On Security Analysis of Recent Password Authentication and Key Agreement Schemes Based on Elliptic Curve Cryptography



Prabhdeep Kaur and Sheetal Kalra


Secure and efficient mutual authentication and key agreement schemes form the basis for any robust network communication system. Elliptic Curve Cryptography (ECC) has emerged as one of the most successful Public Key Cryptosystem that efficiently meets all the security challenges. Comparison of ECC with other Public Key Cryptosystems (RSA, Rabin, ElGamal) shows that it provides equal level of security for a far smaller bit size, thereby substantially reducing the processing overhead. This makes it suitable for constrained environments like wireless networks and mobile devices as well as for security sensitive applications like electronic banking, financial transactions and smart grids. With the successful implementation of ECC in security applications (e-passports, e-IDs, embedded systems), it is getting widely commercialized. ECC is simple and faster and is therefore emerging as an attractive alternative for providing security in lightweight device, which contributes to its popularity in the present scenario. In this paper, we have analyzed some of the recent password based authentication and key agreement schemes using ECC for various environments. Furthermore, we have carried out security, functionality and performance comparisons of these schemes and found that they are unable to satisfy their claimed security goals. 


Elliptic curve cryptography, Smart Card, Remote user authentication, ECDLP, User anonymity.


  • Lamport, L. (1981) “Password Authentication With Insecure Communication,” Commun. ACM, Vol. 24:11, pp. 770–772.
  • Islam, S.H., Biswas, G.P. (2013) “Design of Improved Password Authentication and Update Scheme Based on Elliptic Curve Cryptography,” Math. Comput. Model., Vol. 57:. 11–12, pp. 2703–2717.
  • Lin, C.L., Hwang T. (2003) “A Password Authentication Scheme with Secure Password Updating,”Computer and Security, Vol. 22:1, pp. 68-72. http://dx.doi.org/10.1016/S0167-4048(03)00114-7.
  • D. He, (2011) “Comments on A Password Authentication and Update Scheme Based on Elliptic Curve Cryptography,”   Cryptology EPrint Archive  Report 2011/411.
  • Wang, R.C., Juang, W.S., Lei, C.L. (2011) “Robust Authentication and Key Agreement Scheme Preserving yhe Privacy of Secret Key,” Computer Communications, Vol. 34:3, pp. 274–280. http://dx.doi.org/10.1016/j.comcom.2010.04.005.
  • X.M. Wang, W.F. Zhang, J.S. Zhang, M.K. Khan. (2007) “Cryptanalysis and Improvement on Two Efficient Remote User Authentication Scheme Using Smart Cards,” Computer Standards and Interfaces, Vol. 29:5, pp. 507–512, 2007. http://dx.doi.org/10.1016/j.csi.2006.11.005.
  • Debiao He, Shuhua Wu, Jianhua Chen (2012) “Note on ‘Design ff Improved Password Authentication and Update Scheme Based on Elliptic Curve Cryptography’”, Mathematical and Computer Modelling, Vol. 55: 3–4, pp. 1661-1664. http://dx.doi.org/10.1016/j.mcm.2011.10.079.
  • D. Wang, C. G. Ma, L. Shi, and Y. H. Wang (2012) “On ihe Security of An Improved Password Authentication Scheme Based on Ecc,” in  Information Computing and Applications, vol. 7473 of  Lecture Notes in Computer Science, pp. 181–188.
  • C.T. Li (2012) “A New Password Authentication and User Anonymity Scheme Based on Elliptic Curve Cryptography and Smart Card,” IET Information Security, Vol. 7, No. 1, pp. 3-10.
