A Provably Secure Biometrics-Based Authentication Scheme for …downloads.hindawi.com/journals/scn/2019/2838615.pdf · 2019-07-30 · ResearchArticle A Provably Secure Biometrics-Based

Research ArticleA Provably Secure Biometrics-Based Authentication Scheme forMultiserver Environment

Feifei Wang 1 Guoai Xu 1 Chenyu Wang 1 and Junhao Peng2

1Beijing University of Posts and Telecommunications Beijing 100876 China2Guangzhou University Guangzhou 510006 China

Correspondence should be addressed to Guoai Xu xgabupteducn

Received 9 March 2019 Accepted 9 June 2019 Published 25 June 2019

Academic Editor Carmen Fernandez-Gago

Copyright copy 2019 Feifei Wang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

With the rapid development of mobile services multiserver authentication protocol with its high efficiency has emerged as anindispensable security mechanism for mobile services Recently Ali et al introduced a biometric-based multiserver authenticationscheme and claimed the scheme is resistant to various attacks However after a careful examination we find that Ali et alrsquos schemeis vulnerable to various security attacks such as user impersonation attack server impersonation attack privileged insider attackdenial of service attack fails to provide forward secrecy and three-factor secrecy To overcome these weaknesses we propose animproved biometric-based multiserver authentication scheme using elliptic curve cryptosystem Formal security analysis underthe random oracle model proves that our scheme is provably secure Furthermore BAN (Burrows-Abadi-Needham) logic analysisdemonstrates our scheme achieves mutual authentication and session key agreement In addition the informal analysis provesthat our scheme is secure against all current known attacks and achieves desirable features Besides the performance and securitycomparison shows that our scheme is superior to related schemes

1 Introduction

Nowadays millions of people enjoy various mobile ser-vices such as mobile shopping mobile entertainment andmobile learning by using various mobile devices Due to theopenness of mobile network when the users are enjoyinggreat conveniences brought by mobile services they simul-taneously face a great deal of security threatens such asdiverse network attacks and privacy leaks Authenticationprotocol plays a great role in protecting the security andprivacy of users as an indispensable security mechanism forvarious mobile services It provides mutual authenticationuser anonymity and establishes secure session key for serverand users [1]

With the continuous expansion of the scale of mobileservices multiserver mode has been widely adopted bynumerous mobile service application systems [2] When thetraditional single-server authentication schemes are appliedto multiserver environment it is extremely inconvenient foruser to register himself with every server and keep manypairs of identity and password To overcome this problem

multiserver authentication schemes have been introduced[3ndash10] These schemes make the user registers once with reg-istration center and keeps one pair of identity and passwordto obtain all the services Multiserver authentication schemesare more attractive as high efficiency and convenience Buton the other hand multiserver authentication schemes havemore requirements for security The user employs the sameauthentication information to access diverse servers If theauthentication information is compromised it will bringtremendous damage to userrsquos assets Besides the maliciousserver may masquerade another server to defraud the user orimpersonate user to access server based on the secret it hasThis privileged insider attack should be overcome

In the past 20 years many multiserver authenticationschemes using password and smart card have been putforward [11ndash16] However the smart card may be lost orstolen and the malicious attacker can retrieve the data insmart card by side channel attack It increases the risk ofsecurity breach [17] To overcome this weakness biometricauthentication element has been added in authenticationschemes in recent years because of its good characteristics

HindawiSecurity and Communication NetworksVolume 2019 Article ID 2838615 15 pageshttpsdoiorg10115520192838615

2 Security and Communication Networks

Three-factor authentication schemes that adopt passwordsmart card and biometric facilitate better security

Recently some three-factor multiserver authenticationschemes have been introduced In 2010 Yoon et al [18]introduced an efficient biometric-based multiserver authen-tication scheme using elliptic curve cryptosystem (ECC)Later on Kim et al [19] pointed out Yoon et alrsquos schemecannot resist smart card loss attack forgery attack andfails to provide forward secrecy In 2015 Amin et al [20]proposed a three-factor multiserver authentication schemeusing bilinear pairing Afterwards Chandrakar et al [21]proved Amin et alrsquos scheme is susceptible to offline passwordguessing attack impersonation attack and fails to achieveuser anonymity He et al [22] introduced a biometric-basedmultiserver authentication scheme using fuzzy extractorand ECC and claimed their scheme achieves intrinsicallythree-factor secrecy But we observed He et alrsquos scheme issusceptible to known session-specific temporary informationattack and cannot detect wrong password and biometricimmediately In 2016Wang et al [23] presented a three-factormultiserver authentication scheme using hash function andfuzzy extractor But Yang et al [24] pointed out Wang et alrsquosscheme cannot resist user impersonation attack and fails toachieve forward secrecy In 2017 Kumari et al [25] proposeda biometric-based multi-cloud-server authentication schemeusing ECC and bio-hash function However Feng et al[26] demonstrated that Kumari et alrsquos scheme suffers fromserver impersonation attack and introduced an enhancedscheme Unfortunately we found Feng et alrsquos scheme failsto achieve three-factor secrecy and suffers from knownsession-specific temporary information attack Ali et al [27]introduced a three-factor multiserver authentication schemeusing symmetric encryption and ECC and claimed theirscheme is resistant to a variety of security attacks Howeverwe found that Ali et alrsquos scheme is not as secure as it claimedby demonstrating their scheme is vulnerable to a variety ofserious security attacks

Either the existing three-factor multiserver authentica-tion schemes [18ndash30] have more or less vulnerabilities ortheir communication and computation costs need to beimproved This moves us to design a secure three-factormultiserver authentication scheme with higher efficiencyOur contributions are summed up as follows

(1) We prove that Ali et alrsquos scheme suffers fromuser impersonation attack privileged insider attackserver impersonation attack denial of service attackand known session-specific temporary informationattack Besides the scheme fails to achieve forwardsecrecy and three-factor secrecy

(2) We propose a novel biometric-based multiserverauthentication scheme using ECC Formal securityanalysis under the random oracle model proves ourscheme is provably secure BAN logic proof provesthe completeness of our scheme Moreover informalanalysis demonstrates our scheme achieves variousdesirable features and is resistant to all known attacks

(3) In addition the performance and security compari-son shows that our scheme achieves superior security

properties Moreover our scheme has the least com-munication overhead and computation cost

11 Adversary Model When evaluating a three-factor multi-server authentication scheme the capacities of adversary Aare described as follows

(1) Amay be an external attacker or a privileged insider(2) A can fully control the public channel namely A is

able to interrupt eavesdrop forge and modify themessages transmitted via public channel

(3) A is able to enumerate all the values in119863119875119882 lowast119863119868119863 inpolynomial time where 119863119875119882 denotes the passwordspace and119863119868119863 denotes the identity space [31]

(4) A is able to get userrsquos password by shoulder surfingA can retrieve the data in smart card by powerconsumption analysis A is able to get the biometricof user by a malicious terminal [32]

(5) When evaluating three-factor secrecyA is able to getany two kinds of authentication elements at the sametime but cannot get all [26]

(6) When evaluating forward secrecy A can get themaster key of RC or the secret key of server

The user tends to choose an easy-to-remember passwordwith low strength The user identity usually is based on thepredefined format The identity and password may be of lowentropy and can be easily guessed According to the adversarymodel presented byWang et al [31] we assume the adversaryA is able to enumerate all the values in 119863119875119882 lowast 119863119868119863 inpolynomial time

Three-factor secrecy denotes that if any two kinds ofauthentication elements are compromised the attacker stillcannot breach the other one and damage the security of thesystem [26] Such a consideration is of practical significanceThe adversary may get userrsquos password by shoulder surfing orthe data in smart card via side channel attack Moreover theadversary is able to obtain the biometric of user by amaliciousbiometric-based terminal

12 The Organization of Paper The structure of this paperis arranged as follows We brief review and cryptanalyze Aliet alrsquos scheme in Sections 2 and 3 Section 4 introduces anovel biometric-based authentication scheme formultiserverenvironment We give the security proof and informal secu-rity analysis of the proposed scheme in Sections 5 and 6Section 7 is security and performance comparison of therelevant schemes Section 8 concludes the paper In additionwe sum up the notations of this paper in Table 1

2 Review of Ali et alrsquos Scheme

Ali et alrsquos scheme consists of four phases initial phaseserver registration phase user registration phase login andauthentication phase

21 Initial Phase RC chooses its master key x Then RCselects an elliptic curve group 119864119902 and a generator 119875 of 119864119902

Security and Communication Networks 3

Table 1 Notations

Symbols Description119880119894 119894119905ℎ user119878119895 Server 119878119895RC Registration centerA Malicious adversaryx Master key of RC119868119863119894 119875119882119894 119887119894 Identity password and biometric of 119880119894

119878119868119863119895 Identity of 119878119895119875 A generator of elliptic curve group 119864119902

119864119870119890119910()119863119870119890119910() Symmetric encryptiondecryption algorithmwith key 119870119890119910

119878119870 Session key between 119880119894 and 119878119895 The string concatenation operationoplus The bitwise XOR operation1198671() Hash function

1198672()Bio-hash function it maps the biometric 119887119894 anda tokenised random number to a randombinary string

22 Server Registration Phase 119878119895 enrolls with RC in thefollowing steps

Step 1 The server picks its identity 119878119868119863119895 and sends 119878119868119863119895 asa registration request to RC through the reliable channel

Step 2 Upon receiving 119878119868119863119895 from 119878119895 RC computes 119878119872119895 =1198671(119878119868119863119895 119909) and returns 119878119872119895 to 119878119895 through the reliablechannel

Step 3 119878119895 keeps 119878119872119895 as secret

23 User Registration Phase 119880119894 enrolls with RC in thefollowing steps

Step 1 119880119894 picks his identity 119868119863119894 and password 119875119882119894 freely andimprints his biometric 119887119894 119880119894 sends the registration request119868119863119894 1198672(119887119894) to RC through the reliable channel

Step 2 Upon receiving 119868119863119894 1198672(119887119894) from 119880119894 RC computes119863119868119863119894 = 1198641198671(119909)(119868119863119894 1198731) 119860 119894 = 1198671(119868119863119894 119909)119875 119861119894 = 1198672(119887119894)119875119864119894 = 119860 119894 + 119861119894 where 1198731 is a random number RC stores119863119868119863119894 119864119894 119875 119864119870119890119910() in a smart card and transmits it to 119880119894

through the reliable channel

Step 3 119880119894 calculates 119881119894 = 1198671(119868119863119894 119875119882119894 1198672(119887119894)) and stores119881119894 in his smart card

