Nowadays, due to the rapid development and wide deployment of handheld mobile devices, the mobile users begin to save their resources, access services, and run applications that are stored, deployed, and implemented in cloud computing which has huge storage space and massive computing capability with their mobile devices. However, the wireless channel is insecure and vulnerable to various attacks that pose a great threat to the transmission of sensitive data. Thus, the security mechanism of how the mobile devices and remote cloud server authenticate each other to create a secure session in mobile cloud computing environment has aroused the interest of researchers. In this paper, we propose an efficient and provably secure anonymous two-factor user authentication protocol for the mobile cloud computing environment. The proposed scheme not only provides mutual authentication between mobile devices and cloud computing but also fulfills the known security evaluation criteria. Moreover, utilization of ECC in our scheme reduces the computing cost for mobile devices that are computation capability limited and battery energy limited. In addition, the formal security proof is given to show that the proposed scheme is secure under random oracle model. Security analysis and performance comparisons indicate that the proposed scheme has reasonable computation cost and communication overhead at the mobile client side as well as the server side and is more efficient and more secure than the related competitive works.

1. Introduction

Mobile cloud computing (MCC) is introduced as services of cloud computing, which is offered in mobile devices such as smart phones and tablets environment [1]. In MCC, mobile users can access resources, applications, and running results stored in the cloud and can deploy and implement a variety of services through cloud computing, enabling mobile devices to increase computing power and to increase storage capacity and contextual awareness. According to Mordor Intelligence’s research, in 2023 the MCC market will generate revenues of $94.75 billion (online, 2018) [2]. However, wireless channels supporting communication between mobile devices and the cloud service providers are insecure and are vulnerable to many kinds of attacks like impersonation attack, replay attack, and interception (see Figure 1). Additionally, when the mobile devices access cloud computing services, seamless connectivity will be required while roaming across the heterogeneous network, but their security policies vary greatly which leads to inefficiency. In addition, mobile devices have relatively limited computation capability and energy as compared with traditional computers or laptops. Therefore, a secure and efficient authentication mechanism between the mobile devices and the cloud service provider to ensure the legitimacy of each other is indispensable in preventing illegal access and withstanding potential attacks through wireless channels by the adversary.

According to the comments above, two primary issues should be considered in designing a remote user authentication scheme for mobile devices in MCC:(1)Security. Since the authentication request and the relevant messages are transmitted over public channel, the roaming authentication mechanism verifies the identity legitimacy of mobile devices while withstanding the well-known attacks launched by the adversary so as to ensure that the private data such as the identity and the geographical location are not leaked and tracked.(2)Efficiency. Efficiency should be taken intensively into account for the mobile devices. As mentioned above, mobile devices are constrained by computation capability and energy, and the authentication process passes through the heterogeneous network, which means latency and packet loss.

Therefore, improving security and reducing computation cost and communication overhead are very important for developing a practical authenticated scheme.

1.1. Related Works

Authentication protocols play an important role in preventing any unauthorized access from an adversary or malicious user for net-based services. Most of the traditional authentication protocols are based on public key cryptography like RSA. However, RSA cryptosystems heavily consume computation resources and have a lengthy key size making the traditional authentication schemes inefficient in mobile devices that are resource constrained. Elliptic curve cryptography (ECC) [3, 4], compared with the other public key cryptography, such as RSA, provides the same security level in RSA with smaller keys and faster computation; e.g., a 160-bit ECC based public key can provide the security level of a 1024-bit RSA based public key and a 256-bit ECC based public key has the same security level as a 3072-bit RSA public key [5]. Therefore, the authentication schemes based on ECC are more beneficial for mobile devices than other cryptosystems.

To access the resource at the remote server, the most convenient and simplest mechanism is the password-only authentication schemes [610]. If the user wants to login to the remote server, he must submit his identity and password to the server. Upon receiving the login request, the server checks whether the submitted identity and password are equal to the identity and password stored in the table. If the user’s identity and password match the corresponding pair of the table, the user passes authentication of the remote server and is authorized to access the system. To achieve higher security, the password is salted with a hash function in the login request. In general, these schemes only use the single factor of password to secure the security of the system, which is prone to suffer from online or offline password guessing attack [11, 12].

