efficienthierarchicalauthenticationprotocolfor...
TRANSCRIPT
Research ArticleEfficient Hierarchical Authentication Protocol forMultiserver Architecture
Jiangheng Kou Mingxing He Ling Xiong and Zeqiong Lv
School of Computer and Software Engineering Xihua University Chengdu Sichuan 610039 China
Correspondence should be addressed to Mingxing He he_mingxing64aliyuncom
Received 23 August 2019 Revised 14 November 2019 Accepted 22 January 2020 Published 23 March 2020
Academic Editor Jose Marıa de Fuentes
Copyright copy 2020 JianghengKou et alis is an open access article distributed under the Creative CommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
e multiserver architecture authentication (MSAA) protocol plays a significant role in achieving secure communicationsbetween devices In recent years researchers proposed many new MSAA protocols to gain more functionality and securityHowever in the existing studies registered users can access to all registered service providers in the systemwithout any limitationTo ensure that the system can restrict users that are at different levels and can access to different levels of service providers wepropose a new lightweight hierarchical authentication protocol for multiserver architecture using a Merkle tree to verify userrsquosauthentication right e proposed protocol has hierarchical authentication functionality high security and reasonable com-putation and communication costs Moreover the security analysis demonstrates that the proposed protocol satisfies the securityrequirements in practical applications and the proposed protocol is provably secure in the general security model
1 Introduction
Rapid advances in wireless communication technologiesbring convenience to our lives With an increasing numberof users and services the single-server architecture au-thentication protocols can no longer meet peoplersquos variousrequirements [1] Multiserver architecture authentication(MSAA) protocols have emerged and been widely used inthe Internet of things wireless sensor networks smart gridcloud computing and mobile payment Because MSAAprotocols have better properties than single-server archi-tecture authentication protocols [2 3] it becomes a hotspot in current research
However due to the openness of the multiserver envi-ronment an adversary can easily control communicationchannels and carries out many types of attacks such asintercept modify replay and delay messages betweenmultiple parties For defending these attacks researchersproposed many authentication protocols for the multi-server architecture that are using cryptographic methodsto secure communication between different parties Newprotocols also have lower computation and communica-tion costs than the previous protocols Currently MSAAprotocols can be divided into two types by whether it involves
the registration center (RC) at the authentication phase efirst type is MSAA protocols with the RC involving at theauthentication phase (MSAA1) [1 2 4ndash11] and the secondtype is MSAA protocols without RC involving at the au-thentication phase (MSAA2) [12ndash23] In MSAA1 proto-colsRC verifies every mutual authentication process whichmakes it a bottleneck in MSAA1 protocols e communi-cation cost in MSAA1 protocols is significantly increasedcompared to MSAA2 protocols To address these draw-backs researchers proposed many MSAA2 protocols whichhave more efficiency and security than the existing MSAA1protocols [14]
Currently hierarchical authentication functionality ismissing in the existing MSAA2 protocols When a userregistered at RC heshe can authenticate with all registeredservice providers [24] and access to their services Howeverthere are many different users and service providers in thissystem and the userrsquos level is different from each otherand low-level users should not successfully authenticatewith high-level service providers and access to their servicesBesides there should be some high-level service providersonly providing service for some particular users such as VIPusers In general the MSAA protocols with the hierarchicalauthentication functionality will have flexibility in managing
HindawiSecurity and Communication NetworksVolume 2020 Article ID 2523834 14 pageshttpsdoiorg10115520202523834
user authentication rights and access capabilities e hi-erarchical authentication functionality has been achievedin the MSAA1 protocol [2 4] In the MSAA1 protocol anRC is required at the authentication phase erefore RCcan verify the userrsquos authentication rights to determinewhether heshe can access to service providers that are at aparticular level However MSAA1 protocols have severaldrawbacks such as unreasonable communication cost thatwe showed earlier making the whole system inefficientSuppose we apply the existing MSAA2 protocols to theabove environment there should be multiple RCs to manageusers and service providers at different levels Users andservice providers need to store various certificates fromdifferent RCs e missing of hierarchical authenticationfunctionality in the existing MSAA2 protocols motivates usto design a new lightweight hierarchical authenticationprotocol for multiserver architecture
e proposed protocol uses a self-constructed Merkletree to achieve hierarchical authentication functionality Inthe proposed protocol a session key is established betweenservice providers and users without involving RC this sig-nificantly reduces communication cost and makes the au-thentication process faster e proposed protocol can meetthe security requirements of the multiserver architecture andis provably secure in general security model
e remainder of this paper is organized as followsSection 2 discusses the related work Section 3 describespreliminaries In Section 4 we show the details of theproposed protocol Section 5 gives out the formal securityproof of the proposed protocol Section 6 presents a com-parison of the proposed protocol with other related protocolson security computation and communication costs Section7 concludes the paper
2 Related Work
Li et al [1] proposed a new multiserver architecture au-thentication (MSAA) protocol for cloud computing basedon the identity-based model Shao and Chin [4] proposedan authentication protocol for multiserver architecture butfailed to resist the server spoofing and the impersonationattacks He and Wang [5] constructed the first genuinelythree-factor authentication protocol for the multiserverarchitecture but their protocol is vulnerable to the knownsession-specific temporary information attack and imper-sonation attack Odelu et al [6] proposed an improvedprotocol to solve the security drawbacks in [5] Xie et al [7]proposed a two-factor authentication protocol HoweverXiersquos protocol cannot resist the lost smart card attack and theoffline dictionary guessing attack To address the drawbacksChandrakar and Om [8] proposed a new security-enhancedthree-factor protocol Feng et al [9] proposed an enhancedbiometrics-based authentication protocol that can provideuser anonymity Amin et al [10] proposed a lightweightauthentication protocol that has lower computational andcommunication costs Cui et al [11] proposed an efficientprotocol that only uses nonce exclusive-OR operation andone-way hash function their protocol greatly reduces thecomputation cost However in this kind of protocol they all
need the help of an online registration center to achieve mutualauthentication which increases the communication cost
In order to solve the drawbacks in the first type protocolChoi et al [12] proposed the first MSAA protocol withoutthe online registration center Tseng et al [13] proposed alist-free ID-based authentication protocol using bilinearpairings for the multiserver architecture However Tsenget al [13] cannot provide credentials privacy and untrace-ability for users Recently Odelu et al [14] and He et al [15]proposed new protocols that reduce the computation andcommunication costs Irshad et al [16] found protocol in[17] cannot achieve desired security goals erefore theyproposed an improved multiserver authentication protocolfor distributed mobile cloud computing services AfterwardXiong et al [18] found protocol in [16] has unreasonablecomputation cost so they proposed an enhanced protocolfor distributed mobile cloud At the same time Xiong et al[19] proposed a new lightweight anonymous authenticationprotocol to reduce computation and communication costsBarman et al [25] used fuzzy commitment approach tosecure the information stored on personal device Kumariet al [20] proposed a concept of the fuzzy extractor toprovide the proper matching of biometric patterns Xu et al[21] proposed a new protocol that provides untraceabilityJiang et al [22] performed a security analysis to the protocolin [17] pointing out that it is vulnerable to the imper-sonation attack Chatterjee et al [23] proposed a biometric-based protocol using the chaotic map and enhanced thesecurity for multiserver architecture We summarizetechniques advantages and disadvantages that the existingprotocols used in Table 1
