Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018 (2018), Article ID 8470949, 9 pages
Research Article

Attribute-Based Anonymous Handover Authentication Protocol for Wireless Networks

1State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2Physical Education College of Zhengzhou University, Zhengzhou 450044, China

Correspondence should be addressed to Guangsong Li; moc.361@kosgl

Received 8 January 2018; Accepted 27 February 2018; Published 18 April 2018

Academic Editor: Petros Nicopolitidis

Copyright © 2018 Yongbin Zeng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


Mobile wireless networks are widely used in our daily lives. Seamless handover occurs frequently and how to guarantee security and efficiency during handover procedure is a major challenge. A handover authentication protocol with nice properties can achieve goals. Protocols proposed in recent years more or less have some security vulnerability. In this paper, we outline security requirements for handover authentication protocols and then propose an anonymous protocol based on a new attribute-based signature scheme. The proposed protocol realizes conditional privacy preserving, user revocation, and session key update as well as mutual authentication and anonymity. Besides, it achieves fine-grained access control due to attributes representing real identity. What is more, experiment shows the proposed protocol has a superior performance.

1. Introduction

Nowadays, due to the wide use of mobile smart devices (e.g., PDA, smart phone pad, laptop PC, and vehicle) in our daily lives, we can enjoy Internet access services through mobile wireless networks such as mobile telecommunication networks, WLANs, and vehicular ad hoc networks. As a result, mobile wireless networks attract a lot of attention from both academia and industry [13]. Mobile nodes (MNs), access points (APs), and an authentication server (AS) are major entities in mobile wireless networks. Different types of entities have distinct features. For example, MNs have limited storage, computation, and communication capabilities; meanwhile APs have relatively formidable resources. MNs could move from one place to another one while APs have a limited geographical coverage. As a consequence, the handover occurs frequently. It needs an efficient security handover protocol when the handover occurs. An essential goal of the handover protocol is authentication. It aims to guarantee only valid MNs could access wireless networks and prevent illegal access request from adversaries. Mutual authentication is a basic requirement which a handover authentication protocol should meet. What is more, users’ privacy, such as ID information and location information, should be protected, so that anonymity is of importance in handover process. An anonymous handover authentication protocol could meet this requirement.

Regardless of the technology implementation details, a typical handover authentication scenario is indicated in Figure 1. An MN registers to AS firstly, then it could connect to an AP for accessing the network. Assume an MN, say , enters in the geography coverage of a new access point from current one , handover authentication protocol should be executed by and . If it is performed successfully, can recognize whether is a legal user. Only if is legal will accept its access request. At the same time, a session key for protecting subsequent communication should be established between and .

Figure 1: A typical scenario of handover.

To design an anonymous handover authentication protocol is a hot issue for researchers. Generally, efficiency, security, and privacy should be considered carefully. First, an anonymous handover authentication protocol should have lightweight computation cost, especially on the MN side because of its limited resources. Further, the protocol should achieve good security such as data confidentiality and integrity for openness of wireless communication. At last, an anonymous handover authentication protocol should protect users’ privacy in case of serious crime caused by the leakage of private information.

Attribute-based signature (ABS) is a type of public key signature. Different from ID-based public key signature, in attribute-based signature, each user is tagged with a set of attributions. Attributes only expose group characteristics and hide individual characteristics which can provide anonymity. Introducing ABS to handover authentication protocols is an innovative idea for it can address the anonymity issue. However, designing an attribute-based handover authentication also presents some challenges because of computation complexity of common ABS. The ABS scheme usually involves lots of pairing operation which is a type of cryptographic operation with high computation complexity. Only ABS with low computation complexity is suitable for handover authentication protocols in wireless networks.