To overcome this issue and further improve the system security, Das firstly proposed a two-factor authentication scheme in 2009 [13], i.e., using password and smartcard, which provides greater flexibility for authentication and inspired many subsequent relevant works [1417]. Das claimed that his scheme has the advantage of employing simple hash function, requiring less communication cost, and is secure against known attacks. Unfortunately, many researchers [1416, 18, 19] examined Das’s scheme and identified several security weaknesses (such as insider attack, impersonation attack, and offline password guessing attack) and then put forward many improved versions.

In 2014, Islam-Biswas [20] put forward a two-factor authentication scheme on ECC for cloud computing, and claimed that their protocol is not only efficient but also secure enough to fulfill the security requirements of many authentication scenarios. However, Sarvabhatla-Vorugunti [21] found that Islam-Biswas's scheme [20] fails to resist replay attack and is defenseless to impersonation attack, and they then they proposed an enhanced two-factor authenticated scheme to thwart the security weakness. However, extensive use of scalar multiplication made their work inefficient. Qu-Tan [22] presented a new two-factor user authentication and key agreement scheme on ECC to overcome some security weaknesses such as smartcard loss attack in the previous schemes. However, Huang et al. [23] analyzed Qu-Tan’s scheme [22] and pointed out that their scheme was unable to withstand impersonation attack, and a new enhanced key agreement for authentication was introduced by Huang et al. to mitigate the chances of security weakness. Unfortunately, Chaudhry et al. [24] found that Huang et al.’s scheme [23] was subjected to impersonation attack and has correctness issues. They introduced an improved two-factor authentication scheme over Huang et al.’s protocol [25] and claimed their scheme can resolve all the correctness issues in the previous one. However, we found that Chaudhry et al.’s scheme [24] is vulnerable to smartcard loss attack.

Independently, Farash-Attari [26] proposed an authenticated protocol to protect data transmission on ECC for mobile client-server networks. Chaudhry et al. [27] proposed an improved smartcard based authenticated protocol for telecare medical information. Xie et al. [28] extended the security model of authentication and presented a dynamic ID-based two-factor authenticated scheme to achieve user anonymity and overcome smartcard loss attack. Lu et al. [29] proposed an anonymous two-factor authentication scheme to eliminate the security weaknesses in the previous schemes for session initiation. Chang et al. [25] proposed an enhanced scheme for IoT and cloud server to fix the security issue of inability to provide mutual authentication and the mistiness of the session key, and retains the merits of the previous one. Kumari et al. [30] also proposed an improved authenticated scheme using ECC for IoT and cloud server and claimed their proposal is resistant to known attacks. The common feature of these schemes is that they support two-factor authentication and make use of ECC to enhance security. Unfortunately, most of these two-factor authentication schemes and the similar kinds were pointed out that they cannot achieve truly two-factor security since they are vulnerable to smartcard lost attack.

In recent years, there are some other ECC based authentication protocols that were proposed for mobile devices [3135]. Yet, there is a common issue in these schemes; that is, the authentication process between mobile devices and the remote server must be done with the help of the third party, which makes their communication overhead substantially higher.

In summary, according to the analysis above, most of the existing authentication schemes ultimately turn out to have defects as follows:(1)High computation cost and high communication overhead result in the impracticality of their scheme.(2)Not being able to preserve the user privacy leads to the tracking of sensitive information such as identity and location by the adversary.(3)The security properties of their schemes are evaluated by using their own evaluation criteria, rather than the well-known third-party evaluation criteria.

1.2. Our Contributions

Considering the comments above, a desirable remote authentication scheme for mobile cloud computing services should ensure efficiency while providing appropriate security. In this paper, we present a secure and efficient anonymous two-factor authentication and key agreement scheme for MCC by employing ID-based ECC with pairing-free. The contributions of the proposed scheme are summarized as follows:(1)Privacy-preserving. Preserving user anonymity and providing untraceability are the strong demand of the mobile client, and our protocol fulfills these security requirements.(2)Not requiring the additional third party. In our scheme, the participants, except for the mobile client and the cloud server, and the authentication process do not involve the trusted third party like the home agent.(3)Strong security and efficiency. The proposed scheme employs “fuzzy verifier” technique to resist offline dictionary attack and fulfills the security evaluation metrics; meanwhile, the performance comparison with the related two-factor schemes shows that our scheme has a better tradeoff between the security requirements and the performance.

