Improved and Provably Secure ECC-Based Two-Factor Remote Authentication Scheme with Session Key Agreement
Abstract
1. Introduction
1.1. Motivations and Contributions
1.2. Structure of the Article
2. Preliminaries
2.1. Hash Function
 The function h takes an arbitrary-length input $x\in {\{0,1\}}^{*}$ and returns a fixed-length l-bit message digest $y\in {\{0,1\}}^{l}$.
 The function h is one-way; it is trivial to compute $y=h\left(x\right)$, but computationally infeasible to find the inverse $x={h}^{-1}\left(y\right)$.
 The function h is collision-resistant; it is computationally infeasible to find two inputs ${x}_{1}\ne {x}_{2}$ such that $h\left({x}_{1}\right)=h\left({x}_{2}\right)$.
2.2. Elliptic Curve over Finite Fields
2.3. Adversary Model
 A1: An adversary $\mathcal{A}$ can trap, delete, or alter the messages transmitted over the public channel.
 A3: An adversary $\mathcal{A}$ can guess the identity or password using a dictionary attack. However, $\mathcal{A}$ cannot guess both the identity and password simultaneously within polynomial time [37].
 A4: An adversary $\mathcal{A}$ can be a non-registered user who tries to attack the authentication system [31].
 A5: The server is considered a trusted authority, and the adversary $\mathcal{A}$, as a privileged insider, cannot extract the server’s secret key s.
2.4. Security Goals
 Mutual authentication: Both the server and the user can authenticate each other. No adversary can impersonate a legal user or server.
 Session key agreement: A session key should be created as the final step in the mutual authentication phase. Afterward, the communication between both parties can be encrypted using the shared session key.
 Forward secrecy: Even if the long-term private keys are compromised, the previous session keys cannot be used by any adversary to forge other session keys.
 User anonymity: A user’s identity should not be transmitted explicitly over an insecure channel. This ensures that the user’s sensitive information is protected from an adversary $\mathcal{A}$, even with the knowledge of login information or access to the server.
 User traceability: The server should be able to trace the sender of the login request message to avoid the denial-of-service attack. A database of registered users should be maintained by the server.
 Local password verification: A smart card can verify the user identity and password in the login phase before generating the login request message. This way, the smart card can reduce computational overhead by avoiding unnecessary calculations.
 Local password changeability: Users can update/change their passwords independently without the server’s assistance. The smart card must be able to detect unauthorized password update requests through the wrong input of the user identity and old password.
2.5. BAN Logic
2.6. Review of the Scheme by Chaudhry et al.
 (1) System initialization phase
 (2) User registration phase
 (3) User login phase
 (4) Mutual authentication phase
2.7. Drawbacks of Scheme by Chaudhry et al.
 (1) Computational infeasibility
 (2) Weakness to privileged insider attack
 (3) Unable to trace user
 (4) No mechanism for password change/update
3. Proposed Scheme
3.1. System Initialization Phase
 The Server S selects an elliptic curve ${E}_{p}(a,b)$ over ${\mathbb{F}}_{p}$, where p is a k-bit prime, and a base point P of order n from ${G}_{p}$ of ${E}_{p}(a,b)$, where n is a large number for security purposes.
 The Server S computes the secret key and public key pair $(s,{P}_{pub})$ such that ${P}_{pub}=\left[s\right]P$, where s is a random integer $s\in {\mathbb{Z}}_{n}^{*}$.
 The Server S chooses a cryptographic one-way hash function $h:{\{0,1\}}^{*}\to {\mathbb{Z}}_{n}^{*}$.
 The Server S publishes $\{{E}_{p}(a,b),P,{P}_{pub},h(\cdot)\}$ and keeps s secret.
3.2. User Registration Phase
 The user ${U}_{i}$ chooses an identity ${ID}_{i}$ and password ${pw}_{i}$, and generates a random integer ${b}_{i}\in {\mathbb{Z}}_{n}^{*}$. Then, the user ${U}_{i}$ computes ${hpw}_{i}=h({pw}_{i}\parallel {b}_{i})$ and sends $\{{ID}_{i},{hpw}_{i}\}$ to S through a secure channel.
 The Server S computes ${CID}_{i}=h({ID}_{i}\oplus s)$ and checks the availability of ${CID}_{i}$. If the value ${CID}_{i}$ is in the database of registered users, the user ${U}_{i}$ will be asked to input a new ${ID}_{i}$. Otherwise, the Server stores ${CID}_{i}$ into the database. Following the approach taken by [31], this step is added to allow S to trace the user during the login phase.
 The Server S computes ${AID}_{i}=[{CID}_{i}+{hpw}_{i}]P$, ${BID}_{i}=h(h\left({ID}_{i}\right)\oplus {hpw}_{i})$, stores $\{{AID}_{i},{BID}_{i}\}$ into the smart card ${SC}_{i}$, and issues the card securely to ${U}_{i}$.
 Once the user ${U}_{i}$ receives the smart card ${SC}_{i}$, the user computes ${\widehat{b}}_{i}=h({ID}_{i}\parallel {pw}_{i})\oplus {b}_{i}$ and stores the value ${\widehat{b}}_{i}$ into ${SC}_{i}$. Hence, the smart card ${SC}_{i}=\{{AID}_{i},{BID}_{i},{\widehat{b}}_{i}\}$.
3.3. User Login Phase
 The smart card ${SC}_{i}$ computes ${b}_{i}^{\prime}={\widehat{b}}_{i}\oplus h({ID}_{i}^{\prime}\parallel {pw}_{i}^{\prime})$, ${hpw}_{i}^{\prime}=h({pw}_{i}^{\prime}\parallel {b}_{i}^{\prime})$, and ${BID}_{i}^{\prime}=h(h\left({ID}_{i}^{\prime}\right)\oplus {hpw}_{i}^{\prime})$, and checks if ${BID}_{i}^{\prime}={BID}_{i}$ holds. If the equation holds, then ${U}_{i}$ has entered the correct identity and password, ${ID}_{i}^{\prime}={ID}_{i}$ and ${pw}_{i}^{\prime}={pw}_{i}$, respectively. Otherwise, the login phase is aborted.
 The smart card ${SC}_{i}$ selects a random integer ${r}_{i}\in {\mathbb{Z}}_{n}^{*}$ and computes ${R}_{i}=\left[{r}_{i}\right]P=({x}_{Ri},{y}_{Ri})\in {G}_{p}$, where ${x}_{Ri}$ and ${y}_{Ri}$ are the x-component and y-component of the point ${R}_{i}$, respectively.
 The smart card ${SC}_{i}$ computes ${M}_{i}=\left[{r}_{i}\right]{P}_{pub}=({x}_{Mi},{y}_{Mi})\in {G}_{p}$, ${TID}_{i}={AID}_{i}-\left[{hpw}_{i}\right]P=({x}_{Ti},{y}_{Ti})\in {G}_{p}$, ${DID}_{i}={ID}_{i}\oplus {y}_{Mi}$, and ${EID}_{i}=h({x}_{Ti}\parallel {x}_{Mi}\parallel {T}_{i1})$, where ${T}_{i1}$ is the timestamp of ${U}_{i}$’s login request submission.
 The smart card ${SC}_{i}$ submits the login request message $=\{{DID}_{i},{EID}_{i},{R}_{i},{T}_{i1}\}$ to S through a public channel.
3.4. Mutual Authentication Phase
 The Server S checks if $({T}_{s1}-{T}_{i1})\le \Delta T$, where $\Delta T$ is the allowed transmission delay. If the time difference does not hold, the login request is rejected.
 The Server S computes ${M}_{i}^{\prime}=\left[s\right]{R}_{i}=({x}_{Mi}^{\prime},{y}_{Mi}^{\prime})\in {G}_{p}$ in order to retrieve the identity ${ID}_{i}^{\prime}={DID}_{i}\oplus {y}_{Mi}^{\prime}$ and ${CID}_{i}^{\prime}=h({ID}_{i}^{\prime}\oplus s)$. Then, the Server S checks the validity of ${ID}_{i}^{\prime}$ by searching the value of ${CID}_{i}^{\prime}$ in the registered users’ database. If ${CID}_{i}^{\prime}$ is not in the database, the login request is rejected.
 The Server S computes ${TID}_{i}^{\prime}=\left[{CID}_{i}^{\prime}\right]P=({x}_{Ti}^{\prime},{y}_{Ti}^{\prime})\in {G}_{p}$ and ${EID}_{i}^{\prime}=h({x}_{Ti}^{\prime}\parallel {x}_{Mi}^{\prime}\parallel {T}_{i1})$, and checks if ${EID}_{i}^{\prime}={EID}_{i}$ holds. If the equation does not hold, the login request is rejected.
 The Server S generates a random integer ${r}_{s}\in {\mathbb{Z}}_{n}^{*}$, computes ${R}_{s}=\left[{r}_{s}\right]{R}_{i}=({x}_{Rs},{y}_{Rs})\in {G}_{p}$, ${Z}_{s}={R}_{s}+{M}_{i}^{\prime}$, and ${H}_{s}=h({EID}_{i}^{\prime}\parallel {x}_{Rs}\parallel {T}_{s1}\parallel {x}_{Ti}^{\prime})$, and sends the response message $=\{{Z}_{s},{H}_{s},{T}_{s1}\}$ to ${U}_{i}$ through the public channel.
 Once the user ${U}_{i}$ receives the response message at time ${T}_{i2}$, the user ${U}_{i}$ checks if $({T}_{i2}-{T}_{s1})\le \Delta T$. If the time difference does not hold, the user ${U}_{i}$ disconnects from the Server S.
 The user ${U}_{i}$ computes ${R}_{s}^{\prime}={Z}_{s}-{M}_{i}=({x}_{Rs}^{\prime},{y}_{Rs}^{\prime})\in {G}_{p}$, and ${H}_{s}^{\prime}=h({EID}_{i}\parallel {x}_{Rs}^{\prime}\parallel {T}_{s1}\parallel {x}_{Ti})$, and checks if ${H}_{s}^{\prime}={H}_{s}$ holds. If the equation does not hold, the user ${U}_{i}$ disconnects from S.
 The user ${U}_{i}$ computes ${H}_{i}=h({x}_{Mi}\parallel {x}_{Rs})$ and sends the message $=\{{H}_{i},{T}_{i2}\}$ to S.
 The Server S checks if $({T}_{s2}-{T}_{i2})\le \Delta T$. If the time difference does not hold, the session is terminated.
 The Server S computes ${H}_{i}^{\prime}=h({x}_{Mi}^{\prime}\parallel {x}_{Rs})$ and checks if ${H}_{i}^{\prime}={H}_{i}$. If it holds, the user ${U}_{i}$ and the Server S achieve mutual authentication and agree on the session key ${Sk}_{us}=h({y}_{Ri}\parallel {y}_{Rs}^{\prime}\parallel {y}_{Mi}\parallel {y}_{Ti}\parallel {T}_{i2}\parallel {T}_{s1})=h({y}_{Ri}\parallel {y}_{Rs}\parallel {y}_{Mi}^{\prime}\parallel {y}_{Ti}^{\prime}\parallel {T}_{i2}\parallel {T}_{s1})={Sk}_{su}$. Otherwise, the session is terminated.
3.5. Password Change/Update Phase
 The smart card ${SC}_{i}$ computes ${b}_{i}^{\prime}={\widehat{b}}_{i}\oplus h({ID}_{i}^{\prime}\parallel {pw}_{i}^{\prime})$, ${hpw}_{i}^{\prime}=h({pw}_{i}^{\prime}\parallel {b}_{i}^{\prime})$, and ${BID}_{i}^{\prime}=h(h\left({ID}_{i}^{\prime}\right)\oplus {hpw}_{i}^{\prime})$, and checks if ${BID}_{i}^{\prime}={BID}_{i}$. If the equation is true, the smart card ${SC}_{i}$ asks the user ${U}_{i}$ to submit a new password ${pw}_{i}^{*}$. Otherwise, the request is rejected.
 Once the user ${U}_{i}$ enters the new password ${pw}_{i}^{*}$, the smart card ${SC}_{i}$ generates a new random integer ${b}_{i}^{*}\in {\mathbb{Z}}_{n}^{*}$ and computes the new values ${\widehat{b}}_{i}^{*}=h({ID}_{i}\parallel {pw}_{i}^{*})\oplus {b}_{i}^{*}$, ${hpw}_{i}^{*}=h({pw}_{i}^{*}\parallel {b}_{i}^{*})$, ${AID}_{i}^{*}={AID}_{i}+[{hpw}_{i}^{*}-{hpw}_{i}]P$, and ${BID}_{i}^{*}=h(h\left({ID}_{i}\right)\oplus {hpw}_{i}^{*})$.
 Finally, the smart card ${SC}_{i}$ updates the values as ${SC}_{i}=\{{AID}_{i}^{*},{BID}_{i}^{*},{\widehat{b}}_{i}^{*}\}$.
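The whole scheme of Sections 3.1 to 3.5 as an added, runnable Python example (this is not the authors' code); run_session returns None whenever one of the scheme's own checks rejects. It assumes secp256k1 as ${E}_{p}(a,b)$, SHA-256 reduced into ${\mathbb{Z}}_{n}^{*}$ as $h(\cdot)$, identities and passwords encoded as integers below $2^{256}$, and a constructed $\Delta T$ of 5 s.

```python
import hashlib
import secrets

# Curve: secp256k1 (y^2 = x^3 + 7 over F_p) is an assumption; the paper only asks for some E_p(a,b)
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # allowed transmission delay in seconds (constructed value)

def ec_add(p1, p2):  # affine addition on the curve; None is the point at infinity O
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_sub(p1, p2): return ec_add(p1, (p2[0], -p2[1] % P_MOD))

def ec_mul(k, p):  # [k]P by double-and-add, scalar reduced mod n
    acc, k = None, k % N
    while k:
        acc = ec_add(acc, p) if k & 1 else acc
        p, k = ec_add(p, p), k >> 1
    return acc

def h(*parts):  # h: {0,1}* -> Z_n^*, SHA-256 over the 32-byte big-endian encodings of the parts
    d = hashlib.sha256(b"".join(x.to_bytes(32, "big") for x in parts)).digest()
    return int.from_bytes(d, "big") % (N - 1) + 1

def rand_zn(): return secrets.randbelow(N - 1) + 1  # random element of Z_n^*

def server_init():  # 3.1: secret key s and public key P_pub = [s]P
    s = rand_zn()
    return s, ec_mul(s, G)

def user_register(ID, pw, s, db):  # 3.2: ID_i and pw_i are integers < 2^256 (assumption)
    b = rand_zn()
    hpw = h(pw, b)                    # hpw_i = h(pw_i || b_i), sent with ID_i over the secure channel
    CID = h(ID ^ s)                   # server: CID_i = h(ID_i xor s), kept in the database for tracing
    if CID in db:
        return None                   # identity already registered: the user must pick another ID_i
    db.add(CID)
    return {"AID": ec_mul(CID + hpw, G), "BID": h(h(ID) ^ hpw), "bhat": h(ID, pw) ^ b}

def sc_login(card, ID, pw, Ppub, T1):  # 3.3: returns ({DID, EID, R, T1}, card state) or None
    hpw = h(pw, card["bhat"] ^ h(ID, pw))
    if h(h(ID) ^ hpw) != card["BID"]:  # local password verification failed: abort
        return None
    r = rand_zn()
    R, M = ec_mul(r, G), ec_mul(r, Ppub)
    TID = ec_sub(card["AID"], ec_mul(hpw, G))  # TID_i = AID_i - [hpw_i]P = [CID_i]P
    EID = h(TID[0], M[0], T1)
    return {"DID": ID ^ M[1], "EID": EID, "R": R, "T1": T1}, {"M": M, "TID": TID, "R": R, "EID": EID}

def server_auth(req, s, db, Ts1):  # 3.4 steps 1-4: returns ({Zs, Hs, Ts1}, server state) or None
    if Ts1 - req["T1"] > DELTA_T:
        return None
    M = ec_mul(s, req["R"])           # M'_i = [s]R_i = [r_i]P_pub, recovers ID_i from DID_i
    ID = req["DID"] ^ M[1]
    CID = h(ID ^ s)
    TID = ec_mul(CID, G)
    if CID not in db or h(TID[0], M[0], req["T1"]) != req["EID"]:
        return None                   # untraceable identity, or EID'_i != EID_i
    Rs = ec_mul(rand_zn(), req["R"])
    resp = {"Zs": ec_add(Rs, M), "Hs": h(req["EID"], Rs[0], Ts1, TID[0]), "Ts1": Ts1}
    return resp, {"M": M, "TID": TID, "R": req["R"], "Rs": Rs}

def user_finish(resp, st, T2):  # 3.4 steps 5-7: returns ({Hi, T2}, Sk_us) or None
    Rs = ec_sub(resp["Zs"], st["M"])  # R'_s = Z_s - M_i
    if T2 - resp["Ts1"] > DELTA_T or h(st["EID"], Rs[0], resp["Ts1"], st["TID"][0]) != resp["Hs"]:
        return None
    sk = h(st["R"][1], Rs[1], st["M"][1], st["TID"][1], T2, resp["Ts1"])
    return {"Hi": h(st["M"][0], Rs[0]), "T2": T2}, sk

def server_finish(msg, st, Ts1, Ts2):  # 3.4 steps 8-9: returns Sk_su or None
    if Ts2 - msg["T2"] > DELTA_T or h(st["M"][0], st["Rs"][0]) != msg["Hi"]:
        return None
    return h(st["R"][1], st["Rs"][1], st["M"][1], st["TID"][1], msg["T2"], Ts1)

def sc_change_password(card, ID, pw, new_pw):  # 3.5: done on the card alone, no server involvement
    hpw = h(pw, card["bhat"] ^ h(ID, pw))
    if h(h(ID) ^ hpw) != card["BID"]:  # wrong ID_i or old password: request rejected
        return False
    b_new = rand_zn()
    hpw_new = h(new_pw, b_new)
    card.update(AID=ec_add(card["AID"], ec_mul(hpw_new - hpw, G)),  # AID* = [CID_i + hpw*_i]P
                BID=h(h(ID) ^ hpw_new), bhat=h(ID, new_pw) ^ b_new)
    return True

def run_session(card, ID, pw, s, Ppub, db, now=0):  # one login and mutual authentication run
    login = sc_login(card, ID, pw, Ppub, now)       # now: one timestamp reused for every message
    auth = login and server_auth(login[0], s, db, now)
    fin = auth and user_finish(auth[0], login[1], now)
    sk_su = fin and server_finish(fin[0], auth[1], now, now)
    return None if sk_su is None else (fin[1], sk_su)  # (Sk_us, Sk_su); equal when all checks pass
```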
3.6. Proof of Correctness
4. Security Analysis of the Proposed Scheme
4.1. Formal Security Analysis
 ${\mathcal{O}}_{\mathcal{H}ash}$: Given the input $h\left(x\right)$, the oracle yields the output x.
 ${\mathcal{O}}_{\mathcal{E}CDLP}$: Given the input P and $Q=\left[a\right]P$, the oracle yields the output a.
 ${\mathcal{O}}_{\mathcal{E}CCDHP}$: Given the input P, $Q=\left[a\right]P$, and $R=\left[b\right]P$, the oracle yields the output $[a\cdot b]P$.
 ${\mathcal{O}}_{\mathcal{E}CFP}$: Given the input P and $Q=\left[a\right]P+\left[b\right]P=[a+b]P$, the oracle yields the output $\left[a\right]P$ and $\left[b\right]P$.
Algorithm 1 ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$ for deriving identity ${ID}_{i}$, secret key s, and session key ${Sk}_{us}(={Sk}_{su})$.
1: Eavesdrop the login message $\{{DID}_{i},{EID}_{i},{R}_{i},{T}_{i1}\}$
2: Call ${\mathcal{O}}_{\mathcal{H}ash}$ on input ${EID}_{i}=h({x}_{Ti}\parallel {x}_{Mi}\parallel {T}_{i1})$ to obtain $({x}_{Ti}^{\star}\parallel {x}_{Mi}^{\star}\parallel {T}_{i1}^{\star})\leftarrow {\mathcal{O}}_{\mathcal{H}ash}\left({EID}_{i}\right)$
3: Call ${\mathcal{O}}_{\mathcal{E}CCDHP}$ on input ${P}_{pub}$, ${R}_{i}$, and P to obtain ${M}_{i}^{\star\star}$ as $({M}_{i}^{\star\star}=({x}_{Mi}^{\star\star},{y}_{Mi}^{\star\star}))\leftarrow {\mathcal{O}}_{\mathcal{E}CCDHP}({P}_{pub},{R}_{i},P)$
4: if ${x}_{Mi}^{\star}={x}_{Mi}^{\star\star}$ then
5:   Call ${\mathcal{O}}_{\mathcal{E}CFP}$ on input ${AID}_{i}$ and P to obtain ${TID}_{i}^{\star\star}$ and ${\left(\left[{hpw}_{i}\right]P\right)}^{\star}$ as $({TID}_{i}^{\star\star}=({x}_{Ti}^{\star\star},{y}_{Ti}^{\star\star}),{\left(\left[{hpw}_{i}\right]P\right)}^{\star})\leftarrow {\mathcal{O}}_{\mathcal{E}CFP}({AID}_{i},P)$
6:   if ${x}_{Ti}^{\star}={x}_{Ti}^{\star\star}$ then
7:     Compute ${ID}_{i}^{\star}={DID}_{i}\oplus {y}_{Mi}^{\star}$
8:     Compute ${EID}_{i}^{\star}=h({x}_{Ti}^{\star}\parallel {x}_{Mi}^{\star}\parallel {T}_{i1})$
9:     if ${EID}_{i}^{\star}={EID}_{i}$ then
10:      Accept ${ID}_{i}^{\star}$ as the correct user’s identity
11:      Call ${\mathcal{O}}_{\mathcal{E}CDLP}$ on input ${TID}_{i}^{\star}$ and P to obtain ${CID}_{i}^{\star}$ as $\left({CID}_{i}^{\star}\right)\leftarrow {\mathcal{O}}_{\mathcal{E}CDLP}({TID}_{i}^{\star},P)$
12:      Call ${\mathcal{O}}_{\mathcal{H}ash}$ on input ${CID}_{i}^{\star}=h({ID}_{i}\oplus s)$ to obtain ${({ID}_{i}\oplus s)}^{\star}$ as ${({ID}_{i}\oplus s)}^{\star}\leftarrow {\mathcal{O}}_{\mathcal{H}ash}\left({CID}_{i}^{\star}\right)$
13:      Compute ${s}^{\star}={({ID}_{i}\oplus s)}^{\star}\oplus {ID}_{i}^{\star}$
14:      Eavesdrop the message $\{{Z}_{s},{H}_{s},{T}_{s1}\}$
15:      Compute ${R}_{s}^{\star}={Z}_{s}-{M}_{i}^{\star}=({x}_{Rs}^{\star},{y}_{Rs}^{\star})$
16:      Compute ${H}_{s}^{\star}=h({EID}_{i}^{\star}\parallel {x}_{Rs}^{\star}\parallel {T}_{s1}\parallel {x}_{Ti}^{\star})$
17:      if ${H}_{s}^{\star}={H}_{s}$ then
18:        Accept ${s}^{\star}$ as the correct secret key
19:        Eavesdrop the message $\{{H}_{i},{T}_{i2}\}$
20:        Compute ${H}_{i}^{\star}=h({x}_{Mi}^{\star}\parallel {x}_{Rs}^{\star})$
21:        if ${H}_{i}^{\star}={H}_{i}$ then
22:          Compute ${Sk}_{us}=h({y}_{Ri}\parallel {y}_{Rs}^{\star}\parallel {y}_{Mi}^{\star}\parallel {y}_{Ti}^{\star}\parallel {T}_{i2}\parallel {T}_{s1})={Sk}_{su}$ as the correct shared session key
23:          return 1 (Success)
24:        else
25:          return 0 (Fail)
26:        end if
27:      else
28:        return 0 (Fail)
29:      end if
30:    else
31:      return 0 (Fail)
32:    end if
33:  else
34:    return 0 (Fail)
35:  end if
36: else
37:   return 0 (Fail)
38: end if
4.2. Attainment of Security Goals
 (1) Mutual authentication
 (2) Session key agreement
 (3) Forward secrecy
 (4) User anonymity
 (5) User traceability
 (6) Local password verification
 (7) Local password changeability
4.3. Resistance to Security Attacks
 (1) Offline password-guessing attack
 (2) Replay attack
 (3) Privileged insider attack
 (4) Stolen-verifier attack
 (5) Key-compromised impersonation attack
4.4. Formal Verification Using BAN Logic
 (1) Verification goals
 Goal 1: ${U}_{i}\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$
 Goal 2: ${U}_{i}\mid \equiv S\mid \equiv {U}_{i}\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$
 Goal 3: $S\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$
 Goal 4: $S\mid \equiv {U}_{i}\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$
 (2) Idealization of the proposed scheme
 Message 1: ${U}_{i}\to S:{\langle {ID}_{i}\rangle}_{{M}_{i}},{({M}_{i},{T}_{i1})}_{{TID}_{i}},{R}_{i},{T}_{i1}$
 Message 2: $S\to {U}_{i}:{\langle {R}_{s}\rangle}_{{M}_{i}},{({EID}_{i},{R}_{s},{T}_{s1})}_{{TID}_{i}},{T}_{s1}$
 Message 3: ${U}_{i}\to S:{\left({R}_{s}\right)}_{{M}_{i}},{T}_{i2}$
 (3) Initial state assumptions
 A1: $S\mid \equiv ({U}_{i}\stackrel{{M}_{i}}{\rightleftharpoons}S)$;
 A2: ${U}_{i}\mid \equiv ({U}_{i}\stackrel{{TID}_{i}}{\rightleftharpoons}S)$;
 A3: $S\mid \equiv ({U}_{i}\stackrel{{TID}_{i}}{\rightleftharpoons}S)$;
 A4: ${U}_{i}\mid \equiv \#({T}_{s1})$;
 A5: $S\mid \equiv \#({T}_{i1},{T}_{i2})$.
 (4) Proof using BAN logic
 Step 1: From Message 1, $S\triangleleft ({\langle {ID}_{i}\rangle}_{{M}_{i}},{({M}_{i},{T}_{i1})}_{{TID}_{i}},{R}_{i},{T}_{i1})$.
 Step 2: From Step 1 and A3, applying the message-meaning rule gives $S\mid \equiv {U}_{i}\mid \sim ({M}_{i},{R}_{i},{T}_{i1})$.
 Step 3: Applying the freshness-conjuncatenation rule to A5 yields $S\mid \equiv \#({M}_{i},{R}_{i},{T}_{i1})$.
 Step 4: From Step 2, Step 3, and the nonce-verification rule, $S\mid \equiv {U}_{i}\mid \equiv ({M}_{i},{R}_{i},{T}_{i1})$.
 Step 5: From Message 3, $S\triangleleft ({\left({R}_{s}\right)}_{{M}_{i}},{T}_{i2})$.
 Step 6: Applying the message-meaning rule to Step 5 and A1 gives $S\mid \equiv {U}_{i}\mid \sim ({R}_{s},{T}_{i2})$.
 Step 7: Applying the freshness-conjuncatenation rule to A5 yields $S\mid \equiv \#({R}_{s},{T}_{i2})$.
 Step 8: From Steps 6 and 7 and the nonce-verification rule, $S\mid \equiv {U}_{i}\mid \equiv ({R}_{s},{T}_{i2})$.
 Step 9: By the belief rule applied to Step 4 and Step 8, $S\mid \equiv {U}_{i}\mid \equiv ({M}_{i},{R}_{i},{R}_{s},{T}_{i1},{T}_{i2})$.
 Step 10: From Step 9, A5, and the session-key rule, $S\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$ (Goal 3).
 Step 11: From A5, Step 9, Step 10, and the session-key verification rule, $S\mid \equiv {U}_{i}\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$ (Goal 4).
 Step 12: From Message 2, ${U}_{i}\triangleleft ({\langle {R}_{s}\rangle}_{{M}_{i}},{({EID}_{i},{R}_{s},{T}_{s1})}_{{TID}_{i}},{T}_{s1})$.
 Step 13: Applying the message-meaning rule to Step 12 and A2 gives ${U}_{i}\mid \equiv S\mid \sim ({EID}_{i},{R}_{s},{T}_{s1})$.
 Step 14: Applying the freshness-conjuncatenation rule to A4 yields ${U}_{i}\mid \equiv \#({EID}_{i},{R}_{s},{T}_{s1})$.
 Step 15: From Step 13, Step 14, and the nonce-verification rule, ${U}_{i}\mid \equiv S\mid \equiv ({EID}_{i},{R}_{s},{T}_{s1})$.
 Step 16: By the session-key rule applied to Step 14 and Step 15, ${U}_{i}\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$ (Goal 1).
 Step 17: Finally, from A4, Step 15, Step 16, and the session-key verification rule, ${U}_{i}\mid \equiv S\mid \equiv ({U}_{i}\stackrel{\mathrm{Sk}}{\leftrightarrow}S)$ (Goal 2).
5. Performance Analysis
6. Applications
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
 1. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772.
 2. NIST. FIPS 180-4 Secure Hash Standard (SHS); Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015.
 3. Wang, X.M.; Zhang, W.F.; Zhang, J.S.; Khan, M.K. Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards. Comput. Stand. Interfaces 2007, 29, 507–512.
 4. Chaudhry, S.A.; Farash, M.S.; Naqvi, H.; Kumari, S.; Khan, M.K. An enhanced privacy preserving remote user authentication scheme with provable security. Secur. Commun. Netw. 2015, 8, 3782–3795.
 5. Madhusudhan, R.; Hegde, M. Cryptanalysis and improvement of remote user authentication scheme using smart card. In Proceedings of the 2016 International Conference on Computer and Communication Engineering (ICCCE), Kuala Lumpur, Malaysia, 26–27 July 2016; IEEE: Piscataway, NJ, USA, 2016; pp. 84–89.
 6. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126.
 7. Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654.
 8. Miller, V.S. Use of elliptic curves in cryptography. In Proceedings of the Conference on the Theory and Application of Cryptographic Techniques, Linz, Austria, 9–11 April 1985; Springer: Berlin/Heidelberg, Germany, 1985; pp. 417–426.
 9. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
 10. Gura, N.; Patel, A.; Wander, A.; Eberle, H.; Shantz, S.C. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Cambridge, MA, USA, 11–13 August 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 119–132.
 11. Juang, W.S.; Chen, S.T.; Liaw, H.T. Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 2008, 55, 2551–2556.
 12. Fan, C.I.; Chan, Y.C.; Zhang, Z.K. Robust remote authentication scheme with smart cards. Comput. Secur. 2005, 24, 619–628.
 13. Sun, D.Z.; Huai, J.P.; Sun, J.Z.; Li, J.X.; Zhang, J.W.; Feng, Z.Y. Improvements of Juang et al.’s password-authenticated key agreement scheme using smart cards. IEEE Trans. Ind. Electron. 2009, 56, 2284–2291.
 14. Li, X.; Qiu, W.; Zheng, D.; Chen, K.; Li, J. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 2010, 57, 793–800.
 15. He, D.; Chen, J.; Hu, J. Further improvement of Juang et al.’s password-authenticated key agreement scheme using smart cards. Kuwait J. Sci. Eng. 2011, 38, 55–68.
 16. Li, X.; Zhang, Y. A simple and robust anonymous two-factor authenticated key exchange protocol. Secur. Commun. Netw. 2013, 6, 711–722.
 17. Jiang, Q.; Ma, J.; Li, G.; Yang, L. Robust two-factor authentication and key agreement preserving user privacy. Int. J. Netw. Secur. 2014, 16, 229–240.
 18. Liu, C.; Ma, C.G. An efficient and provable secure PAKE scheme with robust anonymity. In Proceedings of the International Conference on Information Computing and Applications, Chengde, China, 14–16 September 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 722–729.
 19. Tsai, J.L.; Lo, N.W.; Wu, T.C. Novel anonymous authentication scheme using smart cards. IEEE Trans. Ind. Inform. 2012, 9, 2004–2013.
 20. Byun, J.W. On the secure design of hash-based authenticator in the smartcard authentication system. Wirel. Pers. Commun. 2019, 109, 2329–2352.
 21. Wang, R.C.; Juang, W.S.; Lei, C.L. Robust authentication and key agreement scheme preserving the privacy of secret key. Comput. Commun. 2011, 34, 274–280.
 22. Wu, S.; Zhu, Y.; Pu, Q. Robust smart-cards-based user authentication scheme with user anonymity. Secur. Commun. Netw. 2012, 5, 236–248.
 23. Chang, C.C.; Lin, I.C.; Wu, C.C. A multipurpose key agreement scheme in ubiquitous computing environments. Mob. Inf. Syst. 2015, 2015, 934716.
 24. Wang, L. Analysis and enhancement of a password authentication and update scheme based on elliptic curve cryptography. J. Appl. Math. 2014, 2014, 247836.
 25. Islam, S.H.; Biswas, G. Design of improved password authentication and update scheme based on elliptic curve cryptography. Math. Comput. Model. 2013, 57, 2703–2717.
 26. Odelu, V.; Das, A.K.; Goswami, A. An efficient ECC-based privacy-preserving client authentication protocol with key agreement using smart card. J. Inf. Secur. Appl. 2015, 21, 1–19.
 27. Madhusudhan, R.; Hegde, M.; Memon, I. A secure and enhanced elliptic curve cryptography-based dynamic authentication scheme using smart card. Int. J. Commun. Syst. 2018, 31, e3701.
 28. Kumari, A.; Jangirala, S.; Abbasi, M.Y.; Kumar, V.; Alam, M. ESEAP: ECC based secure and efficient mutual authentication protocol using smart card. J. Inf. Secur. Appl. 2020, 51, 102443.
 29. Qu, J.; Tan, X.L. Two-factor user authentication with key agreement scheme based on elliptic curve cryptosystem. J. Electr. Comput. Eng. 2014, 2014, 16.
 30. Huang, B.; Khan, M.K.; Wu, L.; Muhaya, F.T.B.; He, D. An efficient remote user authentication with key agreement scheme using elliptic curve cryptography. Wirel. Pers. Commun. 2015, 85, 225–240.
 31. Maitra, T.; Obaidat, M.S.; Islam, S.H.; Giri, D.; Amin, R. Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Secur. Commun. Netw. 2016, 9, 4166–4181.
 32. Chaudhry, S.A.; Naqvi, H.; Mahmood, K.; Ahmad, H.F.; Khan, M.K. An improved remote user authentication scheme using elliptic curve cryptography. Wirel. Pers. Commun. 2017, 96, 5355–5373.
 33. Mehmood, Z.; Chen, G.; Li, J.; Albeshri, A. An untraceable ECC-based remote user authentication scheme. KSII Trans. Internet Inf. Syst. (TIIS) 2017, 11, 1742–1760.
 34. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
 35. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 1999; Springer: Berlin/Heidelberg, Germany, 1999; pp. 388–397.
 36. Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552.
 37. Sood, S.K.; Sarje, A.K.; Singh, K. Cryptanalysis of password authentication schemes: Current status and key issues. In Proceedings of the 2009 International Conference on Methods and Models in Computer Science (ICM2CS), New Delhi, India, 14–15 December 2009; IEEE: Piscataway, NJ, USA, 2009; pp. 1–7.
 38. Wu, F.; Xu, L.; Kumari, S.; Li, X.; Alelaiwi, A. A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof. Secur. Commun. Netw. 2015, 8, 3847–3863.
 39. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. Proc. R. Soc. Lond. Math. Phys. Sci. 1989, 426, 233–271.
 40. Sowjanya, K.; Dasgupta, M.; Ray, S. An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems. Int. J. Inf. Secur. 2020, 19, 129–146.
 41. Kilinc, H.H.; Yanik, T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutorials 2013, 16, 1005–1023.
 42. Lynn, B. The Pairing-Based Cryptography (PBC) Library. Available online: https://crypto.stanford.edu/pbc/ (accessed on 30 September 2022).
 43. Tsai, J.L. Weaknesses and improvement of Hsu-Chuang’s user identification scheme. Inf. Technol. Control 2010, 39, 48–50.
 44. Chang, C.C.; Lee, C.Y. A secure single sign-on mechanism for distributed computer networks. IEEE Trans. Ind. Electron. 2011, 59, 629–637.
 45. Chen, Y.C.; Liu, C.L.; Horng, G. Cryptanalysis of some user identification schemes for distributed computer networks. Int. J. Commun. Syst. 2014, 27, 2909–2917.
 46. Ghaffar, Z.; Ahmed, S.; Mahmood, K.; Islam, S.H.; Hassan, M.M.; Fortino, G. An improved authentication scheme for remote data access and sharing over cloud storage in cyber-physical-social-systems. IEEE Access 2020, 8, 47144–47160.
 47. Lu, Y.; Wang, D.; Obaidat, M.S.; Vijayakumar, P. Edge-assisted intelligent device authentication in cyber-physical systems. IEEE Internet Things J. 2022, 1–14.
| Notation | Description |
| --- | --- |
| S | Server |
| ${U}_{i}$ | User i |
| $\mathcal{A}$ | Adversary |
| ${ID}_{i}$ | ${U}_{i}$’s identity |
| ${pw}_{i}$ | ${U}_{i}$’s password |
| ${SC}_{i}$ | ${U}_{i}$’s smart card |
| p | k-bit prime number, where k is at least 512 bits |
| $E\left({\mathbb{F}}_{p}\right)$ | The set of points on an elliptic curve over a finite field ${\mathbb{F}}_{p}$ |
| ${G}_{p}$ | Additive cyclic subgroup of $E\left({\mathbb{F}}_{p}\right)$, where ${G}_{p}=E\left({\mathbb{F}}_{p}\right)\cup \left\{\mathcal{O}\right\}$ |
| $\mathcal{O}$ | The point at infinity, the identity element of $E\left({\mathbb{F}}_{p}\right)$ |
| P | Base point on ${G}_{p}$ of order n such that $\left[n\right]P=\mathcal{O}$ and n is the smallest integer $>0$ |
| ${\mathbb{Z}}_{n}^{*}$ | Multiplicative group mod n |
| s | Secret key, a random integer such that $s\in {\mathbb{Z}}_{n}^{*}$ |
| ${P}_{pub}$ | Public key, ${P}_{pub}=\left[s\right]P\in {G}_{p}$ |
| $h(\cdot)$ | One-way hash function, $h:{\{0,1\}}^{*}\to {\mathbb{Z}}_{n}^{*}$ |
| ⟹ | Secure channel |
| ⟶ | Public channel |
| ∥ | String concatenation operation |
| ⊕ | Bitwise XOR operation |
| Notation | Description |
| --- | --- |
| $P\mid \equiv X$ | P believes X |
| $P\triangleleft X$ | P sees X |
| $P\mid \sim X$ | P once said X |
| $\#\left(X\right)$ | Message X is fresh |
| ${\langle X\rangle}_{Y}$ | Formula X is combined with secret Y |
| ${\left(X\right)}_{Y}$ | Formula X hashed with secret Y |
| $P\stackrel{K}{\leftrightarrow}Q$ | P and Q communicate with a shared secret key K |
| $P\stackrel{X}{\rightleftharpoons}Q$ | Only P and Q share the formula X, which is a secret |
| Rule | Description | Symbolic Form |
| --- | --- | --- |
| Message-meaning rule | If P sees ${\langle X\rangle}_{K}$ and P believes secret K is shared with Q, then P believes Q once said X. | $\frac{P\triangleleft {\langle X\rangle}_{K},\ P\mid \equiv (P\stackrel{K}{\leftrightarrow}Q)}{P\mid \equiv Q\mid \sim X}$ |
| Freshness-conjuncatenation rule | If P believes X is fresh, then P believes $(X,Y)$ is fresh. | $\frac{P\mid \equiv \#\left(X\right)}{P\mid \equiv \#(X,Y)}$ |
| Nonce-verification rule | If P believes X is fresh and P believes Q once said X, then P believes Q believes X. | $\frac{P\mid \equiv \#\left(X\right),\ P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X}$ |
| Belief rule | If P believes X and P believes Y, then P believes $(X,Y)$. | $\frac{P\mid \equiv X,\ P\mid \equiv Y}{P\mid \equiv (X,Y)}$ |
| Session-key rule | If P believes Q believes a necessary parameter X of the session key K and P believes X is fresh, then P believes session key K is shared with Q. | $\frac{P\mid \equiv Q\mid \equiv X,\ P\mid \equiv \#\left(X\right)}{P\mid \equiv (P\stackrel{K}{\leftrightarrow}Q)}$ |
| Session-key verification rule [40] | If P believes that X is fresh, P believes Q believes X, and P believes session key K is shared with Q, then P believes Q believes session key K is shared between P and Q. | $\frac{P\mid \equiv \#\left(X\right),\ P\mid \equiv Q\mid \equiv X,\ P\mid \equiv (P\stackrel{K}{\leftrightarrow}Q)}{P\mid \equiv Q\mid \equiv (P\stackrel{K}{\leftrightarrow}Q)}$ |

| | Proposed | Qu and Tan [29] | Huang et al. [30] | Maitra et al. [31] | Chaudhry et al. [32] | Mehmood et al. [33] |
| --- | --- | --- | --- | --- | --- | --- |
| Attainment of security goals | | | | | | |
| Formal security proof | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Mutual authentication | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Session key agreement | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Forward secrecy | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| User anonymity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| User traceability | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ |
| Local password verification | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Local password changeability | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Resistance to security attacks | | | | | | |
| Replay attack | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Offline password-guessing attack | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Privileged insider attack | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ |
| Stolen-verifier attack | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Key-compromised impersonation attack | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Schemes | Computational Cost | Running Time |
| --- | --- | --- |
| Proposed | 7 ${T}_{em}$ + 3 ${T}_{ea}$ + 18 ${T}_{h}$ | ≈ 15.710 ms |
| Qu and Tan [29] | 9 ${T}_{em}$ + 5 ${T}_{ea}$ + 16 ${T}_{h}$ | ≈ 20.215 ms |
| Huang et al. [30] | 7 ${T}_{em}$ + 5 ${T}_{ea}$ + ${T}_{m}$ + 18 ${T}_{h}$ | ≈ 15.767 ms |
| Maitra et al. [31] | 11 ${T}_{em}$ + 2 ${T}_{m}$ + 15 ${T}_{h}$ | ≈ 24.521 ms |
| Chaudhry et al. [32] | 7 ${T}_{em}$ + 3 ${T}_{ea}$ + 2 ${T}_{m}$ + 17 ${T}_{h}$ | ≈ 15.708 ms |
| Mehmood et al. [33] | 4 ${T}_{em}$ + 2 ${T}_{ea}$ + 3 ${T}_{m}$ + 2 ${T}_{sym}$ + 14 ${T}_{h}$ | ≈ 9.003 ms |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Shohaimay, F.; Ismail, E.S. Improved and Provably Secure ECC-Based Two-Factor Remote Authentication Scheme with Session Key Agreement. Mathematics 2023, 11, 5. https://doi.org/10.3390/math11010005