A new lattice-based password authenticated key exchange scheme with anonymity and reusable key

Literature review

Lattice-based PAKE schemes have been constructed into two sub-classes: Smooth Projective Hash Functions (SPHF)-based and hard-lattice problem-based. With the usage of SPHF, it was aimed to eliminate the usage of random oracles in getting strong security features. It has been widely preferred in the PAKE design since it is a variation of a zero-knowledge proof system. In the SPHF-based PAKE schemes, public key is used to obtain the commitment of the password and check the validity of this commitment (Cramer & Shoup, 2002). In the last six years, (Zhang & Yu, 2017; Jheng et al., 2018; Li & Wang, 2019; Wang et al., 2019; Jiang et al., 2020; Li, Wang & Morais, 2020; Yin et al., 2020; Tang et al., 2021; Zhao, Ma & Qin, 2023) schemes were proposed to the literature by using SPHF assumptions. The hard-lattice problem-based ones have been defined by transforming DH-like PAKE ideas into lattice-based primitives. These PAKEs can be divided into two categories in terms of number of phases: one-phase and four-phase. The first adaptation of the one-phase PAKE scheme was proposed in Ding et al. (2017). Then, Xu et al. (2017), Liu et al., 2019, Ren, Gu & Wang (2023), Seyhan & Akleylek (2023) were also constructed by using lattice assumptions with different properties and usage areas.

In this section, we present the current literature on four-phase lattice-based PAKEs since the proposed BiGISIS.PAKE is proposed by following the four-phase PAKE design. In Dabra, Bala & Kumari (2020), a PAKE version of Feng et al. (2018) was constructed for the post-quantum era security of mobile devices. The idea of direct public key authentication from the zero-knowledge authentication scheme (Ding et al., 2018) was followed to obtain SLA resistance. Based on the hardness of the ring LWE (RLWE) problem, the scheme consists of setup, registration, login and authentication, and password update phases. In the proposed four-phase two-party PAKE, Ding functions (Ding, Xie & Lin, 2012) were chosen as a solution to the reconciliation problem. The security analysis of the proposed PAKE, which provides key reusability, anonymity, and PFS, was performed in the RoR model by examining attack resistance such as PDA, SLA, and MBA. In Islam & Basu (2021), a three-party and four-phase lattice-based PAKE scheme for mobile devices was proposed. Based on the hardness of the RLWE problem, the authentication was obtained using a timestamp and password. The reconciliation problem was solved by adding Ding functions (Zhang et al., 2015). The security analysis was performed in the ROM by making attack specific examinations. Due to the key reuse property, in Ding, Cheng & Qin (2022), Dabra, Bala & Kumari (2020) had been proven vulnerable to SLA. An improved SLA-resistant RLWE-based PAKE was also constructed by adding the practical randomized KE idea (Gao et al., 2018). The scheme was designed as a four-phase, two-party scheme, and the security analysis was also presented in the RoR. SLA and MBA resistances were discussed by considering mobile environment communication. In Kumar et al. (2023), an SLA-resistant PAKE scheme was constructed for mobile devices. The security of the proposed PAKE was based on the RLWE problem. It was designed as a four-phase PAKE for post-quantum secure two-party communication. The security analysis was performed in the ROM. The resistance against some attacks were examined and it also provided PFS, mutual authentication, and anonymity features. In Wang et al. (2023), an efficient smart-card-based PAKE scheme was proposed to obtain post-quantum secure two-factor authentication with reusable key. The main hardness of the proposed PAKE was based on the RLWE problem and used fuzzy-verifier + honeywords approach (Wang & Wang, 2016) to provide resistance against two-factor-based attacks. The resistance against smard-card-based attacks were analyzed with formal security analysis under the ROM assumptions.

Motivation and contribution

PAKE schemes that meet the authentication requirements for key-sharing techniques by utilizing passwords are used in different areas. Thanks to these schemes, high-entropy shared session keys are obtained by using low-entropy and easy-to-remember passwords. With the PQC concept, the need for quantum secure PAKE schemes for different applications has arisen (Ott, Peikert et al., 2019; Hao, 2021). According to the current literature, two main properties, anonymity, and reusable key, are captured with PAKE schemes. The anonymity that gives user privacy and the reusable key features that efficiently use system resources are essential to propose solutions for these requirements. The number of schemes that provide these features is also quite limited. We sought an answer to how to design a PAKE protocol with appropriate processing steps for post-quantum security of mobile devices with additional features. Then, we constructed a four-phase BiGISIS.PAKE scheme, whose security is based on the assumptions of BiGISIS. The main contributions of the proposed BiGISIS.PAKE to the literature is highlighted as follows.