  • Lili Wang (2014) “Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography,” Journal of Applied Mathematics, Volume 2014 (2014), Article ID 247836, 11 pages. http://dx.doi.org/10.1155/2014/247836.
  • P. Qiao, H. Tu (2014) “A Security Enhanced Password Authentication and Update Scheme Based on Elliptic Curve Cryptography,” International Journal of Electronic Security and Digital Forensics, vol. 6 Issue 2, pp. 130-139. http://dx.doi.org/10.1504/IJESDF.2014.063109.
  • S. Ramesh, Dr.V.Murali Bhaskaran (2014) “An Improved Remote User Authentication Scheme with Elliptic Curve Cryptography and Smart Card without using Bilinear Pairings,” International Journal of Engineering and Technology (IJET) Vol. 5, No. 6 Dec 2013-Jan 2014.
  • I.-E. Liao, C.-C. Lee, and M.-S. Hwang (2006) “A Password Authentication Scheme Over InsecureNetworks,” Journal Of Computer And System Sciences, Vol. 72, No. 4, pp. 727–740. http://dx.doi.org/10.1016/j.jcss.2005.10.001.
  • Chun-Ta Li and Cheng-Chi Lee (2011) “A Robust Remote User Authentication Scheme Using Smart Card,” Information Technology and Control, Vol. 40, No. 3, pp. 236–245.
  • Toan-Thinh Truong, Tran, M.-T, Anh-Duc Duong (2012) “Improvement of More Efficient and Secure Id-Based Remote Mutual Authentication with Key Agreement Scheme for Mobile Devices on ECC,” 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA). pp. 698-703.
  • R. Song (2010) “Advanced Smart Card Based Password Authentication Protocol”, Computer Standards & Interfaces, Elsevier Vol. 32, No. 4, pp. 321-325. http://dx.doi.org/10.1016/j.csi.2010.03.008.
  • SK Hafizul Islam, G.P.Biswas (2011) “A More Efficient and Secure Id-Based Remote Mutual Authentication with Key Agreement Scheme for Mobile Devices on Elliptic Curve Cryptography”, Journal of Systems and Software, Vol. 84, No. 11, pp. 1892-1898.
  • T.-H. Chen, Y.-C. Chen, W.-K. Shih (2010) “An Advanced ECC Id-Based Remote Mutual Authentication Scheme for Mobile Devices,” 7th International Conference on Ubiquitous, Autonomic and Trusted Computing, pp. 116–120. http://dx.doi.org/10.1109/UIC-ATC.2010.18.
  • H. Debiao, C.Jianhua, and H.Jin (2012) “An Id Based Client Authentication with Key Agreement Protocol for Mobile Client Server Environment on ECC with Provable Security,” Information Fusion, Elsevier, Vol. 13:3, pp. 223-230. http://dx.doi.org/10.1016/j.inffus.2011.01.001.
  • H. Debiao, C. Yitao, C.Jianhua (2013) “An Id-Based Three-Party Authenticated Key Exchange Protocol Using Elliptic Curve Cryptography for Mobile-Commerce Environments,” Arabian Journal for Science and Engineering, Vol. 38:8, pp. 2055-2061.
  • J. Yang, C. Chang (2009) “An Id-Based Remote Mutual Authentication with Key Agreement Protocol for Mobile Devices on Elliptic Curve Cryptosystem,” Computers and Security, Vol. 28, pp. 138–143.
  • E. Yoon, K. Yoo (2009) “Robust Id-Based Remote Mutual Authentication with Key Agreement Protocol for Mobile Devices on ECC,” in: 2009 International Conference on ComputationalScience and Engineering, Vancouver, Canada, pp. 633–640.
  • Sheetal Kalra, Sandeep K.Sood (2010) “Advanced Password Based Authentication Scheme for Wireless Sensor Networks,” Journal of Information Security and Applications, Elsevier, In press. http://dx.doi.org/10.1016/j.jisa.2014.10.008.
  • Z.H. Shen (2008) “A New Modified Remote User Authentication Scheme Using Smartcards,” Applied Mathematics, Vol. 23:3, pp. 371–376.