1.1. Related Works

Protocols with cryptographic technology are very suitable for handover authentication goal. In recent years, a lot of authentication protocols [47] were proposed for access control in various networks. In particular, ID-based public key cryptography (PKC) protocols are common in the latest proposed protocols. But some proposed protocols are not satisfactory. Wang et al. [8] figured out the roots of the identified failures in existing schemes. They are inherently unable to achieve key compromise impersonation resistance for authentication protocols in which the authentication server also acts as the registration center. He et al. [9] proposed a handover authentication protocol called PairHand, which utilized ID-based PKC based on the bilinear pairing. Authors claimed PairHand had a better performance compared with previous protocols. However, He et al. [10] pointed out that PairHand had a risk of key compromise for an adversary could extract a private key from intercepted traffic. Although an improvement had been presented in [10], Yeo et al. [11] declared the new scheme also suffered from the compromised key problem. What a pity, Yeo et al. did not address this issue. Later, Tsai et al. [12] gave a security-enhanced handover authentication protocol.

Later, an efficient attack [13] was given to show the vulnerability in PairHand [9] and the authors proposed an improved protocol also based on bilinear paring. At the same time, He et al. [14] did some improvement to enhance He et al.’s protocol [9]. Note that He et al. [15] and Liu et al. [16] independently presented two efficient handover authentication protocols without involving bilinear paring and map-to-point operation.

Due to the computation complexity of bilinear pairing and map-to-point operation, to design handover authentication protocols without them is an attractive job. Some handover authentication protocols [1720] using Elliptic Curve Cryptography (ECC) could achieve the security goal with smaller key length. Li et al. [17] proposed a protocol using ECC. Meanwhile Chaudhry et al. [18] pointed out that Li et al.’s protocol suffered from impersonation attack and gave an enhanced security protocol. Xie et al. [19] also presented the vulnerability in [17] and then proposed an improved handover authentication protocol to address it. Yang et al. [20] presented a handover authentication protocol using ECC to strengthen security too.

Privacy protection requires handover authentication protocols to achieve anonymity. Some privacy-preserving protocols take advantage of pseudonyms to achieve anonymity [911, 17]. This type of method requires MNs to store a number of pseudonyms so that they can represent the true identifier to ensure privacy. Another type of method is using the group signature to provide anonymity [21]. In this way, any group member could produce a valid signature without involving private identity information. Therefore APs could verify the signature but could not determine which member did the signature. However, schemes based on the group signature usually have higher computation cost. Recently, attribute-based encryption was utilized to secure authentication [22]. However, the authors did not present concrete attribute-based encryption scheme and did not consider the high computation cost of common ABE scheme. Protocols with attribute-based encryption may not be suitable for confined devices in mobile wireless networks.

1.2. Our Contributions

To achieve security and efficiency as well as anonymity, we apply attribute-based signature to handover authentication protocols. We propose an attribute-based authentication protocol with light computation cost on the MN side. Compared with ID-based authentication protocols, attribute-based authentication protocols have a nice advantage due to their natural anonymity feature. To be specific, the major contributions of this paper are as follows.

Firstly, we propose an ABS scheme with low computation complexity and give the security proof for it. Different from other ABS schemes, our ABS scheme is lightweight so that it is fit for handover authentication protocols in wireless networks.

Secondly, we design a new handover authentication protocol based on our new lightweight ABS scheme. The new protocol meets requirements on security and efficiency. What is more, it provides anonymity inherently.

Finally, we present detailed security analysis and performance analysis of our new protocol to demonstrate that it achieves security and efficiency indeed.

1.3. Organization

The rest of the paper is organized as follows. We introduce some preliminaries used in this paper in Section 2. In Section 3, we describe our designed ABS scheme in detail and give its security proof. An attribute-based handover authentication protocol is proposed in Section 4. Security analysis and performance evaluation are given in Section 5. In Section 6, we conclude the whole paper.

2. Preliminaries

2.1. Bilinear Pairings and Computational Assumptions

Let , be cyclic groups of prime order and be a generator of . A map is a bilinear pairing if it satisfies the following properties: (1) being bilinear: , where ; (2) nondegeneracy: ; (3) computability: there is an efficient algorithm to compute for any .

It is well known that the following problems are hard for no probabilistic polynomial time algorithm can solve them.

Discrete Logarithm (DL) Problem. Given with an unknown integer , the DL problem is computing in polynomial time.

Computational Diffie-Hellman (CDH) Problem. Given , the goal of CDH problem is computing , where , are two unknown integers in .

The CDH assumption means there is no probabilistic polynomial time algorithm that can solve the CDH problem with nonnegligible probability.

