Three-party authenticated key agreements for optimal communication

Authenticated key agreements enable users to determine session keys, and to securely communicate with others over an insecure channel via the session keys. This study investigates the lower bounds on communications for three-party authenticated key agreements and considers whether or not the sub-keys for generating a session key can be revealed in the channel. Since two clients do not share any common secret key, they require the help of the server to authenticate their identities and exchange confidential and authenticated information over insecure networks. However, if the session key security is based on asymmetric cryptosystems, then revealing the sub-keys cannot compromise the session key. The clients can directly exchange the sub-keys and reduce the transmissions. In addition, authenticated key agreements were developed by using the derived results of the lower bounds on communications. Compared with related approaches, the proposed protocols had fewer transmissions and realized the lower bounds on communications.


Introduction
Authenticated key agreements (AKA) enable users to exchange confidential and authenticated information over an insecure network, and to establish a common key that can be employed to encrypt all communications over an insecure channel. In an AKA protocol, each communicating entity that wants to determine session keys is assured of the identity of each of the others to provide mutual authentication. In terms of realizing mutual authentication, AKA protocols can be divided into two types: implicit mutual authentication and explicit mutual authentication. An AKA protocol with implicit mutual authentication realizes mutual authentication in later communications. However, it is not possible to be certain how protocol participants will use the session key. In contrast, an AKA protocol with explicit mutual authentication (AKA-MA) realizes mutual authentication while executing the protocol [1].
The AKA protocols mainly focus on providing higher security and improving transmission efficiency. Numerous factors influence transmission efficiency. Aside from the computational complexity of an authentication protocol, message efficiency and round efficiency are two important evaluation criteria. Message efficiency considers the number of messages required to complete the protocol. A message is a data item sent from one party to a single destination at a particular time. Round efficiency considers the number of rounds required to complete the protocol. A round comprises all of the independent messages that can be sent and received in parallel [2,3]. A three-party authenticated key agreement (3AKA) protocol enables two users to agree on a common session key for establishing a secure channel with the help of a trusted server. Recently, several approaches involving 3AKA-MA protocols have been presented. For instance, Gong et al. [2-4] provided lower bounds on communications for 3AKA-MA, which required five messages and four rounds. They also developed 3AKA-MA protocols to realize these lower bounds [2-4]. Kwon et al. [5-8] presented password-based 3AKA-MA protocols. In addition, some 3AKA-MA approaches have modified the structures of session keys to ensure perfect forward secrecy. For instance, the 3AKA-MA protocols in [3-13] based on the Diffie-Hellman problem [14] could provide perfect forward secrecy. Lee et al. [15] developed a 3AKA-MA protocol based on chaotic maps without a password table. Amin et al. [16] proposed an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. With reference to transmission, all of the 3AKA-MA protocols described above and other related secure approaches [14,17-26] involve at least five messages or four rounds.
For 3AKA-MA protocols, few studies on the lower bounds on communication have been presented up to now, except for the investigation of Gong in [2,3]. However, Gong only considered this issue for conventional 3AKA-MA protocols, without ever completely discussing 3AKA-MA protocols. In 3AKA-MA protocols, two clients do not share any common secret key. Thus, they require the help of the server to authenticate the participants' identities and exchange confidential and authenticated information over an insecure network. In conventional 3AKA-MA protocols, the sub-keys for generating a session key cannot be revealed in the channel. Clients must exchange their sub-keys with the help of the server to establish an authentication key (session key). Accordingly, a conventional 3AKA-MA protocol requires at least five messages and four rounds [2,3]. However, if the session key is based on asymmetric cryptosystems, such as the Diffie-Hellman key exchange or the Elliptic Curve Diffie-Hellman key exchange, then revealing the sub-keys for generating the session key cannot compromise the session key. The clients can directly exchange the sub-keys without using the server, and thus the number of messages and rounds can be reduced.
This study investigated rules derived from the behavior patterns of AKA-MA protocols, and then derived the lower bounds on communications for 3AKA-MA protocols based on these rules. In addition, we used the derived results to develop communication-efficient 3AKA-MA protocols, including conventional 3AKA-MA protocols whose sub-keys cannot be revealed in the channel and 3AKA-MA protocols in which revealing the sub-keys cannot compromise the session key. The proposed conventional 3AKA-MA protocols require five messages and four rounds of communication and realize the lower bounds on the number of messages and rounds for conventional 3AKA-MA protocols. On the other hand, in the proposed 3AKA-MA protocols, the session key security is based on the Diffie-Hellman problem [14]. Revealing the information g^x mod p and g^y mod p for generating the session key (g^{xy} mod p) cannot compromise the session key itself, because the session key cannot be determined without knowledge of x or y, where p is a large prime. Therefore, the clients can publicly exchange the information g^x mod p and g^y mod p for generating the session key without the help of the server. Using this technique, the proposed protocol reduced the number of messages and rounds and required only four messages and three rounds of communication. Hence, the proposed 3AKA-MA protocol also realized the proposed lower bounds on the number of messages and rounds for 3AKA-MA protocols. Furthermore, the proposed 3AKA-MA protocols were proven secure [27-31] and have AKE security and MA security.
Compared with related 3AKA-MA protocols, the proposed protocols were more efficient in communications, realized the lower bounds on the number of messages and rounds for 3AKA-MA protocols, and were suitable for practical environments.
This study is organized as follows. Section 2 describes the underlying primitives used in this investigation. Section 3 derives and proves the lower bounds on messages and rounds for 3AKA-MA protocols. Section 4 develops communication-efficient 3AKA-MA protocols based on the derived results from Section 3. All of the proposed protocols realize the lower bounds on the number of messages and rounds of communications. Section 5 provides security analyses and compares the performance of the proposed 3AKA-MA protocols with related protocols. Finally, Section 6 draws conclusions.

Preliminaries
This section describes the underlying primitives used in this paper. The underlying primitives include session key security, mutual authentication security, the authenticator, the chosen ciphertext secure symmetric-key encryption, the Diffie-Hellman assumptions, and the cryptographic hash functions.

AKE security (session key security)
In this security definition, the adversary is allowed to ask as many Test queries as it wants. If a Test query is asked to a client instance that has not accepted, then the invalid symbol ⊥ is returned. If a Test query is asked to an instance of an honest participant whose intended partner is dishonest, or to an instance of a dishonest participant, then the real session key is returned. Otherwise, the Test query decides whether to return the real session key or a random string via an unbiased coin c. The adversary aims to correctly guess the value of the hidden bit c used by the Test oracle. Let E denote the event that the adversary wins this game. The ake-advantage of an adversary A in violating the indistinguishability of the protocol P is denoted by Adv^{ake}_P(A). The protocol P is AKE-secure if Adv^{ake}_P(A) is negligible [27].

Mutual Authentication (MA) security
In executing protocol P, the adversary A violates mutual authentication if A can fake the authenticator μ_A or μ_B. The probability of this event is denoted by Adv^{ma}_P(A). The protocol P is MA-secure if Adv^{ma}_P(A) is negligible.

Authenticator
Additional information appended to a message to enable the receiver to verify that the message should be accepted as authentic. For AKA-MA protocols, an authenticator is used by the receiver to assure that the sender has the common session key [32].

Chosen ciphertext secure symmetric-key encryption
For a symmetric-key encryption scheme, the CCA-advantage of the adversary A is the probability that A breaks indistinguishability under chosen ciphertext attacks, denoted by Adv^{sk}(A). The symmetric-key encryption scheme SE is chosen ciphertext secure if Adv^{sk}(A) is negligible [30].

Lower bounds on number of messages and rounds for three-party AKA-MA protocols
This subsection provides the lower bounds on the number of messages and rounds for the 3AKA-MA protocols, based on the rules described in Section 3.1.

Theorem 1. Every 3AKA-MA protocol is implemented in at least five messages if the sub-keys cannot be revealed in the channel.
Proof: In a 3AKA-MA protocol, by Rule 1, the protocol originator A initiates a message, the other participants B and S issue messages at the moment of receiving one, and the protocol proceeds in sequential order. If the sub-keys cannot be revealed in the channel, then we have many possible protocols, as shown in Fig 1. For protocol (a), after the third message, A receives a message sent from B and transmitted by S. A can authenticate B via S by Rule 6, receive a sub-key K_2 from B, and derive the session key SK by Rules 3 and 7. Then, by Rule 4, A can construct and issue an authenticator auth_A in the fourth message. On the other hand, after the fourth message, B receives a message sent from B and transmitted by S. Similarly, B can authenticate A via S, receive a sub-key K_1 from A, and derive the session key SK. Then, by Rule 4, B can verify auth_A from A, and construct and issue an authenticator auth_B in the fifth message. Finally, A can verify auth_B from B. Hence, for A and B, five messages are required. In addition, for S, three messages are required by Rules 1 and 2. Therefore, the 3AKA-MA protocol can be implemented in five messages in (a).
For protocol (b), after the fourth message, B can receive a sub-key K_1 sent from A and transmitted by S. Then B can derive the session key SK and issue an authenticator auth_B in the fifth message by Rules 3, 4, and 7. However, by Rule 5, A must receive and verify auth_B from B. For A, at least one extra message is required. Thus protocol (b) cannot be implemented in five messages.
For protocol (c), by Rules 3 and 7, B cannot derive the session key SK until it receives a sub-key K_1 sent from A and transmitted by S. Thus, for B, an extra message is required to receive the sub-key K_1 from A. In addition, another extra one is required to issue an authenticator auth_B by Rules 4 and 5. Hence, at least two extra messages are required. Thus protocol (c) cannot be implemented in five messages.
For protocol (d), after the third message, B can authenticate A via S by Rule 6, receive a sub-key K_1 sent from A and transmitted by S, and derive the session key SK by Rules 3 and 7. Then, by Rule 4, B can compute and issue an authenticator auth_B in the fourth message. Similarly, after the fourth message, A can authenticate B via S by Rule 6, receive a sub-key K_2 sent from B and transmitted by S, and derive the session key SK by Rules 3 and 7. Then, by Rule 4, A can verify auth_B from B, and compute and issue an authenticator auth_A in the fifth message. Finally, B can verify auth_A from A. Hence, for A and B, five messages are required. In addition, for S, three messages are required by Rules 1 and 2. Therefore, the 3AKA-MA protocol can be implemented in five messages in (d).
For protocol (e), after the fourth message, A receives a message sent from B and transmitted by S. A can receive a sub-key K_2 from B and derive the session key SK by Rules 3 and 7. By Rule 4, A can issue an authenticator auth_A in the fifth message. However, B must receive and verify auth_A from A by Rule 5. For B, at least one extra message is required. Thus, protocol (e) cannot be implemented in five messages.
For protocol (f), by Rules 3 and 7, A must receive a message that includes a sub-key K_2 sent from B and transmitted by S. Then A can derive the session key SK. Thus, for A, an extra message is required to receive the sub-key K_2 from B, and another extra message is required to issue an authenticator auth_A by Rules 4 and 5. Hence, at least two extra messages are required. Thus protocol (f) cannot be implemented in five messages.
For protocol (g), from arguments similar to protocol (b), at least two extra messages are required. Thus, protocol (g) cannot be implemented in five messages.
For protocol (h), from arguments similar to protocol (f), at least two extra messages are required. Thus, protocol (h) cannot be implemented in five messages.
For protocol (i), by Rules 3 and 7, A cannot derive the session key SK until it receives a message that includes a sub-key K_2 sent from B and transmitted by S. Thus, for A, two extra messages are required to receive the sub-key K_2 from B, and another extra one is required to issue an authenticator auth_A by Rules 4 and 5. Hence, at least three extra messages are required. Thus, protocol (i) cannot be implemented in five messages.
For protocol (j), after the second message, B can authenticate A via S by Rule 6, receive a sub-key K_1 sent from A and transmitted by S, and derive the session key SK by Rules 3 and 7. Then, from arguments similar to protocol (d), five messages are required for A and B and four messages are required for S. Therefore, the 3AKA-MA protocol can be implemented in five messages in (j).
For protocol (k), from arguments similar to protocol (e), at least one extra message is required. Thus, protocol (k) cannot be implemented in five messages.
For protocol (l), from arguments similar to protocol (f), at least two extra messages are required. Thus, protocol (l) cannot be implemented in five messages.
For protocols (m) and (n), from arguments similar to protocol (i), at least three extra messages are required. Thus, protocols (m) and (n) cannot be implemented in five messages.
For protocol (o), by Rules 1 and 2, B can send out a message that includes the sub-key K_2 only after receiving one, and must send out a message. Therefore, at least two extra messages are required. In addition, A cannot derive the session key SK until it receives the sub-key K_2 sent from B and transmitted by S. Thus, for A, an extra message is required to receive the sub-key K_2 transmitted by S. In addition, another extra one is required to issue an authenticator auth_A by Rules 4 and 5. Hence, at least three extra messages are required. Thus, protocol (o) cannot be implemented in five messages.
Table 1 summarizes the analyses of protocols (a), (b), ..., (n) and (o). From these analyses, we can conclude that, with the exceptions of protocols (a), (d), and (j), these 3AKA-MA protocols cannot be implemented in five messages. Therefore, every 3AKA-MA protocol requires at least five messages for implementation if the sub-keys cannot be revealed in the channel.

Table 1. The messages of 3AKA-MA protocols required in communications if the sub-keys cannot be revealed in the channel.

Theorem 2. Every 3AKA-MA protocol is implemented in at least four rounds if the sub-keys cannot be revealed in the channel.
Proof: In a 3AKA-MA protocol, by Rule 1, the protocol originator A initiates a message including a sub-key K_1 for generating a session key to the trusted server S in the first round. Then, in the second round, S forwards the message including K_1 to B. At the same time, B sends a message including a sub-key K_2 to S. After receiving the message including K_1 from S, B can authenticate A by Rule 6 and derive the session key SK by Rules 3 and 7. In the third round, S forwards the message including the sub-key K_2 to A, and B can construct and issue an authenticator auth_B to A by Rule 4. After receiving the message including K_2 transmitted by S and auth_B from B, A can authenticate B via S by Rule 6, derive the session key SK by Rules 3 and 7, and verify auth_B from B. Then, in the fourth round, A can compute and issue an authenticator auth_A by Rule 4. Finally, B verifies auth_A from A. Hence, by Rule 5, every 3AKA-MA protocol is implemented in at least four rounds if the sub-keys cannot be revealed in the channel.

Theorem 3. Every 3AKA-MA protocol is implemented in at least four messages.
By using arguments similar to those in Theorem 1, we have many possible protocols, as shown in Fig 2, and Table 2, which summarizes the analyses of protocols (a), (b), ..., (i) and (j). We can also conclude that, with the exception of protocol (a), these 3AKA-MA protocols cannot be implemented in four messages. Therefore, every 3AKA-MA protocol requires at least four messages for implementation.

Theorem 4. Every 3AKA-MA protocol is implemented in at least three rounds.
Proof: In a 3AKA-MA protocol, by Rule 1, the protocol originator A initiates messages for authentication and including a sub-key K_1 in the first round. After receiving the message including K_1, B can randomly select a sub-key K_2 and compute the session key SK by Rule 3 and an authenticator auth_B by Rules 3 and 4. In the second round, S sends the message to B for authenticating A, so that B can authenticate A via S by Rule 6. In addition, B also sends out messages for authentication and including K_2 and auth_B. After receiving K_2 and auth_B from B, A can derive a session key SK by Rule 3. Then A can verify auth_B, compute an authenticator auth_A by Rule 4, and send a message including auth_A to B in the third round. Simultaneously, S sends out messages so that A can authenticate B via S by Rule 6 and B can verify auth_A. Hence, by Rule 5, every 3AKA-MA protocol is implemented in at least four rounds.
This section has provided the lower bounds on the number of messages and rounds for the 3AKA and 3AKA-MA protocols based on the rules described in Section 3.1. In the next section, we present 3AKA-MA protocols that realize the lower bounds on the number of messages and rounds for 3AKA-MA protocols, based on the results of the above theorems.

The communication-efficient 3AKA-MA protocols
This section uses the derived communication results of Section 3 to develop secure and communication-efficient 3AKA-MA protocols. First, we present 3AKA-MA protocols whose sub-keys cannot be revealed in the channel, and then propose 3AKA-MA protocols in which revealing the sub-keys cannot compromise the session key.
Assume that A and B are two communicating parties and that S is a trusted server. Clients A and B share long-lived keys K_AS and K_BS, respectively, with server S. The notation used throughout this section is as follows:
- p, g: a large prime p and a generator g of the group Z*_p, a group in which the Diffie-Hellman problem is considered hard.
- x, y: random exponents chosen by A and B.
- Encryption of M using a symmetric encryption scheme with a cryptographically strong shared key K.
- H(M): a one-way hash function H applied to M [32].

The communication-efficient nonce-based 3AKA-MA protocols for cases where the sub-keys cannot be revealed in the channel
In the proposed 3AKA-MA protocols, A and B randomly select sub-keys K_1 and K_2, respectively. Since the sub-keys cannot be revealed in the channel, A obtains the sub-key K_2 from B via S, and vice versa. Then, they can derive a common session key SK = f(K_1, K_2). Finally, they compute and send out their authenticators μ_A and μ_B. All of the proposed 3AKA-MA protocols were developed based on Theorem 1 and Theorem 2 in Section 3 and are executed using five messages and four rounds.

Proposed message-efficient nonce-based 3AKA1-MA protocol. The proposed message-efficient nonce-based 3AKA1-MA protocol was developed based on protocol (a) in Theorem 1 for a case where the sub-keys cannot be revealed in the channel. Fig 3 depicts the proposed 3AKA1-MA protocol, which will now be described in detail.

In an authenticated key agreement protocol, if the session key is based on asymmetric cryptosystems, such as the Diffie-Hellman key exchange, the Elliptic Curve (ECC) Diffie-Hellman key exchange [1,33,34], or the Chebyshev chaotic map-based Diffie-Hellman key exchange [15,35-37], then revealing the sub-keys used to generate the session key cannot compromise the session key. This subsection uses the Diffie-Hellman key exchange to propose communication-efficient 3AKA-MA protocols in which revealing the sub-keys cannot compromise the session key. In a Diffie-Hellman-based authentication protocol, revealing the sub-keys K_1 = g^x (mod p) and K_2 = g^y (mod p) used to generate the session key SK = H(A, B, K_1, K_2, K) cannot compromise the session key itself, because the session key cannot be determined without knowledge of x or y, where K = g^{xy} (mod p). Therefore, clients A and B can publicly exchange the sub-keys K_1 and K_2 for generating the session key without the help of the server. Upon receiving
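The contrast drawn above, as an added worked example that is not the paper's own code: with nonce sub-keys, SK = f(K_1, K_2) can be recomputed by anyone who observes K_1 and K_2, so they must be carried to the peer via S under the long-lived keys; with K_1 = g^x mod p, K_2 = g^y mod p and SK = H(A, B, K_1, K_2, K), K = g^{xy} mod p, the sub-keys can be sent in the clear. The toy group parameters, SHA-256 standing in for H and f, the length-prefixed encoding, and the HMAC-keyed construction of the authenticators μ_A and μ_B are assumptions, not taken from the page.

```python
"""Added example (not the paper's code): why sub-keys may be revealed in the
Diffie-Hellman-based 3AKA-MA variant but not in the nonce-based one.

Assumptions not taken from the page: toy group parameters, SHA-256 as the
hash H (and as f for the nonce variant), a length-prefixed byte encoding,
and HMAC-SHA256 keyed with SK as the authenticator construction."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; a real
# deployment would use a standardized group of adequate size).
P = 2**127 - 1
G = 5


def encode(*parts) -> bytes:
    """Unambiguous length-prefixed encoding of identities and integers."""
    out = b""
    for part in parts:
        if isinstance(part, str):
            raw = part.encode()
        else:
            raw = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def H(*parts) -> bytes:
    """The page's one-way hash H, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(encode(*parts)).digest()


# ---- Diffie-Hellman variant: K1 = g^x, K2 = g^y, SK = H(A, B, K1, K2, g^xy) ----
def dh_sub_key():
    """Return (secret exponent, public sub-key g^exponent mod p)."""
    exponent = secrets.randbelow(P - 2) + 1
    return exponent, pow(G, exponent, P)


def dh_session_key(a, b, k1, k2, own_exponent, peer_sub_key):
    k = pow(peer_sub_key, own_exponent, P)  # g^(xy) mod p: needs x or y
    return H(a, b, k1, k2, k)


# ---- Explicit mutual authentication: authenticators keyed with SK (assumption) ----
def authenticator(sk, sender, a, b, k1, k2):
    return hmac.new(sk, encode(sender, a, b, k1, k2), hashlib.sha256).digest()


def verify_authenticator(sk, tag, sender, a, b, k1, k2):
    return hmac.compare_digest(tag, authenticator(sk, sender, a, b, k1, k2))


def run_dh_exchange(a="A", b="B"):
    """A and B exchange K1, K2 in the clear; an eavesdropper sees only those."""
    x, k1 = dh_sub_key()
    y, k2 = dh_sub_key()
    sk_a = dh_session_key(a, b, k1, k2, x, k2)  # A uses x and K2
    sk_b = dh_session_key(a, b, k1, k2, y, k1)  # B uses y and K1
    mu_a = authenticator(sk_a, a, a, b, k1, k2)
    mu_b = authenticator(sk_b, b, a, b, k1, k2)
    mutual_auth_ok = (
        verify_authenticator(sk_b, mu_a, a, a, b, k1, k2)      # B checks mu_A
        and verify_authenticator(sk_a, mu_b, b, a, b, k1, k2)  # A checks mu_B
    )
    return {"sk": sk_a, "sk_b": sk_b, "mu_a": mu_a, "mu_b": mu_b,
            "transcript": (a, b, k1, k2), "mutual_auth_ok": mutual_auth_ok}


def eavesdropper_guess_dh(transcript):
    """Best a passive observer can do: hash the public values it saw.
    Without x or y it cannot form K = g^(xy), so this differs from SK
    (except with negligible hash-collision probability)."""
    a, b, k1, k2 = transcript
    return H(a, b, k1, k2)


# ---- Nonce-based variant: SK = f(K1, K2) with random nonces K1, K2 ----
def nonce_session_key(a, b, k1, k2):
    return H(a, b, k1, k2)  # f instantiated as a hash (assumption)


def run_nonce_exchange_in_clear(a="A", b="B"):
    """What happens if nonce sub-keys were sent in the clear instead of
    being carried to the peer encrypted under K_AS and K_BS via S."""
    k1, k2 = secrets.randbits(128), secrets.randbits(128)
    return {"sk": nonce_session_key(a, b, k1, k2), "transcript": (a, b, k1, k2)}


def eavesdropper_guess_nonce(transcript):
    """The observer recomputes SK exactly: the sub-keys leak the session key."""
    a, b, k1, k2 = transcript
    return nonce_session_key(a, b, k1, k2)


if __name__ == "__main__":
    dh = run_dh_exchange()
    print("DH: keys agree:", dh["sk"] == dh["sk_b"], "MA ok:", dh["mutual_auth_ok"])
    print("DH: eavesdropper recovers SK:",
          eavesdropper_guess_dh(dh["transcript"]) == dh["sk"])
    nc = run_nonce_exchange_in_clear()
    print("Nonce in clear: eavesdropper recovers SK:",
          eavesdropper_guess_nonce(nc["transcript"]) == nc["sk"])
```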

Security and performance analyses
This section analyzes the security of the proposed 3AKA-MA protocols and compares their performance with that of other related authentication protocols.

Security proofs of proposed 3AKA-MA protocols
Communication model. Protocol participants: Two protocol participants A and B try to authenticate each other and establish an authentication key SK via the help of a trusted third party S in protocol P. A participant may be involved in numerous instances, called oracles, of distinct concurrent executions of P. The instance i of participant U is expressed as P^i_U [35].
Long-lived keys: The long-term secret key K_AS is shared between A and S, and the long-term secret key K_BS is shared between B and S. The long-lived keys K_AS and K_BS are defined as the symmetric keys of A and B, respectively.
Oracle queries: The following descriptions define the oracle queries which model the capabilities of the adversary A.
- Send(P^i_U, M): In this query, the adversary A can control all communications in protocol P. When A sends oracle P^i_U a message M, P^i_U sends back the response message that is computed by executing P. A can send a user oracle P^i_U the query (P^i_U, "start") to initialize the execution of P [35].
- Reveal(P^i_U): This query models known key attacks. The adversary A who has compromised one authentication key cannot reveal other authentication keys. The Reveal query is only available to adversary A when oracle P^i_U has accepted [35].
- Test(P^i_U): This query measures the semantic security of the session key SK, which specifies the indistinguishability of the real session key from a random string. During the execution of protocol P, adversary A can ask a single Test query at some time. Upon receiving this query, P^i_U returns to A the real session key SK or a random string by flipping an unbiased coin c. This query is available only when P^i_U is Fresh [35].
Security proofs. The Difference Lemma [30] is used for our sequence of games and is described as follows:
Lemma 5 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that A ∧ ¬F ⇔ B ∧ ¬F. Then |Pr[A] − Pr[B]| ≤ Pr[F].
The following theorem shows that the proposed 3AKA1-MA protocol has AKE security and provides mutual authentication, by using the logical tool defined and presented by Burrows et al. [38] in 1990 and Buttyan et al. [39] in 1998.
Theorem 6. The proposed 3AKA1-MA protocol has AKE security and provides mutual authentication.
The proposed 3AKA1-MA, 3AKA2-MA, 3AKA3-MA and 3AKA4-MA protocols are similar to the proposed 3AKA1-MA protocol. These protocols reveal the same information in the channel. Their security proofs are almost the same, can be obtained by using similar arguments, and thus are not presented here.
In the following, we first prove the AKE security of the DH-3PAKA protocol, which is transformed from the DH-3PAKA-MA protocol by removing the authenticators μ_A and μ_B. Then, we use the AKE security of the DH-3AKA protocol to prove the AKE and MA security of the DH-3PAKA-MA protocol. The DH-3AKA protocol is described as follows. The following theorem shows that the proposed DH-3AKA protocol has AKE security if the long-term secret keys used are secure and the Decisional Diffie-Hellman assumption holds in G.
Theorem 7. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret key within time t_1. Let Adv^{ddh}_G be the advantage that a DDH attacker solves the DDH problem within time t_3. Then, the probability that an adversary breaks the AKE security of the DH-3AKA protocol: where t' ≤ t_1 + (q_1 + q_2)·τ_1 + 4·τ_3; q_0 denotes the number of Send queries; q_1 and q_2 denote the numbers of SymEnc queries involving A and S, and involving B and S, respectively; l is a security parameter [40]; t' = t_1 + (q_1 + q_2)τ_1; τ_1 is the time to compute a symmetric en/decryption; and τ_3 is the time to perform an exponentiation.
The following theorem shows that the proposed DH-3AKA-MA protocol has AKE security if the hash function used is secure and the DH-3AKA protocol has AKE security.
Theorem 8. Let Adv^{ake}_{dh-3aka} denote the advantage that an adversary breaks the long-term secret key within time t_4. Then, the probability that an adversary breaks the AKE security of the DH-3AKA-MA protocol: where t' ≤ t_3 + (q_0 + q_1 + q_2)·t_relay + 2·τ_2 + 4·τ_3; the other parameters are defined as in Theorem 7; q_3 denotes the number of Hash queries involving A and B; t_relay is the time to relay a query; τ_2 is the time to generate a random number; and τ_3 is the time to perform an exponentiation.
The following theorem shows that the proposed DH-3AKA-MA protocol has MA security if the hash function used is secure and the DH-3AKA protocol has AKE security.
Theorem 9. Let Adv^{ake}_{dh-3aka} denote the advantage that an adversary breaks the AKE security of the DH-3AKA protocol within time t_4. Let Adv^{ma}_{dh-3aka-ma} denote the advantage in violating the explicit mutual authentication of the DH-3AKA-MA protocol. Then, we have the following, where t' ≤ t_4 + (q_0 + q_1 + q_2)·t_relay + 2·τ_2, and the other parameters are defined as in Theorems 9 and 10.

Performance analyses and comparisons
Table 3 shows a performance comparison of the related 3AKA-MA protocols and the 3AKA-MA protocols proposed here, where T_E denotes the time to execute an exponentiation; T_AS denotes the time to execute an asymmetric en/decryption operation; T_C denotes the time required to execute a Chebyshev chaotic map operation; T_S denotes the time to execute a symmetric en/decryption operation; and T_H denotes the time to execute a hash operation. The first comparison item lists whether or not the sub-keys for generating a session key can be revealed in the channel. In Gong's protocol [2,3], Amin et al.'s protocol [16], Amin and Biswas's protocol [41] and the proposed protocols, the sub-keys cannot be revealed in the channel and clients must exchange their sub-keys via the help of the server. In the related DH-3AKA-MA protocols and the proposed DH-3AKA-MA protocols, session key security is based on the Diffie-Hellman problem, and thus clients can directly exchange their sub-keys.
The second comparison item is computational cost. Gong's 3AKA-MA protocol, Amin et al.'s 3AKA-MA protocol [16], Amin and Biswas's protocol [41] and the proposed 3AKA-MA protocols only require symmetric en/decryption and hash operations, but do not provide perfect forward secrecy. The related DH-3AKA-MA protocols [9,12,15,25,35-37] require more exponentiations or Chebyshev chaotic map operations. The proposed DH-3AKA-MA protocols also require eight en/decryption operations and four exponentiations. Although extra modular exponentiation or Chebyshev chaotic map costs are incurred, the related DH-3AKA-MA protocols and the proposed DH-3AKA-MA protocols provide perfect forward secrecy.
The number of transmissions was also compared. Gong's 3AKA-MA protocol and the proposed 3AKA-MA protocols require five messages and four rounds. These protocols thus realize the lower bounds on communications for 3AKA-MA protocols that do not reveal sub-keys in the channel. Although Amin and Biswas's 3AKA protocol [40] requires fewer messages than the other protocols, it does not provide explicit mutual authentication. In addition, the related DH-3AKA-MA protocols in [35] and [36] and the proposed DH-3AKA-MA protocol require four messages and three rounds. However, Lee et al.'s DH-3AKA-MA protocol [35] requires server public keys and is thus inefficient in computation. Lee et al.'s DH-3AKA-MA protocol [36] only requires four messages, but does not provide explicit mutual authentication. Altogether, the proposed protocols involve fewer transmissions than other 3AKA-MA protocols, and realize the lower bounds on communications for 3AKA-MA protocols.

Conclusions
This investigation has provided the lower bounds on communications for 3AKA-MA protocols. In addition, it also considered the lower bounds on communications for the 3AKA-MA protocols whose sub-keys cannot be revealed in the channel and for the 3AKA-MA protocols in which revealing the sub-keys cannot compromise the session key. By using the derived results for the lower bounds on communications, communication-efficient and provably secure 3AKA-MA protocols were developed. As seen in Table 3, the proposed 3AKA-MA protocols involve fewer transmissions than other related 3AKA-MA protocols, and also realize the newly defined lower bounds on communications for 3AKA-MA protocols and are suitable for practical environments. Therefore, a 3AKA-MA protocol developed by using the derived results in this paper involves fewer transmissions and is efficient in communication.

Proof of Theorem 3:
In a 3AKA-MA protocol, by Rule 1, the protocol originator A initiates a message, the other participants B and S issue messages only upon receiving one, and the protocol proceeds in sequential order. Then, using arguments similar to those of Theorem 2, we obtain the candidate protocols shown in Fig 2. For protocol (a), after the first message, B receives the sub-key $K_1$ from A and derives the session key $SK$ by Rule 3. Then, by Rule 4, B computes and issues an authenticator $auth_B$ in the second message. After the third message, A authenticates B via S by Rule 6, receives the sub-key $K_2$ from B, derives the session key $SK$ by Rule 3, and verifies $auth_B$. Then, by Rule 4, A computes and issues an authenticator $auth_A$ in the fourth message. Finally, B authenticates A via S by Rule 6 and verifies $auth_A$. Hence, four messages are required for A and B. In addition, three messages are required for S by Rules 1 and 2. Therefore, protocol (a) can be implemented in four messages.
For protocol (b), after the third message, A receives the sub-key $K_2$ from B and derives the session key $SK$ by Rule 3. By Rule 4, A computes and issues an authenticator $auth_A$ in the fourth message. However, by Rule 5, B must receive and verify $auth_A$, which requires at least one extra message. Therefore, protocol (b) cannot be implemented in four messages.
For protocol (c), by Rule 3, A cannot derive the session key $SK$ until it receives the sub-key $K_2$ from B. Thus A requires an extra message to receive $K_2$, and another extra message to issue an authenticator $auth_A$. Hence, at least two extra messages are required by Rules 4 and 5, and protocol (c) cannot be implemented in four messages.
For protocol (d), by Rule 3, A obtains the sub-key $K_2$ from B and derives the session key $SK$ after receiving the second message from B. Then, by Rule 4, A computes and issues an authenticator $auth_A$ in the third message. However, by Rule 5, B must receive and verify $auth_A$, which requires at least one extra message. Therefore, protocol (d) cannot be implemented in five messages.
For protocol (e), by Rule 6, A cannot authenticate B via S until it receives a message sent by B and transmitted by S. Thus A requires at least one extra message. Therefore, protocol (e) cannot be implemented in four messages.
For protocol (f), by Rules 1 and 2, S can issue messages only upon receiving one and must send out a message. Therefore, at least two extra messages are required, and protocol (f) cannot be implemented in four messages.
For protocol (g), by Rule 3, A cannot derive the session key $SK$ until it receives the sub-key $K_2$ from B, so A requires an extra message to receive $K_2$. In addition, by Rules 4 and 5, another extra message is required to issue an authenticator $auth_A$. Therefore, protocol (g) requires at least two extra messages and cannot be implemented in four messages.
For protocol (h), by Rule 6, A cannot authenticate B via S, since it never receives a message sent by B and transmitted by S. Therefore, protocol (h) requires at least two extra messages and needs at least six messages.
For protocol (i), by Rule 3, A receives the sub-key $K_2$ from B and derives the session key $SK$ after receiving the third message from B. Then, by Rule 4, A issues an authenticator $auth_A$ in the fourth message. However, by Rule 5, B must receive and verify $auth_A$, which requires at least one extra message. Therefore, protocol (i) cannot be implemented in four messages.
For protocol (j), by Rules 1 and 2, B can issue messages only upon receiving one and must send out a message including the sub-key $K_2$. Thus, for B, at least two extra messages are required. On the other hand, A can derive the session key $SK$ only after receiving $K_2$ from B, and by Rules 4 and 5 A requires an extra message to issue an authenticator $auth_A$. Hence, at least three extra messages are required, and protocol (j) cannot be implemented in four messages. Table II summarizes the analyses of protocols (a), (b), ..., (j). From these analyses, we conclude that, with the exception of protocol (a), these 3AKA-MA protocols cannot be implemented in four messages. Therefore, every 3AKA-MA protocol requires at least four messages.
Proof of Theorem 6:
Assume that P and Q range over principals, C denotes a communication channel, and X and Y are messages. The following defines the notation used in the logical analysis.

C(X): The message X is transmitted via channel C.
r(C): The set of readers of channel C.
w(C): The set of writers of channel C.
P ⊲ C(X): P sees C(X). The message X is transmitted via channel C and can be observed by P; P must be a reader of channel C to read message X.
P ⊲ X|C: P sees X via C. The message X is transmitted via channel C and can be received by P.
The assumptions and logic rules used [38,39,42] and the logical description of the proposed protocol are as follows.
Assumptions used in [38,39,42], where U and V range over S, A and B with $U \neq V$:
If P believes that another principal Q said X and P also believes that X is fresh, then P believes that Q has recently said X.
(F2) $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$: If P believes that a part X of a mixed message is fresh, then it believes that the whole message (X, Y) is fresh.
Rationality rule: If P believes that $F_1$ implies $F_2$ and P believes that $F_1$ is true, then P believes that $F_2$ is true.
According to the logic in [38,39,42], the proposed protocol is described as follows.
Step 1: $S \lhd (A, B, C_{S,A}(A, S, A, K_1))$, $B \lhd (A, B)$
Step 2: $S \lhd (A, B, C_{S,B}(B, S, B, K_2))$
Step 3: $A \lhd C_{S,A}(S, A, B, K_2)$, $B \lhd C_{S,B}(S, B, A, K_1)$
Step 4:
According to the assumptions and logical analyses, the proposed protocol must realize the goals of authentication and key agreement: is a symmetric key shared between participants A and B.
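The following toy simulation is an added example, not code from the paper; it walks Steps 1 to 3 of the logical description above with the Diffie-Hellman instantiation ($K_1 = g^x$, $K_2 = g^y$) used by the DH-3AKA proofs, and adds a fourth step in which A and B exchange hash-based authenticators, which is an assumption about the unrecovered Step 4. The channel $C_{S,U}$ is modelled by an encrypt-then-MAC construction over a key shared by S and U, also an assumption standing in for the paper's SymEnc; the group parameters, identities and key-derivation labels are constructed for the demo. The point shown is where each principal must check the identities carried inside the channel message before accepting a forwarded sub-key, and that a modified channel message is rejected rather than decrypted.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for the demo; 2**127 - 1 is prime). Use a standard
# 2048-bit MODP group in a real deployment.
P = 2**127 - 1
G = 5


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_enc(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; models the channel C_{S,U} whose reader/writer set holds key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_dec(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a tampered message never reaches the parser."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("channel integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def pack(u: bytes, v: bytes, w: bytes, k: int) -> bytes:
    """Frame an (identity, identity, identity, sub-key) tuple; identities are ASCII."""
    return b"|".join([u, v, w, format(k, "x").encode()])


def unpack(blob: bytes):
    u, v, w, k = blob.split(b"|")
    return u, v, w, int(k, 16)


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def session_key(a: bytes, b: bytes, k1: int, k2: int, shared: int) -> bytes:
    return h(b"sk", a, b, format(k1, "x").encode(), format(k2, "x").encode(),
             format(shared, "x").encode())


def authenticator(label: bytes, sk: bytes, a: bytes, b: bytes) -> bytes:
    return h(label, a, b, sk)


def run(k_sa: bytes, k_sb: bytes):
    """One protocol run; returns (SK at A, SK at B, mutual authentication succeeded)."""
    A, B, S = b"A", b"B", b"S"
    # Step 1: A -> S: (A, B, C_{S,A}(A, S, A, K1)); A -> B: (A, B)
    x = secrets.randbelow(P - 2) + 1
    K1 = pow(G, x, P)
    msg1_S = (A, B, sym_enc(k_sa, pack(A, S, A, K1)))
    msg1_B = (A, B)
    # Step 2: B -> S: (A, B, C_{S,B}(B, S, B, K2))
    y = secrets.randbelow(P - 2) + 1
    K2 = pow(G, y, P)
    msg2_S = (msg1_B[0], msg1_B[1], sym_enc(k_sb, pack(B, S, B, K2)))
    # Step 3: S opens both channel messages and checks that the identities inside
    # agree with the cleartext header before forwarding any sub-key.
    subkeys = {}
    for hdr, key, writer in ((msg1_S, k_sa, A), (msg2_S, k_sb, B)):
        who, to, again, k = unpack(sym_dec(key, hdr[2]))
        if not (who == again == writer and to == S and hdr[:2] == (A, B)):
            raise ValueError("server: identity fields do not match the header")
        subkeys[who] = k
    msg3_A = sym_enc(k_sa, pack(S, A, B, subkeys[B]))
    msg3_B = sym_enc(k_sb, pack(S, B, A, subkeys[A]))
    # Each client accepts the forwarded sub-key only if S names the intended partner.
    frm, me, partner, K2_at_A = unpack(sym_dec(k_sa, msg3_A))
    if (frm, me, partner) != (S, A, B):
        raise ValueError("A: unexpected partner in forwarded message")
    frm, me, partner, K1_at_B = unpack(sym_dec(k_sb, msg3_B))
    if (frm, me, partner) != (S, B, A):
        raise ValueError("B: unexpected partner in forwarded message")
    SK_A = session_key(A, B, K1, K2_at_A, pow(K2_at_A, x, P))
    SK_B = session_key(A, B, K1_at_B, K2, pow(K1_at_B, y, P))
    # Step 4 (assumed): explicit mutual authentication via hashed authenticators.
    mu_A = authenticator(b"auth-A", SK_A, A, B)
    mu_B = authenticator(b"auth-B", SK_B, A, B)
    ok_B = hmac.compare_digest(mu_A, authenticator(b"auth-A", SK_B, A, B))
    ok_A = hmac.compare_digest(mu_B, authenticator(b"auth-B", SK_A, A, B))
    return SK_A, SK_B, ok_A and ok_B


def tamper_detected(key: bytes) -> bool:
    """Flip one ciphertext bit and confirm the channel rejects the message."""
    blob = sym_enc(key, pack(b"A", b"S", b"A", 7))
    bad = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        sym_dec(key, bad)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sk_a, sk_b, ok = run(secrets.token_bytes(32), secrets.token_bytes(32))
    print("session keys agree:", sk_a == sk_b, "mutual auth:", ok)
    print("tampered channel message rejected:", tamper_detected(secrets.token_bytes(32)))
```

The identity checks at S and at the clients are what the channel notation $C_{S,A}(S, A, B, K_2)$ expresses: the reader of the channel learns not only the sub-key but also who S says it came from, so a sub-key cannot be silently re-attributed to a different partner.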
protocol and the terminal game $G^{ake}_4$ concludes that the adversary has a negligible advantage in breaking the AKE security of the DH-3AKA protocol.
Game $G^{ake}_0$: This game corresponds to the real attack. By definition, we have
$\mathrm{Adv}^{ake}_{dh\text{-}3aka}(A^{ake}) = |2\Pr[E_0] - 1|$. (1)
The following games $G^{ake}_1$ and $G^{ake}_2$ can be derived using arguments similar to those of Theorem 5.2.
Game $G^{ake}_1$: This game simulates all oracles as in the previous game, except that the long-term secret keys are replaced with two random numbers. Then, we have
Game $G^{ake}_2$: This game simulates all oracles as in the previous game, except that two table lists are used to simulate SymEnc queries. Then, we have
Game $G^{ake}_3$: This game simulates all oracles as in the previous game, except that the simulation of the Send queries referring to the flows containing $g^x$ in Step 1 and $g^y$ in Step 2 of the DH-3AKA protocol, and the simulation of the $\mathrm{Test}(U_i)$ oracle, are modified so that they no longer rely on knowledge of x, y and z to compute the answers to these queries. Assume that $(X = g^x, Y = g^y, Z = g^{xy})$ is a random DDH triple. Using arguments similar to those in [35], the set of random variables in $G^{ake}_2$ is replaced by another set of identically distributed random variables in $G^{ake}_3$. Thus $G^{ake}_2$ is equivalent to $G^{ake}_3$, and
Game $G^{ake}_4$: This game simulates all oracles as in the previous game, except that all rules are computed using a triple (X, Y, Z) sampled from the random distribution $(g^x, g^y, g^z)$ instead of a DDH triple. Using arguments similar to those in [35], we have
and the probability $\Pr[E_4]$ is exactly $1/2$. Combining Eqs (1), (2), (3), (4) and (5), we have
$\mathrm{Adv}^{ake}_{dh\text{-}3aka}(A^{ake}) \le \frac{q_1^2 + q_2^2}{2^{l-1}} + 4 \cdot \mathrm{Adv}^{sk}(A_1) + 2 \cdot \mathrm{Adv}^{ddh}_{G}(A^{ddh}).$
Then the proof is concluded.

Proof of Theorem 8:
The proof also consists of a sequence of games starting at the game $G^{ake}_0$. Each game $G^{ake}_i$ defines the probability of the event $E_i$ that the adversary wins this game, i.e. $c' = c$. The first game is the real attack against the DH-3AKA-MA protocol, and the terminal game $G^{ake}_3$ concludes that the adversary has a negligible advantage in breaking the AKE security of the DH-3AKA-MA protocol. Assume that the challenger $A_2$ attempts to break the AKE security of the DH-3AKA protocol, and the adversary $A^{ake}$ is constructed to break the AKE security of the DH-3AKA-MA protocol. The challenger $A_2$ returns the real session key $SK$ or a random string to $A^{ma}$ by flipping an unbiased coin $c \in \{0, 1\}$. The adversary $A^{ma}$ wins if it correctly guesses the bit c.
The following game models $A^{ake}$ trying to distinguish the real session key from the random string.
where $A^{ma}$ makes $q_3$ Hash queries involving A and B.
Game $G^{ake}_2$: This game simulates all oracles as in the previous game, except that the session key $SK$ is replaced with a random number. Then, we can use $A^{ma}$ to build an adversary $A_2$ against the AKE security of DH-3AKA. First, $A_2$ sets up the parameters, starts simulating the DH-3AKA-MA protocol, and answers the oracle queries made by $A^{ma}$ as follows.
-When $A^{ma}$ makes Send or SymEnc queries, $A_2$ answers as the DH-3AKA protocol specifies.
-When $A^{ma}$ makes Hash queries, $A_2$ answers with the corresponding authenticators by making the same queries to its own Hash oracle.
-When $A^{ma}$ makes Test queries, $A_2$ answers them using the bit c that it previously selected and the session keys that it has computed.
Accordingly, the probability that $A_2$ outputs 1 when its Test oracle returns the real authentication keys equals the probability that $A^{ake}$ correctly guesses the hidden bit c in game $G^{ake}_1$. Similarly, the probability that $A_2$ outputs 1 when its Test oracle returns random strings equals the probability that $A^{ma}$ correctly guesses the hidden bit c in game $G^{ake}_2$. Thus, by Lemma 1, we have
$|\Pr[E_1] - \Pr[E_2]| \le \mathrm{Adv}^{ake}_{dh\text{-}3aka}(A_2)$. (8)
At this point, no information on the hidden bit c is leaked to the adversary. It is straightforward that
Combining Eqs (6), (7), (8) and (9), we have
$\mathrm{Adv}^{ake}_{dh\text{-}3aka\text{-}ma}(A^{ma}) \le 2\,\mathrm{Adv}^{ake}_{dh\text{-}3aka}(A_2) + \frac{q_3^2}{2^{l-1}}.$
Then the proof is concluded.

Proof of Theorem 9:
The proof also consists of a sequence of games starting at the game $G^{ma}_0$. The first game is the real attack against the DH-3AKA-MA protocol, and the terminal game $G^{ma}_3$ concludes that the adversary has a negligible advantage in breaking the MA security of the DH-3AKA protocol. The challenger $A_3$ attempts to break the MA security of the DH-3AKA protocol, and the adversary $A^{ma}$ is constructed to break the MA security of the DH-3AKA-MA protocol. The adversary $A^{ma}$ wins this game if it successfully forges the authenticator $\mu_A$ or $\mu_B$.
where $A^{ma}$ makes $q_3$ Hash queries involving A and B.
Game $G^{ma}_2$: This game simulates all oracles as in the previous game, except that the session key $SK$ is replaced with a random number. Then, we can use $A^{ma}$ to build an adversary $A_3$ against the AKE security of 3AKA1. Using arguments similar to those for $G^{ake}_2$ in Theorem 8, we have
$|\Pr[E_1] - \Pr[E_2]| \le \mathrm{Adv}^{ake}_{dh\text{-}3aka}(A_3)$. (12)
No information on the authenticator is leaked to the adversary, and thus
Combining Eqs (10), (11), (12) and (13), we have
$\mathrm{Adv}^{ake}_{dh\text{-}3aka}(A^{ma}) \le 2\,\mathrm{Adv}^{ake}_{dh\text{-}3aka}(A_3) + \frac{q_3^2 + 1}{2^{l-1}}.$
Then the proof is concluded.