1.3. Security Evaluation Criteria

In order to evaluate the security properties of our scheme more fairly, we will adopt the widely accepted evaluation criteria as the third-party security evaluation criteria. We brief the security evaluation criteria as follows.

C1: No password verifier-table. The server should not maintain a table to store the password of user. C2: Password friendly. The scheme should provide a mechanism for the user to the change password locally. C3: No password exposure. The privileged insider cannot derive the user password. C4: No smart card loss attack. If the user’s smart card is lost or stolen and obtained by the attacker, the attacker cannot reveal the identity and password of the user. C5: Resistance to known attacks. The scheme should be secure against basic/sophisticated attacks, such as offline password guessing attack, impersonation attack, and replay attack. C6: Sound repairability. The scheme should provide a smartcard revocation mechanism. C7: Provision of key agreement. The client and the server should generate a shared session key between them. C8: No clock synchronization. The scheme should be prevented from clock synchronization and time-delay problem. C9: Timely typo detection. The scheme can detect the wrong password of the user. C10: Mutual authentication. The client and the server should authenticate each other. C11: User anonymity. The scheme should prevent the identity of the user from being known or tracked by the attacker. C12: Forward secrecy. The scheme should provide the perfect forward secrecy.

1.4. Organization of This Paper

The rest of the paper is organized as follows. Some preliminaries are given in Section 2. Section 3 presents our two-factor authentication scheme for MCC and the security analysis of the proposed scheme is given in Section 4. The performance comparisons are discussed in Section 5. We concluded this paper in Section 6.

2. Preliminaries

2.1. Notations

Some notations used in this paper are introduced as follows:MCi: the ith mobile client;CS: the cloud server;IDi: MCi's identity;PWi: MCi's password;IDS: the CS's identity;p, q: two large prime numbers;: a finite field with p;: an elliptic curve defined on finite field with order q;G: a cyclic additive group with order q;P: the generator of G;: ;s: the private key of CS;Kpub: the system public key;SCNi: the smartcard number;h(·): , the collision-free one-way hash function.

2.2. Elliptic Curve Cryptosystem (ECC)

Let be the prime field and denotes an elliptic curve over a finite , defined by an equation mod p = ( + ax + b) mod p, a, b with (4a3 + 27b2) mod p ≠ 0. The point on / together with an extra point is called the point as “point at infinity.” The additive elliptic curve group is defined as G=(x, y): x, y and (x, y)(a, b) and we call the point O “point at infinity.” Let P,QG, l be the line containing and Q (tangent line to if P=Q) and the third point R intersecting with /. Let be the line connecting and . Then P ‘+' Q is the point such that intersects / at and and P ‘+' Q. The scalar multiplication on / can be computed as kP=P+P+…+P (k times).

More details of the ECC definition can be found in [3].

2.3. Computational Problem

We review the following mathematical problems on elliptic curves in order to prove the security of our proposed protocol:

Elliptic Curve Discrete Logarithm (ECDL) Problem: Given Q, PG, finding an integer such that Q=aPG is hard.

Computational Diffie-Hellman (CDH) Problem: Given (P, aP, bP) for any a, , finding abPG is hard.

Elliptic Curve Factorization (ECF) Problem: Given (P, Q)G, where Q = rP + tP and r,   and computation of rP and tP is impossible.

2.4. Adversary Model

Understanding the adversary capabilities is extremely important for designing a truly secure protocol. In this section, we conclude the adversary model used in this paper based on [35] as follows:(1)An attacker may control the insecure channel between the related parties. That is to say, the attacker can intercept, eavesdrop, replay, modify, delete, or insert messages over the public channel.(2)An attacker can extract the secret data stored in the smartcard by side-channel attack [36, 37] or differential power attack[38].(3)An attacker can learn the identity of the user as far as the attacks and security properties are concerned.(4)An attacker can enumerate offline all the pairs in Cartesian product x in polynomial time, where and denote identity space and password space, respectively.(5)An attacker cannot successfully guess the random number and the secret key chosen by the communication parties within polynomial time, since they are adequately large.(6)An attacker can learn the public parameter of system like (a,b), P, Kpub.