2.2. Security Requirements

For wireless communication, an adversary could control the communication channel between the MN and the AP. To ensure security, handover authentication protocol should meet the following security requirements [12, 14, 15].(1)Mutual authentication: to guarantee only a legal MN and AP could communicate in the wireless network, the protocol should provide mutual confirmation of the MN’s and AP’s legitimacy.(2)Session key establishment: the MN and AP should establish a unique random session key which guarantees confidentiality and integrity of the communication session.(3)User anonymity and nontraceability: to protect the user’s privacy, except for AS, no one include the AP could extract MN’s identity or link any messages to the same user through intercepted messages.(4)Provision of user revocation: service to the MN should be terminated once it comes to the expiration time.(5)Updating session key periodically: in order to ensure strong security, when MN always accesses the Internet through the same AP, the session key needs to be updated periodically. This technique could reduce the risk due to a compromised session key.(6)Attack resistance: due to the open environment of mobile wireless networks, a handover authentication protocol should prevent common attacks such as the replay attack, the impersonation attack, and the man-in-the-middle attack.

3. A High Efficiency ABS Scheme

Different from ID-based signature scheme taking identity to generate the public key, attribute-based signature scheme utilizes attributes to produce the public key. It has a nice property that an adversary could not determine the identity according to user’s attributes. Attributes refer to some features a user may have, such as gender, job, and privilege. Let the universal set of attributes be and for each its value set be , where . A user’s attribute list is denoted as , and the access structure is denoted as , where . There are 4 algorithms in our proposed ABS scheme.

ABS.Setup. The AS takes a security parameter with universal attribute set and outputs system public parameters and master key .

ABS.KeyGen. Upon receiving a register request with an attribute list , the AS runs the algorithm to generate a secret key with input , params, and sends to the user securely.

ABS.Sign. To sign a message msg, the signer runs this algorithm with input msg, , and returns the signature .

ABS.Verify. To verify a signature, the verifier runs the algorithm with msg, , and and outputs “reject” or “accept” according to the validity of the signature.

3.1. Security Model

Similar to security against existential forgery on adaptively chosen message attacks, we define the security model through a game between a challenger and an attacker . The game is defined below.

Setup. The challenger runs the ABS.Setup algorithm and outputs params and . The challenger keeps secret and sends params to .

Query. makes a series of queries to adaptively, and responses in the following way.

(i) Key Query. Attacker issues this query to acquire private key related to attribute list . runs ABS.KeyGen algorithm with input and sends the output to .

(ii) Signing Query. When issues a signing query with a message msg, access structure , runs ABS.Sign algorithm and returns a signature to .

Forgery. outputs a tuple .

If the following conditions hold, an attack is successful:

(1) .

(2) does not issue the key query on .

(3) does not issue the signing query on .

The probability of a successful attack is defined as ’s advantage .

Definition 1. An attribute-based signature is existentially unforgeable against adaptive chosen message if there is no probabilistic polynomial time adversary that has a nonnegligible advantage in the game.

3.2. Construction

. The AS chooses two cyclic groups , of prime order with a bilinear map , random numbers , , , where is a generator of and sets the value , . Then AS randomly selects , , a k-length vector with elements chosen at random from , and a k-length vector with elements chosen at random from . So the public parameters set iswhere is a generator of and is a secure hash function . The master private key is .

ABS.KeyGen(L, params). A user sends its attribute list and identity information ID to register at the AS. The AS computes a k-bit string . Let denote the th bit of and be a subset of , where . Then the AS randomly chooses a number and computes , , . Note that if , the AS selects a new . Finally, the AS sends the generated private key to the user. For security, the user can verify whether the following equation holds:

ABS.Sign(msg,W, skL). If the user’s attribute list satisfies the access structure, a message msg is signed by the user with its private key as follows. The user computes a k-bit string . let denote the th bits of and be a subset of , where . Then the signer selects random numbers , , and computeswhere . So the signature of msg is .

ABS.Verify(msg, W, σ). The verifier computes a k-bit string . Let denote the th bit of and be a subset of , where . Then verifier computes and checks whether the following equation holds: If it holds, the verifier outputs “accept”; namely, the signature is valid. Otherwise, the verifier outputs “reject”; namely, the signature is illegal.

