Research Article  Open Access
An Efficient and Provably Secure Anonymous User Authentication and Key Agreement for Mobile Cloud Computing
Abstract
Nowadays, due to the rapid development and wide deployment of handheld mobile devices, the mobile users begin to save their resources, access services, and run applications that are stored, deployed, and implemented in cloud computing which has huge storage space and massive computing capability with their mobile devices. However, the wireless channel is insecure and vulnerable to various attacks that pose a great threat to the transmission of sensitive data. Thus, the security mechanism of how the mobile devices and remote cloud server authenticate each other to create a secure session in mobile cloud computing environment has aroused the interest of researchers. In this paper, we propose an efficient and provably secure anonymous twofactor user authentication protocol for the mobile cloud computing environment. The proposed scheme not only provides mutual authentication between mobile devices and cloud computing but also fulfills the known security evaluation criteria. Moreover, utilization of ECC in our scheme reduces the computing cost for mobile devices that are computation capability limited and battery energy limited. In addition, the formal security proof is given to show that the proposed scheme is secure under random oracle model. Security analysis and performance comparisons indicate that the proposed scheme has reasonable computation cost and communication overhead at the mobile client side as well as the server side and is more efficient and more secure than the related competitive works.
1. Introduction
Mobile cloud computing (MCC) is introduced as services of cloud computing, which is offered in mobile devices such as smart phones and tablets environment [1]. In MCC, mobile users can access resources, applications, and running results stored in the cloud and can deploy and implement a variety of services through cloud computing, enabling mobile devices to increase computing power and to increase storage capacity and contextual awareness. According to Mordor Intelligence’s research, in 2023 the MCC market will generate revenues of $94.75 billion (online, 2018) [2]. However, wireless channels supporting communication between mobile devices and the cloud service providers are insecure and are vulnerable to many kinds of attacks like impersonation attack, replay attack, and interception (see Figure 1). Additionally, when the mobile devices access cloud computing services, seamless connectivity will be required while roaming across the heterogeneous network, but their security policies vary greatly which leads to inefficiency. In addition, mobile devices have relatively limited computation capability and energy as compared with traditional computers or laptops. Therefore, a secure and efficient authentication mechanism between the mobile devices and the cloud service provider to ensure the legitimacy of each other is indispensable in preventing illegal access and withstanding potential attacks through wireless channels by the adversary.
According to the comments above, two primary issues should be considered in designing a remote user authentication scheme for mobile devices in MCC:(1)Security. Since the authentication request and the relevant messages are transmitted over public channel, the roaming authentication mechanism verifies the identity legitimacy of mobile devices while withstanding the wellknown attacks launched by the adversary so as to ensure that the private data such as the identity and the geographical location are not leaked and tracked.(2)Efficiency. Efficiency should be taken intensively into account for the mobile devices. As mentioned above, mobile devices are constrained by computation capability and energy, and the authentication process passes through the heterogeneous network, which means latency and packet loss.
Therefore, improving security and reducing computation cost and communication overhead are very important for developing a practical authenticated scheme.
1.1. Related Works
Authentication protocols play an important role in preventing any unauthorized access from an adversary or malicious user for netbased services. Most of the traditional authentication protocols are based on public key cryptography like RSA. However, RSA cryptosystems heavily consume computation resources and have a lengthy key size making the traditional authentication schemes inefficient in mobile devices that are resource constrained. Elliptic curve cryptography (ECC) [3, 4], compared with the other public key cryptography, such as RSA, provides the same security level in RSA with smaller keys and faster computation; e.g., a 160bit ECC based public key can provide the security level of a 1024bit RSA based public key and a 256bit ECC based public key has the same security level as a 3072bit RSA public key [5]. Therefore, the authentication schemes based on ECC are more beneficial for mobile devices than other cryptosystems.
To access the resource at the remote server, the most convenient and simplest mechanism is the passwordonly authentication schemes [6–10]. If the user wants to login to the remote server, he must submit his identity and password to the server. Upon receiving the login request, the server checks whether the submitted identity and password are equal to the identity and password stored in the table. If the user’s identity and password match the corresponding pair of the table, the user passes authentication of the remote server and is authorized to access the system. To achieve higher security, the password is salted with a hash function in the login request. In general, these schemes only use the single factor of password to secure the security of the system, which is prone to suffer from online or offline password guessing attack [11, 12].
To overcome this issue and further improve the system security, Das firstly proposed a twofactor authentication scheme in 2009 [13], i.e., using password and smartcard, which provides greater flexibility for authentication and inspired many subsequent relevant works [14–17]. Das claimed that his scheme has the advantage of employing simple hash function, requiring less communication cost, and is secure against known attacks. Unfortunately, many researchers [14–16, 18, 19] examined Das’s scheme and identified several security weaknesses (such as insider attack, impersonation attack, and offline password guessing attack) and then put forward many improved versions.
In 2014, IslamBiswas [20] put forward a twofactor authentication scheme on ECC for cloud computing, and claimed that their protocol is not only efficient but also secure enough to fulfill the security requirements of many authentication scenarios. However, SarvabhatlaVorugunti [21] found that IslamBiswas's scheme [20] fails to resist replay attack and is defenseless to impersonation attack, and they then they proposed an enhanced twofactor authenticated scheme to thwart the security weakness. However, extensive use of scalar multiplication made their work inefficient. QuTan [22] presented a new twofactor user authentication and key agreement scheme on ECC to overcome some security weaknesses such as smartcard loss attack in the previous schemes. However, Huang et al. [23] analyzed QuTan’s scheme [22] and pointed out that their scheme was unable to withstand impersonation attack, and a new enhanced key agreement for authentication was introduced by Huang et al. to mitigate the chances of security weakness. Unfortunately, Chaudhry et al. [24] found that Huang et al.’s scheme [23] was subjected to impersonation attack and has correctness issues. They introduced an improved twofactor authentication scheme over Huang et al.’s protocol [25] and claimed their scheme can resolve all the correctness issues in the previous one. However, we found that Chaudhry et al.’s scheme [24] is vulnerable to smartcard loss attack.