• The first BiGISIS-based PAKE scheme, which provides anonymity and reusable key features, is proposed for post-quantum security of mobile devices.

• The BiP approach is used to reduce the time spent on key generation by obtaining a reusable key. Unlike the methods in the literature, the reusable key feature does not cause SLA thanks to the part selection-based reconciliation method, the most significant bit (MSB).

• Anonymity is achieved to prevent illegal user login attempts by using pseudo-identity components and additional hash functions.

• The security analysis is presented by following the RoR model assumptions. As a result of security analysis, PFS and integrity are satisfied, and the resistance against eavesdropping, hash function simulation, manipulation, impersonation, MitM, KKS, and offline PDA are captured.

• To the best of our knowledge, it is the first SLA-resistant lattice-based PAKE scheme that provides anonymity and reusable key.

Organization

The rest of this manuscript is organized as follows. In ‘Preliminaries’, the notation and the mathematical background are given. In ‘Proposed PAKE’, each phase of the proposed scheme is explained step-by-step. Parameter selection constraints, basic computations, and protocol flow are explained in detail. In addition, the verification is done by examining basic assumptions and key parameters. In ‘Security Analysis’, the semantic security and attack resistances are discussed. The comparison with similar four-phase lattice-based PAKE schemes is given in ‘Comparison’. Finally, the conclusion is discussed in ‘Conclusion’.

Setup phase

ś performs the setup stage and generates the system parameters.

• n is chosen to be the power of 2. The sensitivity of the application is also considered in the selection of n. Then, the module dimension m is chosen such that m ≥ 2.

• The odd prime number q is selected such that qmod2n = 1.

• The common public key $A{\leftarrow }_r{\Re }_q^{m\times m}$ is selected and the distribution χ is defined.

• ś generates the static public key $p_{\text{ś}}^T=s_{\text{ś}}^{T}A+e_{\text{ś}}^T$, where $s_{\text{ś}}^T,e_{\text{ś}}^T{\leftarrow }_r\chi$.

• Three different hash functions H₀:{0, 1}^∗ → {0, 1}^l, $H_1:{\left\{0,1\right\}}^l\to {\Re }_q^{m\times 1}$, and H₂:{0, 1}^∗ → χ are specified for the BiP, authentication check, and password-based shared key generation.

At the end of this phase, ś publishes the session parameters $\left\{n,m,q,\chi ,A,p_{\text{ś}}^T,H_{\left\{i=0,1,2\right\}}\right\}$.

Registration phase

The mobile user registration is performed after the setup is completed. All messages are assumed to be transmitted over the secure channel at this stage. Due to the registration phase, user registration and the shared key agreement are achieved securely. The mobile user registration is completed by performing the enumerated steps in Fig. 1. Then, the login&password-based mutual authentication phase is started.

In Fig. 1, the mobile user starts the registration by sending the client ID (id_m´) to the server. In lines 3–5, the server makes some random selections ($t,s_{\text{ś}}^{T^{\ast }}$) and computes the registration parameter ($d_{\text{m´}}^{\ast }$) to package the ID and secret key. In line 6, the server sends $\left\{t,d_{\text{m´}}^{\ast },pi{d}_{\text{m´}}\right\}$ to the mobile user to generate registration parameter. In lines 7–9, the mobile user computes the registration parameter (d_m´) and packaged password (PW_m´ = H₁(v_m´)). Finally, the mobile user and the server store {pid_m´, d_m´} and $\left\{pi{d}_{\text{m´}},P{W}_{\text{m´}},s_{\text{ś}}^{T^{\ast }}\right\}$ in the databases, respectively.

Login&password-based mutual authentication phase

At this stage, an insecure version of the communication channel is considered. With password-based authentication, the shared key is generated. By using hash function H₀ and cid_m´ components, the anonymity feature is obtained. To get the reusable key feature, the BiP method, given in Definition 5, is used. The operations of this stage are detailed in Fig. 2.

Let’s detail each party’s computations by looking at them step-by-step according to Fig. 2.

