
SCIENCE CHINA Information Sciences, Volume 63, Issue 3: 130103 (2020) https://doi.org/10.1007/s11432-019-9922-x

A privacy preserving two-factor authentication protocol for the Bitcoin SPV nodes

  • Received: Apr 24, 2019
  • Accepted: Jun 17, 2019
  • Published: Feb 10, 2020

Abstract

In the Bitcoin network, the simplified payment verification (SPV) protocol enables a lightweight device such as a mobile phone to participate in the Bitcoin network without needing to download and store the whole Bitcoin blocks. A Bitcoin SPV node initiates and verifies transactions of the Bitcoin network through the Bitcoin wallet software, which is deployed on a resource-constrained device such as a mobile phone. Thus, the security of the wallet is critical for the SPV nodes, as it may affect the security of the user's cryptocurrencies. However, there are some concerns about security flaws within the SPV nodes which could lead to significant economic losses. Most of these vulnerabilities can be resolved by employing a secure user authentication protocol. Over the years, researchers have engaged in designing a secure authentication protocol. However, most proposals have security flaws or performance issues. Recently, Park et al. proposed a two-party authenticated key exchange protocol for the mobile environment. They claimed that their protocol is not only secure against various attacks but can also be deployed efficiently. However, after a thorough security analysis, we find that Park et al.'s protocol is vulnerable to the user forgery attack and the smart card stolen attack, and is unable to provide user anonymity. To enhance security, we propose an efficient and secure user authentication protocol for the SPV nodes in the mobile environment which can fulfill all the security requirements and has provable security. Additionally, we provide a performance analysis which shows that our proposed protocol is efficient for the SPV nodes in the Bitcoin network.


Acknowledgment

Chunpeng GE was supported by National Natural Science Foundation of China (Grant No. 61702236) and Changzhou Sci & Tech Program (Grant No. CJ20179027). Chunhua SU was supported by JSPS Kiban(B) (Grant No. 18H03240) and JSPS Kiban(C) (Grant No. 18K11298).


References

[1] Market B. Bitcoin market. 2019. https://coinmarketcap.com/zh/currencies/bitcoin/.

[2] Nakamoto S, et al. Bitcoin: A peer-to-peer electronic cash system. 2008.

[3] Wang D, Cheng H B, Wang P. Zipf's Law in Passwords. IEEE Trans Inform Forensic Secur, 2017, 12: 2776-2791

[4] Lamport L. Password authentication with insecure communication. Commun ACM, 1981, 24: 770-772

[5] Das M L, Saxena A, Gulati V P. A dynamic ID-based remote user authentication scheme. IEEE Trans Consumer Electron, 2004, 50: 629-631

[6] Yoon E J, Ryu E K, Yoo K Y. Further improvement of an efficient password based remote user authentication scheme using smart cards. IEEE Trans Consumer Electron, 2004, 50: 612-614

[7] Das M L. Two-factor user authentication in wireless sensor networks. IEEE Trans Wireless Commun, 2009, 8: 1086-1090

[8] Khan M K, Alghathbar K. Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'. Sensors, 2010, 10: 2450-2459

[9] Jiang Q, Ma J F, Lu X. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw Appl, 2015, 8: 1070-1081

[10] Wang D, Wang P. Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound. IEEE Trans Dependable Secure Comput, 2016, : 1-1

[11] Zhang G, Chen Y, Ji X, et al. Dolphinattack: Inaudible voice commands. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2017. 103-117.

[12] Park K, Park Y, Park Y. 2PAKEP: Provably Secure and Efficient Two-Party Authenticated Key Exchange Protocol for Mobile Environment. IEEE Access, 2018, 6: 30225-30241

[13] He D B, Chen J H, Hu J. An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Inf Fusion, 2012, 13: 223-230

[14] Wu Z Y, Lee Y C, Lai F P. A secure authentication scheme for telecare medicine information systems. J Med Syst, 2012, 36: 1529-1535

[15] He D B, Chen J H, Zhang R. A more secure authentication scheme for telecare medicine information systems. J Med Syst, 2012, 36: 1989-1995

[16] Wei J H, Hu X X, Liu W F. An improved authentication scheme for telecare medicine information systems. J Med Syst, 2012, 36: 3597-3604

[17] Wang D, He D B, Wang P. Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment. IEEE Trans Dependable Secure Comput, 2015, 12: 428-442

[18] Tsai J L, Lo N W, Wu T C. Novel Anonymous Authentication Scheme Using Smart Cards. IEEE Trans Ind Inf, 2013, 9: 2004-2013

[19] Li C T. A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card.