Independently, FarashAttari [26] proposed an authenticated protocol to protect data transmission on ECC for mobile clientserver networks. Chaudhry et al. [27] proposed an improved smartcard based authenticated protocol for telecare medical information. Xie et al. [28] extended the security model of authentication and presented a dynamic IDbased twofactor authenticated scheme to achieve user anonymity and overcome smartcard loss attack. Lu et al. [29] proposed an anonymous twofactor authentication scheme to eliminate the security weaknesses in the previous schemes for session initiation. Chang et al. [25] proposed an enhanced scheme for IoT and cloud server to fix the security issue of inability to provide mutual authentication and the mistiness of the session key, and retains the merits of the previous one. Kumari et al. [30] also proposed an improved authenticated scheme using ECC for IoT and cloud server and claimed their proposal is resistant to known attacks. The common feature of these schemes is that they support twofactor authentication and make use of ECC to enhance security. Unfortunately, most of these twofactor authentication schemes and the similar kinds were pointed out that they cannot achieve truly twofactor security since they are vulnerable to smartcard lost attack.
In recent years, there are some other ECC based authentication protocols that were proposed for mobile devices [31–35]. Yet, there is a common issue in these schemes; that is, the authentication process between mobile devices and the remote server must be done with the help of the third party, which makes their communication overhead substantially higher.
In summary, according to the analysis above, most of the existing authentication schemes ultimately turn out to have defects as follows:(1)High computation cost and high communication overhead result in the impracticality of their scheme.(2)Not being able to preserve the user privacy leads to the tracking of sensitive information such as identity and location by the adversary.(3)The security properties of their schemes are evaluated by using their own evaluation criteria, rather than the wellknown thirdparty evaluation criteria.
1.2. Our Contributions
Considering the comments above, a desirable remote authentication scheme for mobile cloud computing services should ensure efficiency while providing appropriate security. In this paper, we present a secure and efficient anonymous twofactor authentication and key agreement scheme for MCC by employing IDbased ECC with pairingfree. The contributions of the proposed scheme are summarized as follows:(1)Privacypreserving. Preserving user anonymity and providing untraceability are the strong demand of the mobile client, and our protocol fulfills these security requirements.(2)Not requiring the additional third party. In our scheme, the participants, except for the mobile client and the cloud server, and the authentication process do not involve the trusted third party like the home agent.(3)Strong security and efficiency. The proposed scheme employs “fuzzy verifier” technique to resist offline dictionary attack and fulfills the security evaluation metrics; meanwhile, the performance comparison with the related twofactor schemes shows that our scheme has a better tradeoff between the security requirements and the performance.
1.3. Security Evaluation Criteria
In order to evaluate the security properties of our scheme more fairly, we will adopt the widely accepted evaluation criteria as the thirdparty security evaluation criteria. We brief the security evaluation criteria as follows.
C1: No password verifiertable. The server should not maintain a table to store the password of user. C2: Password friendly. The scheme should provide a mechanism for the user to the change password locally. C3: No password exposure. The privileged insider cannot derive the user password. C4: No smart card loss attack. If the user’s smart card is lost or stolen and obtained by the attacker, the attacker cannot reveal the identity and password of the user. C5: Resistance to known attacks. The scheme should be secure against basic/sophisticated attacks, such as offline password guessing attack, impersonation attack, and replay attack. C6: Sound repairability. The scheme should provide a smartcard revocation mechanism. C7: Provision of key agreement. The client and the server should generate a shared session key between them. C8: No clock synchronization. The scheme should be prevented from clock synchronization and timedelay problem. C9: Timely typo detection. The scheme can detect the wrong password of the user. C10: Mutual authentication. The client and the server should authenticate each other. C11: User anonymity. The scheme should prevent the identity of the user from being known or tracked by the attacker. C12: Forward secrecy. The scheme should provide the perfect forward secrecy.
1.4. Organization of This Paper
The rest of the paper is organized as follows. Some preliminaries are given in Section 2. Section 3 presents our twofactor authentication scheme for MCC and the security analysis of the proposed scheme is given in Section 4. The performance comparisons are discussed in Section 5. We concluded this paper in Section 6.
2. Preliminaries
2.1. Notations
Some notations used in this paper are introduced as follows: MC_{i}: the ith mobile client; CS: the cloud server; ID_{i}: MC_{i}'s identity; PW_{i}: MC_{i}'s password; ID_{S}: the CS's identity; p, q: two large prime numbers; : a finite field with p; : an elliptic curve defined on finite field with order q; G: a cyclic additive group with order q; P: the generator of G; : ; s: the private key of CS; K_{pub}: the system public key; SCN_{i}: the smartcard number; h(·): →, the collisionfree oneway hash function.
2.2. Elliptic Curve Cryptosystem (ECC)
Let be the prime field and denotes an elliptic curve over a finite , defined by an equation mod p = ( + ax + b) mod p, a, b∈ with (4a^{3} + 27b^{2}) mod p ≠ 0. The point on / together with an extra point is called the point as “point at infinity.” The additive elliptic curve group is defined as G=(x, y): x, y∈ and (x, y) ∈(a, b) and we call the point O “point at infinity.” Let P,Q∈G, l be the line containing and Q (tangent line to if P=Q) and the third point R intersecting with /. Let be the line connecting and . Then P ‘+' Q is the point such that intersects / at and and P ‘+' Q. The scalar multiplication on / can be computed as kP=P+P+…+P (k times).
More details of the ECC definition can be found in [3].
2.3. Computational Problem
We review the following mathematical problems on elliptic curves in order to prove the security of our proposed protocol:
Elliptic Curve Discrete Logarithm (ECDL) Problem: Given Q, P∈G, finding an integer such that Q=aP∈G is hard.