3. Proposed Scheme

In this section, we shall describe the details of our anonymous two-factor user authentication scheme for MCC. The proposed scheme consists of three phases: system setup, registration, and authentication.

3.1. System Setup

The purpose of this phase is to generate the initial parameters for the future user registration and authentication. The working process is as follows and the notations are as defined above:(1)Choose an elliptic curve over a prime field ;(2)Select the master key and set =sP as the public key;(3)Publish system parameters= , /, p, P, , G, h().(4)Select an integer 24,28 as the parameter of fuzzy verifier.

3.2. Registration

In this phase, MCi with identity IDi wants to register to the cloud server CS and CS generates registration information and delivers them to MCi. The messages to be exchanged in this phase are illustrated as follows: MCi CS: IDi, RPWi, where RPWi=h(PWi) ( is a random number). CS MCi: a smartcard containing , IDs, h(·), P, Kpub, m, where = h(h(IDiSCNi) mod m)⊕RPWi ( is MCi’s registration time, is a random number). Furthermore, CS stores (IDi,,SCNi) into a table. MCi computes h(IDiRPWi) mod m and stores into the smartcard.

The detail of this phase is shown in Figure 2.

3.3. Authentication

In this phase, mutual authentication between MCi and CS shall be accomplished. Meanwhile, the session key shared between them is generated. MCi and CS perform the following steps:(1)MCi CS: PIDi, , . MCi keys his/her IDi and PWi, the smartcard computes RP=h(PWi), = ⊕(h(IDiRPWi) mod m). If = , the card accepts MCi, selects a random number , and computes =rmP,=rm, , ⊕RPWi, PIDi=(IDi)⊕h(), and =h(IDiPIDi). Finally, MCi sends PIDi, , as a login request to CS via a public channel. Otherwise, it aborts this session.(2)CS MCi: Y, . CS first computes =sX1, X3’=+X2’, (IDiM1’) = PIDi⊕h(), and M2’ = h(IDiX2PIDi) and then checks whether M2’ = holds or not. If not, CS terminates this session. Otherwise, MCi is authenticated, and CS finds (,SCNi) via IDi’, computes =h(IDiSCNi) mod , and verifies the condition M1’ ?= . If it is false, CS aborts this session. Otherwise, CS selects a random number and computes Y=rsP, =rsX1, S = h(IDiIDS Y ), and = h(IDiIDS Y ) and sends Y, to MCi.(3)MCi CS: M4. MCi computes Km=rmY, M3’= h(IDiIDS X1X2Km), and MCi will abort this session if M3’ ≠ M3; otherwise, MCi computes S = h(IDiIDS X2Km) and M4= h(IDiIDS X2Km) and forwards M4 to CS.(4)CS computes M4’= h(IDiIDS), and it exits the session if M4’ ≠ . Otherwise, it accepts S(=S) as the shared session key with MCi.

This authentication phase is summarized in Figure 3.

3.4. Password Update

When the password of MCi is leaked out, our proposed scheme can change the password flexibly. MCi performs the following steps to change the password:

MCi inserts the smartcard and keys IDi, PWi.

The card computes RP’=h(PWi), ’=⊕(h(IDiRPWi) mod m) and checks whether ’= holds. If not, the card rejects MCi's request. Otherwise, the card asks the user to input a new password P.

The card computes RP=h(ri), = D1RPWi’⊕RP, and =ri⊕(h(IDiRP) mod m) and replaces (D1, D2) with (, ).

3.5. Smartcard Revocation

If MCi's smartcard is breached, to protect the card from being abused, MCi can revoke the card as follows:

MCi performs step in Section 3.3 to get authenticated by the card.

MCi CS: PIDi, , , revoke_request. As shown in Section 3.3, the card computes PIDi, , and and sends PIDi, , , revoke_request to CS.

Upon receipt of revocation request from MCi, CS first validates the legitimacy of MCi. If it is true, CS sets , , and SCNi as null. Thus, the card is revoked so that the card can no longer be used to login to the system unless MCi registers again. Otherwise, CS rejects this revocation request.

4. Security Analysis

In this section, we provide an informal security analysis of the proposed scheme on satisfying the security evaluation criteria of two-factor authenticated protocol, and a formal security analysis to demonstrate that our scheme is secure under random oracle model [39].