24 Login and Authentication Phase 119880119894 and 119878119895 authenticateeach other and establish a session key drawing support fromRC as shown in Figure 1

Step 1 119880119894 attaches the smart card to a terminal inputs 119868119863lowast119894

and 119875119882lowast119894 and imprints 119887lowast119894 The smart card calculates 119881lowast

119894 =1198671(119868119863lowast119894 119875119882lowast

119894 1198672(119887lowast119894 )) and checks if 119881lowast119894 = 119881119894 If the

equation holds proceed to the next step

Step 2 119880119894 computes 119877119894 = 119903119894119875 119861lowast119894 = 1198672(119887lowast119894 )119875 119862119894 = 119877119894 +119861lowast

119894 119863119894 = 1198671(119868119863lowast119894 119877119894 119878119868119863119895 119864119894) where 119903119894 is a random

number 119880119894 sends 119863119868119863119894 119864119894 119862119894 119863119894 to RC through the publiccommunication channel

Step 3 After receiving 119863119868119863119894 119864119894 119862119894 119863119894 RC computes(119868119863119894 1198731) = 1198631198671(119909)(119863119868119863119894)1198601015840

119894 = 1198671(119868119863119894 119909)119875 1198611015840119894 = 119864119894minus1198601015840

1198941198771015840

119894 = 119862119894 minus 1198611015840119894 1198631015840

119894 = 1198671(119868119863119894 1198771015840119894 119878119868119863119895 119864119894) and compares

1198631015840119894 with119863119894 If they are equal proceed to the next step

Step 4 RC computes 119863119868119863119899119890119908119894 = 1198641198671(119909)(119868119863119894 119903119877119862) 119865119894 =

1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840119894 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 = 119877119877119862 +

1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) where 119903119877119862 is

a random number RC sends 119863119868119863119899119890119908119894 119870119894 119871 119894 119865119894 to 119878119895

Step 5 Upon receiving 119863119868119863119899119890119908119894 119870119894 119871 119894 119865119894 119878119895 computes

(119868119863119894 11987710158401015840119894 1198672(119887119894)1015840) = 119863119878119872119895

(119865119894) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875

1198711015840119894 = 1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) and checks if

1198711015840119894 = 119871 119894 If it holds 119878119895 computes 119877119878 = 119903119878119875 119876119894 = 119877119878 + 11987710158401015840

119894 119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840119877119862 1198672(119887119894)1015840119875) where 119903119878 is a

random number 119878119895 sends 119863119868119863119899119890119908119894 119876119894119872119894 119870119894 to 119880119894

Step 6 Upon receiving 119863119868119863119899119890119908119894 119876119894119872119894 119870119894 119880119894 computes

1198771015840119878 = 119876119894 minus 119877119894 11987710158401015840

119877119862 = 119870119894 minus 119861lowast119894 1198721015840

119894 = 1198671(119863119868119863119899119890119908119894 1198771015840

119878 11987710158401015840119877119862

119861lowast119894 ) and checks if1198721015840

119894 = 119872119894 If the equation holds119880119894 computes119878119870 = 1198671(119877119894 1198771015840

119878 11987710158401015840119877119862) 119885119894 = 119878119870 sdot 119875 +1198671(119868119863119894 1198672(119887lowast119894 )) sdot 119875119880119894 replaces 119863119868119863119894 with 119863119868119863119899119890119908

119894 in his smart card and sends119885119894 to 119878119895Step 7 Upon receiving 119885119894 119878119895 computes 119878119870 = 1198671(11987710158401015840

119894 119877119878 1198771015840

119877119862)1198851015840119894 = 119878119870sdot119875+1198671(119868119863119894 1198672(119887119894)1015840)sdot119875 and checks if1198851015840

119894 = 119885119894If the equation holds 119878119895 and 119880119894 authenticate each other andestablish a session key 119878119870 successfully

3 Cryptanalysis of Ali et alrsquos Scheme

In this section we demonstrate that Ali et alrsquos scheme is sus-ceptible to several security attacks Note that we cryptanalyzeAli et alrsquos scheme on the basis of the adversary capacitiesmentioned in Section 1

31 Forward Secrecy The adversary A compromisesthe master key x and intercepts 119863119868119863119899119890119908

119894 119870119894 119871 119894 119865119894 and119863119868119863119899119890119908119894 119876119894119872119894 119870119894 from public channel Then A is able to

retrieve the session key in the following steps

Step 1 Compute 119878119872119895 = 1198671(119878119868119863119895 119909) (119868119863119894 1198771015840119894 1198672(119887119894)1015840) =119863119878119872119895

(119865119894)

Step 2 Compute 1198771015840119878 = 119876119894 minus 1198771015840

119894

Step 3 Compute 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875

Step 4 Compute 119878119870 = 1198671(1198771015840119894 1198771015840

119878 1198771015840119877119862)

32 User Impersonation Attack The adversary A gets 119880119894rsquosidentity 119868119863119894 by shoulder surfing and 119880119894rsquos biometric 119887119894 by


Figure 1 Login and authentication phase of Ali et alrsquos scheme

a malicious terminal and intercepts 119863119868119863119894 119864119894 119862119894 119863119894 frompublic channel ThenA performs user impersonation attackin the following steps

Step 1 A computes 119877119894119886= 119903119894119886119875 119861119894 = 1198672(119887119894)119875 119862119886 = 119877119894119886

+ 119861119894119863119886 = 1198671(119868119863119894 119877119894119886 119878119868119863119895 119864119894) where 119903119894119886 is a random

numberA sends 119863119868119863119894 119864119894 119862119886 119863119886 to RCStep 2 Upon receiving 119863119868119863119894 119864119894 119862119886 119863119886 RC computes(119868119863119894 1198731) = 1198631198671(119909)(119863119868119863119894) 1198611015840

119894 = 119864119894 minus 1198671(119868119863119894 119909)1198751198771015840

119894119886= 119862119886 minus 1198611015840

119894 1198631015840119886 = 1198671(119868119863119894 1198771015840

119894119886 119878119868119863119895 119864119894) obviously

1198631015840119886=119863119886 Then RC computes 119863119868119863119899119890119908

119894 = 1198641198671(119909)(119868119863119894 119903119877119862)119865119886 = 1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840

119894119886 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 =

119877119877119862 + 1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895)

where 119903119877119862 is a randomnumberRC sends 119863119868119863119899119890119908119894 119870119894 119871 119894 119865119886

to 119878119895Step 3 Upon receiving 119863119868119863119899119890119908

119894 119870119894 119871 119894 119865119886 119878119895computes(119868119863119894 11987710158401015840

119894119886 1198672(119887119894)1015840) = 119863119878119872119895

(119865119886) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875 1198711015840

119894 =1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) obviously 1198711015840

119894 = 119871 119894 Then119878119895 computes 119877119878 = 119903119878119875 119876119886 = 119877119878 + 11987710158401015840

119894119886119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840

119877119862 1198672(119887119894)1015840119875) where 119903119878 is a random number 119878119895 sends119863119868119863119899119890119908

119894 119876119886119872119894 119870119894 toA

Step 4 Upon receiving 119863119868119863119899119890119908119894 119876119886 119872119886 119870119894A computes

1198771015840119878 = 119876119886 minus 119877119894119886

11987710158401015840119877119862 = 119870119894 minus 119861119894 119878119870 = 1198671(119877119894119886

1198771015840119878 11987710158401015840

119877119862)119885119886 = 119878119870 sdot 119875 + 1198671(119868119863119894 1198672(119887119894)) sdot 119875 and sends 119885119886 to 119878119895Step 5 Upon receiving 119885119886 119878119895 computes 119878119870 = 1198671(11987710158401015840

119894119886 119877119878

1198771015840119877119862)1198851015840

119886 = 119878119870 sdot 119875+1198671(119868119863119894 1198672(119887119894)1015840) sdot 119875 obviously1198851015840119886 = 119885119886119878119895 regardsA as legitimate user 119880119894

33 Server Impersonation Attack The adversary A obtains119880119894rsquos biometric 119887119894 and intercepts 119863119868119863119894 119864119894 119862119894 119863119894 from pub-lic channel Afterwards A performs server impersonationattack in the following steps

Step 1 A chooses two random numbers 119903119878119886 119903119877119862119886and com-

putes 119877119878119886= 119903119878119886119875 119877119877119862119886

= 119903119877119862119886119875 119861119894 = 1198672(119887119894)119875 1198771015840

119894 = 119862119894 minus 119861119894119876119886 = 119877119878119886

+1198771015840119894 119870119886 = 119877119877119862119886

+119861119894119872119886 = 1198671(119863119868119863119886119894 119877119878119886

119877119877119862119886

119861119894) where 119863119868119863119886119894 is a random binary string whose length is

equal with119863119868119863119894A sends 119863119868119863119886119894 119876119886119872119886 119870119886 to 119880119894


1198771015840119878119886= 119876119886minus1198771198941198771015840

119877119862119886= 119870119886minus119861lowast

119894 1198721015840119886 = 1198671(119863119868119863119886

119894 1198771015840119878119886 1198771015840

119877119862119886

119861lowast119894 ) obviously 1198721015840

119886 = 119872119886 119880119894 regards A as the server 119878119895 119880119894

computes 119878119870 = 1198671(119877119894 1198771015840119878119886 1198771015840

119877119862119886) 119885119886 = 119878119870 sdot 119875 + 1198671(119868119863119894


1198672(119887lowast119894 )) sdot 119875 119880119894 replaces 119863119868119863119894 with 119863119868119863119886119894 in his smart card

sends 119885119886 toA

Step 3 Upon receiving 119885119886A computes 119878119870 = 1198671(1198771015840119894 119877119878119886

119877119877119862119886)A establishes a session key 119878119870 with 119880119894 successfully

34 Denial of Service Attack In the process of server imper-sonation attack the adversary A delivers a forged dynamicidentity119863119868119863119886

119894 to119880119894119880119894 believes its validity and stores it in thesmart card When 119880119894 intends to access the server 119880119894 sends alogin request with 119863119868119863119886

119894 to RC As 119863119868119863119886119894 is a random binary

string rather than the encryption results of 119868119863119894 and a randomnumber RC rejects the login request In addition 119880119894 cannotlogin any server unless 119880119894 reregister with RC

35 Privileged Insider Attack In authentication phase of Aliet alrsquos scheme 1198672(119887119894) and new dynamic identity 119863119868119863119899119890119908

119894 isexposed to 119878119895 With 1198672(119887119894) and 119863119868119863119899119890119908

119894 119878119895 who acts as aprivileged insider can masquerade user 119880119894 to access serveror impersonate the other server to defraud 119880119894 As theirattack procedures are the same with aforementioned userimpersonation attack and server impersonation attack weomit it