• Lines 1–8 for Mobile User: In line 1, the mobile user recalls the parameters that were generated during the registration phase. In lines 2–3, he/she computes the password (PW_m´) to use it in the protocol flow. Between lines 4 and 7, he/she generates static (p_m´) and temporary (x_m´) public keys by following the BiGISIS distribution. Finally, in lines 8–9, the mobile user computes and sends its packaged public key with the password ($x_{\text{m´}}^{\ast }$) to the server.

• Lines 10–21 for Server: In line 10–11, the server decrypts the packaged mobile user public key ($x_{\text{m´}}^{\ast }$) with the help of the fetched password (PW_m´) by using pid_m´. In lines 13–14, the server generates its temporary public key ($x_{\text{ś}}^T$). In lines 15–17, the server determines and computes BiP components to provide the reusable key feature. Based on these calculations, the server generates its key component (k_ś). Then, he/she uses MSB reconciliation to agree on the same shared key. Finally, the server sends its public key ($x_{\text{ś}}^T$) and authentication component (α_ś) to the mobile user.

• Lines 22–34 for Mobile User: In lines 22–24, the mobile user computes BiP-related components to ensure the reusable key feature with the computation of ($\overleftrightarrow{x_{\text{ś}}^T}$). In lines 25–27, he/she generates the key component of the server ($k_{\text{ś}}^{\prime }$) based on its computations and determines the reconciliation value (${\psi }_{\text{ś}}^{\prime }$) to check the first step of successful authentication (${\alpha }_{\text{ś}}\stackrel{?}{=}{H}_0\left(x_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}}^{\prime }\right)$). In line 28, he/she determines the pseudo-secret key (s_m´) to use it in the second authentication check. Then, the mobile user computes its key component (k_m´) and generates its reconciliation value (ψ_m´). In line 31, cid_m´ computation is occurred to assist the anonymity feature. Finally, lines 32-33, shared secret key ($s{k}_{\text{m´ś}}=H_0\left(i{d}_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}},{\alpha }_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}}^{\prime },{\alpha }_{\text{ś}}\right)$) is generated by using third authentication check component (α_m´).

• Lines 35–41 for Server: Like the mobile user, in lines 35–39, the server computes server-related parameters such as key component ($k_{\text{m´}}^{\prime }$), reconciliation value (${\psi }_{\text{m´}}^{\prime }$), anonymity item (id_m´), pseudo-secret key (s_m´), and authentication component (${\alpha }_{\text{m´}}^{\prime }$). Finally, the server also generates the shared key ($s{k}_{\text{ś m´}}=H_0\left(i{d}_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}}^{\prime },{\alpha }_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}},{\alpha }_{\text{ś}}\right)$) based on generated values.

After running the login&password-based mutual authentication phase, the mobile user and the server agree on a password-authenticated shared key. The final step, the password update phase, is optional and should be used when the parties need to update the password.

Password update phase

The password update step is performed when the user wants to update her/his password. It is assumed that all transmitted messages are sent over an secure channel. The password update stage is explained in Fig. 3. The step-by-step definition of Fig. 3 is summarized as follows.

• Lines 1–4 for mobile user: By using fetched {pid_m´, d_m´}, he/she determines the password component (v_m´) to derive the main password ($P{W}_{\text{m´}}^{\ast }$) and sends it to server to check the password update requirement.

• Lines 5–8 for server: The server brings back the stored password (PW_m´) by using pid_m´. In line 6, if a match is achieved, the server sends a warning message and allows the mobile user to initiate the password update process.

• Lines 9–13 for mobile user: In lines 9–12, the password-related components ($p{w}_{\text{m´}}^{\text{new}}$, $d_{\text{m´}}^{\text{new}}$, $P{W}_{\text{m´}}^{\text{new}}$) are re-generated and new password information ($d_{\text{m´}}^{\text{new}}$) is stored in the database. Finally, the mobile user sends the updated password ($P{W}_{\text{m´}}^{\text{new}}$) to the server.

• Line 14 for server: The updated password is received from the mobile user and is stored in the server database.

The correctness analysis of the proposed PAKE is discussed in ‘Correctness analysis’.

