On Security Analysis of Recent Password Authentication and Key Agreement Schemes Based on Elliptic Curve Cryptography

Secure and efficient mutual authentication and key agreement schemes form the basis of any robust network communication system. Elliptic Curve Cryptography (ECC) has emerged as one of the most successful public key cryptosystems. Compared with other public key cryptosystems (RSA, Rabin, ElGamal), ECC provides an equivalent level of security at a far smaller key size, which substantially reduces processing overhead. This makes it suitable for constrained environments such as wireless networks and mobile devices as well as for security-sensitive applications such as electronic banking, financial transactions and smart grids. With successful deployments in e-passports, e-IDs and embedded systems, ECC is becoming widely commercialized, and its simplicity and speed make it an attractive option for securing lightweight devices. In this paper we analyze some recent password-based authentication and key agreement schemes that use ECC in various environments. We further carry out security, functionality and performance comparisons of these schemes and find that they fail to satisfy their claimed security goals.


INTRODUCTION
With the rapid growth of the internet and wireless communication networks, users can easily use the services of a remote server anytime and anywhere. The popularity of such services has exposed information on the network to various security threats, and practically secure user authentication and key agreement systems have become vital for these networks. Various schemes based on passwords, biometrics, smart cards, dynamic IDs or a combination of these have been proposed for remote user authentication. Of these, password-based authentication schemes have gained the most popularity due to their simplicity, scalability, efficiency and convenience. The concept of password-based authentication was introduced by Lamport [1] in 1981. He proposed a password authentication scheme based on a one-way hash function that authenticates the client to the server. Although it

In this paper we therefore consider only ECC-based password authentication and password update schemes for smart cards. Table I surveys recent password authentication and key agreement schemes based on ECC together with the works related to their improvement.

Table I: Related Research Scholarship (Year, Author: Contribution)

2011, D. He [4]: Analyzed the security of the Islam and Biswas scheme [2] and found it vulnerable to three kinds of attacks in different scenarios: (1) stolen-verifier attack, (2) offline password guessing attack and (3) privileged insider attack.

2011, Wang, Juang and Lei [5]: Studied the scheme of Wang et al. [6] and found it vulnerable to the smart card loss problem and the known key attack. They further proposed a key agreement scheme based on the elliptic curve discrete logarithm problem.

2012, He, Wu and Chen [7]: Performed a cryptanalysis of the Islam and Biswas scheme [2] and found that it is vulnerable to the offline password guessing attack and the stolen-verifier attack.

2012, Wang et al. [8]: Analyzed the Islam and Biswas scheme [2] and showed the following weaknesses: (1) it is susceptible to the offline password guessing attack, the stolen-verifier attack and a denial of service (DoS) attack; (2) it fails to preserve user anonymity.

C.T. Li [9]: Analyzed the Islam and Biswas scheme [2] and found it prone to offline password guessing, stolen-verifier and insider attacks. He further proposed a smart card based ECC scheme that also provides user anonymity.

2014, Wang [10]: Demonstrated that, in addition to the previously reported flaws [4][8][9] in the Islam and Biswas scheme [2] (offline password guessing, stolen-verifier, privileged insider and denial of service attacks), the scheme cannot resist the password compromise impersonation attack. She further proposed an anonymous remote authentication scheme using smart cards that needs no bilinear pairing computation, and claimed that it not only inherits the advantages of the Islam and Biswas scheme but also provides more features, including user anonymity, offline password change, revocation, re-registration with the same identifier and system update.

2014, Qiao and Tu [11]: Proposed a security-enhanced scheme that eliminates the weaknesses of the Islam and Biswas scheme [2] pointed out by He et al. [7], and claimed that it performs better than the Islam and Biswas scheme and is more suitable for practical applications.

2014, Ramesh and Bhaskaran [12]: Analyzed Li's scheme [9] and demonstrated that it is prone to insider, password guessing and stolen-verifier attacks, does not provide user anonymity, and is inefficient when a wrong password is entered at login. They also found that when the public key of the server is compromised, the adversary can obtain all previous session keys between user and server. They further proposed an improved scheme that inherits the merits of Li's scheme while removing the modular computations involved in bilinear pairing operations.

MATHEMATICAL BACKGROUND OF ECC
The robustness of any cryptographic security protocol depends on the hardness of the underlying mathematical problem. The security of ECC-based protocols depends on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP) and the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP).

Theory of elliptic curve
The equation of a non-singular elliptic curve E_p(a, b) over a finite field Z_p can be written as:

where a and b are two integer elements of Z_p and p is a large prime number. Furthermore, for the above equation to be non-singular, the condition

must be satisfied. G is a base point in E_p(a, b) with prime order n and O is the point of the elliptic curve at infinity, so that G multiplied by n equals O (n·G = O). A cyclic group E = {(x, y) ∈ E_p(a, b)} ∪ {O} is formed by the points P(x, y) ∈ E_p(a, b), x, y ∈ Z_p, where O is the additive identity element of the group. Point multiplication is evaluated by iterative addition as

Although ECDLP is computationally hard to solve, various exponential-time algorithms for attacking ECDLP are known. Such attacks, also known as generic attacks, use algorithms like Pohlig-Hellman [35], Pollard rho [36] and the parallelized version [37] of Pollard rho. However, if the elliptic curve parameters are chosen cautiously, all known attacks on ECDLP are believed to be infeasible with the state of today's technology.
Problem 2. Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP): Given G and two points xG and yG, it is hard to compute xyG, where x, y ∈ Z_p^* are chosen randomly and are smaller than n. Like ECDLP, the solution to ECCDHP is also computationally hard. The proof of intractability of ECCDHP was given by Boneh and Lipton [38], who proved that if ECDLP cannot be solved in subexponential time, then neither can ECCDHP. Shoup's result [39] provides further evidence of the hardness of ECCDHP.
Problem 3. Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP): Given G and three points xG, yG and zG, it is hard to decide whether zG = xyG or not, where x, y, z ∈ Z_p^* are chosen randomly and are smaller than n. Like ECCDHP, the solution to ECDDHP is also computationally hard. Evidence of the hardness of ECDDHP has been given by Shoup [39].

Elliptic Curve Point Operation
The practicality of an elliptic curve cryptosystem also depends on the efficient execution of arithmetic operations in the underlying field. In the point multiplication operation, a point P on the elliptic curve is multiplied by a scalar k using the elliptic curve group law to obtain another point R on the same curve, i.e. kP = R. Point multiplication is built from two basic elliptic curve operations.
• Point addition, where two distinct points P and Q on the elliptic curve are added to obtain another point R that also lies on the same curve, i.e. R = P + Q.
• Point doubling, where a point P on the elliptic curve is added to itself to obtain another point R on the curve, i.e. R = 2P.
An instance of the point multiplication operation is as shown. Let P be a point on the elliptic curve and k a scalar; P is multiplied by k to obtain another point R on the curve, i.e. R = kP.
Thus the point multiplication operation involves repeated point addition and point doubling to find the result. Also, a point on an elliptic curve over a finite field, if repeatedly added to itself, will eventually reach O, the point at infinity. The number of times a point must be added to itself until it reaches O is called the order of the point.
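As an added worked example, not code from the paper, the following Python implements the operations just described on a toy curve so that each definition above can be checked by hand: point addition, point doubling, double-and-add scalar multiplication, the order of a point, a Diffie-Hellman exchange (an ECCDHP instance) and a brute-force generic ECDLP attack that succeeds only because the group is tiny. The curve y^2 = x^3 + 2x + 2 over Z_17 with base point G = (5, 1) is a textbook toy curve assumed for the demonstration, and the short Weierstrass form together with the non-singularity test 4a^3 + 27b^2 ≠ 0 (mod p) are assumed from the standard definitions of ECC.

```python
# Added example (not from the paper): short Weierstrass curve arithmetic over
# Z_p, double-and-add scalar multiplication, point order, an ECDH exchange and
# a brute-force ECDLP solver. The toy parameters p = 17, a = 2, b = 2,
# G = (5, 1) are an assumption for the demo; the group has prime order 19.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents O, the point at infinity


class Curve:
    """y^2 = x^3 + a*x + b (mod p), the standard short Weierstrass form."""

    def __init__(self, p: int, a: int, b: int) -> None:
        self.p, self.a, self.b = p, a % p, b % p
        # Non-singularity: 4a^3 + 27b^2 != 0 (mod p). A singular curve has a
        # cusp or node and its "group" collapses into ordinary Z_p arithmetic,
        # where the discrete logarithm is easy.
        if (4 * self.a ** 3 + 27 * self.b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 == 0 mod p")

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Point addition R = P + Q; doubling is the P == Q branch."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # doubling
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)              # addition
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def double(self, P: Point) -> Point:
        return self.add(P, P)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication kP by left-to-right double-and-add."""
        if k < 0:
            raise ValueError("negative scalar")
        R: Point = None
        for bit in bin(k)[2:]:
            R = self.double(R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order(self, P: Point) -> int:
        """Smallest n >= 1 with nP = O, found by repeated addition as in the text."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n

    def brute_force_dlog(self, G: Point, Q: Point, n: int) -> int:
        """Generic ECDLP attack: walk k = 0..n-1 until kG == Q. Feasible only
        because n is tiny; Pollard rho would need about sqrt(n) steps."""
        R: Point = None
        for k in range(n):
            if R == Q:
                return k
            R = self.add(R, G)
        raise ValueError("Q is not a multiple of G")


def ecdh_demo(curve: Curve, G: Point, x: int, y: int) -> Tuple[Point, Point]:
    """ECCDHP instance: each side computes xyG from its own scalar and the
    other side's public point; an eavesdropper sees only xG and yG."""
    xG, yG = curve.mul(x, G), curve.mul(y, G)
    return curve.mul(x, yG), curve.mul(y, xG)


if __name__ == "__main__":
    toy, G = Curve(17, 2, 2), (5, 1)
    print("2G =", toy.mul(2, G), "order(G) =", toy.order(G))   # (6, 3), 19
    print("shared secrets:", ecdh_demo(toy, G, 3, 7))           # both (6, 3)
    print("dlog of 13G:", toy.brute_force_dlog(G, toy.mul(13, G), 19))  # 13
```

Because n = 19 the brute-force loop finishes instantly; with n near 2^256, as in the curves the surveyed schemes use, neither this loop nor Pollard rho (about 2^128 steps) is feasible, and that gap is exactly the assumption those schemes rest on.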

SECURITY AND EFFICIENCY ANALYSIS
An ideal password authentication and key agreement scheme is expected to satisfy some prerequisite security and functionality features.In this section, we list out these desired attributes.We further compare some of the existing ECC based authentication schemes to analyze their claimed security and functionality goals.

Security Analysis
The security comparison of existing schemes is presented in Table II.The security attributes are discussed as below.

Offline Password Guessing Attack
The offline password guessing attack is a serious problem in any password-based remote user authentication scheme. In this type of attack, the adversary eavesdrops on the messages exchanged between the remote server (S) and the client (A) over the insecure channel and tries to derive the client's identity ID_A and password PW_A from them. Most ECC schemes rely on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP), for which no polynomial-time algorithm is known. Unfortunately, the adversary may also guess the password using the authentication information stored on the user's insecure device, or by illegally accessing the secure information stored on the remote server. Moreover, because clients choose low-entropy passwords, the adversary can simply enumerate candidate passwords offline and test each against the captured or stolen values; the hardness of ECDLP does not help here, since the adversary never needs to solve it. This exposes the system to the offline password guessing attack.

Stolen Verifier Attack
The stolen verifier attack occurs when the adversary steals the password verifier U_A or other security-sensitive information from the server's database and launches an offline guessing attack on it to acquire the client's legitimate password PW_A. The adversary may then impersonate the legitimate client to access the remote server.
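To make the two attacks above concrete, here is an added Python simulation that is not taken from the paper or from any of the surveyed schemes. It models a server that stores a hypothetical verifier U_A = h(ID_A || PW_A) for each client, shows how an adversary who has stolen the verifier table recovers a low-entropy PW_A by offline guessing and then passes the server's own login check as the client, and contrasts this with a hypothetical verifier keyed by a server secret x (U_A = HMAC_x(ID_A || PW_A)) that is kept outside the database, against which the same stolen table is useless. The identifiers, passwords, dictionary and secret are all constructed for the example.

```python
# Added example: stolen-verifier and offline password guessing attacks against
# a toy verifier table, beside a server-secret-keyed verifier that resists them.
# Not taken from the paper or any surveyed scheme; every value is constructed.
import hashlib
import hmac
import secrets

# Constructed dictionary of low-entropy candidate passwords.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "welcome1", "alice2015"]


def weak_verifier(id_a: str, pw_a: str) -> bytes:
    """Hypothetical verifier U_A = h(ID_A || PW_A). Anyone holding U_A can test
    guesses offline; including ID_A only stops one guess being reused across
    users, it does not slow the attacker down."""
    return hashlib.sha256(f"{id_a}:{pw_a}".encode()).digest()


def keyed_verifier(id_a: str, pw_a: str, server_key: bytes) -> bytes:
    """Hypothetical hardened verifier U_A = HMAC_x(ID_A || PW_A), where x is a
    server secret stored outside the verifier database (e.g. in an HSM)."""
    return hmac.new(server_key, f"{id_a}:{pw_a}".encode(), hashlib.sha256).digest()


def server_verify(table: dict, id_a: str, pw_a: str, verifier, **key) -> bool:
    """The server's login check: recompute the verifier and compare in constant
    time. The impersonator passes it with a recovered password."""
    if id_a not in table:
        return False
    return hmac.compare_digest(table[id_a], verifier(id_a, pw_a, **key))


def offline_guess(id_a: str, stolen_u: bytes, verifier, **key):
    """Stolen verifier + offline guessing: every candidate is tested locally
    against the stolen U_A, so no login attempt reaches the server and no rate
    limit or lockout can fire. Returns the password or None."""
    for candidate in DICTIONARY:
        if hmac.compare_digest(verifier(id_a, candidate, **key), stolen_u):
            return candidate
    return None


def demo() -> dict:
    id_a, pw_a = "alice", "letmein"  # constructed client with a weak password

    # Scenario 1: the table stores h(ID_A || PW_A) and is stolen.
    table = {id_a: weak_verifier(id_a, pw_a)}
    recovered = offline_guess(id_a, table[id_a], weak_verifier)
    impersonated = recovered is not None and server_verify(
        table, id_a, recovered, weak_verifier)

    # Scenario 2: the table stores HMAC_x(ID_A || PW_A); the table leaks but
    # x does not, so the adversary's offline guesses run under a wrong key.
    x = secrets.token_bytes(32)
    keyed_table = {id_a: keyed_verifier(id_a, pw_a, x)}
    adversary_key = secrets.token_bytes(32)  # adversary does not know x
    recovered_keyed = offline_guess(
        id_a, keyed_table[id_a], keyed_verifier, server_key=adversary_key)
    legit_login = server_verify(
        keyed_table, id_a, pw_a, keyed_verifier, server_key=x)

    return {
        "weak_recovered": recovered,         # "letmein"
        "weak_impersonated": impersonated,   # True
        "keyed_recovered": recovered_keyed,  # None
        "keyed_legit_login": legit_login,    # True
    }


if __name__ == "__main__":
    print(demo())
```

The keyed verifier only relocates the risk: if x leaks together with the table, scenario 2 collapses into scenario 1, and a deliberately slow password hash is still needed to raise the per-guess cost. This is why the stolen-verifier attack is treated as fatal for any scheme whose verifier is a plain function of ID_A and PW_A.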

Insider Attack
In an insider attack, a client A may register with a number of servers S_1, S_2, ..., S_n using the same identity ID_A and password PW_A for convenience. If a privileged insider U_1 of server S_1 learns A's password PW_A and identity ID_A, then U_1 may try to access the other servers S_2, S_3, ..., S_n using the same password PW_A and identity ID_A, thereby compromising the security of the system.

Impersonation Attack
In an impersonation attack, the adversary attempts to pose as the legal client A by forging the user's authentication information. The adversary may eavesdrop on the information transmitted between client A and server S and launch an offline guessing attack on it to acquire the client's legitimate password PW_A. Once the adversary obtains the correct password of client A, he can log in to the remote server using PW_A and ID_A.

Server Spoofing Attack
A server spoofing attack is also known as a server impersonation attack. In this type of attack, the adversary sets up a fake server that mimics the legitimate one, using the sensitive data it has obtained about the legitimate user. The client then transmits security-sensitive information to this fake server without being able to verify its authenticity.

Many Logged-in Users Attack
In this attack, it is assumed that the password PW_A and the identity ID_A of client A have leaked to many adversaries, who can in turn log in to the remote server whenever they want. This is a serious issue, as a number of adversaries can cause a security breach using the valid password PW_A and identity ID_A, thus disrupting the whole system.

Password Disclosure Attack
In password disclosure, the client's password is revealed either by breaking into the verification table on the server or by using the authentication information stored on the user's insecure device.

Functionality Analysis
The functionality comparison of existing schemes is presented in Table III.
The functionality attributes are discussed as below.

Mutual Authentication
Mutual authentication is the mechanism in which both the client and the server authenticate each other using a challenge-response technique and are assured of each other's legal identity before communication over the insecure channel begins. Only after mutual authentication is security-sensitive information exchanged between the server and the client.

Freely Choosing and Updating Password
In an ideal authentication scheme, the client can freely choose his/her password PW_A without any support from the remote server. The legal client can also modify his/her password at any time using the password change phase.

Journal of Technology Management for Growing Economies, Volume 6, Number 1, April 2015

Session Key Agreement
In session key agreement, after successful mutual authentication a common secret session key SK is established between the legal server and client in each session. With this SK, confidential messages between the client and the remote server can be exchanged safely.

Prevention of the Clock Synchronization Problem
The clock synchronization problem arises from the use of timestamps in login systems to prevent replay attacks, since both parties need synchronized clocks to check them. Random numbers (nonces) can be used instead of timestamps to prevent replay attacks, which avoids the clock synchronization problem.

User Anonymity
During communication between the client and the remote server over an insecure network, an adversary or third party may learn the identity of the client by intercepting the messages exchanged between them. Providing user anonymity is therefore very important.

Perfect Forward Secrecy
With perfect forward secrecy, the security of previous sessions established between the legal client and the remote server using a common session key is not affected even if the long-term private keys of the client and server are later compromised.

Bilinear Pairing
Bilinear pairings derived from the Weil or Tate pairings on elliptic curves are used in cryptography to construct identity-based and password-based cryptographic schemes. It has been found that the cost of a bilinear pairing is approximately 20 times that of a scalar multiplication over the elliptic curve group [34]. Thus an alternative approach that avoids bilinear pairings improves the performance of the system to a great extent.

PERFORMANCE ANALYSIS
In this section, in order to evaluate the performance of the recent existing schemes, we compare the computation cost of these schemes in each phase.
Table IV gives a brief review of the performance by computing the time consumed by the various operations in each phase. Here T_S denotes a symmetric key encryption, T_H a hash operation, T_E a modular exponentiation, T_EM an elliptic curve scalar multiplication, T_A an elliptic curve point addition or subtraction, T_X an XOR operation and T_P a bilinear pairing operation. We observe that the Islam-Biswas scheme [2] and C.T. Li's scheme [9] make use of bilinear pairings. It has been found that the cost of a bilinear pairing is approximately 20 times that of a scalar multiplication over the elliptic curve group [34], i.e. T_P ≫ T_EM. Song [16] uses modular exponentiation, and the time taken to perform one exponentiation is approximately 8 times that of one elliptic curve point multiplication [40], i.e. T_E ≫ T_EM. Furthermore, Islam and Biswas [2], Li [9] and Ramesh and Bhaskaran [12] make use of elliptic curve addition and multiplication, which are far slower than XOR operations, and this increases their overall computation cost. Thus the existing schemes are quite inefficient in terms of overall performance.

APPLICATIONS OF ECC
ECC is being used successfully in a wide range of existing applications.
In resource-constrained environments, elliptic curves are emerging as an attractive alternative to first-generation public key systems such as Diffie-Hellman. Elliptic curves are also suitable in applications where
• computing power is limited (intelligent cards, wireless devices, PC boards, PDAs, etc.)
• processing overhead should be low (wireless sensor networks)
• memory on the integrated circuit is limited (embedded systems)
• great computing speed is necessary (Big Data, e-commerce)
• digital bandwidth is limited
This makes ECC suitable for constrained environments such as wireless networks and mobile devices as well as for security-sensitive applications such as electronic banking, financial transactions and smart grids. ECC significantly reduces the processing burden on applications conducting a large number of secure transactions, making it widely acceptable for e-commerce and e-ID documents. ECC delivers faster, more secure processing for e-passports and other government-issued e-IDs, and provides high performance and security at a reasonable cost. Furthermore, it resists the known attacks with a very small key size compared to other public key cryptosystems such as RSA. Today, manufacturers have incorporated ECC into their solutions because the technology suits small devices such as smart meters and smart cards. Through this commercialization, ECC-based technology is finding applicability in wired and wireless networks, mobile ad hoc networks, the Internet of Things (IoT), radio frequency identification, Wireless Body Area Networks (WBAN), smart grids, big data, ubiquitous computing and so on.

Issues
Despite the wide acceptance of elliptic curves because of their many merits, they have been criticized by researchers on various grounds which limit their use and implementation.
1. Various features of ECC have been patented by corporate and business organizations all over the world. For instance, Certicom Inc., a Canadian company, holds over 130 patents related to public key cryptography and elliptic curves, which restricts its usage.
2. Attacks against curves over prime fields as well as over binary fields are possible if the elliptic curve is not chosen carefully. Weak classes such as supersingular curves and anomalous curves have been identified and are strictly prohibited by the projects developing standard specifications for public key cryptography, such as IEEE P1363, ANSI X9.62 and ANSI X9.63. Whether a candidate curve falls into one of these classes is a property of its group order that must be checked explicitly during parameter generation.
3. Pollard's rho method provides a simple yet powerful way to solve discrete logarithm problems on elliptic curves defined over finite fields. The algorithm is easy to implement, requires minimal storage and works for curves over any finite field with any type of representation; its running time grows with the square root of the order n of the base point, so the group order must be large enough for this to be infeasible. Strengthening the system against Pollard's attack is therefore a major issue.
4. The security of ECC-based authentication schemes is further crippled by weak passwords. Passwords can easily be compromised by launching offline password guessing, impersonation and stolen-verifier attacks. In such a scenario, password-less authentication schemes could contribute remarkably to improving the security of these systems.

Future Scope
Despite the above issues, ECC-based applications are being commercialized.
For instance, Certicom plans to enter the market by selling ECC-based software toolkits. The National Security Agency (NSA) of the United States uses the mathematics of elliptic curves over finite fields to provide internet security. Other countries such as the U.K. and Canada have also adopted ECC-based systems to ensure the security of their systems. The popularity and successful implementation of ECC can be gauged from the fact that the US Department of Defense plans to replace almost 1.3 million pieces of existing equipment over the coming decade. A new generation of cryptographic equipment based on the mathematics of elliptic curves for key management and digital signatures is already in use in the defense sector of many countries. Thus we can foresee a bright future for ECC in the coming years.

CONCLUSIONS
Elliptic Curve Cryptography provides security equivalent to that of other public key cryptosystems (RSA, Rabin and ElGamal) at much smaller key sizes, and hence with greater efficiency. In implementations, the saving in processing overhead leads to higher processing speed, lower power consumption and smaller code size. Applications seeking practically efficient, clean and sustainable solutions to network security threats have seriously considered elliptic curve cryptosystems as an attractive alternative to the other systems. Unfortunately, we observe that no single scheme to date satisfies all the security and functionality requirements. Thus a robust and improved ECC-based authentication scheme needs to be developed that not only provides all the security and functionality features but also reduces computation costs.

Table II: Security Comparison of the Existing Schemes

Table III: Functionality Comparison of the Existing Schemes

Table IV: Computation Cost Comparison of the Existing Schemes