36 Known Session-Specific Temporary Information AttackKnown session-specific temporary information attack is acryptanalysis under the circumstance the temporary secretvalue such as random number is leaked and the adversarytries to breach the current session key Suppose that Aobtains 119880119894rsquos biometric 119887119894 and intercepts 119863119868119863119899119890119908

119894 119876119894119872119894 119870119894from public channel In the case that random number 119903119894 iscompromised A can get the session key in the followingsteps

Step 1 Compute 119877119894 = 119903119894119875Step 2 Compute 119861119894 = 1198672(119887119894)119875Step 3 Compute 119877119877119862 = 119870119894 minus 119861119894


Step 5 Compute 119878119870 = 1198671(119877119894 119877119878 119877119877119862)

37 Three-Factor Secrecy In case that 119880119894rsquos smart card119863119868119863119894 119864119894 119875 119864119870119890119910() 119881119894 and biometric 119887119894 are breached theadversary is able to acquire 119880119894rsquos password via the followingsteps

Step 1 Guess the value of 119868119863119894 to be 119868119863lowast119894 from identity

dictionary space guess the value of 119875119882119894 to be 119875119882lowast119894 from

identity dictionary space

Step 2 Compute 119881lowast119894 = 1198671(119868119863lowast

119894 119875119882lowast119894 1198672(119887119894)) check if

119881lowast119894 = 119881119894 If the equation holds it shows that 119868119863lowast

119894 is 119880119894rsquos realidentity and 119875119882lowast

119894 is 119880119894rsquos correct password

Step 3 Repeat Steps 1 and 2 untilA finds the correct 119868119863119894 and119875119882119894

When the smart card and biometric of user are compro-mised the attacker is able to breach the password On theother handA is able to impersonate user successfully as longas he gets the biometric of user Ali et alrsquos scheme fails toachieve three-factor secrecy

4 The Proposed Scheme

In this section we present a biometric-based remote userauthentication scheme for multiserver environment Theproposed scheme includes the following five phases

41 Initial Phase RC chooses an elliptic curve group 119864119902

of order p and a generator 119875 of 119864119902 RC generates a ran-dom number 119909 and computes 119875119901119906119887 = 119909119875 RC publishes119864119902 119875 119875119901119906119887 1198671()1198672() and keeps 119909 as secret

42 Server Registration Phase The server 119878119895 registers withRCin the following steps

Step 1 119878119895 picks its identity 119878119868119863119895 freely and delivers 119878119868119863119895 toRC through the reliable channel

Step 2 Upon receiving 119878119868119863119895 RC calculates 119878119872119895 =1198671(119878119868119863119895 119909) and returns 119878119872119895 to 119878119895 via the reliable channelStep 3 119878119895 keeps 119878119872119895 as secret

43 User Registration Phase The user119880119894 registers with RC inthe following steps As described in Figure 2

Step 1 119880119894 chooses his identity 119868119863119894 and password 119875119882119894 freelyand imprints his biometric 119887119894 119880119894 calculates 119875119894 = 1198671(119875119882119894 1198672(119887119894) 119903119894) where 119903119894 is a random number Afterwards119868119863119894 119875119894 is transmitted to RC through the reliable channel

Step 2 Upon receiving 119868119863119894 119875119894 RC computes 119860 119894 = 1198671(119909 119868119863119894) 119861119894 = 119860 119894⨁119875119894 119881119894 = 1198671(119875119894⨁1198671(119868119863119894))mod 119899 where24 le 119899 le 28 RC stores 119861119894 119881119894 119864119870119890119910() 119875 119875119901119906119887 119899 in a smartcard and transmits it to 119880119894 via the reliable communicationchannel

Step 3 119880119894 stores 119903119894 in the smart card

44 Login and Authentication Phase The user 119880119894 and theserver 119878119895 authenticate each other and establish a session keyby the aide of RC in the following steps As shown in Figure 3

Step 1 119880119894 attaches the smart card to a terminal enters119868119863lowast

119894 and 119875119882lowast119894 and imprints 119887lowast119894 Then the smart card

calculates 119875lowast119894 = 1198671(119875119882lowast

119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =

1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899 and checks if 119881lowast119894 = 119881119894 If this

equation holds the smart card computes 119860lowast119894 = 119861119894 oplus 119875lowast

119894 119877119894 = 1198731119875 119862119894 = 1198671(1198731119875119901119906119887) 119871 119894 = 119864119862119894(119868119863lowast

119894 119860lowast119894 119878119868119863119895)

where 1198731 is a random number 119877119894 119871 119894 is transmitted to RCvia the public channel

Step 2 After receiving 119877119894 119871 119894 RC computes 1198621198941015840 = 1198671(119909119877119894)(1198681198631015840

119894 1198601015840119894 1198781198681198631015840

119895) = 1198631198621198941015840(119871 119894) 119860 119894 = 1198671(119909 1198681198631015840

119894 ) and


Figure 2 User registration phase of the proposed scheme

Figure 3 Login and authentication phase of the proposed scheme

checks if119860 119894 = 1198601015840119894 If the equation holds RC computes 119878119872119895 =

1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840

119894 )) 119872119894 is transmitted to 119878119895Step 3 After receiving 119872119894 119878119895 computes (11986811986310158401015840

119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840

119894 is equal to1198841015840119894 If it holds 119878119895 computes 119877119878 = 1198732119875

119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840

119894 119878119870 119877119878 119878119868119863119895) where 1198732 is a random number 119877119878 119865119894 istransmitted to 119880119894

Step 4 After receiving 119877119878 119865119894 119880119894 computes 1198641015840119894 = 1198731 sdot 119877119878

119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)

and checks if 1198651015840119894 = 119865119894 If the equation holds119880119894 computes119876119894 =1198671(119878119870 119877119878) and sends 119876119894 to 119878119895

Step 5 After receiving 119876119894 119878119895 computes 1198761015840119894 = 1198671(119878119870 119877119878)

and checks if 1198761015840119894 = 119876119894 If the equation holds 119878119895 establishes a

session key 119878119870 with 119880119894 successfully

45 Password Update Phase 119880119894 changes his original pass-word to a new one in the following steps As described inFigure 4

Step 1 119880119894 attaches his smart card to a terminal enters 119868119863lowast119894


119894 =1198671(119875119882lowast119894 1198672(119887lowast119894 ) 119903119894) 119881lowast

119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899


Figure 4 Password update phase

and checks 119881lowast119894 t119881119894 If it holds the smart card asks the user to

input a new password

Step 2 119880119894 enters his new password 119875119882119899119890119908119894 Then the smart

card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840

119894 ⨁1198671(119868119863lowast119894 ))mod 119899 The smart

card stores 1198611015840119894 1198811015840

119894 in the smart card and removes 119861119894 119881119894

5 Security Proof

51 Formal Security Analysis Wedescribe the formal securitymodel for three-factor multiserver authentication schemesproposed by Feng at al [26] and prove the proposed schemeis provably secure in this model

511 Security Model

ParticipantsThere are three types of principals inmultiserverauthentication scheme that is the user 119880119894 the server 119878119895 andthe registration centerRC Every kind of participant hasmanyinstancesWe use 119880119886

119894 119878119886119895 and 119877119862119886 denote them

Queries The abilities of adversary are modeled by asking thefollowing queries

Execute (119880119886119894 119878119886119895 119877119862119886)The query simulates the eavesdropping

attack It returns the transcripts of the transmitted messagesin public channel to the adversary

Send (119880119886119894 119878119886119895119877119862119886 119898) It allows the adversary masquerades

as a principal to send a message 119898 The oracle handles themessage and gives a response to the adversary

Reveal (119880119886119894 119878119886119895 ) This query discloses the session key of

instance 119880119886119894 or 119878119886119895 to the adversary However if instance 119880119886

119894

or 119878119886119895 does not establish a session key it returns an invalidsymbol perpCorrupt (119880119886

119894 119911)This query reveals one or two authenticationfactors of user to the adversary Note that the adversarycannot get all the three authentication factors at the sametime as he has no difference with a legitimate user

When 119911 = 1 it returns the password of 119880119886119894 to the

adversaryWhen 119911 = 2 it returns the data in 119880119886

119894 rsquos smart cardWhen 119911 = 3 it returns the biometric of 119880119886

119894

Corrupt (119878119886119895 119877119862119886) This query simulates the forward secrecyattack it answers the master key x or the secret key 119878119872119895 tothe adversary

Test (119880119886119894 119878119886119895 ) The query is used to evaluate the semantic

security of session key The adversary is allowed to make thequery nomore than once If the instance119880119886

119894 or 119878119886119895 is fresh (seebelow) the oracle flips a coin 119887 If 119887 = 1 it returns the sessionkey to the adversary If 119887 = 0 it returns a random string ofthe same size to the adversary

Freshness The instance 119880119886119894 or 119878119886119895 is fresh if the following

conditions are satisfied

(1) The instance is accepted and establishes a session key(2) The instance and its partner that belongs to the same

session are never made a reveal query(3) The adversary never asks the Corrupt (119880119886

119894 119911 = 1 2 3)query

(4) The adversary never makes a Corrupt (119878119886119895 119877119862119886)query

Semantic Security The adversary makes a series of aforemen-tioned queries in polynomial time Eventually the adversarydeduces the value of 119887 involved in test query to be 1198871015840We denote the advantage that the adversary breaches thesemantic security of our scheme as

119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)

Our protocol is secure if for any adversary the advantage isnegligible

512 Formal Security Proof The formal security proof of theproposed scheme relies on the presumed hardness of theelliptic curve DiffiendashHellman problem defined below

The Elliptic Curve DiffiendashHellman Problem (ECDHP) Let 119864119902

be an elliptic curve group of order p And P is a generator of119864119902 For given 1198771 1198772 isin 119864119901 where 1198771 = 1198731119875 1198772 = 1198732119875 it isinfeasible to compute11987311198732119875 in polynomial time

Theorem 1 We use P to denote the proposed scheme Thereis an adversary A who tries to break the semantic securityof our scheme We assume that A is able to make at most 119902119904Send-queries 119902119890 Execute queries 119902ℎ Hash queries 119902119887 Bio-hashqueries and 119902120576 EncryptionDecryption queries in polynomialtime t Then we have

119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)


where 1198971 is the bit length of hash output 1198972 is the bit lengthof Bio-hash output 1198973 is the bit length of symmetric encryptionoutput The password dictionary space is 119884 119860119889V119864119862119863119867119875

119875 is theprobability that the adversary solves the119864119862119863119867119875 in polynomialtime t

