined with a condition that the fs-fresh instance should


be asked for a Test query Basically its definition is thesame as the definition of session key secure PAKE exceptthat a notion Adv

119901119886119896119890

119875119904119896(A 119879 119896) is replaced with a notion

Adv119891119904minus119901119886119896119890

119875119904119896(A 119879 119896) = 2Pr[119887 = 1198871015840] minus 1 It should be as follows

Adv119891119904minus119901119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576(119896) where 120576(119896) is a negligiblefunction |D|(eg 12 898 437) is a password space fora Zipf rsquos parameters 1198621015840(eg 0062239) 1199041015840(eg 0155478)which follows Zipf rsquos law for password [42 43] 119902119904 is thenumber of on-line Send queries asked and 119896 is a securityparameter

The mutual authentication for MAKE and PAKE isdefined by an event Succ as follows

Definition 17 (mutual Authentication [2]) We follow a def-inition of mutual authentication defined in [2] For clientauthentication we consider sessions where the server acceptswith no partner instance of the client With regard to serverauthentication we consider sessions where the client acceptswith no partner instance of the server We say that anadversary breaks mutual authentication if either server orclient instance is accepted but has no partner oracle Wedenote this event by Succ and its probability is defined asSucc119898119886

119875 (A 119879 119896) = Pr[Succ] We say that a given MAKE

protocol 119875 provides mutual authentication if Succ119898119886119875 (A 119879 119896)

is negligible as follows

Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)

where 120576(119896) is a negligible function and 119896 is a securityparameter

4 A Compiler from PAKE toMAKE with PUF

The construction of MAKE consists of two phases one is forthe PAKE phase to derive a common key and the other is forgeneric authentication phase with the derived common keyas illustrated in Figure 2 and Figure 3 respectively We use thefollowing notations in the protocol

41 Notation

(i) 119888 It is a set of messages transferred between theuser U and the server S in the PAKE We assumethat it has 119897119888 bits We can assume a function (pseudo-random or hash function) that maps a set of messagesgenerated by any PAKE into the fixed size 119897119888 bits

(ii) 119868119863 120575 pw 119904119896119901 119868119863 is an identifier of U and it has 119897119894119889bits 120575 is Ursquos biometric template pw is Ursquos memo-rable password and s is a long-term secret key 119904119896119901

is an agreed-upon common key between U and S inthe PAKE which are assumed to have 119897119901 bits

(iii) 1198670 1198671 11986721198673 They are all cryptographic securehash functions which are simulated as random ora-cles in the security proof They are respectivelydefined as 1198670 0 11198990 997888rarr 0 11198970 1198671 0 11198991 997888rarr

0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973

42 A Setup Description

(i) A setup is executed over a secure channel U firstcomputes a strong secret 120575(= Gen(120575)) from its ownbiometric template 120575 And U evaluates PUF andgenerates (119903 ℎ) from Gen (PUF(120575 s)) The values119868119863 119903 pw are sent to S

(ii) U and S securely maintain (pw PUF 120575 s)(119868119863 119903 pw)respectively

We note that the setup phase is a necessary step toshare pw in the PAKE setting Our MAKE setup phase isalso unavoidable for securely delivering multiple authentica-tion factors between U and S

43 A Description of the Compiler

(1) A user U and a server S execute any efficient andprovably secure PAKE protocol with 119888 (a set of alltransferred messages) and a common key 119904119896119901 Ifthe agreement of 119904119896119901 or authentication is failed inthe PAKE then our compiler outputs a failure andstops the protocol Otherwise it continues to run thenext step (2)

(2) The user U inputs own biometric template 120575 andthen computes a strong secret 120575 from Rep(120575 ℎ120575) Uevaluates PUF and executes Gen with ℎ then com-putes 119903(= PUF(1198670(120575 s) ℎ119903)) and derives commonkeys 1198961(= 1198671(119888 119903 119904119896119901)) 1198962(= 1198672(119888 119903 119904119896119901)) for message authentication U finally computes1205721(= 119892119909119898119900119889 q) and 1205731(= 1198721198601198621198961

(1205721)) and sendsthem to S

(3) On receiving 1205721 1205731 S first searches Ursquos list (119868119863119903 119901119908) from database Then S derives 1198961(= 1198671(119888 119903 119904119896119901)) 1198962(= 1198672(119888 119903 119904119896119901)) from 119888 119903 119904119896119901 S with1198961 verifies that 1205731(= 1198721198601198621198961

(1205721)) is valid or not If itis valid then S makes 1205722 = 119892119910119898119900119889119902 for a random119910 isin Zlowast

119902 its authentication tag 1205732 = 1198721198601198621198962(1205722) and

120574 = (1205721)119910 S also computes keying material 1199041198961015840(=1198673(120574 1205721 1205722 1205731 1205732 119888)) and its authenticatorℎ1(= 1198673(1199041198961015840 1)) The messages 1205722 1205732 ℎ1 are sentto U

(4) Regarding 1205722 1205732 ℎ1 U verify 1205722rsquos authenticator 1205732If it is valid then U computes keying material 1199041198961015840(=1198673(120574 1205721 1205722 1205731 1205732 119888)) U also verifiesℎ1(= 1198673(1199041198961015840 1)) by using 1199041198961015840 If it is also validthen U makes ℎ2(= 1198673(1199041198961015840 2)) and sends it to SThen U finally computes a common session key 119904119896(=1198673(1199041198961015840 0)) On receiving ℎ2 S verifies ℎ2 with 1199041198961015840 Ifit is valid S finally computes a common session key119904119896 = 1198673(1199041198961015840 0)

In Figures 2 and 3 we illustrate a setup phase and afinal general PUF-based MAKE construction respectively


Figure 2 A setup phase

Figure 3 A general construction of MAKE


Our construction combines two authentication factors bio-metric template and long-term secret and makes one secret119903 using a PUF However our compiler does not directlyhandle a password at all but just takes a PAKE as an inputThat is our MAKE obtains PAKErsquos session key 119904119896119905 throughexecuting a secure PAKE This approach can guarantee thepassword security such as off-line or on-line dictionaryattacks as explained earlier Anyway these two secret values119903 119904119896119905 are mainly used to establish intermediate keys 1198961 1198962

44 Security Proof The following well-known lemma [44]is used for calculating difference of probability betweenadjacent games in the security proof

Lemma 18 Let 119864 1198641015840 and 119865 be events defined on a probabilityspace such that 119875119903[119864 and not119865] = 119875119903[1198641015840 and not119865] Then we have|119875119903[119864] minus 119875119903[1198641015840]| le 119875119903[119865]Theorem 19 LetA be a PPT adversary against the session keysecurity of MAKE protocol P within a time bound TA can ask119902119904119898

to send queries 119902119890119898executes queries and then

Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898

119902119905 119902V are the total numbers of Send119898 tag verification(for MAC) queries 119879119891 119879119890 119879ℎ are the computation time forMAC exponentiation and hash function respectively