3.3. Security Analysis

We analyze the security of above proposed ABS scheme according to the security model defined in Section 3.1.

Lemma 2. If there is an adversary that makes at most , queries for key query and signing query, respectively, and breaks the proposed signature scheme with nonnegligible probability , then there exists a challenger that can solve the CDH problem with advantage

Proof. Suppose is an adversary that wins the attack game with advantage . We construct an algorithm to act as a challenger for the adversary. Suppose is given a CDH instance , where is a generator of a cyclic group of order and does not know , . In order to compute , the simulation communication is as follows.
Setup. Let , , and randomly selects , , . And for given , ensures , . Then randomly chooses numbers , , and k-length vectors , , , where , , . 3 functions are defined as follows:Finally calculates system parameters as follows:soQuery. Algorithm acts as a challenger to communicate with an adversary as follows.
(i) Key Query. On receiving a key query on attribute list , could generate related private key if , although does not know the master key. randomly selects and calculates where . Then sends to and could verify it. For an attacker, the above private key and the one generated by a true challenger are undistinguishable, becausewhereIf , will abort.
In order to calculate probability simply, we set as the condition of generating valid private key. This is reasonable because indicates , due to , .
Signing Query. When issues a signing query on , if , chooses randomly and calculates Sends to , and could verify the validity of the signature. Of course, for attacker , the signature generated by is undistinguishable from the one generated by a true challenger.
If , will abort. Similar to key query, we set as the condition of generating a valid signature.
Forgery. Finally, if does not abort during above queries, the adversary outputs a forgery on message , access structure with a probability . Here we assume ,  ,  , and does not issue a signing query on and key query on which satisfies . If or , will abort. If and , computes and outputswhich is the solution to the given CDH problem.
We analyze the probability of outputting the solution to CDH problem, namely, not aborting. For the case without aborting, we require that all key queries will have , and all signing queries will have and that and in forgery.
For convenience, we will define the events as follows: : ,  with ;: ;: ,  with ;: .So the probability of not aborting is We have Due to , we haveSimilarly, we have , so that the probability of not aborting is In general, if simulation does not abort and an attacker breaks the proposed signature scheme with nonnegligible probability , then could give a solution to CDH problem with the probability , where

So we have the following theorem.

Theorem 3. The proposed attribute-based signature scheme is existence unforgeable against adaptive chosen message and attribute list attack under CDH assumption.

4. The Proposed Handover Authentication Protocol

Based on our designed signature scheme, we propose a new handover authentication protocol. We consider that each AP has a signing/verification key pair of a common digital signature scheme ECDSA [23]. To guarantee revocation check, we make some extension of the algorithm in Section 3. The AS also generates extra revocation information for the user. For interval index , the revocation information of the user is , where is a random number selected for the user by AS and is a keyed hash chain.

In the following, we describe the protocol in detail. Assume the handover authentication protocol is carried out between and . According to the signature algorithm, acquires its private key and revocation information for each . The protocol is illustrated in Figure 2. And the notations used to describe the protocol are listed as follows.(i): specified access structure(ii): timestamp(iii): identity of (iv): revocation information with time interval index for (v): attribute list owned by MN(vi): MN’s secret private key on attribute list (vii),  : random numbers in (viii),  : digital signature of and , respectively(ix): session key.

Figure 2: Handover authentication procedure.

   could obtain the access structure from the beacon message from . If its attribute list satisfies the access structure, then firstly selects a random number and generates , where . And then it sends to . Here a timestamp is added for revocation check and replay attack prevention.

After receiving the signature message from , checks the time to prevent replay attack and executes the revocation check (the details in Revocation). If it passes the above check, then verifies the signature. If the signature is invalid, rejects it; otherwise, selects a random number and computes , where . Then sends back to . Finally, computes the session key and erases the random number from its memory.

Upon receiving , verifies according to . If the algorithm returns 1, generates the session key and erases the random number from its memory. After that, generates and then sends it to . Here refers to using a symmetric key to encrypt a message . After receiving the encrypted message, decrypts and verifies it with . If the message is valid, believes that they have established a session key ; otherwise, it rejects the access request.