Computational DiffieHellman (CDH) Problem: Given (P, aP, bP) for any a, , finding abP∈G is hard.
Elliptic Curve Factorization (ECF) Problem: Given (P, Q)∈G, where Q = rP + tP and r, and computation of rP and tP is impossible.
2.4. Adversary Model
Understanding the adversary capabilities is extremely important for designing a truly secure protocol. In this section, we conclude the adversary model used in this paper based on [35] as follows:(1)An attacker may control the insecure channel between the related parties. That is to say, the attacker can intercept, eavesdrop, replay, modify, delete, or insert messages over the public channel.(2)An attacker can extract the secret data stored in the smartcard by sidechannel attack [36, 37] or differential power attack[38].(3)An attacker can learn the identity of the user as far as the attacks and security properties are concerned.(4)An attacker can enumerate offline all the pairs in Cartesian product x in polynomial time, where and denote identity space and password space, respectively.(5)An attacker cannot successfully guess the random number and the secret key chosen by the communication parties within polynomial time, since they are adequately large.(6)An attacker can learn the public parameter of system like (a,b), P, K_{pub}.
3. Proposed Scheme
In this section, we shall describe the details of our anonymous twofactor user authentication scheme for MCC. The proposed scheme consists of three phases: system setup, registration, and authentication.
3.1. System Setup
The purpose of this phase is to generate the initial parameters for the future user registration and authentication. The working process is as follows and the notations are as defined above:(1)Choose an elliptic curve over a prime field ;(2)Select the master key and set =sP as the public key;(3)Publish system parameters= , /, p, P, , G, h().(4)Select an integer 2^{4},2^{8} as the parameter of fuzzy verifier.
3.2. Registration
In this phase, MC_{i} with identity ID_{i} wants to register to the cloud server CS and CS generates registration information and delivers them to MC_{i}. The messages to be exchanged in this phase are illustrated as follows: MC_{i} CS: ID_{i}, RPW_{i}, where RPW_{i}=h(PW_{i}) ( is a random number). CS MC_{i}: a smartcard containing , ID_{s}, h(·), P, K_{pub}, m, where = h(h(ID_{i}SCN_{i}) mod m)⊕RPW_{i} ( is MC_{i}’s registration time, is a random number). Furthermore, CS stores (ID_{i},,SCN_{i}) into a table. MC_{i} computes h(ID_{i}RPW_{i}) mod m and stores into the smartcard.
The detail of this phase is shown in Figure 2.
3.3. Authentication
In this phase, mutual authentication between MC_{i} and CS shall be accomplished. Meanwhile, the session key shared between them is generated. MC_{i} and CS perform the following steps:(1)MC_{i} CS: PID_{i}, , . MC_{i} keys his/her ID_{i} and PW_{i}, the smartcard computes RP=h(PW_{i}), = ⊕(h(ID_{i}RPW_{i}) mod m). If = , the card accepts MC_{i}, selects a random number , and computes =r_{m}P,=r_{m}, , ⊕RPW_{i}, PID_{i}=(ID_{i})⊕h(), and =h(ID_{i}PID_{i}). Finally, MC_{i} sends PID_{i}, , as a login request to CS via a public channel. Otherwise, it aborts this session.(2)CS MC_{i}: Y, . CS first computes =sX_{1}, X_{3}’=+X_{2}’, (ID_{i}’M_{1}’) = PID_{i}⊕h(), and M_{2}’ = h(ID_{i}’X_{2}’PID_{i}) and then checks whether M_{2}’ = holds or not. If not, CS terminates this session. Otherwise, MC_{i} is authenticated, and CS finds (,SCN_{i}) via ID_{i}’, computes =h(ID_{i}’SCN_{i}) mod , and verifies the condition M_{1}’ ?= . If it is false, CS aborts this session. Otherwise, CS selects a random number and computes Y=r_{s}P, =r_{s}X_{1}, S = h(ID_{i}’ID_{S} Y ), and = h(ID_{i}’ID_{S} Y ) and sends Y, to MC_{i}.(3)MC_{i} CS: M_{4}. MC_{i} computes K_{m}=r_{m}Y, M_{3}’= h(ID_{i}ID_{S} X_{1}X_{2}K_{m}), and MC_{i} will abort this session if M_{3}’ ≠ M_{3}; otherwise, MC_{i} computes S = h(ID_{i}ID_{S} X_{2}K_{m}) and M_{4}= h(ID_{i}ID_{S} X_{2}K_{m}) and forwards M_{4} to CS.(4)CS computes M_{4}’= h(ID_{i}ID_{S}), and it exits the session if M_{4}’ ≠ . Otherwise, it accepts S(=S) as the shared session key with MC_{i}.
This authentication phase is summarized in Figure 3.
3.4. Password Update
When the password of MC_{i} is leaked out, our proposed scheme can change the password flexibly. MC_{i} performs the following steps to change the password:
MC_{i} inserts the smartcard and keys ID_{i}, PW_{i}.
The card computes RP’=h(PW_{i}), ’=⊕(h(ID_{i}RPW_{i}) mod m) and checks whether ’= holds. If not, the card rejects MC_{i}'s request. Otherwise, the card asks the user to input a new password P.
The card computes RP=h(r_{i}), = D_{1}⊕RPW_{i}’⊕RP, and =r_{i}⊕(h(ID_{i}RP) mod m) and replaces (D_{1}, D_{2}) with (, ).
3.5. Smartcard Revocation
If MC_{i}'s smartcard is breached, to protect the card from being abused, MC_{i} can revoke the card as follows:
MC_{i} performs step in Section 3.3 to get authenticated by the card.
MC_{i} CS: PID_{i}, , , revoke_request. As shown in Section 3.3, the card computes PID_{i}, , and and sends PID_{i}, , , revoke_request to CS.
