A Secure Key Authentication Scheme Based on the Hardness of Solving Elliptic Curve Discrete Logarithm Problem

Corresponding Author: Eddie Shahril Ismail, Department of Mathematical Sciences, Faculty of Science and Technology, Universiti Kebangsaan Malaysia, 43600 Bangi, Selangor, Malaysia. Email: esbi@ukm.edu.my

Abstract: A key authentication scheme is a scheme that protects a user's public key from modification and counterfeiting by an adversary. Key authentication schemes should be developed and improved continuously so that the systems remain safe and practical to use. To the best of our knowledge, there is no key authentication scheme using the elliptic curve so far. Thus, in this paper, we propose the first secure elliptic curve-based key authentication scheme, with its security relying on the difficulty of solving the elliptic curve discrete logarithm problem. We show that the proposed scheme is secure against various defined cryptographic attacks such as public keyword modification and keyword guessing attacks. Next, we analyze the computational time complexity of the algorithms by computing the number of modular operations needed in these algorithms, together with an asymptotic analysis of running time using O(g(n)) notation. It turns out that our scheme requires the least amount of time complexity of 203.36Tmul + Th for the user registration phase and 58.12Tmul for the key authentication phase, and offers less running time compared to some existing key authentication schemes.


Introduction
solved a key distribution problem of secret key cryptography and proposed a novel idea of modern cryptography that is now called public-key cryptography. Specifically, they proposed that any two communicating users need not share a common secret key; instead, each user generates two keys, namely a public key and a private key. In public-key cryptographic systems, the private key, sometimes called the secret key, is kept secret from other people. In contrast, the public key is made public to anyone, including an adversary or enemy. The user then publishes the public key in a public-key directory. One of the main components in public-key cryptographic systems is a cryptosystem. In a cryptosystem, two communicating parties, a sender and a receiver, are needed to complete the communication processes. The sender encrypts a confidential message or document by using the receiver's public key and submits the encrypted message to the known receiver. The receiver, who has the private key, can decrypt the encrypted message and then read the original message.
One of the main issues in designing any public-key cryptographic systems is the security of its public key.
The key question is, how do we protect the public key from alteration or modification by an adversary? The cryptographic solution to this problem is via a Key Authentication Scheme (KAS). KAS provides a mechanism of authenticating the validity of the receiver's public key. KAS consists of three algorithms: (1) key generation algorithm, (2) user registration phase, and (3) key authentication phase.
The organization of this paper is as follows. In the next section, we discuss some past and related works of KAS. Then we present our proposal of a key authentication scheme based on the elliptic curve discrete logarithm problem. We next discuss the security analysis and efficiency consideration of our new scheme. Finally, we make a comparison of the new and existing schemes in terms of attacks and time complexity.
Horng and Yang (1996) designed the first KAS whose security is based on the hardness of solving a discrete logarithm problem. Their scheme needs a certificate but requires no authority. The certificate is computed using the user's private key and password. However, a study by Zhan et al. (1999) found that Horng-Yang's scheme is not secure against the password guessing attack. If an enemy successfully finds the actual password, he or she can further generate a valid false public key. Zhan et al. proposed an improvement to Horng and Yang's scheme. However, the improved scheme, as shown by Lee et al. (2003), does not achieve the non-repudiation property. A dishonest user can successfully deny his or her public key. Lee et al. fixed the problem and proposed a modified version of the Zhan et al. scheme. Later, Peinado (2004) and Zhang and Kim (2005) separately showed that the Lee et al. (2003) scheme had some security flaws. They showed that the scheme is not secure as the attacker can easily recover the user's private key from the user's public key certificate. Also, Peinado (2004) proved that the verification procedure presented in the scheme is not valid.
Both Peinado (2004) and Zhang and Kim (2005) then suggested a modification to improve the security of the scheme. Meanwhile, Wu and Lin (2004) also showed that Lee et al.'s scheme is vulnerable to the key substitution attack and provided a modified version of Lee et al.'s. Sun and Cao (2005) proved that the improved version by Peinado (2004) does not achieve the non-repudiation property. A dishonest user can forge his public key via the verification procedure and deny his signature. Sun and Cao (2005) next proposed a modification and proved that the version has now achieved the non-repudiation property. Meanwhile, Sun and Cao (2005) also proved that Zhang and Kim (2005) did not achieve the non-repudiation property. Shao (2005) showed that Peinado's scheme is insecure as an attacker can obtain the user's private key through a guessing attack. Shao (2005) also showed that the Zhang and Kim (2005) scheme is vulnerable to public key substitution attacks and proposed a modified version based on the discrete logarithm problem. Yoon and Yoo (2005) demonstrated that Lee et al. (2003), Peinado (2004), and Wu and Lin (2004) are prone to key substitution attacks. They then proposed an improvement of Lee et al. (2003) and claimed that the version is resistant to public key substitution attacks. Two years later, Yoon and Yoo (2007) performed some cryptanalysis of the Sun and Cao (2005) scheme and concluded that Sun-Cao's scheme is still vulnerable to the public key substitution attack. They later proposed a highly secure improvement of the scheme.

Related Works
One common feature of the above schemes is that all schemes were designed based on a single hard cryptographic problem. Soon, if one finds a solution to the hard problem, all these schemes will no longer be secure. Thus, there is an urgent need to develop key authentication schemes based on multiple hard problems. Suparlan et al. (2016), Meshram et al. (2016), and Kumaraswamy et al. (2016) respectively developed their schemes based on factoring with discrete logarithm problems, factoring with generalized discrete logarithm, and the discrete logarithm problem with the Chinese remainder theorem. The idea is that even if one of the underlying hard problems is solvable, the designated scheme is still secure due to the security of the other underlying hard problem. Unfortunately, Peinado (2017) managed to reveal weaknesses of the Kumaraswamy et al. (2016) scheme, which has several mathematical inconsistencies that lead to vulnerability to attack. To the best of our knowledge, there is no known key authentication scheme whose security depends on the Elliptic Curve Discrete Logarithm Problem (ECDLP), which was first introduced independently by Miller (1985) and Koblitz (1987). Applying the ECDLP to the scheme will offer some added value to the proposed scheme in terms of efficiency while maintaining an adequate level of security.

Materials and Methods
The proposed scheme makes use of the elliptic curve from computational number theory (Ismail and Hijazi, 2012; Koblitz, 1987; Miller, 1985). The equation of the elliptic curve in a general form is defined by: where, a, b, c, d, e and is a field. We define on this curve an elliptic curve addition operation with a point at infinity (we denote this point as ∞). Now, suppose that q is a 160-bit prime and the corresponding field has characteristic neither two nor three. For cryptographic purposes, we now consider an elliptic curve E over the Galois Field E( q) as below: The coefficients a,b < q are non-negative integers and satisfy the condition 4a^3 + 27b^2 ≠ 0 mod q, which defines the elliptic curve with no multiple roots of unity.
The terminology of point addition can be extended to point multiplication where in this operation, a point P on the elliptic curve is multiplied with a scalar k using the elliptic curve equation to obtain another point Q on the elliptic curve and this is defined by kP = Q. If k = 2, the point multiplication is called the point doubling. The point multiplication kP is computed by performing multiple point additions. Thus, point multiplication uses point addition and point doubling repeatedly to obtain the result. This method is called "double and add" for point multiplication. Mathematically, we have the following: Point addition by adding two elliptic curve points J and K to obtain another point L = J+K and point doubling by adding a point J to itself to obtain another point L = 2J = J+J. If we want to compute L = 3J+5K then we can use the following formula L = 3J+5K = 2J+2(2K)+J+K involving three point doublings and three point additions.

The Proposed Key Authentication Scheme
In this section, we present our new key authentication scheme for a cryptosystem based on the difficulty of solving the elliptic curve discrete logarithm problem. A key authentication consists of three phases that are key generation, user registration, and key authentication. The security of the proposed scheme heavily depends on the hardness of solving the elliptic curve discrete logarithm (Koblitz, 1987).

Definition 1
Given an elliptic curve E over the Galois Field E( q) defined by: where, 0xq and the coefficients a,b,q are non-negative integers and the curve contains no multiple roots of unity. Assume that P and Q are two elliptic curve points on E such that Q = nP. Find the integer n.
From the above definition, we create a corresponding public one-way function defined by f(x) = xG mod q, where G is an elliptic curve point on E. We now give the description of the algorithms of the scheme.

Phase 1: Key Generation Phase
This phase is done by the trusted administrator (steps 1-4) and the receiver (steps 5-6):
1. Select a 160-bit prime p which determines the order of field p
2. Choose two numbers a and b in p. These values determine the elliptic curve, E
3. Pick a base elliptic curve point G from the defined elliptic curve with a large prime generator m such that mG = ∞
4. Choose a secure one-way hash function h() which maps an arbitrary length of input to a 160-bit output
5. Choose at random an integer, d p with d < m
The public parameters of the scheme are given by (p,a,b,m,E,G,h). The public and private keys of the receiver are given by Q and d respectively.

Phase 2: User Registration Phase
This phase is done by the receiver (steps 1-5), the administrator (step 6) and the server (steps 7-10):
1. Choose two random integers s,pwd p with s,pwd < m.
Calculate Y = f(pwd+s) = (pwd+s)G mod p
5. Generate certificate, C = (pwd+s+ d) mod p
6. Store the three components (Rx(Q),Y,h(W)) in a protected key directory, where Rx(Q) represents the x-coordinate of the point Q and h(W) is a hash value of W. We require that these components are protected by access control (the public can see and use but is unable to modify the values/points in the directory). However, the other four components (C,Q,V,W) will be stored in the accessible public key directory. These directories will be monitored and protected by the administrator
7. The server validates if Y = V+W mod p and f (C) = Y+Q mod p holds
8. The server chooses , where , < m and computes J = G mod p and K = G mod p
9. The server generates a user secondary certificate, C' defined by C' = Rx(Q)+C mod p
10. The server stores (C',J,K) in the accessible public key directory
Thus, each receiver has two directories: the protected access control directory (Rx(Q),Y,h(W)) and the accessible public directory (C,Q,V,W,C',J,K).

Phase 3: Key Authentication Phase
This phase is completely done by the sender:
1. The sender verifies if the equation f(C') = Rx(Q)J + CK mod p is true or not
2. The sender accepts the public key Q as valid if the equation above holds; otherwise rejects it
We next provide proof of the receiver's public key validity so that the sender is convinced to use the validated public key to encrypt any message to the receiver.

Proposition 1
Given the scheme's public parameters (p,a,b,m,E,G,h). If the receiver's public key, Q, certificate, C and (C',J,K) are all generated correctly, then the receiver's public key is validated.

Proof
If the receiver's public key, Q, certificate, C and (C',J,K) are all mathematically correct, then we have C = (pwd+s+d) mod p, C' = Rx(Q)+C mod p, J = G mod p and K = G mod p. Note that:
We now discuss the security and efficiency performances of the new designated key authentication scheme.
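The three phases above, together with the double-and-add point multiplication from Materials and Methods, as an added Python example that is not part of the original paper. secp256k1 stands in for the paper's 160-bit curve, scalars are reduced modulo the group order m, and V = pwd·G, W = s·G, the server secrets alpha and beta, and the form C' = Rx(Q)·alpha + C·beta are assumptions, since the page does not show them.

```python
# Added example, not the paper's code. Assumed: secp256k1 as the curve, scalars
# reduced mod the order m of G, and V, W, alpha, beta and the formula for C'.
import secrets

P = 2**256 - 2**32 - 977   # field prime p; curve is y^2 = x^3 + 7 (a = 0)
M = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order m
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(J, K):
    """Point addition L = J + K; None is the point at infinity."""
    if J is None or K is None:
        return J or K
    (x1, y1), (x2, y2) = J, K
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # K = -J
    if J == K:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # doubling slope (a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Point multiplication k*pt by double-and-add."""
    result, k = None, k % M
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def f(x):
    """The scheme's one-way function f(x) = xG."""
    return mul(x, G)

def receiver_values(d, pwd, s):
    """Receiver's part of Phases 1-2 (V = pwd*G and W = s*G are assumed)."""
    return {"Q": f(d), "V": f(pwd), "W": f(s), "Y": f(pwd + s),
            "C": (pwd + s + d) % M}

def server_certify(r, alpha, beta):
    """Server steps 7-10: check Y = V+W and f(C) = Y+Q, then issue (C', J, K)."""
    if r["Y"] != add(r["V"], r["W"]) or f(r["C"]) != add(r["Y"], r["Q"]):
        raise ValueError("registration values are inconsistent")
    c2 = (r["Q"][0] * alpha + r["C"] * beta) % M      # assumed form of C'
    return {"C2": c2, "J": f(alpha), "K": f(beta)}

def authenticate(Q, C, C2, J, K):
    """Phase 3 (sender): accept Q only if f(C') = Rx(Q)*J + C*K."""
    return f(C2) == add(mul(Q[0], J), mul(C, K))

def demo():
    rnd = lambda: secrets.randbelow(M - 1) + 1        # random scalar in [1, m-1]
    r = receiver_values(rnd(), rnd(), rnd())
    cert = server_certify(r, rnd(), rnd())
    genuine = authenticate(r["Q"], r["C"], **cert)
    replaced = authenticate(f(rnd()), r["C"], **cert) # Q swapped in the directory
    return genuine, replaced
```

Calling demo() returns one result for the registered key and one for a directory entry whose Q was swapped after certification; the Phase 3 equation holds only for the first.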

Security Analysis
We show that our scheme is heuristically secure by examining it against common cryptographic attacks. We define each attack and give the corresponding analysis of why this attack would fail. In general, the possible cryptographic attacks by the adversary are as follows.

Attack 1: Public Key Replacement and Public Keyword Modification Attacks
In this attack, the attacker tries to generate a false but valid public key and certificate and replace the original public key and certificate in the public key directory with the false ones. If the attacker succeeds with high probability, then the sender is unknowingly using the false public key to encrypt the message. If this ciphertext falls into the attacker's hands, he or she will be able to read the message using his or her own corresponding false but valid private key. There are two strategies for this attack.
First, the attacker calculates the false public key, Q , chooses a false password, pwd and attempts to obtain the corresponding false certificate, C̄. The attacker chooses the false key, d̄, assuming d ≠ d̄ (this assumption is valid because of the hardness of ECDLP) and calculates Q = dG mod p. Next, the attacker computes We conclude that: This shows that the server is unable to verify C̄, Q and Y and the attacker fails to replace the public key.
Second, the attacker chooses the false certificate, C̄ and tries to obtain the corresponding false public key, Q such that f(C̄) = Y+Q mod p following the original equation in the scheme. The attacker chooses C̄, assuming that C̄ ≠ C (this assumption is valid because of the hardness of ECDLP). It can be shown that: Now the attacker successfully obtains the corresponding value of Q which satisfies the equation f(C̄) = Y+Q mod p. However, the value of Rx(Q ) is not equal to the value of Rx(Q ) stored in the public key directory which is protected by the access control technique. Therefore, Q will be rejected by the server. Otherwise, the attacker may choose Q and try to obtain C̄ from Q = C̄G-Y mod p. This attempt might fail due to the difficulty of solving the elliptic curve discrete logarithm problem.

Attack 2: Keyword/Password Guessing Attack
The attacker attempts to obtain the password, pwd, of a specific user by guessing. If the attacker successfully obtains pwd, then the scheme is considered insecure. From the equation Y = f(pwd+s) mod p, the attacker will try to guess the user password and verify whether the following equation is true or false: The above equation is only true when the guessed password equals pwd.
The value of pwd is chosen from p where p is 160-bit and 2^159 < p < 2^160. Thus, the probability that the guessed password equals pwd is approximately 1/p ≈ 1/2^160 and this is highly unlikely to happen. To obtain the password directly from equations V,W,Y and C, the attacker has to solve the elliptic curve discrete logarithm problem. This is impossible as this hard problem is cryptographically difficult to solve.

Attack 3: Achieving user Public Key Non-Repudiation
A dishonest user tries to repudiate his public key or signature on a received document. Therefore, after the user signs the document, the user tries to replace the public key, Q and the certificate, C, as well as the original server certificate, C', with the false but valid public key, Q̄, certificate, C̄ and server's certificate, C̄'. Specifically, the user wants to calculate the key Q̄ ≠ Q such that it satisfies Rx(Q̄) = Rx(Q). This can be achieved by solving the equation: for y. Next, the user tries to generate the new user certificate by first choosing d̄ randomly and calculating: Then, the user obtains the new server certificate from the equation C' = Rx(Q)+C mod p. However, this is impossible as the values  and  are the server secret keys.
The user may also attempt to obtain the value of C̄' from the equation f(C') = Rx(Q)J+CK mod p. Note that: mod . x To obtain the value of C̄, the user must solve the elliptic curve discrete logarithm problem of C'G mod p. This is impossible because elliptic curve discrete logarithm problems in cryptography are difficult to solve: to this day, no polynomial algorithms have been found.

Performance Analysis
We now discuss the efficiency performance of our key authentication scheme in terms of the number of keys, computational complexity and communication cost. Let Tmul and Texp be the time necessary for performing a modular multiplication and a modular exponentiation, respectively. Let also Tec-add, Tec-mul and Th be the time taken for performing an elliptic curve addition, an elliptic curve scalar multiplication and a hashing, respectively. We further use the following standard conversion of various operation units to the time complexity for executing the modular multiplication (Ismail and Sakib, 2012) given by Texp ≈ 240Tmul; Tec-mul ≈ 0.12T and Tec-mul ≈ 29Tmul.
From Table 1, the key generation phase requires time complexity 3Tec-mul, the user registration phase needs 3Tec-mul+7Tec-mul+Th and the key authentication phase needs Tec-add+2Tec-mul. Using the conversion, the time complexities needed for the key generation phase, user registration phase and key authentication phase are respectively given by 29Tmul, 203.36Tmul+Th and 58.12Tmul. The overall communication cost of the scheme is 11|p| in total. This is considered smaller than Wu and Lin (2004), Zhang and Kim (2005) and Yoon and Yoo (2007). We next compare our scheme with some other related schemes in Table 2. In Table 3, we provide the comparison in terms of time complexity, Tmul.

Conclusion
One of the challenges in designing a key authentication scheme is its security analysis. If we want to create a secure scheme, the algorithms or phases in the designated scheme must be mathematically and cryptographically strong. In the literature, there are many key authentication schemes developed based on factoring and discrete logarithm problems. In this study, we design a key authentication scheme based on the hardness of solving the elliptic curve discrete logarithm problem. Our proposed scheme provides greater security and efficiency compared to existing key authentication schemes. The designated scheme is also shown to be heuristically secure against most of the common cryptographic attacks for key authentication such as public keyword modification and keyword guessing attacks. In terms of efficiency performance, our scheme requires the least amount of time complexity of 203.36Tmul+Th for the user registration phase and 58.12Tmul for the key authentication phase, and offers O((log n)^2) poly-logarithmic running time compared to some existing key authentication schemes. Next, the overall communication cost of the scheme is 11|p| in total. For future work, one could strengthen the security of the scheme by applying provable security to it. One may also integrate the security of the scheme with other hard problems to make it harder for an adversary to break it.