A Password-Based Authentication System Based on the CAPTCHA AI Problem

Powerful cryptographic systems based on mathematically hard problems are utilized to ensure tighter security for data communication purposes. However, these traditional cryptographic systems are bound to fail in the ensuing era of quantum computing. Thus, Artificial Intelligence (AI) inspired security methods are needed to secure communications in the era of quantum computing. This article presents a challenge-response password-based authentication system based on the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) AI hard problem. In this system, a server sends a challenge text to a client, then the client generates a random image and blends the challenge text inside this random image using his password. Then the client sends the generated image to the server. The server extracts the challenge text from the sent image using his copy of the client’s password. If the extracted challenge text is the same as the sent challenge text, then both the client’s and the server’s copies of the password match and the client is authenticated. The efficiency of the proposed system is analyzed and the outcomes prove that the proposed system is efficient in terms of time and space. Also, a security investigation of the proposed system is employed, and the results prove that the system is probabilistic and very sensitive to changes in its parameters. It does not leak any statistical information about the client’s password and the generated images cannot be distinguished from random images. In addition, the security of the proposed system is analyzed against two possible attacks; the brute force attack and the replay attack and the results prove that the proposed system is immune to these attacks. Finally, the proposed system is ensured to be indistinguishably secure against an adaptive chosen-challenge text attack (IND-ACCTA), based on the CAPTCHA AI hard problem when the hash function $H$ is modeled as a random oracle.


I. INTRODUCTION
The world is witnessing a new computing revolution in the form of quantum computing. Although this revolution will change the way people live, it comes with enormous information security challenges.
The security of current cryptographic systems is based on mathematically hard problems such as the integer factorization problem and the discrete log problem [1], [2]. These problems are very hard and impractical to solve with current traditional computing. But as the development of quantum computing grows each year, these problems will no longer be hard to solve. This is a major security concern as the current security systems will not be secure anymore.
The associate editor coordinating the review of this manuscript and approving it for publication was Yassine Maleh.
The best way to overcome these security challenges is to move from depending on mathematically hard problems to AI hard problems. An AI hard problem is a problem that needs a computer to be "humanly" smart. This will be a challenge even for quantum computing [3].
An application of AI hard problems in cryptography is CAPTCHA [3]. A CAPTCHA is a program that distinguishes a human from a bot by creating a challenge that is easy for humans but hard for bots. For instance, humans can recognize a twisted text, but bots cannot. Examples of CAPTCHA challenges are shown in Figure 1. CAPTCHA is used to prevent bots from accessing websites with personal and valuable information such as emails and bank accounts.
Von Ahn et al. [4] were the first to use AI hard problems in information security. They proved that "any program that passes the tests generated by a CAPTCHA can be used to solve any AI hard problem" [3]-[5].
Despite the increasing number of methods to authenticate clients, password-based authentication is considered the most popular method of all [6]. Password-based authentication is a way for a client to securely access services such as emails hosted by a service provider. To prevent unauthorized persons from accessing his services, the client must provide a username and password to the service provider. The client is granted access to his requested service if the username and password pair provided by the client matches the username and password pair in the service provider's database. The major advantage in password-based authentication is that passwords can be easily used and memorized [6].
One of the most used password-based authentication systems is the Challenge Response Authentication Mechanism (CRAM) [6]. In these systems, the client requests access to a service (e.g., email) from a service provider (e.g., Google). The service provider then challenges the client by sending him a challenge. If the client answers the challenge correctly, the service provider grants him access to the requested service. CAPTCHA is considered a challenge that is used by CRAM to differentiate humans from bots [6]. An example of CRAM is CRAM-MD5 [7].
A problem with these systems is that the same password is used repeatedly, and an adversary can intercept the sent password, even if the password is hashed, and resend it to the service provider. In this case, the service provider cannot determine if the client is legit or not. A solution to this problem is the Salted Challenge Response Authentication Mechanism (SCRAM). In SCRAM, a unique salt is generated and hashed with the password to make the hash unique every time a client requests a service from the service provider [6]. An example of CRAM is SCRAM-SHA-1 [8].
The main aim of this article is to propose a salted challenge-response password-based authentication system based on the CAPTCHA AI hard problem. The idea behind the proposed system is the same as CAPTCHA. That is, it is a hard problem for a bot to recognize a twisted text in an image. Instead of sending the challenge text in a way that is easy for humans but prohibitively difficult for bots as in CAPTCHA, the proposed system blends the challenge text and scatters it inside a random image using the client's password. This process makes the challenge text hard to spot for humans and bots. The server then receives the generated image from the client and uses his copy of the client's password to recover the challenge text. The challenge text can be recovered correctly if the client's and the server's copies of the password are the same.
The paper is structured as follows. Section II reviews the related work to the proposed system. Section III summarizes the mechanism of traditional challenge-response password-based authentication. Section IV explains in detail the proposed system. Section V investigates and evaluates the performance of the proposed system. Section VI extensively investigates the main security features of the proposed system. Section VII tests the proposed system against the brute force attack and the replay attack. A security proof for the proposed system is presented in section VIII. The paper is summarized and concluded in section IX. Finally, the future work is suggested in section X.

II. RELATED WORK
Ning et al. presented a hierarchical challenge-response authentication system with aggregated-proof for the Internet of Things (IoT) [9]. Two sub-protocols are made for unit and ubiquitous IoT for security protection. Their system provides confidentiality and data integrity using homomorphism-based Chebyshev chaotic maps and the directed path descriptor [9].
Alharbi et al. [10] presented a Fog Computing-based Security (FOCUS) system that is used to secure IoT. This system uses Virtual Private Networks (VPN) to connect to IoT devices, then it uses a challenge-response authentication mechanism to defend the VPN networks from distributed denial of service (DDoS) attacks. Their system is applied in the end user side to increase its speed and efficiency. The system has a low latency response without sacrificing its security.
Sluganovic et al. [11] presented a challenge-response authentication system based on the tracking of eye movements. The system takes advantage of the fact that eye movements are fast and contain unique biometric information for each person. The system records images of a person's eye movements and compares them to the ones associated with that person stored in the receiver's database. This system is immune against replay attacks. The system is tested practically with 30 persons. The system has achieved a low latency of 5 seconds and a low error rate of around 6%.
Prabhu and Shah [12] presented an authentication system combining graphics with a textual password. The client enters a complex password, then it randomly generates a grid of symbols and characters and a password is selected from the grid. Although this system improves security by combining graphics with a textual password, the system can easily be compromised by taking a screenshot [12].
VOLUME 8, 2020

III. TRADITIONAL CHALLENGE-RESPONSE PASSWORD-BASED AUTHENTICATION
This section briefly explains the mechanism of traditional challenge-response password-based authentication. Assume that there is a client and an email server, and the client wants to access his email. The communication between the client and the server is illustrated in Figure 2. The symbols are defined in Table 1. The server generates a challenge (e.g., a CAPTCHA) and sends it to the client. The client then randomly generates a seed (salt) $S$ and the hash $H(P_c, S)$, where $P_c$ is the client's password. Using the seed along with the password to generate the hash ensures that the hash will be different each time a different seed is used even if the password is the same. This process is essential to resist dictionary attacks [13]. The client answers the challenge and sends the answer along with $S$ and $H(P_c, S)$ to the server.
After receiving $S$, $H(P_c, S)$ and the answer to the challenge from the client, the server checks the answer and calculates $H(P_s, S)$, where $P_s$ is the server's copy of the client's password. If the answer is correct and $H(P_s, S) = H(P_c, S)$, then $P_s = P_c$ and the client is authenticated.
The hardness of the traditional challenge-response password-based authentication systems is based on hash functions. Although it is very difficult to get the reverse of a hash function, it is not impossible, especially if quantum computing is taken into consideration.
Another problem is that hash functions are deterministic; the output of a hash function is the same if the input is the same [13]. This makes them vulnerable to brute force attack if the computing power requirements are met.

IV. THE PROPOSED PASSWORD-BASED AUTHENTICATION SYSTEM
The proposed system is explained in Figure 3. The server sends a challenge text $CText$ to the client as plaintext. The client then generates three random seeds $S$, $S_1$, $S_2$ and a random image. An example of a random image is shown in Figure 4. Next, the client calculates $T = CText \oplus H(P_c, S)$, where $P_c$ is the password of the client, and converts it into ASCII (American Standard Code for Information Interchange) characters by representing each 8 bits of $T$ in ASCII using the standard ASCII table. Then the client converts $T$ into an image by representing each character as a pixel as shown in Figure 5. The XORing of the challenge text with $H(P_c, S)$ conceals the challenge text and makes it random. For clarification, let $CText$ = HELLO, $S = 543$ and $P_c$ = 4443354h; using SHA-3 256-bit, the client calculates $T = CText \oplus H(P_c, S)$ = HELLO ⊕ H(4443354h, 543) = 8Hz45 * 2P7f = Q : c{= z; q + W !@&SDG&hR6'. The image $T$ is shown in Figure 5.
The client then calculates $H(P_c, S_1)$ and $H(P_c, S_2)$ and calculates $\bar{T} = T \oplus H(P_c, S_1)$ by XORing $H(P_c, S_1)$ with the pixels of the $T$ image. This step conceals the $T$ image and makes it indistinguishable from a random image. The process is shown in Figure 6. Next, the client inserts $\bar{T}$ into the random image shown in Figure 4 such that $\bar{T}$ is scattered in the whole image using $H(P_c, S_2)$. This can be achieved using many techniques. For instance, $H(P_c, S_2)$ can be used as a seed for a random number generator (RNG) and the RNG output determines the indices of the $\bar{T}$ bits placed in the least significant bit (LSB) of the image pixels. Another way is to use permutation maps such as the baker map [14] to scramble $\bar{T}$ in the image and use $H(P_c, S_2)$ as the key of the map. The client finally sends the generated image along with $S$, $S_1$ and $S_2$. The generated image sent to the server is shown in Figure 7.
After receiving the image, the server uses $H(P_s, S_2)$, where $P_s$ is the client's password stored in the server's database, to get the image of $\bar{T}_s$ by undoing the scrambling made by the client. After that, the server gets the image of $T_s$ by XORing $H(P_s, S_1)$ with the pixels of $\bar{T}_s$ (i.e., $T_s = \bar{T}_s \oplus H(P_s, S_1)$). Then the server extracts the text of $T_s$ from its image using Optical Character Recognition (OCR). The server then calculates $CText_s = T_s \oplus H(P_s, S)$. If $CText_s = CText$, then $P_c = P_s$ and the client is authenticated.
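The exchange described above, as an added example that is not code from the paper, using the RNG-seeded LSB placement. Assumptions: the way the password and seed are combined inside `H`, zero-padding of the challenge text to the 32-byte hash length, 16-byte seeds, and embedding the bytes of $\bar{T}$ directly instead of rendering $T$ as a character image and reading it back with OCR.

```python
import hashlib
import hmac
import os
import random

HASH_LEN = 32                 # SHA3-256 digest size in bytes
IMG_BYTES = 256 * 256 * 3     # 256x256 RGB carrier, one byte per colour sample


def H(password: str, seed: bytes) -> bytes:
    """H(P, S) with SHA3-256. How P and S are combined is an assumption:
    a length-prefixed password followed by the seed."""
    p = password.encode()
    return hashlib.sha3_256(len(p).to_bytes(4, "big") + p + seed).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(ctext: bytes) -> bytes:
    """Zero-pad the challenge text to one hash block (assumption)."""
    if len(ctext) > HASH_LEN:
        raise ValueError("challenge text longer than the hash output")
    return ctext.ljust(HASH_LEN, b"\0")


def positions(password: str, s2: bytes, n_bits: int) -> list:
    """Distinct carrier indices for the bits of T-bar, derived from H(P, S2).
    random.Random (Mersenne Twister) stands in for the page's 'RNG'; it is
    deterministic for a given seed but is not a cryptographic generator."""
    rng = random.Random(H(password, s2))
    return rng.sample(range(IMG_BYTES), n_bits)


def client_respond(ctext: bytes, password: str):
    """Client side: returns (image, S, S1, S2)."""
    s, s1, s2 = os.urandom(16), os.urandom(16), os.urandom(16)
    image = bytearray(os.urandom(IMG_BYTES))          # fresh random image
    t = xor(pad(ctext), H(password, s))               # T = CText xor H(Pc, S)
    t_bar = xor(t, H(password, s1))                   # T-bar = T xor H(Pc, S1)
    bits = [(byte >> (7 - i)) & 1 for byte in t_bar for i in range(8)]
    for pos, bit in zip(positions(password, s2, len(bits)), bits):
        image[pos] = (image[pos] & 0xFE) | bit        # overwrite the LSB
    return bytes(image), s, s1, s2


def server_verify(ctext, image, s, s1, s2, stored_password) -> bool:
    """Server side: undo the scatter and both XOR layers with Ps."""
    if len(image) != IMG_BYTES or len(ctext) > HASH_LEN:
        return False
    bits = [image[p] & 1 for p in positions(stored_password, s2, HASH_LEN * 8)]
    t_bar_s = bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
        for j in range(0, len(bits), 8)
    )
    t_s = xor(t_bar_s, H(stored_password, s1))        # Ts
    ctext_s = xor(t_s, H(stored_password, s))         # CText_s
    return hmac.compare_digest(ctext_s, pad(ctext))   # constant-time compare


def demo() -> dict:
    password, ctext = "4443354h", b"HELLO"            # values from the page
    image, s, s1, s2 = client_respond(ctext, password)
    return {
        "same_password": server_verify(ctext, image, s, s1, s2, password),
        "wrong_password": server_verify(ctext, image, s, s1, s2, "4443354g"),
        "other_challenge": server_verify(b"WORLD", image, s, s1, s2, password),
    }


if __name__ == "__main__":
    print(demo())
```

Because the carrier image and the three seeds are drawn fresh on every call, two responses to the same challenge under the same password are different byte strings.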
A comparison between the proposed system and the traditional systems is shown in Table 2.
Although it may appear that the proposed system is not efficient compared to traditional systems because it sends images larger than the numerical variables, this is actually not the case because most password-based authentication systems already send CAPTCHA images to make sure that a human, not a bot, is being authenticated. Sending a CAPTCHA image specifically to differentiate between humans and bots is not required in the proposed system. In addition, the size of a 256 × 256 RGB image is 193 KB. This is nothing compared to today's communication speeds or information storage capacity.
At first glance, it may appear that the proposed system is a steganographic system since the challenge text is placed inside an image. However, this is not true for the following reasons.
• The security of steganographic systems is based on inserting a secret payload inside an innocent-looking file (container) so that the payload is sent without being detected [15]. It requires the alterations caused by the payload to be negligible. However, the security of the proposed system does not depend on sending undetected secret information; the adversary in the proposed system knows that the generated image contains the challenge text.
• The payload embedding in steganographic systems does not require any secret information such as keys or passwords. On the other hand, the proposed system embeds the challenge text inside the random image based on the client's password.
• The payload is secret in steganographic systems, while the challenge text in the proposed system is public.
• The goal of steganographic systems is securely sending the payload without being detected, while the proposed system uses the challenge text to test the client's authenticity.

V. PERFORMANCE ANALYSIS
This section analyzes the performance of the proposed system by inspecting the computation time and the communication complexity of the proposed system and comparing these results with the traditional system presented in Section III. In this analysis, random colored red, green, and blue (RGB) images with a size of 256 × 256 pixels are used. The $T$ and $\bar{T}$ images are 20 × 90 pixels in size. The hash function used in this analysis is SHA-3 256-bit [16] and the baker map is used for the scrambling process [14]. The parameters used in these tests are shown in Table 3.
It is stressed here that the results of this analysis do not rely on the type of the hash function nor the type of scrambling algorithm. Any strong one-way hash function and any secure scrambling algorithm will give the same results. In addition, the values of $CText$, $P$, $S$, $S_1$ and $S_2$ can be chosen arbitrarily and the results will still be the same.

A. COMPUTATION TIME
This section measures the time required for the proposed system to 1) generate the image on the client side and 2) verify the password on the server side. These results are obtained using a PC running Windows 10 with a 10th-generation Intel® Core i7-1065G7 processor and 16 gigabytes of RAM. The results are shown in Table 4. From these results, it is concluded that the proposed system is time-efficient and the difference between the proposed system and the traditional system with respect to computation time is negligible.

B. COMMUNICATION COMPLEXITY
This section evaluates the communication complexity of the proposed system by examining the size of the data sent from the client to the server and vice versa and compares these results with the traditional system. The results are shown in Table 5. From these results, it is concluded that the data traffic between the server and the client in both systems is dominated by images (the generated image in the proposed system and the CAPTCHA image in the traditional system), and that the difference between the two systems in terms of communication complexity is negligible. In addition, the image size in these systems is negligible. For example, a colored red, green, and blue (RGB) image with a size of 256 × 256 pixels is 193 KB represented in Portable Network Graphics (PNG) format. This means that the proposed system is efficient with respect to the speed of today's communication networks and the storage spaces of today's storage media.
To conclude, the proposed system is efficient in terms of computation time and communication complexity.

VI. SECURITY FEATURES
This section examines and verifies the main security features of the proposed system by inspecting 1) the indistinguishability of the generated images from random images using visual inspection, histogram analysis and entropy, 2) the probabilistic property of the proposed system, and 3) the sensitivity tests (the diffusion property) for changes in $CText$, $P$, $S$, $S_1$ and $S_2$. The same parameters used in the performance analysis are utilized in these tests.

A. THE INDISTINGUISHABILITY TESTS

1) VISUAL INSPECTION
A comparison between a generated image sent from a client to a server and a random image is shown in Figure 8. Based on Figure 8, the image generated by the proposed system is indistinguishable from any random image.

2) THE HISTOGRAM ANALYSIS
A histogram is a measure of the distribution of pixels' values in an image [17]. It is shown as a graph with the values of the pixels versus the number of times these values repeated in the image. A good random image should have a uniform distribution. The more uniform the histogram, the better the randomness of the generated image. Since these images are colored RGB images, the histograms of the red, green, and blue sub-images of a generated image and a Based on Figures 9 and 10, the histograms are uniform implying that the generated image is random.

3) THE ENTROPY
The entropy measures how much information is in an image. It is a function of the probabilities of occurrence of the image pixels' values. The closer these probabilities are to each other, the higher the entropy and hence the better the randomness of the generated images [18]. The information entropy can be calculated as [18]: where $I$ is the entropy, $P(x_i)$ is the probability of the existence of pixel $x_i$ and $N$ is the pixel size in bits for each of the red, green and blue sub-images. The maximum value of $I$ is 8 [18]. $I$ is calculated for each of the red, green and blue sub-images for a generated image and a random image. The results are illustrated in Table 6. Based on Table 6, it is deduced that the entropy is similar for both images and it is close to the maximum value. Based on these results, it is concluded that the generated images are indistinguishable from random images and there is no statistical information leaked about the client's password.

B. PROBABILISTIC PROPERTY
This section tests the probabilistic property of the proposed system by measuring the correlation coefficients between two different images generated using the same $CText$, $P$, $S$, $S_1$ and $S_2$. Since each image is initially generated randomly, these images should be uncorrelated.
The correlation coefficient between two images $x$, $y$ is calculated as follows [19]: where $E$ is the average intensity of the image pixels. The lower the correlation coefficients between the generated images, the better the probabilistic property of the proposed system. This test is repeated by generating five images and measuring the correlation coefficient between the first image and each of the other four. The same $CText$, $P$, $S$, $S_1$ and $S_2$ are used in generating these images.
The results are illustrated in Table 7. The images are shown in Figure 11. Although these images are generated using the same parameters, they are highly uncorrelated. Consequently, the proposed system is probabilistic. This process makes the system immune to dictionary and brute force attacks.

C. THE SENSITIVITY
An essential property for the proposed system is the diffusion property. It measures the sensitivity of the proposed system to changes in its parameters ($CText$, $P$, $S$, $S_1$ and $S_2$). A small change in any parameter must result in tremendous changes in the generated image. This property is essential for the proposed system to withstand cryptanalysis attacks [20], [21]. The sensitivity of the proposed system is tested by changing 1 bit in each of the challenge text $CText$, the password $P$, and the seeds $S$, $S_1$ and $S_2$ one at a time while keeping the other parameters constant. The modifications between the original image and the modified images are calculated using the number of pixels change rate (NPCR) and the unified average changing intensity (UACI) [20], [21]. The NPCR calculates the percentage of the total number of different pixels between two images to the total amount of pixels in these two images, while the UACI calculates the average intensity of the differences between the pixels of these two images. The higher the values of NPCR and UACI, the better the sensitivity and the diffusion property of the proposed system.
Let $x$, $y$ be two images whose $CText$, $P$, $S$, $S_1$ or $S_2$ differ in only one bit. Let $i$, $j$ be the horizontal and vertical indices of the pixels in both images. Define an array $D_{i,j} = 0$ if $x_{i,j} = y_{i,j}$, otherwise $D_{i,j} = 1$. The NPCR and the UACI are calculated as [20], [21]: where $W$, $H$ represent the dimensions of the image [20], [21]. The original image is compared with respect to five images different in 1 bit in $CText$, $P$, $S$, $S_1$ and $S_2$ respectively. These images are shown in Figure 12. The NPCR and the UACI results are shown in Table 8. Based on Table 8, 1) the proposed system is sensitive to any changes to its parameters, 2) 96% of the pixels in the original
Based on these tests, the proposed system has a very strong diffusion property and is highly sensitive to changes in its parameters.
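The four measurements used in this section (entropy, correlation coefficient, NPCR and UACI), as an added example that is not code from the paper. The paper's own equations did not survive on this page, so the functions use the standard definitions of these metrics, which is an assumption about what the cited references specify; the sample channels are constructed with a seeded generator and are not the paper's images.

```python
import math
import random

WIDTH, HEIGHT = 256, 256      # one 8-bit colour channel of a 256x256 image


def entropy(channel):
    """Shannon entropy in bits per 8-bit sample; the maximum is 8."""
    counts = [0] * 256
    for v in channel:
        counts[v] += 1
    n = len(channel)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def correlation(x, y):
    """Pearson correlation coefficient between two equally sized channels."""
    n = len(x)
    ex, ey = sum(x) / n, sum(y) / n               # average intensities
    cov = sum((a - ex) * (b - ey) for a, b in zip(x, y))
    vx = sum((a - ex) ** 2 for a in x)
    vy = sum((b - ey) ** 2 for b in y)
    if vx == 0 or vy == 0:
        raise ValueError("correlation is undefined for a constant image")
    return cov / math.sqrt(vx * vy)


def npcr(x, y):
    """Percentage of positions where the two channels differ (D = 1)."""
    return 100.0 * sum(a != b for a, b in zip(x, y)) / len(x)


def uaci(x, y):
    """Mean absolute intensity difference as a percentage of 255."""
    return 100.0 * sum(abs(a - b) for a, b in zip(x, y)) / (255 * len(x))


def sample_channels():
    """Constructed inputs: two independent random channels, a banded channel
    with only 16 grey levels, and a copy of the first with one sample changed."""
    rng = random.Random(2020)
    n = WIDTH * HEIGHT
    rand_a = [rng.randrange(256) for _ in range(n)]
    rand_b = [rng.randrange(256) for _ in range(n)]
    banded = [(i % 16) * 16 for i in range(n)]
    one_changed = list(rand_a)
    one_changed[0] ^= 0x01
    return rand_a, rand_b, banded, one_changed


def report():
    a, b, banded, one_changed = sample_channels()
    return {
        "entropy_random": entropy(a),              # close to 8
        "entropy_banded": entropy(banded),         # 16 equally likely levels
        "corr_independent": correlation(a, b),     # close to 0
        "corr_self": correlation(a, a),            # 1
        "npcr_independent": npcr(a, b),            # about 99.6
        "uaci_independent": uaci(a, b),            # about 33.5
        "npcr_one_sample": npcr(a, one_changed),   # what no diffusion looks like
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>18}: {value:.4f}")
```

For two independent uniformly random 8-bit channels the expected NPCR is about 99.61% and the expected UACI about 33.46%, so values near these figures are what a strong diffusion result looks like.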

VII. IMMUNITY TO KNOWN ATTACKS
This section compares the proposed system and the traditional system in terms of their resistance against known attacks such as the brute force attack and the replay attack.

A. IMMUNITY AGAINST THE BRUTE FORCE ATTACK
The traditional system protects the password using the hash function and utilizes the seed to randomize the output of the hash function for the same password. To brute-force the hash, an adversary needs to try $2^n$ different combinations, where $n$ is the hash size. Assuming a hash size of 256 bits, an adversary needs to try $2^{256} = 1.15 \times 10^{77}$ different combinations to get the password $P$. Assume that this adversary uses a computer that can try $2^{50} = 1.12 \times 10^{15}$ combinations per second; then the adversary will be able to break the hash and obtain the password in $2^{206}$ seconds or $3.26 \times 10^{54}$ years. This makes the traditional system secure for the current computing capabilities. But this is not true for quantum computing, because quantum computing can break the hash in a few seconds [22].
FIGURE 13. The security layers of the proposed system.
The proposed system protects the hash by concealing it inside the image. To successfully extract the hash from the image, the adversary needs to bypass two layers of security. The first layer is extracting $\bar{T}$ from the random image, while the second layer is extracting $T$ from $\bar{T}$. These layers of security are shown in Figure 13. After obtaining $T$, the adversary needs to extract the characters of $T$ using OCR, calculate $H(P, S) = CText \oplus T$ and then break the hash.
The first layer depends on the relation between the sizes of the random and the $\bar{T}$ images, while the second layer depends on the relation between the sizes of the $\bar{T}$ and $T$ images.

1) THE FIRST SECURITY LAYER
There are two approaches to extract $\bar{T}$ from the random image. The first is a brute force attack on the random image that tries every possible combination of $\bar{T}$. The second approach is achieved through extracting the scrambled pixels of $\bar{T}$, then breaking the scrambling algorithm to get $\bar{T}$. The second approach is more effective than the first one.
Let the number of pixels in $\bar{T}$ be $k$ and the number of pixels in a random image be $n$. The number of possible ways to store $\bar{T}$ inside the random image is: where $nPr_{\bar{T}}$ is the permutation function. The probability of finding the specific $\bar{T}$ inside the random image is: The relations between $Pr_{\bar{T}}$ and $nPr_{\bar{T}}$ with respect to $n$ at constant $k$ are shown in Figure 14, while the relations between $Pr_{\bar{T}}$ and $nPr_{\bar{T}}$ with respect to $k$ at constant $n$ are shown in Figure 15. From these figures, it is deduced that $nPr_{\bar{T}}$ increases with $n$, $k$ while $Pr_{\bar{T}}$ decreases with $n$, $k$. Using sufficiently large values of $n$, $k$ will give a very large number of possible combinations $nPr_{\bar{T}}$, and the probability $Pr_{\bar{T}}$ of finding the $\bar{T}$ image will be very small, making a brute force attack of finding $\bar{T}$ an extremely difficult task. For demonstration, suppose an image $\bar{T}$ with 1800 pixels and a random image with 65536 pixels are used. Then $nPr_{\bar{T}}$ and $Pr_{\bar{T}}$ can be calculated as: This means that a computer requires $6.83 \times 10^{8658}$ different combinations to find the correct $\bar{T}$ and the probability to find such $\bar{T}$ is $1.46 \times 10^{-8659}$. If a computer tries $1 \times 10^{100}$ combinations per second, it will require approximately $6.83 \times 10^{8558}$ seconds or $2.16 \times 10^{8551}$ years to try all the combinations.
The second approach to extract $\bar{T}$ is to get the pixels of $\bar{T}$ out of order, then break the scrambling algorithm to get $\bar{T}$.
The number of possible ways to store the pixels of $\bar{T}$ out of order inside the random image can be calculated as: where $C_{\bar{T}}$ is the combination function. The probability of finding the pixels of $\bar{T}$ out of order inside the random image is: The relations between $PrC_{\bar{T}}$ and $C_{\bar{T}}$ with respect to $n$ at constant $k$ are shown in Figure 16, while the relations between $PrC_{\bar{T}}$ and $C_{\bar{T}}$ with respect to $k$ at constant $n$ are shown in Figure 17. This means that a computer requires $1.11 \times 10^{3579}$ different combinations to find the pixels of $\bar{T}$ out of order and the probability to find such pixels is $8.96 \times 10^{-3580}$. If a computer tries $1 \times 10^{100}$ combinations per second, it will require approximately $1.11 \times 10^{3479}$ seconds or $3.54 \times 10^{3471}$ years to get the pixels of $\bar{T}$.
After finding the pixels of $\bar{T}$, it will be an easy task for a quantum computer to break the scrambling algorithm. That is why in this analysis the probability of a quantum computer breaking a scrambling algorithm is ignored, i.e., P(breaking the scrambling algorithm) ≈ 1.

2) THE SECOND SECURITY LAYER
The same analysis can be made for extracting $T$ from $\bar{T}$ as follows. For an image $\bar{T}$ with a size of $k$ bits and an image $T$ with a size of $l$ bits, $nPr_T$ and $Pr_T$ can be calculated as: The second approach that is used to extract $\bar{T}$ from the image is not applicable here. That is because $T = CText \oplus H(P_c, S)$. Since the hash function has a random distribution, $T$ will have a random distribution because of the XORing operation.
Assuming that both images have a size of 1800 pixels (i.e., $l = k = 1800$), $nPr_T$ and $Pr_T$ can be calculated as:
After successfully extracting $T$, the adversary needs to calculate $H(P, S) = CText \oplus T$ and break the hash to obtain the password. The probability of breaking a 256-bit hash can be calculated as: To summarize, the probability for the adversary to break the proposed system and obtain the password is equal to the probability to get $\bar{T}$ multiplied by the probability to get $T$ multiplied by the probability to break the hash.
The number of different combinations the adversary has to try for breaking the system is $\frac{1}{Pr_P} = 7.93 \times 10^{8735}$. If a computer tries $1 \times 10^{100}$ combinations per second, it will require approximately $7.93 \times 10^{8635}$ seconds or $2.58 \times 10^{8628}$ years to get the password.
This section concludes that breaking the proposed system by brute force requires an enormous amount of computing power and time, and breaking the proposed system will be a challenge even for quantum computing.
A comparison between traditional systems and the proposed system in terms of resisting a brute force attack is shown in Table 9.
This means that the proposed system is more powerful than traditional systems by a factor of $6.89 \times 10^{8658}$. If a quantum computer can break a hash function in just one second, then this computer will be able to break the proposed system in $2.17 \times 10^{8650}$ years.
This can be achieved without sacrificing the space efficiency of the proposed system; a 256 × 256 random RGB image has a size of 193 KB when stored in Portable Network Graphics (PNG) file format.

B. IMMUNITY AGAINST THE REPLAY ATTACK
In traditional systems, if an adversary obtains $S$, $H(P, S)$, a replay attack can be launched. The adversary can resend $S$, $H(P, S)$ to the server pretending to be the legitimate client. The adversary can hack the system without knowing the password $P$. This attack is not possible with the proposed system because the server sends a random $CText$ to the client. If an adversary obtains a generated image along with $S$, $S_1$, $S_2$, the authentication will fail because the server sends a different $CText$.

VIII. THE SECURITY PROOF
This section proves that the proposed system is secure by proving the following theorem.
Theorem 1: Suppose the CAPTCHA AI hard problem holds and the scrambling algorithm is secure. Then the proposed system is indistinguishably secure against an adaptive chosen-challenge text attack (IND-ACCTA) based on the CAPTCHA AI hard problem when the hash function $H$ is modeled as a random oracle [23]. Let $A$ be an efficient IND-ACCTA adversary whose running time is at most $\tau$; then there are two efficient algorithms $B_1$ and $B_2$ whose running time is the same as the running time of $A$ such that: where $Adv_{A,pr}$ is the advantage of $A$ to break the proposed system, $Adv_{B_1,C}$ is the advantage of algorithm $B_1$ to break CAPTCHA and $Adv_{B_2,S}$ is the advantage of algorithm $B_2$ to break the scrambling algorithm.
Proof: To prove Theorem 1, the CAPTCHA AI hard problem and the security notion of challenge text confidentiality are defined. After that, a game played between an adversary and a challenger who challenges the adversary to break the proposed system is presented.

1) THE CAPTCHA AI HARD PROBLEM
CAPTCHA is an information security algorithm that creates challenges that are easy for most humans but hard and unsolvable for bots [3]. Its security is based on the hardness assumption of AI hard problems. A bot that solves a challenge C generated by CAPTCHA can be used to solve these AI hard problems [3].
The definition of CAPTCHA is modified here by lifting the restriction of being easy for humans. The CAPTCHA AI hard problem in this article should be hard for both humans and bots who do not have the secret key required to solve the challenge $C$. This will harden the CAPTCHA AI hard problem and will make it more difficult for an adversary to solve.

Definition 1:
An AI problem is defined as a tripartite $P = (Q, R, b)$, such that $Q$ is a set of hard problem cases, $R$ is the probability distribution over the set $Q$, and $b : Q \to \{0, 1\}^*$ is the answer to the set $Q$. Assume an adversary $A$ whose running time is at most $\tau$ for any input from the set $Q$. $A$ receives a problem $P$ as input and outputs $\bar{b} : Q \to \{0, 1\}^*$. $A$ solves the hard problem $P$ if $\bar{b} = b$. The advantage of $A$ to solve $P$ is:

Definition 2:
An $\eta$-CAPTCHA is a challenge $C$ that is defined as follows. Assume that there is an AI hard problem $P$ and an adversary $A$. $A$ can solve the challenge $C$ if the adversary $A$ runs a program $B$ whose running time is the same as $A$ and $B$ has success greater than $\eta$ over $P$.
Von Ahn et al. [4] introduced a set of hard problems that can be used to construct CAPTCHA images as shown in Figure 1. If a computer can solve these hard problems, then the twisted texts can be extracted from the CAPTCHA images and the CAPTCHA AI hard problem can be solved.
Assume that there is a colored RGB image with a height $H$ and width $W$. Define an image transformation that takes an image as input and produces another image as output (not necessarily of the same width and height). Examples of image transformations are altering the size of an image, transforming an image into its negative version, etc.
Choose I from a set of colored RGB images and D from a set of image transformations. Assume for simplicity that D is a one-to-one transformation. Von Ahn et al. [4] proved that an adversary A can break the CAPTCHA AI hard problem if A is running a program B whose running time is close to that of A and the program B can solve the problem family P.

2) THE CHALLENGE TEXT CONFIDENTIALITY NOTION
This section presents a new security notion for the proposed system called the challenge text confidentiality notion. The proposed system must maintain this notion that models an adversary who tries to distinguish the challenge text from a random text under an adaptive chosen-challenge text attack. The challenge text confidentiality is illustrated as a game between a challenger C and an adversary A. This game is as follows.
• Setup (n, k): C produces the public parameters n, k and transfers them to A and hides the password (P).
• Query Phase 1: In this phase, $A$ can query $H(P, S)$, $H(P, S_1)$ and $H(P, S_2)$ based on $S$, $S_1$ and $S_2$ of his choosing. Upon receiving the queried $S$, $S_1$ and $S_2$ from $A$, $C$ calculates $H(P, S)$, $H(P, S_1)$ and $H(P, S_2)$ and sends the results to $A$. In addition, $A$ can query a generated image based on CText, $S$, $S_1$ and $S_2$ of his choice. To answer his query, the challenger calculates $T = \mathrm{CText} \oplus H(P, S)$, generates a random image, converts $T$ into an image, gets $\tilde{T} = T \oplus H(P, S_1)$ and scrambles $\tilde{T}$ inside the random image using $H(P, S_2)$ as shown in Figure 3. Then the challenger sends the generated image to the adversary $A$.
• Challenge Phase: $A$ sends to $C$ two challenge texts $\mathrm{CText}_1$ and $\mathrm{CText}_2$ and three seeds $S^*$, $S_1^*$ and $S_2^*$ of his choosing. $C$ tosses a fair coin $b \in [0, 1]$ and uses $\mathrm{CText}_b$ as the challenge text. Using $\mathrm{CText}_b$, $S^*$, $S_1^*$ and $S_2^*$, the challenger $C$ generates the challenge image and sends it to the adversary $A$. Note that the challenged $\mathrm{CText}_b$, $S^*$, $S_1^*$ and $S_2^*$ must not have been queried before in the query phase.
• Query Phase 2: The adversary can make adaptive queries as in Phase 1, except on the challenged parameters.
• Guess: $A$ outputs $b' \in [0, 1]$. $A$ wins the game if $b' = b$. The advantage of $A$ to break a system $z$ and win this game is:

Definition 4:
The proposed system is indistinguishably secure against an adaptive chosen-challenge text attack (IND-ACCTA) if the advantage of any polynomially bounded adversary $A$ in the above game is negligible.
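The challenger's side of this game, written out as an added Python example (not the paper's code). $H(P, \cdot)$ is a lazily filled table, the usual way a random oracle is simulated; the 256-byte flat image, the 16-byte challenge text used directly as pixel bytes, and the PRNG-based scrambler are assumptions standing in for the image format and scrambling algorithm of Figure 3.

```python
import random
import secrets

IMG_BYTES, TEXT_LEN = 256, 16  # constructed sizes: flat "image", challenge text
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Challenger:
    def __init__(self):
        self._table = {}  # seed -> uniform bytes: the oracle's answers for H(P, seed)
        self._queried, self._challenged = set(), set()  # seeds per phase

    def _H(self, seed):  # lazy sampling: new seed -> fresh value, repeat -> same value
        return self._table.setdefault(seed, secrets.token_bytes(TEXT_LEN))

    def _slots(self, s2):  # stand-in scrambler: positions from a PRNG seeded by H(P, S2)
        return random.Random(self._H(s2)).sample(range(IMG_BYTES), TEXT_LEN)

    def _image(self, ctext, s, s1, s2):
        if len(ctext) != TEXT_LEN:
            raise ValueError("challenge text must be TEXT_LEN bytes")
        t = xor(ctext, self._H(s))      # T = CText xor H(P, S)
        t_masked = xor(t, self._H(s1))  # T~ = T xor H(P, S1)
        image = bytearray(secrets.token_bytes(IMG_BYTES))  # fresh random image
        for pos, value in zip(self._slots(s2), t_masked):
            image[pos] = value
        return bytes(image)

    def hash_query(self, seed):
        if seed in self._challenged:
            raise ValueError("challenged seeds may not be queried")
        self._queried.add(seed)
        return self._H(seed)

    def image_query(self, ctext, s, s1, s2):
        if self._challenged & {s, s1, s2}:
            raise ValueError("challenged seeds may not be queried")
        self._queried.update((s, s1, s2))
        return self._image(ctext, s, s1, s2)

    def challenge(self, ctext1, ctext2, s, s1, s2):
        if self._queried & {s, s1, s2}:
            raise ValueError("challenge seeds must be fresh")
        self._challenged.update((s, s1, s2))
        self.b = secrets.randbelow(2)  # the hidden fair coin
        return self._image((ctext1, ctext2)[self.b], s, s1, s2)

    def extract(self, image, s, s1, s2):  # unscramble, then strip both masks
        t_masked = bytes(image[p] for p in self._slots(s2))
        return xor(xor(t_masked, self._H(s1)), self._H(s))
```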

3) THE PROOF
To prove Theorem 1, this section first proves the following Lemma.
Lemma 1: Any value x that is XORed with a uniformly distributed value y results in a uniformly distributed value z regardless of the distribution of x.
Proof: Assume that the probability that $x$ is one is $P$. Then the probability that $x$ is zero is $1 - P$. The truth table of $x$ and a random value $y$ is shown in Table 10. The probability that $z = 0$ is $0.5P + 0.5(1 - P) = 0.5$. The same goes for $z = 1$.
Now, the security proof of the proposed system is introduced.
• This segment describes a sequence of games. Let $W_i$ be the event that the adversary $A$ wins the $i$-th game. These games are described as follows.
- Game-0. This game is the usual adversarial game.
- Game-1. This game illustrates how to reply to a generated image query from $A$.
- Game-2. This game replaces the hash function $H$ with a truly random function.
- Game-3. This game replaces $T$ with a randomly uniform distributed value.
- Game-4. This game proves that extracting $T$ from $\tilde{T}$ is a CAPTCHA AI hard problem.
- Game-5. This game scrambles $\tilde{T}$ inside the random image.
- Game-6. This game replaces the challenge text $T$ with a random text $Z$.
• Game-0. This is the typical adversarial game for defining the IND-ACCTA security of the proposed system. The challenger $C$ picks the public parameters $(n, k)$ and sends them to $A$. In the Setup algorithm, the challenger also picks a random oracle $H : N \times N \to N$ at random from the set of all such functions and permits $A$ to query $H$ at random points. Thus.
• Game-1. This game explains how to respond to a generated image query from $A$. Upon receiving a challenge text CText and three seeds $S$, $S_1$ and $S_2$ from $A$, the challenger $C$ calculates $T = \mathrm{CText} \oplus H(P, S)$, generates a random image, converts $T$ into an image, gets $\tilde{T} = T \oplus H(P, S_1)$ and scrambles $\tilde{T}$ inside the random image using $H(P, S_2)$ as shown in Figure 3. Then the challenger sends the generated image to the adversary $A$. Since this is similar to Game-0, thus.
• Game-2. The hash function $H$ is replaced in Game-1 with a truly random function. To answer a hash query from $A$ for $S$, $S_1$ and $S_2$, the challenger $C$ builds a hashing table with two columns; the first column is for the queried values of $S$, $S_1$ and $S_2$ and the other column is for randomly generated values that correspond to $S$, $S_1$ and $S_2$. When $C$ receives queries of $H(P, S)$, $H(P, S_1)$ and $H(P, S_2)$ from $A$ for $S$, $S_1$ and $S_2$ of his choice, $C$ looks up the hashing table for $S$, $S_1$ and $S_2$. If they exist, then $C$ answers the queries with the random values associated with $S$, $S_1$ and $S_2$. If $S$, $S_1$ and $S_2$ do not exist in the table, $C$ generates three random values, sends them to $A$ and then puts these random values in the hashing table alongside the queried values of $S$, $S_1$ and $S_2$. Building this table ensures that the generated values are collision-free (each generated random value is unique and matches with a unique queried value of $S$, $S_1$ and $S_2$). This replaces the hashes $H(P, S)$, $H(P, S_1)$ and $H(P, S_2)$ with three uniformly distributed random variables $x$, $y$ and $z$. Then $T = \mathrm{CText} \oplus z$, $\tilde{T} = T \oplus x$ and $\tilde{T}$ is scrambled using $y$. Since in the random oracle model (ROM), the hash is viewed as a truly random function generating random values with uniform distribution, the adversary

be humanly smart. This is a challenge even for quantum computing. The authentication process starts by sending a challenge text from the server to the client. The client sends back the challenge text concealed by his password inside a random image. The detailed analysis proved that the proposed system is time- and space-efficient, probabilistic, sensitive to changes in its parameters, immune to leakage of any statistical information about the client's password and the generated images are indistinguishable from random images. Also, the security analysis proved that the proposed system is immune to brute force and replay attacks.
In addition, the proposed system is proven to be indistinguishably secure against an adaptive chosen-challenge text attack (IND-ACCTA) based on the CAPTCHA AI hard problem when the hash function H is modeled as a random oracle. The intent behind this article is to address the challenges presented by the impending advent of powerful quantum computing. These findings represent an important step towards that future.

X. FUTURE WORK
In the future, it is intended to investigate the following questions in depth.
• How will AI hard problems in general and the CAPTCHA AI hard problem in particular stand against an actual quantum computer?
• Can the world depend on AI hard problems to protect the information in the quantum computing era?
• Can the proposed system withstand an attack from an actual quantum computer?
• Can other cryptographic systems, such as encryption, digital signature, and key exchange systems be built using AI hard problems?