The 3D PAKE protocol is unconditionally secure, as the password cannot be obtained when both the servers compromise together. Entities used in the 3D PAKE protocol are client C, server SI and server S2. The protocol executes in three phases, namely, initialization, registration, authentication and key exchange. The notations used in the 3D PAKE protocol are:

3.1.2 Registration phase of 3D PAKE protocol

The client C selects a password P and compute $g_2^{\mathrm{P}}$ . Further, the client computes ${\mathrm{b}}_{4}as\mathrm{ }{\mathrm{b}}_4\mathrm{ }=\mathrm{ }{\mathrm{b}}_3\mathrm{ }⨁Hash\mathrm{ }\left(\mathrm{P}\right)$ and forwards the authentication information { $\mathrm{U}\mathrm{s}\mathrm{e}\mathrm{r}\mathrm{n}\mathrm{a}\mathrm{m}\mathrm{e},\mathrm{ }{\mathrm{g}}_2^{\mathrm{p}},\mathrm{ }{\mathrm{b}}_3,\mathrm{ }{\mathrm{b}}_4$ } to server SI. The server SI build a tetrahedron from $g_4^{g_2^P}$ by splitting the valué ${g_4^{g_2^p}}_{}$ into x₁,x₂,x₃,y₁,y₂,y₃,z₁,z₂,z₃ where g₄ is a value known to S1 to avoid impersonation attack. SI calculate the angle between the medians (ϑ) and circumcenter (ω). Further, it stores ϑ as $g_2^{\theta }$ along with b₃ and transmit username ${\mathrm{g}}_2^{\omega }$, b₄ to the server S2. S2 receives and store ${\mathrm{g}}_2^{\omega }$, along with b4. As a result, registration of client with server SI and S2 is successful. The operations involved in the registration phase are clearly illustrated in Figure 1.

Fig. 1
A detailed registration process of 3D PAKE protocol.

3.1.3 Authentication Phase of 3D PAKE Protocol

The user induces the verification by sending the username and $g_2^p$ to the server SI, where 'P' is clients' password. Server SI constructs the tetrahedron from $g_4^{g_2^p}$ and ascertains angle between the medians $g_2^{\theta }$ (θ) and circumcenter (ω). The calculated angle between the medians $g_2^{\theta }$ is verified with the stored $g_2^{\theta }$ Further, SI forwards the request message {Username, $g_2^{\omega }$} to the server S2.

Upon receiving the message, the server S2 verifies the received $g_2^{\omega }$against the stored $g_2^{\omega }$. If the verification is successful, S2 forwards the $g_2^{\omega }$valué to SI for verifying the authenticity of S2. On the other hand, the server SI computes a secret key and passes the parameter 'H' to the client. With the received key generation parameter, the client validates the server. Finally, the client and server SI generate a secret key as shown in Figure 2.

Fig. 2
A detailed authentication and key Exchange process of 3D PAKE protocol.

Statement: 3D PAKE protocol is correct if

K =K'.

Proof:

In server side, SI computes key K from A, S₂ and S_s, where $A=g_1^a, S_2=A^{b_2}= g_1^{{ab}_2}and S_s=A^{b_1}{S}_2=g_1^{{ab}_1}{g}_1^{{ab}_2}$

= ${\mathrm{g}}_1^{\mathrm{a}\mathrm{ }({\mathrm{b}}_1+{\mathrm{b}}_2)}$K= Hash (S_s, 1)

In client side key K' is computed from B andS_u, where $\mathrm{B}={\mathrm{g}}_1^{({\mathrm{b}}_1+{\mathrm{b}}_2)}$

Therefore, S'_u = (B)^a

$=\left(g_1^{\left(b_1+b_2\right)}\right){}^a$

$=g_1^{a\left(b_1+b_2\right)}$

Key K' = Hash (S_u, 1)

As K = K', the protocol is proven for its correctness.

The random oracle model (Bellare & Rogaway, 1993) is used by the research community to evalúate the security schemes that are constructed using hash functions. In the random oracle model, the behaviour of a hash function is imitated by a deterministic and a proficient function that yields consistently distributed arbitrary valúes. The 3D PAKE protocol is secure under random oracle model, as the hash valué generated is random and irreversible.

Theorem 1: Under the random oracle model, the proposed 3D PAKE protocol is defensive against passive attack with a collision-resistant hash function ' Hash'.

Proof:

Consider that an adversary γ monitors all the Communications between SI and C and between SI and S2. Let's contradictorily prove this, by taking into consideration that the messages exchanged between SI, S2 and client C are traced by γ. Even though γ is able to read the messages of SI and C; SI and S2, obtaining the password from $g_2^p$ is infeasible, as it is a discrete logarithm problem and there exists no efficient algorithm for quantum computers to obtain a solution for discrete logarithm problem. In a similar sense, if γ obtains ${\mathrm{g}}_2^{\mathrm{\theta }}/{\mathrm{g}}_2^{\mathrm{\omega }}$ (i-e-,) V₁ /V₂ from the messages M2/M3, it is impossible for the adversary to obtain θ /ω. In addition, obtaining a, b₁ , b₂ from A, B2, B, S₁ , S₂ is quite challenging. It is impossible to obtain the vertices of the triangle from the circumcenter ( ω) and the angle between the medians (θ). A random one-way hash function is used for transmitting messages between the peers. Hence, 'Hash', b₄ and S_u is said to be secure under the random oracle model. Thus, a passive attacker γ unable to obtain the password P and the secret keyK. Hence the proposed protocol is proven to be defensive against passive attack.