3 Preliminaries
In this section we introduce preliminaries of the proposedprotocol
Let G1 and G2 be an additive cyclic group and a mul-tiplicative cyclic group both of them have a large primeorder q Let 1113954e G1 times G1⟶ G2 denote a bilinear mapSuppose P is a generator of G1 g is a generator of G2 Abilinear map 1113954e has the following properties
(i) Bilinearity for all P Q isin G1 and for all a b isin Zlowastq 1113954e(aP bQ) 1113954e(P Q)ab
(ii) Computability there exists an algorithm that cansuccessfully compute 1113954e(P Q) for all P Q isin G1
(iii) Nondegeneracy there exists P Q isin G1 such that1113954e(P Q)ne 1 where 1 is the identity element of G2
We list the hard problems that we used in the proposedprotocol as follows
(i) Discrete logarithm (DL) problem given an elementx isin G2 it is hard to compute a isin Zlowastq such thatx ga
(ii) Computational DiffiendashHellman (CDH) problemgiven two elements ga gb isin G2 it is hard to com-pute gamiddotb isin G2 where a and b are unknown andrandomly chosen from Zlowastq
2 Security and Communication Networks
(iii) Modified Bilinear Inverse DiffiendashHellman withk value (k-mBIDH) problem [12] given k ele-ments α1 α2 αk1113864 1113865(αi isin Zlowastq ) and k + 2 elementsτ middot P η middot P (1(τ + α1)) middot P (1(τ + α2)) middot P 1113864 (1
(τ + αk)) middot P each of them is in G1 it is hard tocompute 1113954e(P P)η(τ+α) where α notin α1 α2 αk1113864 1113865
and τ and η are two unknown elements in Zlowastq
A security system parameter generator used in theproposed protocol is introduced below
Gen(middot) the system parameter generator takes a securityparameter n and outputs system parameters a bilinear mapan elliptic curve a multiplicative group etc Intuitively thesystem parameters will be publicly known
e notations used in the proposed protocol are listed inTable 2
4 The Proposed Protocol
41 RC Initialization Phase Registration center runs thegeneration function Gen(1n) which takes a security pa-rameter n isin Z+ and outputs parameters as follows
(1) RC chooses two bilinear map groups G1 and G2 witha prime order q the generator P isin G1 and g
1113954e(P P) isin G2 where 1113954e G1 times G1⟶ G2 is a bilinearmap
(2) RC chooses cryptographic hash functions H1
0 1 lowast ⟶ Zlowastq H2 G2⟶ Zlowastq H3 0 1 lowast ⟶ G1H4 0 1 lowast ⟶ 0 1 n
(3) RC chooses a random number s⟵R Zlowastq as the masterkey computes the corresponding public keyPpub sP isin G1 and constructs an authenticationright tree T as Figure 1 e detail of the tree willbe described in Section 45 Finally RC publishesG1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967
42 User Registration Phase If a user Ui wants to regis-ter with the registration center RC the followingsteps will be executed e main steps are provided inTable 3
(1) Ui sends hisher identity IDUito RC via a secure
channel
Table 1 Related work summaries
Protocol Technique Advantage Disadvantage[1] Identity-based Lightweight and efficient Cannot provide user anonymity
[4] Identity-based Provides user anonymity resists server spoofingattack and impersonation attack etc
Cannot resist server spoofing attack andimpersonation attacks
[5] Biometrics-based First truly three-factor authenticated scheme Cannot resist known session-specifictemporary attack and the impersonation attack
[6] Biometrics-based Provides secure authentication and resists passiveand active attacks
Needs registration center online forauthentication
[7] Identity-based Security enhanced and supports smart card revocationand password update without centralized storage
Cannot resist the lost smart card attack andthe offline dictionary guessing attack
[8] Biometrics-based Efficient in terms of computation cost communicationcost and resists smart card storage cost High maintenance cost
[9] Biometrics-based Incurs low overhead suitable for deployment atmobile devices
Needs registration center online forauthentication
[10] Two-factor-based Security enhanced lightweight and efficient Needs registration center online forauthentication
[11] Identity-based Resists the server spoofing attack Needs registration center onlinefor authentication
[12] Identity-based Does not need registration center onlinefor authentication Cannot provide hierarchical authentication
[13] Identity-based Provides blackwhite list-free and simplerevocation mechanism
Cannot provide credentials privacy anduntraceability
[14] Identity-based Provides SK-security and strong credentialsrsquo privacy Cannot provide hierarchical authentication
[15] Identity-based Uses the self-certified public key cryptography andhas lower computation and communication costs Cannot provide hierarchical authentication
[16] Two-factor-based Resists server spoofing attack desynchronization attackand denial-of-service attack Cannot provide hierarchical authentication
[17] Two-factor-basedReduces authentication processing time required by
communication and computation between cloud serviceproviders and traditional trusted third-party service
Cannot resist service provider impersonationattack and has no user revocation facility
[18] Biometrics-based Provides three-factor security user revocationand reregistration Cannot provide hierarchical authentication
[19] Biometrics-based User anonymity perfect forward secrecy and resistanceto desynchronization attack Cannot provide hierarchical authentication
[21] Two-factor-based Provides user untraceability and perfect forward security Cannot provide hierarchical authentication[23] Biometric-based Uses chaotic map to improve efficiency Cannot provide hierarchical authentication
Security and Communication Networks 3
(2) RC selects an authentication parameter KRi isin Tand computes the Uirsquos private key dUi
(1(s +
H1(IDUieKRi))) middot P where e is the expire date of
the private key andT is an authentication right treeRC chooses a parameter ai isin T and sends dUi
ai1113966 1113967 toUi via a secure channel
(3) Ui computes (σi θi)⟵f(bi) using the fuzzy-ex-tractor generation procedure f(middot) [26] where σi is abiometric key θi is a public reproduction parameterand bi is hisher personal biometrics Ui computesA dUi
oplusH3(pwσ i) and uses the widely imple-mented fuzzy-verifier technique [27 28] to computeB H4((H4(IDUi
)H4(pwσ i))mod n0) where pwis hisher password and n0 is the integer that definesin [27] Finally Ui stores ai θi A B e f(middot)1113864
fminus 1(middot) t H1 H2 H3 H4 on its mobile devicewhere t is the threshold in fuzzy extractor f(middot) is theprobabilistic generation procedure for outputtingσi and θi fminus 1(middot) is the deterministic reproductionprocedure that can recover σi and θi from a newpersonal biometrics input
43 Service Provider Registration Phase If a service providerSj wants to register with the RC the following steps will beexecuted e main steps are provided in Table 4
(1) Sj sends hisher identity IDSjto RC via a secure
channel(2) RC computes the private key dSj
(1(s +
H1(IDSj))) middot P for Sj and sends dSj
1113954T1113882 1113883 to him via a
secure channel where 1113954T is an authentication righttree for service provider We will describe the detailof 1113954T in Section 45
(3) Finally Sj saves dSj 1113954T1113882 1113883
44 User and Service Provider Authentication Phase In thispart we show the mutual authentication phase between auser and a service provider without involving RC e mainsteps are provided in Table 5
(1) First Ui inputs hisher biometrics bi identity IDUi
and password pw into hisher mobile deviceMobile device computes σi fminus 1(θi bi) and Blowast
H4((H4(IDUi)H4(pwσi))mod n0) and verifies the
validity of inputted biometrics and password bycomputing Blowast
B If it holds mobile device retrieves
Uirsquos private key by computing dUi AoplusH3(pwσi)
and temporarily saves IDUi en Ui selects a tem-
porary session secret r1 calculates r1 H1(r1dUi)
and computes g1 gr1 C r1 middot (H1(IDSj)P + Ppub)
by using the identity of Sj Next Ui
computesD H1(IDUieIDSj
g1) E (r1 + D)middot
dUi and F (aiIDUi
eIDSj)oplusH2(gr1) Finally Ui
sends the login message C E F to Sj(2) After receiving C E F Sj checks whether IDUi
is inIDRL if IDUi
is not in IDRL Sj retrieves g1 usinghisher private key dSj
as g1 gr1 1113954e(C dSj) Sj re-
trieves ai D IDUi e IDSj
by computingFoplusH2(g1) Sj
computes KRi H4(KRi+1Li) where Li
H4(ai 1113954ai) and verifies 1113954e(E H1(IDUieKRi)middot
P + Ppub)
g1 middot gD If both are equal Ui is allowed toauthenticate with Sjen Sj selects a temporary sessionsecret 1113954r2 then heshe calculates r2 H1( 1113954r2dSj