Upon receipt of revocation request from MC_{i}, CS first validates the legitimacy of MC_{i}. If it is true, CS sets , , and SCN_{i} as null. Thus, the card is revoked so that the card can no longer be used to login to the system unless MC_{i} registers again. Otherwise, CS rejects this revocation request.
4. Security Analysis
In this section, we provide an informal security analysis of the proposed scheme on satisfying the security evaluation criteria of twofactor authenticated protocol, and a formal security analysis to demonstrate that our scheme is secure under random oracle model [39].
4.1. Informal Security Analysis
4.1.1. User Anonymity and Privacy
Privacy is of great importance in the area of mobile cloud computing [40–42]. It means that the attacker cannot determine the sender of the messages and also cannot distinguish whether the messages are sent by the same sender. In our scheme, user’s ID_{i} is hidden in PID_{i}, which is different with h() because is changed with in every session. To retrieve ID_{i}, the adversary has to compute . However, he/she will fail because he/she has no knowledge of and . Thus, the adversary cannot get the MC_{i}’s identity by computing (ID_{i})=PID_{i}⊕h(). Therefore, the proposed scheme achieves not only user anonymity but also untraceability.
4.1.2. Forward Secrecy
In our scheme, the session key SK=h(ID_{i}ID_{S}), where =sX_{1}, Y=r_{s}P, and =r_{s}X_{1}=r_{s}r_{m}P. That is to say, the session key is generated with partial key information provided by MC_{i} and CS respectively and dealt with a hash function. Although the adversary can intercept and in the public channel, to compute = sX_{1} and =r_{s}X_{1}=r_{s}r_{m}P, he/she needs to know the secret key s and the random number of CS, or the random number of MC_{i}. However, his/her dream will not come true due to the hardness of ECDL problem and CDH problem.
4.1.3. Mutual Authentication
In the proposed scheme, CS with s verifies the legitimacy of MC_{i} by checking . If is valid, CS authenticates MC_{i}. On the other hand, MC_{i} authenticates CS by checking and CS will pass the test if is valid. Thus, the proposed scheme achieves mutual authentication.
4.1.4. Offline Dictionary Attack
Suppose the lost/stolen smartcard is obtained by the adversary and he/she reveals the secret information ,ID_{s},h(·), P, K_{pup}, m from the smartcard by performing the sidechannel attacks[36, 37] and fully controls the public channel. We will use two aspects to demonstrate that the proposed scheme is secure against offline dictionary attack.
If the adversary uses and conduct an offline dictionary attack as follows:
The adversary chooses a pair (I,P) from the dictionary space of and , respectively.
The adversary computes RPW’=h(r_{i}) and D_{2}’ =r_{i}⊕(h( Ih (r_{i}) mod m).
The adversary verifies the correctness of I and P by checking whether D_{2}’ = holds. If it holds, the adversary has found a correct pair (ID_{i},PW_{i}). Otherwise, the adversary will repeat step until D_{2}’ = .
However, the adversary will not succeed for the following two reasons. First, the adversary has no knowledge of and is large enough to prevent the adversary from guessing successfully according to item of the adversary model in Section 2.4, which results in failure of guessing ID_{i} and PW_{i} successfully. Second, suppose the adversary knows ; it is also infeasible for him/her to find a correct pair (ID_{i}, PW_{i}) because the computation of employs “fuzzy verifier” mechanism. For example, supposing ==10^{6} and m=2^{8}, there are /m≈2^{32} candidates of (ID_{i}, PW_{i}) pair. Therefore, the number of (ID_{i}, PW_{i}) candidates is too large for the adversary to conduct the offline dictionary attack successfully.
If the adversary uses and guesses ID_{i} from = h(ID_{i}PID_{i}), PID_{i} and are available from the public channel and = sX_{1}. However, the adversary cannot calculate because he/she knows nothing about the secret key of CS. Therefore, the adversary fails to conduct such an attack.
In short, the proposed scheme is secure from dictionary attack.
4.1.5. Privileged Insider Attack
In the proposed scheme, MC_{i} submits ID_{i}, h( PW_{i}) to CS for registration. The password PW_{i} is protected with a random number and thus CS cannot learn MC_{i}’s PW_{i} and other useful information. Therefore, the proposed scheme is secure from privileged insider attack.
4.1.6. Replay Attack
In our scheme, we make use of the random number mechanism to resist replay attack. In each session, the random number is generated by MC_{i} to compute the login request messages PID_{i}, , , and the random number is chosen by CS to compute the response messages Y, . The freshness and validity of the messages are assured effectively by the random number mechanism for the current session. Therefore, the proposed scheme can withstand replay attack.
4.1.7. VerifierStolen Attack
In our scheme, the verifier table ID_{i}, , , SCN_{i} stored in CS and these parameters are not securityrelated. The adversary cannot conduct any attack if he/she compromises this table. Therefore, the proposed scheme can resist verifierstolen attack.
4.1.8. User Impersonation Attack
If the adversary intends to impersonate MC_{i}, he will fail since he/she cannot guess the pair (ID_{i}, PW_{i}) or replay the login request PID_{i}, , successfully as we analyzed above. Furthermore, if he/she chooses a random number and computes X_{1a} = r_{a}p, forges PID_{a} and , constructs the login request message PID_{a}, X_{1a}, , and sends it to CS. However, CS cannot compute the correct ID_{i} in the table according to the login request PID_{a}, X_{1a}, from the adversary, which results in the computed M_{a}’ not being equal to the received . This means that the adversary fails to impersonate MC_{i}. Therefore, the proposed scheme can withstand user impersonation attack.
4.2. Formal Security Analysis
In this section, we use the random oracle model [39] to conduct a formal security analysis of the proposed scheme. For simplification, we adopt the security model of [43] as our security model. We will provide a security proof and a privacy proof of our scheme, and they are similar to [43]. But there are two differences, one is because their authentication schemes are based on modular exponentiation, their security analyses are also based on the modular exponentiation, and our security analysis is based on ECC; the second is that our analysis result of the various games is just a rough estimate.
