Proposed by the 3rd Generation Partnership Project (3GPP) as a standard for 3G and 4G mobile-network communications, the AKA protocol is meant to provide a mutually-authenticated key-exchange between clients and associated network servers. As a result, AKA must guarantee the indistinguishability from random of the session keys (key-indistinguishability), as well as client- and server-impersonation resistance. A paramount requirement is also that of client privacy, which 3GPP defines in terms of user identity confidentiality, service untraceability, and location untraceability. Moreover, since servers are sometimes untrusted (in the case of roaming), the AKA protocol must also protect clients with respect to these third parties. Following the description of client-tracking attacks, e.g. by using error messages or IMSI catchers, van den Broek et al. and Arapinis et al. each proposed a new variant of AKA addressing such problems. In this paper we use the approach of provable security to show that these variants still fail to guarantee the privacy of mobile clients. We propose an improvement of AKA, which retains most of its structure and respects practical necessities such as key-management, but which provably attains security with respect to servers and Man-in-the-Middle (MiM) adversaries. Moreover, it is impossible to link client sessions in the absence of client-corruptions. Finally, we prove that any variant of AKA retaining its mutual authentication specificities cannot achieve client-unlinkability in the presence of corruptions. In this sense, our proposed variant is optimal.
3GPP. 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security related network functions (Release 12). TS 43.020, 3rd Generation Partnership Project (3GPP), June 2014.
J. Alwen, M. Hirt, U. Maurer, A. Patra, and P. Raykov. Anonymous authentication with shared secrets. In Proceedings of LatinCrypt, volume 8895 of LNCS, pages 219-236. Springer-Verlag, 1999.
G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. Untraceable mobility or how to travel incognito. In Elsevier Computer Networks, volume 31, pages 871-884. Elsevier, 1999.
BSI. A Proposal for: Functionality classes for random number generators. AIS 20 / AIS 31. Version 2.0, Bundesamt für Sicherheit in der Informationstechnik (BSI), 2011.
R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attacks. In Advances in Cryptology - CRYPTO 1998, volume 1462 of LNCS, pages 13-25. Springer, 1998.
David A. McGrew and John Viega. The Security and Performance of the Galois/Counter Mode of Operation (Full Version). IACR Cryptology ePrint Archive, 2004:193, 2004.
D. Strobel. IMSI Catcher. In 2007 Seminar Work, Ruhr-Universität Bochum, 2007.
Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI Catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, USA, October 12-6, 2015, pages 340-351, 2015.
P. A. Fouque, C. Onete, and B. Richard. Achieving Better Privacy for the 3GPP AKA Protocol. Cryptology ePrint Archive, Report 2001/112, 2016.
Jens Hermans, Andreas Pashalidis, Frederik Vercauteren, and Bart Preneel. A New RFID Privacy Model. In Computer Security - ESORICS 2011 - 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14, 2011. Proceedings, pages 568-587, 2011.
Jens Hermans, Andreas Pashalidis, Frederik Vercauteren, and Bart Preneel. A New RFID Privacy Model. In V. Atluri and C. Diaz, editors, ESORICS, volume 6879, pages 568-587, 2011.
M. S. A. Khan and C. J. Mitchell. Another look at privacy threats in 3G mobile telephony. In Proceedings of ACISP, volume 8544 of Lecture Notes in Computer Science, pages 386-396. Springer, 2014.
Michael Burrows, Martín Abadi, and Roger M. Needham. A Logic of Authentication. ACM Trans. Comput. Syst., 8(1):18-36, 1990.
Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated Key Exchange Secure against Dictionary Attacks. In Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, pages 139-155, 2000.
Mihir Bellare and Phillip Rogaway. Entity Authentication and Key Distribution. In D. R. Stinson, editor, Advances in Cryptology - CRYPTO ’93, volume 773 of LNCS, pages 232-249. Springer, 1993.
Mihir Bellare, Ran Canetti, and Hugo Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In Proceedings of the ACM Symposium on the Theory of Computing, pages 419-428, 1998.
Ming-Feng Lee, Nigel P. Smart, Bogdan Warinschi, and Gaven J. Watson. Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Int. J. Inf. Sec., 13(6):513-527, 2014.
Muxiang Zhang. Provably-Secure Enhancement on 3GPP Authentication and Key Agreement Protocol. IACR Cryptology ePrint Archive, 2003:92, 2003.
Muxiang Zhang and Yuguang Fang. Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2):734-742, 2005.
Myrto Arapinis, Loretta Ilaria Mancini, Eike Ritter, and Mark Ryan. Privacy through Pseudonymity in Mobile Telephony Systems. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014.
Myrto Arapinis, Loretta Ilaria Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: fix and verification. In the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, pages 205-216, 2012.
S. provider. Personal communication with one of Europe’s largest service providers, 2015.
Radu-Ioan Paise and Serge Vaudenay. Mutual Authentication in RFID: Security and Privacy. In Proc. on the 3rd ACM Symposium on Information, Computer and Communications Security (ASIACCS), pages 292-299. ACM, 2008.
Ran Canetti and Hugo Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels. In Advances in Cryptology - EUROCRYPT 2002, volume 2332 of LNCS, pages 337-351, 2002.
Serge Vaudenay. On Privacy Models for RFID. In ASIACRYPT ’07, volume 4883, pages 68-87, 2007.
A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In Proceedings of NDSS. Internet Society, 2016.
Ulrike Meyer and Susanne Wetzel. A man-in-the-middle attack on UMTS. In Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, October 1, 2004, pages 90-97, 2004.
Zahra Ahmadian, Somayeh Salimi, and Ahmad Salahi. New attacks on UMTS network access. In 2009 Wireless Telecommunications Symposium, WTS 2009, Prague, Czech Republic, April 22-24, 2009, pages 1-6, 2009.