Session Key Update. When is always connecting to the same AP, assume their current session key is . They establish a new session key as follows.    chooses a random number , computes , and sends to the AP. Upon receipt of , the AP uses current to compute a verification code and compares it with . If does not match , the AP rejects session key update; otherwise, the AP concludes that the message is from . Then the AP randomly picks , computesand erases from its memory. Finally, AP transmits to . Upon receiving the message from the AP, computes , generates a verification code , and compares it with . If matches , erases from its memory and believes that they have established a new session key ; otherwise, rejects session key update.

Revocation. The detailed revocation check is described as follows. The AS generates a revocation list which consists of revocation information corresponding to and transmits it to every AP along with secret key corresponding to the revoked user. This can prevent the revoked user access to the network. Upon acquiring , each AP updates as follows: for any , . Then AP stores both and in its database. During the handover authentication procedure, upon receipt of , the AP parses the revocation information and checks whether it is in the revocation list . If is in , the user is revoked. As a result, the handover request is rejected. Otherwise, the protocol performs next steps sequentially.

5. Security Analysis and Performance Evaluation

5.1. Security Analysis

We present the security analysis of the proposed protocol to check whether it achieves the security goal mentioned in Section 2.

Mutual Authentication. On one hand, AP authentication is ensured by the challenge-response pair . Due to the security of digital signature, only that has can generate a valid signature on a fresh challenge from . If the signature passes the verification , it will demonstrate the AP is a trusted valid entity. On the other hand, the designed ABS scheme provides user authentication. Only the user that has the right key on right attribute list (satisfying the access structure) could generate the valid signature. In other words, a malicious node could neither impersonate a valid node nor pass the authentication. Therefore, the proposed protocol achieves mutual authentication.

Key Establishment. As described in protocol, and , respectively, use and to complete DH key establishment. On one hand, figures out . On the other hand, figures out . Obviously, . As a result, both compute the session key . Besides, any adversary could not calculate the secret session key due to the CDH problem.

User Anonymity and Nontraceability. Due to the outstanding property of attribute-based signature, the identity information is not contained in the transmitted message in the whole handover authentication procedure. So except for the AS, nobody could tell the identity of the user including the AP. In addition, the request message msg does not contain any specific privacy information of the MN except for the revocation information . Since is a secure hash value, an adversary could not parse the identity of a user or trace the user. So user anonymity and nontraceability are guaranteed.

User Revocation. Once the revocation hash value of exists in the revocation list with , it will exist in the database in the future due to update technique of the AP. If exists in , it means is revoked since the time , and as a result the authentication fails.

Updating Session Key Periodically. As described in session key update phase, the MN and AP could establish a new session key successfully according to the current session key. In detail, The MN and AP leverage a new Diffie-Hellman key establishment procedure to generate a new session key. This is based on the hard DL problem and CDH problem. Once a new session key is established, the previous one is destroyed securely, so that adversaries could not reveal the new session key.

Besides, the protocol could prevent replay attack due to timestamp. It is important that only the AS could find the real identity of a user according to since is selected for by the AS. So the protocol achieves conditional privacy preservation too.

For convenience, we let P1, P2, P3, P4, P5, and P6 denote mutual authentication, user anonymity with nontraceability, session key update, conditional privacy preserving, session key establishment, and user revocation, respectively. Security comparisons between our protocol and 3 other protocols are presented in Table 1. In general, our protocol meets all the security requirements in the table while the other 3 protocols more or less have some security vulnerability. All protocols could guarantee session key establishment but only ours adds the session key update technique. Except for our protocol, the other 3 protocols do not meet the requirements of conditional privacy preserving and user revocation. Moreover, they neither achieve user anonymity nor achieve nontraceability, so that our protocol has an obvious advantage of security.

Table 1: Security comparisons of four protocols.

Note that our protocol has a nice exclusive property that it can achieve fine-grained access control due to the attribute-based cryptography. For example, the AP can provide better service for specific users by indicating a required access structure, so that only the user with right attribute list can enjoy the service.