  • H. L. Yeh, T. H. Chen and W.K. Shih (2013) “Robust Smart Card Secured Authentication Scheme on Sip Using Elliptic Curve Cryptography,” Computer Standards & Interfaces, Elsevier, In press. http://dx.doi.org/10.1016/j.csi.2013.08.010.
  • Y.L. Jia, A.M. Jhou, M.X. Gao (2008) “A New Mutual Authentication Scheme Based on Nonce and Smartcards,” Computer Communications, Vol. 31:10, pp. 2205–2209. http://dx.doi.org/10.1016/10.1016/j.comcom.2008.02.002.
  • T.Y. Chen, M.S. Hwang, C.C. Lee, J.K. Jan (2009) “Cryptanalysis of A Secure Dynamic Id Based Remote User Authentication Scheme for Multi-Server Environment,” Fourth International Conference on Innovative Computing, Information and Control (ICICIC), Kaohsiung, Taiwan, China, pp. 725–728.
  • Khan, M.K., Kim, S.K. and Alghathbar, K. (2011) “Cryptanalysis and Security Enhancement of a More Efficient & Secure Dynamic ID-Based Remote User Authentication Scheme,” Computer Communications, Vol. 34, pp. 305-309. http://dx.doi.org/10.1016/j.comcom.2010.02.011.
  • Z. Gao, Y. Tu (2008) “An Improvement of Dynamic Id-Based Remote User Authentication Scheme with Smart Cards,” Proceedings of the 7th World Congress on Intelligent Control and Automation, Vol. 8, June 25–27, Chongqing, China, pp. 4562–4567.
  • Yoon E., Yoo K (2011) “Robust Biometric-Based Three-Party Authenticated Key Establishment Protocols,” Int. J. Comput. Math., Vol. 88:5, pp. 1144–1157. http://dx.doi.org/10.1080/00207160.2010.496851.
  • D. He, D. Wang (2014) “Robust Biometric-Based Authentication Scheme for Multiserver Environment,” IEEE Systems Journal, Vol. PP:99, pp 1-8.
  • Miller, V.S. (1986) “Use of Elliptic Curves in Cryptography”, In: Advances in cryptology. Proceedings of CRYPTO’85, 417–26.
  • Koblitz N (1987) “Elliptic Curve Cryptosystem. Math. Comput, 48, pp.203–209. H. Debiao, J.Chen, and R. Zhang (2011) “An Efficient Identity Based Blind Signature Scheme Without Using Bilinear Parings,” Computers and Electrical Engineering, Elsevier Vol. 37:4, pp. 444-450. http://dx.doi.org/10.1016/j.compeleceng.2011.05.009.
  • S. Pohlig,   M. Hellman (1978) “An Improved Algorithm for Computing Logarithms Over GF(p) and its Cryptographic Significance,” IEEE  Transactions on Information Theory, Vol. 24, pp. 106–110. http://dx.doi.org/10.1109/TIT.1978.1055817.
  • J. M. Pollard (1978) “Monte Carlo Methods for Index Computation (mod p),” Mathematics of Computation, Vol. 32:143, pp. 918–924. http://dx.doi.org/10.2307/2006496.
  • P. C. van Oorschot, M. J. Wiener (1999) “Parallel Collision Search With Cryptanalytic Applications,” Journal of Cryptology, Vol. 12:1, pp. 1–28.
  • D. Boneh, R. Lipton (1996) “Algorithms for Black-Box Fields and their Applications to Cryptography,” Advances in Cryptology—CRYPTO ’96, LNCS, Springer-Verlag, Vol. 1109, pp. 283–297.
  • V. Shoup (1997) “Lower Bounds for Discrete Logarithms and Related Problems,” Advances in Cryptology–Eurocrypt ’97, LNCS, SpringerVerlag, Vol. 1233, pp. 256-266.
  • Juang, W.S. et al. (2008) “Robust and Efficient Password Authentication Key Agreement Using Smart Cards,” IEEE Transactions on Industrial Electronics, vol. 55:6, pp. 2551-2556. http://dx.doi.org/10.1109/TIE.2008.921677.
  • Hankerson, D., Menezes, A Vanstone., S. (2004) “Guide to Elliptic Curve Cryptography. Springer, New York.

RNI Registration No. CHAENG/2016/68678