Correctness analysis

In the proposed BiGISIS.PAKE scheme, the necessary conditions to derive the shared key are computed based on the static and ephemeral key components. Due to the number of sub-components, the upper bound is determined by examining the static ones ($k_{\text{ś}},k_{\text{ś}}^{\prime }$). By considering Fig. 2, if k_ś and k_ś’ are rewritten, Eq. (2) is obtained. (2)${\displaystyle k_{\text{ś}}^{\prime }=\left(p_{\text{ś}}+{\overleftrightarrow{x_{\text{ś}}}}^T\right)\left(s_{\text{m´}}+r_{\text{m´}}+y\right)-\left(p_{\text{ś}}^T{s}_{\text{m´}}\right)+h_{\text{m´}}=\left(s_{\text{ś}}^{T}A+e_{\text{ś}}^T+x_{\text{ś}}^T+z^{T}A+g_{\text{m´}}^T\right)\left(s_{\text{m´}}+r_{\text{m´}}+y\right)-\left(s_{\text{ś}}^{T}A+e_{\text{ś}}^T\right)s_{\text{m´}}+h_{\text{m´}}=s_{\text{ś}}^{T}A{s}_{\text{m´}}+s_{\text{ś}}^{T}A{r}_{\text{m´}}+s_{\text{ś}}^{T}Ay+e_{\text{ś}}^T{s}_{\text{m´}}+e_{\text{ś}}^T{r}_{\text{m´}}+e_{\text{ś}}^{T}y+r_{\text{ś}}^{T}A{s}_{\text{m´}}+r_{\text{ś}}^{T}A{r}_{\text{m´}}+r_{\text{ś}}^{T}Ay+f_{\text{ś}}^T{s}_{\text{m´}}+f_{\text{ś}}^T{r}_{\text{m´}}+f_{\text{ś}}^{T}y+z^{T}A{s}_{\text{m´}}+z^{T}A{r}_{\text{m´}}+z^{T}Ay+g_{\text{m´}}^T{s}_{\text{m´}}+g_{\text{m´}}^T{r}_{\text{m´}}+g_{\text{m´}}^{T}y-s_{\text{ś}}^{T}A{s}_{\text{m´}}-e_{\text{ś}}^T{s}_{\text{m´}}+h_{\text{m´}}{k}_{\text{ś}}=\left(s_{\text{ś}}^T+r_{\text{ś}}^T+z^T\right)\left(p_{\text{m´}}+\overleftrightarrow{x_{\text{m´}}}\right)-\left(s_{\text{ś}}^T{p}_{\text{m´}}\right)+h_{\text{ś}}^T=\left(s_{\text{ś}}^T+r_{\text{ś}}^T+z^T\right)\left(A{s}_{\text{m´}}+e_{\text{m´}}+x_{\text{m´}}+Ay+g_{\text{ś}}\right)-s_{\text{ś}}^T\left(A{s}_{\text{m´}}+e_{\text{m´}}\right)+h_{\text{ś}}^T=s_{\text{ś}}^{T}A{s}_{\text{m´}}+r_{\text{ś}}^{T}A{s}_{\text{m´}}+z^{T}A{s}_{\text{m´}}+s_{\text{ś}}^T{e}_{\text{m´}}+r_{\text{ś}}^T{e}_{\text{m´}}+z^T{e}_{\text{m´}}+s_{\text{ś}}^{T}A{r}_{\text{m´}}+r_{\text{ś}}^{T}A{r}_{\text{m´}}+z^{T}A{r}_{\text{m´}}+s_{\text{ś}}^T{f}_{\text{m´}}+r_{\text{ś}}^T{f}_{\text{m´}}+z^T{f}_{\text{m´}}+s_{\text{ś}}^{T}Ay+r_{\text{ś}}^{T}Ay+z^{T}Ay+s_{\text{ś}}^T{g}_{\text{ś}}+r_{\text{ś}}^T{g}_{\text{ś}}+z^T{g}_{\text{ś}}-s_{\text{ś}}^{T}A{s}_{\text{m´}}-s_{\text{ś}}^T{e}_{\text{m´}}+h_{\text{ś}}^T}$