Proof We assume an adversary A that runs in games fromG0 to G5 In each game A asks a Test119898 query then a coinfor bit 119887 is flipped to specify a real key or a random key andthenA outputs a guessing bit 1198871015840 Let S119894 be an event that 1198871015840 = 119887in G119894 and Pr[S119894] is its probability Also Succ119894 is defined as anevent that a server or a user instance accepts with no partnerinstance of the client in G119894 as in Definition 17

Game 1198660 The game G0 provides a real environment forthe MAKE protocol By the security definition the sessionkey advantage ofA is defined as follows

Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)

Game1198661 In this game a randomkey 119904119896119903 is selected randomlyand it is replaced with the established key 119904119896119901 of the PAKEThrough the replacement we show that if there exists a PPTadversary 119860119863 that distinguishes two games then one canbuild an adversary 119860119901 that breaks the security of PAKEwhich is shown in Lemma 20

Lemma 20 The difference of success probability between G0

and G1 is at most the advantage of breaking 2-party PAKE

protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898

is the total numberof Send119898 queries 119879119891 119879119890 119879ℎ are the computation time forMAC exponentiation and hash function

Proof 119860119901 exploits 119860119863 to guess a hidden bit 119887 defined in theexperiment of 2-party PAKE 119860119901 provides simulations onqueries asked by 119860119863 All queries are simulated as follows

(i) Hash queries of11986711198672 1198673 IfA119863 asks a hash query of119898 to 1198671 (resp 1198672 1198673) where a list (119898 120582) appears inthe hash table 1205751198671

(resp 1205751198672 1205751198673

) then 120582 is returnedas an answer for1198671(119898) (resp1198671(119898)1198672(119898)) Other-wise a new120582 isin 0 11198971 (resp 1198972 1198973) is chosen at randomand returnedThen the list (119898 120582) is added to the table1205751198671

(resp 1205751198672 1205751198672

)(ii) Send119898(119880 119894119872) It is classified into two types as

follows

(a) If Send query is asked to the parts of PAKE119860119901

first asks Send(119880 119894 119898) query to the PAKE andthen returns its output as an answer At the endof PAKE protocol there exists a Send queryto let the instance be accepted in the PAKEFor this Send query 119860119901 uses the random key119904119896119903 to simulate an answer 1205721 1205731 That is first119860119901 evaluates PUF computes 119903 and then decides1198961 = 1198671(119888 119903 119904119896119903 ) 1198962 = 1198672(119888 119903 119904119896119903 )from 119904119896119903 and11986711198672 oracles119860119901 finally producesan answer 1205721 = 119892119909mod 119902 1205731 = MAC1198961

(1205721) fora random 119909 fromZlowast

119902 119860119901 keeps 119903 1205721 1205731 for latersimulations

(b) Otherwise if119872 = 1205722 1205732 ℎ1 thenA119901 verifies ℎ1If it is valid then it is accepted with 1199041198961015840 = 1198673(120574 1205721 1205722 1205731 1205732 119888) and ℎ2 = 1198673(1199041198961015840 2)A119901

finally outputs ℎ2 as an answer

(iii) Send119898(119878 119895119872) There are also three types ofqueries as follows

(a) If Send query belongs to the query in PAKE119860119901 asks Send(119878 119894119872) query to the PAKE andthen uses its output as an answer


(b) If119872 = 1205721 1205731 then 119860119901 verifies 1205731 If it is validthen 119860119901 makes 1198961 = 1198671(119888 119903 119904119896119903 ) 1198962 =1198672(119888 119903 119904119896119903 ) with previously made value119888 119903 119860119901 finally produces an answer 1205722 =119892119910119898119900119889119902 1205732 = MAC1198961

(1205722) for a random 119910 fromZlowast

119902 119860119901 keeps 1205722 1205732 for later simulations(c) Otherwise if119872 = ℎ2 then 119860119901 first verifies ℎ2 If

it is valid then 119860119901 accepts it with 119904119896 = 1198673(1199041198961015840 0)

(iv) Execute119898(119880 119894S 119895) To return transcripts of anhonest execution between 119880119894

119898 and 119878119895119898A119901 collects alloutputs of Send119898 queries and outputs them as ananswer

(v) Reveal119898(119880 119905) For the instance that has beenaccepted 119860119901 returns 119904119896 = 1198673(1199041198961015840 0) as an outputwhere 1199041198961015840 = 1198673(120574 1205721 1205722 1205731 1205732 119888)

(vi) Corrupt119898(119880 119886) According to 119886 it outputs reg-istered password pw (119886 = 1) PUF (119886 = 2)biometric template 120575 (119886 = 3) and s (119886 = 4) for 119880

(vii) Test119898(119880 119905) When 119860119863 asks Test119898(119880 119894) query119860119901 chooses a random bit 119887 isin 0 1 and selects afs-fresh instance in aspect of MAKE and asks a Test

(119880 119894) query For the hidden bit 119887 (real or session key)119860119863 outputs 1198871015840 If 119887 = 1198871015840 then119860119901 outputs 1 otherwise119860119901119886119896119890 outputs 0

Let us consider the advantage of 119860119901 over the above sim-ulation We define an event real as a real session key 119904119896119901

(119887 = 1) is given by experiment of MAKE security while anevent rand is a random key and 119904119896119903 (119887 = 0) is given to 119860119901

Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1

= 10038161003816100381610038161003816Pr [119860119901 = 1 | real] minus Pr [119860119901 = 1 | rand]10038161003816100381610038161003816= 10038161003816100381610038161003816Pr [119887 = 1198871015840 | G0] minus Pr [119887 = 1198871015840 | G1]10038161003816100381610038161003816= 1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816

(14)

If we suppose 119860119863 runs with polynomial time 119879 then 119860119901rsquosrunning time 119879119886 is dependent on 119879 Additionally it requiresthe time of making the messages 1205721 1205731 1205722 1205732 ℎ1 ℎ2 Hencethe total time is bounded as 119879119886 ge 119879 + 119902119904119898

(119879119891 + 119879119890 + 119879ℎ)119902119904119898is the total number of Send119898 queries 119879119891 119879119890 119879ℎ are the

computation time for MAC exponentiation hash functionThis completes the proof of Lemma 20Game 1198662 In this game we consider a value 119903 in the

protocol which is an output of ideal PUF We replace 119903 witha random value as a random oracle That is a table L119875 ismaintained for a valid simulation Regarding each input 119909if a list (119909 119910) appears inL119875 then 119910 is outputted as an answerOtherwise a random 119910 is selected from 0 1119897119900 and returnedas an answer for PUF(119909) The list (119909 119910) is added to the listL119875 Then if there exists A that is able to distinguish twoadjacent games then it is clear to build an adversary A119901119906119891