4.1. Informal Security Analysis
4.1.1. User Anonymity and Privacy

Privacy is of great importance in the area of mobile cloud computing [4042]. It means that the attacker cannot determine the sender of the messages and also cannot distinguish whether the messages are sent by the same sender. In our scheme, user’s IDi is hidden in PIDi, which is different with h() because is changed with in every session. To retrieve IDi, the adversary has to compute . However, he/she will fail because he/she has no knowledge of and . Thus, the adversary cannot get the MCi’s identity by computing (IDi)=PIDi⊕h(). Therefore, the proposed scheme achieves not only user anonymity but also untraceability.

4.1.2. Forward Secrecy

In our scheme, the session key SK=h(IDiIDS), where =sX1, Y=rsP, and =rsX1=rsrmP. That is to say, the session key is generated with partial key information provided by MCi and CS respectively and dealt with a hash function. Although the adversary can intercept and in the public channel, to compute = sX1 and =rsX1=rsrmP, he/she needs to know the secret key s and the random number of CS, or the random number of MCi. However, his/her dream will not come true due to the hardness of ECDL problem and CDH problem.

4.1.3. Mutual Authentication

In the proposed scheme, CS with s verifies the legitimacy of MCi by checking . If is valid, CS authenticates MCi. On the other hand, MCi authenticates CS by checking and CS will pass the test if is valid. Thus, the proposed scheme achieves mutual authentication.

4.1.4. Offline Dictionary Attack

Suppose the lost/stolen smartcard is obtained by the adversary and he/she reveals the secret information ,IDs,h(·), P, Kpup, m from the smartcard by performing the side-channel attacks[36, 37] and fully controls the public channel. We will use two aspects to demonstrate that the proposed scheme is secure against offline dictionary attack.

If the adversary uses and conduct an offline dictionary attack as follows:

The adversary chooses a pair (I,P) from the dictionary space of and , respectively.

The adversary computes RPW’=h(ri) and D2’ =ri⊕(h( Ih (ri) mod m).

The adversary verifies the correctness of I and P by checking whether D2’ = holds. If it holds, the adversary has found a correct pair (IDi,PWi). Otherwise, the adversary will repeat step until D2’ = .

However, the adversary will not succeed for the following two reasons. First, the adversary has no knowledge of and is large enough to prevent the adversary from guessing successfully according to item of the adversary model in Section 2.4, which results in failure of guessing IDi and PWi successfully. Second, suppose the adversary knows ; it is also infeasible for him/her to find a correct pair (IDi, PWi) because the computation of employs “fuzzy verifier” mechanism. For example, supposing ==106 and m=28, there are /m≈232 candidates of (IDi, PWi) pair. Therefore, the number of (IDi, PWi) candidates is too large for the adversary to conduct the offline dictionary attack successfully.

If the adversary uses and guesses IDi from = h(IDiPIDi), PIDi and are available from the public channel and = sX1. However, the adversary cannot calculate because he/she knows nothing about the secret key of CS. Therefore, the adversary fails to conduct such an attack.

In short, the proposed scheme is secure from dictionary attack.

4.1.5. Privileged Insider Attack

In the proposed scheme, MCi submits IDi, h( PWi) to CS for registration. The password PWi is protected with a random number and thus CS cannot learn MCi’s PWi and other useful information. Therefore, the proposed scheme is secure from privileged insider attack.

4.1.6. Replay Attack

In our scheme, we make use of the random number mechanism to resist replay attack. In each session, the random number is generated by MCi to compute the login request messages PIDi, , , and the random number is chosen by CS to compute the response messages Y, . The freshness and validity of the messages are assured effectively by the random number mechanism for the current session. Therefore, the proposed scheme can withstand replay attack.

4.1.7. Verifier-Stolen Attack

In our scheme, the verifier table IDi, , , SCNi stored in CS and these parameters are not security-related. The adversary cannot conduct any attack if he/she compromises this table. Therefore, the proposed scheme can resist verifier-stolen attack.

