Towards post-quantum authenticated key agreement scheme for mobile devices
Keywords: Mobile device communication; Authentication; Key agreement; Lattice based cryptography; Quantum security

Mobile device communication enables mobile devices to connect with each other, exchange data, and access services, where security is a crucial aspect to protect sensitive data and privacy. Authenticated key agreement (AKA) protocols ensure authorized and secure communication in such environments. As the security of current AKA protocols relies on the hardness of the discrete logarithm or factorization problems, they face a greater threat in the post-quantum world. Consequently, Ding et al. created a lattice-based AKA scheme for the quantum world. Although the protocol is simple for mobile devices, it is susceptible to insider attacks. Moreover, the scope for efficiency enhancement of this protocol needs to be explored. Therefore, to provide a secure and efficient solution, a new lattice-based AKA scheme is proposed in this paper. It is designed with the idea of zero knowledge-based authentication. Further, our protocol resists key mismatch and signal leakage attacks and supports reuse of the server's private key, perfect forward secrecy, and anonymity. Additionally, we discuss how our protocol compares in computational complexity with other zero knowledge-based authenticated key agreement systems.
∗ Corresponding author.
E-mail address: [email protected] (K. Pursharthi).
https://doi.org/10.1016/j.jisa.2024.103754
of public key cryptosystems that can withstand the danger of quantum computing. One of the most efficient and secure post-quantum cryptographic primitives is RLWE-based KE. Since then, numerous AKA systems using lattices have been presented as alternatives to traditional AKA schemes. The error reconciliation technique and the encryption-based technique can be used to develop AKA protocols from hard problems on lattices.

The first post-quantum KE was suggested by Ding et al. [10], where the KE design is constructed on the RLWE assumption. In 2014, Peikert et al. [11] developed the reconciliation idea that enables both parties to extract the session key from an approximately agreed pseudorandom ring element. On the idea that post-quantum key exchange will provide forward secrecy against potential quantum attackers, while authentication will be provided using RSA keys under current commercial certificate authorities, Bos et al. [12] proposed an approach in 2015 that ties lattice-based KE together with conventional authentication using RSA. In 2016, Bos et al. [13] proposed a KE protocol to further reduce bandwidth usage in Ding's protocol. Alkim et al. [14] revisited the instantiation and stand-alone implementation of [12]. Continuing the idea of [12], they introduced a new, more effective error-reconciliation scheme and a new set of parameters; they also recommended a defence against backdoors and all-for-the-price-of-one attacks and conducted a conservative analysis of the protocol's hardness against threats by highly scalable quantum computers. In 2017, Ding et al. [15] applied the method introduced in [10] to design a two-party lattice-based password authenticated key exchange protocol. Feng et al. [16] proposed an ideal lattice-based anonymous authentication protocol for mobile client–server environments in 2018. In 2020, Islam [17] designed a two-party AKA scheme based on the hardness of the RLWE problem on lattices.

All of the above-discussed schemes were found vulnerable to attack due to leakage of signal values [18]. Ding et al. [19] presented a signal leakage attack (SLA) on [10]. As a countermeasure to this attack, KERK (Key Exchange with Reusable Keys) was published as the Ding Key Exchange NIST candidate, but Wang et al. [20] found that this solution is susceptible to the key mismatch attack (KMA). In 2019, Ding et al. [21] proposed a key exchange scheme as a countermeasure to both attacks using the idea of a zero knowledge-based authentication protocol [22].

Secure communication in corporations, organizations, and sectors depends on mobile multimedia security. Motivated to construct an AKA scheme that ensures security in the post-quantum world, Feng et al. [16] suggested an anonymous authentication scheme for mobile devices on the hard problem of lattices. This scheme is susceptible to SLA; it is also susceptible to manipulation-based attacks, spoofing attacks and user anonymity breaching attacks [23]. Inspired by this scheme, Dabra et al. [23] suggested an LBAKA protocol for cellular devices. This protocol supports perfect forward secrecy and anonymity features. This scheme is also found vulnerable to SLA when the master key is reused [24]. To further analyse and improve it, Ding et al. [24] proposed an enhanced AKA scheme. We find that it is vulnerable to insider attacks, password guessing attacks and stolen device attacks. Also, it is claimed to be secure against key-reuse attacks. However, our analysis shows that the key-reuse attack still works, since the static key is not completely protected. According to their construction, $x_s$ is known to the adversary, so it can further compute $H_1(x_s)$, which is the value of $d$ used to conceal the private key of the server. The attacker can suitably choose $x_j$ and communicate with $S$ to get $\omega_s$. Using the value of $d$, the attacker can seek to recover the static $s$ using the leakage of signal values [19]. In addition, there is redundant computation and weak authentication in their scheme. Also, unnecessary parameters are stored in the server's database. To overcome the weaknesses of [24], we propose a post-quantum secure and efficient lattice-based AKA scheme for mobile devices in this paper. In 2023, Song et al. [25] proposed an AKA scheme. In this scheme, we have found that there is no verification of user credentials in the authentication phase.

1.1. Motivation

Recent research [23,24] emphasises the requirement of AKA schemes for mobile devices that resist SLA and KMA. [23] was found vulnerable to the signal leakage attack by [24]. By analysing the protocol of [24], we find that this scheme has missed some key requirements of strong authentication and key exchange. We list the weaknesses of [24] as follows:

• Insider attack: the server stores different authentication parameters corresponding to each user. With an increase in the number of users, the secure database grows, which leads to insider threats. As authentication depends only on the stored $PW_i$, which is communicated by the user, the server can never compute the authentication value itself and verification has to remain dependent only on stored values. Thus, any insider threat or loss of data may collapse the system.
• Weak authentication: There is no user authentication in their scheme. The server cannot verify the validity of user communication.
• Inefficient login phase: The mobile device executes login without verification.
• Key reuse attack: The static key is not completely protected. According to their construction, $x_s$ is known to the adversary, so it can further compute $H_1(x_s)$, which is the value of $d$ used to conceal the private key of the server. The attacker can suitably choose $x_j$ and communicate with $S$ to get $\omega_s$. Using the value of $d$, the attacker can seek to recover the static $s$ using the leakage of signal values [19].

In addition, there is redundant computation, as the computed value $H(ID_i \parallel s^*)$ is not directly used in authentication. Further, $s^*$ is stored unnecessarily in the server's database corresponding to each user, as the server does not use $s^*$ to verify $U_i$. Therefore, to overcome the vulnerabilities of [24], we propose an AKA protocol for mobile devices which provides strong authentication, is secure against SLA and KMA, and has improved computation complexity.

1.2. Contribution

The main contributions of this paper are listed below:

• To remove the security flaws of [24] (presented in the motivation section), we have devised an RLWE-based AKA for mobile devices. In our suggested method, a mobile user establishes a broadly safe, high-entropy SK (session key) and an authentication mechanism with the server via a public channel.
• We have identified the possibility of a key reuse attack on the scheme in [24], since the static key is not completely protected. According to their construction, $x_s$ is known to the adversary, so it can further compute $H_1(x_s)$, which is the value of $d$ used to conceal the private key of the server. The attacker can suitably choose $x_j$ and communicate with $S$ to get $\omega_s$. Using the value of $d$, the attacker can seek to recover the static $s$ using the leakage of signal values according to the attack presented in [19].
• Our protocol resists SLA and KMA. In addition, it supports key reuse, perfect forward secrecy, and anonymity features.
• The security proof of the suggested AKA protocol has been provided using the widely acknowledged Random Oracle Model (ROM).
• Further, the suggested AKA scheme and existing relevant schemes have been executed on the same mobile client–server system for the comparison of computation cost. The performance analysis shows that the suggested AKA scheme is more efficient than existing schemes in the mobile client–server environment.
K. Pursharthi and D. Mishra Journal of Information Security and Applications 82 (2024) 103754
2. Preliminaries

The essential terminology and notions of RLWE, along with the numerous symbols used in this work, are covered in this part. We also go through a few of the lemmas that we will utilize to prove the correctness of the proposed approach. Here, we take $\mathbb{Z}$, $n$, $\rho$, where $\mathbb{Z}$ is the set of integers, $n \in \mathbb{Z}$ with $n = 2^m$, and $\rho$ is an odd prime. Let us consider the two rings $\mathbb{Z}[x]$ and $\mathbb{Z}_\rho[x]$ over $\mathbb{Z}$. Take $Q = \mathbb{Z}[x]/(x^n + 1)$ and $Q_\rho = \mathbb{Z}_\rho[x]/(x^n + 1)$. Let $t \in Q$ be any member. It can be represented as $t = t_0 + t_1 x + t_2 x^2 + \cdots + t_{n-1} x^{n-1}$. The 2- and $\infty$-norms of $t$ are defined as
$$\|t\|_2 = \sqrt{t_0^2 + t_1^2 + \cdots + t_{n-1}^2}, \qquad \|t\|_\infty = \max_{0 \le i \le n-1} |t_i|.$$
Let $\chi_\alpha$ denote the discrete Gaussian distribution for a given $\alpha \in \mathbb{R}^+$.

Lemma 2.1. For $a, b \in Q$, the inequalities $\|a \cdot b\|_2 \le \sqrt{n}\,\|a\|_2\|b\|_2$ and $\|a \cdot b\|_\infty \le n\,\|a\|_\infty\|b\|_\infty$ hold.

Lemma 2.2. The relationship $\Pr_{a \leftarrow \chi_\alpha}[\|a\| > \alpha\sqrt{n}] \le 2^{-n+1}$ holds for all $\alpha$ of the form $\alpha = \omega(\sqrt{\log n})$, where $\alpha \in \mathbb{R}^+$.

Let $\mathbb{Z}_\rho = \{-\frac{\rho-1}{2}, \ldots, \frac{\rho-1}{2}\}$ and $F = \{-\lfloor \rho/4 \rfloor, \ldots, \lfloor \rho/4 \rfloor\} \subset \mathbb{Z}_\rho$. The characteristic function $Cha$ is defined as
$$Cha(y) = \begin{cases} 0, & \text{if } y \in F \\ 1, & \text{if } y \notin F \end{cases} \qquad \text{for any } y \in \mathbb{Z}_\rho.$$
The function $\Psi_2 : \mathbb{Z}_\rho \times \{0,1\} \to \{0,1\}$ is constructed as $\Psi_2(x, t') = \big((x + t' \cdot \frac{\rho-1}{2}) \bmod \rho\big) \bmod 2$, where $x \in \mathbb{Z}_\rho$ and $t' = Cha(x)$. A lemma that holds for $\Psi_2$ is given below.

Lemma 2.3. $\Psi_2(x, t) = \Psi_2(y, t)$ holds for given $\rho$ and $x, \epsilon \in Q_\rho$ with $|\epsilon| < \rho/8$ and $y = x + 2\epsilon$.

Any member $v = v_0 + v_1 x + v_2 x^2 + \cdots + v_{n-1} x^{n-1} \in Q_\rho$ can be represented as $v = (v_0, v_1, \ldots, v_{n-1})$. For vectors $v = (v_0, v_1, \ldots, v_{n-1})$ and $u = (u_0, u_1, \ldots, u_{n-1}) \in \{0,1\}^n$, we apply $Cha$ and $\Psi_2$ coefficient-wise:
$$Cha(v) = (Cha(v_0), Cha(v_1), \ldots, Cha(v_{n-1})), \qquad \Psi_2(v, u) = (\Psi_2(v_0, u_0), \Psi_2(v_1, u_1), \ldots, \Psi_2(v_{n-1}, u_{n-1})).$$
In this way, we have extended $Cha$ and $\Psi_2$ to the ring $Q_\rho$.

2.1. Ring learning with errors

Various hard mathematical problems are defined on lattices. These challenges inspire the construction of quantum-safe cryptographic systems based on ideal lattices. RLWE is defined below.

• RLWE: Take the distribution $\chi_\alpha$ and $W' \in Q_\rho$, and let $\Delta_{W', \chi_\alpha}$ be the distribution of pairs $(a', a' + \epsilon) \in Q_\rho \times Q_\rho$ ($a' \in Q_\rho$, $\epsilon \leftarrow \chi_\alpha$, $\epsilon \ne a'$). Then $RLWE_{\rho,\alpha}$ says that any polynomial-time opponent is incapable of distinguishing $\Delta_{W', \chi_\alpha}$ from the uniform distribution on $Q_\rho \times Q_\rho$.

3. Proposed AKA scheme

The proposed authentication and key agreement scheme for the mobile client–server environment comprises three phases, namely (1) the setup phase, (2) the user registration phase, and (3) the login and authentication phase. The detailed description of these phases is provided in the following subsections.

All the symbols used in our study are described in Table 1. The setup phase is carried out by the server $S$, which uses a random $s_j \leftarrow \chi_\alpha$ as its private key. Generation of parameters by the server is described as follows:

• $S$ takes $\rho$ as a prime number and $n = 2^m$, where $m > 0$, $m \in \mathbb{Z}$.
• $S$ takes $\chi_\alpha$ and $a \in Q_\rho$, where $\alpha \in \mathbb{R}$, $\alpha > 0$.
• $S$ samples $s_j, e_j \leftarrow \chi_\alpha$ and computes $p_j = a \cdot s_j + 2 \cdot e_j$ as its static public key.
• $S$ takes $H_0 : \{0,1\}^* \to \{0,1\}^\ell$ as a hash function with a predefined output length $\ell$, and $H_1 : \{0,1\}^* \to \chi_\alpha$.
• $S$ broadcasts $n, \rho, \chi_\alpha, a, p_j, H_0$ and $H_1$ as public parameters and retains $s_j$ as its secret key.

Table 1
Description of symbols used in our scheme.

| Notation | Description |
|---|---|
| $U_i$ | $i$th user |
| $S$ | Server |
| $Bio_i$ | Biometric of $U_i$ |
| $H_b(\cdot)$ | Biohashing function |
| $H_0(\cdot)$ | Hash function |
| $H_1(\cdot)$ | Maps $\{0,1\}^* \to \chi_\alpha$ |
| $\chi_\alpha$ | Gaussian distribution |
| $a$ | $a \in Q_\rho$, public parameter |
| $s_j \in \chi_\alpha$ | Private key |
| $p_j = a \cdot s_j + 2 \cdot e_j$, where $e_j \in \chi_\alpha$ | Public key |

3.2. Registration phase

• $U_i$ sends a registration request to the server via a secure channel.
• After receiving the request of $U_i$, the server selects a random $PID_i$, computes $KU_i = H_0(PID_i \parallel s_j)$, and sends the message $\langle KU_i, PID_i \rangle$ to $U_i$.
• After receiving the message $\langle KU_i, PID_i \rangle$ from $S$, the user selects $Pw_i$, inputs $Bio_i$, computes $B_i = H_b(Bio_i)$, $A_i = KU_i \oplus H_0(Pw_i, B_i)$, $V_i = H_0(KU_i, Pw_i, B_i)$ and stores $A_i, PID_i, V_i$ in his/her mobile device. All the steps of the registration process are described in Table 2.

3.3. Login and authentication phase

• $U_i$ inputs $Pw_i$, imprints $Bio_i$ and computes $B_i = H_b(Bio_i)$ and $KU_i = A_i \oplus H_0(Pw_i \parallel B_i)$. For verification, $U_i$ computes $V_i' = H_0(KU_i, Pw_i, B_i)$ and checks that $V_i' = V_i$ holds.
• If the verification is successful, then user $U_i$ chooses random samples $r_i, e_i \xleftarrow{R} \chi_\alpha$, computes $x_i = a \cdot r_i + 2 \cdot e_i$, $c = H_1(x_i \parallel KU_i)$, $\Sigma_i = H_0(x_i, KU_i, c)$, and sends $\langle PID_i, x_i, T_i, \Sigma_i \rangle$ to $S$, where $T_i$ is the time stamp.
• After receiving the message $\langle x_i, \Sigma_i, PID_i, T_i \rangle$ from $U_i$, $S$ verifies the freshness of the timestamp. Then it computes $KU_j = H_0(PID_i \parallel s_j)$ and $c = H_1(x_i \parallel KU_j)$. After that, it computes $\Sigma_i' = H_0(x_i, KU_j, c)$ and checks that $\Sigma_i' = \Sigma_i$.
• After verification, the server computes $d = H_1(\Sigma_i \parallel KU_j)$, and selects $e'_j \leftarrow \chi_\alpha$ to compute $k_j = (x_i s_j + 2c)d + 2e'_j$, $\omega_j = Cha(k_j)$, $\sigma_j = \Psi_2(k_j, \omega_j)$ and $\Sigma_j = H_0(\sigma_j, KU_j, d)$. Finally, the server computes the session key $sk_j = H_0(\sigma_j, p_j, x_i, \omega_j)$ and sends $\langle \omega_j, \Sigma_j \rangle$ to $U_i$.
• After obtaining $\langle \omega_j, \Sigma_j \rangle$ from the server, $U_i$ computes $d = H_1(\Sigma_i \parallel KU_i)$, and chooses $e'_i \leftarrow \chi_\alpha$ to compute $k_i = (p_j r_i + 2c)d + 2e'_i$ and $\sigma_i = \Psi_2(k_i, \omega_j)$, and verifies $\Sigma_j = H_0(\sigma_i, KU_i, d)$. If the condition holds, then it computes the session key as $sk_i = H_0(\sigma_i, p_j, x_i, \omega_j)$. All the steps of the login and authentication phase are described in Table 3. The communication flow of the login and authentication phase is described in Fig. 1.

Correctness of our protocol:

Theorem 3.1. Suppose that $\rho > 8(2\alpha^3 n^{5/2} + 2\alpha\sqrt{n})$. Then $sk_i = sk_j$ except with negligible probability.
Table 2
User registration stage.

| $U_i$ | Secure channel | $S$ |
|---|---|---|
| | Registration request $\longrightarrow$ | Selects random $PID_i$ |
| | | Computes $KU_i = H_0(PID_i \parallel s_j)$ |
| Selects $Pw_i$ | $\longleftarrow \langle KU_i, PID_i \rangle$ | |
| Inputs $Bio_i$ and computes $B_i = H_b(Bio_i)$ | | |
| Computes $A_i = KU_i \oplus H_0(Pw_i, B_i)$ | | |
| Computes $V_i = H_0(KU_i, Pw_i, B_i)$ | | |
| Stores $A_i, PID_i, V_i$ in his/her mobile device | | |

Table 3
Login and mutual authentication.

| $U_i$ | Public channel | $S$ |
|---|---|---|
| Inputs $Bio_i$ and $Pw_i$ | | |
| Calculates $B_i = H_b(Bio_i)$ | | |
| Calculates $KU_i = A_i \oplus H_0(B_i \parallel Pw_i)$ | | |
| Verifies $V_i \stackrel{?}{=} H_0(KU_i \parallel Pw_i \parallel B_i)$ | | |
| Chooses $r_i, e_i \xleftarrow{R} \chi_\alpha$ | | |
| Computes $x_i = a \cdot r_i + 2 \cdot e_i$ | | |
| Computes $c = H_1(x_i \parallel KU_i)$ | | |
| Computes $\Sigma_i = H_0(x_i \parallel KU_i \parallel c)$ | $\langle PID_i, x_i, T_i, \Sigma_i \rangle \longrightarrow$ | Verifies $T_i$ is fresh |
| | | Computes $KU_j = H_0(PID_i \parallel s_j)$ |
| | | Computes $c = H_1(x_i \parallel KU_j)$ |
| | | Verifies $\Sigma_i \stackrel{?}{=} H_0(x_i \parallel KU_j \parallel c)$ |
| | | Computes $d = H_1(\Sigma_i \parallel KU_j)$ |
| | | Chooses $e'_j \leftarrow \chi_\alpha$ |
| | | Computes $k_j = (x_i s_j + 2c)d + 2e'_j$ |
| | | Computes $\omega_j = Cha(k_j)$ |
| | | Computes $\sigma_j = \Psi_2(k_j, \omega_j)$ |
| Computes $d = H_1(\Sigma_i, KU_i)$ | $\longleftarrow \langle \omega_j, \Sigma_j \rangle$ | Computes $\Sigma_j = H_0(\sigma_j, KU_j, d)$ |
| Chooses $e'_i \leftarrow \chi_\alpha$ | | Computes $sk_j = H_0(\sigma_j, p_j, x_i, \omega_j)$ |
| Computes $k_i = (p_j r_i + 2c)d + 2e'_i$ | | |
| Computes $\sigma_i = \Psi_2(k_i, \omega_j)$ | | |
| Verifies $\Sigma_j \stackrel{?}{=} H_0(\sigma_i, KU_i, d)$ | | |
| Computes $sk_i = H_0(\sigma_i, p_j, x_i, \omega_j)$ | | |
Proof. According to the protocol, it is required to prove that $\sigma_i = \sigma_j$. Now,
$$k_i = (p_j r_i + 2c)d + 2e'_i = (a s_j + 2e_j) r_i d + 2cd + 2e'_i = a \cdot s_j \cdot r_i \cdot d + 2 e_j r_i d + 2cd + 2e'_i$$
and
$$k_j = (x_i s_j + 2c)d + 2e'_j = (a r_i + 2e_i) s_j d + 2cd + 2e'_j = a \cdot r_i \cdot s_j \cdot d + 2 e_i s_j d + 2cd + 2e'_j.$$
So, $\|k_j - k_i\| = \|2 e_i s_j d + 2e'_j - 2 e_j r_i d - 2e'_i\|$. Now, by using Lemma 2.1, we have
$$\|k_j - k_i\| \le 2n\|e_i\| \cdot \|s_j\| \cdot \|d\| + 2\|e'_j\| + 2n\|e_j\| \cdot \|r_i\| \cdot \|d\| + 2\|e'_i\|.$$
Then, by using Lemma 2.2, we get
$$\|k_j - k_i\| \le 2\alpha^3 n^{5/2} + 2\alpha\sqrt{n} + 2\alpha^3 n^{5/2} + 2\alpha\sqrt{n} = 4\alpha^3 n^{5/2} + 4\alpha\sqrt{n} = 2(2\alpha^3 n^{5/2} + 2\alpha\sqrt{n}) < \frac{\rho}{4}.$$
Then, by using Lemma 2.3, we have $\sigma_j = \Psi_2(k_j, \omega_j) = \Psi_2(k_i, \omega_j) = \sigma_i$. □

4. Security analysis

This section uses the well-known random oracle model (ROM) [26] to establish the formal security of our enhanced approach. The Execute, Test, and Send queries as well as the security terminology are established in line with the ROM in our adversary model. Here, we take one more oracle to increase the capabilities of the attacker, in order to demonstrate the perfect forward secrecy of our protocol.

• CorruptU($U_i$): It models the device of $U_i$ being controlled by the adversary. This query outputs the credentials saved in the device of $U_i$ and reveals them to the adversary.

The adversary must determine the bit $b$ concealed in the Test query after accessing the Test, Send, and Execute queries numerous times by following the ROM. Whether a genuine SK or a random nonce results from the Test query depends on the uniform bit $b$. The adversary is said to have won the game if it correctly guesses the bit $b$; the success event is the scenario in which the adversary succeeds.

Definition 4.1 (Semantic Security). The strength of the adversary in breaching the well-formed safety of the suggested enhanced AKA scheme can be seen
Theorem 4.1. Suppose $Adv$ is a polynomial-time bounded contender seeking to get $sk_i$ or $sk_j$ in the key exchange stage. Then, the advantage of the adversary in breaching the well-formed safety to get the SK between $U_i$ and $S$ in our AKA protocol can be given as
$$Adv \le \frac{q_H^2}{2q_n} + \frac{(q_{exe} + q_{send})^2 + 2q_{send}}{|\chi_\alpha|} + 2\,Adv^{RLWE}, \tag{1}$$
where $q_H$ is the number of hash queries, $q_{exe}$ the number of Execute queries and $q_{send}$ the number of Send queries. Further, $q_n$ and $|\chi_\alpha|$ represent the span of $H$ and of $\chi_\alpha$ respectively. The notion $Adv^{RLWE}$ represents the power of the adversary to solve the RLWE challenge.

Proof. For the security proof, we take a well-composed series of games represented by $G_i$, $0 \le i \le 4$. For each $G_i$, we consider the event in which the adversary correctly guesses the hidden bit $b$ selected in the Test query, whose probability is written $P[i]$ below.

1. $G_0$: It constructs the model to break the suggested scheme under the Random Oracle Model. The bit $b$, for the adversary to guess, is arbitrarily selected at the beginning of $G_0$; consequently, we have
$$Adv = |2P[0] - 1|. \tag{2}$$
2. $G_1$: This game resembles an intrusion on the communication line between $U_i$ and $S$. The adversary accesses the Execute oracle to obtain the communicated messages, then uses this knowledge to visit the Test oracle to establish whether the result of the Test query is the true SK or a random nonce. Clearly, the adversary only gets the specifics $\{\omega_j, \Sigma_j, x_i, \Sigma_i, PID_i\}$ by eavesdropping, but does not know $\{s_j, e'_j, c, d\}$ and cannot create $\{k_j, \sigma_j\}$ to obtain $sk_j$. Hence, eavesdropping cannot boost the adversary's chances of winning $G_1$. So, we get
$$P[0] = P[1]. \tag{3}$$
3. $G_2$: When the authentication message $(x_i)$ or $(\Sigma_i, \Sigma_j)$ collides, $G_2$ terminates immediately; otherwise, this game is analogous to $G_1$. By the birthday paradox, the collision probability of the hash oracle is at most $\frac{q_H^2}{2q_n}$. As $x_i$ is randomly taken from $\chi_\alpha$, the chance of collision for random samples is at most $\frac{(q_{exe}+q_{send})^2}{2|\chi_\alpha|}$. Thus, we obtain
$$|P[1] - P[2]| \le \frac{q_H^2}{2q_n} + \frac{(q_{exe}+q_{send})^2}{2|\chi_\alpha|}. \tag{4}$$
4. $G_3$: Here, the attacker attacks the server with a signal leakage operation while acting as an internal user. The Send query is specifically used by the adversary to obtain signals in order to retrieve the secret key $s_j$. As $k_j = x_i \cdot s_j \cdot d + 2c \cdot d + 2e'_j$ and $c, d$ are fresh in every session, the adversary seeks to guess $c, d$ in order to select a good choice of $x_i$ to extract the coefficients of $s_j$ from $\omega_j$, which is tough to accomplish. Since $c, d \in \chi_\alpha$, we get
$$|P[2] - P[3]| \le \frac{q_{send}}{|\chi_\alpha|}. \tag{5}$$
5. $G_4$: This game models the CorruptU($U_i$) oracle. Here, the adversary gets the credentials saved in the device of $U_i$. Now, the adversary targets the keys of previous sessions to breach perfect forward secrecy. To construct $sk_i$ or $sk_j$, the adversary requires $k_i$ or $k_j$ to calculate $\sigma_i$ or $\sigma_j$. Hence, the adversary needs to calculate $r_i$ from $x_i$ (or $s_j$ from $p_j$), which has the same complexity as solving the RLWE problem. Thus, we get
$$|P[3] - P[4]| \le Adv^{RLWE}. \tag{6}$$

By applying the triangle inequality with (4)–(6), we get:
$$|P[1] - P[4]| \le \frac{q_H^2}{2q_n} + \frac{(q_{exe}+q_{send})^2 + 2q_{send}}{2|\chi_\alpha|} + Adv^{RLWE}. \tag{8}$$
Further, (3) provides
$$\Big|P[0] - \frac{1}{2}\Big| \le \frac{q_H^2}{2q_n} + \frac{(q_{exe}+q_{send})^2 + 2q_{send}}{2|\chi_\alpha|} + Adv^{RLWE}. \tag{9}$$
Now, by using (7) and (9), we obtain the required (1). □

4.1. User anonymity

The proposed scheme in this article maintains the anonymity of users. For an external adversary, the messages $\langle PID_i, x_i, T_i, \Sigma_i \rangle$ and $\langle \omega_j, \Sigma_j \rangle$ communicated according to the protocol over the insecure channel do not comprise the identity of the user. Hence, the proposed protocol achieves user anonymity.

Theorem 4.2. The proposed AKE scheme resists SLA against a PPT intruder.

Proof. The first SLA was presented in [19]. According to the working of the signal leakage attack in [27], the intruder starts as a corrupt $U_i$ and generates the public key $x_i = k$, where $k$ is a member of $\mathbb{Z}_\rho$. Then if $S$ calculates $k_j$ as $k_j = k s_j$ and computes $Cha(\cdot)$ of $k_j$ to get the signal $\omega_j = Cha(k s_j)$, i.e., $\omega_j[i] = Cha(k s_j[i])$. According to the notion of the characteristic function, when $k$ varies from 0 to $\rho - 1$, $\omega_j[i]$ changes from 0 to 1 or from 1 to 0. In fact, $\omega_j[i]$ switches in total $2|s_j[i]|$ times when $k$ increases from 0 to $\rho - 1$. Hence, the intruder can count the number of times $\omega_j[i]$ flipped to fetch $s_j[i]$ by running a loop over $k$ from 0 to $\rho - 1$.

From Table 3, we can observe $k_j = (x_i s_j + 2c)d + 2e'_j$, where $c$ and $d$ are new in every session. So, $\omega_j = Cha((p_i s_j + 2c)d + 2e'_j) = Cha((k s_j + 2c)d + 2e'_j)$. As $k$ increases over the queries, $\omega_j[i]$ switches when $(k s_j + 2c)d + 2e'_j$ enters or exits the region $[-\frac{\rho}{4}, \frac{\rho}{4}]$, according to the notion of the characteristic function. Here, the intruder will be incapable of drawing any reasonable conclusion from the number of switches of $\omega_j[i]$, as random sampling and $c, d$ are combined with $s_j[i]$. Therefore, the use of random samples and of the values $c$ and $d$ restricts the advantage of the intruder and prevents him from extracting $s_j[i]$ using leaked signal values. Therefore, our protocol is secure against SLA. □

Theorem 4.3. The proposed AKE scheme resists KMA against a PPT intruder.

Proof. The user generates its public key $x_i = a r_i + 2e_i$ and sends it to $S$. Now, if $\mathfrak{R}$ is an intruder with the information of $x_i$ and having the capability to start multiple queries to $U_i$, it can employ key mismatching in every session to get the private $r_i$ [28]. The intruder chooses $s_j = 0$ in $Q_\rho$. For getting the $u$th coefficient $r_i[u]$, $\mathfrak{R}$ selects an $e_j$ with $e_j[u] = 0$ for all $u = 0$ to $n - 1$ other than $u = n-1-u, n-1-v$, and $e_j[n-1-u] = 1$, $e_j[n-1-v] = k$. After that, $\mathfrak{R}$ performs the suggested protocol honestly, except that it deliberately flips bit $n - 1$ of the output $\omega_j$ that it sends to the user. It selects a position $v$ such that $r_i[v] = \pm 1$. Then, $\mathfrak{R}$ needs to evaluate the sign of $r_i[u]$ to construct queries accordingly. As soon as the sign is evaluated, suppose the sign found is positive; then we have $k_i[n-1] = 2r_i[u] - 2k$, and we can observe that this value switches from positive to negative as $k$ increases past $r_i[u]$. Also, $sk_i[n-1] = 1$ as long as $k_i[n-1]$ is positive, since the flip in parity of $sk_i[n-1]$ occurs by adding $\frac{\rho-1}{2}$ and results in the output of the oracle being 0. As the value becomes negative, the oracle output flips to 1, which discloses the $u$th coefficient of $r_i$.

In the suggested protocol, $r_i[u]$ is multiplied with one Gaussian random sample $e_j$ and the hash value $d$ in the value of $k_i[n-1]$, where the intruder has control over $e_j$ only; the value of $d$ depends on the value of $KU_j$,
Table 4
Symbols and run time of different operations in milliseconds.

| Symbol | Description | User | Server |
|---|---|---|---|
| $T_{samp}$ | Run time to calculate sampling from $\chi_\alpha$ | 2.106 | 0.252 |
| $T_{sm}$ | Run time to calculate scalar multiplication in $Q_\rho$ | 0.175 | 0.135 |
| $T_{ad}$ | Run time to calculate componentwise addition in $Q_\rho$ | 0.318 | 0.243 |
| $T_{ma}$ | Run time to calculate a componentwise multiplication and addition in $Q_\rho$ | 0.333 | 0.251 |
| $T_{Cha}$ | Run time to calculate $\Psi_2$ | 1.05 | 0.723 |
| $T_{mul}$ | Run time to calculate componentwise multiplication in $Q_\rho$ | 0.323 | 0.242 |
| $T_{en}$ | Run time for elliptic curve encryption | 0.078 | 0.012 |
| $T_{ep}$ | Run time for elliptic curve point multiplication | 3.437 | 0.417 |
| $T_{H_1}$ | Run time to calculate the $H_1$ function | 0.809 | 0.142 |
| $T_{H_0}$ | Run time to calculate the $H_0$ function | 0.00277 | 0.00105 |
| $T_{H_2}$ | Run time to calculate the $H_2$ function | 0.901 | 0.216 |

Table 5
Comparative analysis of execution cost in milliseconds.

| Protocol | User | Server | Total |
|---|---|---|---|
| Feng et al. [16] | $2T_{samp} + T_{sm} + T_{Cha} + T_{ma} + 6T_{H_0} + 2T_{mul} = 6.43262$ ms | $2T_{samp} + T_{sm} + T_{Cha} + 5T_{H_0} + T_{ma} + 2T_{mul} = 2.10225$ | 8.53487 |
| Dabra et al. LBA-PAKE [23] | $3T_{samp} + 2T_{sm} + 2T_{ad} + 3T_{ma} + 6T_{H_0} + 2T_{H_1} + T_{Cha} + T_{H_2} + T_{mul} = 12.21162$ ms | $3T_{samp} + 2T_{sm} + 2T_{ad} + 3T_{ma} + 5T_{H_0} + 2T_{H_1} + T_{H_2} + T_{Cha} + T_{mul} = 3.73525$ ms | 15.94687 |
| Ding et al. [24] | $3T_{samp} + 2T_{sm} + T_{ad} + 3T_{ma} + 6T_{H_0} + 2T_{H_1} + T_{Cha} + T_{H_2} = 11.57062$ | $3T_{samp} + 2T_{sm} + T_{ad} + 3T_{ma} + 5T_{H_0} + 2T_{H_1} + T_{Cha} = 2.68625$ | 14.25687 |
| Song et al. [25] | $3T_{mul} + 3T_{ad} + 3T_{samp} + 2T_{sm} + 2T_{ma} + 2T_{H_0} = 9.26254$ | $3T_{mul} + 3T_{ad} + 3T_{samp} + 2T_{sm} + 2T_{ma} + 2T_{H_0} + T_{Cha} = 3.7081$ | 12.97064 |
| Sahoo et al. [30] | $4T_{ep} + 8T_{H_0} = 13.77016$ | $3T_{ep} + 5T_{H_0} + T_{en} = 1.26825$ | 15.03841 |
| Garg et al. [31] | $3T_{ep} + 5T_{H_0} = 10.32485$ | $3T_{ep} + 6T_{H_0} = 1.2573$ | 11.58215 |
| Our AKE Protocol | $3T_{samp} + 3T_{sm} + 3T_{ma} + 6T_{H_0} + 2T_{H_1} = 9.6262$ ms | $T_{samp} + 2T_{sm} + 2T_{ma} + 4T_{H_0} + 2T_{H_1} + T_{Cha} = 2.0352$ | 11.6614 |
which is known only to the server $S$. Thus, the intruder cannot modify $d$. We have
$$k_i[n-1] = 2r_i[u]d + 2k\,r_i[v]d + 2dc + 2e'_i = 2r_i[u]d + 2kd + 2cd + 2e'_i.$$
Let the intruder evaluate the sign of $r_i[u]$ as positive. Now, if the intruder initiates queries with increasing values of $k$ and searches for the flip in the output of the oracle from 1 to 0, this flip will be observed if $|2r_i[u]d + 2cd + 2e'_i| \le 2d$, which gives no clue about the value of $r_i[u]$. Therefore, the intruder will be incapable of performing the attack as it is mounted on PRKE in [20] and will be unsuccessful in obtaining such a $k$ by raising queries, which prevents him from getting $r_i[u]$. Hence, the suggested protocol is secure against the key mismatch attack. □

5. Performance analysis

This part provides an analysis of the computation of the suggested protocol and a comparative study of the computation cost of our suggested AKE scheme against existing AKE schemes. The simulation tools and devices used for our scheme are identical to those used in [29]. Here, $H_2 : \{0,1\}^* \to Q_\rho$ is a hash function. We take the parameter selection of [23]. The parameter $n$ is a power of 2 and of value 512. The Gaussian distribution $\chi_\alpha$ for secret sampling has $\alpha = \frac{8}{\sqrt{2\pi}} \approx 3.192$. As discussed in the proof of correctness of the protocol in Section 3, $\rho > 8(2\alpha^3 n^{5/2} + 2\alpha\sqrt{n})$; hence for $n = 512$ and $\alpha = 3.192$, the computed value of $\rho$ is 7557773. The implementation of SHA512, elliptic curve encryption, and elliptic curve scalar point multiplication has been performed in Python. We have implemented the lattice operation codes in SageMath. The devices used for server and end user are the same as the devices used in [29]. Table 4 presents the computation time required for the lattice operations and the various cryptographic functions in milliseconds. The comparison of computation is presented graphically in Fig. 2. Table 6 presents the comparison of security attributes of all relevant schemes.

In our AKA protocol, the user takes 3 samples from $\chi_\alpha$, performs the $H_1$ hash function 2 times, scalar multiplication 3 times, componentwise multiplication and addition 3 times, and the $H_0$ hash function 6 times. Therefore, the total cost of our AKA scheme at the user's end is $3T_{samp} + 3T_{sm} + 3T_{ma} + 2T_{H_1} + 6T_{H_0} = 9.6262$ ms. In our scheme, the server chooses one sample from $\chi_\alpha$, executes the $H_1$ hash function 2 times, scalar multiplication 2 times, componentwise multiplication and addition 2 times, the characteristic function one time and the $H_0$ hash function 4 times. Therefore, the total cost of our AKA scheme at the server's end is $T_{samp} + 2T_{sm} + 2T_{ma} + 4T_{H_0} + 2T_{H_1} + T_{Cha} = 2.0352$ ms. Hence, the total computation cost of our scheme is 11.6614 ms.

In the Feng et al. [16] protocol, the user takes 2 samples from $\chi_\alpha$, performs scalar multiplication one time, componentwise multiplication and addition one time, componentwise multiplication 2 times, the Cha function one time, and the $H_0$ hash function 6 times. Therefore, the total cost of [16] at the user's side is $2T_{samp} + T_{sm} + T_{Cha} + T_{ma} + 6T_{H_0} + 2T_{mul} = 6.43262$ ms. In the Feng et al. [16] scheme, the server chooses 2 samples from $\chi_\alpha$, executes scalar multiplication one time, componentwise multiplication and addition one time, componentwise multiplication 2 times, the $H_0$ hash function 5 times and the characteristic function one time. Therefore, the total cost of [16] at the server's side is $2T_{samp} + T_{sm} + T_{Cha} + 5T_{H_0} + T_{ma} + 2T_{mul} = 2.10225$ ms. Hence, the total computation cost of [16] is 8.53487 ms. This scheme has a lower computation cost than our scheme, but it was found vulnerable to SLA, manipulation-based attacks, spoofing attacks, and user anonymity violation attacks [23].

In the LBA-PAKE [23] protocol, the user selects 3 Gaussian samples from $\chi_\alpha$, executes the $H_1$ hash function 2 times, scalar multiplication 2 times, componentwise multiplication and addition 3 times, addition 2 times, componentwise multiplication one time, the Cha function one time, the $H_0$ hash function 6 times and the $H_2$ hash function 1 time. Therefore, the total cost at the user's side is $3T_{samp} + 2T_{sm} + 2T_{ad} + 3T_{ma} + T_{mul} + 2T_{H_1} + T_{H_2} + 6T_{H_0} + T_{Cha} = 12.21162$ ms. In the LBA-PAKE [23] scheme, the server chooses 3 samples from $\chi_\alpha$, executes the $H_1$ hash function 2 times, scalar multiplication 2 times, componentwise multiplication and addition 3 times, addition 2 times, componentwise multiplication in $Q_\rho$ one time, the $H_0$ hash function 5 times, the $H_2$ hash function one time and the characteristic function one time. Therefore, the total cost at the server's side is $3T_{samp} + 2T_{sm} + 3T_{ma} + 5T_{H_0} + 2T_{H_1} + T_{H_2} + T_{mul} + 2T_{ad} + T_{Cha} = 3.73525$ ms.
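Returning to the signal-leakage argument of Theorem 4.2 in Section 4: the proof rests on two facts about the signal bit, that $Cha(k \cdot s)$ switches exactly $2|s|$ times as $k$ runs over $\mathbb{Z}_\rho$, and that the per-session values $c$ and $d$ break that relation. The following Python example, added here and not part of the paper, measures both on a single ring coefficient. It assumes a constructed toy modulus $\rho = 12289$ and a uniform sampler on $[-3, 3]$ standing in for $\chi_\alpha$; the function names are the example's own.

```python
import random

RHO = 12289  # constructed toy modulus (odd prime), standing in for the paper's rho
HALF = (RHO - 1) // 2

def cha(y):
    """Cha(y): 0 if the centred representative of y lies in F = [-floor(rho/4), floor(rho/4)], else 1."""
    return 0 if abs((y + HALF) % RHO - HALF) <= RHO // 4 else 1

def count_signal_flips(values):
    """How many times the signal bit switches along a sequence of coefficient values."""
    bits = [cha(v) for v in values]
    return sum(1 for i in range(1, len(bits)) if bits[i] != bits[i - 1])

def flips_without_masking(s):
    """Key-reuse setting of [19]: the signal of k*s as the query value k runs over 0..rho-1.
    For a small coefficient s this count is exactly 2*|s|, as stated in the proof."""
    return count_signal_flips([k * s for k in range(RHO)])

def flips_with_session_masking(s, sampler):
    """Section 3.3 setting: signal of (k*s + 2c)*d + 2e' with fresh (c, d, e') per query,
    so the switch count no longer tracks |s|."""
    masked = []
    for k in range(RHO):
        c, d, e2 = sampler()
        masked.append((k * s + 2 * c) * d + 2 * e2)
    return count_signal_flips(masked)

def toy_gaussian_sampler(seed):
    """Stand-in for three chi_alpha samples per query (uniform in [-3, 3], seeded)."""
    rng = random.Random(seed)
    return lambda: tuple(rng.randint(-3, 3) for _ in range(3))
```

With the trivial sampler that always returns (0, 1, 0) the masked count collapses back to the unmasked one, which is a useful check that the two functions measure the same thing; with the seeded sampler the count is dominated by the fresh randomness rather than by $s$.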
Table 6
Comparison of security attributes with existing AKE protocols. Columns in the original are [16], [23], [24], [25], [30], [31] and Our scheme; the per-column placement of the marks did not survive extraction, so each row gives the number of schemes marked ✓ and ×.

| Security attribute | ✓ | × |
|---|---|---|
| Mutual authentication | 5 | 2 |
| Impersonation attack | 3 | 4 |
| Privileged insider attack | 4 | 3 |
| Provably secure in random oracle model | 5 | 2 |
| Key mismatch attack | 6 | 1 |
| Signal leakage attack | 5 | 2 |
| Stolen device attack | 5 | 2 |
| User anonymity | 6 | 1 |
| Replay attack | 4 | 3 |
| Secure against quantum attack | 5 | 2 |
| Password guessing attack | 5 | 2 |
| Known session key security | 7 | 0 |

✓: Scheme prevents attack or satisfies the attribute; ×: Scheme fails to prevent attack or does not satisfy the attribute.
Fig. 2. Comparison of execution complexity.

Therefore, the overall computation overhead of [23] is 15.94687 ms. Table 5 presents the comparison of computation complexity of all relevant schemes.

In Ding et al. [24], the user takes three samples from $\chi_\alpha$, performs the $H_1$ function two times, scalar multiplication two times, componentwise multiplication and addition 3 times, addition 1 time, the $H_0$ hash function six times, and executes the $H_2$ hash function one time and the characteristic function one time. Therefore, the total cost at the user side is $3T_{samp} + 2T_{sm} + T_{ad} + 3T_{ma} + 6T_{H_0} + 2T_{H_1} + T_{Cha} + T_{H_2} = 11.57062$ ms. In Ding et al. [24], the server chooses 3 samples from $\chi_\alpha$, executes the $H_1$ hash function 2 times, scalar multiplication 2 times, componentwise multiplication and addition 3 times, one addition in $Q_\rho$, the $H_0$ hash function 5 times, and the characteristic operation one time. Therefore, the total cost at the server side is $3T_{samp} + 2T_{sm} + T_{ad} + 3T_{ma} + 5T_{H_0} + 2T_{H_1} + T_{Cha} = 2.68625$ ms. Hence, the total computation cost is 14.25687 ms.

In Song et al. [25], the user performs 1 encryption, which executes three multiplications and three additions in $Q_\rho$, chooses three samples from the Gaussian distribution, executes $T_{sm}$ 2 times, $T_{ma}$ 2 times, and the hash function two times. Therefore, the total cost at the user end is $3T_{mul} + 3T_{ad} + 3T_{samp} + 2T_{sm} + 2T_{ma} + 2T_{H_0} = 9.26254$ ms. The server executes Gaussian sampling three times, three multiplications and three additions in $Q_\rho$, $T_{sm}$ 2 times, $T_{ma}$ 2 times, the hash function 2 times, and the characteristic function one time. Therefore, the total cost at the server side is $3T_{mul} + 3T_{ad} + 3T_{samp} + 2T_{sm} + 2T_{ma} + 2T_{H_0} + T_{Cha} = 3.7081$ ms. Hence, the overall cost of [25] is 12.97064 ms.

In Sahoo et al. [30], the user performs elliptic curve point multiplication 4 times and the hash function 8 times. Therefore, the total cost at the user end is $4T_{ep} + 8T_{H_0} = 13.77016$ ms. The server executes the hash function 5 times, elliptic curve point multiplication 3 times, and elliptic curve encryption one time. Therefore, the total cost at the server side is $3T_{ep} + 5T_{H_0} + T_{en} = 1.26825$ ms. Hence, the overall cost of [30] is 15.03841 ms.

In Garg et al. [31], the user performs elliptic curve point multiplication 3 times, the hash function 4 times, and the key derivation function one time. They have claimed that the cost of executing the hash function is approximately equal to the cost of executing the key derivation function. Therefore, the total cost at the user end is $3T_{ep} + 5T_{H_0} = 10.32485$ ms. The server executes elliptic curve point multiplication 3 times, the hash function 5 times, and the key derivation function one time. Therefore, the total cost at the server side is $3T_{ep} + 6T_{H_0} = 1.2573$ ms. Hence, the overall cost of [31] is 11.58215 ms. This scheme has a lower computation cost than our scheme, but it is not quantum secure, as it is based on the hardness of the elliptic curve discrete logarithm problem, which is breakable by a quantum computer.

Energy Consumption

We performed simulations using MATLAB to evaluate the performance of the proposed protocol against different numbers of IoT sensor nodes, which varied with the network area size. The simulation was tested for fixed numbers of mobile sensor nodes of 1, 5, and 10, uniformly distributed within an area of 10 × 10 m² to 30 × 30 m², with a single run. The energy consumption of mobile devices is evaluated in Matlab Simulink on an Intel Core i7-3700 at a frequency of 3.4 GHz. The run takes approximately 9 h with an efficiency of 0.8. The proposed protocol was stable until 9 rounds, which demonstrated an energy consumption of up to 90 W within the simulated area for the devices. In Fig. 3, energy consumption is shown for different numbers of devices.

6. Conclusion

Quantum computers can efficiently solve the conventional mathematically hard problems. As a result, current authentication protocols based on standard cryptographic techniques may no longer be secure. In order to improve client–server security in a post-quantum mobile client–server environment, we have developed in this article an effective ideal lattice-based AKA mechanism for mobile devices designed on the idea of zero knowledge-based authentication. The proposed scheme is secure against the signal leakage attack. It supports key reuse, perfect forward secrecy and anonymity features. The security proof demonstrated that our proposed scheme in the ROM offers self-reducibility for the RLWE problem, so it is quantum secure. In future, one can work on reducing its computation complexity without compromising the attained security attributes, to make it practicable for implementation in real-world applications.
CRediT authorship contribution statement

Komal Pursharthi: Writing – original draft, Visualization, Methodology, Investigation, Formal analysis, Data curation. Dheerendra Mishra: Writing – review & editing, Supervision, Conceptualization.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

References

[1] Krawczyk H. HMQV: A high-performance secure Diffie-Hellman protocol. In: Annual international cryptology conference. Springer; 2005, p. 546–66.
[2] LaMacchia B, Lauter K, Mityagin A. Stronger security of authenticated key exchange. In: International conference on provable security. Springer; 2007, p. 1–16.
[3] Law L, Menezes A, Qu M, Solinas J, Vanstone S. An efficient protocol for authenticated key agreement. Des Codes Cryptogr 2003;28(2):119–34.
[4] Menezes A. Some new key agreement protocols providing implicit authentication. In: Workshop on selected areas in cryptography, 1997. CRC Press; 1997.
[5] Yao AC-C, Zhao Y. OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security. 2013, p. 1113–28.
[6] Shor PW. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev 1999;41(2):303–32.
[7] Moody D. Post-quantum cryptography: NIST's plan for the future. In: The seventh international conference on post-quantum cryptography, Japan. 2016.
[8] Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM 2009;56(6):1–40.
[9] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. In: Annual international conference on the theory and applications of cryptographic techniques. Springer; 2010, p. 1–23.
[10] Ding J, Xie X, Lin X. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptol ePrint Arch 2012.
[11] Peikert C. Lattice cryptography for the internet. In: International workshop on post-quantum cryptography. Springer; 2014, p. 197–219.
[12] Bos JW, Costello C, Naehrig M, Stebila D. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE symposium on security and privacy. IEEE; 2015, p. 553–70.
[13] Bos J, Costello C, Ducas L, Mironov I, Naehrig M, Nikolaenko V, Raghunathan A, Stebila D. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 2016, p. 1006–18.
[14] Alkim E, Ducas L, Pöppelmann T, Schwabe P. Post-quantum key exchange—a new hope. In: 25th USENIX security symposium. USENIX Security 16, 2016, p. 327–43.
[15] Ding J, Alsayigh S, Lancrenon J, RV S, Snook M. Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Cryptographers' track at the RSA conference. Springer; 2017, p. 183–204.
[16] Feng Q, He D, Zeadally S, Kumar N, Liang K. Ideal lattice-based anonymous authentication protocol for mobile devices. IEEE Syst J 2018;13(3):2775–85.
[17] Islam SH. Provably secure two-party authenticated key agreement protocol for post-quantum environments. J Inf Secur Appl 2020;52:102468.
[18] Dabra V, Bala A, Kumari S. Reconciliation based key exchange schemes using lattices: a review. Telecommun Syst 2021;77(2):413–34.
[19] Ding J, Alsayigh S, Saraswathy R, Fluhrer S, Lin X. Leakage of signal function with reused keys in RLWE key exchange. In: 2017 IEEE international conference on communications. ICC, IEEE; 2017, p. 1–6.
[20] Wang K, Jiang H. Analysis of two countermeasures against the signal leakage attack. In: International conference on cryptology in Africa. Springer; 2019, p. 370–88.
[21] Ding J, Branco P, Schmitt K. Key exchange and authenticated key exchange with reusable keys based on RLWE assumption. Cryptol ePrint Arch 2019.
[22] Ding J, Saraswathy R, Alsayigh S, Clough C. How to validate the secret of a Ring Learning with Errors (RLWE) key. Cryptol ePrint Arch 2018.
[23] Dabra V, Bala A, Kumari S. LBA-PAKE: Lattice-based anonymous password authenticated key exchange for mobile devices. IEEE Syst J 2020;15(4):5067–77.
[24] Ding R, Cheng C, Qin Y. Further analysis and improvements of a lattice-based anonymous PAKE scheme. IEEE Syst J 2022;16(3):5035–43.
[25] Song Y, Guo S, Ding R. Anonymous password-authenticated key exchange protocol based on lattice. In: 2023 2nd international conference on big data, information and computer network. BDICN, IEEE; 2023, p. 350–6.
[26] Abdalla M, Fouque P-A, Pointcheval D. Password-based authenticated key exchange in the three-party setting. In: International workshop on public key cryptography. Springer; 2005, p. 65–84.
[27] Pursharthi K, Mishra D. On the security of ring learning with error-based key exchange protocol against signal leakage attack. Secur Privacy 2023;6(5):e310.
[28] Fluhrer S. Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptol ePrint Arch 2016.
[29] Pursharthi K, Mishra D. A computationally efficient and randomized RLWE-based key exchange scheme. Cluster Comput 2023;1–12.
[30] Sahoo SS, Mohanty S, Majhi B. Improved biometric-based mutual authentication and key agreement scheme using ECC. Wirel Pers Commun 2020;111:991–1017.
[31] Garg S, Kaur K, Kaddoum G, Ahmed SH, Gagnon F, Guizani M. ECC-based secure and lightweight authentication protocol for mobile environment. In: IEEE INFOCOM 2019 - IEEE conference on computer communications workshops. INFOCOM WKSHPS, IEEE; 2019, p. 1–6.