In G1 an ideal PUF has been used but in G2 a randomlychosen value is used A119901119906119891 returns an output bit 119889 = 1 if1198871015840 = 119887 Otherwise A119901119906119891 returns 119889 = 0 Then we have thefollowing

120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891

(119896) = 1]100381610038161003816100381610038161003816= 10038161003816100381610038161003816Pr [119889 = 1 | PUF (119909)] minus Pr [119889 = 1 | 119910 larr997888 0 1119897119900]10038161003816100381610038161003816ge 10038161003816100381610038161003816Pr [119887 = 1198871015840 | G1] minus Pr [ 119887 = 1198871015840 | G2

10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)

Game 1198663 In this game we analyze a collision event Col

that an identical session key is accidentally generated for anytwo sessions This event is due to a random oracle 1198673 thatproduces final secrets 1199041198961015840 119904119896 It can be analyzed in two casesThe first case is that if its simulated output (randomly chosenvalue) is identical for two sessions then two sessions naturallyhave the same 1199041198961015840 119904119896 For example on two different inputqueries 119909 = (120574 1205721 1205722 | 1205731 1205732 119888) 1199091015840 = (1205741015840 1205721015840

1 12057210158402 |

12057310158401 1205731015840

2 1198881015840) each output can be simulated as an one randomvalue (119890119892(119909 119910) (1199091015840 119910) isin L119901) However its probability is11990221198673(21198973 + 1) which is negligible The second case is that the

input queries (120574 1205721 1205722 | 1205731 1205732 119888) themselves can bethe same and then they naturally output the same output of1199041198961015840 119904119896The security (duplication) of 119888 comes from the securityof PAKE which is negligible In addition the values 1205722 1205732

are decided by 1205721 1205722 Hence for two sessions the probabilityof equally selecting 1205721 = 119892119909119898119900119889119902 1205731 = 119892119910119898119900119889119902 is boundto (119902119904119898

+ 119902119904119890)222(119902+1) where 119902119904119898

119902119904119890are the total numbers

of Send Execute queries We have the following

1003816100381610038161003816Pr [S2] minus Pr [S3]1003816100381610038161003816 le Pr [Col] le 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)

Game 1198664 In this game we consider an event MS thatA makes valid Send(119878 119895 ) queries where = 1205731 MAC1198961

(1) Regarding valid messages 1205721 1205731 theirSend(119878 119895119872) query has been simulated in G2 Hereour goal is to exclude forgery events among Send(119878 119895119872)queries that have valid MAC pair 1205731 MAC1198961

(1) Let usassume a MAC forgery A119898119886119888 If this event happens thenA119898119886119888 halts and outputs the pair 1 1205731 as its forgery ofMAC which contradicts a secure MAC assumption If thereare no forgeries then A119898119886119888 returns a failure notificationOther processes of simulation for A are the same as thoseof previous games A119898119886119888 requires computational time 119879119898119886119888

such that 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V) where 120591T is computationaltime for MAC and 119902119905 119902V are tag and verification queries thatAmakes The same analysis applies to the case of 1205722 1205732 Wehave the following

Pr [G3 | notMS] = Pr [G4 | notMS]1003816100381610038161003816Pr [G3] minus Pr [G4]1003816100381610038161003816 le Pr [MS] le 2 sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(17)

Game 1198665 In this game we consider a random DDH triple119863119903119886119899119889 = (119883119884 119885) where 119883 = 119892119906 119898119900119889119902 119884 = 119892V 119898119900119889119902 and


119885 = 119892119903 119898119900119889 119902 Using 119863119877 the Send queries are simulated asfollows

(i) Send119898(119880 119894119872) It is classified into two types asfollows

(a) If Send query is asked for letting the instance beaccepted in the PAKE thenG5 uses the randomkey 119904119896119903 to make 1198961 1198962 However the value 1205721 isreplaced with 119883 Accordingly the value 1205731(=1198721198601198621198961

(119883)) is made by 1198961 119883 Other simulationsare the same as the previous games

(b) Otherwise if119872 = 1205722 1205732 ℎ1 thenA119901 verifies ℎ1If it is valid then accepts with 1199041198961015840 = 1198673( 119885 1205721 1205722 1205731 1205732 119888) and ℎ2 = 1198673(1199041198961015840 2)A119901


(ii) Send119898(119878 119895119872) There are also three types ofqueries as follows

(a) If Send query belongs to the query in PAKEthe way of simulations is the same as theprevious game

(b) If 119872 = 1205721 1205731 then 119860119901 verifies 1205731 If it isvalid then 119860119901 makes 1198961 = 1198671(119888 119903 119904119896119903)1198962 = 1198672(119888 119903 119904119896119903) However the answer value1205722 is replaced with 119884 and itsMAC value is alsocomputed by 1205732 = MAC1198961

( 119884 ) Others are thesame as the previous games

By usingA which tries to distinguish two games G4 andG5 one can build a polynomial time algorithm A119889119889ℎ thatbreaks the assumption of DDH For a Test query A guessesa coin and outputs 1198871015840 If 119887 = 1198871015840 then A119889119889ℎ outputs 1 whichmeans that the input triple is a real DDH triple Otherwise itoutputs 0 whichmeans that the input triple is a randomDDHtripleThe success probability ofA119889119889ℎ is calculated as followsA119889119889ℎ requires computation time for simulating Send queriessuch that 119879119863 ge 119879 + 119902119904119898

(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]

minus Pr [A119889119889ℎ (119883 119884 119885) = 1 119906 V larr997888 Zlowast119902 119885 larr997888 G]10038161003816100381610038161003816

le Pr [A119889119889ℎ = 1 | 119863119903119890119886119897] minus Pr [A119889119889ℎ = 1 | 119863119903119886119899119889] = Pr [119887 = 1198871015840 | G4] minus Pr [119887 = 1198871015840 | G5] = Pr [S4]minus Pr [S5]

(18)

Let us consider Pr[G5] in G5 As simulated in Send

queries the session key 119904119896 is decided by the given randomelement 119885 Hence 119904119896 is random and independent of elements119880 119881 That is no information of 119887 is leaked through the Testquery We have the following

Pr [S5] = 12 (19)

Thus we obtain the final result as follows

Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)

