Anonymous Three-Party Password-Authenticated Key Exchange Scheme for Telecare Medical Information Systems

Telecare Medical Information Systems (TMIS) provide an effective way to enhance the medical process between doctors, nurses and patients. For enhancing the security and privacy of TMIS, it is important yet challenging to extend TMIS so that a patient and a doctor can perform mutual authentication and session key establishment through a third-party medical server while the privacy of the patient is ensured. In this paper, we propose an anonymous three-party password-authenticated key exchange (3PAKE) protocol for TMIS. The protocol is based on the efficient elliptic curve cryptosystem. For security, we apply the pi calculus based formal verification tool ProVerif to show that our 3PAKE protocol for TMIS provides anonymity for patient and doctor while at the same time achieving mutual authentication and session key security. The proposed scheme is secure and efficient, and can be used in TMIS.


Introduction
In the traditional medical diagnosis process, a patient goes to a hospital or clinic, and then consults a doctor. With the advancement of computer and network technologies, many countries and regions are establishing telecare medical information systems (TMIS) to make the medical diagnosis process more efficient, reliable and effective. With TMIS, patients can save time and have access to doctors and specialists more easily. Furthermore, patient records can be exchanged between various hospitals and clinics. The system also provides enhanced efficiency and effectiveness, especially for basic diagnoses performed at patients' homes [1]. TMIS is also useful for cases involving chronic patients. For example, through TMIS, a hypertension patient or a diabetes mellitus patient can exchange his/her daily medical data collected at home and the medical advice from doctors or nurses directly, without having to visit a hospital or clinic. For emergency patients, such as those with angina pectoris, hyperpyretic convulsion and asthma attacks, TMIS can help exchange the medical records of the patient concerned, for example between the database of a family doctor and the ICU of a hospital.
In TMIS, patients, doctors and nurses register with a trusted medical server (TS) and use passwords to perform authentication or secure channel establishment with the TS. Once a patient needs to consult a doctor, the patient can contact the doctor and communicate with him/her through a secure communication channel. For achieving these objectives, anonymous three-party password-authenticated key exchange (3PAKE) protocols for TMIS should be addressed. A 3PAKE protocol achieves mutual authentication between a patient and a doctor with the aid of the TS, and at the same time ensures that an adversary does not learn the exact identities of the doctor and the patient. Furthermore, 3PAKE establishes a secure channel between the patient and the doctor by jointly generating a session key that is then used to protect that channel.
In 2007, Lu and Cao [2] proposed an efficient 3PAKE scheme. However, Guo et al. [3], Chung and Ku [4], Phan et al. [5] and Nam et al. [6] later showed that Lu and Cao's scheme is vulnerable to the undetectable on-line dictionary attack, the off-line password guessing attack, and the man-in-the-middle attack, respectively. In 2009, Huang [7] proposed another 3PAKE scheme, which Yoon and Yoo [8] later showed cannot defend against the undetectable password guessing attack and the off-line password guessing attack. In 2011, Lou and Huang [9] proposed a new 3PAKE scheme based on the Elliptic Curve Cryptosystem (ECC), which is efficient. However, Xie et al. [10] recently showed that Lou and Huang's scheme is vulnerable to the offline password guessing attack and the partition attack, and proposed an improved scheme that solves these problems. In 2012, Yang and Cao [11] and Chen et al. [12] proposed modular-exponentiation-based and ECC-based 3PAKE schemes, respectively. However, compared with other existing schemes, these schemes require heavier computation. In 2010, Wang and Zhao [13] proposed a three-party key agreement protocol based on chaotic maps. Later, Yoon and Jeon [14] showed that their scheme is vulnerable to the illegal message modification attack, and proposed an improved one. Unfortunately, both schemes require a reliable third party that shares a different long-term cryptographic key with each participant, so each participant has to protect a long-term secret key, which is inconvenient. Furthermore, these schemes are not as efficient as previous 3PAKE schemes. In 2013, Xie et al. [15] proposed the first chaotic-maps-based 3PAKE scheme that does not use timestamps.
In light of all the schemes mentioned above, we notice that none of them supports privacy protection, since anyone can obtain a user's identity from the authentication process. As we know, user privacy protection is very important in some applications, such as telecare medical information systems (TMIS). In 2012, Lai et al. [16] proposed a smart-card-based anonymous 3PAKE scheme using extended chaotic maps. However, Zhao et al. [17] showed that the scheme is vulnerable to the privileged insider attack and the offline password guessing attack, and proposed an improved one. In 2013, Lee et al. [18] proposed another anonymous 3PAKE scheme using Chebyshev chaotic maps, but their scheme suffers from a man-in-the-middle attack once an attacker obtains the identity of each participant, which in practice is easy to do.
Given the advantages of the elliptic curve cryptosystem (ECC), namely shorter secret keys and faster computation, it is desirable to build an ECC-based anonymous 3PAKE scheme for TMIS. To the best of our knowledge, however, no ECC-based anonymous 3PAKE scheme has been proposed. In this paper, we propose the first ECC-based anonymous 3PAKE scheme, and show that it is efficient.
The rest of the paper is organized as follows. In Section 2, we propose an anonymous 3PAKE scheme. The security analysis of the scheme is given in Section 3. After that, other security discussions and the performance comparison are presented in Section 4. The paper is concluded in Section 5.

The Proposed Scheme
In this section, we propose an anonymous 3PAKE scheme. The notations used in this paper are defined as follows.
$E$: an elliptic curve defined over a finite field, with large order $n$.
$P$: a generator on $E$ with large order $n$.
$h(\cdot)$: a secure one-way hash function that maps its input to an integer.
$A$: user A, who may be a patient.
$B$: user B, who may be a doctor or a nurse.
$TS$: the trusted medical server.
The proposed anonymous 3PAKE scheme is described as follows; Algorithm 1 illustrates it.
Step 1: User A randomly chooses $t_a$ and computes Then A sends $\{Q_A, Z_A\}$ to TS.
Step 2: Upon receiving $\{Q_A, Z_A\}$, the trusted server TS computes $F_A' = d\,Q_A$ and decrypts $Z_A$ to obtain $\{ID_A, ID_B, V_A\}$, terminates. Otherwise, user A is authenticated. Thus, TS knows that user A wants to establish a shared session key and communicate with user B. TS randomly chooses an integer $T_{TS}$, computes $Z_{TS} = T_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$, and sends $\{ID_{TS}, Z_{TS}\}$ to B.
Step 3: Upon receiving $\{ID_{TS}, Z_{TS}\}$, user B computes $T_{TS} = Z_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$, randomly chooses $t_b$, and computes
Algorithm 1: The proposed anonymous 3PAKE scheme. Session key: $sk = h(t_a t_b P, ID_B, ID_A)$.
and decrypts $Z_B$ to obtain $\{ID_B, V_B\}$. Then TS computes $V_B' = h(pw_B, ID_{TS}, ID_B, T_{TS})$ and verifies whether the decrypted $V_B$ is correct by checking $V_B' = V_B$. If not, TS terminates. Otherwise, user B is authenticated. TS computes and sends R_B = E_h(
Step 5: Upon receiving $R_A$ or $R_B$ from TS, A decrypts $R_A$ and gets $\{Q_B, ID_A, ID_B, F_A'\}$. Then A checks the validity of $F_A'$ and computes $sk = h(t_a Q_B, ID_B, ID_A) = h(t_a t_b P, ID_B, ID_A)$ as the session key. At the same time, B decrypts $R_B$ and gets
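As an added example (not the paper's own code), the parts of the scheme that are recoverable from the description above, in Python: the XOR masking of $T_{TS}$ under $h(pw_B, ID_{TS}, ID_B)$ from Steps 2 and 3, TS's check $V_B' = V_B$, and the session key $sk = h(t_a t_b P, ID_B, ID_A)$ that A and B derive in Step 5. The real secp256k1 curve stands in for $E$ and $P$, SHA-256 for $h(\cdot)$, and the function names and the hash input encoding are assumptions.

```python
import hashlib
import secrets
# E and P: the real secp256k1 parameters (y^2 = x^3 + 7 over GF(p)); the paper fixes no curve.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on E; None stands for the point at infinity O."""
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0: return None      # Q + (-Q) = O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p       # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt):  # scalar multiplication k*pt by double-and-add
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):
    """h(): SHA-256 of the '|'-joined inputs, read as an integer (assumed instantiation)."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def ts_conceal_nonce(pw_B, ID_TS, ID_B):
    """Step 2 at TS: choose T_TS and send Z_TS = T_TS XOR h(pw_B, ID_TS, ID_B)."""
    T_TS = secrets.randbelow(1 << 256)
    return T_TS, T_TS ^ h(pw_B, ID_TS, ID_B)

def b_unmask(pw_B, ID_TS, ID_B, Z_TS):
    """Step 3 at B: recover T_TS with the same mask and form the authenticator V_B."""
    T_TS = Z_TS ^ h(pw_B, ID_TS, ID_B)
    return T_TS, h(pw_B, ID_TS, ID_B, T_TS)

def ts_verify_b(pw_B, ID_TS, ID_B, T_TS, V_B):
    """TS check: V_B' = h(pw_B, ID_TS, ID_B, T_TS) must equal the decrypted V_B."""
    return h(pw_B, ID_TS, ID_B, T_TS) == V_B

def session_keys(ID_A, ID_B):
    """Q_A = t_a P, Q_B = t_b P; A and B both derive sk = h(t_a t_b P, ID_B, ID_A)."""
    t_a, t_b = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1
    Q_A, Q_B = ec_mul(t_a, P), ec_mul(t_b, P)
    return h(ec_mul(t_a, Q_B), ID_B, ID_A), h(ec_mul(t_b, Q_A), ID_B, ID_A)
```

A party that does not hold $pw_B$ cannot unmask $T_{TS}$, so its $V_B$ fails the TS check; the two session keys agree because $t_a(t_b P) = t_b(t_a P)$.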

Security Analysis
In this section, we use the applied pi calculus [19] based formal verification tool ProVerif [20] to show that the proposed scheme satisfies anonymity, authentication and security. ProVerif is an automatic cryptographic protocol verifier in the formal model and supports automatic and effective security analysis of many cryptographic primitives, such as symmetric and asymmetric encryption, digital signatures, hash functions, Diffie-Hellman key agreement, etc. [21].

Authentication and security
We model the protocol steps according to the message sequences shown in Section 2. In particular, public channel ch1 is used for the communication between user A and the trusted medical server TS, and public channel ch2 is used for the communication between user B and TS. The process UserB defines the behavior of user B during authentication: B computes TTS', QB, FB, VB and ZB, sends the message (QB, ZB) back to TS through the public channel ch2, and after that receives the message RB and computes SKB. The process UserB is modeled as follows:
query attacker(SKB).
Authentication of the protocol is modeled as a correspondence relation between two events, UserStarted and UserAuthed, which are inserted into the processes UserA and UserB, respectively:
event UserAuthed(bitstring).
event UserStarted(bitstring).
query id: bitstring; inj-event(UserAuthed(id)) ==> inj-event(UserStarted(id)).
We ran the above processes in the latest version, 1.85, of ProVerif, and the results show that (1) the session key in the proposed scheme is secure under the Dolev-Yao model; and (2) the authentication property is satisfied.

Anonymity
In ProVerif, strong anonymity is defined as follows [22]. Let $P = \nu\tilde{n}.(!R_1 \mid \cdots \mid !R_p)$ be a $p$-party protocol in its canonical form, where $R_i = \nu id.\,\nu\tilde{m}.\,init_i.\,!(\nu\tilde{s}.\,main_i)$ for any $i \in \{1,\ldots,p\}$. For all $i \in \{1,\ldots,p\}$, we build the protocol $P_{R_i}$ as: The identity $id_V$ of the agent playing role $R_V$ is a public name, not under any new restriction in $P$. $P$ is said to preserve strong anonymity of $R_i$ if $P \approx_l P_{R_i}$. Informally, this means that the adversary cannot distinguish a situation where the role $R_V$ with known identity $id_V$ was executed from one in which it was not executed at all [23]. Going back to our proposed protocol, strong anonymity requires that a system in which a user (A or B) with publicly known identity IDV executes the protocol be indistinguishable from a system in which that user is not present at all. We formally define user A and user B as follows:
For verification, we use randomized symmetric encryption to conceal the random integer $T_{TS}$ instead of the exclusive-or. The proposed protocol is formally defined as:
process !((UserA) | (UserB) | (TS))
Anonymity of users A and B is proved separately, as follows. To show A's anonymity, the proposed protocol is required to be observationally equivalent to the augmented protocol defined as:
process !((UserA) | (UserB) | (TS)) | let IDA = IDV in ((UserA) | (UserB) | (TS))
The observational equivalence can be translated into the following ProVerif bi-process:
process !((UserA) | (UserB) | (TS)) | new ID: bitstring; let IDA = choice[ID, IDV] in ((UserA) | (UserB) | (TS))
The right-hand side of the choice represents a system where a user with the public identity IDV can run the protocol. The proposed protocol was checked with the latest version, 1.85, of ProVerif, and the outcome shows that the scheme achieves anonymity for user A. The anonymity of user B can be checked and shown in the same way.

Security Discussions and Performance Comparison
In this section, we discuss some other aspects related to security, and then evaluate the performance of the scheme.
4.1.4 Forgery attack and impersonation. In our scheme, if an adversary attempts to impersonate A (or B, or TS) and sends messages to TS (or B, or A), these messages cannot pass the verification performed by TS (or B, or A), because the adversary does not know the password or the secret key d.
4.1.5 Man-in-the-middle attack. To launch a man-in-the-middle attack, the adversary has to generate and send forged messages to TS that pass the verification performed by TS before the adversary can obtain the session key shared with A and another session key shared with B. This is infeasible, as the adversary does not know d, pw_A or pw_B.

Performance Analysis
Let T, D, H and M be the time for performing a Chebyshev polynomial computation, a symmetric encryption/decryption, a one-way hash function, and a scalar multiplication on an elliptic curve, respectively. Li et al. [24] and Li et al. [25] showed that it takes 0.0005 second to complete one hash operation, 0.0087 second for one symmetric encryption/decryption, and 0.063075 second for one elliptic curve scalar multiplication, respectively. Kocarev and Lian [26] showed that it takes 0.07 second for a Chebyshev polynomial computation. As we know, these computation costs vary with the computational configuration and settings. In general, however, the elliptic curve scalar multiplication and the Chebyshev polynomial evaluation are slower than a symmetric-key encryption/decryption or a one-way hash function operation. The performance comparison between the scheme proposed in this paper and three other recently proposed ones [16][17][18] is given in Table 1.
From Table 1, we can see that all schemes are efficient, but Lai et al.'s scheme is vulnerable to the privileged insider attack and the offline password guessing attack, while Lee et al.'s scheme is vulnerable to the man-in-the-middle attack once the adversary learns the identities of at least two users, which in practice is feasible.

Conclusion
In this paper, we proposed the first anonymous three-party password-authenticated key exchange scheme based on elliptic curve cryptosystem. Anonymity, authentication and security of the proposed scheme are validated using the applied pi calculus based formal verification tool ProVerif. The proposed scheme is secure and efficient, and is suitable for applications in telecare medical information systems.