The Proof The advantage of breaking our scheme is deducedvia a series of games from 1198660 to 1198667 119878119894 denotes the event thatthe adversary correctly guesses the value of 119887 involved in testquery in game 119866119894 And Pr[119878119894] is the probability of the event119878119894 1198660 it represents the real attack obviously we have

119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)

By a further transformation we have

2 (Pr [1198780]) minus 1 = 2 (Pr [1198780] minus Pr [1198786]) + 2Pr [1198786] minus 1

= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)

1198661 in this game the hash oracle bio-hash oracle andencryptiondecryption oracle are simulated by maintaininga hash list Λ119867 a bio-hash list Λ 119887119867 and an encryptiondecryption list Λ 120576 For a hash query 1198671(120572) if there is anitem (120572 120573) in Λ119867 the oracle returns 120573 to the adversaryOtherwise the oracle chooses a random number 120573 returns120573 to the adversary and adds the item (120572 120573) to Λ119867 The bio-hash oracle is simulated in the same way For an encryptionquery 119864119896(119904119905119903) if there is an item (119896 119904119905119903 120574) in Λ 120576 the oraclereturns 120574 to the adversary Otherwise the oracle chooses avalue 120574 from cipher text space returns 120574 to the adversary andadds the item (119896 119904119905119903 120574) to Λ 120576 For a decryption query119863119896(120574)if there is an item (119896 119904119905119903 120574) in Λ 120576 the oracle returns 119904119905119903 tothe adversary Otherwise the oracle chooses a value 119904119905119903 fromplaintext space returns 119904119905119903 to the adversary and adds theitem (119896 119904119905119903 120574) to Λ 120576 Besides all oracles involved in securitymodel are simulated in this game Obviously this game hasno difference with 1198660 We have

Pr [1198780] minus Pr [1198781] = 0 (5)

1198662 we avoid the occurrence of some collisions in thisgame 1198662 is indistinguishable from 1198661 unless the followingconditions occur

(1) A collision happens in the output of hash functionthe probability is less than 1199022ℎ21198971+1

(2) A collision happens in the output of bio-hash theprobability is no more than 119902211988721198972+1

(3) A collision happens in the output of symmetricencryption the probability is less than 119902212057621198973+1

(4) A collision happens on 119877119894 or 119877119878 the probability is nomore than (119902119904 + 119902119890)22119901

So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)

1198663 in this game we avoid the situation that the adversarycorrectly guesses 119865119894 or 119876119894 without making the correspondinghash query The probability is at most 11990211990421198971 Thus

1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)

1198664 this game averts the execution when the adversarycorrectly guesses the authentication value 119860 119894 directly Theprobability is at most 11990211990421198971 We get

1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)

1198665 in this game we avoid the occurrence that theadversary has computed the authentication value 119860 119894 withthe help of Corrupt (119880119886

119894 119911) The following three cases areincluded

Case 1 The adversary queries Corrupt (119880119886119894 1) and Corrupt

(119880119886119894 2) To derive 119860 119894 the adversary still needs to get the

biometric The probability that he correctly guesses thebiometric is at most 11990211990421198972Case 2 The adversary queries Corrupt (119880119886

119894 2) and Corrupt(119880119886

119894 3)Theprobability that he correctly guesses the passwordis less than 119902119904119884Case 3 The adversary queries Corrupt (119880119886

119894 1) and Corrupt(119880119886

119894 3) The probability that he correctly guesses the parame-ter 119861119894 is no more than 11990211990421198971

The probability that the adversary gets119860 119894 is less than 119902119904 lowast(1119884 + 121198971 + 121198972) We have

1003816100381610038161003816Pr [1198784] minus Pr [1198785]1003816100381610038161003816 le 119902119904 lowast ( 1119884 +121198971 +

121198972 ) (9)

1198666 in this game we compute the session key 119878119870 usingthe private oracles 1198671015840

1 instead of the hash oracle 1198671 As theprivate oracles1198671015840

1 is unknown to the adversary We have

Pr [1198786] = 12 (10)

1198666 has no difference with 1198665 unless the adversary makesa hash query1198671(119864119894 1198671(119860 119894 119862119894) we denote the event asΛ 1We have

1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)

1198667 we simulate the random self-reducibility of ECDHPin this game For 119877119894 = 1198731119875 119877119878 = 1198732119875 through selectingrandomly in Λ119867 we can obtain the item containing 119864119894 =11987311198732119875 with the probability 1119902ℎ Since the event Λ 1 denotesthat the adversary makes a hash query1198671(119864119894 1198671(119860 119894 119862119894)We have

Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)


Table 2 The notations and rules of BAN logic

119875119876 A principal119883119884 A statementK A key119875 ⊲ 119883 P sees X P receives a message containing X119875| sim 119883 P said X P sent a message including X119875| equiv 119883 119875 believes119883 is true119875 119884lArrrArr 119876 P and Q share a secret 119884(119883) X is fresh119875 119870larrrarr 119876 P and Q share a key K119883119870 119883 is encrypted under the key Klt 119883 gt119884 X is combined with a secret Y119875 997904rArr 119883 P has jurisdiction over119883

Message meaning rule 119875| equiv 119875 119870larrrarr 119876119875 ⊲ 119883119870119875| equiv 119876| sim 119883 or 119875| equiv 119875

119884lArrrArr 119876119875 ⊲ lt 119883 gt119884

119875| equiv 119876| sim 119883Belief rule 119875| equiv 119883 119875| equiv 119884

119875| equiv (119883 119884)Nonce-verification rule 119875| equiv (119883) 119875| equiv 119876| sim 119883

119875| equiv 119876| equiv 119883Jurisdiction rule 119875| equiv 119876 997904rArr 119883119875| equiv 119876| equiv 119883

119875| equiv 119883

Through the series of games above we have

119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)

52 Security Proof Using BAN Logic In this section we useBAN logic [33] to prove that our scheme achieves mutualauthentication and establishes a secure session key Table 2describes the symbols and rules of BAN logic

The goals that our scheme should achieve are as follows

Goal 1 119880119894| equiv 119878119895| equiv (119878119895 119878119870larr997888rarr 119880119894)Goal 2 119880119894| equiv (119878119895 119878119870larr997888rarr 119880119894)Goal 3 119878119895| equiv 119880119894| equiv (119878119895 119878119870larr997888rarr 119880119894)Goal 4 119878119895| equiv (119878119895 119878119870larr997888rarr 119880119894)

We idealized the proposed scheme as follows

M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894

lArrrArr119877119862

M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

The initiative assumption of our scheme is given asfollows

S1 119877119862| equiv 119880119894

119860119894lArrrArr 119877119862S2 119877119862 equiv (1198731)S3 119877119862 equiv 119880119894 997904rArr (119880119894

119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862

119878119872119895larr997888997888rarr 119878119895S5 119878119895| equiv (1198731)S6 119878119895| equiv 119877119862| 997904rArr (119880119894

1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895S8 119880119894| equiv (1198731)S9 119880119894| equiv 119878119895 997904rArr (119880119894

119878119870larr997888rarr 119878119895)S10 119878119895| equiv (1198732)S11 119878119895| equiv 119880119894 997904rArr (119880119894

119878119870larr997888rarr 119878119895)The proof of our scheme is performed as followsFromM1 we have

(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


According to S1 (1) andmessage meaning rule we obtain

(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gtAccording to S2 (2) and nonce-verification rule we

obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gtAccording to S3 (3) and jurisdiction rule we obtain

(4) 119877119862| equiv 119880119894

119862119894lArrrArr 119877119862FromM2 we have

(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

According to S4 (5) andmessagemeaning rule we obtain

(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895According to S5 (6) and nonce-verification rule we

obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895According to S6 (7) and jurisdiction rule we obtain

(8) 119878119895| equiv 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895FromM3 we have

(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gtAccording to S8 (10) and nonce-verification rule we

obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 1)According to S9 (11) and jurisdiction rule we obtain

(12) 119880119894| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 2)FromM4 we have

(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

According to (8) (13) and message meaning rule weobtain

(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)

6 Informal Security Analysis

In this section we demonstrate that our scheme achieves useranonymity forward secrecy and three-factor secrecy and isresistant to several known attacks

61 User Anonymity In our scheme userrsquos identity 119868119863119894 isprotected with symmetric encryption As the key 119862119894 and119878119872119895 is unavailableA cannot get any information about 119868119863119894

from the transmittedmessages in public channel In additionA cannot link two distinct messages to one user due tothe existence of random number Our scheme achieves useranonymity

62 Forward Secrecy Suppose that A compromises themaster key of RC and intercepts 119877119894 119871 119894 119877119878 119865119894 from publicchannel Then A tries to compute the session key 119878119870 =1198671(119864119894 1198671(119860 119894 119862119894)) A can get 119862119894 and 119860 119894 by computing119862119894 = 1198671(119909119877119894) (1198681198631015840

119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A

needs to derive 119864119894 from 119877119894 119877119878 It means that A has to solvethe elliptic curve DiffiendashHellman problem It is absolutelyimpossible Our scheme achieves forward secrecy

63 Offline Password Guessing Attack In the case that Aextracts 119861119894 119881119894 119864119870119890119910() 119875 119875119901119906119887 119899 119903119894 from 119880119894rsquos smart card andobtains 119880119894rsquos biometric 119887119894 A tries to acquire the password of119880119894 in the following steps

Step 1 Choose an identity 119868119863lowast119894 from identity dictionary space

and a password 119875119882lowast119894 from password dictionary space


119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =1198671(119875lowast

119894 ⨁1198671(119868119863lowast119894 ))mod 119899 Check 119881lowast

119894 t119881119894

Step 3 Repeat Steps 1 and 2 until A finds a pair of lt119868119863lowast

119894 119875119882lowast119894 gt satisfying 119881lowast

119894 = 119881119894

However even if A finds a pair of lt 119868119863lowast119894 119875119882lowast

119894 gtsatisfying 119881lowast

119894 = 119881119894 he cannot determine whether they arethe real identity and password of 119880119894 The proposed schemeemploys the fuzzy validation of inputted authenticationinformation When 119899 = 28 and the identity and passwordboth are 64 bits there will be (264 lowast 264)28 pairs of identityand password satisfying 119881lowast

119894 = 119881119894 The probability that eachcandidate is equal to the pair of identity and password of 119880119894

is 28(264 lowast 264) this is negligible In our scheme it is unableto reveal the identity and password of user even if both thesmart card and biometric are compromised

64 User Impersonation Attack Assume that A tries toimpersonate user and forge a login requested message119877119894 119871 119894 A computes 119877119894119886