In Eq. (2), for i ∈ {ś, m´}, since $\left\{s_i,r_i,e_i,f_i,h_i,y,z^T\right\}\in {\Re }_q^{m\times 1}$, $\left|\right|s_i,r_i,e_i,f_i,h_i,y,z^T\left|\right|<\beta =\sqrt{n}\sigma$ should be satisfied (Jing et al., 2019). The norm of the multiplication of any two of these components is ϑ = mnβ² (Note 2 in Akleylek & Seyhan, 2020). For instance, $\left|\right|e_{\text{m´}}^T{r}_{\text{ś}}\left|\right|,\left|\right|z^T{f}_{\text{ś}}\left|\right|\approx mn{\beta }^2=\vartheta$. So, reconsidering the relationship between $k_{\text{ś}}^{\prime }$ and k_ś, Eq. (3) is obtained. (3)${\displaystyle {k\prime }_{\text{ś}}-k_{\text{ś}}=e_{\text{ś}}^T{r}_{\text{m´}}+e_{\text{ś}}^{T}y+f_{\text{ś}}^T{s}_{\text{m´}}+f_{\text{ś}}^T{r}_{\text{m´}}+f_{\text{ś}}^{T}y+g_{\text{m´}}^T{s}_{\text{m´}}++g_{\text{m´}}^T{r}_{\text{m´}}+g_{\text{m´}}^{T}y+h_{\text{m´}}-\left(r_{\text{ś}}^T{e}_{\text{m´}}+z^T{e}_{\text{m´}}+s_{\text{ś}}^T{f}_{\text{m´}}+r_{\text{ś}}^T{f}_{\text{m´}}+z^T{f}_{\text{m´}}+s_{\text{ś}}^T{g}_{\text{ś}}+r_{\text{ś}}^T{g}_{\text{ś}}+z^T{g}_{\text{ś}}+h_{\text{ś}}^T\right)\Rightarrow |k_{\text{ś}}-k_{\text{ś}}|\le 2\left(8\vartheta +\beta \right)}$

Since q = O(2^λϑβ) and $s_{\text{ś}}^{T}A{s}_{\text{m´}}\approx q$, the probability of $k_{\text{ś}}^{\prime }=k_{\text{ś}}$ in the proposed PAKE is at most O(n2^−λ).

Additional properties of proposed PAKE

With the proposal of BiGISIS.PAKE, it is aimed to obtain a post-quantum secure PAKE scheme with additional features, basically reusable key and anonymity. These properties are defined in Definitions 3–4. In the constructed scheme, anonymity is captured with the usage of an additional identity component and the one-way property of the hash function. The reusable key is provided by adding BiP components that allow storing the secret key in case the public key is reused. Let’s show how these properties are satisfied with the proposed PAKE according to the login&password-based mutual authentication phase, given in Fig. 2.

• Anonymity: According to Definition 3, id_m´ value should not be obtained by the attacker (Ă) to ensure anonymity. In the proposed PAKE, with step 37, $i{d}_{\text{m´}}=ci{d}_{\text{m´}}\oplus H_0\left(x_{\text{m´}},{\psi }_{\text{m´}}^{\prime },x_{\text{ś}}^T,{\psi }_{\text{ś}}\right)$ is determined. Let’s show that Ă cannot obtain all the components included in this calculation through possible attempts. Suppose that Ă captures {pid_m´, x_m´}, $\left\{x_{\text{ś}}^T,{\alpha }_{\text{ś}}\right\}$, and {cid_m´, α_m´} with MitM attack. Ă obtains $x_{\text{ś}}^{T^{\ast }}=r_{\text{ś}}^{T^{\ast }}A+f_{\text{ś}}^{T^{\ast }}$ using the modified $r_{\text{ś}}^{T^{\ast }},f_{\text{ś}}^{T^{\ast }}{\leftarrow }_r\chi$. Also, by using $k_{\text{ś}}=\left(s_{\text{ś}}^T+r_{\text{ś}}^T+z^T\right)\left(p_{\text{m´}}+\overleftrightarrow{x_{\text{m´}}}\right)-\left(s_{\text{ś}}^T{p}_{\text{m´}}\right)+h_{\text{ś}}^T$, Ă can compute ${\psi }_{\text{ś}}^{\ast }$. Although Ă can get $s_{\text{ś}}^T$ with Corrupt-ś(ś_j) query, defined in Section ‘Security Analysis’, the BiP method component $r_{\text{ś}}^T$ is unknown. The only possible way to get $r_{\text{ś}}^T$ is to solve the BiGISIS problem. It is known that even in the presence of quantum computers, $r_{\text{ś}}^T$ cannot be obtained as a result of Lemma 1 and Conclusion 1. Overall, Ă cannot get id_m´ and anonymity is ensured.