Let us consider the event Succ119894 We have alreadyexcluded collision events on 1205721 1205732 and MAC forgeries on1205731 1205732 in the previous games The left analysis is on ℎ1 ℎ2 Inthis game the secret 1199041198961015840 is made by a random oracle 1198673 andℎ1(= 1198673(1199041198961015840 1)) is also simulated by a random oracle 1198673Thus for successful impersonationA should correctly guessℎ1 ℎ2 This probability is bounded as 1199022

11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)

By the following difference we can bound Succ119898119886119875 (A 119879 119896)

(Δ 119894 is the probability difference between G119894 and G119894+1)

Succ119898119886119875 (A119872) = Pr [Succ0] le Pr [Succ5] +

4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)

This completes the proof of Theorem 19

5 Performance Analysis and Discussion

For coherent comparison and analysis we follow a recentevaluation metrics that has been suggested by Wang andWang [45] and been utilized inmany other recent studies [2023 45ndash47] One important difference is that our scheme isnot two-factor (smartcard and password) AKE scheme but ageneric construction that securely converts any secure PAKE

into MAKE Hence regarding criteria on a password ourconstruction depends on the properties that the basis PAKE

itself guarantees And also our scheme aims for a universalconstruction and thus it cannot guarantee or handle cri-teria on a smart card Moreover our scheme is the firstgeneric MAKE using a PUF for short there is no schemefor comparison However in view of generic construction wecompare our generic construction with other recent schemes


Table 1 Security criteria comparison

Scheme G C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12HXCZD [33] times times radic - - radic - radic radic - radic - radicYWMG [34] times times radic - - radic - radic radic - radic - radicFMA [35] radic times - - - radic - radic radic - radic - radicOur scheme radic times - - radic radic times radic radic - radic - radicG whether it is a generic compiler or not radic satisfied times unsatisfied - depending on the basis instantiations or not considered

Table 2 Efficiency comparison

Scheme G TFR1 TCC2 TSS3

HXCZD [33] times 4 le 2 sdot 119905119886 le 6 ℎ + 119891 ℎ + 119891YWMG [34] times 2 le 119905119886 le 3 2119890 + V + 119901119890 + 119891 + ℎ 2119890 + 119904 + 119901119889FMA [35] radic 10 le 119906 + 119901119908 + 119887 + 119901119896 + 2 le 14 3ℎ 3ℎOur scheme radic 5 le 119901119908 + 3 le 6 5ℎ + 2119890 + 119898 + 119901 5ℎ + 2119890 + 1198981TFR the total flow number of communications The notions 119906 119901119908 119887 119901119896 119905119886 respectively mean unauthenticated key exchange PAKE biometric-basedauthentication public key authentication and two-factor authentication protocols 2The total computation time for a user ℎ 119890 119898 computation time for hashexponentiation andMAC operations resp119901 119891 computation time for PUF fuzzy vault resp 119904 V computation time for a signature generation and verificationresp 3The total computation time for a server

in Table 1 (security) and Table 2 (efficiency) As explainedearlier we remind again that recent schemes [33 34] cannotbe a generic construction unlike their claims even thoughtheir subjects are on general construction However pleasenote that their constructions have been built up with theassumption of secure existing PAKE or TAKE Thus thosetwo schemes [33 34] have been analyzed with the FMA

[35] scheme in each table First we briefly summarize 12evaluation criteria introduced in [45]

(i) C1 The server never needs a database for user pass-word or verifier

(ii) C2 The user can freely choose and change a memo-rable password

(iii) C3 The server administrator should not be able toderive userrsquos password

(iv) C4 The scheme is strong against a smart card lossattack

(v) C5 The scheme is strong against off-line replayparallel session desynchronization stolen verifierimpersonation key control unknown key share andknown key attacks

(vi) C6 The user can revoke own card without changingits own identity

(vii) C7 The scheme provides a key agreement betweenparticipants

(viii) C8 The scheme is free from a clock synchronization(ix) C9 If a wrong password is typed by mistake any type

of notification is alarmed to the user(x) C10 The scheme provides a mutual authentication(xi) C11 The scheme protects usersrsquo identities(xii) C12 The scheme provides forward secrecy

51 Discussion on Security Criteria Our MAKE has beenbuilt up with a secure PAKE scheme From the PAKE ourcompiler securely adds other multiple factors to achieve anauthenticated key exchange Since the secure PAKE itselfhandles security of password our construction is free from itsrelated attacksThus in some criteria our schemedepends onhow the basis PAKE has been instantiated The same appliesto other schemes [33ndash35] It is because not only they havebeen constructed from secure initiations (general construc-tion) but also security criteria defined in [45] (Table 1) areactually motivated from two-factor authenticators (passwordand smart card) For instance a general MAKE constructionjust assumes multiple long-term secrets and does not takeaccount of how these secrets are maintained Thus a smartcard stolen attack (C4) cannot be considered in a general con-struction model In our model however we firstly use PUF

as an authenticator that is dependent on a hardware devicesuch as a smart card and C4 can be analyzed for comparisonEven if an adversary obtains PUF our scheme is still secureauthentication unless other secrets remain secure which isbetter criterion than others The criteria C2 C3 C4 C6 C9are closely related to the underlying PAKE or TAKE In par-ticular C1 evaluateswhether a database is required or not for apassword verifier In most TAKE schemes over a smart cardactually C1 may be easily attained It is because they assumea smart card that is capable enough to take a valid passwordas an input through a card reader and calculate a valid sharedsecret with a server if its input password is valid on a smartcard Afterwards the server just takes a step for checkingwhether the shared secret is valid or not which never requiresa password or password verifier on a server side Howeverin generic compiler setting first of all holding a smartcard is not necessary condition It just focuses on how tosecurely transform a secure primitive one into an integratedprimitive one One may argue that a general MAKE can besystematically constructed from a TAKE with a smart cardBut in this approach the underlying TAKE already includes


a smart card and it is hard (or not practical) to include anew hardware dependent PUFmore In conclusion in PUF

setting it is more reasonable to initiate PAKE (or AKE) firstand then construct MAKE by using PUF Table 1 shows thatour scheme is an accurate general MAKE construction withrelatively better security performances