= 1198731119886119875 where 1198731119886

is a randomnumber To compute 119871 119894 A needs to know 119860 119894 However Acannot get any information about 119860 119894 from the transmittedmessages in public channel as119860 119894 is protectedwith symmetricencryption and hash function In the case that the smart cardis compromised A tries to retrieve 119860 119894 from 119861119894 As 119860 119894 =119861119894 oplus 119875119894 A needs to get 119875119894 at first To compute 119875119894 A requires119903119894 119887119894 119875119882119894 That is to sayA cannot get 119860 119894 unless he obtainsall the three authentication factors at the same time This isbeyond the capacity of A The proposed scheme is secureagainst user impersonate attack

65 Server Impersonation Attack Suppose that A intercepts119877119894 119871 119894 and 119872119894 frompublic channel and tries tomasquerade


as the server 119878119895 by sending a forged message 119877119878 119865119894 to119880119894 AtfirstA generates a randomnumber1198732119886

and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886

lowast119877119894 Next to compute 119878119870 = 1198671(119864119894 1198671(119860 119894 119862119894) A still needs 119860 119894 and 119862119894 As analyzed above A cannotobtain 119860 119894 To derive 119862119894 the adversary needs to compromisethe master key x or break the elliptic curve DiffiendashHellmanproblem It is beyond the capacity ofA Our scheme is secureagainst server impersonation attack

66 Replay Attack In our scheme we adopt random num-bers instead of timestamp to guarantee the freshness ofexchanged messages It decreases the communication over-head and avoids clock synchronization problem In thefollowing four cases we demonstrate that our scheme isresistant to replay attack

Case 1 Suppose that the adversaryA intercepts 119877119894 119871 119894 frompublic channel and sends it to RC as a new login request RCand 119878119895 deal with this message and return 119872119894 toA ThenAneeds to generate a response message 119876119894 and sends it to 119878119895As1198731 119860 119894 are unavailable the adversary is unable to return avalid 119876119894 to 119878119895 The protocol finally aborts

Case 2 In caseA replays 119872119894 to 119878119895 asA is unable to returna valid 119876119894 to 119878119895 the protocol finally abortsCase 3 IfA intercepts 119872119894 from public channel and replays119877119878 119865119894 to 119880119894 The user deals with this message and finds that1198651015840

119894 = 119865119894 The protocol aborts

Case 4 Assume thatA intercepts 119877119878 119865119894 from public chan-nel and replays 119876119894 to 119878119895 The server deals with this messageand finds that 1198761015840


67 Known Session-Specific Temporary Information AttackSuppose that random number1198731 or1198732 is compromised theadversary computes 119864119894 = 1198731 lowast 119877119878 or 119864119894 = 1198732 lowast 119877119894 It stillrequires 119860 119894 and 119862119894 to compute the session key 119878119870 However119860 119894 119862119894 are unavailable It is unable to compromise the sessionkey in our scheme

68 Privileged Insider Attack On one hand the passwordand biometric of 119880119894 are protected with hash function inregistration phase On the other hand the user never revealsany authentication information (password biometric or theparameters of smart card) to RC or server in login andauthentication phase Hence our scheme is resistant toprivileged insider attack

69 Three-Factor Secrecy As analyzed above in the absenceof any one authentication factorA cannot impersonate usersuccessfully In the following three cases we demonstrate thatif any two authentication factors of user are compromised theadversary cannot breach the other one

Case 1 Suppose that 119880119894rsquos smart card and biometric are com-promised As analyzed above the adversary cannot reveal119880119894rsquospassword via offline password guessing attack

Case 2 Suppose that 119880119894rsquos smart card and password arecompromised As the biometric 119887119894 is protected by means ofhash functionA is unable to retrieve 119887119894 from 119881119894

Case 3 Suppose that 119880119894rsquos biometric and password are com-promised The adversary tries to reveal the parameters119861119894 119881119894 119903119894 stored in the smart card where 119903119894 is a randomnumber 119861119894 = 119860 119894⨁119875119894 119875119894 = 1198671(119875119882119894 1198672(119887119894) 119903119894)119881119894 = 1198671(119875119894⨁1198672(119868119863119894))mod 119899 As 119903119894 119860 119894 are unavailable Theadversary is unable to reveal any data of smart card

7 Security and Performance Comparison

We compare our scheme with other biometric-based multi-server authentication schemes using ECC [22 25ndash27] Theresults of comparison indicate that our scheme satisfies allthe security requirements while it requires the minimumcommunication and computation overhead

Table 3 shows the results of security analysis It indicatesthat only our scheme is secure against various known attacksand provides desirable security properties such as forwardsecrecy user anonymity three-factor secrecy and efficientwrong password and biometric detectionThe other schemes[22 25ndash27] suffer from more or less security vulnerabilities

Table 4 gives the computation costs of related schemesat login and authentication phase More specifically 119879119867

denotes computing a hash function 119879119864 denotes one sym-metric encryption 119879119863 denotes one symmetric decryption119879119875 denotes one point multiplication on elliptic curve groupThe computing overhead of lightweight operation ldquoXORrdquois negligible compared with other operations Our schemerequires 3119879119875 + 1119879119864 + 7119879119867 in user end requires 1119879119875 + 1119879119863 +1119879119864 + 5119879119867 in RC and requires 2119879119875 + 1119879119863 + 4119879119867 in serverend And the total computation cost of our scheme is 6119879119875 +2119879119863 + 2119879119864 + 16119879119867 The total computation costs of relatedschemes [22 25ndash27] are 8119879119875+22119879119867 8119879119875+16119879119867 8119879119875+241198791198677119879119875 + 2119879119863 + 2119879119864 + 12119879119867 respectively

Table 5 summarizes the computing time of differentcryptographic operations [34] The hash function SHA-256and SHA-512 the symmetric algorithm AES-128 and AES-256 the elliptic curve cryptosystem using P521 and Curve-25519 respectively are employed to estimate the runningtime of related schemes We compare our scheme withrelated schemes for two scenarios as shown in Figure 5The Scenario 1 adopts the comparatively efficient algorithmsthat is SHA-256 AES-128 encryptiondecryption and ellipticcurve cryptosystem using Curve25519 In this scenario ourscheme requires 43257 ms the related schemes [22 25ndash27]require 576286 ms 576208 ms 576312 ms and 504518ms respectively Scenario 2 uses the comparatively time-consuming algorithms that is SHA-512 AES-256 encryp-tiondecryption and elliptic curve cryptosystem using P521In this scenario our scheme requires 6319022 ms the relatedschemes [22 25ndash27] require 8424704 ms 8424512 ms8424768 ms and 7371894 ms respectivelyThe computationoverhead of our scheme is superior to other schemes in bothscenarios

Figure 6 illustrates the communication overheads ofrelated schemes To evaluate the communication overhead


Table3Re

sults

ofsecurityanalysisof

related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk

nownsession-specifictem

porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic


Table 4 Computation cost of related schemes

Schemes User RC Server Total costHe [22] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 5119879119867 8119879119875 + 22119879119867

Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867

Table 5 Computing time of cryptographic operations

Operations Computing timeSHA-256 13 120583sSHA-512 32 120583sAES-128 Encryption 64 120583sAES-128 Decryption 117120583sAES-256 Encryption 90 120583sAES-256 Decryption 165 120583sCurve25519 Point Multiplication 72 msP521 Point Multiplication 1053 ms

8000

6000

4000

2000

0 He et al Kumari et al Feng et al Ali et al Our scheme

Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512

Scenario 1Scenario 2

Figure 5 Running time of related schemes

we suppose that the identity of user timestamp randomnumber are 64 bits a point on 119864119901 is 160 bits When usingthe hash function SHA-256 and the symmetric algorithmAES-128 the communication overhead of our scheme is2112 bits the communication overheads of relevant schemes[22 25ndash27] are 4224 bits 3392 bits 4224 bits and 2624bits respectively When adopting the hash function SHA-512and the symmetric algorithm AES-256 the communicationoverhead of our scheme is 3392 bits the communicationoverheads of relevant schemes [22 25ndash27] are 7808 bits 5696bits 7808 bits and 3392 bits respectively Our scheme hasthe lowest communication overhead compared with otherschemes

8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224

Kumari et al Feng et al

SHA-256+AES-128SHA-512+AES-256

3392 3392

21122624

Ali et al Our scheme

Com

mun

icat

ion

over

head

(bits

)

Figure 6 Communication overhead of related schemes

8 Conclusions

In this paper we prove that Ali et alrsquos scheme is sus-ceptible to various security threats such as impersonationattack denial of service attack and known session-specifictemporary information attack Furthermore we propose anefficient ECC-based three-factor authentication scheme formultiserver environment BAN logic proof and the formalsecurity analysis under random oracle model are used toprove the completeness and security of the proposed schemeBesides the informal analysis demonstrates that our schemesurmount the vulnerabilities in Ali et alrsquos scheme and pro-vides desirable attributes like forward secrecy and three-factor secrecy In addition the performance and securitycomparison shows that our scheme provides strong securitywhile it has minimal communication overhead and compu-tation cost

Data Availability

The data used to support the findings of this study areincluded within the article

Conflicts of Interest

The authors declare no conflict of interest


Acknowledgments

This research was funded by the National Key Researchand Development Program of China under Grant No2018YFB0803605 and the National Natural Science Founda-tion of China under Grant No 61873069

References

[1] J-L Tsai and N-W Lo ldquoA chaotic map-based anonymousmulti-server authenticated key agreement protocol using smartcardrdquo International Journal of Communication Systems vol 28no 13 pp 1955ndash1963 2015

[2] D He S Zeadally N Kumar andWWu ldquoEfficient and anony-mous mobile user authentication protocol using self-certifiedpublic key cryptography for multi-server architecturesrdquo IEEETransactions on Information Forensics and Security vol 11 no9 pp 2052ndash2064 2016

[3] W Han and Z Zhu ldquoAn ID-based mutual authentication withkey agreement protocol for multiserver environment on ellipticcurve cryptosystemrdquo International Journal of CommunicationSystems vol 27 no 8 pp 1173ndash1185 2014

[4] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smart cardsrdquoIEEE Transactions on Information Forensics and Security vol 10no 9 pp 1953ndash1966 2015

[5] X Liu Y Li J Qu and L Lu ldquoELAKA energy-efficientand lightweight multi-server authentication and key agreementprotocol based on dynamic biometricsrdquoWireless Personal Com-munications vol 100 no 3 pp 767ndash785 2018

[6] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017

[7] X Li K Wang J Shen S Kumari F Wu and Y HuldquoAn enhanced biometrics-based user authentication schemefor multi-server environments in critical systemsrdquo Journal ofAmbient Intelligence and Humanized Computing vol 7 pp 1ndash172016