5.2. Performance Evaluation

Although signal transmission also affects handover delay, in view of high speed rate of WLAN and only 3 interaction messages involved in our proposed protocol, we only discuss the authentication latency determined by the time of computation cost. We compare the computation cost of our protocol with that of some other protocols. For more reasonable simulation, we cross-compile the Pair-Based Cryptography (PBC) Library (version pbc-0.5.14) so that related cryptographic operations could be performed on mobile devices. We let a smart phone (HUAWEI honor 5C) and a personal computer (Acer) act as a MN and an AP, respectively, and select the type A pairing in PBC library as the bilinear pairing. Device information is listed in Table 2 and Table 3 presents time consumption of different operations on MN and AP. Note that we ignore the light cryptographic operations such as general hash operations. But one type of hash operation, called map-to-point (denoted as MTP in Table 3) hash operation, is not a lightweight cryptographic operation. To some extent, its time consumption can be compared with the pairing operation. Table 4 gives the performance comparison between our protocol and related works, where the time data in parentheses is calculated on the basis of data in Table 3.

Table 2: Device configurations.
Table 3: Time consumption of different operations (in ms).
Table 4: Evaluation of computation cost (in ms).

As presented, our protocol does not have much computation cost which means it is feasible. There is no heavy cryptographic operation, such as pairing and map-to-point operation, on the MN side. Our protocol has lower computation cost on both the MN side and AP side.

6. Conclusions and Future works

In this paper, we summarize the security requirements a handover authentication protocol should meet. After reviewing previous ID-based protocols in recent years, we point out that they have some vulnerability to some extent. We design an ABS scheme based on which we present an anonymous handover authentication protocol. Security analysis demonstrates our proposed protocol meets various security requirements, especially inherent anonymity with attribute-based cryptography. What is more, concrete experiments on a smart phone and a personal computer show that our proposed protocol is practical in mobile wireless networks.

Our proposed protocol achieves user revocation property. Besides, attribute revocation could provide more flexible access control. If an attribute is revoked, the secret key corresponding to it is no longer valid. What a pity, to achieve attribute revocation, computation cost will be high. The new protocol does not involve this property. Therefore, our work focus is to achieve attribute revocation with light computation cost. Note that access structure in our proposed protocol is as simple as a single AND gate. It is also our future work to introduce more complex access structure into authentication protocols in order to realize more fine-grained access control.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of the paper.


This work is supported by National Key Research Program of China (2016YFB0800101, 2016YF0800100) and Innovative Research Groups of the National Natural Science Foundation of China (Grant no. 61521003).