) andcomputes g2 gr2 and session key is set assk H2(g
r21 ) H2(gr1r2) Finally Sj calculates G
H4(skg1g2IDSjC) and sends the message g2 G1113864 1113865
to Ui(3) Upon receiving g2 G1113864 1113865 Ui computes sk H2(g
r12 )
H2(gr1r2)and Glowast H4(skg1g2IDSjC) and
checks whether G and Glowast are equal If both are notequal Ui aborts the session Otherwise Ui con-firms Sj as a valid service provider and sets sk assession key between Ui and Sj
Table 2 Notations used in the proposed protocol
Notation DescriptionRC e registration centerUi e ith userSj e jth service providerA e adversaryIDUi
e identity of ith userIDSj
e identity of jth service providerpw e password of a userbi e ith userrsquos personal biometricsσi e biometric keye e private key expire parameter1113954r1 1113954r2 Random numbers from Zlowastqsk e session key
Concatenation operationT e authentication right tree1113954T e authentication right tree on service provider sideai 1113954ai e authentication right parametersKRi e ith node of the authentication right treeLi e subnode of KRi
f(middot) e fuzzy-extractor generation proceduref(middot)minus 1 e deterministic reproduction procedureHi(middot) Secure one-way hash functionsIDRL ID revocation list
KRn
KR1
L1
a1 a 1
L2
a2 a 2
KRnndash1
Lnndash1
anndash1
Ln
an
a nndash1KR2
hellip a n
Figure 1 Authentication right tree
4 Security and Communication Networks
45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree
451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi
denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right
Table 4 Service provider registration phase
Service provider Sj Registration center RC
⟶IDSj
secure channelComputes
dSj (1(s + H1(IDSj
))) middot P
larrdSj
1113954T1113966 1113967
secure channel
Stores dSj 1113954T1113882 1113883
Table 3 User registration phase
Mobile user Ui Registration center RC
⟶IDUi
secure channelComputes private key dUi
(1(s + H1(IDUieKRi))) middot P
and selects ai isin T
⟵dUi
ai1113966 1113967
secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)
B H4((H4(IDUi) H4(pwσi))mod n0) and stores
ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865
Table 5 User and service provider authentication phase
Mobile user Ui Service provider Sj
r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj
) middot P + Ppub)
D H1(IDUieIDSj
g1)
E (r1 + D) middot dUiF (aiIDUi
eIDSj)oplusH2(g1)
⟶CEF
Retrieves g1 gr1 1113954e(C dSj)(aiIDUi
eIDSj) FoplusH2(g1)
computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD andacceptsrejects
r2 H1( 1113954r2dSj) g2 gr2 sk H2(g
r21 )G H4(skg1g2IDSj
C)
⟵(Gg2)
Computes sk H2(gr12 )Glowast H4(skg1g2IDSj
C) checks
Glowast
G and acceptsrejects sk
Security and Communication Networks 5
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
user authentication rights and access capabilities e hi-erarchical authentication functionality has been achievedin the MSAA1 protocol [2 4] In the MSAA1 protocol anRC is required at the authentication phase erefore RCcan verify the userrsquos authentication rights to determinewhether heshe can access to service providers that are at aparticular level However MSAA1 protocols have severaldrawbacks such as unreasonable communication cost thatwe showed earlier making the whole system inefficientSuppose we apply the existing MSAA2 protocols to theabove environment there should be multiple RCs to manageusers and service providers at different levels Users andservice providers need to store various certificates fromdifferent RCs e missing of hierarchical authenticationfunctionality in the existing MSAA2 protocols motivates usto design a new lightweight hierarchical authenticationprotocol for multiserver architecture
e proposed protocol uses a self-constructed Merkletree to achieve hierarchical authentication functionality Inthe proposed protocol a session key is established betweenservice providers and users without involving RC this sig-nificantly reduces communication cost and makes the au-thentication process faster e proposed protocol can meetthe security requirements of the multiserver architecture andis provably secure in general security model
e remainder of this paper is organized as followsSection 2 discusses the related work Section 3 describespreliminaries In Section 4 we show the details of theproposed protocol Section 5 gives out the formal securityproof of the proposed protocol Section 6 presents a com-parison of the proposed protocol with other related protocolson security computation and communication costs Section7 concludes the paper
2 Related Work
Li et al [1] proposed a new multiserver architecture au-thentication (MSAA) protocol for cloud computing basedon the identity-based model Shao and Chin [4] proposedan authentication protocol for multiserver architecture butfailed to resist the server spoofing and the impersonationattacks He and Wang [5] constructed the first genuinelythree-factor authentication protocol for the multiserverarchitecture but their protocol is vulnerable to the knownsession-specific temporary information attack and imper-sonation attack Odelu et al [6] proposed an improvedprotocol to solve the security drawbacks in [5] Xie et al [7]proposed a two-factor authentication protocol HoweverXiersquos protocol cannot resist the lost smart card attack and theoffline dictionary guessing attack To address the drawbacksChandrakar and Om [8] proposed a new security-enhancedthree-factor protocol Feng et al [9] proposed an enhancedbiometrics-based authentication protocol that can provideuser anonymity Amin et al [10] proposed a lightweightauthentication protocol that has lower computational andcommunication costs Cui et al [11] proposed an efficientprotocol that only uses nonce exclusive-OR operation andone-way hash function their protocol greatly reduces thecomputation cost However in this kind of protocol they all
need the help of an online registration center to achieve mutualauthentication which increases the communication cost
In order to solve the drawbacks in the first type protocolChoi et al [12] proposed the first MSAA protocol withoutthe online registration center Tseng et al [13] proposed alist-free ID-based authentication protocol using bilinearpairings for the multiserver architecture However Tsenget al [13] cannot provide credentials privacy and untrace-ability for users Recently Odelu et al [14] and He et al [15]proposed new protocols that reduce the computation andcommunication costs Irshad et al [16] found protocol in[17] cannot achieve desired security goals erefore theyproposed an improved multiserver authentication protocolfor distributed mobile cloud computing services AfterwardXiong et al [18] found protocol in [16] has unreasonablecomputation cost so they proposed an enhanced protocolfor distributed mobile cloud At the same time Xiong et al[19] proposed a new lightweight anonymous authenticationprotocol to reduce computation and communication costsBarman et al [25] used fuzzy commitment approach tosecure the information stored on personal device Kumariet al [20] proposed a concept of the fuzzy extractor toprovide the proper matching of biometric patterns Xu et al[21] proposed a new protocol that provides untraceabilityJiang et al [22] performed a security analysis to the protocolin [17] pointing out that it is vulnerable to the imper-sonation attack Chatterjee et al [23] proposed a biometric-based protocol using the chaotic map and enhanced thesecurity for multiserver architecture We summarizetechniques advantages and disadvantages that the existingprotocols used in Table 1
3 Preliminaries
In this section we introduce preliminaries of the proposedprotocol
Let G1 and G2 be an additive cyclic group and a mul-tiplicative cyclic group both of them have a large primeorder q Let 1113954e G1 times G1⟶ G2 denote a bilinear mapSuppose P is a generator of G1 g is a generator of G2 Abilinear map 1113954e has the following properties
(i) Bilinearity for all P Q isin G1 and for all a b isin Zlowastq 1113954e(aP bQ) 1113954e(P Q)ab
(ii) Computability there exists an algorithm that cansuccessfully compute 1113954e(P Q) for all P Q isin G1
(iii) Nondegeneracy there exists P Q isin G1 such that1113954e(P Q)ne 1 where 1 is the identity element of G2
We list the hard problems that we used in the proposedprotocol as follows
(i) Discrete logarithm (DL) problem given an elementx isin G2 it is hard to compute a isin Zlowastq such thatx ga
(ii) Computational DiffiendashHellman (CDH) problemgiven two elements ga gb isin G2 it is hard to com-pute gamiddotb isin G2 where a and b are unknown andrandomly chosen from Zlowastq
2 Security and Communication Networks
(iii) Modified Bilinear Inverse DiffiendashHellman withk value (k-mBIDH) problem [12] given k ele-ments α1 α2 αk1113864 1113865(αi isin Zlowastq ) and k + 2 elementsτ middot P η middot P (1(τ + α1)) middot P (1(τ + α2)) middot P 1113864 (1