[8] F Wu L Xu S Kumari and X Li ldquoA novel and provably securebiometrics-based three-factor remote authentication schemefor mobile client-server networksrdquo Computers and ElectricalEngineering vol 45 pp 274ndash285 2015

[9] M-C Chuang and M C Chen ldquoAn anonymous multi-serverauthenticated key agreement scheme based on trust computingusing smart cards and biometricsrdquo Expert Systems with Applica-tions vol 41 no 4 pp 1411ndash1418 2014

[10] J Moon Y Choi J Jung and D Won ldquoAn improvementof robust biometrics-based authentication and key agreementscheme formulti-server environments using smart cardsrdquo PLoSONE vol 10 no 12 Article ID e0145263 2015

[11] C-T Chen and C-C Lee ldquoA two-factor authentication schemewith anonymity for multi-server environmentsrdquo Security andCommunication Networks vol 8 no 8 pp 1608ndash1625 2015

[12] CWang G Xu andW Li ldquoA secure and anonymous two-factorauthentication protocol in multiserver environmentrdquo Securityand Communication Networks vol 2018 Article ID 9062675 15pages 2018

[13] D Mishra ldquoDesign and analysis of a provably secure multi-server authentication schemerdquo Wireless Personal Communica-tions vol 86 no 3 pp 1095ndash1119 2016

[14] K-HYeh ldquoAprovably securemulti-server based authenticationschemerdquo Wireless Personal Communications vol 79 no 3 pp1621ndash1634 2014

[15] W-B Hsieh and J-S Leu ldquoAn anonymous mobile user authen-tication protocol using self-certified public keys based onmulti-server architecturesrdquoThe Journal of Supercomputing vol 70 no1 pp 133ndash148 2014

[16] X Li J Niu S Kumari J Liao and W Liang ldquoAn Enhance-ment of a Smart Card Authentication Scheme for Multi-serverArchitecturerdquoWireless Personal Communications vol 80 no 1pp 175ndash192 2015

[17] D Wang and P Wang ldquoOffline dictionary attack on passwordauthentication schemes using smart cardsrdquo in Proceedings of the16th International Conference on Information Security (ISC rsquo13)pp 221ndash237 Dallas TX USA 2013

[18] E-J Yoon and K-Y Yoo ldquoRobust biometrics-based multi-server authentication with key agreement scheme for smartcards on elliptic curve cryptosystemrdquoThe Journal of Supercom-puting vol 63 no 1 pp 235ndash255 2013

[19] H Kim W Jeon K Lee Y Lee and D Won ldquoCryptanalysisand improvement of a biometrics-based multi-server authen-tication with key agreement schemerdquo in Proceedings of the12th International Conference on Computational Science and ItsApplications (ICCSA rsquo12) pp 391ndash406 Salvador de Bahia BrazilJune 2012

[20] R Amin and G P Biswas ldquoDesign and analysis of bilinearpairing based mutual authentication and key agreement pro-tocol usable in multi-server environmentrdquo Wireless PersonalCommunications vol 84 no 1 pp 439ndash462 2015

[21] P Chandrakar and H Om ldquoCryptanalysis and improvementof a biometric-based remote user authentication protocolusable in amultiserver environmentrdquo Transactions on EmergingTelecommunications Technologies vol 28 no 12 Article IDe3200 2017

[22] D He and D Wang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 2015

[23] C Wang X Zhang Z Zheng and M K Khan ldquoCryptanalysisand improvement of a biometric-based multi-server authenti-cation and key agreement schemerdquo PLoS ONE vol 11 no 2Article ID e0149173 2016

[24] L Yang Z Zheng and M K Khan ldquoCryptanalysis andimprovement of a biometrics-based authentication and keyagreement scheme for multi-server environmentsrdquo PLoS ONEvol 13 no 3 Article ID e0194093 2018

[25] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017

[26] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future Generation Com-puter Systems vol 84 pp 239ndash251 2018

[27] R Ali and A K Pal ldquoAn efficient three factor-based authentica-tion scheme in multiserver environment using ECCrdquo Interna-tional Journal of Communication Systems vol 31 no 4 ArticleID e3484 2018

[28] Y Lu L LiH Peng andY Yang ldquoA biometrics and smart cards-based authentication scheme for multi-server environmentsrdquoSecurity and Communication Networks vol 8 no 17 pp 3219ndash3228 2015


[29] S A Chaudhry ldquoA secure biometric basedmulti-server authen-tication scheme for social multimedia networksrdquo MultimediaTools and Applications vol 75 no 20 pp 12705ndash12725 2016

[30] D Mishra A Das and S Mukhopadhyay ldquoA secure useranonymity-preserving biometric-based multi-server authenti-cated key agreement scheme using smart cardsrdquo Expert Systemswith Applications vol 41 no 18 pp 8129ndash8143 2014

[31] D Wang and P Wang ldquoTwo birds with one stone two-factorauthenticationwith security beyond conventional boundrdquo IEEETransactions on Dependable and Secure Computing vol 15 no4 pp 708ndash722 2018

[32] C Wang G Xu and J Sun ldquoAn enhanced three-factor userauthentication scheme using elliptic curve cryptosystem forwireless sensor networksrdquo Sensors vol 17 no 12 article 29462017

[33] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990

[34] D Abbasinezhad-Mood and M Nikooghadam ldquoEfficientanonymous password-authenticated key exchange protocol toread isolated smart meters by utilization of extended chebyshevchaotic mapsrdquo IEEE Transactions on Industrial Informatics vol14 no 11 pp 4815ndash4828 2018

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


Three-factor authentication schemes that adopt passwordsmart card and biometric facilitate better security

Recently some three-factor multiserver authenticationschemes have been introduced In 2010 Yoon et al [18]introduced an efficient biometric-based multiserver authen-tication scheme using elliptic curve cryptosystem (ECC)Later on Kim et al [19] pointed out Yoon et alrsquos schemecannot resist smart card loss attack forgery attack andfails to provide forward secrecy In 2015 Amin et al [20]proposed a three-factor multiserver authentication schemeusing bilinear pairing Afterwards Chandrakar et al [21]proved Amin et alrsquos scheme is susceptible to offline passwordguessing attack impersonation attack and fails to achieveuser anonymity He et al [22] introduced a biometric-basedmultiserver authentication scheme using fuzzy extractorand ECC and claimed their scheme achieves intrinsicallythree-factor secrecy But we observed He et alrsquos scheme issusceptible to known session-specific temporary informationattack and cannot detect wrong password and biometricimmediately In 2016Wang et al [23] presented a three-factormultiserver authentication scheme using hash function andfuzzy extractor But Yang et al [24] pointed out Wang et alrsquosscheme cannot resist user impersonation attack and fails toachieve forward secrecy In 2017 Kumari et al [25] proposeda biometric-based multi-cloud-server authentication schemeusing ECC and bio-hash function However Feng et al[26] demonstrated that Kumari et alrsquos scheme suffers fromserver impersonation attack and introduced an enhancedscheme Unfortunately we found Feng et alrsquos scheme failsto achieve three-factor secrecy and suffers from knownsession-specific temporary information attack Ali et al [27]introduced a three-factor multiserver authentication schemeusing symmetric encryption and ECC and claimed theirscheme is resistant to a variety of security attacks Howeverwe found that Ali et alrsquos scheme is not as secure as it claimedby demonstrating their scheme is vulnerable to a variety ofserious security attacks

Either the existing three-factor multiserver authentica-tion schemes [18ndash30] have more or less vulnerabilities ortheir communication and computation costs need to beimproved This moves us to design a secure three-factormultiserver authentication scheme with higher efficiencyOur contributions are summed up as follows

(1) We prove that Ali et alrsquos scheme suffers fromuser impersonation attack privileged insider attackserver impersonation attack denial of service attackand known session-specific temporary informationattack Besides the scheme fails to achieve forwardsecrecy and three-factor secrecy

(2) We propose a novel biometric-based multiserverauthentication scheme using ECC Formal securityanalysis under the random oracle model proves ourscheme is provably secure BAN logic proof provesthe completeness of our scheme Moreover informalanalysis demonstrates our scheme achieves variousdesirable features and is resistant to all known attacks

(3) In addition the performance and security compari-son shows that our scheme achieves superior security

properties Moreover our scheme has the least com-munication overhead and computation cost

11 Adversary Model When evaluating a three-factor multi-server authentication scheme the capacities of adversary Aare described as follows

(1) Amay be an external attacker or a privileged insider(2) A can fully control the public channel namely A is

able to interrupt eavesdrop forge and modify themessages transmitted via public channel

(3) A is able to enumerate all the values in119863119875119882 lowast119863119868119863 inpolynomial time where 119863119875119882 denotes the passwordspace and119863119868119863 denotes the identity space [31]

(4) A is able to get userrsquos password by shoulder surfingA can retrieve the data in smart card by powerconsumption analysis A is able to get the biometricof user by a malicious terminal [32]

(5) When evaluating three-factor secrecyA is able to getany two kinds of authentication elements at the sametime but cannot get all [26]

(6) When evaluating forward secrecy A can get themaster key of RC or the secret key of server

The user tends to choose an easy-to-remember passwordwith low strength The user identity usually is based on thepredefined format The identity and password may be of lowentropy and can be easily guessed According to the adversarymodel presented byWang et al [31] we assume the adversaryA is able to enumerate all the values in 119863119875119882 lowast 119863119868119863 inpolynomial time

Three-factor secrecy denotes that if any two kinds ofauthentication elements are compromised the attacker stillcannot breach the other one and damage the security of thesystem [26] Such a consideration is of practical significanceThe adversary may get userrsquos password by shoulder surfing orthe data in smart card via side channel attack Moreover theadversary is able to obtain the biometric of user by amaliciousbiometric-based terminal

12 The Organization of Paper The structure of this paperis arranged as follows We brief review and cryptanalyze Aliet alrsquos scheme in Sections 2 and 3 Section 4 introduces anovel biometric-based authentication scheme formultiserverenvironment We give the security proof and informal secu-rity analysis of the proposed scheme in Sections 5 and 6Section 7 is security and performance comparison of therelevant schemes Section 8 concludes the paper In additionwe sum up the notations of this paper in Table 1

2 Review of Ali et alrsquos Scheme

Ali et alrsquos scheme consists of four phases initial phaseserver registration phase user registration phase login andauthentication phase

21 Initial Phase RC chooses its master key x Then RCselects an elliptic curve group 119864119902 and a generator 119875 of 119864119902


Table 1 Notations


















119894 =1198671(119868119863lowast119894 119875119882lowast







119894 = 1198671(119868119863119894 119909)119875 1198611015840119894 = 119864119894minus1198601015840