Theorem 1. Assume that represents the proposed scheme for mobile cloud computing, is a password space and its frequency distribution follows the Zipf’s law, is a probabilistic polynomialtime (PPT) adversary, and he/she makes maximum queries of Send oracle with execution time t, denotes the adversary in breaking AKE security of . Under the difficult assumption of CDH problem, if the oneway hash function behaves like a random oracle and the signature scheme in is unforgeable against adaptive chosen message attacks, thenwhere C’ and s’ are the Zipf parameters, l is the security parameter, and ε(·) is a negligible function.
Proof. We prove this theorem with a series of games Gm (i=0,1,2,3,4,5,6). In each Gm, the adversary will guess a correct bit with the Test query and this event is denoted as and the corresponding probability is Pr[].
Gm_{0}: This game is considered as the real attack scenario under random oracle model. According to the definition of ’s advantage [43], we haveGm_{1}: This game simulates the hash function h(·) by maintaining a hash list with respect to our scheme . We also simulate Send, Test, Execute, Reveal, and Corrupt queries as the real player’s behavior. We can see that the hash function can be modeled in PPT time and this game is indistinguishable from Gm_{0}. Thus, we haveGm_{2}: In this game, we rule out sessions in which the collisions of random oracle queries occur during the simulation of hash function and transcripts , , , Y, , and . If the collisions occur, we abort the game and let the adversary win. According to the birthday paradox, we haveGm_{3}: In this game, we modify the simulation rules of session through Execute queries. We use the private hash function h’(·) instead of h(·) to calculate the session key in passive session. Furthermore, when computing the session key and the authenticator , the DiffieHellman key (=r_{s}X_{1}) and (=r_{m}Y) are removed from the input list, i.e., the session key SK= h’(ID_{i}ID_{S}Y) and authenticator =h’(ID_{i}’ID_{S} Y). In Gm_{2}, we have ruled out the collisions of hash function and the transcripts. Thus, the adversary is capable of distinguishing Gm_{3} and Gm_{2} only if he/she can calculate the DiffieHellman key or in passive session and sends a query (ID_{i},ID_{S},,Y,) to h(·). However, breaking the CDH problem is computationally hard. To a CDH instance (X,Y), we use the selfreducibility [44] of CDH problem to embed this instance to the passive sessions. To do that, we select random numbers ,,, and for each session and set U=a_{1}X+b_{1}P and V=a_{2}Y+b_{2}P. If the adversary is able to distinguish the game Gm_{3} and Gm_{2}, a query (ID_{i},ID_{S},,Y,) is made to the hash oracle. This means that the adversary can compute (Ka_{1}b_{2}Xa_{2}b_{1}Yb_{1}b_{2}P)/a_{1}a_{2} as an answer to the CDH instance (X,Y). Under the difficulty of CDH problem, we haveGm_{4}: In this game, we start to handle the active session for Send (CS,) query. And we define the game with the following rule, where the adversary may have computed the correct to impersonate the mobile client MC_{i}. The rule of the participants process queries is modified as follows.
Compute M_{4}’=h(ID_{i}ID_{S} ) and check whether M_{4}’ is equal to the received . If it is true, the cloud server CS looks up a record ((PID_{i}, , ),(Y, ),()) from the hash list . We terminate the game if the record exists. The authenticator in the proposed scheme is unforgeable due to the hardness of CDH problem. Thus, we haveGm_{5}: In this game, we continue to the active session for Send(MC_{i},Y, ). We also define this game by terminating the game with the following rule, where the adversary is luck to guess to impersonate the cloud server CS without asking the hash query h(·). To achieve this goal, the rule of the participants process the queries is modified as follows.
Look up a record (ID_{i}) in the hash list , and we terminate the game if the result is null. Otherwise, compute the session key SK=h(ID_{i}ID_{S} ), = h(ID_{i}ID_{S} ).
The adversary wins only if is correctly guessed without asking h(·). Similar to the previous game, we obtainGm_{6}: In this game, we modify the simulation rule of Send(CS, PID_{i}, , ) query for the last time. When a Send(CS, PID_{i}, , ) query is submitted, the CS first computes ,,ID_{i},,M_{2}’, and checks whether M_{2}’ = holds. If the result is true and the message PID_{i}, , is forged by the adversary, we abort the simulation and let win. Afterwards, we evaluate the success probability of forging the message PID_{i}, , . Note that the authenticator =h(ID_{i}PID_{i}) and, similarly with the analysis in the previous game, we can know that the success probability of forging authenticator is negligible. Furthermore, based on the difficulty of ECDL problem, the probability of successful forgery of message PID_{i}, , is negligible. Thus, we obtainIn the last game, the session keys are chosen randomly and the advantage of in guessing session keys is negligible and the active sessions are aborted without accepting if forges the message. The only possibility for to win the game is to corrupt the smartcard and guess the password of MC_{i}. The advantage has no advantage to get the password from the game. Based on the Zipf’s law, we obtainAccording to (2)–(9), we have the result of Theorem 1.
Theorem 2. Assume that represents the proposed scheme and is a PPT adversary breaking the anonymity of . The advantage of in breaking the anonymity of is bounded by
Proof. We suppose that can break the anonymity of with a nonnegligible advantage. We reach this aim by employing to develop an algorithm to break the CDH problem with the identical nonnegligible advantage.
Algorithm 3. Select , , input two tuples (P, r_{m}P, sP, r_{m}sP) and (P, r_{m}P, sP, r), where s is the private key of CS.
Let be a valid user owning his smartcard and password.
Let =r_{m}P, =r_{m}sP, and execute the subsequent procedure with CS as the protocol definition. We use as the session identifier of this protocol execution.
