Mobile Networks and Applications
https://doi.org/10.1007/s11036-018-1145-5
Identity-Based User Authenticated Key Agreement Protocol
for Multi-Server Environment with Anonymity
Alzubair Hassan (1) · Anyembe Andrew Omala (1) · Mohamed Ali (2) · Chunhua Jin (3) · Fagen Li (1)
©Springer Science+Business Media, LLC, part of Springer Nature 2018
Abstract
A multi-server environment is an important application paradigm in the Internet of Things (IoT). It enables a user to access services from different vendors without having to go through multiple registrations. The privacy of one who desires to access these services is often crucial. In order to access these services in a manner that assures user privacy, a user needs to be anonymously authenticated independent of the vendors' services. However, existing identity-based anonymous schemes are only suitable for the client-server domain. Moreover, these schemes provide conditional anonymity, which presupposes that if an adversary discovers the user's private key, the identity can easily be recovered and misused. To avoid this situation, a new unconditionally anonymous identity-based user authenticated key agreement scheme for the IoT multi-server environment is introduced in this paper. Our protocol applies a ring signature to allow users to anonymously authenticate themselves to the servers without revealing their identities. Hence, an adversary cannot recover the user's identity even when the user's private key is known. We further provide a security proof in the random oracle model. Compared with the existing protocols, our proposed scheme is well suited to mobile phone applications and guarantees the privacy of users in the IoT multi-server domain.
Keywords: Anonymous user authentication · Multi-server environment · Bilinear pairing · Random oracle model
Fagen Li
fagenli@uestc.edu.cn
Alzubair Hassan
alzubairuofk@gmail.com
Anyembe Andrew Omala
andromala@gmail.com
Mohamed Ali
mody231279@yahoo.com
Chunhua Jin
xajch0206@163.com
1 Center for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
2 School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
3 The Laboratory for Internet of Things and Mobile Internet Technology of Jiangsu Province, Huaiyin Institute of Technology, Huaian 223003, China

1 Introduction
The Internet of Things (IoT) is a growing concept applied to establish a robust network of devices, all embedded with electronics, sensors etc. that enable them to exchange and analyze data. Recently, mobile devices have become widely used in our daily lives as part of the IoT to receive services from servers, such as in e-government, health monitoring, smart home, smart city and electronic medical applications. In the IoT, a multi-server environment provides several services which can be accessed by the client through different wireless networks.
Whenever a remote user wishes to access services from numerous servers in an IoT environment, a specific identity and password must be registered with each server to obtain legitimate access. However, it is difficult for the user to remember the access passwords for all the servers, especially when large numbers are involved. Several schemes [1–3] have been presented to address remote user authentication in a single client-server environment. However, these schemes are only applicable in a single client-server environment [4]. Therefore, it is necessary to offer a user authentication protocol that can work effectively in a multi-server environment.
The concept of a signature has been used to provide user authentication. In a traditional signature, the sender uses his private key to sign the message. Then, the receiver verifies the sender's signature by using the assigned public key. Therefore, the receiver has prior knowledge of the sender's identity. In a multi-server environment where IoT operates, knowledge of the user's identity by the server poses a considerable risk to privacy. With the concept of a ring signature [5], however, the sender chooses a set of users and values related to these users. Then, the sender uses his private key to connect the values in series as well as to sign the message using these values. The receiver verifies the ring signature by computing the values related to the set of users from the message and the possible users' public keys. Thus, the receiver knows that the message was signed by one of the numerous independent senders, but cannot distinguish the actual signer. The signer in a ring signature scheme randomly chooses the users in the process of signing the message, and advance knowledge of the users is not required. Therefore, the signature verification should be correct and should not give any information about the signer's identity.
Anonymity has the following five security levels, as mentioned in [6]: (a) In level 0 (void anonymity), the identities of the users are not allowed to be hidden, which means there is no anonymity; (b) In level 1 (apparent anonymity), the users can obtain anonymity using indirect personal information about their identities; (c) In level 2 (revocable anonymity), the personal information about a special group of users acts as trusted entities without rejecting high-level anonymity; (d) In level 3 (conditional anonymity), the users can hide their identities if they follow the policies and the rules, e.g. if the users encrypt their identities and an adversary knows the users' private keys, he/she can recover the identities of the users; (e) In level 4 (unconditional anonymity), the users can recognize a service as unconditionally anonymous, e.g. even if an adversary knows the users' private keys, he/she cannot recover their identities.
Indeed, user authentication, key agreement, mutual authentication and privacy preservation should be ensured in the IoT environment to offer authentication, data confidentiality, integrity, non-repudiation and privacy preservation. For instance, in electronic medical systems, to keep the privacy of the clients from the medical system provider and the network administrator, it is important to protect the identities of the clients and to limit access to their locations. Thus, we need to offer a user authentication protocol for this environment that can provide unconditional anonymity as well as non-traceability.
1.1 Related work
Identity-based cryptography (IBC) [7] was introduced to overcome the problems associated with traditional public-key cryptography. To eliminate the complexity of digital certificates, IBC uses a user's attributes, such as an email address or a phone number, as the public key, while the private key is created by the private key generator (PKG). Therefore, the user's keys are critical for identification and do not need to be revoked. Since then, the use of IBC in the design of user authentication schemes has remained active. In 2001, Li et al. [8] introduced a user authentication scheme for the multi-server environment based on neural networks. In 2004, Juang [9] demonstrated that Li et al.'s protocol is not suitable for practical application because of the huge communication and processing amount required to train the network. Therefore, he introduced an authentication protocol using a hash function and a symmetric key cryptosystem. Unfortunately, Chang and Lee [10] showed that Juang and Lee's protocol is vulnerable to an off-line dictionary attack. They proposed a protocol to overcome this vulnerability of Juang and Lee's protocol. Since then, Liao and Wang [11] proposed a dynamic identity-based authentication protocol for a multi-server environment. They claimed that their protocol could resist various attacks. But Hsiang and Shih [12] found that Liao and Wang's protocol is vulnerable to an insider attack, a masquerade attack, a server spoofing attack and a registration center spoofing attack. To enhance the security, they proposed an improved protocol. In 2011, Sood et al. [13] demonstrated that Hsiang and Shih's protocol cannot provide mutual authentication and is vulnerable to a masquerade attack and a server spoofing attack. They also proposed a protocol to improve the security. Li et al. [14] pointed out that Sood et al.'s protocol is vulnerable to a leak-of-verifier attack and a stolen smart card attack. To overcome this weakness, they proposed an improved protocol. However, Han [15] pointed out that Li et al.'s protocol is vulnerable to the replay attack, the password guessing attack and the masquerade attack. In 2013, Yoon and Yoo [16] proposed a biometric user authentication protocol with key agreement for smart cards without a verification table, to reduce the complication of the hash operation between all users. To solve the previous security weaknesses, Khan et al. [17] proposed a new dynamic identity-based authentication protocol using elliptic curve cryptography (ECC). Han and Zhu [18] proposed a new identity-based mutual authentication protocol without bilinear pairings to improve the performance. He and Wang [19] proposed a biometric-based authentication protocol for the multi-server environment using ECC. They claimed that their protocol could overcome the weaknesses of previous schemes in terms of computation and communication costs. Shen et al. [20] found that Yoon and Yoo's protocol is not secure against three kinds of attacks and proposed an improved scheme for the multi-server environment using biometrics and ECC. In 2017, Tseng et al. [21] proposed a user authentication and key agreement protocol based on an identity-based cryptosystem. They claimed that their protocol resists ephemeral secret leakage (ESL) attacks in mobile multi-server environments. Furthermore, their protocol requires the lowest communication overhead.
Anonymous user authentication has been studied widely. Some anonymous user protocols have been presented based on smart cards and biometrics [22, 23], self-certified public key cryptography [24, 25], identity-based public key cryptography [26, 27] and chaotic maps [28, 29]. According to the anonymity classification in [6], none of the works mentioned above can entirely satisfy the unconditional requirement for maintaining user privacy.
Since Rivest et al. [30] introduced the ring signature scheme based on public key infrastructure (PKI), several ID-based ring signature schemes have been proposed to reduce the computational cost related to PKI. Zhang and Kim [31] introduced the first ID-based ring signature. Later, Lin and Wu [32] suggested a more efficient ID-based ring signature scheme. Unfortunately, a study conducted by Awasthi and Lal [33] found that [31] and [32] have some problems, which were rectified in their proposed scheme. In a related development, Herranz and Saez [34] introduced a new scheme for anonymous subsets. Subsequently, Chow et al. [35] introduced the ID-based threshold ring signature scheme. However, the above-mentioned schemes, whose cost depends on the size of the group, are associated with a high computational cost. To overcome this issue, Chow et al. [5] proposed a scheme that requires only two bilinear pairings and is hence computationally efficient.
1.2 Contribution
This work introduces a new user authentication and key agreement protocol for the multi-server environment with anonymity. To provide unconditional anonymity in the IoT multi-server environment, the proposed protocol uses a ring signature to allow users to anonymously authenticate themselves to the servers without revealing their identities. Though the servers recognize the client as a member of the ring, the exact identity is unknown. In contrast, in the traditional group signature, where anonymity is conditional, the possibility of learning the client's identity can compromise user privacy. Therefore, the application of our proposed scheme can assure the privacy of the client for improved user confidence in the multi-server environment in which IoT operates.
1.3 Organization
This paper is organized as follows. In Section 2, preliminaries are given. In Sections 3 and 4, the proposed scheme and its security analysis are presented respectively. In Section 5, the performance analysis is provided. In Section 6, the application scenario is given. Finally, a conclusion is drawn in Section 7.
2 Preliminaries
2.1 Bilinear pairings
Let $G_1$ be an additive group and $G_2$ a multiplicative group, both of the same prime order $q$, and let $P$ be a generator of $G_1$. A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$. The properties of a bilinear pairing, as described in [36, 37], are as follows:
1. Bilinearity: for all $a, b \in \mathbb{Z}_q^*$ and all $Q, P \in G_1$, $e(aQ, bP) = e(Q, P)^{ab}$.
2. Non-degeneracy: for $Q, P \in G_1$, with $1_{G_2}$ the identity of $G_2$, $e(Q, P) \neq 1_{G_2}$.
3. Computability: $e(Q, P)$ can be computed efficiently for all $Q, P \in G_1$.

Computational Diffie-Hellman (CDH) problem: given $(P, aP, bP) \in G_1$ with $a, b \in \mathbb{Z}_q^*$, compute $abP$.

Bilinear Diffie-Hellman (BDH) problem: given $(P, aP, bP, cP) \in G_1$ with $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc}$.
2.2 The algorithm of our protocol
Our protocol consists of a Setup phase, a Key extract phase and a User authenticated key agreement phase. The algorithm of our protocol is given as follows:

Setup($1^\lambda$): This phase is executed by the registration center (RC). RC takes a security parameter $\lambda$ as its input. RC generates a master private key $x$ corresponding to the master public key $P_{pub}$, and public parameters $params$. Then, RC publishes $params$ and $P_{pub}$, and keeps $x$ secret.

Key extract: This phase is executed by the RC. RC takes as inputs the system parameters $params$, the master private key, and the user's or the server's identity $ID_u$, where $u \in \{C_i, S_j\}$. Then, the RC returns the private key $D_u$ and the public key $Q_u$ to the user or the server. Upon receiving $D_u$, the user and the server can verify its validity.

User authenticated key agreement: This phase is executed by the user and the server to authenticate each other and to agree on a session key for use in future communication.
2.3 Security model
The abilities of an adversary $A$ and the security requirements for mutual authentication and key exchange are described in this section. An instance $\lambda$ of a member $u$ is denoted $\Pi_u^{\lambda}$. The challenger $F$ responds to the queries of the adversary $A$ as follows:
1. Setup($1^\lambda$): The algorithm takes as input a security parameter $\lambda$. $F$ executes the Setup algorithm to generate a master secret key $x \in \mathbb{Z}_q^*$, a master public key $P_{pub}$ and system parameters $params$. The system parameters $params$ are delivered to the adversary $A$, with $x$ remaining secret.
2. Probing: Then $A$ can issue a polynomially bounded number of queries in an adaptive manner:
(a) Extract($ID_u$) query: $A$ can obtain the private key of any identity $ID_u$ except the targeted identity $ID_t$.
(b) Send($\Pi_u^{\lambda}, M$) query: Whenever a message $M$ is sent according to our proposal from $A$ to $F$, $F$ performs the computation and responds to $A$.
(c) Reveal($\Pi_u^{\lambda}, M$) query: If the session key $sk$ has been accepted, $A$ obtains it from $F$; if it has not, $F$ replies with null.
(d) Corrupt($u$) query: With the aim of compromising the user's private key, $A$ issues a Corrupt query on a member $u$ to $F$.
(e) Test($\Pi_u^{\lambda}$) query: $F$ tosses a fair coin $w$ after a single Test query is sent by $A$. If $w = 1$, the session key $sk$ is given to $A$; otherwise, a random string is returned. The semantic security of $sk$ is captured by this query.
Afterwards, $A$ outputs $w'$ as its guess for $w$. The advantage of $A$ is defined as $Adv(A) = |\Pr[w' = w] - 1/2|$, where $\Pr[w' = w]$ denotes the probability that $w' = w$.
3 Proposed protocol
Our protocol consists of a setup phase, a key extract phase and a user authenticated key agreement phase. We have used Chow et al.'s identity-based ring signature [5]. This paper uses the notations in Table 1. The proposed protocol's phases are illustrated as follows:

Table 1 Symbols
Notation          Explanation
----------------  ----------------------------------------------
$\lambda$         A security parameter
$G_1$             A cyclic additive group
$G_2$             A cyclic multiplicative group
$q$               The prime order of $G_1$ and $G_2$
$P$               A generator of $G_1$
$e$               A bilinear map $e: G_1 \times G_1 \to G_2$
$H_i$             A one-way hash function, where $i = 1, 2, 3$
RC                Registration Center
$x$               RC's master secret key
$P_{pub}$         RC's master public key
$u$               A client or a server, $u \in \{C_i, S_j\}$
$ID_u$            A participant's identity
$D_u$             A client's or server's private key
$Q_u$             A client's or server's public key
$dx$              The actual signer's index
$ID_t$            A challenged identity
3.1 Setup phase
This phase is executed by the RC as follows:
1. Take as input a security parameter $\lambda$ and generate the parameters.
2. Choose two cyclic groups $G_1$ and $G_2$ of the same prime order $q$ and the bilinear pairing $e: G_1 \times G_1 \to G_2$; $P$ is a generator of $G_1$.
3. Choose $x \in \mathbb{Z}_q^*$ as the master secret key, set $P_{pub} = xP$, and select the following cryptographically secure hash functions: $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \times G_1 \times G_1 \to \mathbb{Z}_q^*$, $H_3: G_1 \times \{0,1\}^* \times \mathbb{Z}_q^* \times G_1 \times G_1 \to \mathbb{Z}_q^*$ and $H_4: G_1 \times \{0,1\}^* \times \mathbb{Z}_q^* \times G_1 \times G_1 \times \mathbb{Z}_q^* \to \mathbb{Z}_q^*$.
4. Publish $\{G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4\}$ as the public parameters.
3.2 Key extract
Figure 1 depicts the key extract phase. The phase is executed by the RC as follows:
1. A user $u$ sends his identity $ID_u$ to the RC. Then, the RC computes $Q_u = H_1(ID_u)$ as the user's public key and $D_u = xQ_u$ as the private key, where $u$ is either a client or a server, $u \in \{C_i, S_j\}$, $i \in \{1, 2, 3, \dots, n\}$ and $j \in \{1, 2, 3, \dots, y\}$.
2. The RC sends the private key to $ID_u$ using a secure channel, or using the secure and anonymous protocol proposed in [38].
3. The user $ID_u$ verifies the validity of $D_u$ by checking whether the equality $e(D_u, P) = e(Q_u, P_{pub})$ holds.

Fig. 1 Key extract phase
3.3 User authenticated key agreement
Here, the cooperation between the server and the client to authenticate each other is described in Fig. 2. In this subsection our scheme offers the authentication and the key agreement. Most of the schemes [1–3] provide the authentication by using a traditional signature. Here, we have used the ring signature rather than the traditional signature to provide more features in our scheme, such as unconditional anonymity and non-traceability. The procedures involved are listed as follows:
1. The client chooses his index $dx$ and $r_i \in \mathbb{Z}_q^*$. The identities of the $n$ users are denoted as $T = \{ID_1, ID_2, ID_3, \dots, ID_n\}$ and the groups of users' identities are denoted as $\cup\{U_i\}$, where $1 \le i \le n$ and $U_i = \cup\{ID_{ij}\}$. Then, the client computes $U_i = r_i P$, $k_1 = e(r_1 P_{pub}, Q_{S_j})$, $h_i = H_2(T, U_i, k_1)$ for all $i \in \{1, 2, 3, \dots, n\}$ except $dx$, and $U_{dx} = r_{dx} Q_{ID_{dx}} - \sum_{i \ne dx}(U_i + h_i Q_{ID_i})$. Finally, the client sends $(T, U_i)$ to the server.
2. After $(T, U_i)$ is received, $\alpha \in \mathbb{Z}_q^*$ is chosen by the server, which computes $k_2 = e(U_1, D_{S_j})$ and $Auth = H_3(P_{pub}, T, \alpha, U_1, k_2)$. Finally, $(\alpha, Auth)$ is sent to the client by the server.
3. After $(\alpha, Auth)$ is received, the client checks the equality $Auth = H_3(P_{pub}, T, \alpha, U_1, k_1)$. The common session key $sk = H_4(P_{pub}, T, \alpha, U_1, k_1, Auth)$ and $h_{dx} = H_2(T, U_{dx}, k_1)$ are computed by the client. Then, the client computes $V = (h_{dx} + r_{dx}) D_{ID_{dx}}$ and sends it to the server.
4. Upon receiving $V$, the server computes $h_i = H_2(T, U_i, k_2)$ to verify whether $e(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i})) = e(P, V)$ holds. The server computes the common session key $sk = H_4(P_{pub}, T, \alpha, U_1, k_2, Auth)$.
3.4 Correctness of the proposed protocol
To ascertain that the presented scheme is correct, $e(P, V) = e(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i}))$ is verified, where $V = (h_{dx} + r_{dx}) D_{ID_{dx}}$, $D_u = xQ_u$ and $U_{dx} = r_{dx} Q_{ID_{dx}} - \sum_{i \ne dx}(U_i + h_i Q_{ID_i})$. Then we have
$$\begin{aligned}
e(P, V) &= e(P, (h_{dx} + r_{dx}) D_{ID_{dx}}) \\
&= e(P, (h_{dx} + r_{dx}) x Q_{ID_{dx}}) \\
&= e(xP, (h_{dx} + r_{dx}) Q_{ID_{dx}}) \\
&= e(P_{pub}, h_{dx} Q_{ID_{dx}} + r_{dx} Q_{ID_{dx}}) \\
&= e\Big(P_{pub}, h_{dx} Q_{ID_{dx}} + U_{dx} + \sum_{i \ne dx}(U_i + h_i Q_{ID_i})\Big) \\
&= e\Big(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i})\Big)
\end{aligned}$$

Fig. 2 User authenticated key agreement
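As an added example (not code from the paper or from Chow et al.'s scheme), the following Python runs the whole exchange of Sections 3.1 to 3.4 end to end and checks the correctness identity of Section 3.4 together with the key-validity check of Section 3.2. It assumes a constructed toy bilinear map in which $G_1$ is modelled as $\mathbb{Z}_q$ and $e(aP, bP) = g^{ab} \bmod p$ (bilinear and non-degenerate, but with trivial discrete logarithms, so it exercises only the algebra), SHA-256-based instantiations of $H_1$ to $H_4$, and a signer index $dx \ge 2$ so that $U_1 = r_1 P$ survives the ring-closure step.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT a secure instantiation): G1 is modelled as
# Z_q under addition, so the "point" aP is just the scalar a; G2 is the order-q
# subgroup of Z_p^*; e(aP, bP) = g^(a*b) mod p is bilinear and non-degenerate,
# which is all the protocol's algebra needs. Discrete logs are trivial here.
p, q, g, P = 2039, 1019, 4, 1   # p = 2q + 1, g of order q in Z_p^*, P generates G1


def e(A, B):
    """Toy bilinear pairing e: G1 x G1 -> G2 with e(aP, bP) = e(P, P)^(ab)."""
    return pow(g, (A * B) % q, p)


def _hash_to_zq(*parts):
    """Hash a tuple into Z_q^* (never zero) with a per-oracle domain tag."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1


def H1(identity): return _hash_to_zq("H1", identity)                         # {0,1}* -> G1
def H2(T, U, k): return _hash_to_zq("H2", T, U, k)                           # challenge h_i
def H3(Ppub, T, alpha, U1, k): return _hash_to_zq("H3", Ppub, T, alpha, U1, k)             # Auth
def H4(Ppub, T, alpha, U1, k, auth): return _hash_to_zq("H4", Ppub, T, alpha, U1, k, auth)  # sk
def rand_zq(): return secrets.randbelow(q - 1) + 1


def setup():
    """Setup phase (RC): master secret x and master public key Ppub = xP."""
    x = rand_zq()
    return x, (x * P) % q


def extract(x, identity):
    """Key extract phase (RC): Q_u = H1(ID_u), D_u = x Q_u."""
    Q = H1(identity)
    return Q, (x * Q) % q


def verify_private_key(Ppub, Q, D):
    """Section 3.2 step 3: accept the issued key iff e(D_u, P) == e(Q_u, Ppub)."""
    return e(D, P) == e(Q, Ppub)


def client_step1(Ppub, T, dx, Q_server):
    """Step 1: close the ring over identities T; the real signer is at 1-based index dx."""
    n = len(T)
    if not 2 <= dx <= n:
        # k1 is derived from r_1 and the server pairs with U_1, so the closure
        # value U_dx must not replace U_1; this follows the paper's equations as written.
        raise ValueError("signer index must satisfy 2 <= dx <= n")
    r = [None] + [rand_zq() for _ in range(n)]           # r_1 .. r_n
    U = [None] + [(r_i * P) % q for r_i in r[1:]]        # U_i = r_i P
    k1 = e((r[1] * Ppub) % q, Q_server)                  # k1 = e(r_1 Ppub, Q_Sj)
    acc = 0
    for i in range(1, n + 1):
        if i != dx:
            acc = (acc + U[i] + H2(T, U[i], k1) * H1(T[i - 1])) % q
    U[dx] = (r[dx] * H1(T[dx - 1]) - acc) % q            # U_dx = r_dx Q_dx - sum(...)
    return {"r": r, "U": U, "k1": k1, "dx": dx}, (T, U[1:])


def server_step2(Ppub, D_server, T, U):
    """Step 2: k2 = e(U_1, D_Sj) and Auth = H3(Ppub, T, alpha, U_1, k2)."""
    alpha = rand_zq()
    k2 = e(U[0], D_server)
    auth = H3(Ppub, T, alpha, U[0], k2)
    return {"alpha": alpha, "k2": k2, "auth": auth}, (alpha, auth)


def client_step3(Ppub, st, T, D_client, alpha, auth):
    """Step 3: check Auth with k1, derive sk, release V = (h_dx + r_dx) D_dx."""
    U, k1, dx = st["U"], st["k1"], st["dx"]
    if auth != H3(Ppub, T, alpha, U[1], k1):
        return None                                       # server not authenticated
    sk = H4(Ppub, T, alpha, U[1], k1, auth)
    V = ((H2(T, U[dx], k1) + st["r"][dx]) * D_client) % q
    return sk, V


def server_step4(Ppub, st, T, U, V):
    """Step 4: accept iff e(Ppub, sum(U_i + h_i Q_i)) == e(P, V); then derive sk."""
    k2 = st["k2"]
    total = sum(U[i] + H2(T, U[i], k2) * H1(T[i]) for i in range(len(T))) % q
    if e(Ppub, total) != e(P, V):
        return None                                       # ring signature rejected
    return H4(Ppub, T, st["alpha"], U[0], k2, st["auth"])


def run_protocol(ring, dx, server_id="S_1", tamper=False):
    """Run the whole exchange; returns (client sk, server sk) or None if rejected."""
    x, Ppub = setup()
    Q_s, D_s = extract(x, server_id)
    Q_c, D_c = extract(x, ring[dx - 1])   # only the real signer's own key is needed
    assert verify_private_key(Ppub, Q_s, D_s) and verify_private_key(Ppub, Q_c, D_c)
    cst, (T, U) = client_step1(Ppub, ring, dx, Q_s)
    sst, (alpha, auth) = server_step2(Ppub, D_s, T, U)
    out = client_step3(Ppub, cst, T, D_c, alpha, auth)
    if out is None:
        return None
    sk_c, V = out
    if tamper:
        V = (V + 1) % q                   # a party without D_dx altering V is caught
    sk_s = server_step4(Ppub, sst, T, U, V)
    return None if sk_s is None else (sk_c, sk_s)
```

Calling `run_protocol(ring, dx)` with different `dx` values takes the same verification path on the server, which is the anonymity property: the server learns only that some member of `ring` signed.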
4 Security analysis
This section shows that the required security as described in Section 2 can be achieved by the proposed protocol in the random oracle model [39]. The logic of our security proof uses an approach similar to [1, 5].
4.1 Client-to-server authentication
Theorem 1 shows that an adversary $A$ cannot impersonate the client to the server, assuming the computational Diffie-Hellman problem is hard.

Theorem 1 Assume an adversary $A$ exists that has a non-negligible advantage $\varepsilon$ of breaking client-to-server authentication. Then the computational Diffie-Hellman problem is solved by a challenger $F$ with non-negligible probability. Assume that at most $q_S$ queries to the oracle $\Pi_S^j$ of the server, $q_C$ queries to the oracle $\Pi_C^i$ of the client, and $q_{H_i}$ queries on the $H_i$ oracle, $i \in \{1, 2, 3\}$, are made by $F$.

Proof Suppose that our client-to-server authentication protocol is susceptible to an assault by $A$ with non-negligible advantage $\varepsilon$ within polynomial time under adaptive chosen message and identity attacks. For a chosen target identity, as in Lemma 1 of [40], $A$ has a non-negligible advantage $\varepsilon$ within polynomial time to attack the client-to-server authentication of our scheme using adaptive chosen message attacks. This then dictates that our protocol is resistant against the chosen identity attack in the random oracle model.

To prove Theorem 1, suppose that a random instance $P, aP, bP \in G_1$ with unknown $a, b \in \mathbb{Z}_q^*$ is received by $F$, whose main goal is to derive $abP$ by interacting with $A$. $A$'s oracle queries are answered by $F$ as follows:
1. Initialization: The algorithm $F$ generates the system parameters $\{G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4\}$, where $P_{pub} = bP$, and sends them to $A$. $F$ picks an identity $ID_t$ randomly as the challenge identity in this game. To avoid collisions and keep consistency, $F$ maintains five lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, $L_{H_4}$ and $L_K$ for queries and responses. We assume that the $H_1$ query on $ID_u$ is made before other queries are issued.
2. $H_1$ query: Whenever $A$ sends an $H_1$ query on $ID_u$, $F$ randomly chooses $y_i \in \mathbb{Z}_q^*$ and returns $Q_{C_i} = y_i P$ to $A$. However, if $ID = ID_t$, it returns $Q_{C_i} = y_i(aP)$ to $A$. Then, $F$ updates $L_{H_1}$ with $(ID_u, y_i, Q_{C_i})$.
3. $H_2$ query: When $A$ submits an $H_2$ query on $(T, U_i, k)$, $F$ randomly chooses $e_1 \in \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_2}$ with $(T, U_i, k, e_1)$.
4. $H_3$ query: Whenever $A$ sends an $H_3$ query on $(P_{pub}, T, \alpha, U_i, k)$, $F$ chooses $e_2 \in_R \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_3}$ with $(P_{pub}, T, \alpha, U_i, k, e_2)$.
5. $H_4$ query: Whenever $A$ sends an $H_4$ query on $(P_{pub}, T, \alpha, U_i, k, Auth)$, $F$ chooses $e_3 \in_R \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_4}$ with $(P_{pub}, T, \alpha, U_i, k, Auth, e_3)$.
6. Extract query: Whenever $A$ sends an Extract query on $ID_u$ requesting the private key, $F$ checks whether a tuple $(ID_u, Q_{ID_u}, D_{ID_u})$ exists in $L_K$. If it does, $D_{ID_u}$ is returned by $F$ to $A$. Else, $F$ searches $L_{H_1}$ for an entry $(ID, y_i, Q_{C_i})$ and executes the following:
(a) If $ID_u = ID_t$, the private key cannot be computed since the values of $a$ and $b$ are unknown. $F$ updates $L_K$ with $(ID_u, y_i(aP), \perp)$. The symbol $\perp$ denotes an unknown value.
(b) If $ID_u \ne ID_t$, $F$ computes the private key $D_{ID_u} = y_i(bP)$ and replies to $A$. $F$ updates $L_K$ with $(ID_u, y_i P, y_i(bP))$.
7. Send query:
(a) When $A$ submits a Send($\Pi_C^i$, "start") query and chooses $n$ users' identities $T = \cup\{ID_i\}$, $1 \le i \le n$, $F$ randomly chooses $U_i \in G_1$, computes $k_1 = e(r_1 P_{pub}, Q_{S_j})$, chooses an index $dx \in \{1, 2, 3, \dots, n\}$ and $z \in \mathbb{Z}_q^*$. Then, $F$ computes $h_i = H_2(T, U_i, k_1)$ for all $i \in \{1, 2, 3, \dots, n\}$ except $dx$, chooses $h_{dx} \in \mathbb{Z}_q^*$, and computes $U_{dx} = zP - h_{dx} Q_{ID_{dx}} - \sum_{i \ne dx}(U_i + h_i Q_{ID_i})$. Finally, $F$ sends $(T, U_i)$ to the adversary $A$.
(b) When $A$ submits a Send($\Pi_S^j$, $(T, U_i)$) query to the server: if $ID_u \ne ID_t$, $F$ randomly chooses $\alpha \in \mathbb{Z}_q^*$, computes $k_2 = e(U_1, D_{S_j})$, sets $Auth = H_3(P_{pub}, T, \alpha, U_1, k_2)$ and returns $(\alpha, Auth)$ to $A$. Otherwise, if $ID_u = ID_t$, $F$ fails and terminates.
(c) When $A$ submits a Send($\Pi_C^i$, $(\alpha, Auth)$) query to the client: if $ID \ne ID_t$, $F$ verifies whether $Auth = H_3(P_{pub}, T, \alpha, U_1, k_1)$ holds. If it holds, $F$ computes $sk = H_4(P_{pub}, T, \alpha, U_1, k_1, Auth)$, adds $h_{dx} = H_2(T, U_{dx}, k_1)$ to $L_{H_2}$, computes $V = z(bP)$ and sends $V$ to $A$. Otherwise ($ID = ID_t$), since $A$ cannot satisfy $Auth$, $F$ acts correctly.
(d) When $A$ submits a Send($\Pi_S^j$, $V$) query to the server, $F$ computes $h_i = H_2(T, U_i, k_2)$ to verify whether $e(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i})) = e(P, V)$ holds. If it holds, $F$ accepts, computes $sk = H_4(P_{pub}, T, \alpha, U_1, k_2, Auth)$ and terminates. Otherwise, $F$ ends.
Analysis Let $\delta^{q_{ex}}$ be $F$'s probability of succeeding in all $q_{ex}$ private key extraction queries, and $(1-\delta)^p$ the probability that $A$ forges a signature for which $F$ does not have all the corresponding private keys, where $p$ denotes the number of participants engaged in the forged signature. Then the total probability is $\delta^{q_{ex}}(1-\delta)^p$. The value of $\delta$ that maximizes this probability is $q_{ex}/(q_{ex}+p)$, and the maximized probability is
$$\left(1 - \frac{p}{q_{ex}+p}\right)^{q_{ex}+p-p}\left(\frac{p}{q_{ex}+p}\right)^{p}.$$
With $(1 - q_{H_1}\cdot 2/2^{\lambda})^{q_s}$ being the probability of $F$ succeeding in all $q_s$ sign queries, which is greater than $(1 - q_s q_{H_1}/2^{\lambda-1})$, the probability of success of $F$ for very large $q_{ex}$ is given as
$$\varepsilon_F = \varepsilon_A \left(\frac{p}{e\, q_{ex}}\right)^{p}\left(1 - \frac{q_s q_{H_1}}{2^{\lambda-1}}\right).$$
Violation of the client-to-server authentication by $A$ means that a valid forgery $(V, U)$ has been committed on $ID_u$. The Forking Lemma for generic ring signature schemes [34] states that if $\varepsilon_F \ge 7 q_H^p / 2^{\lambda}$ and $A$ produces a correct forged signature within a specific time $t_A$ as in the above relationship, then another attacker can be constructed that produces two signatures $\mathcal{V} = \{\cup_{i=1}^{n}\{U_i\}, V\}$ and $\mathcal{V}' = \{\cup_{i=1}^{n}\{U_i\}, V'\}$ with probability not more than $\varepsilon_F^2 / (66\, q_H^p)$ within time $2t_A$. For all $i \in \{1, 2, \dots, n\}$, suppose $h_i = H_2(T, U_i, k_1)$ and $h'_i = H_2(L, U_i, k_1)$; then for $i \in \{1, 2, \dots, n\}$ except $dx$, $h_i = h'_i$. Given that $A'$ is a derivation of $A$, the CDH problem can be solved by computing $abP = y_{dx}^{-1}(h_{dx} - h'_{dx})^{-1}(V - V')$, where $y_{dx}$ is found by searching the list $L_{H_1}$ for $ID_u$.
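As an added worked step (not spelled out in the paper), substituting the simulation's key shapes, $Q_{ID_t} = y_{dx}(aP)$ and $P_{pub} = bP$ (so $x = b$), into $V$ shows why the two forked signatures yield $abP$; it assumes, as the forking replay provides, that both signatures share the same $U_i$ and hence the same $r_{dx}$:
$$\begin{aligned}
D_{ID_{dx}} &= x\,Q_{ID_{dx}} = b \cdot y_{dx}(aP) = y_{dx}\,abP,\\
V - V' &= (h_{dx} + r_{dx})\,y_{dx}\,abP - (h'_{dx} + r_{dx})\,y_{dx}\,abP = (h_{dx} - h'_{dx})\,y_{dx}\,abP,\\
abP &= y_{dx}^{-1}(h_{dx} - h'_{dx})^{-1}(V - V'),
\end{aligned}$$
which is well defined because $h_{dx} \ne h'_{dx}$ after the fork and $y_{dx} \ne 0$ in $\mathbb{Z}_q^*$.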
4.2 Key agreement
Theorem 2 shows that our protocol achieves key agreement under the BDH problem.

Theorem 2 Suppose that there exists an adversary $A$ that can guess the value $w$ in the Test query with a non-negligible advantage $\varepsilon$. Then there exists an $F$ that solves the BDH problem with non-negligible probability. Assume that at most $q_S$ queries to the oracle $\Pi_S^j$ of the server, $q_C$ queries to the oracle $\Pi_C^i$ of the client, and $q_{H_i}$ queries on the $H_i$ oracle, $i \in \{1, 2, 3\}$, are made by $F$.

Proof The toss value in a Test query can be guessed by $A$ with probability not lower than $1/2$. Assuming $A$ can guess the coin with advantage $\varepsilon$, $A$ can obtain the correct session key with advantage $\Pr[O_{csk}] \ge \varepsilon/2$, where $O_{csk}$ denotes the event that the correct session key is obtained. Let $Test(\Pi_C^i)$ and $Test(\Pi_S^j)$ denote the success events of the oracles $\Pi_C^i$ of the client and $\Pi_S^j$ of the server, respectively. The event of breaking the client-to-server authentication is denoted by $E_{C2S}$. $A$ may submit the Test query to the client or the server; then for some $i$ and $j$ we have
$$\Pr[O_{csk} \wedge Test(\Pi_S^j) \wedge E_{C2S}] + \Pr[O_{csk} \wedge Test(\Pi_S^j) \wedge \neg E_{C2S}] + \Pr[O_{csk} \wedge Test(\Pi_C^i)] \ge \frac{\varepsilon}{2},$$
where $E_{C2S}$ denotes the event of breaking the client-server authentication. Then, for some $i$ and $j$, we have
$$\Pr[O_{csk} \wedge Test(\Pi_C^i) \wedge \neg E_{C2S}] + \Pr[O_{csk} \wedge Test(\Pi_C^i)] \ge \frac{\varepsilon}{2} - \Pr_{C2S}.$$
To prove Theorem 2, we assume that $F$ receives random instances $P, aP, bP, cP \in G_1$ with unknown $a, b, c \in \mathbb{Z}_q^*$. The goal of $F$ is to derive $e(P, P)^{abc}$ by interacting with $A$. $A$'s queries are answered by the algorithm $F$ as follows:
1. Initialization: The algorithm $F$ generates the system parameters $\{G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4\}$, where $P_{pub} = bP$, and sends them to $A$. $F$ picks an identity $ID_t$ randomly as the challenge identity in this game. To avoid collisions and keep consistency, $F$ maintains five lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, $L_{H_4}$ and $L_K$ for queries and responses. We assume that the $H_1$ query on $ID_u$ is made before other queries are issued.
2. $H_1$ query: Whenever $A$ sends an $H_1$ query on $ID_u$, $F$ randomly chooses $y_i \in \mathbb{Z}_q^*$ and returns $Q_{C_i} = y_i P$ to $A$. However, if $ID = ID_t$, it returns $Q_{C_i} = y_i(aP)$ to $A$. Then, $F$ updates $L_{H_1}$ with $(ID_u, y_i, Q_{C_i})$.
3. $H_2$ query: Whenever $A$ sends an $H_2$ query on $(L, U_i, k)$, $F$ randomly chooses $e_1 \in \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_2}$ with $(L, U_i, k, e_1)$.
4. $H_3$ query: Whenever $A$ sends an $H_3$ query on $(P_{pub}, L, U_i, k)$, $F$ chooses $e_2 \in_R \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_3}$ with $(P_{pub}, L, U_i, k, e_2)$.
5. $H_4$ query: Whenever $A$ sends an $H_4$ query on $(P_{pub}, T, \alpha, U_i, k, Auth)$, $F$ chooses $e_3 \in_R \mathbb{Z}_q^*$ and returns it to $A$. $F$ updates $L_{H_4}$ with $(P_{pub}, T, \alpha, U_i, k, Auth, e_3)$.
6. Extract query: When $A$ submits this query on $ID_u$ requesting a private key, $F$ checks whether a tuple $(ID_u, Q_{ID_u}, D_{ID_u})$ exists in $L_K$. If it does, $D_{ID_u}$ is returned by $F$ to $A$. Else, $F$ searches $L_{H_1}$ for an entry $(ID, y_i, Q_{C_i})$ and executes the following:
(a) If $ID_u = ID_t$, the private key cannot be computed since the values of $a$ and $b$ are unknown. $F$ updates $L_K$ with $(ID_u, y_i(aP), \perp)$. The symbol $\perp$ denotes an unknown value.
(b) If $ID_u \ne ID_t$, $F$ computes the private key $D_{ID_u} = y_i(bP)$ and returns it to $A$. $F$ updates $L_K$ with $(ID_u, y_i P, y_i(bP))$.
7. Send query:
(a) When $A$ submits a Send($\Pi_C^i$, "start") query and chooses $n$ users' identities $T = \cup\{ID_i\}$, $1 \le i \le n$, $F$ randomly chooses $U_i \in G_1$, computes $k_1 = e(r_1 P_{pub}, Q_{S_j})$, chooses an index $dx \in \{1, 2, 3, \dots, n\}$ and $z \in \mathbb{Z}_q^*$. Then, $F$ computes $h_i = H_2(T, U_i, k_1)$ for all $i \in \{1, 2, 3, \dots, n\}$ except $dx$, chooses $h_{dx} \in \mathbb{Z}_q^*$, and computes $U_{dx} = zP - h_{dx} Q_{ID_{dx}} - \sum_{i \ne dx}(U_i + h_i Q_{ID_i})$. Finally, $F$ sends $(T, U_i)$ to the adversary $A$.
(b) When $A$ submits a Send($\Pi_S^j$, $(T, U_i)$) query to the server: if $ID_u \ne ID_t$, $F$ randomly chooses $\alpha \in \mathbb{Z}_q^*$, computes $k_2 = e(U_1, D_{S_j})$, sets $Auth = H_3(P_{pub}, T, \alpha, U_1, k_2)$ and returns $(\alpha, Auth)$ to $A$. Otherwise, if $ID_u = ID_t$, $F$ fails and terminates.
(c) When $A$ submits a Send($\Pi_C^i$, $(\alpha, Auth)$) query to the client: if $ID \ne ID_t$, $F$ verifies whether $Auth = H_3(P_{pub}, T, \alpha, U_1, k_1)$ holds. If it holds, $F$ computes $sk = H_4(P_{pub}, T, \alpha, U_1, k_1, Auth)$, adds $h_{dx} = H_2(T, U_{dx}, k_1)$ to $L_{H_2}$, computes $V = z(bP)$ and sends $V$ to $A$. Otherwise ($ID = ID_t$), since $A$ cannot satisfy $Auth$, $F$ acts correctly.
(d) When $A$ submits a Send($\Pi_S^j$, $V$) query to the server, $F$ computes $h_i = H_2(T, U_i, k_2)$ to verify whether $e(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i})) = e(P, V)$ holds. If it holds, $F$ accepts, computes $sk = H_4(P_{pub}, T, \alpha, U_1, k_2, Auth)$ and terminates. Otherwise, $F$ ends.
8. Corrupt query: Whenever a Corrupt query on $ID_u$ is submitted by $A$, $D_{ID_u}$ is returned by $F$.
9. Reveal query: The session key $sk$ is returned by $F$ whenever a Reveal query is submitted by $A$.
10. Test query: Whenever $A$ sends a Test query, if the query is not asked in the session, $F$ sets $U = cP$, an instance of the BDHP, and aborts. Else, a fair coin $w$ is flipped by $F$. If $w = 1$, a session key is returned to $A$; else, a random string is returned to $A$.

With $F$ it is noticed that, for all $j$, the event $O_{csk} \wedge Test(\Pi_S^j) \wedge \neg E_{C2S}$ equals, for some $i$, the event $O_{csk} \wedge Test(\Pi_C^i)$, such that $\Pr[O_{csk} \wedge Test(\Pi_C^i)] \ge \frac{\varepsilon}{2} - \Pr_{C2S}$. By the simulation of the queries to the client we have the following probability:
$$\Pr\big[sk = H_4(P_{pub}, L, U_i, k_1, Auth) \,\big|\, \alpha, Auth \in \mathbb{Z}_q^*,\ U_1, k_1 \in G_1\big] \ge \frac{\varepsilon}{2} - \Pr_{c2s}.$$
We know that $\Pr_{C2S}$ is negligible by Theorem 1. If $\varepsilon$ is non-negligible, then $\varepsilon/2 - \Pr_{C2S}$ is non-negligible. We assume that the adversary can calculate $k_1$ and $k_2$ with non-negligible probability. $A$ needs to calculate $k_1$ and $k_2$ knowing $(Q_u = aP, P_{pub} = bP, U_1 = cP)$. To get $e(P, P)^{abc}$, which solves the hard BDH problem, the adversary needs to compute $k_1$ and $k_2$:
$$k_1 = e(r_1 P_{pub}, Q_{S_j}) = e(r_1(bP), aP) = e(r_1 P, abP) = e(U_1, abP) = e(cP, abP) = e(P, P)^{abc}$$
$$k_2 = e(U_1, D_{S_j}) = e(cP, xQ_{S_j}) = e(cP, x \cdot aP) = e(acP, xP) = e(acP, P_{pub}) = e(acP, bP) = e(P, P)^{abc}$$
According to the hardness assumption of the BDH problem, the probability that $A$ wins the game is negligible. Hence, our protocol provides a secure key agreement.
4.3 Server-to-client authentication
Theorem 3 establishes that an adversary $\mathcal{A}$ cannot impersonate the server to communicate with the client under the BDHP.
Theorem 3 Assume that an adversary $\mathcal{A}$ exists that has a non-negligible advantage $\varepsilon$ of breaking server-to-client authentication. Then the BDHP is solved by a challenger $\mathcal{F}$ with a non-negligible probability. Assume that at most $q_S$ queries to the oracle $\Pi^j_S$ of the server, $q_C$ queries to the oracle $\Pi^i_C$ of the client, and $q_{H_i}$ queries on the $H_i$ oracle, $i \in \{1,2,3\}$, are made by $\mathcal{F}$.
Proof Let the algorithm be displayed as presented in the proof of Theorem 2. As such, it is completely indistinguishable from our protocol except for the occurrence of the event $E_{C2S}$. We use $E_{S2C}$ as the event that corresponds to breaking the server-to-client authentication. When the oracle accepts with a non-legitimate entity, event $E_{S2C}$ occurs. Basically, this happens after sending $(L, U = cP)$ and receiving $(\alpha, Auth)$, when the client accepts an $(\alpha, Auth)$ which was not generated by the server. In this circumstance, one of the following three conditions occurs:
1. The adversary $\mathcal{A}$ guessed the value $Auth$, with probability less than $q_C/2^k$.
2. The value $U_i$ occurred in another session, with probability $q_C/q \times (q_C - 1)$, which is less than $q_C^2/q$.
3. $\mathcal{A}$ asked $H_1(ID_t)$, with probability $\Pr[(P_{pub}, L, \alpha, U_i, k_2) \mid P_{pub} \in_R G_1,\ k_2 = e(U_1, D_{S_j})]$.
Then, we have

$$\Pr[E_{S2C} \wedge \neg E_{C2S}] \le \Pr\big[(P_{pub}, L, U_i, k_2) \mid P_{pub} \in_R G_1,\ k_2 = e(U_1, D_{S_j})\big] + \frac{q_C}{2^k} + \frac{q_C^2}{q}$$
To prove Theorem 3, $\mathcal{A}$'s queries are answered by an algorithm $\mathcal{F}$. Assume that the instances $P, aP, bP, cP \in G_1$ with unknown $a, b, c \in \mathbb{Z}_q^*$ are received by $\mathcal{F}$ at random. The goal of $\mathcal{F}$ is to derive $e(P, P)^{abc}$ by interacting with $\mathcal{A}$. $\mathcal{F}$ picks an identity $ID_t$ randomly as the challenged identity in this game. In this case, $\mathcal{A}$ receives $(Q_u = aP, P_{pub} = bP, U_1 = cP)$. $\mathcal{A}$ can compute $e(P, P)^{abc}$ with a non-negligible probability. To get $e(P, P)^{abc}$, which solves the BDH problem, the adversary computes

$$k_2 = e(U_1, D_{S_j}) = e(cP, xQ_{S_j}) = e(cP, xaP) = e(acP, xP) = e(acP, P_{pub}) = e(acP, bP) = e(P, P)^{abc}$$

However, $\mathcal{F}$ can use $\mathcal{A}$ to obtain $e(P, P)^{abc}$. $\mathcal{F}$ can solve the BDH problem with probability $\varepsilon' \ge \varepsilon - q_C/2^k - q_C^2/q$. Hence, the scheme provides server-to-client authentication.
4.4 Unconditional signer ambiguity property
Theorem 4 Our protocol has the unconditional signer ambiguity property.
Proof To prove that the ring signature used in our protocol has the unconditional signer ambiguity property, suppose that $\bigcup_{i \neq dx}\{U_i\}$ and $r_{dx}$ are randomly generated. Hence $\bigcup_{i=1}^{n}\{U_i\}$ are distributed uniformly. Consider whether $V = (h_{dx} + r_{dx})D_{ID_{dx}}$ gives details about the true signer. The focus is then shifted to the value of $r_{dx}D_{ID_{dx}}$, as $h_{dx}$ is publicly computable. Visibly, $r_{dx}D_{ID_{dx}}$ is associated with $h_{dx}$. Then, it is possible to obtain $r_{dx}Q_{ID_{dx}}$ as $U_{dx} + \sum_{i \neq dx}(U_i + h_iQ_{ID_i})$. The relation between $r_{dx}D_{ID_{dx}}$ and $r_{dx}Q_{ID_{dx}}$ can be found by using the bilinearity property in the equality $e(r_{dx}Q_{ID_{dx}}, P_{pub}) = e(r_{dx}D_{ID_{dx}}, P)$. It could be enticing to check whether $ID_j$ is the true signer by examining whether the following equation is satisfied or not:

$$e\Big(U_j + \sum_{i \neq j}(U_i + h_iQ_{ID_i}),\ P_{pub}\Big) = e(V, P)/e(h_jQ_{ID_j}, P_{pub})$$

However, the aforementioned equality holds when $j = dx$ as well as for all $j \in \{1,2,\dots,n\}$ except $dx$. Certainly, the prior stated equation is but the same as the equality checked in the authentication phase. The following equations show that our protocol provides the unconditional signer ambiguity property:
$$\begin{aligned}
e\Big(U_j + \sum_{i \neq j}(U_i + h_iQ_{ID_i}),\ P_{pub}\Big)
&= e\Big(\sum_{i \neq dx}U_i + U_{dx} + \sum_{i \neq j}h_iQ_{ID_i},\ P_{pub}\Big)\\
&= e\Big(\sum_{i \neq dx}U_i + r_{dx}Q_{ID_{dx}} - \sum_{i \neq dx}(U_i + h_iQ_{ID_i}) + \sum_{i \neq j}h_iQ_{ID_i},\ P_{pub}\Big)\\
&= e\Big(r_{dx}Q_{ID_{dx}} - \sum_{i \neq dx}h_iQ_{ID_i} + \sum_{i \neq j}h_iQ_{ID_i},\ P_{pub}\Big)\\
&= e(r_{dx}Q_{ID_{dx}} + h_{dx}Q_{ID_{dx}} - h_jQ_{ID_j},\ xP)\\
&= e(r_{dx}D_{ID_{dx}} + h_{dx}D_{ID_{dx}} - h_jD_{ID_j},\ P)\\
&= e(V - h_jD_{ID_j},\ P)\\
&= e(V, P)/e(h_jD_{ID_j}, P)\\
&= e(V, P)/e(h_jQ_{ID_j}, P_{pub})
\end{aligned}$$
Table 2 Comparisons based on computation and communication cost

Schemes   Computational cost (client)   Computational cost (server)   Communication cost
[1]       4T_Mu + T_Ad + 3T_H           2T_e + 2T_Mu + T_Ad + 3T_H    |ID| + 2|Z_q| + 2|G_1|
[41]      2T_Mu + 3T_H + T_In           T_e + 5T_Mu + 2T_Ad + 5T_H    2|Z_q| + 3|G_1|
[21]      4T_Mu + 3T_Ad + 4T_H          4T_Mu + 3T_Ad + 4T_H          |ID| + 2|Z_q| + 4|G_1|
Ours      T_e + nT_Mu + nT_Ad + 4T_H    3T_e + 3T_H                   |ID| + 2|Z_q| + n|G_1| + |G_1|

Table 3 Security comparisons

                          [1]   [41]   [21]   Our scheme
Mutual authentication      Y     Y      Y      Y
Key agreement              Y     Y      Y      Y
Unconditional anonymity    N     N      N      Y
Untraceability             N     N      N      Y
Perfect secrecy            Y     Y      Y      Y
For each defined identity $ID_j$ and each determined list $T$ of $n$ users' identities, this shows that the distribution of $\{\bigcup_{i=1}^{n}\{U_i\}, V\}$ is uniform and identical regardless of who the true signer is.
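As an added illustration (not the paper's code, and not JPBC), the following Python models the ring signature used in the protocol and the equalities of Sections 4.2 and 4.4 with a toy pairing: elements of $G_1$ are represented by their discrete logs with respect to $P$, so that $e(aP, bP) = g^{ab}$; this makes the algebra checkable but is insecure by construction. The parameters $p = 1019$, $q = 509$, $g = 4$, the hash constructions and the identity strings are constructed for the example.

```python
"""Toy model of the ID-based ring signature and the implicit keys k_1, k_2 of
the protocol, to check the algebra of Sections 4.2 and 4.4.  An element of G1
is stored as its discrete log w.r.t. P (kP -> k mod q) and the pairing is
e(aP, bP) = g^(ab) in Z_p^*.  The map is thus trivially invertible: this model
reproduces the equations only and is insecure by construction."""
import hashlib
import secrets

# Constructed toy parameters (not the Type A parameters of Table 4): a safe
# prime p = 2q + 1 and a generator g of the order-q subgroup of Z_p^*.
P_TOY, Q_TOY, G_TOY = 1019, 509, 4
P_GEN = 1  # the generator P itself, i.e. 1*P

def g1_add(a, b):
    return (a + b) % Q_TOY

def g1_mul(k, a):
    return (k * a) % Q_TOY

def pairing(a, b):
    """Toy bilinear map e(aP, bP) = g^(ab): bilinear and non-degenerate."""
    return pow(G_TOY, (a * b) % Q_TOY, P_TOY)

def gt_div(x, y):
    """Division in the target group Z_p^*, for e(V, P)/e(h_j Q_j, P_pub)."""
    return x * pow(y, -1, P_TOY) % P_TOY

def h1(identity):
    """H1: {0,1}* -> G1, an identity mapped to a nonzero group element."""
    d = hashlib.sha256(b"H1" + identity).digest()
    return int.from_bytes(d, "big") % (Q_TOY - 1) + 1

def h2(ctx, u):
    """H2 of the protocol, h_i = H2(T, U_i, k_1); ctx carries T and k_1."""
    d = hashlib.sha256(b"H2" + ctx + u.to_bytes(4, "big")).digest()
    return int.from_bytes(d, "big") % Q_TOY

def setup():
    """Master secret x and P_pub = xP."""
    x = secrets.randbelow(Q_TOY - 1) + 1
    return x, g1_mul(x, P_GEN)

def extract(x, identity):
    """Key extract: Q_ID = H1(ID), D_ID = x Q_ID."""
    q_id = h1(identity)
    return q_id, g1_mul(x, q_id)

def ring_sign(ctx, ring_q, dx, d_dx):
    """Signer dx (private key d_dx) signs on behalf of ring_q = [Q_ID_1..n]."""
    n = len(ring_q)
    u, h = [0] * n, [0] * n
    for i in range(n):
        if i != dx:  # random U_i and its hash for every non-signer
            u[i] = secrets.randbelow(Q_TOY)
            h[i] = h2(ctx, u[i])
    r_dx = secrets.randbelow(Q_TOY - 1) + 1
    acc = 0  # sum_{i != dx} (U_i + h_i Q_i)
    for i in range(n):
        if i != dx:
            acc = g1_add(acc, g1_add(u[i], g1_mul(h[i], ring_q[i])))
    u[dx] = (g1_mul(r_dx, ring_q[dx]) - acc) % Q_TOY  # U_dx = r_dx Q_dx - acc
    h[dx] = h2(ctx, u[dx])
    v = g1_mul(h[dx] + r_dx, d_dx)  # V = (h_dx + r_dx) D_dx
    return u, v

def ring_verify(ctx, ring_q, u, v, p_pub):
    """Server-side check e(P_pub, sum_i (U_i + h_i Q_i)) == e(P, V)."""
    acc = 0
    for q_i, u_i in zip(ring_q, u):
        acc = g1_add(acc, g1_add(u_i, g1_mul(h2(ctx, u_i), q_i)))
    return pairing(p_pub, acc) == pairing(P_GEN, v)

def ambiguity_check(ctx, ring_q, u, v, p_pub):
    """Section 4.4 test: the j for which e(U_j + sum_{i!=j}(U_i + h_i Q_i),
    P_pub) equals e(V, P)/e(h_j Q_j, P_pub).  It holds for every j, so the
    equation cannot single out the true signer."""
    h = [h2(ctx, u_i) for u_i in u]
    holds = []
    for j in range(len(ring_q)):
        lhs_pt = u[j]
        for i in range(len(ring_q)):
            if i != j:
                lhs_pt = g1_add(lhs_pt, g1_add(u[i], g1_mul(h[i], ring_q[i])))
        lhs = pairing(lhs_pt, p_pub)
        rhs = gt_div(pairing(v, P_GEN), pairing(g1_mul(h[j], ring_q[j]), p_pub))
        if lhs == rhs:
            holds.append(j)
    return holds

def implicit_keys(r1, p_pub, q_s, d_s):
    """Client k_1 = e(r_1 P_pub, Q_S) and server k_2 = e(U_1, D_S), U_1 = r_1 P."""
    u1 = g1_mul(r1, P_GEN)
    return pairing(g1_mul(r1, p_pub), q_s), pairing(u1, d_s)
```

Running ring_sign with any ring member as dx and then ambiguity_check returns every index, which is the concrete content of Theorem 4; implicit_keys shows the two sides of Section 4.2 computing the same pairing value without the server learning which ring member signed.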
5 Performance analysis
This section evaluates the performance of our protocol in terms of the computation cost, the communication cost and the security properties. The proposed protocol is compared with Wu et al. [1], Tsai et al. [41], and Tseng et al. [21]. The following notation is used to evaluate the computational cost:
T_e: the time of a bilinear map operation e: G_1 × G_1 → G_2.
T_Mu: the time of a scalar multiplication operation in G_1.
T_In: the time of a modular inversion operation.
T_Ad: the time of an addition operation in G_1.
T_H: the time of a one-way hash function.
Table 2 gives the theoretical analysis of the computation and communication costs. Table 3 shows that our protocol gives better security properties than the other schemes by providing unconditional anonymity.
We have implemented the four schemes using the Java pairing-based cryptography library (JPBC) [42] for both the client and the servers. The client is simulated using Android Studio bundle version 2.2.0.0 on an Honor phone with EMUI 4.0.1, an octa-core 1.5 GHz CPU and 2.0 GB of RAM. The servers are simulated using Java on computers with an Intel Core i3-3110 dual-core 2.40 GHz CPU and 4 GB of RAM. This study employed Type A pairings constructed from the curve $y^2 = x^3 + x$ over the field $\mathbb{F}_p$ for some prime $p \equiv 3 \pmod 4$. The experiment involves 80-, 112- and 128-bit key sizes of AES security levels [43], as shown in Table 4.

Table 4 Security level of our experiment

Security level   Size of p (bits)   Size of q (bits)
80-bit           1024               160
112-bit          2048               224
128-bit          3072               256

Fig. 3 The client computational time (time in seconds at the 80-, 112- and 128-bit security levels; legend: [2], [5], [21], Ours)
To simulate our protocol, we prepared three servers (registration server, server 1 and server 2) connected to form the multi-server environment, and one mobile phone to simulate the client (i.e., doctor, nurse or family member), as shown in Fig. 6. Here, we assume that the WBAN data are transmitted to and stored in the medical servers securely. Thus, the experiment focuses on the clients and the servers as part of the IoT environment. For each of the four schemes, the experiment was carried out 100 times and the corresponding computation time was recorded. To ascertain the computation cost on the client and server sides, we consider the average; the results are presented in Figs. 3 and 4.
The results show that the computational cost on both sides when our proposed protocol is adopted exceeds the computational cost of the other protocols. The higher computational cost shown by the empirical results is explained by the use of the ring signature in our proposed protocol. Notwithstanding this, the guaranteed privacy provided by the proposed protocol makes it a preferred choice for privacy protection in the multi-server IoT environment.
Fig. 4 The server computational time (time in seconds at the 80-, 112- and 128-bit security levels; legend: [2], [5], [21], Ours)

Fig. 5 Communication cost (size in bytes against the number of users, 1 to 15; legend: [2], [5], [21], Ours)
Figure 5 shows the communication cost, assuming that $|m| = 160/8$ bytes and $|ID| = 80/8$ bytes. Using an elliptic curve with $q = 160/8$ bytes, the size of an element of $G_1$ is 1024 bits. Using the standard compression method [44], the size of $G_1$ can be reduced to 65 bytes. According to Table 2, the communication cost of each scheme is as follows.
1. Communication cost in [1] is $|ID| + 2|\mathbb{Z}_q| + 2|G_1| = 10 + 2 \times 20 + 2 \times 65 = 180$ bytes.
2. Communication cost in [41] is $2|\mathbb{Z}_q| + 3|G_1| = 2 \times 20 + 3 \times 65 = 235$ bytes.
3. Communication cost in [21] is $|ID| + 2|\mathbb{Z}_q| + 4|G_1| = 10 + 2 \times 20 + 4 \times 65 = 310$ bytes.
4. Communication cost in our scheme is $|ID| + 2|\mathbb{Z}_q| + n|G_1| + |G_1| = 115 + n \times 65$ bytes.
By comparing the communication costs, our protocol has the highest cost. Indeed, the cost increases as the number of users increases.
6 Application scenario
Figure 6 shows an electronic medical application scenario in which the WBAN collects biomedical data such as heart rate, blood pressure, etc. in real time. A remote hospital server receives these data from a personal digital assistant (PDA) device connected to the WBAN. Using these data, the clients (doctors, nurses, scientists and family members) can access a patient's health status and related information from the medical system servers (registration server, hospital server, health insurance server and e-government server). The medical experts can, in turn, offer clinical diagnostics according to the patient's status. When treatment is administered, relatives of patients can get health status updates. The easy access to sensitive information made available by IoT operating in a multi-server environment requires an efficient scheme that preserves the privacy of system users.
Fig. 6 An electronic medical application scenario
The data transmitted between the WBANs and the medical servers are very sensitive because they are the basis of clinical diagnostics. Thanks to the unconditional anonymity on which our proposal is grounded, the clients can authenticate themselves to the servers without revealing their identities to the servers, unlike in the other schemes. In addition, the data transmitted between clients and servers are sensitive in that an adversary who gains access to them could alter them to the detriment of the patient in question. From the perspective of the stakeholders, privacy preservation is one of the essential issues in medical systems. Here, the clients interact with the multi-server medical environment, and our protocol is necessary and well suited to protect their privacy in the IoT multi-server environment described.
For example, to use our protocol in the IoT environment described in Fig. 6, the clients are doctors, nurses, scientists and family members, while the servers are the registration server, hospital server, health insurance server and e-government server. The Setup phase is executed by the registration server to generate the public parameters and send them to the clients and servers. Therefore, registration of the clients and servers at the registration server is required. Then, the Key extract phase is executed by the clients and servers to get their private keys $D_u$ and public keys $Q_u$ from the registration server. Based on the proposed protocol, they check their private keys to ensure that they are dealing with the appropriate registration server. The user authenticated key agreement phase is executed to get access to all the servers. Finally, the session key $sk$ is computed by the clients and the servers for use in future communication.
7 Conclusion
This paper proposes a new anonymous ID-based user authenticated key agreement protocol for the multi-server environment, with its security proved in the random oracle model. Compared with the existing protocols, our model provides unconditional anonymity. The proposed protocol uses a ring signature so that users can anonymously authenticate themselves to the servers without revealing their identities to the servers, unlike the other schemes. Therefore, our scheme provides better privacy protection for users in the IoT multi-server environment.
Acknowledgements This work is supported by the National Natural Science Foundation of China (Grant No. 61272525), the Fundamental Research Funds for the Central Universities (Grant No. ZYGX2016J081) and the Laboratory for Internet of Things and Mobile Internet Technology of Jiangsu Province (Grant No. JSWLW-2017-006).
References
1. Wu TY, Tseng YM (2010) An efficient user authentication and key exchange protocol for mobile client–server environment. Comput Netw 54(9):1520–1530
2. Debiao H, Jianhua C, Jin H (2012) An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security. Information Fusion 13(3):223–230
3. He D (2012) An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Netw 10(6):1009–1016
4. Shen H, Gao C, He D, Wu L (2015) New biometrics-based authentication scheme for multi-server environment in critical systems. J Ambient Intell Humaniz Comput 6(6):825–834
5. Chow SSM, Yiu SM, Hui LCK (2005) Efficient identity based ring signature. Springer, Berlin, pp 499–512. https://doi.org/10.1007/11496137_34
6. Pleva P (2012) A revised classification of anonymity. arXiv:1211.5613
7. Shamir A (1984) Identity-based cryptosystems and signature schemes. In: Workshop on the theory and application of cryptographic techniques. Springer, pp 47–53
8. Li LH, Lin LC, Hwang MS (2001) A remote password authentication scheme for multiserver architecture using neural networks. IEEE Trans Neural Netw 12(6):1498–1504. https://doi.org/10.1109/72.963786
9. Juang WS (2004) Efficient multi-server password authenticated key agreement using smart cards. IEEE Trans Consum Electron 50(1):251–255. https://doi.org/10.1109/TCE.2004.1277870
10. Chang CC, Lee JS (2004) An efficient and secure multi-server password authentication scheme using smart cards. In: 2004 International conference on cyberworlds, pp 417–422. https://doi.org/10.1109/CW.2004.17
11. Liao YP, Wang SS (2009) A secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(1):24–29
12. Hsiang HC, Shih WK (2009) Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(6):1118–1123
13. Sood SK, Sarje AK, Singh K (2011) A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 34(2):609–618
14. Li X, Xiong Y, Ma J, Wang W (2012) An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J Netw Comput Appl 35(2):763–769
15. Han W (2012) Weaknesses of a dynamic identity based authentication protocol for multi-server architecture. arXiv:1201.0883
16. Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255. https://doi.org/10.1007/s11227-010-0512-1
17. Khan MK, He D (2012) A new dynamic identity-based authentication protocol for multi-server environment using elliptic curve cryptography. Security and Communication Networks 5(11):1260–1266. https://doi.org/10.1002/sec.573
18. Han W, Zhu Z (2014) An id-based mutual authentication with key agreement protocol for multiserver environment on elliptic curve cryptosystem. Int J Commun Syst 27(8):1173–1185. https://doi.org/10.1002/dac.2405
19. He D, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823. https://doi.org/10.1109/JSYST.2014.2301517
20. Shen H, Gao C, He D, Wu L (2015) New biometrics-based authentication scheme for multi-server environment in critical systems. J Ambient Intell Humaniz Comput 6(6):825–834. https://doi.org/10.1007/s12652-015-0305-8
21. Tseng YM, Huang SS, You ML (2017) Strongly secure ID-based authenticated key agreement protocol for mobile multi-server environments. Int J Commun Syst 30(11):e3251. https://doi.org/10.1002/dac.3251
22. Jiang P, Wen Q, Li W, Jin Z, Zhang H (2015) An anonymous and efficient remote biometrics user authentication scheme in a multi server environment. Front Comp Sci 9(1):142–156. https://doi.org/10.1007/s11704-014-3125-7
23. Lin H, Wen F, Du C (2015) An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wirel Pers Commun 84(4):2351–2362. https://doi.org/10.1007/s11277-015-2708-4
24. Liao YP, Hsiao CM (2013) A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients. Futur Gener Comput Syst 29(3):886–900
25. He D, Zeadally S, Kumar N, Wu W (2016) Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures. IEEE Trans Inf Forensics Secur 11(9):2052–2064. https://doi.org/10.1109/TIFS.2016.2573746
26. Zhu H (2015) A provable one-way authentication key agreement scheme with user anonymity for multi-server environment. KSII Trans Internet Inf Syst (TIIS) 9(2):811–829
27. Jangirala S, Mukhopadhyay S, Das AK (2017) A multi-server environment with secure and efficient remote user authentication scheme based on dynamic id using smart cards. Wirel Pers Commun 95(3):2735–2767. https://doi.org/10.1007/s11277-017-3956-2
28. Tsai JL, Lo NW (2015) A chaotic map-based anonymous multi-server authenticated key agreement protocol using smart card. Int J Commun Syst 28(13):1955–1963. https://doi.org/10.1002/dac.2829
29. Irshad A, Sher M, Chaudhary SA, Naqvi H, Farash MS (2016) An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging registration centre. J Supercomput 72(4):1623–1644. https://doi.org/10.1007/s11227-016-1688-9
30. Rivest RL, Shamir A, Tauman Y (2001) How to leak a secret. In: International conference on the theory and application of cryptology and information security. Springer, pp 552–565
31. Zhang F, Kim K (2002) ID-based blind signature and ring signature from pairings. In: International conference on the theory and application of cryptology and information security. Springer, pp 533–547
32. Lin CY, Wu TC (2004) An identity-based ring signature scheme from bilinear pairings. In: 18th international conference on advanced information networking and applications, 2004. AINA 2004, vol 2. IEEE, pp 182–185
33. Awasthi AK, Lal S (2005) ID-based ring signature and proxy ring signature schemes from bilinear pairings. arXiv:cs/0504097
34. Herranz J, Sáez G (2004) New identity-based ring signature schemes. In: ICICS, vol 4. Springer, pp 27–39
35. Chow SSM, Hui LCK, Yiu SM (2005) Identity based threshold ring signature. In: Park CS, Chee S (eds) Information security and cryptology – ICISC 2004. Springer, Berlin, pp 218–232
36. Boneh D, Franklin M (2001) Identity-based encryption from the Weil pairing. In: Advances in cryptology – CRYPTO 2001. Springer, pp 213–229
37. Boneh D, Lynn B, Shacham H (2004) Short signatures from the Weil pairing. J Cryptol 17(4):297–319. https://doi.org/10.1007/s00145-004-0314-9
38. Sui A, Chow SSM, Hui LCK, Yiu SM, Chow KP, Tsang WW, Chong CF, Pun KH, Chan HW (2005) Separable and anonymous identity-based key issuing. In: 11th international conference on parallel and distributed systems (ICPADS'05), vol 2, pp 275–279. https://doi.org/10.1109/ICPADS.2005.263
39. Bellare M, Rogaway P (1993) Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM conference on computer and communications security, CCS '93. ACM, New York, pp 62–73. https://doi.org/10.1145/168588.168596
40. Choon JC, Hee Cheon J (2002) An identity-based signature from gap Diffie-Hellman groups. Springer, Berlin, pp 18–30. https://doi.org/10.1007/3-540-36288-6_2
41. Tsai JL, Lo NW (2015) Provably secure and efficient anonymous id-based authentication protocol for mobile devices using bilinear pairings. Wirel Pers Commun 83(2):1273–1286. https://doi.org/10.1007/s11277-015-2449-4
42. Caro AD, Iovino V (2011) JPBC: java pairing based cryptography. In: 2011 IEEE symposium on computers and communications (ISCC), pp 850–855. https://doi.org/10.1109/ISCC.2011.5983948
43. Daemen J, Rijmen V (2013) The design of Rijndael: AES - the advanced encryption standard. Springer Science & Business Media
44. Shim KA, Lee YR, Park CM (2013) EIBAS: an efficient identity-based broadcast authentication scheme in wireless sensor networks. Ad Hoc Netw 11(1):182–189
... It can not achieve the key escrow resilience. Hassan et al. [10] presented an ID-based user authenticated key agreement protocol for multi-server environment with anonymity. The protocol can establish a session key and applied a ring signature to protect anonymity, but the computation cost is high for example the number of hash functions and exchanged messages during the communication between entities. ...
... 3. Unknown key share Any of the two entities is not forced to disclose the key to others rather than his counterpart. 10. Consensus mechanism It is mechanism used in blockchain to make an agreement on data value or network state of network among the distributed processes. ...
... -Signing: the node B calculates and issues z 1 = (k + h d)mod q to the collector node M. -Unblinding: the collector node computes the following. 10 . The collector node outputs (m, Υ , R, ν) and Ω = (Υ , R, ν) is a blind signature on m (Fig. 6). ...
Article
Full-text available
Certificateless authenticated key agreement (CLAKA) is important to prevent the escrow problem. It also mitigates the certificate management burden in storage and during the message exchange. However, many previously designed CLAKA protocols were designed in the centralized system architectures that may cause the single point of failure. A new CLAKA is designed in a decentralized (blockchain) architecture that is very suitable for wireless body area networks (WBANs). The proposed protocol is secure as long as it computes a common session key between WBAN user and blockchain nodes. An ID-based blind signature with message recovery is used between blockchain nodes. The blind signature with message recovery is used to achieve authentication and anonymity by acquiring a signature without disclosing the message. It also has advantage in minimizing the size of signature and it is efficient in a situation of limited bandwidth. The protocol analysis shows that it is secure and can resist many WBAN security attacks compared to the existing authenticated key agreement protocols.
... Next, Lin et al. [32] presented a protocol based on the ElGamal digital signature, but the use of multiple system parameters also made this approach computationally inefficient. Subsequently, several multiserver authentication protocols were designed that can be classified into symmetric cryptosystem-based protocols [4,34,46], public cryptosystems-based protocols [7,17,38,39,48,49], protocols using pairing-based cryptosystems [6,16,22,43] and hash-based protocols [13,15,26,36,42]. Of these categories, the hash-based protocols are highly efficient because cryptographic one-way hash operations require less computation than do other complex cryptographic operations. ...
Article
Full-text available
Multiserver authentication requires users to have only one-time registration for accessing different permissible services securely from various servers over an insecure network. To date, many multiserver authentication protocols have been presented in the literature. Most of them require the registration server’s participation at the time of authentication, leading to increased communication overhead and bandwidth overload of the registration server. Recently, Lee et al. introduced a multiserver authentication protocol using extended chaotic maps that permits registered users and servers to authenticate with each other directly. In this paper, we revisit Lee et al.’s protocol and find that it is insecure against user impersonation and session-specific temporary information attacks. Additionally, the protocol uses timestamps, which may cause serious time synchronization problems. The weaknesses of Lee et al.’s protocol prompted us to propose another protocol based on extended chaotic maps, which is free from serious time synchronization problems, more efficient in terms of computation and communication overheads, and more robust against all known attacks. Furthermore, our protocol adds extra functionality features such as considering the users’ registration expiration, server scalability, and inclusion of two new phases: a deregistration phase and a registration renewal phase for a registered user. Our protocol’s security has been validated using the automated tool ProVerif and proven through formal and informal analyses. With better security protection, fewer complexities, and additional features, the proposed protocol is more suitable for practical use than other related protocols.
Article
Nowadays, fog computing has become an emerging hot-topic for possessing the same advantages as cloud computing and the lower latency. Nevertheless, there are still many issues in fog computing that worth studying, the most importantly of which are key agreement and user authentication. In order to achieve secure communication among different entities, designing a secure key agreement and user authentication scheme becomes an urgent issue. Although many schemes have been investigated the key agreement and user authentication for cloud computing, these schemes cannot be directly applied to the fog computing due to efficiency and cost. To tackle this problem, we propose a secure and efficient key agreement and user authentication scheme for fog computing. Our scheme can establish secure sessions among different entities, and users can achieve cross-domain access to other fog server. Most importantly, Our scheme satisfies the perfect forward security and the complete anonymity. We prove that our scheme is secure in the random oracle model, and achieve formal security verification through the AVISPA tool. Finally, the performance analysis demonstrates that our scheme tends to be more efficient in comparison with similar schemes.
Article
The use of Implantable medical devices (IMDs) in the arena of medical sciences have provided a quantum leap in network transformation by permitting and retrieving the technology on demand. However, with the constant progress of these devices with respect to wireless communication and the potential for outside caregiver to communicate wirelessly have increased its impact to security, and infringement in privacy of human beings. The Controller Device (CD) is one of the most important component in the IMD communication network. The patient’s vitals are stored in a medical server through this device. The IMD monitors the physical phenomena such as heart rate and blood glucose level of the patient and transmits the information to the CD through some type of wireless communication media like Bluetooth, WiFi etc. Then the CD forwards the information to the cloud server using a access point. The data is stored for further analysis and decision making by the medical expert such as doctor, healthcare provider for the consultation. The users (doctors, patients, or the emergency response team) can access the data stored in the cloud server after a successful authentication. In this paper, we propose an efficient and lightweight secure authenticated key establishment protocol ( PUA-KE). The security is proven in random oracle model and the experimental analysis demonstrates that the proposed scheme achieves a lower computational time and communication overhead at 80-bit, 112-bit and 128-bit security level in comparison to existing such schemes.
Article
Full-text available
Currently, every user outsources a huge amount of shared secrets remotely from different servers and utilises synchrony resources. To make all types of operations secure for the end‐user, synchronous storage is vital and asynchronous storage might lead to the unavailability of successful services. Hence, a robust authentication scheme is mandatory for such purpose which not only confirms the synchrony of the distributed shared resources but also secure access to shared secrets. So far no one has offered an accurate and flawless secure mechanism despite serious attempts. For this purpose, the authors have designed an improved and robust authentication protocol to ensure the security, integrity, and confidentiality of information and synchrony of shared secrets up to a maximum level. The security of the proposed dynamic mechanism has been verified both formally using random Oracle model and verification toolkit ProVerif2.00 and informally using assumptions and theorems. A delicate balance between security and performance has been shown in the performance analysis section of the study.
Article
Authenticated key agreement (AKA) enables communicating parties to mutually establish a session key, in a way that each entity is assured of the authentication of its peer. Certificateless AKA (CLAKA) protocols are widely designed since they avoid the key escrow problem found in identity-based systems and overcome certificateless management overheads in Public Key Infrastructure (PKI). Furthermore, the existing CLAKA were designed to operate in centralized network. Such architecture is a single point of management and single point of failure. We need lightweight protocols that fit with body sensors capabilities. In order to mitigate the aforementioned vulnerabilities, we propose a pairing-based certificateless against the key escrow problem. Our protocol operates in a decentralized system against the single point of failure and management. The protocol establishes a session key in the first phase for communications. The ring signature is used in the second phase for node authentication. The ring signature has advantage of reducing computation costs where a node signs a signature on behalf of others. The signing node remains anonymous and other nodes can verify the signature. Another advantage of ring signature is that there is no specification about the size of the group.
Article
With the development of cloud computing, many enterprises have been interested in outsourcing their data to cloud servers to decrease IT costs and rise capabilities of provided services. To afford confidentiality and fine-grained data access control, attribute-based encryption (ABE) was proposed and used in several cloud storage systems. However, scalability and flexibility in key delegation and user revocation mechanisms are primary issues in ABE systems. In this paper, we introduce the concept of a fully distributed revocable ciphertext-policy hierarchical ABE (FDR-CP-HABE) and design the first FDR-CP-HABE scheme. Our scheme offers a high level of flexibility and scalability in the key delegation and user revocation phases. Moreover, our scheme is efficient and provides lightweight computation in the decryption phase. Indeed, by exploiting a computation outsourcing technique, most of the operations are executed by the powerful cloud server, and very few computations are left to the users. Also, the storage cost on the user side is significantly decreased as compared to similar schemes. Furthermore, using the hardness assumption of DBDH problem, we prove that our scheme is adaptively secure in the standard model. Our security analyses and implementation results indicate that our scheme is efficient, secure, and scalable.
Chapter
Multi‐access edge computing (MEC) is an evolving paradigm of the Internet of things (IoT) applications. The MEC is a complement to traditional cloud computing where services are extended closer to the network and so to the end users. As mobile users can use MEC services in an inter‐domain, security is one of the challenging questions, how to protect IoT applications in MEC environments from abuses? In addition, considering real‐world MEC supported IoT applications (e.g. airport) where a user is always on the move from one network to another network. This scenario also poses many security challenges. To mitigate this, an authentication mechanism can play an important role to defend MEC from unauthorized access. Thus, an authentication mechanism is needed that can support mobility for MEC users. Moreover, establishing a session key is also highly desirable between the MEC users and foreign‐edge servers to enable secure communication in MEC environments. In addition, how to maintain users' anonymity is another important security requirement, as MEC users do not want to disclose their private information. To solve these issues, this chapter proposes a new efficient and anonymous mobility supported mutual authentication scheme in MEC environments. The scheme utilizes the password and smartcard as two‐factor authentications and facilitates many services to the users such as user anonymity, mutual authentication, and secure session key establishment in mobility supported environments. In addition, it allows users to choose/update their password regularly, whenever needed. Security and performance evaluation show the practicality of the proposed scheme.
Chapter
Nowadays, smartphone applications are the most widespread in our daily lives. These applications raise several security concerns such as authentication, key agreement, and mutual authentication. Accordingly, researchers have presented several user authentication schemes based on identity-based cryptography (IBC) and certificateless cryptography (CLC). Smartphones are resource-constrained devices and therefore need lightweight protocols. However, the existing schemes suffer from high computational costs, especially those that depend on CLC. In this paper, a lightweight certificateless user authentication scheme based on elliptic curve cryptography (ECC) is introduced. The proposed scheme has the lowest computation cost compared with the existing certificateless user authentication protocols. Furthermore, the proposed scheme is secure under the computational Diffie-Hellman (CDH) problem and the elliptic curve discrete logarithm problem (ECDLP). Indeed, the proposed scheme is suitable for use in the mobile client-server environment and in Internet of things (IoT) applications.
Article
The growth of the Internet and telecommunication technology has facilitated remote access. During the last decade, numerous remote user authentication schemes based on dynamic ID have been proposed for the multi-server environment using smart cards. Recently, Shunmuganathan et al. pointed out that Li et al.'s scheme is defenseless against the password guessing attack, stolen smart card attack and forgery attack. Furthermore, they showed the poor repairability and lack of two-factor security in Li et al.'s scheme. To surmount these security disadvantages, Shunmuganathan et al. proposed a remote user authentication scheme using smart cards for the multi-server environment and claimed that their scheme is secure and efficient. In this paper, we show that Shunmuganathan et al.'s scheme is also defenseless against the password guessing attack, stolen smart card attack, user impersonation attack and forgery attack, and does not provide forward secrecy or session key secrecy. Moreover, two-factor security is also not preserved in their scheme. In our proposed scheme, a user is free to choose his/her login credentials such as user id and password. A user can also regenerate the password at any time. Simultaneously, the proposed scheme preserves the merits of Shunmuganathan et al.'s scheme and also provides better functionality and security features, such as mutual authentication, session key agreement and perfect forward secrecy. The security analysis using the widely accepted Burrows-Abadi-Needham logic shows that the proposed scheme provides a proof of mutual authentication between a user and a server. Through rigorous formal and informal security analysis, we show that the proposed scheme is secure against possible known attacks. In addition, we carry out a simulation of the proposed scheme using the widely accepted Automated Validation of Internet Security Protocols and Applications tool, and the simulation results clearly indicate that our scheme is secure.
Article
Multi-server authentication (MSA) enables a user to access multiple services permitted by various servers after a single registration with the registration centre. Earlier, with single-server authentication, a user had to register with every server individually to obtain the respective services. In the last few years, many MSA-based schemes have been presented; however, most of these suffer communication overhead due to the Registration Centre (RC) being involved in every mutual authentication session. In voice communication this round-trip latency becomes even more noticeable. Hence, the focus of protocol design has shifted towards lightweight cryptographic techniques such as the Chebyshev chaotic map technique (CCM). We have reviewed a few of the latest MSA-related schemes based on CCM and on elliptic curve cryptography (ECC) as well. Based on their limitations and these considerations, we propose a single-round-trip MSA protocol based on the CCM technique that forgoes RC involvement during mutual authentication. Our scheme is cost efficient in terms of communication delay and computation, and provides enhanced security through the use of a public key cryptosystem. The proposed scheme is duly backed by formal security analysis and performance evaluation.
Article
Recently, Chuang et al. proposed a multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. They claimed that their scheme can resist replay attacks, modification attacks, off-line password guessing attacks and insider attacks. However, we demonstrate that their scheme is vulnerable to a server spoofing attack and cannot protect the user's anonymity or the session key, even if the adversary only knows the information transmitted over the public channel. Furthermore, their scheme cannot resist a user impersonation attack if the smart card is stolen. To overcome these problems, we propose a robust anonymous multi-server authenticated key agreement scheme. We show that our proposed scheme provides stronger security than previous protocols and protects user anonymity.
Article
To provide mutual authentication and communication confidentiality between mobile clients and servers, numerous identity-based authenticated key agreement (ID-AKA) protocols have been proposed to authenticate each party while constructing a common session key. In most of the existing ID-AKA protocols, ephemeral secrets (random values) are involved in the computation of the common session key between mobile client and server. Thus, these ID-AKA protocols might become vulnerable to ephemeral-secret-leakage (ESL) attacks, in the sense that if the involved ephemeral secrets are compromised, an adversary could compute session keys and reveal the private keys of participants in the AKA protocol. Very recently, two ID-AKA protocols were proposed to withstand ESL attacks. One of them is suitable for the single-server environment and requires no pairing operations on the mobile client side. The other fits multi-server environments, but requires two expensive pairing operations. In this article, we present a strongly secure ID-AKA protocol resisting ESL attacks in mobile multi-server environments. By performance analysis and comparison, we demonstrate that our protocol requires the lowest communication overhead, does not require any pairing operations, and is well suited to mobile devices with limited computing capability. For security analysis, our protocol is provably secure under the computational Diffie-Hellman assumption in the random oracle model.
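The ESL attack described in the abstract above is easiest to see on a concrete key derivation. The following Python illustration is added here by the editor; it is not the protocol of that article or of any other paper listed on this page. It contrasts a session key derived from the ephemeral Diffie-Hellman exponents alone (which an adversary who learns both ephemerals recomputes outright) with a derivation that also binds both parties' long-term keys, so that leaked ephemerals by themselves are not enough. The modular group parameters, the function names and the ordering of the hashed shared values are all assumptions chosen for readability, and the toy prime is not a secure choice for deployment.

```python
"""Why ephemeral-secret leakage (ESL) matters in authenticated key agreement.

Editor's illustration, not the protocol of any paper on this page.
Initiator A holds long-term exponent a and ephemeral x; responder B holds
long-term b and ephemeral y.  The adversary learns x and y (ESL) plus every
public value sent on the wire, and nothing else.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption, chosen for readability only)
G = 3            # toy generator (assumption)
NBYTES = (P.bit_length() + 7) // 8


def keygen():
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(*shared_values):
    """Hash the shared group elements, in a fixed order, into a session key."""
    h = hashlib.sha256()
    for v in shared_values:
        h.update(v.to_bytes(NBYTES, "big"))
    return h.hexdigest()


def naive_session_key(my_eph_priv, peer_eph_pub):
    """Session key = H(g^xy): depends on the ephemeral exponents only."""
    return kdf(pow(peer_eph_pub, my_eph_priv, P))


def combined_session_key(my_static_priv, my_eph_priv,
                         peer_static_pub, peer_eph_pub, initiator):
    """Session key = H(g^ab, g^xy, g^ay, g^bx) in a role-fixed order.

    g^ab needs a long-term private key, so leaking x and y alone is not enough.
    """
    ss = pow(peer_static_pub, my_static_priv, P)   # g^ab
    ee = pow(peer_eph_pub, my_eph_priv, P)         # g^xy
    se = pow(peer_eph_pub, my_static_priv, P)      # initiator: g^ay, responder: g^bx
    es = pow(peer_static_pub, my_eph_priv, P)      # initiator: g^bx, responder: g^ay
    return kdf(ss, ee, se, es) if initiator else kdf(ss, ee, es, se)


def esl_attack_naive(leaked_y, X_pub):
    """With one leaked ephemeral and the peer's public ephemeral, g^xy is free."""
    return kdf(pow(X_pub, leaked_y, P))


def esl_attack_combined(leaked_x, leaked_y, A_pub, B_pub, X_pub):
    """Return the three inputs of the combined key the adversary CAN compute.

    g^xy, g^ay and g^bx follow from the leak plus public values; g^ab does not.
    """
    ee = pow(X_pub, leaked_y, P)   # g^xy
    ay = pow(A_pub, leaked_y, P)   # g^ay
    bx = pow(B_pub, leaked_x, P)   # g^bx
    return ee, ay, bx


def simulate(a, x, b, y):
    """Run both derivations for A=(a, x) and B=(b, y) and attack them."""
    A_pub, X_pub = pow(G, a, P), pow(G, x, P)
    B_pub, Y_pub = pow(G, b, P), pow(G, y, P)

    naive_A = naive_session_key(x, Y_pub)
    naive_B = naive_session_key(y, X_pub)
    comb_A = combined_session_key(a, x, B_pub, Y_pub, initiator=True)
    comb_B = combined_session_key(b, y, A_pub, X_pub, initiator=False)

    attacked_naive = esl_attack_naive(y, X_pub)
    ee, ay, bx = esl_attack_combined(x, y, A_pub, B_pub, X_pub)
    # Without a or b the adversary can only guess g^ab; one random guess stands
    # in for that here.
    guess_ab = pow(G, secrets.randbelow(P - 2) + 1, P)
    attacked_combined = kdf(guess_ab, ee, ay, bx)

    return {
        "naive_match": naive_A == naive_B,          # both sides agree
        "naive_broken": attacked_naive == naive_A,  # ESL recovers the key
        "combined_match": comb_A == comb_B,         # both sides agree
        "combined_broken": attacked_combined == comb_A,  # ESL alone fails
    }


if __name__ == "__main__":
    a, _ = keygen(); x, _ = keygen(); b, _ = keygen(); y, _ = keygen()
    print(simulate(a, x, b, y))
```

The combined derivation is the shape of the "triple Diffie-Hellman" style constructions that ESL-resistant protocols build on: every input the adversary can reconstruct from the leaked randomness is mixed with one (g^ab) that requires a long-term private key. Binding the long-term keys also fixes which party can have produced the key, which is the mutual-authentication half of AKA.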
Article
Rapid advances in wireless communication technologies have paved the way for a wide range of mobile devices to become increasingly ubiquitous and popular. Mobile devices enable anytime, anywhere access to the Internet. The fast growth of many types of mobile services used by various users has made the traditional single-server architecture inefficient in terms of its functional requirements. To ensure the availability of various mobile services, there is a need to deploy multi-server architectures. To ensure the security of various mobile service applications, the anonymous mobile user authentication (AMUA) protocol without online registration using the self-certified public key cryptography (SCPKC) for multi-server architectures was proposed in the past. However, most of the past AMUA solutions suffer from malicious attacks or have unacceptable computation and communication costs. To address these drawbacks, we propose a new AMUA protocol that uses the SCPKC for multi-server architectures. In contrast to the existing AMUA protocols, our proposed AMUA protocol incurs lower computation and communication costs. By comparing with two of the latest AMUA protocols, the computation and the communication costs of our protocol are at least 74.93% and 37.43% lower than them, respectively. Moreover, the security analysis of our AMUA protocol demonstrates that it satisfies the security requirements in practical applications and is provably secure in the novel security model. By maintaining security at various levels, our AMUA protocol is more practical for various mobile applications.
Article
A critical system is an open control system that uses distributed computing methods and possesses increasing levels of autonomy. Due to the openness of the network, the system is vulnerable to various attacks. To enhance its security, mutual authentication among the server, the user and the registration centre is essential. In the last several years, many biometrics-based authentication schemes for critical systems in the client-server environment have been proposed for practical applications. However, those schemes are not suitable for critical systems in the multi-server environment. To guarantee secure communication in critical systems in the multi-server environment, we propose a new biometrics-based authentication scheme for the multi-server environment. Security analysis and performance analysis show that the proposed scheme avoids the security weaknesses of previous schemes while the additional cost is small.
Article
One-way authenticated key agreement protocols, aimed at establishing secure communications over public insecure networks, achieve one-way authentication of the communicating entities, giving a specific user strong anonymity and confidentiality of the transmitted data. One-way authenticated key agreement protocols can be built on a Public Key Infrastructure, but that consumes a large amount of computation. Because one-way authenticated key agreement protocols mainly concern authentication and key agreement, we adopt a multi-server architecture to realize these goals. A multi-server architecture allows the user to register at the registration center (RC) once and then access all the permitted services provided by the eligible servers. Combining the above ideas leads to a highly practical scheme in the universal client/server architecture. Based on these motivations, this paper first proposes a new one-way authenticated key agreement scheme based on a multi-server architecture. Compared with recent related work, our proposed scheme not only offers high efficiency and unique functionality but is also robust against various attacks and achieves perfect forward secrecy. Finally, we give the security proof and the efficiency analysis of our proposed scheme.
Article
With the rapid development and massive deployment of handheld mobile devices, people in modern societies heavily enjoy and depend on the convenience and efficiency of instant information access and data processing through the wireless Internet connectivity of their own mobile devices. In consequence, how to securely communicate with remote servers and access requested data over an insecure wireless channel, while keeping energy consumption on handheld mobile devices low during these security computations, has become a major challenge for designers of secure authentication protocols. This study proposes a provably secure and efficient ID-based authentication protocol using bilinear pairings for the mobile user environment. Formal security analyses show that the proposed protocol is secure against well-known attacks in the random oracle model. Comparisons of performance efficiency and security between existing pairing-based protocols and ours are conducted to evaluate our protocol. The results indicate that our protocol has a lower computation cost on the mobile user side and supports more security properties than the others.