4.1.8. User Impersonation Attack

If the adversary intends to impersonate MCi, he will fail since he/she cannot guess the pair (IDi, PWi) or replay the login request PIDi, , successfully as we analyzed above. Furthermore, if he/she chooses a random number and computes X1a = rap, forges PIDa and , constructs the login request message PIDa, X1a, , and sends it to CS. However, CS cannot compute the correct IDi in the table according to the login request PIDa, X1a, from the adversary, which results in the computed Manot being equal to the received . This means that the adversary fails to impersonate MCi. Therefore, the proposed scheme can withstand user impersonation attack.

4.2. Formal Security Analysis

In this section, we use the random oracle model [39] to conduct a formal security analysis of the proposed scheme. For simplification, we adopt the security model of [43] as our security model. We will provide a security proof and a privacy proof of our scheme, and they are similar to [43]. But there are two differences, one is because their authentication schemes are based on modular exponentiation, their security analyses are also based on the modular exponentiation, and our security analysis is based on ECC; the second is that our analysis result of the various games is just a rough estimate.

Theorem 1. Assume that represents the proposed scheme for mobile cloud computing, is a password space and its frequency distribution follows the Zipf’s law, is a probabilistic polynomial-time (PPT) adversary, and he/she makes maximum queries of Send oracle with execution time t, denotes the adversary in breaking AKE security of . Under the difficult assumption of CDH problem, if the one-way hash function behaves like a random oracle and the signature scheme in is unforgeable against adaptive chosen message attacks, thenwhere C’ and s’ are the Zipf parameters, l is the security parameter, and ε(·) is a negligible function.

Proof. We prove this theorem with a series of games Gm (i=0,1,2,3,4,5,6). In each Gm, the adversary will guess a correct bit with the Test query and this event is denoted as and the corresponding probability is Pr[].
Gm0: This game is considered as the real attack scenario under random oracle model. According to the definition of ’s advantage [43], we haveGm1: This game simulates the hash function h(·) by maintaining a hash list with respect to our scheme . We also simulate Send, Test, Execute, Reveal, and Corrupt queries as the real player’s behavior. We can see that the hash function can be modeled in PPT time and this game is indistinguishable from Gm0. Thus, we haveGm2: In this game, we rule out sessions in which the collisions of random oracle queries occur during the simulation of hash function and transcripts , , , Y, , and . If the collisions occur, we abort the game and let the adversary win. According to the birthday paradox, we haveGm3: In this game, we modify the simulation rules of session through Execute queries. We use the private hash function h’(·) instead of h(·) to calculate the session key in passive session. Furthermore, when computing the session key and the authenticator , the Diffie-Hellman key (=rsX1) and (=rmY) are removed from the input list, i.e., the session key SK= h’(IDiIDSY) and authenticator =h’(IDiIDS Y). In Gm2, we have ruled out the collisions of hash function and the transcripts. Thus, the adversary is capable of distinguishing Gm3 and Gm2 only if he/she can calculate the Diffie-Hellman key or in passive session and sends a query (IDi,IDS,,Y,) to h(·). However, breaking the CDH problem is computationally hard. To a CDH instance (X,Y), we use the self-reducibility [44] of CDH problem to embed this instance to the passive sessions. To do that, we select random numbers ,,, and for each session and set U=a1X+b1P and V=a2Y+b2P. If the adversary is able to distinguish the game Gm3 and Gm2, a query (IDi,IDS,,Y,) is made to the hash oracle. This means that the adversary can compute (K-a1b2X-a2b1Y-b1b2P)/a1a2 as an answer to the CDH instance (X,Y). Under the difficulty of CDH problem, we haveGm4: In this game, we start to handle the active session for Send (CS,) query. And we define the game with the following rule, where the adversary may have computed the correct to impersonate the mobile client MCi. The rule of the participants process queries is modified as follows.
Compute M4’=h(IDiIDS ) and check whether M4’ is equal to the received . If it is true, the cloud server CS looks up a record ((PIDi, , ),(Y, ),()) from the hash list . We terminate the game if the record exists. The authenticator in the proposed scheme is unforgeable due to the hardness of CDH problem. Thus, we haveGm5: In this game, we continue to the active session for Send(MCi,Y, ). We also define this game by terminating the game with the following rule, where the adversary is luck to guess to impersonate the cloud server CS without asking the hash query h(·). To achieve this goal, the rule of the participants process the queries is modified as follows.
Look up a record (IDi) in the hash list , and we terminate the game if the result is null. Otherwise, compute the session key SK=h(IDiIDS ), = h(IDiIDS ).
The adversary wins only if is correctly guessed without asking h(·). Similar to the previous game, we obtainGm6: In this game, we modify the simulation rule of Send(CS, PIDi, , ) query for the last time. When a Send(CS, PIDi, , ) query is submitted, the CS first computes ,,IDi,,M2’, and checks whether M2’ = holds. If the result is true and the message PIDi, , is forged by the adversary, we abort the simulation and let win. Afterwards, we evaluate the success probability of forging the message PIDi, , . Note that the authenticator =h(IDiPIDi) and, similarly with the analysis in the previous game, we can know that the success probability of forging authenticator is negligible. Furthermore, based on the difficulty of ECDL problem, the probability of successful forgery of message PIDi, , is negligible. Thus, we obtainIn the last game, the session keys are chosen randomly and the advantage of in guessing session keys is negligible and the active sessions are aborted without accepting if forges the message. The only possibility for to win the game is to corrupt the smartcard and guess the password of MCi. The advantage has no advantage to get the password from the game. Based on the Zipf’s law, we obtainAccording to (2)–(9), we have the result of Theorem 1.