52 Discussion on Efficiency Table 2 shows in generalconstruction setting that our scheme achieves better com-munication cost than the FMA [35] scheme The FMA

scheme executes many types of subprotocols for making ageneral MAKE It may guarantee better security from thesecure underlying subprotocols with simple implementationHowever two authentication factors are never used togetherfor one subprotocol and many types of subprotocols shouldbe initiated independently Hence it has a fundamentallimits in order to reduce the total communication cost InTable 2 we assume that a normal PAKE or TAKE can bedesigned in two communication flows without an authenti-cation This influences upper or lower bounding of TFR Inconclusion our scheme requires at most 6 communicationflows with no public key based setting such as a signatureused While the total communication flow is more greatlyenhanced than the FMA [35] our communication cost isnot better than the FMA This slight inefficiency is due tothe use of PUF and Diffie-Hellman keying materials forguaranteeing forward secrecy That is enhanced security andthe reduced total communication cost balance up this littlecomputation loss One interesting topic would be on how wecan design MAKE with PUF at the lower communicationbounding cost (119890119892 4 le 119901119908 + 2) Except the part of PAKEour compiler additionally needs three more communicationflows But by initiating PAKE we already share a commonkey This common secret can be used for making a finalsession key with slight modification For instance in ourprotocol a user can compute a final session key after receivingmessages in step (3) ignoring step (4) In the same wayupon messages of (2) a server can generate a final sessionkey before step (3) The messages in steps (2) and (3) canbe designed for just sharing ephemeral values and verifying(authentication) keying materials by using a shared keyfrom PAKE This construction remains one of future workincluding security analysis under rigorous security model

6 Concluding Remarks

In the paper we presented a general PUF-MAKE con-struction that securely transforms a PAKE into a MAKE

with a physically unclonable function Our constructionespecially takes a secure PAKE rather than taking the PKI-based (or non PKI-based) AKE as an input The reasonis that it naturally resolves a password issue such as off-line or on-line dictionary attacks For instance in case oftransforming a PKI-based AKE into a MAKE we shouldfirst go through a problem on how an easy-to-guess passwordcan be securely combined with the PKI-based AKE andbiometrics which would be much more harder than thecase of combining the PAKE with a long-term key andbiometrics Nevertheless in view of foundation works it

is quite meaningful to show the existence of PUF-MAKE

from PKI non-PKI-based AKE or other AKE primitivesIn addition we elaborated on two-party setting here but ageneral PUF-MAKE construction for a group setting wouldalso be a good future work

Data Availability

The data used to support the findings of this study areincluded in the article

Conflicts of Interest

The author declares that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by Basic Science ResearchProgram through the National Research Foundation ofKorea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B03032424)

References

[1] M Bellare and P Rogaway ldquoEntity authentication and keydistributionrdquo in Proceedings of the Crypto rsquo93 vol 773pp 232ndash249 LNCS Springer-Verlag 1993 Full version athttpwww-cseucsdeduusersmihir

[2] M Bellare D Pointcheval and P Rogaway ldquoAuthenticated keyexchange secure against dictionary attacksrdquo inProceedings of theEurocryptrsquo00 pp 139ndash155 LNCS Springer-Verlag 2000

[3] J Katz R Ostrovsky and M Yung ldquoEfficient password-authenticated key exchange using human-memorable pass-wordsrdquo in Proceedings of the EUROCRYPTrsquo01 vol 2045 pp475ndash494 LNCS 2001

[4] B LaMacchia K Lauter and A Mityagin ldquoStronger securityof authenticated key exchangerdquo in Proceedings of the ProvSec07vol 4784 pp 1ndash16 LNCS Springer-Verlag 2007

[5] M Abdalla and D Pointcheval ldquoInteractive diffie-hellmanassumptions with applications to password-based authentica-tionrdquo in Proceedings of the FC 2005 vol 3570 pp 341ndash356Springer-Verlag 2005

[6] M Abdalla P-A Fouque and D Pointcheval ldquoPassword-based authenticated key exchange in the three-party settingrdquo inProceedings of the PKC vol 3386 pp 65ndash84 Springer-Verlag2005

[7] E Bresson O Chevassut and D Pointcheval ldquoGroup diffie-hellman key exchange secure against dictionary attacksrdquo inProceedings of the Asiacryptrsquo02 vol 2501 pp 497ndash514 LNCSSpringer-Verlag 2002

[8] V Boyko P MacKenzie and S Patel ldquoProvably securepassword-authenticated key exchange using diffie-hellmanrdquoin Proceedings of Eurocrypt00 vol 1807 pp 156ndash171 LNCSSpringer-Verlag 2000

[9] P MacKenzie T Shrimpton and M Jakobsson ldquoThresholdpassword-authenticated key exchangerdquo in Proceedings of theCryptorsquo02 vol 2442 pp 385ndash400 LNCS Springer-Verlag 2002


[10] H-R Chung W-C Ku and M-J Tsaur ldquoWeaknesses andimprovement of Wang et alrsquos remote user password authenti-cation scheme for resource-limited environmentsrdquo ComputerStandards amp Interfaces vol 31 no 4 pp 863ndash868 2009

[11] R Song ldquoAdvanced smart card based password authenticationprotocolrdquo Computer Standards amp Interfaces vol 32 no 5-6 pp321ndash325 2010

[12] Y-Y Wang J-Y Liu F-X Xiao and J Dan ldquoA more efficientand secure dynamic ID-based remote user authenticationschemerdquoComputer Communications vol 32 no 4 pp 583ndash5852009

[13] M-S Hwang S-K Chong and T-Y Chen ldquoDoS-resistant ID-based password authentication scheme using smart cardsrdquoTheJournal of Systems and Software vol 83 no 1 pp 163ndash172 2010

[14] J Xu W-T Zhu and D-G Feng ldquoAn improved smart cardbased password authentication scheme with provable securityrdquoComputer Standards amp Interfaces vol 31 no 4 pp 723ndash7282009

[15] H-T Yeh H-M Sun and T Hwang ldquoSecurity analysis ofthe generalized key agreement and password authenticationprotocolrdquo IEEE Communications Letters vol 5 no 11 pp 462-463 2011

[16] K-H Yeh C Su N W Lo Y Li and Y-X Hung ldquoTwo robustremote user authentication protocols using smart cardsrdquo TheJournal of Systems and Software vol 83 no 12 pp 2556ndash25652010

[17] G Yang D S Wong H Wang and X Deng ldquoTwo-factormutual authentication based on smart cards and passwordsrdquoJournal of Computer and System Sciences vol 74 no 7 pp 1160ndash1172 2008

[18] S Halevi and H Krawczyk ldquoPublic-key cryptography andpassword protocolsrdquo ACM Transactions on Information andSystem Security vol 2 no 3 pp 230ndash268 1999

[19] D Stebila P Udupi and S Chang ldquoMulti-factor password-authenticated key exchangerdquo in Proceedings of the ACISP10 vol105 pp 56ndash66 2010

[20] X Huang X Chen J Li Y Xiang and L Xu ldquoFurtherobservations on smart-card-based password-authenticated keyagreement in distributed systemsrdquo IEEETransactions on Paralleland Distributed Systems vol 25 no 7 pp 1767ndash1775 2014