(τ + αk)) middot P each of them is in G1 it is hard tocompute 1113954e(P P)η(τ+α) where α notin α1 α2 αk1113864 1113865
and τ and η are two unknown elements in Zlowastq
A security system parameter generator used in theproposed protocol is introduced below
Gen(middot) the system parameter generator takes a securityparameter n and outputs system parameters a bilinear mapan elliptic curve a multiplicative group etc Intuitively thesystem parameters will be publicly known
e notations used in the proposed protocol are listed inTable 2
4 The Proposed Protocol
41 RC Initialization Phase Registration center runs thegeneration function Gen(1n) which takes a security pa-rameter n isin Z+ and outputs parameters as follows
(1) RC chooses two bilinear map groups G1 and G2 witha prime order q the generator P isin G1 and g
1113954e(P P) isin G2 where 1113954e G1 times G1⟶ G2 is a bilinearmap
(2) RC chooses cryptographic hash functions H1
0 1 lowast ⟶ Zlowastq H2 G2⟶ Zlowastq H3 0 1 lowast ⟶ G1H4 0 1 lowast ⟶ 0 1 n
(3) RC chooses a random number s⟵R Zlowastq as the masterkey computes the corresponding public keyPpub sP isin G1 and constructs an authenticationright tree T as Figure 1 e detail of the tree willbe described in Section 45 Finally RC publishesG1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967
42 User Registration Phase If a user Ui wants to regis-ter with the registration center RC the followingsteps will be executed e main steps are provided inTable 3
(1) Ui sends hisher identity IDUito RC via a secure
channel
Table 1 Related work summaries
Protocol Technique Advantage Disadvantage[1] Identity-based Lightweight and efficient Cannot provide user anonymity
[4] Identity-based Provides user anonymity resists server spoofingattack and impersonation attack etc
Cannot resist server spoofing attack andimpersonation attacks
[5] Biometrics-based First truly three-factor authenticated scheme Cannot resist known session-specifictemporary attack and the impersonation attack
[6] Biometrics-based Provides secure authentication and resists passiveand active attacks
Needs registration center online forauthentication
[7] Identity-based Security enhanced and supports smart card revocationand password update without centralized storage
Cannot resist the lost smart card attack andthe offline dictionary guessing attack
[8] Biometrics-based Efficient in terms of computation cost communicationcost and resists smart card storage cost High maintenance cost
[9] Biometrics-based Incurs low overhead suitable for deployment atmobile devices
Needs registration center online forauthentication
[10] Two-factor-based Security enhanced lightweight and efficient Needs registration center online forauthentication
[11] Identity-based Resists the server spoofing attack Needs registration center onlinefor authentication
[12] Identity-based Does not need registration center onlinefor authentication Cannot provide hierarchical authentication
[13] Identity-based Provides blackwhite list-free and simplerevocation mechanism
Cannot provide credentials privacy anduntraceability
[14] Identity-based Provides SK-security and strong credentialsrsquo privacy Cannot provide hierarchical authentication
[15] Identity-based Uses the self-certified public key cryptography andhas lower computation and communication costs Cannot provide hierarchical authentication
[16] Two-factor-based Resists server spoofing attack desynchronization attackand denial-of-service attack Cannot provide hierarchical authentication
[17] Two-factor-basedReduces authentication processing time required by
communication and computation between cloud serviceproviders and traditional trusted third-party service
Cannot resist service provider impersonationattack and has no user revocation facility
[18] Biometrics-based Provides three-factor security user revocationand reregistration Cannot provide hierarchical authentication
[19] Biometrics-based User anonymity perfect forward secrecy and resistanceto desynchronization attack Cannot provide hierarchical authentication
[21] Two-factor-based Provides user untraceability and perfect forward security Cannot provide hierarchical authentication[23] Biometric-based Uses chaotic map to improve efficiency Cannot provide hierarchical authentication
Security and Communication Networks 3
(2) RC selects an authentication parameter KRi isin Tand computes the Uirsquos private key dUi
(1(s +
H1(IDUieKRi))) middot P where e is the expire date of
the private key andT is an authentication right treeRC chooses a parameter ai isin T and sends dUi
ai1113966 1113967 toUi via a secure channel
(3) Ui computes (σi θi)⟵f(bi) using the fuzzy-ex-tractor generation procedure f(middot) [26] where σi is abiometric key θi is a public reproduction parameterand bi is hisher personal biometrics Ui computesA dUi
oplusH3(pwσ i) and uses the widely imple-mented fuzzy-verifier technique [27 28] to computeB H4((H4(IDUi
)H4(pwσ i))mod n0) where pwis hisher password and n0 is the integer that definesin [27] Finally Ui stores ai θi A B e f(middot)1113864
fminus 1(middot) t H1 H2 H3 H4 on its mobile devicewhere t is the threshold in fuzzy extractor f(middot) is theprobabilistic generation procedure for outputtingσi and θi fminus 1(middot) is the deterministic reproductionprocedure that can recover σi and θi from a newpersonal biometrics input
43 Service Provider Registration Phase If a service providerSj wants to register with the RC the following steps will beexecuted e main steps are provided in Table 4
(1) Sj sends hisher identity IDSjto RC via a secure
channel(2) RC computes the private key dSj
(1(s +
H1(IDSj))) middot P for Sj and sends dSj
1113954T1113882 1113883 to him via a
secure channel where 1113954T is an authentication righttree for service provider We will describe the detailof 1113954T in Section 45
(3) Finally Sj saves dSj 1113954T1113882 1113883
44 User and Service Provider Authentication Phase In thispart we show the mutual authentication phase between auser and a service provider without involving RC e mainsteps are provided in Table 5
(1) First Ui inputs hisher biometrics bi identity IDUi
and password pw into hisher mobile deviceMobile device computes σi fminus 1(θi bi) and Blowast
H4((H4(IDUi)H4(pwσi))mod n0) and verifies the
validity of inputted biometrics and password bycomputing Blowast
B If it holds mobile device retrieves
Uirsquos private key by computing dUi AoplusH3(pwσi)
and temporarily saves IDUi en Ui selects a tem-
porary session secret r1 calculates r1 H1(r1dUi)
and computes g1 gr1 C r1 middot (H1(IDSj)P + Ppub)
by using the identity of Sj Next Ui
computesD H1(IDUieIDSj
g1) E (r1 + D)middot
dUi and F (aiIDUi
eIDSj)oplusH2(gr1) Finally Ui
sends the login message C E F to Sj(2) After receiving C E F Sj checks whether IDUi
is inIDRL if IDUi
is not in IDRL Sj retrieves g1 usinghisher private key dSj
as g1 gr1 1113954e(C dSj) Sj re-
trieves ai D IDUi e IDSj
by computingFoplusH2(g1) Sj
computes KRi H4(KRi+1Li) where Li
H4(ai 1113954ai) and verifies 1113954e(E H1(IDUieKRi)middot
P + Ppub)
g1 middot gD If both are equal Ui is allowed toauthenticate with Sjen Sj selects a temporary sessionsecret 1113954r2 then heshe calculates r2 H1( 1113954r2dSj
) andcomputes g2 gr2 and session key is set assk H2(g
r21 ) H2(gr1r2) Finally Sj calculates G
H4(skg1g2IDSjC) and sends the message g2 G1113864 1113865
to Ui(3) Upon receiving g2 G1113864 1113865 Ui computes sk H2(g
r12 )
H2(gr1r2)and Glowast H4(skg1g2IDSjC) and
checks whether G and Glowast are equal If both are notequal Ui aborts the session Otherwise Ui con-firms Sj as a valid service provider and sets sk assession key between Ui and Sj
Table 2 Notations used in the proposed protocol
Notation DescriptionRC e registration centerUi e ith userSj e jth service providerA e adversaryIDUi
e identity of ith userIDSj
e identity of jth service providerpw e password of a userbi e ith userrsquos personal biometricsσi e biometric keye e private key expire parameter1113954r1 1113954r2 Random numbers from Zlowastqsk e session key
Concatenation operationT e authentication right tree1113954T e authentication right tree on service provider sideai 1113954ai e authentication right parametersKRi e ith node of the authentication right treeLi e subnode of KRi
f(middot) e fuzzy-extractor generation proceduref(middot)minus 1 e deterministic reproduction procedureHi(middot) Secure one-way hash functionsIDRL ID revocation list
KRn
KR1
L1
a1 a 1
L2
a2 a 2
KRnndash1
Lnndash1
anndash1
Ln
an
a nndash1KR2
hellip a n
Figure 1 Authentication right tree
4 Security and Communication Networks
45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree
451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi
denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right
Table 4 Service provider registration phase
Service provider Sj Registration center RC
⟶IDSj
secure channelComputes
dSj (1(s + H1(IDSj
))) middot P
larrdSj
1113954T1113966 1113967
secure channel
Stores dSj 1113954T1113882 1113883
Table 3 User registration phase
Mobile user Ui Registration center RC
⟶IDUi
secure channelComputes private key dUi
(1(s + H1(IDUieKRi))) middot P
and selects ai isin T
⟵dUi
ai1113966 1113967
secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)
B H4((H4(IDUi) H4(pwσi))mod n0) and stores
ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865
Table 5 User and service provider authentication phase
Mobile user Ui Service provider Sj
r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj
) middot P + Ppub)
D H1(IDUieIDSj
g1)
E (r1 + D) middot dUiF (aiIDUi
eIDSj)oplusH2(g1)
⟶CEF
Retrieves g1 gr1 1113954e(C dSj)(aiIDUi
eIDSj) FoplusH2(g1)
computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD andacceptsrejects
r2 H1( 1113954r2dSj) g2 gr2 sk H2(g
r21 )G H4(skg1g2IDSj
C)
⟵(Gg2)
Computes sk H2(gr12 )Glowast H4(skg1g2IDSj
C) checks
Glowast
G and acceptsrejects sk
Security and Communication Networks 5
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
(iii) Modified Bilinear Inverse DiffiendashHellman withk value (k-mBIDH) problem [12] given k ele-ments α1 α2 αk1113864 1113865(αi isin Zlowastq ) and k + 2 elementsτ middot P η middot P (1(τ + α1)) middot P (1(τ + α2)) middot P 1113864 (1
(τ + αk)) middot P each of them is in G1 it is hard tocompute 1113954e(P P)η(τ+α) where α notin α1 α2 αk1113864 1113865
and τ and η are two unknown elements in Zlowastq
A security system parameter generator used in theproposed protocol is introduced below
Gen(middot) the system parameter generator takes a securityparameter n and outputs system parameters a bilinear mapan elliptic curve a multiplicative group etc Intuitively thesystem parameters will be publicly known
e notations used in the proposed protocol are listed inTable 2
4 The Proposed Protocol
41 RC Initialization Phase Registration center runs thegeneration function Gen(1n) which takes a security pa-rameter n isin Z+ and outputs parameters as follows
(1) RC chooses two bilinear map groups G1 and G2 witha prime order q the generator P isin G1 and g
1113954e(P P) isin G2 where 1113954e G1 times G1⟶ G2 is a bilinearmap
(2) RC chooses cryptographic hash functions H1
0 1 lowast ⟶ Zlowastq H2 G2⟶ Zlowastq H3 0 1 lowast ⟶ G1H4 0 1 lowast ⟶ 0 1 n
(3) RC chooses a random number s⟵R Zlowastq as the masterkey computes the corresponding public keyPpub sP isin G1 and constructs an authenticationright tree T as Figure 1 e detail of the tree willbe described in Section 45 Finally RC publishesG1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967
42 User Registration Phase If a user Ui wants to regis-ter with the registration center RC the followingsteps will be executed e main steps are provided inTable 3
(1) Ui sends hisher identity IDUito RC via a secure
channel
Table 1 Related work summaries
Protocol Technique Advantage Disadvantage[1] Identity-based Lightweight and efficient Cannot provide user anonymity
[4] Identity-based Provides user anonymity resists server spoofingattack and impersonation attack etc
Cannot resist server spoofing attack andimpersonation attacks
[5] Biometrics-based First truly three-factor authenticated scheme Cannot resist known session-specifictemporary attack and the impersonation attack
[6] Biometrics-based Provides secure authentication and resists passiveand active attacks
Needs registration center online forauthentication
[7] Identity-based Security enhanced and supports smart card revocationand password update without centralized storage
Cannot resist the lost smart card attack andthe offline dictionary guessing attack
[8] Biometrics-based Efficient in terms of computation cost communicationcost and resists smart card storage cost High maintenance cost
[9] Biometrics-based Incurs low overhead suitable for deployment atmobile devices
Needs registration center online forauthentication
[10] Two-factor-based Security enhanced lightweight and efficient Needs registration center online forauthentication
[11] Identity-based Resists the server spoofing attack Needs registration center onlinefor authentication
[12] Identity-based Does not need registration center onlinefor authentication Cannot provide hierarchical authentication
[13] Identity-based Provides blackwhite list-free and simplerevocation mechanism
Cannot provide credentials privacy anduntraceability
[14] Identity-based Provides SK-security and strong credentialsrsquo privacy Cannot provide hierarchical authentication
[15] Identity-based Uses the self-certified public key cryptography andhas lower computation and communication costs Cannot provide hierarchical authentication
[16] Two-factor-based Resists server spoofing attack desynchronization attackand denial-of-service attack Cannot provide hierarchical authentication
[17] Two-factor-basedReduces authentication processing time required by
communication and computation between cloud serviceproviders and traditional trusted third-party service
Cannot resist service provider impersonationattack and has no user revocation facility
[18] Biometrics-based Provides three-factor security user revocationand reregistration Cannot provide hierarchical authentication
[19] Biometrics-based User anonymity perfect forward secrecy and resistanceto desynchronization attack Cannot provide hierarchical authentication
[21] Two-factor-based Provides user untraceability and perfect forward security Cannot provide hierarchical authentication[23] Biometric-based Uses chaotic map to improve efficiency Cannot provide hierarchical authentication
Security and Communication Networks 3
(2) RC selects an authentication parameter KRi isin Tand computes the Uirsquos private key dUi
(1(s +
H1(IDUieKRi))) middot P where e is the expire date of
the private key andT is an authentication right treeRC chooses a parameter ai isin T and sends dUi
ai1113966 1113967 toUi via a secure channel
(3) Ui computes (σi θi)⟵f(bi) using the fuzzy-ex-tractor generation procedure f(middot) [26] where σi is abiometric key θi is a public reproduction parameterand bi is hisher personal biometrics Ui computesA dUi
oplusH3(pwσ i) and uses the widely imple-mented fuzzy-verifier technique [27 28] to computeB H4((H4(IDUi
)H4(pwσ i))mod n0) where pwis hisher password and n0 is the integer that definesin [27] Finally Ui stores ai θi A B e f(middot)1113864
fminus 1(middot) t H1 H2 H3 H4 on its mobile devicewhere t is the threshold in fuzzy extractor f(middot) is theprobabilistic generation procedure for outputtingσi and θi fminus 1(middot) is the deterministic reproductionprocedure that can recover σi and θi from a newpersonal biometrics input
43 Service Provider Registration Phase If a service providerSj wants to register with the RC the following steps will beexecuted e main steps are provided in Table 4
(1) Sj sends hisher identity IDSjto RC via a secure
channel(2) RC computes the private key dSj
(1(s +
H1(IDSj))) middot P for Sj and sends dSj
1113954T1113882 1113883 to him via a
secure channel where 1113954T is an authentication righttree for service provider We will describe the detailof 1113954T in Section 45
(3) Finally Sj saves dSj 1113954T1113882 1113883
44 User and Service Provider Authentication Phase In thispart we show the mutual authentication phase between auser and a service provider without involving RC e mainsteps are provided in Table 5
(1) First Ui inputs hisher biometrics bi identity IDUi
and password pw into hisher mobile deviceMobile device computes σi fminus 1(θi bi) and Blowast
H4((H4(IDUi)H4(pwσi))mod n0) and verifies the
validity of inputted biometrics and password bycomputing Blowast
B If it holds mobile device retrieves
Uirsquos private key by computing dUi AoplusH3(pwσi)
and temporarily saves IDUi en Ui selects a tem-
porary session secret r1 calculates r1 H1(r1dUi)
and computes g1 gr1 C r1 middot (H1(IDSj)P + Ppub)
by using the identity of Sj Next Ui
computesD H1(IDUieIDSj
g1) E (r1 + D)middot
dUi and F (aiIDUi
eIDSj)oplusH2(gr1) Finally Ui
sends the login message C E F to Sj(2) After receiving C E F Sj checks whether IDUi
is inIDRL if IDUi
is not in IDRL Sj retrieves g1 usinghisher private key dSj
as g1 gr1 1113954e(C dSj) Sj re-
trieves ai D IDUi e IDSj
by computingFoplusH2(g1) Sj
computes KRi H4(KRi+1Li) where Li
H4(ai 1113954ai) and verifies 1113954e(E H1(IDUieKRi)middot
P + Ppub)
g1 middot gD If both are equal Ui is allowed toauthenticate with Sjen Sj selects a temporary sessionsecret 1113954r2 then heshe calculates r2 H1( 1113954r2dSj
) andcomputes g2 gr2 and session key is set assk H2(g
r21 ) H2(gr1r2) Finally Sj calculates G