Let =r_{m}P, =r, and execute the subsequent procedure with CS as the protocol definition. The corresponding session identifier of this protocol execution is labelled as . CS may respond with rejection according to the first message from user . In this case, to make and have the same structure, U can set and chooses two random bit strings for and , respectively.
Select r_{m}’ ∈, let =r_{m}’P and =r_{m}’=r_{m}’sP, and execute the subsequent procedure with the server CS using , . In this case, the session identifier is denoted as .
Two queries TestAnonymity(,) and TestAnonymity(,) are made by , and the returned bits are denoted as and , respectively.
If =0 and =0, output “none is a DiffieHellman tuple”; if =0 and =1, output “(P, r_{m}P, sP, r_{m}sP) is a DiffieHellman tuple”; if =1 and =0, output “(P, r_{m}P, sP, r) is a DiffieHellman tuple”; if =1 and =1, output “both are DiffieHellman tuples.”
Obviously, the Algorithm 3 can be performed within polynomial time. Furthermore, in Algorithm 3, sP is fixed while r_{m}P is different in every protocol run. Based on the selfreducibility of CDH problem, we obtain Pr[U(P, r_{m}P, sP, r_{m}sP)=1]Pr[U(P,r_{m}P,sP,r)=1], where is a fixed value and . Thus, we have Pr[TestAnonymity(,)=1]  Pr[TestAnonymity(,)=1]. That is to say, can break the untraceability of a participant by solving the CDH problem which is believed computationally hard. This is a contradiction with the difficulty of CDH problem.
Therefore, the theorem is proved.
5. Comparison on Efficiency and Security
In this Section, we compare our protocol with other related competitive protocols such as QuTan[22], FarashAttari [26], Chaudhry et al.[27], Xie et al. [28], Chaudhry et al. [24], Lu et al. [29], Chang et al. [25], and Kumari et al. [30] in terms of computation cost and communication overhead and security during the authentication phase. The registration is a onetime process, so we have not taken it into consideration.
Here we set and as the order of the super singular curve or nonsupersingular curve over a finite field is 512 bits and 160 bits, respectively. For the convenience of evaluating computation cost, we set as the time of performing a oneway hash function, the time of performing a scalar multiplication operation of point, the time of performing an addition operation of point, and the time of performing a 160 bits modular inversion, respectively. The time of performing an exclusiveor operation (XOR) and a concatenate operation are much less than a hash function [45], so their times are negligible. Combined with the analysis above, the specific performing time of these operations is shown in Table 1 based on experimental data [46]. Furthermore, we set as the length of identity with 32 bits, as the length of a Point with 1024 bits, as the length of a oneway hash value with 160 bits, and as the length of a timestamp with 32 bits, respectively.

5.1. Comparison of Computation Cost
The comparison of computation cost between the proposed scheme and the related schemes is shown in Table 2.
 
S1: computation cost in mobile client side; S2: executing time in mobile client side; S3: computation cost in cloud server side; S4: executing time in cloud server side. 
According to Table 2, we can learn that the computation cost of our scheme in the mobile client is 0.497 s, which is just slightly higher than [28], while it is much less than the others [22, 24–27, 29, 30]. Meanwhile, the computation cost of our scheme in the server side is 3.616 ms, which is almost the same as [24, 28, 29] and is much less than [22, 25–27, 30]. It is evident that our scheme is still efficient as compared with other related schemes, whether in client side or in server side. To make the comparison more clearly, the comparison graph of computation cost is shown in Figure 4.
5.2. Comparison of Communication Overhead
Table 3 compares the communication overhead of the proposed scheme with other related schemes.
 
I1: communication cost; I2: the length of communication message; I3: total messages. 
From Table 3, we can see that the message size of the proposed scheme is 2688 bits, which manifests that our scheme outperforms the related schemes except for [26, 28]. We can also see that the number of total messages in the authentication phase of schemes participating in comparison can be divided into two classes, the number of which is 2 and 3, respectively. The number of total messages in our scheme is 3. Although schemes [25, 27] can complete their authentication process with 2 messages, these 2message protocols have the significant security weakness of failing to achieve perfect forward secrecy as pointed out by Krawczyk [47]. In brief, the comparison result demonstrates that the communication overhead of our scheme is acceptable.
The comparison of communication overhead is shown in Figure 5.
5.3. Comparison of Security Properties
Finally, we make a comparison of security properties between our scheme and other related schemes in light of the evaluation metrics, and the result is given in Table 4.

From Table 4, we can see that the proposed scheme can achieve more security properties than the other related schemes, such as user anonymity and untraceability which should not be overlooked in privacypreserving, and it is more effectively satisfied with the urgent security requirement of mobile users when their sensitive data was transmitted over the wireless network. The other schemes are more and less vulnerable to some security weaknesses, such that schemes in [22, 24, 25, 27, 29] are vulnerable to smartcard loss attack, schemes in [25, 28] fail to provide user anonymity, and schemes in [24, 25, 27, 30] cannot provide forward secrecy. Thus, it is clear that the proposed scheme can provide better protection for the mobile client in MCC.
In summary, from the three comparisons above, we can draw a conclusion that the proposed scheme is not only more powerful and efficient in computation cost and communication overhead but also is more secure in withstanding various known attacks than other related schemes.
6. Conclusion
In this paper, we have proposed a new anonymous twofactor user authentication and key agreement protocol on ECC for mobile cloud computing. The design of the proposed scheme exploits fuzzy verifier technique to prevent offline identity and password dictionary attack. Furthermore, the reasonable use of ECC makes this scheme efficient for mobile devices that are computing capability limited and energy limited with privacypreserving property. The formal security analysis on random oracle model reveals that the proposed scheme is provably secure under ECDL problem and CDH problem. Furthermore, the comparison of performance and security shows that the proposed scheme is more efficient and secure than the related works. We believe that this proposal is practical for mobile cloud computing.