Theorem 2. Assume that represents the proposed scheme and is a PPT adversary breaking the anonymity of . The advantage of in breaking the anonymity of is bounded by

Proof. We suppose that can break the anonymity of with a nonnegligible advantage. We reach this aim by employing to develop an algorithm to break the CDH problem with the identical nonnegligible advantage.
Algorithm 3. Select , , input two tuples (P, rmP, sP, rmsP) and (P, rmP, sP, r), where s is the private key of CS.
Let be a valid user owning his smartcard and password.
Let =rmP, =rmsP, and execute the subsequent procedure with CS as the protocol definition. We use as the session identifier of this protocol execution.
Let =rmP, =r, and execute the subsequent procedure with CS as the protocol definition. The corresponding session identifier of this protocol execution is labelled as . CS may respond with rejection according to the first message from user . In this case, to make and have the same structure, U can set and chooses two random bit strings for and , respectively.
Select rm, let =rm’P and =rm=rm’sP, and execute the subsequent procedure with the server CS using , . In this case, the session identifier is denoted as .
Two queries TestAnonymity(,) and TestAnonymity(,) are made by , and the returned bits are denoted as and , respectively.
If =0 and =0, output “none is a Diffie-Hellman tuple”; if =0 and =1, output “(P, rmP, sP, rmsP) is a Diffie-Hellman tuple”; if =1 and =0, output “(P, rmP, sP, r) is a Diffie-Hellman tuple”; if =1 and =1, output “both are Diffie-Hellman tuples.”
Obviously, the Algorithm 3 can be performed within polynomial time. Furthermore, in Algorithm 3, sP is fixed while rmP is different in every protocol run. Based on the self-reducibility of CDH problem, we obtain Pr[U(P, rmP, sP, rmsP)=1]-Pr[U(P,rmP,sP,r)=1], where is a fixed value and . Thus, we have Pr[TestAnonymity(,)=1] - Pr[TestAnonymity(,)=1]. That is to say, can break the untraceability of a participant by solving the CDH problem which is believed computationally hard. This is a contradiction with the difficulty of CDH problem.
Therefore, the theorem is proved.

5. Comparison on Efficiency and Security

In this Section, we compare our protocol with other related competitive protocols such as Qu-Tan[22], Farash-Attari [26], Chaudhry et al.[27], Xie et al. [28], Chaudhry et al. [24], Lu et al. [29], Chang et al. [25], and Kumari et al. [30] in terms of computation cost and communication overhead and security during the authentication phase. The registration is a one-time process, so we have not taken it into consideration.

Here we set and as the order of the super singular curve or nonsupersingular curve over a finite field is 512 bits and 160 bits, respectively. For the convenience of evaluating computation cost, we set as the time of performing a one-way hash function, the time of performing a scalar multiplication operation of point, the time of performing an addition operation of point, and the time of performing a 160 bits modular inversion, respectively. The time of performing an exclusive-or operation (XOR) and a concatenate operation are much less than a hash function [45], so their times are negligible. Combined with the analysis above, the specific performing time of these operations is shown in Table 1 based on experimental data [46]. Furthermore, we set as the length of identity with 32 bits, as the length of a Point with 1024 bits, as the length of a one-way hash value with 160 bits, and as the length of a timestamp with 32 bits, respectively.