H4(skg1g2IDSjC) and sends the message g2 G1113864 1113865
to Ui(3) Upon receiving g2 G1113864 1113865 Ui computes sk H2(g
r12 )
H2(gr1r2)and Glowast H4(skg1g2IDSjC) and
checks whether G and Glowast are equal If both are notequal Ui aborts the session Otherwise Ui con-firms Sj as a valid service provider and sets sk assession key between Ui and Sj
Table 2 Notations used in the proposed protocol
Notation DescriptionRC e registration centerUi e ith userSj e jth service providerA e adversaryIDUi
e identity of ith userIDSj
e identity of jth service providerpw e password of a userbi e ith userrsquos personal biometricsσi e biometric keye e private key expire parameter1113954r1 1113954r2 Random numbers from Zlowastqsk e session key
Concatenation operationT e authentication right tree1113954T e authentication right tree on service provider sideai 1113954ai e authentication right parametersKRi e ith node of the authentication right treeLi e subnode of KRi
f(middot) e fuzzy-extractor generation proceduref(middot)minus 1 e deterministic reproduction procedureHi(middot) Secure one-way hash functionsIDRL ID revocation list
KRn
KR1
L1
a1 a 1
L2
a2 a 2
KRnndash1
Lnndash1
anndash1
Ln
an
a nndash1KR2
hellip a n
Figure 1 Authentication right tree
4 Security and Communication Networks
45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree
451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi
denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right
Table 4 Service provider registration phase
Service provider Sj Registration center RC
⟶IDSj
secure channelComputes
dSj (1(s + H1(IDSj
))) middot P
larrdSj
1113954T1113966 1113967
secure channel
Stores dSj 1113954T1113882 1113883
Table 3 User registration phase
Mobile user Ui Registration center RC
⟶IDUi
secure channelComputes private key dUi
(1(s + H1(IDUieKRi))) middot P
and selects ai isin T
⟵dUi
ai1113966 1113967
secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)
B H4((H4(IDUi) H4(pwσi))mod n0) and stores
ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865
Table 5 User and service provider authentication phase
Mobile user Ui Service provider Sj
r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj
) middot P + Ppub)
D H1(IDUieIDSj
g1)
E (r1 + D) middot dUiF (aiIDUi
eIDSj)oplusH2(g1)
⟶CEF
Retrieves g1 gr1 1113954e(C dSj)(aiIDUi
eIDSj) FoplusH2(g1)
computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD andacceptsrejects
r2 H1( 1113954r2dSj) g2 gr2 sk H2(g
r21 )G H4(skg1g2IDSj
C)
⟵(Gg2)
Computes sk H2(gr12 )Glowast H4(skg1g2IDSj
C) checks
Glowast
G and acceptsrejects sk
Security and Communication Networks 5
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
(2) RC selects an authentication parameter KRi isin Tand computes the Uirsquos private key dUi
(1(s +
H1(IDUieKRi))) middot P where e is the expire date of
the private key andT is an authentication right treeRC chooses a parameter ai isin T and sends dUi
ai1113966 1113967 toUi via a secure channel
(3) Ui computes (σi θi)⟵f(bi) using the fuzzy-ex-tractor generation procedure f(middot) [26] where σi is abiometric key θi is a public reproduction parameterand bi is hisher personal biometrics Ui computesA dUi
oplusH3(pwσ i) and uses the widely imple-mented fuzzy-verifier technique [27 28] to computeB H4((H4(IDUi
)H4(pwσ i))mod n0) where pwis hisher password and n0 is the integer that definesin [27] Finally Ui stores ai θi A B e f(middot)1113864
fminus 1(middot) t H1 H2 H3 H4 on its mobile devicewhere t is the threshold in fuzzy extractor f(middot) is theprobabilistic generation procedure for outputtingσi and θi fminus 1(middot) is the deterministic reproductionprocedure that can recover σi and θi from a newpersonal biometrics input
43 Service Provider Registration Phase If a service providerSj wants to register with the RC the following steps will beexecuted e main steps are provided in Table 4
(1) Sj sends hisher identity IDSjto RC via a secure
channel(2) RC computes the private key dSj
(1(s +
H1(IDSj))) middot P for Sj and sends dSj
1113954T1113882 1113883 to him via a
secure channel where 1113954T is an authentication righttree for service provider We will describe the detailof 1113954T in Section 45
(3) Finally Sj saves dSj 1113954T1113882 1113883
44 User and Service Provider Authentication Phase In thispart we show the mutual authentication phase between auser and a service provider without involving RC e mainsteps are provided in Table 5
(1) First Ui inputs hisher biometrics bi identity IDUi
and password pw into hisher mobile deviceMobile device computes σi fminus 1(θi bi) and Blowast
H4((H4(IDUi)H4(pwσi))mod n0) and verifies the
validity of inputted biometrics and password bycomputing Blowast
B If it holds mobile device retrieves
Uirsquos private key by computing dUi AoplusH3(pwσi)
and temporarily saves IDUi en Ui selects a tem-
porary session secret r1 calculates r1 H1(r1dUi)
and computes g1 gr1 C r1 middot (H1(IDSj)P + Ppub)
by using the identity of Sj Next Ui
computesD H1(IDUieIDSj
g1) E (r1 + D)middot
dUi and F (aiIDUi
eIDSj)oplusH2(gr1) Finally Ui
sends the login message C E F to Sj(2) After receiving C E F Sj checks whether IDUi
is inIDRL if IDUi
is not in IDRL Sj retrieves g1 usinghisher private key dSj
as g1 gr1 1113954e(C dSj) Sj re-
trieves ai D IDUi e IDSj
by computingFoplusH2(g1) Sj
computes KRi H4(KRi+1Li) where Li
H4(ai 1113954ai) and verifies 1113954e(E H1(IDUieKRi)middot
P + Ppub)
g1 middot gD If both are equal Ui is allowed toauthenticate with Sjen Sj selects a temporary sessionsecret 1113954r2 then heshe calculates r2 H1( 1113954r2dSj
) andcomputes g2 gr2 and session key is set assk H2(g
r21 ) H2(gr1r2) Finally Sj calculates G
H4(skg1g2IDSjC) and sends the message g2 G1113864 1113865
to Ui(3) Upon receiving g2 G1113864 1113865 Ui computes sk H2(g
r12 )
H2(gr1r2)and Glowast H4(skg1g2IDSjC) and
checks whether G and Glowast are equal If both are notequal Ui aborts the session Otherwise Ui con-firms Sj as a valid service provider and sets sk assession key between Ui and Sj
Table 2 Notations used in the proposed protocol
Notation DescriptionRC e registration centerUi e ith userSj e jth service providerA e adversaryIDUi
e identity of ith userIDSj
e identity of jth service providerpw e password of a userbi e ith userrsquos personal biometricsσi e biometric keye e private key expire parameter1113954r1 1113954r2 Random numbers from Zlowastqsk e session key
Concatenation operationT e authentication right tree1113954T e authentication right tree on service provider sideai 1113954ai e authentication right parametersKRi e ith node of the authentication right treeLi e subnode of KRi
f(middot) e fuzzy-extractor generation proceduref(middot)minus 1 e deterministic reproduction procedureHi(middot) Secure one-way hash functionsIDRL ID revocation list
KRn
KR1
L1
a1 a 1
L2
a2 a 2
KRnndash1
Lnndash1
anndash1
Ln
an
a nndash1KR2
hellip a n
Figure 1 Authentication right tree
4 Security and Communication Networks
45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree
451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi
denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right
Table 4 Service provider registration phase
Service provider Sj Registration center RC
⟶IDSj
secure channelComputes
dSj (1(s + H1(IDSj
))) middot P
larrdSj
1113954T1113966 1113967
secure channel
Stores dSj 1113954T1113882 1113883
Table 3 User registration phase
Mobile user Ui Registration center RC
⟶IDUi
secure channelComputes private key dUi
(1(s + H1(IDUieKRi))) middot P
and selects ai isin T
⟵dUi
ai1113966 1113967
secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)
B H4((H4(IDUi) H4(pwσi))mod n0) and stores
ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865
Table 5 User and service provider authentication phase
Mobile user Ui Service provider Sj
r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj
) middot P + Ppub)
D H1(IDUieIDSj
g1)
E (r1 + D) middot dUiF (aiIDUi
eIDSj)oplusH2(g1)
⟶CEF
Retrieves g1 gr1 1113954e(C dSj)(aiIDUi
eIDSj) FoplusH2(g1)
computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD andacceptsrejects
r2 H1( 1113954r2dSj) g2 gr2 sk H2(g
r21 )G H4(skg1g2IDSj
C)
⟵(Gg2)
Computes sk H2(gr12 )Glowast H4(skg1g2IDSj
C) checks
Glowast
G and acceptsrejects sk
Security and Communication Networks 5
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree
451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi
denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right
Table 4 Service provider registration phase
Service provider Sj Registration center RC
⟶IDSj
secure channelComputes
dSj (1(s + H1(IDSj
))) middot P
larrdSj
1113954T1113966 1113967
secure channel
Stores dSj 1113954T1113882 1113883
Table 3 User registration phase
Mobile user Ui Registration center RC
⟶IDUi
secure channelComputes private key dUi