Data Availability
The [22] data used to support the findings of this study have been deposited in the [ACM] repository ([DOI: 10.1155/2014/423930]). The [25] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s1122701411705]). The [26] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s1091601502440]). The [27] data used to support the findings of this study have been deposited in the [IEEE Xplore] repository ([DOI: 10.1109/TIFS.2017.2659640]). The [24] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s1127701637453]). The [28] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s1104201531664]). The [29] data used to support the findings of this study have been deposited in the [ScienceDirect] repository ([DOI: 10.1016/j.pmcj.2015.12.003]). The [30] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s1122701720480]).
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this article.
Acknowledgments
This work was partially sponsored by the National Natural Science Foundation of China (No. 61672007) and Science and Technology Innovation Guidance Project 2017 of Zhaoqing (No. 201704030605).
References
 M. B. Mollah, M. A. K. Azad, and A. Vasilakos, “Security and privacy challenges in mobile cloud computing: Survey and way ahead,” Journal of Network and Computer Applications, vol. 84, pp. 38–54, 2017. View at: Publisher Site  Google Scholar
 Mordor Intelligence Industry Report, Mobile Cloud Market, https://www.mordorintelligence.com/industryreports/globalmobilecloudmarketindustry, 2018.
 N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987. View at: Publisher Site  Google Scholar  MathSciNet
 V. S. Miller, “Use of elliptic curves in cryptography,” in Proceedings of the Conference on The Theory And Application of Cryptographic Techniques, vol. 218, pp. 417–426, Springer, 1985. View at: Google Scholar  MathSciNet
 E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for key management part 1: General (revision 3),” NIST Special Publication, vol. 800, no. 57, pp. 1–147, 2012. View at: Google Scholar
 C.L. Lin and T. Hwang, “A password authentication scheme with secure password updating,” Computers & Security, vol. 22, no. 1, pp. 68–72, 2003. View at: Publisher Site  Google Scholar
 M. Peyravian and C. Jeffries, “Secure remote user access over insecure networks,” Computer Communications, vol. 29, no. 5, pp. 660–667, 2006. View at: Publisher Site  Google Scholar
 H.M. Sun and H.T. Yeh, “Passwordbased authentication and key distribution protocols with perfect forward secrecy,” Journal of Computer and System Sciences, vol. 72, no. 6, pp. 1002–1011, 2006. View at: Publisher Site  Google Scholar
 X. Li, W. Qiu, D. Zheng, K. Chen, and J. Li, “Anonymity enhancement on robust and efficient passwordauthenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 57, no. 2, pp. 793–800, 2010. View at: Publisher Site  Google Scholar
 J. Xu, W.T. Zhu, and D.G. Feng, “An improved smart card based password authentication scheme with provable security,” Computer Standards & Interfaces, vol. 31, no. 4, pp. 723–728, 2009. View at: Publisher Site  Google Scholar
 J. Ma, W. Yang, M. Luo, and N. Li, “A study of probabilistic password models,” in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 689–704, IEEE, May 2014. View at: Publisher Site  Google Scholar
 J. Gosney, “Password cracking HPC,” in Passwords 2012 Security Conference, University of Oslo, Oslo, Norway, 2012, http://bit.ly/1y00I3O. View at: Google Scholar
 M. L. Das, TwoFactor User Authentication in Wireless Sensor Networks, IEEE Press, 2009. View at: Publisher Site
 D. Nyang and M.K. Lee, “Improvement of das's twofactor authentication protocol in wireless sensor networks,” IACR Cryptology ePrint Archive, vol. 2009, p. 631, 2009. View at: Google Scholar
 H.F. Huang, Y.F. Chang, and C.H. Liu, “Enhancement of twofactor user authentication in wireless sensor networks,” in Proceedings of the 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP '10), pp. 27–30, October 2010. View at: Publisher Site  Google Scholar
 D. He, Y. Gao, S. Chan, C. Chen, and J. Bu, “An enhanced twofactor user authentication scheme in wireless sensor networks,” Ad Hoc & Sensor Wireless Networks, vol. 10, no. 4, pp. 361–371, 2010. View at: Google Scholar
 Q. Xie, “Improvement of a security enhanced onetime twofactor authentication and key agreement scheme,” Scientia Iranica, vol. 19, no. 6, pp. 1856–1860, 2012. View at: Publisher Site  Google Scholar
 M. K. Khan and K. Alghathbar, “Cryptanalysis and security improvements of ‘twofactor user authentication in wireless sensor networks’,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010. View at: Publisher Site  Google Scholar
 C.C. Lee, C.T. Li, and S.D. Chen, “Two attacks on a twofactor user authentication in wireless sensor networks,” Parallel Processing Letters, vol. 21, no. 1, pp. 21–26, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 S. H. Islam and G. Biswas, “Dynamic IDbased remote user mutual authentication scheme with smartcard using Elliptic Curve Cryptography,” Journal of Electronics (China), vol. 31, no. 5, pp. 473–488, 2014. View at: Google Scholar
 M. Sarvabhatla and C. S. Vorugunti, “A secure and robust dynamic IDbased mutual authentication scheme with smart card using elliptic curve cryptography,” in Proceedings of the 7th International Workshop on Signal Design and Its Applications in Communications, IWSDA 2015, pp. 75–79, India, September 2015. View at: Google Scholar
 J. Qu and X.L. Tan, “Twofactor user authentication with key agreement scheme based on elliptic curve cryptosystem,” Journal of Electrical and Computer Engineering, vol. 2014, 16 pages, 2014. View at: Google Scholar