1198941198771015840

119894 = 119862119894 minus 1198611015840119894 1198631015840

119894 = 1198671(119868119863119894 1198771015840119894 119878119868119863119895 119864119894) and compares


Step 4 RC computes 119863119868119863119899119890119908119894 = 1198641198671(119909)(119868119863119894 119903119877119862) 119865119894 =

1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840119894 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 = 119877119877119862 +

1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) where 119903119877119862 is



(119868119863119894 11987710158401015840119894 1198672(119887119894)1015840) = 119863119878119872119895

(119865119894) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875

1198711015840119894 = 1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) and checks if


119894 119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840119877119862 1198672(119887119894)1015840119875) where 119903119878 is a



1198771015840119878 = 119876119894 minus 119877119894 11987710158401015840

119877119862 = 119870119894 minus 119861lowast119894 1198721015840

119894 = 1198671(119863119868119863119899119890119908119894 1198771015840

119878 11987710158401015840119877119862





119894 119877119878 1198771015840








Step 1 Compute 119878119872119895 = 1198671(119878119868119863119895 119909) (119868119863119894 1198771015840119894 1198672(119887119894)1015840) =119863119878119872119895

(119865119894)


119894


Step 4 Compute 119878119870 = 1198671(1198771015840119894 1198771015840

119878 1198771015840119877119862)





Step 1 A computes 119877119894119886= 119903119894119886119875 119861119894 = 1198672(119887119894)119875 119862119886 = 119877119894119886

+ 119861119894119863119886 = 1198671(119868119863119894 119877119894119886 119878119868119863119895 119864119894) where 119903119894119886 is a random


119894 = 119864119894 minus 1198671(119868119863119894 119909)1198751198771015840

119894119886= 119862119886 minus 1198611015840

119894 1198631015840119886 = 1198671(119868119863119894 1198771015840

119894119886 119878119868119863119895 119864119894) obviously

1198631015840119886=119863119886 Then RC computes 119863119868119863119899119890119908

119894 = 1198641198671(119909)(119868119863119894 119903119877119862)119865119886 = 1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840

119894119886 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 =

119877119877119862 + 1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895)



119894 119870119894 119871 119894 119865119886 119878119895computes(119868119863119894 11987710158401015840

119894119886 1198672(119887119894)1015840) = 119863119878119872119895

(119865119886) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875 1198711015840

119894 =1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) obviously 1198711015840

119894 = 119871 119894 Then119878119895 computes 119877119878 = 119903119878119875 119876119886 = 119877119878 + 11987710158401015840

119894119886119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840


119894 119876119886119872119894 119870119894 toA


1198771015840119878 = 119876119886 minus 119877119894119886

11987710158401015840119877119862 = 119870119894 minus 119861119894 119878119870 = 1198671(119877119894119886

1198771015840119878 11987710158401015840


119894119886 119877119878

1198771015840119877119862)1198851015840




putes 119877119878119886= 119903119878119886119875 119877119877119862119886

= 119903119877119862119886119875 119861119894 = 1198672(119887119894)119875 1198771015840

119894 = 119862119894 minus 119861119894119876119886 = 119877119878119886

+1198771015840119894 119870119886 = 119877119877119862119886

+119861119894119872119886 = 1198671(119863119868119863119886119894 119877119878119886

119877119877119862119886




1198771015840119878119886= 119876119886minus1198771198941198771015840

119877119862119886= 119870119886minus119861lowast

119894 1198721015840119886 = 1198671(119863119868119863119886

119894 1198771015840119878119886 1198771015840

119877119862119886



computes 119878119870 = 1198671(119877119894 1198771015840119878119886 1198771015840

119877119862119886) 119885119886 = 119878119870 sdot 119875 + 1198671(119868119863119894



sends 119885119886 toA














Step 5 Compute 119878119870 = 1198671(119877119894 119877119878 119877119877119862)






119894 119875119882lowast119894 1198672(119887119894)) check if





















119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =

1198671(119875lowast119894 ⨁1198671(119868119863lowast



119894 119877119894 = 1198731119875 119862119894 = 1198671(1198731119875119901119906119887) 119871 119894 = 119864119862119894(119868119863lowast

119894 119860lowast119894 119878119868119863119895)



119894 1198601015840119894 1198781198681198631015840

119895) = 1198631198621198941015840(119871 119894) 119860 119894 = 1198671(119909 1198681198631015840

119894 ) and





1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840


119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840


119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840



119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)









119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899






card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Table 1 Notations


















119894 =1198671(119868119863lowast119894 119875119882lowast







119894 = 1198671(119868119863119894 119909)119875 1198611015840119894 = 119864119894minus1198601015840

1198941198771015840

119894 = 119862119894 minus 1198611015840119894 1198631015840

119894 = 1198671(119868119863119894 1198771015840119894 119878119868119863119895 119864119894) and compares


Step 4 RC computes 119863119868119863119899119890119908119894 = 1198641198671(119909)(119868119863119894 119903119877119862) 119865119894 =

1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840119894 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 = 119877119877119862 +

1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) where 119903119877119862 is



(119868119863119894 11987710158401015840119894 1198672(119887119894)1015840) = 119863119878119872119895

(119865119894) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875

1198711015840119894 = 1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) and checks if


119894 119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840119877119862 1198672(119887119894)1015840119875) where 119903119878 is a



1198771015840119878 = 119876119894 minus 119877119894 11987710158401015840

119877119862 = 119870119894 minus 119861lowast119894 1198721015840

119894 = 1198671(119863119868119863119899119890119908119894 1198771015840

119878 11987710158401015840119877119862





119894 119877119878 1198771015840








Step 1 Compute 119878119872119895 = 1198671(119878119868119863119895 119909) (119868119863119894 1198771015840119894 1198672(119887119894)1015840) =119863119878119872119895

(119865119894)


119894


Step 4 Compute 119878119870 = 1198671(1198771015840119894 1198771015840

119878 1198771015840119877119862)





Step 1 A computes 119877119894119886= 119903119894119886119875 119861119894 = 1198672(119887119894)119875 119862119886 = 119877119894119886

+ 119861119894119863119886 = 1198671(119868119863119894 119877119894119886 119878119868119863119895 119864119894) where 119903119894119886 is a random


119894 = 119864119894 minus 1198671(119868119863119894 119909)1198751198771015840

119894119886= 119862119886 minus 1198611015840

119894 1198631015840119886 = 1198671(119868119863119894 1198771015840

119894119886 119878119868119863119895 119864119894) obviously

1198631015840119886=119863119886 Then RC computes 119863119868119863119899119890119908

119894 = 1198641198671(119909)(119868119863119894 119903119877119862)119865119886 = 1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840

119894119886 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 =

119877119877119862 + 1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895)



119894 119870119894 119871 119894 119865119886 119878119895computes(119868119863119894 11987710158401015840

119894119886 1198672(119887119894)1015840) = 119863119878119872119895

(119865119886) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875 1198711015840

119894 =1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) obviously 1198711015840

119894 = 119871 119894 Then119878119895 computes 119877119878 = 119903119878119875 119876119886 = 119877119878 + 11987710158401015840

119894119886119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840


119894 119876119886119872119894 119870119894 toA


1198771015840119878 = 119876119886 minus 119877119894119886

11987710158401015840119877119862 = 119870119894 minus 119861119894 119878119870 = 1198671(119877119894119886

1198771015840119878 11987710158401015840


119894119886 119877119878

1198771015840119877119862)1198851015840




putes 119877119878119886= 119903119878119886119875 119877119877119862119886

= 119903119877119862119886119875 119861119894 = 1198672(119887119894)119875 1198771015840

119894 = 119862119894 minus 119861119894119876119886 = 119877119878119886

+1198771015840119894 119870119886 = 119877119877119862119886

+119861119894119872119886 = 1198671(119863119868119863119886119894 119877119878119886

119877119877119862119886




1198771015840119878119886= 119876119886minus1198771198941198771015840

119877119862119886= 119870119886minus119861lowast

119894 1198721015840119886 = 1198671(119863119868119863119886

119894 1198771015840119878119886 1198771015840

119877119862119886



computes 119878119870 = 1198671(119877119894 1198771015840119878119886 1198771015840

119877119862119886) 119885119886 = 119878119870 sdot 119875 + 1198671(119868119863119894



sends 119885119886 toA














Step 5 Compute 119878119870 = 1198671(119877119894 119877119878 119877119877119862)






119894 119875119882lowast119894 1198672(119887119894)) check if





















119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =

1198671(119875lowast119894 ⨁1198671(119868119863lowast



119894 119877119894 = 1198731119875 119862119894 = 1198671(1198731119875119901119906119887) 119871 119894 = 119864119862119894(119868119863lowast

119894 119860lowast119894 119878119868119863119895)



119894 1198601015840119894 1198781198681198631015840

119895) = 1198631198621198941015840(119871 119894) 119860 119894 = 1198671(119909 1198681198631015840

119894 ) and





1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840


119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840


119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840



119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)









119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899






card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Step 1 A computes 119877119894119886= 119903119894119886119875 119861119894 = 1198672(119887119894)119875 119862119886 = 119877119894119886

+ 119861119894119863119886 = 1198671(119868119863119894 119877119894119886 119878119868119863119895 119864119894) where 119903119894119886 is a random


119894 = 119864119894 minus 1198671(119868119863119894 119909)1198751198771015840

119894119886= 119862119886 minus 1198611015840

119894 1198631015840119886 = 1198671(119868119863119894 1198771015840

119894119886 119878119868119863119895 119864119894) obviously

1198631015840119886=119863119886 Then RC computes 119863119868119863119899119890119908

119894 = 1198641198671(119909)(119868119863119894 119903119877119862)119865119886 = 1198641198671(119878119868119863119895119909)(119868119863119894 1198771015840

119894119886 1198672(119887119894)) 119877119877119862 = 119903119877119862119875 119870119894 =

119877119877119862 + 1198672(119887119894)119875 119871 119894 = 1198671(119877119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895)



119894 119870119894 119871 119894 119865119886 119878119895computes(119868119863119894 11987710158401015840

119894119886 1198672(119887119894)1015840) = 119863119878119872119895

(119865119886) 1198771015840119877119862 = 119870119894 minus 1198672(119887119894)1015840119875 1198711015840

119894 =1198671(1198771015840

119877119862 119863119868119863119899119890119908119894 119868119863119894 119878119868119863119895) obviously 1198711015840

119894 = 119871 119894 Then119878119895 computes 119877119878 = 119903119878119875 119876119886 = 119877119878 + 11987710158401015840