[20] Memon I, Hussain I, Akhtar R. Enhanced Privacy and Authentication: An Efficient and Secure Anonymous Communication for Location Based Service Using Asymmetric Cryptography Scheme. Wireless Pers Commun, 2015, 84: 1487-1508

[21] Reddy A G, Das A K, Yoon E J. A Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptography. IEEE Access, 2016, 4: 4394-4407

[22] Chaudhry S A, Naqvi H, Sher M. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Netw Appl, 2017, 10: 1-15

[23] Feng Q, He D B, Zeadally S. Ideal Lattice-Based Anonymous Authentication Protocol for Mobile Devices. IEEE Syst J, 2018, : 1-11

[24] Qi M P, Chen J H. An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst, 2017, 30: e3341

[25] Wang D, Zhang Z, Wang P, et al. Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016. 1242-1254.

[26] Chen X F, Li J, Huang X Y. New Publicly Verifiable Databases with Efficient Updates. IEEE Trans Dependable Secure Comput, 2015, 12: 546-556

[27] Zhu Y M, Fu A M, Yu S, et al. New algorithm for secure outsourcing of modular exponentiation with optimal checkability based on single untrusted server. In: Proceedings of 2018 IEEE International Conference on Communications (ICC). New York: IEEE, 2018. 1-6.

[28] Chen X F, Li J, Huang X Y. Secure Outsourced Attribute-Based Signatures. IEEE Trans Parallel Distrib Syst, 2014, 25: 3285-3294

[29] Wu F, Xu L L, Kumari S. An improved and provably secure three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw Appl, 2018, 11: 1-20

[30] Lu Y R, Li L X, Peng H P. An anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography. Multimed Tools Appl, 2017, 76: 1801-1815

[31] He D B, Zeadally S, Xu B. An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks. IEEE Trans Inform Forensic Secur, 2015, 10: 2681-2691

  • Figure 1   (Color online) Network model.

  • Figure 2   Authentication and key agreement phase for Park et al.'s protocol.

  • Figure 3   User registration phase for our protocol.

  • Figure 4   User authentication and key agreement phase for our protocol.

  • Figure 5   Password change phase.

  • Figure 6   (Color online) Communication costs comparison.


  • Table 1   Symbols used in the protocol of Park et al. and our protocol

    Symbols                Description
    $\mathcal{A}$          An attacker
    $U_{i}$                The $i$-th user
    ${\rm ID}_{i}$         Identity of $U_{i}$
    ${\rm PW}_{i}$         Password of $U_{i}$
    $S$                    The server
    $d_{S}$                Private key of the server
    $Q_{S}$                Public key of the server
    $P$                    Elliptic curve point
    $h(\cdot),H(\cdot)$    Secure hash functions
    $\Pi$                  Our protocol
    kdf                    Secure one-way key derivation function
    $\oplus$               Exclusive-OR operation
    $||$                   Concatenation operation

  • Table 2   Security requirement comparison

    SR                                         Park et al. [12]   Lu et al. [30]   Ours
    Smart card stolen attack                   N                  N                Y
    Mutual authentication                      N                  Y                Y
    User forgery attack                        N                  Y                Y
    Server forgery attack                      Y                  Y                Y
    Replay attack                              Y                  Y                Y
    Insider attack                             Y                  Y                Y
    Forward security                           Y                  Y                Y
    User anonymity                             N                  Y                Y
    Password guessing attack                   N                  N                Y
    Correct login and password change phase    Y                  Y                Y

  • Table 3   Computational costs comparison

    Phase                                     Park et al. [12]           Lu et al. [30]              Ours
    System initialization phase               $T_{\rm PM}$               $T_{\rm PM}$                $T_{\rm PM}$
    User registration phase                   $6T_{H}$                   $5T_{H}$                    $2T_{H}$
    Authentication and key agreement phase    $6T_{\rm PM}+11T_{H}$      $11T_{\rm PM}+15T_{H}$      $6T_{\rm PM}+12T_{H}$
    Password change phase                     $4T_{H}$                   $3T_{H}$                    $3T_{H}$
    Total costs                               $7T_{\rm PM}+21T_{H}$      $12T_{\rm PM}+23T_{H}$      $7T_{\rm PM}+23T_{H}$

Copyright 2020 Science China Press Co., Ltd. All rights reserved.