(1(s + H1(IDUieKRi))) middot P
and selects ai isin T
⟵dUi
ai1113966 1113967
secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)
B H4((H4(IDUi) H4(pwσi))mod n0) and stores
ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865
Table 5 User and service provider authentication phase
Mobile user Ui Service provider Sj
r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj
) middot P + Ppub)
D H1(IDUieIDSj
g1)
E (r1 + D) middot dUiF (aiIDUi
eIDSj)oplusH2(g1)
⟶CEF
Retrieves g1 gr1 1113954e(C dSj)(aiIDUi
eIDSj) FoplusH2(g1)
computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD andacceptsrejects
r2 H1( 1113954r2dSj) g2 gr2 sk H2(g
r21 )G H4(skg1g2IDSj
C)
⟵(Gg2)
Computes sk H2(gr12 )Glowast H4(skg1g2IDSj
C) checks
Glowast
G and acceptsrejects sk
Security and Communication Networks 5
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn
2 bits and the first (160 minus logn2) bits should be
a random string
452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have
453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn
2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi
eKRi) middot P + Ppub)
g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn
2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi
eKR10) middot P + Ppub)
g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication
46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi
If dUihas
already expired RC issues Ui a new private key with a newexpire date If dUi
has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi
to its ID revocation list (IDRL)
and board casts IDUito all service providers After received
IDUi service providers save it into their local storage
5 Security Proof
In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements
51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967
respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows
(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively
(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol
(iii) A is in full control of the communication channelbetween the protocol participants
(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both
KRn
KRnndash1
a n
Figure 2 Authentication right tree on nth level service provider
KRn
KRnndash1
a n
KR2
KR1
a 1
a 2
hellip
a nndash1
Figure 3 Authentication right tree on jth level service provider
6 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime
private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)
A can issue queries to C and get answers from it asfollows
(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist
i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj
to A(ii) ExtractUID (IDUi
) A issues queries of useridentity IDUi
andC generates users private key dUi
and stores langIDUi dUi
rang into list ElistdUi
(iii) ExtractSID (IDSj
) A issues queries of serviceproviderrsquos identity IDSj
and C generates serviceproviderrsquos private key dSj
and stores langIDSj dSj
rang
into list ElistdSj
(iv) Send (Πl
Λ) A issues query of the message m andC runs the protocol and returns the result to A
(v) SKReveal (ΠlΛ)A issues query and C returns the
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) A issues the query of userrsquos
identity IDUi and C returns userrsquos private key dUi
to A(vii) CorruptSID (IDSj
) A issues the query of serviceproviderrsquos identity IDSj
and C returns serviceproviderrsquos private key dSj
to A(viii) Test (Πl
Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl
Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A
After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl
Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|
Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A
A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA
Σ (A)
Pr[E US ] + Pr[E SU ]
Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA
Σ (A) isnegligible for any polynomial-time adversary A
52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above
Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ
Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability
Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi
and answersArsquos queries according tothe following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise
Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist
i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUi
ini-tialized empty When receiving the query IDUi
Cchecks if langIDUi
dUirang exists in Elist
dUi
then C senddUi
to A otherwise C executes the operations asfollows
(1) If IDUi IDUch
C sets H1(IDUi)⟵ α
dUi⟵perp and stores langIDUi
αrang into Hlist1
langIDUi dUi
rang into ElistU
(2) Otherwise if IDUine IDUch
C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch
1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and
stores langIDUi αirang in Hlist
1 langIDUi dUi
rang in ElistdUi
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
If yesC send
dSjto A otherwise C randomly picks rdSj
isin Zlowastq
and computes dSj (1(s + rdSj
)) middot P C storeslangIDSj
dSjrang into Elist
dSj
langIDSj rdSj
rang into Hlist1 and
sends dSjto A
(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes
C aborts the game otherwise C operatesaccording to protocol Σ
(v) SKReveal (ΠlΛ) after received the query C sends
session key produced in ΠlΛ to A
(vi) CorruptUID (IDUi) C searches for langIDUi
dUirang in
ElistdUi
and returns dUito A
(vii) CorruptSID (IDSj) C searches for langIDSj
dSjrang in
ElistdSj
and returns dSjto A
(viii) Test (ΠlΛ) C randomly picks a number with the
same length of session key and sends it to A
At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi
If IDUine IDUch
C abortsthe game Based on the forking lemma [37] A can output
Security and Communication Networks 7
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi
iscomputed by rising g to the power of a random numberchose by A
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gD
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi
middot gDprime
(1)
Based on the two equations above we get the followingequations
1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873
gUi
middot gD
gUimiddot gDprime
gDminus Dprime
(2)
C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows
(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi
and IDUIare equal
Let l denote the number of bits in biometric data qSendand qH1
denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1
)erefore the nonnegligible probability thatC can solve
the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2
11138681113868111386811138681113960 1113961
Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge
1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend
qH1
middot ε
+ max Cprime middot qs primeSend
qSend
2l1113882 1113883
(3)
is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability
Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability
Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability
Given an instance (P y middot P z middot P (1(y + α1)) middot P
(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966
g H1 H2 H3 H4 toAC randomly selects IDUiand answers
Arsquos queries according to the following description
(i) Hi(qj) C maintains a list Hlisti initialized empty
Upon receiving the query qj C checks if langqj rjrang
exists in Hlisti If yes C sends rj to A otherwise C
randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti
then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi
) C maintains a list ElistdUiinitialized empty When receiving the query IDUi
C checks if langIDUi dUi
rang exists in ElistdUi
and then C
sends dUito A otherwise C randomly picks
rdUiisin Zlowastq and computes dUi
(1(s + rdUi)) middot P C
stores langIDUi dUi
rang in ElistdUi
langIDUi rdUi
rang in Hlist1 and
sends dUito A
(iii) ExtractSID (IDSj) C maintains a list Elist
dSjinitialized empty When receiving the query IDSj
C checks if langIDSj dSj
rang exists in ElistdSj
and then C
sends dSjto A otherwise C executes the oper-
ations as follows
(1) If IDSj IDSch
C sets H1 IDUi1113966 1113967⟵α and stores
langIDSj αrang into Hlist
1 langIDSjperprang into Elist
dSj
(2) Otherwise if IDSjne IDSch
C randomly selects
αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and
stores langIDSj αirang in Hlist
1 langIDSj αi (1(s + αi)) middot
Prang in ElistdSj
(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes
C aborts the game otherwiseC operates accordingto the proposed protocol Σ
Finally A outputs a response message correspondingto identity IDSj
C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows
(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ
and IDSchare equal
Let qSend qH1 and qH2
denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1
middot qH2)) erefore the non-
negligible probability that C can solve the k-mBIDHproblem is given by
Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2
1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859
ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857
qSend
qH1middot qH2
middot ε(4)
is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability
Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard
8 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure
Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard
Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability
Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)
Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations
ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859
andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961
Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2
minus Pr E US 1113960 1113961
(5)
Since Pr[ETS andE US ] Pr[ETU] we get
Pr ETS andE US 1113960 1113961geε4
minusPr E US 1113960 1113961
2 (6)
We get the probability as follows
Pr sk H2 gr1r2( 1113857
1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge
ε4
minusPr E US 1113960 1113961
2 (7)
According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard
53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows
(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration
(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi
and IDSjcan au-
thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication
(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi
is only in the messageF (DIDUi
eIDSj)oplusH2(gr1) To get IDUi
ad-versary needs to compute gr1 from C
r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-
versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard
(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj
) middot P +
Ppub) gr1 F (aiDIDUieIDSj
)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability
(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement
(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj
) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g
r21 g
r12 gr1r2 where g1 gr1
g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard
(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-
Security and Communication Networks 9
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
channel attack the adversary can extract the dataB H4(IDUi
H4(pwσ i)) A dUioplusH3(pwσ i)
e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi
ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack
(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table
(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center
(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi
(1(s + H1(IDUieKRi))) middot P when au-
thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi
eKRi)middot P + Ppub)
g1 middot gD holds(xi) e resistance of various attacks the proposed
protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows
(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi
because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi
erefore the proposed protocolis secure against temporary information attack
(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi
H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack
(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack
(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack
(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1
1113954e(C dSj) and 1113954e(E H1(IDUi
eKRi) middot P +
Ppub)
g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj
) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack
(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1
g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack
(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack
54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows
C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing
10 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
Tabl
e6
Performance
comparison
Protocol
roun
ds
Com
putatio
ncost
Com
mun
ication
cost
Storagecost
Security
requ
irem
ents
Usersid
eServer
side
User
side
Server
side
C1
C2
C3
C4
C5
C6
C7
C8
C9
C10
C11
C12
C13
Odelu
etal[14]
3T
mtp
+4T
h+3T
sm
+2T
expasymp78
519
Tm
tp+4T
h+4T
exp
+T
sm
+Tmul
+2T
bpasymp15
303
832
672
1674
Heet
al
[15]
32T
sm+
Tp
a+2T
exp
+8T
h
asymp31
837
Tbp
+4T
exp
+2T
mul
+5T
hasymp5246
2240
1184
3424
Ours
23T
sm+2T
exp
+T
pa
+6T
hasymp45
354
2Tbp
+4T
exp
+T
sm+
Tp
a
+Tmul
+7T
hasymp11
107
896
672
1834
Security and Communication Networks 11
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied
6 Performance Comparison
We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +
1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number
61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper
(i) Tbp the running time of a bilinear pairingoperation
(ii) Tsm the running time of a scalar multiplicationoperation in G1
(iii) Tmtp the running time of a map-to-point hashfunction in G1
(iv) Tpa the running time of a point addition operationin G1
(v) Texp the running time of an exponentiation op-eration in G2
(vi) Tmul the running time of a multiplication operationin G2
(vii) Th the running time of a general hash operation
e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7
We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6
62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi
CUirequire 1024 + 32+1024 + 160 2240 bits
and on server side messages y αSjrequire 1024 + 1601184
bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6
63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti
ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user
needs to store Rui y asj
gUiψUi
vUi bUi
1113882 1113883 which costs 3230
Table 7 e running time of related operations (milliseconds)
Tmtp Tbp Tsm Tpa Texp Tmul Th
User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006
12 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits
7 Conclusion
In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture
Data Availability
No data were used to support this study
Conflicts of Interest
e authors declare that there are no conflicts of interestregarding the publication of this article
Acknowledgments
is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)
References
[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009
[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018
[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012
[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015
[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015
[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security
modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017
[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017
[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018
[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018
[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018
[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005
[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016
[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017
[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016
[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016
[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015
[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017
[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017
[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018
[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018
[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018
Security and Communication Networks 13
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks
[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018
[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004
[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018
[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004
[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015
[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018
[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988
[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom
[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017
[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017
[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998
[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002
[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017
[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001
[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000
[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-
server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017
[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016
[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018
[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018
[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home
14 Security and Communication Networks