[21] W-S Juang S-T Chen and H-T Liaw ldquoRobust and efficientpassword-authenticated key agreement using smart cardsrdquoIEEE Transactions on Industrial Electronics vol 55 no 6 pp2551ndash2556 2008

[22] D Z Sun J P Huai J Z Sun J W Zhang and Z Y FengldquoImprovements of juang et alrsquos password-authenticated keyagreement scheme using smart cardsrdquo IEEE Transactions onIndustrial Electronics vol 56 no 6 pp 2284ndash2291 2009

[23] D Wang W Li and P Wang ldquoMeasuring two-factor authenti-cation schemes for real-time data access in industrial wirelesssensor networksrdquo IEEE Transactions on Industrial Informaticsvol 14 no 9 pp 4081ndash4092 2018

[24] F Wu L Xu S Kumari and X Li ldquoA new and secureauthentication scheme for wirless sensor networks with formalproofrdquo Peer-to-Peer Networking and Applications vol 32 no 1pp 16ndash30 2017

[25] J Srinivas S Mukhopadhyay and D Mishra ldquoSecure andefficient user authentication scheme for multi-gateway wirelesssensor networksrdquo Ad Hoc Networks vol 54 pp 147ndash169 2017

[26] D Pointcheval and S Zimmer ldquoMulti-factor authenticated keyexchangerdquo in Proceedings of the ACNSrsquo08 vol 5037 pp 277ndash295LNCS 2008

[27] T ElGamal ldquoA public key cryptosystem and a signature schemebased on discrete logarithmsrdquo in Proceedings of the CRYPTO1984 vol 196 pp 10ndash18 Springer-Verlag 1985

[28] F Hao and D Clarke ldquoSecurity analysis of a multi-factorauthenticated key exchange protocolrdquo Cryptology ePrintArchive Report 2012039 2012

[29] C-I Fan and Y-H Lin ldquoProvably secure remote truly three-factor authentication scheme with privacy protection on bio-metricsrdquo IEEE Transactions on Information Forensics and Secu-rity vol 4 no 4 pp 933ndash945 2009

[30] Y Liu F Wei and C Ma ldquoMulti-factor authenticated keyexchange protocol in the three-party settingrdquo in Proceedings ofthe Inscryptrsquo10 vol 6584 pp 255ndash267 2010

[31] D He and D Wang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 2015

[32] F-S Wei Q Jiang R-J Zhang and C-G Ma ldquoA privacy-preserving multi-factor authenticated key exchange protocolwith provable security for cloud computingrdquo Journal of Infor-mation Science and Engineering vol 33 no 4 pp 907ndash921 2017

[33] X Huang Y Xiang A Chonka J Zhou and R H Deng ldquoAgeneric framework for three-factor authentication Preservingsecurity and privacy in distributed systemsrdquo IEEE Transactionson Parallel and Distributed Systems vol 22 no 8 pp 1390ndash13972011

[34] J Yu G Wang Y Mu and W Gao ldquoAn efficient genericframework for three-factor authenticationwith provably secureinstantiationrdquo IEEE Transactions on Information Forensics andSecurity vol 9 no 12 pp 2302ndash2313 2014

[35] N Fleischhacker M Manulis and A Azodi ldquoModular designand analysis framework for multi-factor authentication and keyexchangerdquo Cryptology ePrint Archive Report 2012181 2012

[36] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquoin Proceedings of the EUROCRYPTrsquo04 vol 3027 pp 523ndash540LNCS Springer 2004

[37] A Sadeghi I Visconti and C Wachsmann ldquoPUF-enhancedRFID security and privacyrdquo in Proceedings of the SECSI 2010Germany 2010

[38] K B Frikken M Blanton and M J Atallah ldquoRobust authenti-cation using physically unclonable functionsrdquo in Proceedings ofthe ISCrsquo09 vol 5735 pp 262ndash277 LNCS Springer 2009

[39] C Brzuska M Fischlin H Schroder and S KatzenbeisserldquoPhysically unclonable functions in the universal compositionframeworkrdquo in Proceedings of the CRYPTOrsquo11 vol 6841 pp 51ndash70 LNCS 2011

[40] M V Dijk and U Ruhrmair ldquoPhysical unclonable functionsin cryptographic protocols security proofs and impossibilityresultsrdquo Cryptology ePrint Archive Report 2012228 2012

[41] A C D Resende K Mochetti and D F Aranha ldquoPUF-basedmutual multifactor entity and transaction authentication forsecure bankingrdquo LightSec vol 9542 pp 77ndash96 2015

[42] DWang H Cheng PWang X Huang and G Jian ldquoZipf rsquos lawin passwordsrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 11 pp 2776ndash2791 2017

[43] D Wang and P Wang ldquoOn the Implications of Zipfs Law inPasswordsrdquo in Proceedings of the ESORICS16rsquo vol 9878 pp 111ndash131 2016

[44] V Shoup ldquoSequences of games a tool for taming complexity insecurity proofsrdquo Cryptology ePrint Archive Report 20043322004


[45] D Wang and P Wang ldquoTwo Birds with One Stone Two-FactorAuthentication with Security beyond Conventional BoundrdquoIEEE Transactions on Dependable and Secure Computing vol15 no 4 pp 708ndash722 2018

[46] E Erdem and M T Sandikkaya ldquoOTPass-One Time Passwordas a Servicerdquo IEEE Trans on Information Forensics and Securityvol 14 no 3 pp 743ndash756 2019

[47] H Luo G Wen and J Su ldquoLightweight three factor schemefor real-time data access in wireless sensor networksrdquo WirelessNetworks pp 1ndash16 2018

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


the HK scheme into two-factor scheme and is not be able tohandle all kinds of secure PAKE for building TAKE In 2010Stebila et al suggestedmultifactor password-based AKE [19]It has been designed to allow multiple kinds of passwordsMore precisely this protocol deals with multiple passwordsfor authentication (note that biometrics is not included at all)Hence it is fair to say that it falls into the TAKE protocolBesides the protocol relies on the PKI environment andrandom oracle model for security proof In 2014 Huanget al have presented new types of adversaries with pre-computed and different data on the smart card in a TAKE

setting [20] Two TAKE schemes [21 22] have been analyzedand securely revised under the new adversaries [20] In2018 Wang and Wang have syntagmatically and universallydefined an explicit and new security model with practicaladversariesrsquo capabilities for a TAKE setting Also a new andsecure TAKE scheme satisfying all security criteria has beensuggested Very recently Wang et al have also proposeda new framework for evaluating security efficiency andscalability for a TAKE wireless sensor network [23] Underthe framework two existing schemes [24 25] have beenfound to be flawed [23] Furthermore 44 TAKE schemeshave been universally compared and analyzed It is one of thesystematic comparisons over such vast amounts of research