Theorem 2: The proposed 3D PAKE protocol is defensive against active attack, if there is no existence of polynomial-time algorithm to break the Discrete Logarithm Problem (DLP).

Proof:

Assumption (i): Assume that an active adversary y impersonate as client C by compromising server S1/S2.

• Assume that an active adversary γ modifies $g_2^p$ as $g_2^p$.Let's contradictorily prove this, by taking into consideration that an active adversary γ has compromised server S1/S2 to impersonate as client C, by replacing/modifying $g_2^p$ transferred in message MI with arbitrary number $g_2^p$ $g_2^p$. Since the challenger receives $g_2^p$ instead of $g_2^p$ , client verification fails at server side as per Equation (1). $Verify calculated g_2^{\theta }=stored g_{2 }^{\theta }in S1$

  $Verify calculated g_2^{\omega }=stored g_{2 }^{\omega }in S1$(1)
  where 'θ ' and 'ω ' are derived from $g_4^{g_2^P}$.

• Assume that adversary γ modifies the valué S_u transferred in message M5 as S_uv. Since, the challenger receives S_uv instead of S_u , establishment of key is liable to failure in server SI side as per Equation (2).

  $S_u=Hash\left(S_1^{S_2}\right)$(2)

• Further, imagine that the adversary γ is assuming $A\to \left(g_1^a\right)$) as $A^{\text{'}}\to g_1^{a\text{'}}$transferred in message M5 for the key generation in server S1. Since, the challenger receives A' instead of A, verification of server is liable to failure on client side as per Equation (3).

  $Hash \left(S_{u^{\text{'}}}^{\text{'}}0\right)⨁H=?Hash\left(P\right)$(3)

In server side $K=Hash\left(S_s\right)$

In client side, $K^{\text{'}}=Hash \left(S_u^{\text{'}}\right)=Hash \left({\mathrm{B}}^{\mathrm{a}}\right)=\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}\left({\mathrm{g}}_1^{{\mathrm{a}}^{\mathrm{\text{'}}{\mathrm{b}}_1{\mathrm{b}}_2}}\right)$

Therefore, K ≠K'.

Analysis:

Considering the case $A\to \left(g_1^a\right)as A^{\text{'}}\to \left(g_1^{a^{\text{'}}}\right)$ as$S_u as S_{uv}$, and $g_2^p$ $g_2^{P^{\text{'}}}$ the active adversary γ cannot succeed in generating the secret key K, such that K= K'.

Assumption (ii): Assume that an active adversary y impersonate as server SI by compromising server S2.

• Assume that an active adversary γ modifies $g_2^P$as $g_2^{P^{\text{'}}}$. Let's contradictorily prove this, by taking into consideration, that an active adversary γ has compromised the server S2 to impersonate as server SI by replacing/modifying the messages exchanged between the server and the client. Such an adversary may modify the valué $g_2^P$transferred in message MI with a random number. Authentication and key exchange process terminates as proved in Assumption (i): case (a) of Theorem 2. Challenger tries to construct the triangle from $g_4^{g_2^P}$ and examines whether calculated ${\mathrm{g}}_2^{\mathrm{\theta }}=\mathrm{s}\mathrm{t}\mathrm{o}\mathrm{r}\mathrm{e}\mathrm{d}\mathrm{ }{\mathrm{g}}_2^{\mathrm{\theta }}$ . As an effect, triangle construction is not possible by γ as the valué g₄ is not known to the adversary.

• The adversary γ tries to modify the valúes transferred in messages M4: B, M5: A, S_u and M8: H. Challenger verifies whether $S_u=Hash \left(S_1^{s_2}\right)$ $S_s= A^{b_1}{S}_2$ and $H=Hash \left(S_{S^{\text{'}}}0\right)⨁b_3⨁b_4$. Retrieving the valué b₃ is impossible by γ as the valué is stored in server SI. Modifications in messages M4, M5 or in M8, leads to termination of the key generation process as per Assumption (i): case (a) and (b) of Theorem 2.

Analysis:

Thus, by modifying the valúes in messages M4: B, M5: A,S_u , M8: H and $g_2^p$ as $g_2^{P^{\text{'}}}$, the active adversary γ can't prevail in generating the secret key K.

Assumption (iii): Assume that an active adversary y impersonate as server S2 by compromising server SI.

• Assume that an active adversary γ has compromised the server SI to impersonate as server S2 by replacing/modifying the messages exchanged between the server and the client. Such an adversary may modify the valué $g_2^{\omega }$ transferred in message M2 with a random number. Challenger verifies received $g_2^{\omega }$ with stored $g_2^{\omega }$. As an effect, retrieving the stored $g_2^{\omega }$valué is impossible by γ, since, the valué is known only to server S2.