  1. X. Duan and X. Wang, “Authentication handover and privacy protection in 5G hetnets using software-defined networking,” IEEE Communications Magazine, vol. 53, no. 4, pp. 28–35, 2015. View at Publisher · View at Google Scholar
  2. A. Fu, G. Zhang, Y. Yu, and Z. Zhu, “A privacy preserving vertical handover authentication scheme for WiMAX-WiFi networks,” KSII Transactions on Internet and Information Systems, vol. 8, no. 9, pp. 3250–3265, 2014. View at Publisher · View at Google Scholar · View at Scopus
  3. A. Kumar and H. Om, “A Secure Seamless Handover Authentication Technique for Wireless LAN,” in Proceedings of the 14th International Conference on Information Technology, ICIT 2015, pp. 43–47, India, December 2015. View at Publisher · View at Google Scholar · View at Scopus
  4. Q. Jiang, Z. Chen, B. Li, J. Shen, L. Yang, and J. Ma, “Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems,” Journal of Ambient Intelligence and Humanized Computing. View at Publisher · View at Google Scholar
  5. Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017. View at Publisher · View at Google Scholar
  6. D. Wang and P. Wang, “Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound,” IEEE Transactions on Dependable and Secure Computing, pp. 1–1. View at Publisher · View at Google Scholar
  7. D. He, S. Zeadally, N. Kumar, and J.-H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Systems Journal, 2016. View at Publisher · View at Google Scholar · View at Scopus
  8. D. Wang, H. Cheng, D. He, and P. Wang, “On the Challenges in Designing Identity-Based Privacy-Preserving Authentication Schemes for Mobile Devices,” IEEE Systems Journal, pp. 1–10. View at Publisher · View at Google Scholar
  9. D. He, C. Chen, S. Chan, and J. Bu, “Secure and efficient handover authentication based on bilinear pairing functions,” IEEE Transactions on Wireless Communications, vol. 11, no. 1, pp. 48–53, 2012. View at Publisher · View at Google Scholar · View at Scopus
  10. D. He, C. Chen, S. Chan, and J. Bu, “Analysis and improvement of a secure and efficient handover authentication for wireless networks,” IEEE Communications Letters, vol. 16, no. 8, pp. 1270–1273, 2012. View at Publisher · View at Google Scholar · View at Scopus
  11. S. L. Yeo, W.-S. Yap, J. K. Liu, and M. Henricksen, “Comments on analysis and improvement of a secure and efficient handover authentication based on bilinear pairing functions,” IEEE Communications Letters, vol. 17, no. 8, pp. 1521–1523, 2013. View at Publisher · View at Google Scholar · View at Scopus
  12. J.-L. Tsai, N.-W. Lo, and T.-C. Wu, “Secure handover authentication protocol based on bilinear pairings,” Wireless Personal Communications, vol. 73, no. 3, pp. 1037–1047, 2013. View at Publisher · View at Google Scholar · View at Scopus
  13. W. Wang and L. Hu, “A secure and effcient handover authentication protocol for wireless networks,” Sensors, vol. 14, no. 7, pp. 11379–11394, 2014. View at Publisher · View at Google Scholar · View at Scopus
  14. D. He, M. K. Khan, and N. Kumar, “A new handover authentication protocol based on bilinear pairing functions for wireless networks,” International Journal of Ad Hoc & Ubiquitous Computing, vol. 18, 2015. View at Google Scholar
  15. D. He, D. Wang, Q. Xie, and K. Chen, “Anonymous handover authentication protocol for mobile wireless networks with conditional privacy preservation,” Science China Information Sciences, vol. 60, no. 5, Article ID 052104, 2017. View at Publisher · View at Google Scholar · View at Scopus
  16. L. Liu, H. Quan, X. Liu, and Y. Zhang, “Lightweight handover authentication with location privacy-preserving in mobile wireless networks,” International Journal of Embedded Systems, vol. 7, no. 3-4, pp. 280–288, 2015. View at Publisher · View at Google Scholar · View at Scopus
  17. G. Li, Q. Jiang, F. Wei, and C. Ma, “A New Privacy-Aware Handover Authentication Scheme for Wireless Networks,” Wireless Personal Communications, vol. 80, no. 2, pp. 581–589, 2014. View at Publisher · View at Google Scholar · View at Scopus
  18. S. A. Chaudhry, M. S. Farash, H. Naqvi, S. H. Islam, and T. Shon, “A Robust and Efficient Privacy Aware Handover Authentication Scheme for Wireless Networks,” Wireless Personal Communications, vol. 93, no. 2, pp. 311–335, 2017. View at Publisher · View at Google Scholar · View at Scopus
  19. Y. Xie, L. Wu, N. Kumar, and J. Shen, “Analysis and Improvement of a Privacy-Aware Handover Authentication Scheme for Wireless Network,” Wireless Personal Communications, vol. 93, no. 2, pp. 523–541, 2017. View at Publisher · View at Google Scholar · View at Scopus
  20. X. Yang, X. Huang, and J. K. Liu, “Efficient handover authentication with user anonymity and untraceability for Mobile Cloud Computing,” Future Generation Computer Systems, vol. 62, pp. 190–195, 2016. View at Publisher · View at Google Scholar · View at Scopus
  21. D. He, J. Bu, S. Chan, C. Chen, and M. Yin, “Privacy-preserving universal authentication protocol for wireless communications,” IEEE Transactions on Wireless Communications, vol. 10, no. 2, pp. 431–436, 2011. View at Publisher · View at Google Scholar · View at Scopus
  22. H. Kwon, D. Kim, C. Hahn, and J. Hur, “Secure authentication using ciphertext policy attribute-based encryption in mobile multi-hop networks,” Multimedia Tools and Applications, vol. 76, no. 19, pp. 19507–19521, 2017. View at Publisher · View at Google Scholar · View at Scopus
  23. X. Ansi, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.