A multifactor AKE (for short MAKE) deals with threetypes of authentication factors (secret password and bio-metrics) The main advantage of MAKE over TAKE is itsability to preserve the security even if one or two authenti-cation factors are compromised Despite its merits relativelythe MAKE has been received less attention in the literaturethan the TAKE In 2008 Pointcheval and Zimmer havedesigned a provably secure MAKE protocol (for short PZ)under computational Diffie-Hellman assumption [26] It usesan ElGamal public key encryption [27] for securing biometricinformation However in 2012 it has been found to beinsecure by Hao and Clarke [28]The insecurity of PZ is thatan attacker who steals a password is able to deduce biometricinformation After the PZ there have been attempts todesign a MAKE in smartcard cloud computing three-partyand multiserver environments [29ndash32] In 2009 Fan et alhave proposed a public key based MAKE in a smartcardsetting [29] It protects usersrsquo biometric data from anyoneelse including a server while allowing secure authenticationLater the PZ has been extended into three-party setting byLiu et al [30] It has been the first work on addressing thethree-party setting that assumes an intervention of trustyparty between a client and a server A new MAKE based onelliptic curve has been suggested in a multiserver setting byHe et al in 2015 [31] Very recently Wei et al have presenteda privacy-preserving multifactor authenticated key exchangefor cloud computing [32] It has achieved better efficiencythan the PZ in terms of computation and bandwidth costs

11 Related Works Our goal is to construct a securegeneric PUF-based MAKE protocol from any secure PAKE

protocol To the best of our knowledge a PUF-based MAKE

protocol has not been proposed yet in the literature Howeverregarding generic MAKE constructions which are not basedon PUF there have been few results in recent years First

in 2011 Huang et al have designed a generic transformationthat combines any secure PAKE in the smartcard settingwith biometrics for building a MAKE [33] Their main ideais to execute a TAKE twice They use a fuzzy extractor tohandle userrsquos biometrics Later it has been enhanced by Yuet al in 2014 [34] Its enhanced version applied a fuzzyvault based on euclidian distance for handling biometricfeatures And also it used a TAKE just once Despite itsefficiency and novelty these two constructions have beenbuilt under a PKI setting where participants must be allowedto sign (verify) and encrypt (decrypt) based on public keycryptography Moreover one critical problem is that thesetwo constructions [33 34] have not been built in a genericway For example in [34] they first make 119901119908 = 119867(1199011199081 119887119894119900) and apply 119901119908 into a TAKE where 1199011199081 is a password119887119894119900 is a biometric information and 119867 is a cryptographicsecure hash function Depending on what kind of TAKE

is being used an input of 119901119908(= 119867(1199011199081 119887119894119900)) is notalways an input for TAKE For instance if TAKE uses astructure 119892119901119908 (or 119864119901119908(sdot)) inside then before application119901119908(= 119867(1199011199081 119887119894119900)) should be customized as 119891(119901119908) where119891 is a function that converts an input to a cyclic group elementoutput (or fixed length output eg 128 bits 256 bits) In [34]they select a good but specific TAKE [17] and demonstratehow it can be initiated to build a final MAKE It does notmean that their generic MAKE is able to cover all casesof TAKE One important observation from this issue is that ageneric MAKE should execute a TAKE first and then use itssession key for integrating multifactor authenticators ratherthan executing TAKE with an integration of multifactorauthenticators

Fleischhacker et al have presented a generic MAKE con-struction (for short FMA) by combining subprotocols suchas unauthenticated key exchange password-based authen-tication (password) public key authentication (secret key)and biometric authentication protocols (biometric) [35] Themain idea is that it uses subprotocols independently forbuilding a general MAKE This approach guarantees notonly better security but also simplicity for implementationHowever it does not allow two authentication factors to beused together for one subprotocol hence it has a limitationto enhance the total communication cost

12 Motivation In the paper we firstly attempt to use aphysical unclonable function (PUF) for generally building asecure MAKE The PUF is basically embedded in a deviceat manufacturing stage It always produces an unpredictableoutput depending on devicersquos physical status and it cannot beduplicated or cloned over a new device This unpredictabilityhas been one of the good properties for enhancing securityin cryptology However if the PUF always outputs differentunpredictable result then its output itself cannot become asecret key A secret key in cryptology should be not onlyunpredictable but also the same value when it is used fora secret key of encryption decryption and authenticationFor this reason generally a fuzzy extractor (FE) has beenused with the PUF for making a secure fixed secret fromthe unpredictable PUFrsquos outputs In fact much research onhow the PUF can be securely combined with the existing










2 Preliminaries








A119901119906119891(119896) is defined


1199011199061198910A119901119906119891


1199011199061198911A119901119906119891


120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891

(119896) = 1]100381610038161003816100381610038161003816 (1)



(2)



DEVICE

PUF

secret key

biometrics

PAKEpassword

authentication keys

Hashfunction

sessionkey

r




(3)




22 PRF and DDH





119865119870 = 1 119870 119877larr997888 K (119865)]

minus Pr [119861119865 = 1 119865 119877larr997888 119880119865119870]1003816100381610038161003816100381610038161003816 le 120598119901119903119891

(4)





lowast119902 ]


(5)





Experiment Exp119888119898119886A119898119886119888

119896 119877larr997888MKey





Adk119888119898119886A119898119886119888

(119879119898 119896) = Pr [Exp119888119898119886A119898119886119888

(119879119898 119896) = 1] (6)






(1) 119870 119877larr997888 Key





Adv119888119888aA119904119890

(119896) = 2Pr [119887 = 1198871015840] minus 1 (7)




















answer



119898
















119878119895119898



(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)






1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries




(8)





119898) neither119880119894


1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries






119898 2) and Corrupt(119880119894119898 3)







119898) neither 119880119894119898


and Send119898(119880 119894119872) query




Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)






119901119886119896119890119875119904119896



119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840






119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia











2 Preliminaries








A119901119906119891(119896) is defined


1199011199061198910A119901119906119891


1199011199061198911A119901119906119891


120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891

(119896) = 1]100381610038161003816100381610038161003816 (1)



(2)



DEVICE

PUF

secret key

biometrics

PAKEpassword

authentication keys

Hashfunction

sessionkey

r




(3)




22 PRF and DDH





119865119870 = 1 119870 119877larr997888 K (119865)]

minus Pr [119861119865 = 1 119865 119877larr997888 119880119865119870]1003816100381610038161003816100381610038161003816 le 120598119901119903119891

(4)





lowast119902 ]


(5)