5.1. Comparison of Computation Cost

The comparison of computation cost between the proposed scheme and the related schemes is shown in Table 2.

According to Table 2, we can learn that the computation cost of our scheme in the mobile client is 0.497 s, which is just slightly higher than [28], while it is much less than the others [22, 2427, 29, 30]. Meanwhile, the computation cost of our scheme in the server side is 3.616 ms, which is almost the same as [24, 28, 29] and is much less than [22, 2527, 30]. It is evident that our scheme is still efficient as compared with other related schemes, whether in client side or in server side. To make the comparison more clearly, the comparison graph of computation cost is shown in Figure 4.

5.2. Comparison of Communication Overhead

Table 3 compares the communication overhead of the proposed scheme with other related schemes.

From Table 3, we can see that the message size of the proposed scheme is 2688 bits, which manifests that our scheme outperforms the related schemes except for [26, 28]. We can also see that the number of total messages in the authentication phase of schemes participating in comparison can be divided into two classes, the number of which is 2 and 3, respectively. The number of total messages in our scheme is 3. Although schemes [25, 27] can complete their authentication process with 2 messages, these 2-message protocols have the significant security weakness of failing to achieve perfect forward secrecy as pointed out by Krawczyk [47]. In brief, the comparison result demonstrates that the communication overhead of our scheme is acceptable.

The comparison of communication overhead is shown in Figure 5.

5.3. Comparison of Security Properties

Finally, we make a comparison of security properties between our scheme and other related schemes in light of the evaluation metrics, and the result is given in Table 4.

From Table 4, we can see that the proposed scheme can achieve more security properties than the other related schemes, such as user anonymity and untraceability which should not be overlooked in privacy-preserving, and it is more effectively satisfied with the urgent security requirement of mobile users when their sensitive data was transmitted over the wireless network. The other schemes are more and less vulnerable to some security weaknesses, such that schemes in [22, 24, 25, 27, 29] are vulnerable to smartcard loss attack, schemes in [25, 28] fail to provide user anonymity, and schemes in [24, 25, 27, 30] cannot provide forward secrecy. Thus, it is clear that the proposed scheme can provide better protection for the mobile client in MCC.

In summary, from the three comparisons above, we can draw a conclusion that the proposed scheme is not only more powerful and efficient in computation cost and communication overhead but also is more secure in withstanding various known attacks than other related schemes.

6. Conclusion

In this paper, we have proposed a new anonymous two-factor user authentication and key agreement protocol on ECC for mobile cloud computing. The design of the proposed scheme exploits fuzzy verifier technique to prevent offline identity and password dictionary attack. Furthermore, the reasonable use of ECC makes this scheme efficient for mobile devices that are computing capability limited and energy limited with privacy-preserving property. The formal security analysis on random oracle model reveals that the proposed scheme is provably secure under ECDL problem and CDH problem. Furthermore, the comparison of performance and security shows that the proposed scheme is more efficient and secure than the related works. We believe that this proposal is practical for mobile cloud computing.

Data Availability

The [22] data used to support the findings of this study have been deposited in the [ACM] repository ([DOI: 10.1155/2014/423930]). The [25] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s11227-014-1170-5]). The [26] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s10916-015-0244-0]). The [27] data used to support the findings of this study have been deposited in the [IEEE Xplore] repository ([DOI: 10.1109/TIFS.2017.2659640]). The [24] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s11277-016-3745-3]). The [28] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s11042-015-3166-4]). The [29] data used to support the findings of this study have been deposited in the [ScienceDirect] repository ([DOI: 10.1016/j.pmcj.2015.12.003]). The [30] data used to support the findings of this study have been deposited in the [Springer] repository ([DOI: 10.1007/s11227-017-2048-0]).

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.


This work was partially sponsored by the National Natural Science Foundation of China (No. 61672007) and Science and Technology Innovation Guidance Project 2017 of Zhaoqing (No. 201704030605).