119894119886119872119894 = 1198671(119863119868119863119899119890119908

119894 119877119878 1198771015840


119894 119876119886119872119894 119870119894 toA


1198771015840119878 = 119876119886 minus 119877119894119886

11987710158401015840119877119862 = 119870119894 minus 119861119894 119878119870 = 1198671(119877119894119886

1198771015840119878 11987710158401015840


119894119886 119877119878

1198771015840119877119862)1198851015840




putes 119877119878119886= 119903119878119886119875 119877119877119862119886

= 119903119877119862119886119875 119861119894 = 1198672(119887119894)119875 1198771015840

119894 = 119862119894 minus 119861119894119876119886 = 119877119878119886

+1198771015840119894 119870119886 = 119877119877119862119886

+119861119894119872119886 = 1198671(119863119868119863119886119894 119877119878119886

119877119877119862119886




1198771015840119878119886= 119876119886minus1198771198941198771015840

119877119862119886= 119870119886minus119861lowast

119894 1198721015840119886 = 1198671(119863119868119863119886

119894 1198771015840119878119886 1198771015840

119877119862119886



computes 119878119870 = 1198671(119877119894 1198771015840119878119886 1198771015840

119877119862119886) 119885119886 = 119878119870 sdot 119875 + 1198671(119868119863119894



sends 119885119886 toA














Step 5 Compute 119878119870 = 1198671(119877119894 119877119878 119877119877119862)






119894 119875119882lowast119894 1198672(119887119894)) check if





















119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =

1198671(119875lowast119894 ⨁1198671(119868119863lowast



119894 119877119894 = 1198731119875 119862119894 = 1198671(1198731119875119901119906119887) 119871 119894 = 119864119862119894(119868119863lowast

119894 119860lowast119894 119878119868119863119895)



119894 1198601015840119894 1198781198681198631015840

119895) = 1198631198621198941015840(119871 119894) 119860 119894 = 1198671(119909 1198681198631015840

119894 ) and





1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840


119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840


119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840



119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)









119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899






card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




sends 119885119886 toA














Step 5 Compute 119878119870 = 1198671(119877119894 119877119878 119877119877119862)






119894 119875119882lowast119894 1198672(119887119894)) check if





















119894 1198672(119887lowast119894 ) 119903119894) 119881lowast119894 =

1198671(119875lowast119894 ⨁1198671(119868119863lowast



119894 119877119894 = 1198731119875 119862119894 = 1198671(1198731119875119901119906119887) 119871 119894 = 119864119862119894(119868119863lowast

119894 119860lowast119894 119878119868119863119895)



119894 1198601015840119894 1198781198681198631015840

119895) = 1198631198621198941015840(119871 119894) 119860 119894 = 1198671(119909 1198681198631015840

119894 ) and





1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840


119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840


119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840



119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)









119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899






card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






1198671(1198781198681198631015840119895 119909) 119884119894 = 1198671(1198781198681198631015840

119895 119878119872119895)119872119894 = 119864119878119872119895(1198681198631015840

119894 119877119894 119884119894 1198671(119860 119894 1198621015840


119894 1198771015840119894 1198841015840

119894 1198671(119860 119894 1198621015840

119894 )1015840) = 119863119878119872119895(119872119894) 11988410158401015840

119894 = 1198671(119878119868119863119895 119878119872119895) andchecks if11988410158401015840


119864119894 = 1198732 sdot 119877119894 119878119870 = 1198671(119864119894 1198671(119860 119894 1198621015840119894 )1015840) 119865119894 = 1198671(11986811986310158401015840



119878119870 = 1198671(1198641015840119894 1198671(119860lowast

119894 119862119894)) 1198651015840119894 = 1198671(119868119863lowast

119894 119878119870 119877119878 119878119868119863119895)









119894 = 1198671(119875lowast119894 ⨁1198671(119868119863lowast

119894 ))mod 119899






card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







card calculates 1198751015840119894 = 1198671(119875119882119899119890119908

119894 1198672(119887lowast119894 ) 119903119894) 1198611015840119894 =

119861119894⨁ 119875lowast119894 ⨁1198751015840

119894 1198811015840119894 = 1198671(1198751015840


card stores 1198611015840119894 1198811015840


5 Security Proof


511 Security Model


119894 119878119886119895 and 119877119862119886 denote them








119894






119894









119894 119911 = 1 2 3)query



119860119889V119886119896119890119875 (A) = 2Pr (1198871015840 = 119887) minus 1 (1)






119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(2)





119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119860119889V119886119896119890119875 (A) = 2 (Pr [1198780]) minus 1 (3)



= 2Pr [1198786] minus 1

+ 25

sum119894=0

(Pr [119878119894] minus Pr [119878119894+1])

(4)


Pr [1198780] minus Pr [1198781] = 0 (5)






So we have

1003816100381610038161003816Pr [1198781] minus Pr [1198782]1003816100381610038161003816 le1199022ℎ21198971+1+ 119902

2119887

21198972+1+ 119902

2120576

21198973+1+ (119902119904 + 119902119890)

2

2119901 (6)


1003816100381610038161003816Pr [1198782] minus Pr [1198783]1003816100381610038161003816 le11990211990421198971 (7)


1003816100381610038161003816Pr [1198783] minus Pr [1198784]1003816100381610038161003816 le11990211990421198971 (8)






119894 2) and Corrupt(119880119886


119894 1) and Corrupt(119880119886




121198972 ) (9)




Pr [1198786] = 12 (10)


1003816100381610038161003816Pr [1198785] minus Pr [1198786]1003816100381610038161003816 le Pr [Λ 1] (11)


Pr [Λ 1] le 119902ℎ119860119889V119864119862119863119867119875119875 (12)





119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119884lArrrArr 119876119875 ⊲ lt 119883 gt119884




119875| equiv 119883


119860119889V119886119896119890119875 (A) le

1199022ℎ + 611990211990421198971 + 119902

2119887 + 211990211990421198972 + 119902

2120576

21198973 +(119902119904 + 119902119890)2119901

+ 2119902119904119884 + 2119902ℎ119860119889V119864119862119863119867119875119875

(13)





M1 119880119894 997888rarr 119877119862lt 1198731119875119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894


M2 119877119862 997888rarr 119878119895 1198731119875119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895

M3 119878119895 997888rarr 119880119894lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)

M4 119878119895 997888rarr 119880119894 lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


S1 119877119862| equiv 119880119894


119862119894lArrrArr 119877119862)S4 119878119895| equiv 119877119862


1198671(119860119894119862119894)lArrrArr 119878119895)S7 119880119894| equiv 119880119894




(1) 119877119862 ⊲ lt 1198731119875 119880119894

119862119894lArrrArr 119877119862 gt119880119894119860119894



(2) 119877119862| equiv 119880119894| sim lt 1198731119875 119880119894


obtain


(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



(3) 119877119862| equiv 119880119894| equiv lt 1198731119875 119880119894


(4) 119877119862| equiv 119880119894


(5) 119878119895 ⊲ 1198731119875 119880119894

1198671(119860119894119862119894)lArrrArr 119878119895119878119872119895


(6) 119878119895| equiv 119877119862| sim 1198731119875 119880119894


obtain

(7) 119878119895| equiv 119877119862| equiv 1198731119875 119880119894


(8) 119878119895| equiv 119880119894


(9) 119880119894 ⊲ lt 1198731119877119878 119877119878 119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(10) 119880119894| equiv 119878119895| simlt 1198731119877119878 119877119878 119880119894


obtain

(11) 119880119894| equiv 119878119895| equiv 119880119894


(12) 119880119894| equiv 119880119894


(13) 119878119895 ⊲ lt 1198732119875119880119894

119878119870larr997888rarr 119878119895 gt1198671(119860119894119862119894)


(14) 119878119895| equiv 119880119894| simlt 1198732119875119880119894


obtain

(15) 119878119895| equiv 119880119894| equiv 119880119894


(16) 119878119895| equiv 119880119894

119878119870larr997888rarr 119878119895(Goal 4)






119894 1198601015840119894 1198781198681198631015840

119895) = 119863119862119894(119871 119894) To get 119864119894 A








119894 t119881119894



119894 = 119881119894







= 1198731119886119875 where 1198731119886





and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




and computes 119877119878119886=

1198732119886119875 119864119894 = 1198732119886






















Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Table3Re

sults


related

schemes

Securityprop

ertie

sHe[22]

Kumari[25]

Feng

[26]

Ali[27]

Our

scheme

Resisto

fflinep

assw

ordguessin

gattack

radicradic

radicradic

radicUsera

nonymity

radicradic

radicradic

radicRe

sistd

enialofservice

attack

radicradic

radictimes

radicRe

sistu

serimperson

ationattack

radicradic

radictimes

radicRe

sistserverimperson

ationattack

radictimes

radictimes

radicFo

rwardsecrecy

radicradic

radictimes

radicRe

sistk


porary

inform

ationattack

timestimes

timestimes

radicEffi

cientw

rong

passwordandbiom

etric

detection

timesradic

radicradic

radicRe

sistp

rivilegedinsid

erattack

radicradic

radictimes

radicTh

ree-factor

secrecy

radictimes

timestimes

radic




Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Kumari [25] 3119879119875 + 5119879119867 2119879119875 + 6119879119867 3119879119875 + 5119879119867 8119879119875 + 16119879119867

Feng [26] 3119879119875 + 7119879119867 2119879119875 + 10119879119867 3119879119875 + 7119879119867 8119879119875 + 24119879119867

Ali [27] 3119879119875 + 5119879119867 1119879119875 + 1119879119863 + 2119879119864 + 3119879119867 3119879119875 + 1119879119863 + 4119879119867 7119879119875 + 2119879119863 + 2119879119864 + 12119879119867

Our protocol 3119879119875 + 1119879119864 + 7119879119867 1119879119875 + 1119879119863 + 1119879119864 + 5119879119867 2119879119875 + 1119879119863 + 4119879119867 6119879119875 + 2119879119863 + 2119879119864 + 16119879119867



8000

6000

4000

2000


Runn

ing

time (

ms)

576286 576208 576312 504518 43257

6319022

7371894

84247688424704 8424512




8000 7808

4224

7000

6000

5000

4000

3000

2000

1000

0

He et al

7808

5696

3392

4224



3392 3392

21122624


Com

mun

icat

ion

over

head

(bits

)


8 Conclusions


Data Availability





Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Acknowledgments


References






































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia











RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Documents

A Provably Secure Biometrics-Based Authentication Scheme for …downloads.hindawi.com/journals/scn/2019/2838615.pdf · 2019-07-30 · ResearchArticle A Provably Secure Biometrics-Based