Experiment Exp119888119898119886A119898119886119888

119896 119877larr997888MKey





Adk119888119898119886A119898119886119888

(119879119898 119896) = Pr [Exp119888119898119886A119898119886119888

(119879119898 119896) = 1] (6)






(1) 119870 119877larr997888 Key





Adv119888119888aA119904119890

(119896) = 2Pr [119887 = 1198871015840] minus 1 (7)




















answer



119898
















119878119895119898



(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)






1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries




(8)





119898) neither119880119894


1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries






119898 2) and Corrupt(119880119894119898 3)







119898) neither 119880119894119898


and Send119898(119880 119894119872) query




Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)






119901119886119896119890119875119904119896



119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840






119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



DEVICE

PUF

secret key

biometrics

PAKEpassword

authentication keys

Hashfunction

sessionkey

r




(3)




22 PRF and DDH





119865119870 = 1 119870 119877larr997888 K (119865)]

minus Pr [119861119865 = 1 119865 119877larr997888 119880119865119870]1003816100381610038161003816100381610038161003816 le 120598119901119903119891

(4)





lowast119902 ]


(5)





Experiment Exp119888119898119886A119898119886119888

119896 119877larr997888MKey





Adk119888119898119886A119898119886119888

(119879119898 119896) = Pr [Exp119888119898119886A119898119886119888

(119879119898 119896) = 1] (6)






(1) 119870 119877larr997888 Key





Adv119888119888aA119904119890

(119896) = 2Pr [119887 = 1198871015840] minus 1 (7)




















answer



119898
















119878119895119898



(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)






1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries




(8)





119898) neither119880119894


1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries






119898 2) and Corrupt(119880119894119898 3)







119898) neither 119880119894119898


and Send119898(119880 119894119872) query




Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)






119901119886119896119890119875119904119896



119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840






119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





(1) 119870 119877larr997888 Key





Adv119888119888aA119904119890

(119896) = 2Pr [119887 = 1198871015840] minus 1 (7)




















answer



119898
















119878119895119898



(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)






1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries




(8)





119898) neither119880119894


1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries






119898 2) and Corrupt(119880119894119898 3)







119898) neither 119880119894119898


and Send119898(119880 119894119872) query




Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)






119901119886119896119890119875119904119896



119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840






119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119878119895119898



(pid119880119894119898 = 119878119895119898 pid119878119895119898 = 119880119894119898)






1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries




(8)





119898) neither119880119894


1) Corrupt(119880119894119898 2) Corrupt(119880119894

119898 3) Corrupt(119880119894119898 4) queries

and Send119898(119880 119894119872) queries






119898 2) and Corrupt(119880119894119898 3)







119898) neither 119880119894119898


and Send119898(119880 119894119872) query




Adv119898119886119896119890119875119904119896 (A 119879 119896) le 1198621015840 sdot 1199021199041015840

119904 + 120576 (119896) (9)






119901119886119896119890119875119904119896



119875119904119896(A 119879 119896) le

1198621015840 sdot 1199021199041015840






119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




119901119886119896119890


Adv119891119904minus119901119886119896119890









Succ119898119886119875 (A 119879 119896) le 120576 (119896) (10)




41 Notation





0 11198971 1198672 0 11198992 997888rarr 0 11198972 1198673 0 11198993 997888rarr0 11198973























Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










Adv119898119886119896119890119875119904119896 (A 119879 119896) le 2Adv119901119886119896119890

119875119904119896(A119901 119879119886 119896) + 2120598119901119906119891

+ +11990221198673

21198973 + (119902119904119898+ 119902119904119890

)222119901+1

+ 2Adv119889119889ℎA119889119889ℎ(119879119863G)

+ 4Adv119888119898119886A119898119886119888

(119879119898119886119888 119896)

Succ119898119886119875 (A 119879 119896) le 1199022

119904119898(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896 (A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G)+ 2Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(11)

where 119879119886 119879119863 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119879119898119886119888 ge 119879 + 119879119891(119902119905 + 119902V)119902119904119898




Adv119898119886119896119890119875119904119896 (A 119879 119896) = 2Pr [S0] minus 1

Succ119898119886119875 (A 119879 119896) = Pr [Succ0]

(12)




protocol

1003816100381610038161003816Pr [S0] minus Pr [S1]1003816100381610038161003816 = Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) (13)

where 119879119886 ge 119879 + 119902119904119898(119879119891 + 119879119890 + 119879ℎ) 119902119904119898




(resp 1205751198672 1205751198673


(resp 1205751198672 1205751198672


follows






















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia















Adv119901119886119896119890

119875119904119896(1198791015840A119901 119896) = 2Pr [119887 = 1198871015840] minus 1


(14)






120598119901119906119891 = 100381610038161003816100381610038161003816Pr [Exp1199011199061198911A119901119906119891

(119896) = 1] minus Pr [Exp1199011199061198910A119901119906119891


10038161003816100381610038161003816= 1003816100381610038161003816Pr [S1] minus Pr [S2]1003816100381610038161003816

(15)



1 12057210158402 |

12057310158401 1205731015840




+ 119902119904119890)222(119902+1) where 119902119904119898




21198973+1 + (119902119904119898+ 119902119904119890

)222(119902+1)

(16)






A119898119886119888(119879119898119886119888 119896)

(17)














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia














(119879119891 + 119879119890 + 119879ℎ)Adv

119889119889ℎA119889119889ℎ

(119879119863G)= 10038161003816100381610038161003816Pr [A119889119889ℎ (119892119909 119892119910 119892119909119910) = 1 119909 119910 larr997888 Z

lowast119902 ]



(18)



Pr [S5] = 12 (19)


Pr [S0] le Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891 + 11990221198673

21198973+1

+ (119902119904119898+ 119902119904119890

)222(119901+1) + Adv

119889119889ℎA119889119889ℎ

(119879119863G) + 2

sdot Adv119888119898119886A119898119886119888

(119879119898119886119888 119896) + 12

(20)


11990411989821198971+1 1199022

11990411989821198972+1

respectively

Pr [Succ5] le1199022119904119898

21198971+1 + 1199022s119898

21198972+1(21)




4

sum119894=0

Δ 119894

le 1199022119904119898

(21198971+1 + 21198972+1)21198971+1198972+2

+ Adv119901119886119896119890119875119904119896

(A119901 119879119886 119896) + 120598119901119906119891

+ 11990221198673

21198973+1 + (119902119904119898+ 119902119904119890

)222(119901+1)

+ Adv119889119889ℎA119889119889ℎ

(119879119863G) + 2sdot Adv119888119898119886

A119898119886119888(119879119898119886119888 119896)

(22)



































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia































Data Availability




Acknowledgments


References




















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia












































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


a generic multifactor authenticated key exchange with...

Documents