• Reusable Key: In the proposed PAKE, the reusable key is provided with the help of BiP component, added in steps 17 and 24. According to Definition 5, the computed BiP component $\overleftrightarrow{x_{\text{m´}}}=x_{\text{m´}}+Ay+g_{\text{ś}}$ and $\overleftrightarrow{x_{\text{ś}}^T}=x_{\text{ś}}^T+z^{T}A+g_{\text{m´}}^T$ have same distribution properties with x_m´ and $x_{\text{ś}}^T$, respectively and hide the general properties of x_m´ and $x_{\text{ś}}^T$. So, even if an Ă gets $s{k}_{\text{ś m´}}=H_0\left(i{d}_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}}^{\prime },{\alpha }_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}},{\alpha }_{\text{ś}}\right)=s{k}_{\text{m´ś}}$, he/she cannot obtain any information about real/static secret keys when the session is run multiple times. So, the reusable key property is satisfied.

The detailed security analysis of the BiGISIS.PAKE is shown in ‘Security Analysis’.

Security proofs

In the game-based security analysis of the proposed PAKE, resistance analysis against; eavesdropping (G₁), hash functions simulation (G₂), MBA (G₃), SLA (G₄), and PFS (G₅) attacks are discussed. Let’s examine some security-related concepts.

• Integrity: In the proposed PAKE, authentication checks are done with the help of the controls defined in steps 27 and 40. If these steps (${\alpha }_{\text{m´}}^{\prime }\stackrel{?}{=}{\alpha }_{\text{m´}}$ where ${\alpha }_{\text{m´}}=H_0\left(i{d}_{\text{m´}},s_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}}^{\prime },{\alpha }_{\text{ś}}\right)$ and ${\alpha }_{\text{ś}}\stackrel{?}{=}{H}_0\left(x_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}}^{\prime }\right)$) are satisfied correctly, then ś and m´ will be valid. The components examined in authentication include all messages exchanged between the two parties and are generated with a secure hash function (H₀). Thus, the protocol satisfies the integrity and authentication of the message.

• Impersonation Attack: In the proposed idea, the authentication checks are done by looking ${\alpha }_{\text{ś}}\stackrel{?}{=}{H}_0\left(x_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}}^{\prime }\right)$ and ${\alpha }_{\text{m´}}^{\prime }=H_0\left(i{d}_{\text{m´}},s_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}}^{\prime },x_{\text{ś}}^T,{\psi }_{\text{ś}},{\alpha }_{\text{ś}}\right)$. When Ă tries to impersonate the parties, he/she needs to have $\left\{i{d}_{\text{m´}},s_{\text{m´}},{\psi }_{\text{ś}},{\psi }_{\text{m´}}^{\prime }\right\}$. Ă can not obtain id_m´ with the anonymity property and get $\left\{s_{\text{m´}},{\psi }_{\text{ś}},{\psi }_{\text{m´}}^{\prime }\right\}$ get since the hardness of BiGISIS. So, the impersonation attempts of Ă do not work against the proposed PAKE.

• MitM Attack: With MitM, Ă can obtain $\left\{pi{d}_{\text{m´}},x_{\text{m´}}^{\ast }\right\}$, $\left\{x_{\text{ś}}^T,{\alpha }_{\text{ś}}\right\}$, and {cid_m´, α_m´}. By using these components, Ă cannot impersonate parties due to the hash functions (H_{i=0,1,2}), authentication checks, and no polynomial-time algorithm to solve BiGISIS problem.

• Offline PDA: Let Ă captures the mobile device at the registration stage and obtains $d_{\text{m´}}=d_{\text{m´}}^{\ast }\oplus H_0\left(i{d}_{\text{m´}},t\right)\oplus H_0\left(i{d}_{\text{m´}},p{w}_{\text{m´}}\right)$ and v_m´ = H₀(id_m´, pw_m´, d_m´) given in Fig. 1. In this case, even if Ă guesses pw_m´ correctly, Ă cannot complete the registration phase without id_m´. Overall, it is resistant to offline dictionary attacks.

• KKS: In the constructed PAKE, shared key is computed with $s{k}_{\text{ś m´}}=H_0\left(i{d}_{\text{m´}},ci{d}_{\text{m´}},x_{\text{m´}},{\psi }_{\text{m´}}^{\prime },{\alpha }_{\text{m´}},x_{\text{ś}}^T,{\psi }_{\text{ś}},{\alpha }_{\text{ś}}\right)$. Each component varies depending on the session and unique parties. In addition, the reusable key feature is provided. So, the attacker cannot obtain information about previous or subsequent sessions and KKS is provided.