 B. Huang, M. K. Khan, L. Wu, F. T. B. Muhaya, and D. He, “An Efficient Remote User Authentication with Key Agreement Scheme Using Elliptic Curve Cryptography,” Wireless Personal Communications, vol. 85, no. 1, pp. 225–240, 2015. View at: Publisher Site  Google Scholar
 S. A. Chaudhry, H. Naqvi, K. Mahmood, H. F. Ahmad, and M. K. Khan, “An Improved Remote User Authentication Scheme Using Elliptic Curve Cryptography,” Wireless Personal Communications, vol. 96, no. 4, pp. 5355–5373, 2017. View at: Publisher Site  Google Scholar
 C.C. Chang, H.L. Wu, and C.Y. Sun, “Notes on “Secure authentication scheme for IoT and cloud servers”,” Pervasive and Mobile Computing, vol. 38, pp. 275–278, 2017. View at: Publisher Site  Google Scholar
 M. S. Farash and M. A. Attari, “A secure and efficient identitybased authenticated key exchange protocol for mobile clientserver networks,” The Journal of Supercomputing, vol. 69, no. 1, pp. 395–411, 2014. View at: Publisher Site  Google Scholar
 S. A. Chaudhry, H. Naqvi, T. Shon, M. Sher, and M. S. Farash, “Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems,” Journal of Medical Systems, vol. 39, no. 6, pp. 1–11, 2015. View at: Publisher Site  Google Scholar
 Q. Xie, D. S. Wong, G. Wang, X. Tan, K. Chen, and L. Fang, “Provably secure dynamic IDbased anonymous twofactor authenticated key exchange protocol with extended security model,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1382–1392, 2017. View at: Publisher Site  Google Scholar
 Y. Lu, L. Li, H. Peng, and Y. Yang, “An anonymous twofactor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography,” Multimedia Tools and Applications, vol. 76, no. 2, pp. 1801–1815, 2017. View at: Publisher Site  Google Scholar
 S. Kumari, M. Karuppiah, A. K. Das, X. Li, F. Wu, and N. Kumar, “A secure authentication scheme based on elliptic curve cryptography for IoT and cloud servers,” The Journal of Supercomputing, pp. 1–26, 2017. View at: Google Scholar
 H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, “Enhanced secure anonymous authentication scheme for roaming service in global mobility networks,” Mathematical and Computer Modelling, vol. 55, no. 12, pp. 214–222, 2012. View at: Publisher Site  Google Scholar  MathSciNet
 D. Zhao, H. Peng, L. Li, and Y. Yang, “A secure and effective anonymous authentication scheme for roaming service in global mobility networks,” Wireless Personal Communications, vol. 78, no. 1, pp. 247–269, 2014. View at: Publisher Site  Google Scholar
 I. Memon, I. Hussain, R. Akhtar, and G. Chen, “Enhanced privacy and authentication: an efficient and secure anonymous communication for location based service using asymmetric cryptography scheme,” Wireless Personal Communications, vol. 84, no. 2, pp. 1487–1508, 2015. View at: Publisher Site  Google Scholar
 A. G. Reddy, A. K. Das, E.J. Yoon, and K.Y. Yoo, “A secure anonymous authentication protocol for mobile services on elliptic curve cryptography,” IEEE Access, vol. 4, pp. 4394–4407, 2016. View at: Publisher Site  Google Scholar
 R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, L. Leng, and N. Kumar, “Design of an anonymitypreserving threefactor authenticated key exchange protocol for wireless sensor networks,” Computer Networks, vol. 101, pp. 42–62, 2016. View at: Publisher Site  Google Scholar
 T. H. Kim, C. Kim, and I. Park, “Side channel analysis attacks using AM demodulation on commercial smart cards with SEED,” The Journal of Systems and Software, vol. 85, no. 12, pp. 2899–2908, 2012. View at: Publisher Site  Google Scholar
 N. VeyratCharvillon and F. X. Standaert, Generic SideChannel Distinguishers: Improvements and Limitations, Springer, Berlin, Germany, 2011.
 S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, Springer Publishing Company, Incorporated, 2010.
 M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM, 1993. View at: Google Scholar
 Q. Jiang, J. Ma, and F. Wei, “On the security of a privacyaware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, pp. 1–4, 2016. View at: Google Scholar
 R. Amin, S. H. Islam, G. P. Biswas, D. Giri, M. K. Khan, and N. Kumar, “A more secure and privacyaware anonymous user authentication scheme for distributed mobile cloud computing environments,” Security and Communication Networks, vol. 9, no. 17, pp. 4650–4666, 2016. View at: Publisher Site  Google Scholar
 D. He, N. Kumar, M. K. Khan, L. Wang, and J. Shen, “Efficient privacyaware authentication scheme for mobile cloud computing services,” IEEE Systems Journal, no. 99, pp. 1–11, 2017. View at: Google Scholar
 F. Wei, P. Vijayakumar, Q. Jiang, and R. Zhang, “A mobile intelligent terminal based anonymous authenticated key exchange protocol for roaming service in global mobility networks,” IEEE Transactions on Sustainable Computing, no. 99, pp. 2377–3782, 2018. View at: Publisher Site  Google Scholar
 D. Pointcheval, “Provable security for public key schemes,” in Contemporary Cryptology, Advanced Courses in Mathematics  CRM Barcelona, pp. 133–190, Springer, 2005. View at: Publisher Site  Google Scholar  MathSciNet
 N. Koblitz, A. Menezes, and S. Vanstone, “The state of elliptic curve cryptography,” Designs, Codes and Cryptography, vol. 19, no. 23, pp. 173–193, 2000. View at: Publisher Site  Google Scholar  MathSciNet
 M. Scott, N. Costigan, and W. Abdulwahab, “Implementing cryptographic pairings on smartcards,” in Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, vol. 4249 of Lecture Notes in Computer Science, pp. 134–147, Springer, 2006. View at: Publisher Site  Google Scholar
 H. Krawczyk, “HMQV: a highperformance secure DiffieHellman protocol,” in Advances in Cryptology—CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 546–566, Springer, Berlin, Germany, 2005. View at: Publisher Site  Google Scholar
Copyright
Copyright © 2019 Jiaqing Mo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.