• The adversary γ may try to modify the values transferred in messages M6: A, S_u, S₁ or M7: b₄ , S₂ . Challenger computes $S_u= A^{b_2}$ $S_u=Hash \left(S_1^{S_2}\right)$. Retrieving valué b₄ is impossible by γ, since, the value is stored in server S2. Altering the valúes in messages M6/M7, terminates the key generation process as proved in Assumption (i): case (a) and (b) of Theorem 2.

  Analysis:

  Thus, by modifying the valúes of the messages M6: A, S_ui ,S₁ , M7: b₄ ,S₂ or $g_2^{\omega }$ with a random number by the active adversary γ cannot succeed in generating the secret key K.

Remark 1:

Active impersonation of one server as another is possible in Yang et al. (2006) model. 3D PAKE protocol routs the drawback of Yang et al. protocol and proved it is secure against impersonation attacks on server SI and S2 as shown by Theorems 1 and 2. When both the servers are compromised by the intruder, it is infeasible to determine the password 'P' from the stored valúes, based on the properties of the tetrahedron. It is demonstrated that the proposed 3D protocol is strong and intractable, when compared to existing two-server PAKE protocols in the circumstance of the servers' datábase are controlled by the adversaries.

Theorem 3: The proposed 3D PAKE protocol is defensive against offline dictionary attack by providing two levéis of security.

Proof:

Assumption (i): Assume that an active adversary y breaks the 3D PAKE protocol under offline dictonary attack.

• Assurance of primary level of security by β. Let´s contradictorily prove this, by taking into consideration, when the adversary . γ attains Access to the database of both the servers by dictonary attack, the adversary obtain $g_2^{\theta }$ $g_2^{\omega }$values.

• However, deriving θ and ω from $g_2^{\theta }$ and $g_2^{\omega }$respectively is NP hard. Hence, it cannot be resolved in polynomial time. Thus, primary level of security is guaranteed.

• Assurance of the second level of security by β. If the adversary γ manages to solve DLP, then θ and ω valúes are attained by the adversary. However, finding the vértices of the triangle θ and ω are derived from $g_4^{g_2^P}$ Henceforth, second level of security is assured.

The protocol has been tested with Sqlmap, Wireshark, Havij, Vega, Websecurify, Webcruiser, SSLSmart, WSAttacker and WSDigger to affirm the strength of the protocol. In addition, 3D PAKE complies with known key security, forward secrecy, key control, key confirmation, zero-knowledge proof, explicit key authentication, key freshness, impersonation resilience and reciprocity principies. Also, it is sturdy against low-encryption-exponent attack, known and chosen cipher text attack, known and chosen plaintext attack, sniffer attack, replay attack, man in the middle attack and rainbow table attack. Table 2 summarizes the security standards of the proposed protocol and it proves that the proposed protocol is rigid.

Table. 2
Functionality comparison of 3D PAKE protocol with Yang et al. and Yi et al. protocol.

The performance of the proposed 3D PAKE protocol is analyzed by comparison with the existing two-server PAKE protocols. Number of group elements in communication are measured in terms of 'L' and the number of hash valúes in communication is measured in terms of '1'. The communication complexity includes number of group elements in communication, the number of hash valúes in communication and the number of rounds taken by the protocol for successful completion.

Communication complexity of 3D PAKE is 9L + 41 and computational complexity is 32, which is very near to that of existing protocols as presented in Table 4. Slight increase in computation is due to the construction of the tetrahedron. It is noticed that the client side complexity is considerably reduced. Furthermore, as the proposed protocol is asymmetric, there is a notable difference in the server side because of the communication between the servers SI and S2. However, this computational complexity can be negotiated as the server S2 is hidden and protected from security vulnerabilities. Nevertheless, it routs the postulation made by other protocols and augments the security.

Tabla 4
Communication and computational complexity analysis of 3D PAKE protocol

For a clear understanding, valúes are graphically presented in Figure 3. From Figure 3, it can be inferred that 3D PAKE provides a fair communication complexity. For a broad computational cost analysis, the number of transmissions, hash computations, modular/scalar multiplications, XOR operations and modular exponentiations are examined. The proposed 3D PAKE protocol computation wise performs in a fair manner when compared to Yang et al. (2006), Yi et al. (2013), and Jin et al. (2007) protocols as shown in Table 5.

Fig. 3
Complexity analysis of 3D PAKE protocol

Table. 5
Comparativo cost analysis of 3D PAKE protocol.

Thus, the proposed 3D PAKE performs judiciously computation wise. To the best of our cognizance, a foolproof two-server 3D PAKE protocol is proposed based on tetrahedron properties and proved its resistance against attacks.

*Corresponding author. E-mail address:anitha.psgsoft@gmail.com(Anitha Kumari K.) Peer Review under the responsibility of Universidad Nacional Autónoma de México. http://